
Easter Eggs

If you couldn't tell, the creators of Holiday Hack Challenge love to hide humor and pop culture references throughout the game for observant players to find. Here are a few I encountered.

Jason the Plant

Jason has made an appearance in past Holiday Hack Challenges, and this time he's returned as a potted plant at the entrance to Santa's castle.

Die Hard

The avatars have no shoes. Just like John McClane in the movie, our characters must navigate the world without shoes.

"NOW I HAVE A ZERO-DAY. HO-HO-HO." is a nod to the line in Die Hard where John McClane sends a terrorist down the elevator wearing a sweatshirt that says "NOW I HAVE A MACHINE GUN. HO-HO-HO."

HoHoHoDaddy phone number

The telephone number listed on the HoHoHoDaddy webpage, 115 97 110 116 97, is the text string "santa" written as decimal ASCII character codes.

GitHub repo

In addition to the ventilation system schematics, there is code for a drone delivery system under development by the North Pole elves. What could possibly go wrong?

A wild MissingNo appears!

Manipulating your avatar's DNA to an unsupported value will cause the game to represent you as MISSINGNO from the Nintendo Pokémon game (more here: https://en.wikipedia.org/wiki/MissingNo).

Unfortunately, server-side input validation prevents us from setting our avatar to MISSINGNO for others to see. However, you could change it client-side and share the image on social media.

MissingNo

The easiest way I found to do this was using an interception proxy (shown in ZAP below) to send a WS_USERS WebSockets message toward my client with an invalid DNA string.

MissingNo

WebSocket Fun

Communication between the client and game server uses the WebSocket protocol. Some of the keywords used in the communications were entertaining: WS_OHHIMARK, WAKE_UP_WERE_AT_GRANDMAS, AUF_WIEDERSEHEN, and my favorite:

DENNIS_NEDRY, the computer geek gone rogue from Jurassic Park, is the server response when we attempt to update our DNA. I swear I could hear him saying "Ah ah ah... You didn't say the magic word!"

Dennis

Jenny's Number

If you take the time to download source.min.html, which is referenced in the wannacookie malware that infected Alabaster's computer, you'll see that the ransomware demands 8675309 Bitcoins to unlock the files it has encrypted. This is the phone number in "867-5309/Jenny", the 1980s Tommy Tutone hit.

Jenny

Musical Lock

The musical lock for Santa's vault is right out of Willy Wonka and the Chocolate Factory from 1971. In the movie, Mrs. Teavee misidentifies the tune played on the musical lock as Rachmaninoff (https://www.youtube.com/watch?v=5g4r-FbGivk). In fact, it's the opening bars of Mozart's overture to The Marriage of Figaro. In his hints, Alabaster makes the same mistake, and then corrects himself.

Willy Wonka Meme

And so many more that I surely missed!