Holiday Hack 2023: Squarewheel Yard
Geography
Getting To
Before I head over to the space Island, I’ll notice three Gameboy objectives in my badge and go exploring. At the backside of the Island of Misfit Toys, I’ll find Squarewheel Yard:
Location Layout
The port has a very Misfit Toys vibe:
Click for full size imageThe Goose greets me with:
Good of the Island of Misfit Toys
Beep beep
Luggage Lock Decode
Challenge
This area adds the Luggage Lock objective to the badge:
Garland Candlesticks is in the center of the area next to a suitcase:
Garland Candlesticks
Hey there, I’m Garland Candlesticks! I could really use your help with something.
You see, I have this important pamphlet in my luggage, but I just can’t remember the combination to open it!
Chris Elgee gave a talk recently that might help me with this problem. Did you attend that?
I seem to recall Chris mentioning a technique to figure out the combinations…
I have faith in you! We’ll get that luggage open in no time.
This pamphlet is crucial for me, so I can’t thank you enough for your assistance.
Once we retrieve it, I promise to treat you to a frosty snack on me!
Game
The game offers a chance to select a difficulty:
I get luggage with the number of wheels matching what I select:
The help button shows up to interact:
It’s worth noting that clicking on the button (or pushing space) presses in that button a little bit each time, and after 5 or 6 presses, it pops back out. This is meant to represent the amount of pressure being put on the button.
Solve
Chris Elgee’s talk at KringleCon 2023, Lock Talk, talks about how to attack this kind of lock. Basically, I want to put some pressure on the button and look for where there’s resistance to turning the dials. Where it gets stuck, that’s a good sign that it’s the right one, though any position can get resistance with too much pressure and/or bad luck.
On entering the correct code, the bag opens:
Hack
This challenge is a fun one to hack as well. I’ll look at the websocket messages and show two ways to cheat the challenge:
- Looking at the setup message to figure out the combo.
- Sending 10,000 “Open” messages with each combination possibility from the dev tools console.
Full details in this video:
Epilogue
Garland Candlesticks
Wow, you did it! I knew you could crack the code. Thank you so much!
Bonus! Fishing
Challenge Part 1
Poinsettia McMittens (who must be a twin of Garland) is standing by the dock with some information about fishing:
Poinsettia McMittens
Excuse me, but you’re interrupting my fishing serenity. Oh, you’d like to know how to become as good at fishing as I am?
Well, first of all, thank you for noticing my flair for fishing. It’s not just about looking good beside the lake, you know.
The key is in the details, much like crafting the perfect toy. Observe the water, the weather, and the fish’s habits - it’s a science and an art.
Of course, it helps to have a natural charm. Fish seem to find me irresistible. Must be my sparkling personality… or maybe it’s just the glitter of my allure.
Oh, the mysteries of the aquatic life around these islands are as elusive as, well, a clever compliment. But you’ll get one if you probe enough.
Remember, patience is more than a virtue in fishing; it’s a strategy. Like waiting for the right time to use flattery, you wait for the right moment to strike.
Go see if you can catch, say, 20 different types of fish!
Fishing Legit
Fishing is easy enough. I make sure my boat is at a stop in the water, and click the “Cast Line” button:
The button turns to “Reel it in”:
After some amount of time, it will turn red:
Clicking then (and before it goes back to white) will catch a fish, which opens the Pescadex and shows details about it. For example:
With some patience and a few minutes, I’ll catch 20 fish and head back to Poinsettia.
Challenge Part 2
Poinsettia ups the stakes:
Poinsettia McMittens
Hoy small fry, nice work!
Now, just imagine if we had an automatic fish catcher? It would be as ingenious as me on a good day!
I came across this fascinating article about such a device in a magazine during one of my more glamorous fishing sessions.
If only I could get my hands on it, I’d be the undisputed queen of catching them all!
On talking, two objectives show up (one already solved):
Find Heat Maps
At the top of the body of the main sea page, there’s a commented out HTML link:
This leads to https://2023.holidayhackchallenge.com/sea/fishdensityref.html, which is a page that has black and white squares for each of a bunch of fish:
Source Analysis
The goal here is to figure out what triggers a fish on the line. At line 327 of client.js, there’s an event listener created for incoming message:
It does a long if / else if block for the different starting letters of the message. At first I was very intriged by f::
} else if (messageType === 'f:') {
const parsed = JSON.parse(payload);
const idx = playerData.fishCaught.findIndex(fish => fish.name === parsed.fish.name);
if (idx === -1) {
playerData.fishCaught.push(parsed.fish);
pescadexIndex = playerData.fishCaught.length - 1;
freshCatch = true;
} else {
pescadexIndex = idx;
}
cotd.classList.add('visible');
updatePescadex();
}
It turns out this message comes from the server after I push “Reel it in”. So that’s not much use. At the end after all the messages are processed, it calls UpdateUI() regardless which message was called. In that function, this section jumps out:
if (me.fishing) {
reelItInBtn.style.display = 'block';
if (me.onTheLine) {
reelItInBtn.classList.add('gotone');
reelItInBtn.innerText = 'Reel it in!';
} else {
reelItInBtn.classList.remove('gotone');
reelItInBtn.innerText = 'Reel it in';
}
} else {
reelItInBtn.style.display = 'none';
}
me is defined earlier as Entities[playerData.uid]. Outside that function, I don’t have access to me. But Entities and playerData do exist:
If I grab the Entities entry for my uid, it has fishing, fishCaught, and oneTheLine:
Listening on Socket
POC
I want to try to listen on the socket, so I’ll mimic what’s in the code in my console:
Right away, there are a ton of v: messages. I’ll re-run to filter those out (refreshing the page to reset the console). At first there’s nothing, but as soon as I start moving, there’s a bunch of e: messages:
Finding e Messages
I’ll refresh again and add some information about the payload. When I move, e: messages provide the update as to where my boat is and where it’s going:
But when I fish, must larger e: messages come through:
These are the updates that set onTheLine!
Sending on Socket
I want to be able to automatically do things, so I need to know if there’s a message I can send that will “Reel it in”. At line 1007, there’s an event listener defined for when that button is clicked:
const reelItInBtn = document.querySelector('button.reelitin');
reelItInBtn.addEventListener('click', () => {
socket.send(`reel`);
window.top.postMessage({
type: 'sfx',
filename: 'fishing-reel.mp3',
}, '*');
});
It looks like all I have to do is send “reel” over the websocket. I’ll test it, by entering socket.send('reel'); into the console while I’m fishing, and observer that the UI updates to show I’m no longer fishing. I can wait until there’s a fish on the line and then send, and it does catch the fish!
Auto-Fish
I’ll use the following code to automatically fish:
socket.addEventListener("message", event => {
const messageType = event.data.substr(0, 2);
const payload = event.data.substr(2);
if (messageType == "e:") {
const parsed = JSON.parse(payload);
if (playerData.uid in parsed) {
const data = parsed[playerData.uid];
if ('onTheLine' in data && data.onTheLine) {
const idx = playerData.fishCaught.findIndex(fish => fish.name === data.onTheLine);
if (idx !== -1) {
console.log("Already have " + data.onTheLine);
} else {
socket.send('reel');
console.log(data.onTheLine + ' [' + (playerData.fishCaught.length + 1) + ']');
setTimeout(() => {socket.send('cast');}, 500);
}
}
}
}
});
It listens on the websocket, and when there’s an e: message, it checks for onTheLine and if it’s true. If so, it looks in my current caught fish to see if I already have it, and if not, it sends the reel message over the socket. It then prints a message to the log, and casts again in half a second.
If I want to not fish, all I have to do is manually reel it in, and then it won’t recast until I cast again and it catches something.
Using Heatmaps
Manually
Some fish are tricky to find, and I will need to be in just the right place. I could manually overlay the map with the heatmaps, but that seems like a lot of work.
In the source, there’s a dict ImageAssets that defines the parts of the map:
Interestingly, by the time they get to my current context, they are not strings, but HTML objects:
These are used each time the UI is updated. I’ll try replacing the minimap.png with a heatmap:
The map in the bottom right updates:
Now I can move around finding hot spots (where it’s very light) and fish there. This is particularly useful for the Piscis Cyberneticus Skodo, which is only found on one distinct space on the map:
Automate
I don’t want to have to keep finding the links and updating them. I’ll use curl with some bash-foo to get a list of the fish:
$ curl https://2023.holidayhackchallenge.com/sea/fishdensityref.html -s | grep h3 | cut -d'>' -f2 | cut -d'<' -f1 > SansHolidayChallenge-2023/fish.txt
I’ll use vim to quickly create a JavaScript array from this list, and then use that to make the following function:
function update_map() {
var fishlist = ['Flutterfin Rainbow-Roll', 'Gelatina Ringletfin', 'Funfetti Flick-Flick', 'Fluffle-Muffin Sparklefin', 'Jovian Jamboree Jellydonut Jellyfish', 'Gumball Glooperfish', 'Jester Jellyfin', 'The Chocolate Star Gingo Guppy', 'Whirly Snuffleback Trout', 'Jolly Jellyjam Fish', 'Lounging Liquorice Crustacean-Nosed Berryfin', 'Jinglefin Jellyfrizzle', 'The Polka-Dot-Propeller Puffling Fish', 'JubiliFLOPinear Snorkeldonut', 'Glittering Gummy Guppy', 'Whiskered Whizzler', 'Flamango-Buzzling Sushi Swimmer', 'Flutterfin Bubblegum Gumball', 'ChocoSeahorsefly', 'Speckled Toastfin Snorkelback', 'Jamboree Jellywing', 'Fantabulous Fry-Sherbert Aquapine', 'Jamboree Jellofish', 'Bubblegum Blowfish-Bee', 'Frizzle Fringe Flutterfin', 'Whiskered Jumblefish', 'Bumblefin Toffee Torpedo', 'Jolly Jellypeanut Fish', 'Gumbubble Guppy', 'Glittering Gummy Whipray', 'Flippity Flan Flopper', 'Biscuit Bugle-Tail Fish', 'Strudel Scuttle Scalefish', 'Bubblegum Bumblefin', 'Flutterfin Falafeluncher', 'The Splendiferous Spaghetti Starfin', 'The Rainbow Jelibelly Floatfish', 'Rhinoceros Beetle Bumble Tuna', 'Hatwearing Hippofish', 'Frizzle Fish', 'Polka-Pop CandyFloss Fish', 'Bumbleberry Floatfish', 'Caramelotus Humming Float', 'Dandy Candy Goby', 'The Polka-Dot Pudding Puff', 'Frosted Donut Jellyfluff Puffer', 'Flamingo Flapjack Finaticus', 'The Splendiferous Spaghetti Seahorsicle', 'Flutterfin Scoopscale', 'Frizzle Frazzle Fly-n-Fish', 'Frizzle-Frizzled Jambalaya Jellyfish', 'Sprinkfish', 'Fantail Flutterfin', 'JellyChip CuddleSwimmer', 'Whiskered Lollipop Loonfish', 'Jester Gumball Pufferfish', 'The Hummingbrewster BumbleFlish', 'Jangleroo Snackfin', 'Blibbering Blubberwing', 'The Bubblegum Confeetish', 'Fantastical Fusilloni Flounderfish', 'Pizzafin Flutterbub', 'The Whiskered Watermelon Pufferfish', 'The Bumblebee Doughnut Delphin', 'Pistachio Pizzafin Puffinfly', 'Aquatic JellyPuff Doughnut Shark', 'Gumball Guppygator', 'The Burgerwing Seahorse', 'Bellychuckle Balloonfish', 'FizzleWing PuffleGill', 'Bumbleberry Rainbow Flicorn Fish', 'Whistlefin Wafflegill', 'Pizzadillo Glitter-Guppy', 'Jamboree Jellydonut Jellyfish Trout', 'The Bubblegum Bumblefin', 'Gelatino Floatyfin', 'The Frambuzzle Flickerfin', 'The Speckled Pizzafin Fizzflyer', 'Sparkling Pizzafin Pixie-fish', 'Bumblecado Finstache Hybridsail', 'Pizzamarine Popcorn Puffer', 'Laughter Ligrolomia', 'Frosted Jelly Doughnut Pegasus Finfish', 'The Whirling Donut Jellygator', 'Flutterfin Cupcake Goby', 'The Gumball Guppy', 'Bubblegum Blowfish Beetle Bug', 'Sparkling Gumbubble Piscadot', 'The Flamboyant Flutter-fish', 'Twinkling Tortellini Trouterfly', 'Beatleberry Fluff Guppy.', 'Glaze Meringuelle', 'The Whiskered Blubberberry Flapper', 'Sherbet Swooshfin', 'Marzipoisson Popsicala', 'Bubblegum Ballistic Barracuda', 'Puzzletail Splashcake', 'Fantasia Fluffernutter Finfish', 'Rainbow Jelly-Dough Fish', 'Flutterfin Pizzapuffer', 'BugBrella Aquacake', 'Twirly Finny Cakeling', 'Frizzleberry Flapjack Fish', 'Whiskered Sprinkle Glider', 'The Pristimaela Parfait Pengu-Angel', 'Bubblerooni WhiskerWaffle', 'The Speckled Whisker-Spoon Puffer', 'BumbleSquid Donutella', 'Sparkleberry Gobblefin', 'Fizzgiggle Frizzlefin', 'JibberJelly Sundae Swimmer', 'The Flutterfin Pastry Puffer', 'Rainbow Gummy Scalefish', 'Jingle JellyFroth Fish', 'The Spotted Flutterfin Pastrytetra', 'Flutterfin Hotcheeto Penguinfish', 'Piscis Cyberneticus Skodo', 'Oreo OctoPufferRock', 'Fluffernutter Pufferpine', 'Whirlygig Polka-Dotted Jelly-Donut Pufferfish', 'Bumbleberry Gilled Glider', 'Polkadot Pancake Puffer', 'Mermacorn Fish', 'Sprinkle Starfish Sardine', 'Choco-Bumblefin Parrot Trout', 'The Fantabulous Gala Glazed-Guppy', 'Pudding Puff ParrotMoth Fish', 'Fantastical Flapjack Flipperfin', 'TruffleBugle ZephyrFish', 'Bumbleberry Glitterfin', 'The Jester Jellycarafe', 'The Flamingotuna McSprinklefin', 'Whiskerfroth Flutterfin', 'Spotted Sprinkledonut Puffer', 'Stripe-tailed Pepperoni Puffer', 'Jelly-Feather Macaroon Guppy', 'Flutterfin Pancake Puffer.', 'Whiskered Rainbow Glidleberry', 'Chucklefin Clownfish', 'Bumbleberry Snorkelsnout', 'Jolly Jellydozer', 'The Polka Dotted Jello-fish', 'The Bumbleberry Guppiesaurus', 'Flutterfin Pizzacrust Glimmertail', 'Bumblebee, Pizza-fin Jamboree', 'Whizzbizzle Poptuckle', 'Candyfloss Clownphino', 'Flutterglaze Bumblefin', 'Bumbleberry Poptarticus', 'Plaid Zephyr Cuddlefin', 'Jolly Jambalaya Jubilee Fish', 'Confetti Clownfrippery Fish', 'Rainbow Jelly-Bumble Shark', 'Marshmallow Pogo-Starfish', 'The Spangled Jelly-Tortle Ripplefin', 'Fantabulous Rainbow Polka Poptartfish', 'The ChocoChandelier Goldnipper', 'Gummybrella Anemofin', 'Gummy Fizzler', 'The Bumblebelly Polkadot Glaze-fish', 'Fantaray Flakefin', 'Splendiferous Ribbontail', 'The Butterfleagleberry Seahorse', 'Sushinano Sweetsquid', 'The Whiskered Melonfin', 'The Fantastical Fizzbopper', 'Splashtastic Bagelback Rainbownose', 'Pizzafly Rainbowgill', 'Frizzling Bubblehopper', 'Cuckoo Bubblegum Unicornfish', 'The Lucid Lollyscale'];
var i = 0;
var idx = 0
while (idx >= 0 && i < fishlist.length) {
idx = playerData.fishCaught.findIndex(fish => fish.name === fishlist[i]);
if (idx < 0) {
console.log("Looking for: " + fishlist[i] + " [" + i + "]");
ImageAssets['minimap'].src = 'https://2023.holidayhackchallenge.com/sea/assets/noise/' + fishlist[i].replace(/ /g, '%20') + '.png'
}
i = i + 1;
}
}
It will loop through the fish list until it finds one that isn’t in the list, and then update the map. I’ll run setInterval in the console to run it every 30 seconds:
setInterval(update_map, 30000)
Epilogue
Poinsettia is impressed:
Poinsettia McMittens
You managed to catch every fish? You’re like the fishing version of a Christmas miracle!
Now, if only you could teach me your ways… but then again, I’m already pretty fabulous at everything I do.