Holiday Hack 2022: Appendix B: Hacking KringleCon
Given that Holiday Hack Challenge is a hacking challenge, and there’s no rule against it, it’s a good idea to poke at the underlying website that is KringleCon. There are things I can learn that make things like finding hidden chests or the wallet key recovery easier.
Video
This part is best explained in a video:
A summary of that information follows.
Summary
HTML
Just by looking a the HTML items on the page. Almost everything that I would interact with has the class ent. I can use this to get and display information about these locations on the screen. I wrote a short TamperMonkey script that will do just that. It updates every 2 seconds (though typically only I’m moving).
My JavaScript is not good making for some ugly code, but it works, and is available here.
JavaScript
The JavaScript that runs the game is very obfuscated. I’d love to figure it out some day, but I did not get time to look at it this year.
Network Traffic
When looking for items across the map, looking at the network requests can be super useful. For example, if when I walk into the Tolkien Ring, I see these images download, right away I know there’s a chest in here:
Websocket
On the Dev Tools network tab, with a filter set only on WS, on first entering any location, there’s a single web socket connection opened:
Clicking on it, I can see the messages:
There are many interesting message types to look through, but the most useful one is AAANNNDD_SCENE, which contains all the information about the room I just entered:
entities shows the NPCs and terminals in the room:
grid gives the walkable spaces in a 2D grid. For example, for Tolkien Ring:
1111111111111111111111111111 111111111
1
11
11
11
11
11
111
The secret path down to the chest is obvious here!