Revision as of 14:33, 20 July 2018
Sombra ARG
The Sombra ARG: an ARG involving a then-unreleased Overwatch hero.
Type: Official
Creator: Blizzard Entertainment
Discovered: 2016-06-12
Completed: 2016-11-04
The Sombra ARG was an ARG for the first-person shooter Overwatch, developed by Blizzard Entertainment. Sombra was the name of a then-unreleased Overwatch hero. The ARG consisted of clues and ciphers referencing Sombra, found in various developer updates and short animations.
At the game's release, the map Dorado contained numerous pieces of in-game information hinting at a character called Sombra. When the hero Ana was revealed, more Sombra clues appeared in Ana's origin video. In the weeks that followed, further clues were discovered, leading up to a character reveal animation at BlizzCon 2016.
Ana Videos
Ana Origin Video
On July 12, 2016, a video for the new Overwatch hero Ana was released. At the 1:16 mark, players discovered a set of hexadecimal values:
2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 64 78 7A 75
A hex to ASCII translation yielded the following:
...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...dxzu
XORing each byte with the constant 23 (0x17) recovers the message. Applied to every byte, the XOR also turns the 0x20 space bytes into '7', the 0x2E separator bytes into '9', and the D4 A4 pair into C3 B3, the UTF-8 encoding of ó; the transcription below keeps the spaces and dots as separators:
..la que tiene la información; tiene el poder...la que tiene la información; tiene el poder...la que tiene la información; tiene el poder...la que tiene la información; tiene el poder...somb
This was a repeating phrase in Spanish, which translated to:
She who has the information, has the power...
Players then discovered a second set of hexadecimal values at the 2:11 mark:
65 76 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E
Put through the same process, the same Spanish phrase was revealed, but prefixed with the letters "ra". Combined with the "somb" that ended the first ciphertext, these spell "sombra". No more clues were discovered until the release of the Dev Update video.
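The XOR step above, as an added example that is not part of the original page: it decodes the hex with the known key 0x17 and also shows how that key can be recovered without knowing it, by trying all 256 single-byte keys and scoring each result against Spanish letter frequencies. The hex constants are one repetition of the 1:16 string plus its trailing four bytes, and the opening bytes of the 2:11 string, copied from the transcription above; the frequency table is an approximation chosen for this example.

```python
import re

# One repetition of the 1:16 hex run plus its trailing "64 78 7A 75", copied
# from the page (the full run repeats the phrase four times).
HEX_1_16 = (
    "2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 "
    "7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 "
    "2E 2E 2E 64 78 7A 75"
)
# The opening bytes of the 2:11 run, also copied from the page.
HEX_2_11 = "65 76 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72"

# Approximate Spanish letter frequencies in percent (assumed values; they only
# need to separate real text from the 255 wrong keys).
SPANISH_FREQ = {
    "e": 12.2, "a": 11.5, "o": 8.7, "s": 7.2, "r": 6.9, "n": 6.8, "i": 6.2,
    "l": 5.0, "d": 5.0, "t": 4.6, "u": 4.0, "c": 4.0, "m": 3.2, "p": 2.5,
    "b": 1.4, "g": 1.0, "v": 0.9, "y": 0.9, "q": 0.9, "h": 0.7, "f": 0.7,
    "z": 0.5, "j": 0.4, "x": 0.2, "k": 0.01, "w": 0.01,
}


def hex_to_bytes(hex_text):
    """Turn a space/newline separated hex dump into bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", hex_text))


def xor_decode(hex_text, key):
    """XOR every byte of the dump with a single-byte key."""
    return bytes(b ^ key for b in hex_to_bytes(hex_text))


def score_plaintext(candidate):
    """Higher means more Spanish-looking: reward common letters and spaces,
    punish control bytes; bytes >= 0x80 (e.g. UTF-8 accents) are neutral."""
    score = 0.0
    for b in candidate:
        ch = chr(b).lower()
        if ch in SPANISH_FREQ:
            score += SPANISH_FREQ[ch]
        elif b == 0x20:
            score += 5.0
        elif b < 0x20 and b not in (0x09, 0x0A, 0x0D):
            score -= 10.0
    return score


def recover_xor_key(hex_text):
    """Brute-force the single-byte XOR key by best plaintext score."""
    data = hex_to_bytes(hex_text)
    return max(range(256), key=lambda k: score_plaintext(bytes(b ^ k for b in data)))


if __name__ == "__main__":
    key = recover_xor_key(HEX_1_16)
    print(f"recovered key: {key} (0x{key:02x})")
    print(xor_decode(HEX_1_16, key).decode("utf-8"))
    print(xor_decode(HEX_2_11, key).decode("utf-8"))
```

Run as a script it recovers 0x17 and prints the literal XOR output, in which the separators appear as 9s and the spaces as 7s, which is why the transcription above looks slightly different from what the bytes actually decode to.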
Dev Update Video
At the end of this video, a series of vertical barcodes was discovered. Scanning the barcodes gave hexadecimal numbers, which were then converted to binary (players posted a dump of the bits).
Turning the ones and zeroes into black and white pixels formed a QR code:
Scanning this QR code yielded the following message:
"¿Estuvo eso facilito? Ahora que tengo su atención, déjenme se las pongo más difícil."
Translated from Spanish into English:
Was that easy? Well, now that I have your attention, allow me to make things much more difficult.
After this, no more clues were discovered until the Summer Games video was released.
Welcome to the Summer Games Video
Tracer Trail Cipher
Note: The cipher described below remains unsolved.
On August 2, another cipher was discovered in the Welcome to the Summer Games trailer. This time, the ciphertext was in base64:
U2FsdGVkX1+vupppZksvRf5pq5g5XjFRIipRkwB0K1Y96Qsv2Lm+31cmzaAILwytX/z66ZVWEQM/ccf1g+9m5Ubu1+sit+A9cenDxxqkIaxbm4cMeh2oKhqIHhdaBKOi6XX2XDWpa6+P5o9MQw==
Decoding the Base64 gives the following bytes (shown as text):
Salted__���ifK/E�i��9^1Q�*Q�t+V=� /ع��W/ �_����V��?q����f�F���"��=q�������[�� z��*����Z����u�\5�k�C
(Note: copy/pasting this string will not work; some of the characters are not printable and are not even displayed correctly on this page)
Decrypting the Cipher
The "Salted__" header at the start indicates that the rest of the data was produced by OpenSSL's enc command (or a library that follows its format), which requires a password and the name of the cipher that was used. The 8 bytes following the header are a random salt: OpenSSL mixes it with the password in its EVP_BytesToKey derivation, so the same password yields a different key and IV on every encryption.
Since we know the salt and the ciphertext, what is missing is the password, the cipher (and mode), and the digest used by the derivation (MD5 by default in OpenSSL 1.0.x, SHA-256 from 1.1.0 onwards). OpenSSL supports a large number of ciphers and modes, so guessing blindly is expensive.
Narrowing Down Ciphers
The cipher can be narrowed down by looking at a hex dump of the decoded data. There are two broad families: stream ciphers, which produce exactly as much ciphertext as plaintext, and block ciphers, which process fixed-size blocks (8 bytes for DES and Blowfish, 16 for AES) and, in the usual ECB and CBC modes, pad the plaintext up to a whole number of blocks.
In the dump, the first 8 bytes are the ASCII string Salted__ and the next 8 bytes are the salt; everything after that is the ciphertext.
Decoding the Base64 gives 109 bytes, so after the 16-byte header 93 bytes of ciphertext remain. That is 3 bytes short of a multiple of 16 (and not a multiple of 8 either), so the data was not padded to a block boundary. This is a strong indicator of a stream cipher, or of a block cipher in a mode that needs no padding (CTR, OFB or CFB), which narrows the list of candidate ciphers considerably. It also means the plaintext Blizzard encrypted is exactly 93 bytes long, since those modes produce ciphertext of the same length as the plaintext.
This cipher remains unsolved, but it's speculated that Blizzard moved past the cipher by creating alternate puzzles.
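The header analysis above, as an added example that is not from the original page: it Base64-decodes the Tracer Trail string, checks the Salted__ magic, splits off the salt and ciphertext, reports the block alignment, and shows OpenSSL's EVP_BytesToKey password-to-key derivation (the algorithm documented in EVP_BytesToKey(3)), which any password guess has to go through before a decryption attempt. The password hunter2 and the AES-256 key and IV sizes are assumptions for the demonstration; the digest is a guess as well, for the reason given above.

```python
import base64
import hashlib

# The Tracer Trail ciphertext from the page, with the line-wrap spaces removed.
TRACER_TRAIL_B64 = (
    "U2FsdGVkX1+vupppZksvRf5pq5g5XjFRIipRkwB0K1Y96Qsv2L"
    "m+31cmzaAILwytX/z66ZVWEQM/ccf1g+9m5Ubu1+sit+A9cenD"
    "xxqkIaxbm4cMeh2oKhqIHhdaBKOi6XX2XDWpa6+P5o9MQw=="
)

MAGIC = b"Salted__"


def parse_openssl_salted(blob):
    """Split an `openssl enc -salt` blob into its salt and ciphertext."""
    if not blob.startswith(MAGIC) or len(blob) < 16:
        raise ValueError("not an OpenSSL Salted__ blob")
    return {"salt": blob[8:16], "ciphertext": blob[16:]}


def classify_by_length(ct_len):
    """What the ciphertext length says about the cipher. A padded block
    cipher (ECB/CBC) always emits a whole number of blocks, so a length
    that is not a multiple of 8 rules those out. The converse does not
    hold: a stream cipher can land on a block boundary by chance."""
    if ct_len % 16 == 0:
        return "padded 16-byte-block cipher possible (or stream-like by chance)"
    if ct_len % 8 == 0:
        return "padded 8-byte-block cipher possible (or stream-like by chance)"
    return "unpadded: stream cipher or a block cipher in CTR/OFB/CFB mode"


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5", rounds=1):
    """OpenSSL's EVP_BytesToKey: D_i = H^rounds(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes are available."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = prev + password + salt
        for _ in range(rounds):
            d = hashlib.new(digest, d).digest()
        prev = d
        out += d
    return out[:key_len], out[key_len:key_len + iv_len]


def analyse(b64_text):
    """Everything the header alone tells us about the Tracer Trail blob."""
    blob = base64.b64decode(b64_text)
    parts = parse_openssl_salted(blob)
    ct_len = len(parts["ciphertext"])
    return {
        "total_len": len(blob),
        "salt_hex": parts["salt"].hex(),
        "ct_len": ct_len,
        "short_of_16": (-ct_len) % 16,
        "verdict": classify_by_length(ct_len),
    }


if __name__ == "__main__":
    info = analyse(TRACER_TRAIL_B64)
    for name, value in info.items():
        print(f"{name}: {value}")
    # An assumed password would be expanded like this for AES-256 (32-byte key, 16-byte IV).
    key, iv = evp_bytes_to_key(b"hunter2", bytes.fromhex(info["salt_hex"]), 32, 16)
    print("key:", key.hex(), "iv:", iv.hex())
```

Because the salt is public, the derivation is cheap and unsalted-per-guess in the sense that matters to an attacker: each candidate password costs one or two hash calls plus a decryption, so a dictionary attack over ARG-themed passwords is feasible; what stops it here is not knowing the cipher and digest, which multiplies the search.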
Directions & Letters
There was another lead in the Summer Games video: references to compass directions that are present only in the North American version of the trailer and conspicuously absent from the other versions. Each reference is tied to a hero and a timestamp. The screenshots, arranged by direction, gave the hero order Tracer, Torbjörn, Winston, Symmetra, D.Va, Mercy, Bastion, Genji, McCree, which provided a passphrase used later in the ARG.
Dorado Photo
On the Overwatch media page, a new photo of the attacking spawn in Dorado was added. The photo had been deliberately corrupted ("datamoshed"): the modified bytes both distort the image and carry a hidden message.
Comparing the file with the original using difference-checking tools showed that certain characters in the file had been replaced with exclamation points; the replaced characters, read in order, gave the following Spanish phrase:
"Por que estan mirando al cielo? La respuesta no esta sobre sus cabezas, esta detras de ustedes. A veces, necesitan analizar sus logros previos."
Translated into English, this phrase reads:
"Why are you looking at the sky? The answer isn't over your heads, it's behind you. Sometimes, you need to analyze your previous achievements."
The phrase "Why are you looking at the sky?" is most likely a reference to a strange artifact that was discovered in the sky of the Dorado map, dubbed the "Skycode". The Skycode ended up being a red herring, completely unrelated to the ARG.
Analyzing Achievements
The phrase "you need to analyze your previous achievements" led players to the achievements on the Overwatch website. Logging in and viewing the achievements on a player profile revealed a mystery achievement. Viewing the source of its image led players to a new phrase:
Vientos, nada mal. No obstante, me aburro. Intentemos algo nuevo en la misma dirección. uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 IS8208O913KRlrx
Translated, it says:
Damn, not bad. However, I'm getting bored. Let's try something new in the same direction. uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 IS8208O913KRlrx
Volskaya Datamosh
The following steps explain how the ASCII skull and the "little games" quote were found:
1. Take the following section of code from the "?" achievement hint above:
uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 IS8208O913KRlrx
2. Run it through a Vigenère cipher (decrypting; digits and spaces pass through unchanged, and only letters, upper- or lower-case, consume a key character).
3. Use the hero names in the order of their compass positions (see above) as the passphrase:
tracertorbjornwinstonsymmetradvamercybastiongenjimccree
4. The result is the following string which, formatted as a proper URL, points to the following picture:
blzgdapiproaakamaihdnetmediascreenshot 5552E494 78B3 4CE9 ACF6 EF8208F913CFjpg
blzgdapipro-a.akamaihd.net/media/screenshot/5552E494-78B3-4CE9-ACF6-EF8208F913CF.jpg
The distortion on this picture indicates that it, too, is "datamoshed", and that it conceals hidden information. A difference check between the new and original image resulted in an interesting message.
ASCII Skull #1
The diff from the datamosh resulted in the following output:
Parece que te gustan estos jueguitos... por que no jugamos uno de verdad? :PB@Bk: ,jB@@B@B@B@BBL. 7G@B@B@BMMMMMB@B@B@Nr :kB@B@@@MMOMOMOMOMMMM@B@B@B1, :5@B@B@B@BBMMOMOMOMOMOMOMM@@@B@B@BBu. 70@@@B@B@B@BXBBOMOMOMOMOMOMMBMPB@B@B@B@B@Nr G@@@BJ iB@B@@ OBMOMOMOMOMOMOM@2 B@B@B. EB@B@S @@BM@GJBU. iSuB@OMOMOMOMOMOMM@OU1: .kBLM@M@B@ B@MMB@B 7@BBMMOMOMOMOMOBB@: B@BMM@B @@@B@B 7@@@MMOMOMOMM@B@: @@B@B@ @@OLB. BNB@MMOMOMM@BEB rBjM@B @@ @ M OBOMOMM@q M .@ @@ @@OvB B:u@MMOMOMMBJiB .BvM@B @B@B@J 0@B@MMOMOMOMB@B@u q@@@B@ B@MBB@v G@@BMMMMMMMMMMMBB@5 F@BMM@B @BBM@BPNi LMEB@OMMMM@B@MMOMM@BZM7 rEqB@MBB@ B@@@BM B@B@B qBMOMB@B@B@BMOMBL B@B@B @B@B@M J@@@@PB@B@B@B7G@OMBB. ,@MMM@qLB@B@@@BqB@BBv iGB@,i0@M@B@MMO@E : M@OMM@@@B@Pii@@N: . B@M@B@MMM@B@B@B@MMM@@@M@B @[email protected]@MBB@B@B@@BM@::B@B@ B@@@ .B@B.:@B@ :B@B @B@O :0 r@B@ B@@ .@B@: P: vMB :@B@ :BO7 ,B@B
Translation:
"It seems you like these little games... Why don't we play a real one?"
A Python 2 script to extract the modified bytes from the datamoshed Volskaya screenshot was posted at: https://gist.github.com/synap5e/27635d2ff6f0e3b15f0c902dca2974a9
No further progress was made until August 23rd.
Overwatch Forums Glitching Page/ "Skycoder"
A user named 'Skycoder' posted an ominous topic on the official Overwatch forums.
The title of the topic was binary that decodes to "23", a reference to Sombra, who was to be the 23rd Overwatch hero. The post's displayed age started at 23 hours and counted down rather than up.
Visiting this forum post led the webpage to glitch and distort. The page turned a hue of purple before opening a text box stating:
"la que tiene la información; tiene el poder"
Translated to English:
"She who has the information, has the power"
and displaying another code:
ICAgICAgICAgICAgICAgICAgICAgICAgICA6UEKPQms6CiAgICAgICAg ICAgICAgICAgICAgICAsakKIQEJAQkBCQEJCTC4KICAgICAgICAgICAg ICAgICAgIDdHlkKTQpVCTU1NTU1CQEJAQkBOcgogICAgICAgICAgICAg ICA6a0KSQpCIl01NT01PTU9NT01NTU2MQphCQEIxLAogICAgICAgICAg IDo1kUKNQphCiEJCTU1PTU9NT01PTU9NT01NipJuQm5CQEJCdS4KICAg ICAgICA3MG6GlUKIQpJClEJYQkJPTU9NT01PTU9NT01NQk1QQphCiEJA QkBCQE5yCiAgICAgIEeYlpdCSiBpQohCh4ggIE9CTU9NT01PTU9NT01P TZYyICBCj0JAQi4gRUJAQkBTCiAgICAgIJKWQk2HR0pCVS4gIGlTdUKI T01PTU9NT01PTU9NTZdPVTE6ICAua0JMTYhNhkKXCiAgICAgIEKMTU1C mUIgICAgICAgN4hCQk1NT01PTU9NT01PQkKWOiAgICAgICBCh0JNTYhC CiAgICAgII2YiEKKQiAgICAgICAgIDeSlkBNTU9NT01PTU1AQkA6ICAg ICAgICAgQEBCQEJACiAgICAgII+ST0xCLiAgICAgICAgICBCTkKPTU1P TU9NTY9CRUIgICAgICAgICAgckJqTYRCCiAgICAgIJBAICBAICAgICAg ICAgICBNICBPQk9NT01NQHEgIE0gICAgICAgICAgLkAgIEBACiAgICAg IISVT3ZCICAgICAgICAgICBCOnWMTU1PTU9NTUJKaUIgICAgICAgICAg LkJ2TUBCCiAgICAgIIRCkUKYSiAgICAgICAgIDCRQpdNTU9NT01PTUKV QkB1ICAgICAgICAgcUBAQEJACiAgICAgIEKETUJCjHYgICAgICAgR4+L Qk1NTU1NTU1NTU1NQkKINSAgICAgICBGhEJNTUBCCiAgICAgIIdCQk1/ QlBOaSAgIExNRUKFT01NTU2PQoNNTU9NTYpCWk03ICAgckVxQodNQkKE CiAgICAgIEKYloRCTSAgQm1ChEIgIHFCTU9NQpBChUKEQk1PTUJMICBC QEJAQiAgQEJAQkBNCiAgICAgICBKlm2GhFBCj0KEQplCN0eIT01CQi4g ICAsQE1NTUBxTEJAQkBAQEJxQkBCQnYKICAgICAgICAgIGlHQpUsaTCE TZZCbk1NT4tFICA6ICBNQE9NTUBAQEJAUGlpQEBOOgogICAgICAgICAg ICAgLiAgIEKXTZBCj01NTUBCQEJAQkBNTU1AQEBNQEIKICAgICAgICAg ICAgICAgICBAQkBCLmlATUJCQEJAQkBAQk1AOjpCQEJACiAgICAgICAg ICAgICAgICAgQkBAQCAuQkBCLjpAQkAgOkJAQiAgQEJATwogICAgICAg ICAgICAgICAgICAgOjAgckBCQCAgQkBAIC5AQkA6IFA6CiAgICAgICAg ICAgICAgICAgICAgICAgdk1CIDpAQkAgOkJPNwogICAgICAgICAgICAg ICAgICAgICAgICAgICAsQkBCCg==
ASCII Skull #2
The code was recognized as Base64 (the spaces above are line-wrapping artifacts of the transcription and must be removed before decoding). Decoding it produced a second ASCII skull; because many of the decoded bytes fall in the 0x80-0x9F range, the rendering below depends on the viewer's character set:
:PB.Bk: ,jBˆ@B@B@B@BBL. 7G–B“B•BMMMMMB@B@B@Nr :kB’B.ˆ—MMOMOMOMOMMMMŒB˜B@B1, :5‘B.B˜BˆBBMMOMOMOMOMOMOMMŠ’nBnB@BBu. 70n†•BˆB’B”BXBBOMOMOMOMOMOMMBMPB˜BˆB@B@B@Nr G˜–—BJ iBˆB‡ˆ OBMOMOMOMOMOMOM–2 B.B@B. EB@B@S ’–BM‡GJBU. iSuBˆOMOMOMOMOMOMM—OU1: .kBLMˆM†B— BŒMMB™B 7ˆBBMMOMOMOMOMOBB–: B‡BMMˆB .˜ˆBŠB 7’–@MMOMOMOMM@B@: @@B@B@ .’OLB. BNB.MMOMOMM.BEB rBjM„B .@ @ M OBOMOMM@q M .@ @@ „•OvB B:uŒMMOMOMMBJiB .BvM@B „B‘B˜J 0‘B—MMOMOMOMB•B@u q@@@B@ B„MBBŒv G.‹BMMMMMMMMMMMBBˆ5 F„BMM@B ‡BBM.BPNi LMEB…OMMMM.BƒMMOMMŠBZM7 rEqB‡MBB„ B˜–„BM BmB„B qBMOMB.B…B„BMOMBL B@B@B @B@B@M J–m†„PB.B„B™B7GˆOMBB. ,@MMM@qLB@B@@@BqB@BBv iGB•,i0„M–BnMMO‹E : M@OMM@@@B@Pii@@N: . B—M.B.MMM@B@B@B@MMM@@@M@B @[email protected]@MBB@B@B@@BM@::B@B@ B@@@ .B@B.:@B@ :B@B @B@O :0 r@B@ B@@ .@B@: P: vMB :@B@ :BO7 ,B@B
The rendering above should not be used for decoding anything; it only shows that the payload is a skull. Bytes in the 0x80-0x9F range are displayed differently (or dropped) depending on the character set in use, so copying the text loses information. The actual method is simpler.
First, strip both skulls of spaces and newlines, in Notepad++ or any reasonably capable text editor, so that each becomes a single line of bytes with no whitespace. (The resulting strings are too long to show here.)
Then subtract the two strings byte by byte (second skull minus first skull) and keep only the positions where the difference is not zero. A user on the Game Detectives Discord wrote a C program, hosted on Pastebin, to automate this; compiling it and reading the source shows exactly what is needed.
The non-zero differences, read as ASCII, give this string:
OHVSURPHWLXQMXHJR...FUHRTXHXVWHGHVORVGHWHFWLYHVGHMXHJRVOROODPDULDQXQWUDLOKHDG?EOCJGDXVD-DPEDV-FDODYHUDV.KWPO
This string was recognized as a Caesar cipher. Shifting every letter forward 23 places (the same as shifting back 3) gives:
LESPROMETIUNJUEGO...CREOQUEUSTEDESLOSDETECTIVESDEJUEGOSLOLLAMARIANUNTRAILHEAD?BLZGDAUSA-AMBAS-CALAVERAS.HTML
With spacing and accents restored, the message reads:
Les prometí un juego... creo que ustedes los Detectives de Juegos lo llamarían un trailhead? BLZGDAUSA-AMBAS-CALAVERAS.HTML
When translated from Spanish to English:
I promised you a game...I believe you Game Detectives would call it a trailhead? BLZGDAUSA-AMBAS-CALAVERAS.HTML
"USA-AMBAS-CALAVERAS" translates to "USE-BOTH-SKULLS", and the .HTML extension hinted at a URL.
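The "use both skulls" procedure, as an added example that is not part of the original page, run on the first six rows of each skull. The skull 1 rows are taken from the page's text above; the skull 2 rows are the bytes obtained by Base64-decoding the forum code (the page's rendering of skull 2 cannot be used, because bytes in the 0x80-0x9F range have no portable glyph). The code strips whitespace, subtracts byte-wise, keeps the non-zero differences and applies the 23-place Caesar shift; the same code run over the complete skulls yields the full string above.

```python
# Skull 1: first six rows of the Volskaya diff output, as transcribed on the page.
SKULL1_ROWS = [
    ":PB@Bk:",
    ",jB@@B@B@B@BBL.",
    "7G@B@B@BMMMMMB@B@B@Nr",
    ":kB@B@@@MMOMOMOMOMMMM@B@B@B1,",
    ":5@B@B@B@BBMMOMOMOMOMOMOMM@@@B@B@BBu.",
    "70@@@B@B@B@BXBBOMOMOMOMOMOMMBMPB@B@B@B@B@Nr",
]
# Skull 2: the same six rows, as raw bytes from Base64-decoding the forum code.
SKULL2_ROWS = [
    b":PB\x8fBk:",
    b",jB\x88@B@B@B@BBL.",
    b"7G\x96B\x93B\x95BMMMMMB@B@B@Nr",
    b":kB\x92B\x90\x88\x97MMOMOMOMOMMMM\x8cB\x98B@B1,",
    b":5\x91B\x8dB\x98B\x88BBMMOMOMOMOMOMOMM\x8a\x92nBnB@BBu.",
    b"70n\x86\x95B\x88B\x92B\x94BXBBOMOMOMOMOMOMMBMPB\x98B\x88B@B@B@Nr",
]


def flatten(rows):
    """Join the rows and drop every whitespace byte, as the solvers did."""
    joined = b"".join(r.encode("latin-1") if isinstance(r, str) else r for r in rows)
    return bytes(b for b in joined if b not in b" \t\r\n")


def skull_diff(rows_a, rows_b):
    """Byte-wise (b - a) mod 256 over the flattened skulls, keeping non-zero
    differences; for the ARG data those differences are ASCII letters."""
    a, b = flatten(rows_a), flatten(rows_b)
    if len(a) != len(b):
        raise ValueError(f"skulls differ in length after stripping: {len(a)} vs {len(b)}")
    out = bytearray()
    for x, y in zip(a, b):
        d = (y - x) % 256
        if d:
            out.append(d)
    return out.decode("ascii")


def caesar(text, shift):
    """Shift ASCII letters by `shift` places; everything else passes through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    hidden = skull_diff(SKULL1_ROWS, SKULL2_ROWS)
    print(hidden)             # OHVSURPHWLXQMXHJR...FUHRTXH
    print(caesar(hidden, 23)) # LESPROMETIUNJUEGO...CREOQUE
```

The length check matters in practice: a single dropped or added byte (for example a row copied with a trailing space, or a character mangled by a different code page) shifts every later difference and turns the rest of the output into noise.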
Skull Video
BLZGDA refers to Blizzard's media host, blzgdapipro-a.akamaihd.net (the host of the screenshot URL found earlier); the full URL is:
https://blzgdapipro-a.akamaihd.net/media/screenshot/usa-ambas-calaveras.html
This link leads to a video which clearly shows an image of a skull, along with a dossier of info:
The video's metadata contains:
Parecen estar muy interesados en estos "héroes". ¿Tal vez les interese conocer algunos detallitos que he averiguado sobre ellos? You seem to be very interested in these "heroes". Perhaps you would like to know a few little details I have found out about them?
There is also a heartbeat monitor in the video - by looking at which lines it "pings" on, and by assigning letters to these lines, players uncovered the following string:
momentincrime
amomentincrime E-mail
'momentincrime' appeared to refer to the Roadhog and Junkrat video A Moment in Crime, released months before Overwatch itself. However, a website, amomentincrime.com, was also found, which displayed the following text:
...Estableciendo conexión... ...Protocolo Sombra v1.3 iniciado... ...Infiltrando la respuesta automática del email de pistas... ...Terminando conexión...
Translated: ...Establishing connection... ...Sombra Protocol v1.3 initiated... ...Infiltrating the hint e-mail auto-reply... ...Ending connection...
It was discovered that sending an e-mail to [email protected] resulted in an automated response via email:
Thank you for contacting A Moment in Crime's anonymous crime line! We have analyzed your submission and forwarded the information to the relevant parties. Your help could be vital in apprehending these cri ...Estableciendo conexión... ...Protocolo Sombra v1.7 iniciado... 01:07:47 02:02:02 01:08:06 02:13:43 01:18:32 01:18:21 02:10:19 01:06:21 02:05:18 01:04:02 01:07:08 02:18:25 01:13:04 02:19:20 01:23:02 01:16:40 02:16:35 01:23:04 02:17:16 01:06:42 01:13:29 02:18:06 01:05:02 02:15:41 01:08:34 j.7F57O,NLv:qj.7B:,1qv@B1j5ivB:, ...Terminando conexión... minals and bringing them to justice. These fugitives are responsible for a string of robberies, arson, and other crimes stretching from Sydney to King's Row. Authorities believe that they have set their sights on crossing the Atlantic to America.
If the timestamp-looking numbers are read as AA:BB:CC, where AA is the skull number (1 or 2), BB the row and CC the column, picking those characters out of the two skulls fills a 5x5 table:
S j G B L
. @ M O k
i , v : 0
E 7 r q N
J P 5 F 1
This square was used as a key to decode the string below the table, using the Bifid cipher:
Ciphertext:
j . 7 F 5 7 O , N L v : q j . 7 B : , 1 q v @ B 1 j 5 i v B : ,
Row and column of each character in the square:
12 21 42 54 53 42 24 32 45 15 33 34 44 12 21 42 14 34 32 55 44 33 22 14 55 12 53 31 33 14 34 32
The 64 digits split into a first half (rows) and a second half (columns):
1 2 2 1 4 2 5 4 5 3 4 2 2 4 3 2 4 5 1 5 3 3 3 4 4 4 1 2 2 1 4 2
1 4 3 4 3 2 5 5 4 4 3 3 2 2 1 4 5 5 1 2 5 3 3 1 3 3 1 4 3 4 3 2
Reading the two halves in parallel gives the plaintext coordinates:
11 24 23 14 43 22 55 45 54 34 43 23 22 42 31 24 45 55 11 52 35 33 33 41 43 43 11 24 23 14 43 22
SOMBr@1NF:rM@7iON1SP0vvErrSOMBr@
The phrase is leet-speak; when translated, it becomes:
Sombra Information is power Sombra
The string SOMBr@1NF:rM@7iON1SP0vvErrSOMBr@ was used as a password later in the ARG.
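The Bifid step, as an added example that is not from the original page: the key square is the 5x5 table above (built from the two skulls), and the decryption is the standard Bifid inverse with the period equal to the whole message, which is exactly the digit-splitting shown in the worked table. An encryption routine is included so the result can be checked by round-tripping; both reject a square that does not hold 25 distinct symbols, since a repeated symbol would make the coordinate lookup ambiguous.

```python
# The key square from the timestamp coordinates, one string per row.
KEY_SQUARE = [
    "SjGBL",
    ".@MOk",
    "i,v:0",
    "E7rqN",
    "JP5F1",
]
# The string that followed the timestamps in the auto-reply.
CIPHERTEXT = "j.7F57O,NLv:qj.7B:,1qv@B1j5ivB:,"


def positions(square):
    """Map every symbol of a 5x5 square to its (row, column), 0-based."""
    pos = {}
    for r, row in enumerate(square):
        for c, ch in enumerate(row):
            if ch in pos:
                raise ValueError(f"duplicate symbol {ch!r} in key square")
            pos[ch] = (r, c)
    if len(pos) != 25:
        raise ValueError("key square must hold exactly 25 distinct symbols")
    return pos


def bifid_decrypt(square, ciphertext):
    """Bifid with the period equal to the message length."""
    pos = positions(square)
    digits = []
    for ch in ciphertext:
        digits.extend(pos[ch])            # row then column, as in the worked table
    n = len(ciphertext)
    rows, cols = digits[:n], digits[n:]   # first half = rows, second half = columns
    return "".join(square[r][c] for r, c in zip(rows, cols))


def bifid_encrypt(square, plaintext):
    """Inverse of bifid_decrypt: rows of all letters, then columns, read in pairs."""
    pos = positions(square)
    rows = [pos[ch][0] for ch in plaintext]
    cols = [pos[ch][1] for ch in plaintext]
    stream = rows + cols
    return "".join(square[stream[i]][stream[i + 1]] for i in range(0, len(stream), 2))


if __name__ == "__main__":
    plain = bifid_decrypt(KEY_SQUARE, CIPHERTEXT)
    print(plain)                                        # SOMBr@1NF:rM@7iON1SP0vvErrSOMBr@
    print(bifid_encrypt(KEY_SQUARE, plain) == CIPHERTEXT)
```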
A Moment in Crime Transmission
Once the 23-hour countdown on the Skycoder forum post reached zero, amomentincrime.com was updated. It now read:
...Estableciendo conexión... ...Protocolo Sombra v1.9 iniciado... ...Transmitiendo información a ómnicos activos... 2% ...Terminando conexión...
Translating the text on the page from Spanish to English:
...Establishing connection... ...Sombra Protocol v1.9 initiated... ...Transmitting information to active omnics... 2% ...Ending connection...
A comment was added in the source code:
Bien hecho, ya tienen mi clave. Hackear este programa de televisión no tuvo chiste. Espérense a lo que sigue. Well done, you have my password. Hacking this television program was no challenge. Wait for what comes next.
The percentage on amomentincrime.com slowly increased over time. Once the 5% milestone was hit, the Sombra Protocol version number changed to v1.95. Afterwards, the percentage increased by 0.0038% every 3 minutes.
Another comment was added to the source code as well:
Parece que se están calentando un poco las cosas... tendré que pasar desapercibida mientras esto se finaliza. It seems things are heating up a bit... I'll have to go unnoticed while this is finishing.
On 18th October at 19:02 GMT the site reached 100%, and the site updated, leaving this message:
...Transmisión finalizada - finalizando carga... ...Carga finalizada. Unidad Bastion E-54 comprometida...
Which roughly translates to:
...Transmission complete - finalizing upload... ...Upload complete. Bastion unit E-54 compromised...
Hidden in the source code of the site was v1.4.0.2.324??, which matched the version number of the next Overwatch patch. Accordingly, the next clue was expected, and found, in the game itself.
Sombra vs. LumériCo
The Hacked Bastion
On 2016-10-19 a new Overwatch version was released, 1.4.0.2.32448, and the source of https://www.amomentincrime.com was updated shortly afterwards to replace the two ?s with the matching digits. Players discovered that Bastion had a strange interaction on the Dorado map: standing next to one of the SOMBRA PROTOCOL terminals, he emitted a series of beeps.
The beeps were, in fact, Morse code, which decoded to the following:
SQOFJFBNITIZWGDXSDO
Using the letters of the string SOMBr@1NF:rM@7iON1SP0vvErrSOMBr@ (non-letters dropped, which gives the key SOMBrNFrMiONSPvvErr, exactly the length of the ciphertext) as a Vigenère key, the string decoded to:
ACCESSWWWLUMERICOMX
This led to the website https://lumerico.mx/.
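Both Vigenère steps on this page (the achievement hint decrypted with the hero-name passphrase, and the Bastion Morse string decrypted with the Sombra key) are the same operation, given here as an added example that is not from the original page. The routine advances the key only on letters, leaves digits, spaces and punctuation untouched, keeps the case of each ciphertext letter, and ignores non-letter characters in the key, which is what the hint decryption requires. Both keys and both ciphertexts are copied from the text above.

```python
HERO_KEY = "tracertorbjornwinstonsymmetradvamercybastiongenjimccree"
SOMBRA_KEY = "SOMBr@1NF:rM@7iON1SP0vvErrSOMBr@"   # non-letters are skipped

ACHIEVEMENT_CT = "uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 IS8208O913KRlrx"
BASTION_CT = "SQOFJFBNITIZWGDXSDO"


def key_shifts(key):
    """Shift values 0-25 for each letter of the key; other characters are dropped."""
    return [ord(k.lower()) - ord("a") for k in key if k.isascii() and k.isalpha()]


def vigenere(text, key, decrypt=True):
    """Vigenère over ASCII letters only; the key advances once per letter of
    text, so digits and punctuation neither move nor consume key material."""
    shifts = key_shifts(key)
    if not shifts:
        raise ValueError("key contains no letters")
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            k = shifts[i % len(shifts)]
            if decrypt:
                k = -k
            out.append(chr((ord(ch) - base + k) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(vigenere(ACHIEVEMENT_CT, HERO_KEY))
    # blzgdapiproaakamaihdnetmediascreenshot 5552E494 78B3 4CE9 ACF6 EF8208F913CFjpg
    print(vigenere(BASTION_CT, SOMBRA_KEY))
    # ACCESSWWWLUMERICOMX
```

Note that the 55-letter hero passphrase is longer than the 53 letters of the achievement ciphertext, so the key never wraps; the Sombra key, stripped of symbols, is 24 letters and only its first 19 are used for the Bastion string, which is why the page quotes the key as SOMBrNFrMiONSPvvErr.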
LuméReaction
The LumeriCo website was for fictional Mexican company LumériCo, who had built several reactors in Dorado. The website had a news page, noting the imminent opening of a new reactor on November 1 as well as a recent attack on the construction site. There were also About and Login pages.
A few extra text files were also found, none of them serving any apparent purpose:
Allow: omnics
This is the site's robots.txt, a joke on the Robots exclusion standard: robots.txt tells crawlers which parts of a site they may and may not fetch (a common use is keeping Googlebot from indexing a site). Here Blizzard instead allows omnics, the fictional race of robots in the Overwatch universe.
Allow: ?? Allow: ???
This second file (omnics.txt, which is updated later in the ARG) seemed to be another joke in the same style.
{"message":"thanks for calling the api"}
One final joke: this so-called "API" had no practical purpose.
Phone Number
At the bottom of the LumériCo website a phone number was found: (510) 766-2726. ARG players who called it heard a woman speaking in Spanish, reading out a string of numbers: 5-2-4-1-3 (pause) 23-4-14-8-6-18-17-23-21-18-15.
The second group maps to letters (a=1, b=2, and so on) as WDNHFRQWURO; shifting each letter forward 23 places (ROT-23) turns this into TAKECONTROL. The first group, 5 2 4 1 3, is a key used below.
Take Control
The phone message led to a more significant page on the site: https://lumerico.mx/TAKECONTROL/index.html. It was styled the same way as amomentincrime.com and featured Sombra's skull icon, in a file named calavera.png (Spanish for "skull", associated with the Mexican Day of the Dead). The page also carried a block of text:
ethldtíoíesnoemfetuylm.bnlsssqtann)hcnslararuCpdGeoopéqubdsroaan.arnasdmdor1vrsmerñerlsdacnnnoaexedsidcn.iarsgcyi,iqeqnd.pooitoaeaaransterLetéáedasodocMrnseeiuCsimnosetlójnueodacapsadcoanfasest.rnucaodacadmdoemoipíogPoipbehaSussai.,yccandin.reueatenaoiorneoeetaoéyenimt¿rPehec,uurobudeílrysriteenasni,adngpjrálireecgrolsmhYnao?nmonomepeldezmapcpunoaulrrruCstmeitltetlróesoapsdéyufcuascaa,rensbuinergnqedlmvlbpdtaz.enebuineuldoerecrGefqfirrasulrbeatHsilnbaúaeeaaooassraooa,ioedo:aLiuielPr ursmoootlnielteeánlosulobeauaanopearrúiesltéyrosssisuaaeaenremsieaismdjmolrsspebiecdéyusittnvrcacp.taebrtLiunróporner eúcrneuyraarsettsyrseen.aaPnrneuyraeastuCpnhl/wLloaloa.qartlsyuínreute.evgdpiuábdmPooucvdeccmoreurr.o?unriorydbaSnalegeáezadienáutalaaioeemfcbgdinableoc¿éppoeocelsumuoaHearsosqadrrrftuLiorannnoneneriiatcnlomoqnaqdunrcno,enmerosaereisloabolii.e.dormerosepopdé,eo:r#5scoegaqoeaibs(edioraamtdírnlyoetjcgratmnrrobnrsstloeYqoeocicpnómlpernmaepogenmodqamubodnaeasuaenMoolloupeqvgrLtúr tsosrdvoeaerroaeusdmaauamoMobsnaeanraunnt,roierbeoiemaodbmantursotñauoureeuoerreopc.etlr sotñneerLimeaFsNJ
This is a columnar transposition cipher with the key 5 2 4 1 3 obtained from the phone call. The result (spaced out for clarity):
Los felicito por haber llegado hasta aquí. Solo quería saber si estaban listos. (Hey, es muy difícil encontrar buena ayuda últimamente...deberían ver algunos de los payasitos que están trabajando conmigo) Por ahora, continuemos con el verdadero reto: acabar con LumériCo y su president e Guillermo Portero. ¿Y porqué? Porque es un hombre codicioso, corrupto y un ladrón abominable. Su plan de traer en línea el más grande y el más poderoso zigurat el 1 de noviembre no es nada más que una artimaña, un elaborado plan designado para ejercer aún más influencia sobre la gente de México y en gordar los bolsillos de sus compinches. ¿Y quién va a pagar por eso? La gente común y corriente, los mismos que siempre quedan olvidados. He empezado a mejorar mis protocolos para que sean usados para derrumbar la infraestructura de LumériCo y Los Muertos también están intentando levantarse en contra de la corrupción. Mientras tanto, escarben por el sitio de LumériCo y busquen información que podamos usar en contra del cabrón, mejor aún, encuentren su nombre de usuario y contraseña para asegurarnos de que ciertos detalles no muy favorables sobre el presidentito...aparezcan... Pude encontrar el nombre de usuario y contraseña de un empleado de soporte de LumériCo, empiecen por ahí: GFlores/g#fNwP5qJ
Translated:
Congratulations on getting this far. I just wanted to know whether you were ready. (Hey, it's really hard to find good help these days... you should see some of the clowns I have working with me.) For now, let's get on with the real challenge: taking down LumériCo and its president Guillermo Portero. Why? Because he is a greedy, corrupt man and an abominable thief. His plan to bring the biggest and most powerful ziggurat online on November 1 is nothing more than a ploy, an elaborate scheme designed to exert even more influence over the people of Mexico and fatten the pockets of his cronies. And who is going to pay for that? Ordinary people, the same ones who are always forgotten. I have started upgrading my protocols so they can be used to bring down LumériCo's infrastructure, and Los Muertos are also trying to rise up against the corruption. In the meantime, dig through the LumériCo site and look for information we can use against the bastard; better still, find his username and password so we can make sure certain not-so-favourable details about our little president... surface... I was able to find the username and password of a LumériCo support employee, start there: GFlores/g#fNwP5qJ
Presidential Login
Using these credentials on the LumériCo login page (https://lumerico.mx/login), players accessed the account of Gonzalo Flores, including his emails, of which players archived transcripts.
Here is the only email that held relevance to the ARG:
De: Valeria Valderrama <[email protected]>
Para: Gonzalo Flores <[email protected]>
Asunto: Página de Guillermo
Hola, Gonzo: ¿Puedes ver el tráfico de https://lumerico.mx/president-bypass? Guillermo debería ser el único accediendo desde su página de inicio privada, pero parece que está teniendo mucho tráfico. Tal vez tengamos que escalar esto a la señorita Jiménez, pero quiero estar segura de que es digno de su tiempo. Valeria Valderrama
Translated: Subject: Guillermo's page. Hi Gonzo, can you look at the traffic to https://lumerico.mx/president-bypass? Guillermo should be the only one accessing it, from his private home page, but it seems to be getting a lot of traffic. We may have to escalate this to Ms. Jiménez, but I want to be sure it is worth her time. Valeria Valderrama
The email references a lot of traffic to the President Bypass link. That page displays an "access denied" message, but its source contains the line President Auth-Bypass Revision 1.02: /.git/.
This led players to fetch the exposed /.git/ directory (its refs and objects are served as ordinary static files), reconstruct the site's code-behind files from it and upload them to GitHub. Among them were class.authentication.php, containing the password encryption function, and class.president-bypass.php, containing the president's (Guillermo Portero) username GPortero and encrypted password ?MzY:MTI5:?AzY:OWM?:?EDO:ZGU?:jVTM:MTJm:2ITM:MTUw:?QjY:OWY?:?kTO:MTQx:?MzY.
ARG players with technical knowledge wrote a function that reversed the encryption from class.authentication.php and applied it to the encrypted password, which came out as Xy@4+Bkuqd<53uJ.
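The exposed .git directory is the one genuine web-security finding in the ARG (a real site would leak its source, and any secrets in it, the same way), so here is an added example, not from the page or from the players' tooling, of how such a dump is read: .git/HEAD names a ref, the ref file holds a commit SHA, and each loose object lives at objects/xx/yyyy... as a zlib-compressed "type size\0content" record whose SHA-1 must equal its path. The sample repository (one HEAD, one ref, one commit and one blob) is constructed inside the example, and the PHP content is a placeholder, not the real class.authentication.php; packed objects (.git/objects/pack) are not handled.

```python
import hashlib
import re
import zlib


def make_loose_object(obj_type, content):
    """Encode content the way git stores a loose object; returns (sha, zlib bytes)."""
    raw = obj_type + b" " + str(len(content)).encode() + b"\x00" + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def loose_object_path(sha):
    """Path of a loose object below .git/, e.g. objects/ab/cdef..."""
    return f"objects/{sha[:2]}/{sha[2:]}"


def read_loose_object(compressed, expected_sha=None):
    """Inflate a loose object, validate its header and (optionally) its SHA-1."""
    raw = zlib.decompress(compressed)
    header, sep, content = raw.partition(b"\x00")
    if not sep:
        raise ValueError("malformed loose object: no header terminator")
    obj_type, size = header.split(b" ", 1)
    if int(size) != len(content):
        raise ValueError("malformed loose object: size mismatch")
    if expected_sha is not None and hashlib.sha1(raw).hexdigest() != expected_sha:
        raise ValueError("object hash does not match its path; tampered or corrupt")
    return obj_type.decode("ascii"), content


def parse_head(head_text):
    """('ref', 'refs/heads/master') for a symbolic HEAD, ('sha', ...) for detached."""
    head_text = head_text.strip()
    if head_text.startswith("ref: "):
        return "ref", head_text[5:]
    if re.fullmatch(r"[0-9a-f]{40}", head_text):
        return "sha", head_text
    raise ValueError("not a git HEAD file")


def walk_exposed_git(fetch):
    """Follow HEAD -> ref -> commit -> tree id using fetch(path), a callable
    that returns the bytes served under /.git/<path>, or None if absent."""
    head = fetch("HEAD")
    if head is None:
        return {"exposed": False}
    kind, value = parse_head(head.decode("ascii"))
    commit_sha = value if kind == "sha" else fetch(value).decode("ascii").strip()
    data = fetch(loose_object_path(commit_sha))
    if data is None:
        raise ValueError("commit object not served as a loose object (packed?)")
    obj_type, body = read_loose_object(data, commit_sha)
    if obj_type != "commit":
        raise ValueError(f"HEAD points at a {obj_type}, not a commit")
    tree_sha = re.match(rb"tree ([0-9a-f]{40})\n", body).group(1).decode("ascii")
    return {"exposed": True, "commit": commit_sha, "tree": tree_sha}


# --- Constructed sample repository (NOT the real LumériCo site) ---------------
PLACEHOLDER_PHP = b"<?php\n// constructed placeholder, not the real class.authentication.php\n"
BLOB_SHA, BLOB_ZLIB = make_loose_object(b"blob", PLACEHOLDER_PHP)
TREE_SHA = "0" * 40   # stand-in tree id; the walker only reads it out of the commit
COMMIT_SHA, COMMIT_ZLIB = make_loose_object(
    b"commit", b"tree " + TREE_SHA.encode() + b"\nauthor example 0 +0000\n\nsample\n"
)
SAMPLE_SITE = {
    "HEAD": b"ref: refs/heads/master\n",
    "refs/heads/master": COMMIT_SHA.encode() + b"\n",
    loose_object_path(COMMIT_SHA): COMMIT_ZLIB,
    loose_object_path(BLOB_SHA): BLOB_ZLIB,
}


def sample_fetch(path):
    """Stands in for an HTTP GET of https://<host>/.git/<path>."""
    return SAMPLE_SITE.get(path)


if __name__ == "__main__":
    print(walk_exposed_git(sample_fetch))
    print(read_loose_object(sample_fetch(loose_object_path(BLOB_SHA)), BLOB_SHA))
```

Against a live target, fetch would be an HTTP client and the tree object would be parsed next to learn file names and blob ids; the hash check is what tells you whether the server handed back a real object or an error page with a 200 status.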
After logging in to the President's account, players were able to read his emails. After 30 minutes, another email appeared in the President's inbox, from Sombra herself:
Veo que se han podido infiltrar en su correo. No se preocupen, él no puede ver este correo, lo he ocultado de su vista si se conecta desde una de sus direcciones conocidas de IP. Necesito un poco más de tiempo para establecer el próximo grupo de protocolos. Manténganse atentos a principios de la otra semana. Le echaré unos cuantos trapitos sucios en sus correos para que se filtren al público "accidentalmente". Ya veremos como reaccionan los medios de comunicación.
Translated:
I see you have managed to get into his mail. Don't worry, he can't see this email; I've hidden it from him whenever he connects from one of his known IP addresses. I need a little more time to set up the next group of protocols. Keep an eye out early next week. I'll drop a few pieces of dirty laundry into his emails so that they "accidentally" leak to the public. We'll see how the media react.
Admin Access
On October 25, new emails were discovered in the GFlores account, but they had no immediate significance to the ARG. In addition, omnics.txt was updated:
Allow: Tzolk'in Allow: Imix ChikchanManik Imix ChikchanImixChikchanImix Manik Chikchan Imix Kimi Chikchan Chikchan Kimi ChikchanImixChikchanImix ChikchanKimi
Tzolk'in is the name of the Maya 260-day calendar, and the second line is a sequence of its day names: Imix is day 1, Chikchan day 5, Kimi day 6 and Manik day 7. Turned into digits, keeping the original spacing, the line reads 1 57 1 5151 7 5 1 6 5 5 6 5151 56. Writing each digit as a Maya numeral (a dot per unit and a bar per five, with the dots coming before the bar once the numeral is laid on its side) and reading dots and bars as Morse code gives . -..- . -.-. ..- - . .- - - .- -.-. -.-, which decodes to EXECUTEATTACK.
This led players to https://lumerico.mx/EXECUTEATTACK/index.html, where the following text was found:
Ha llegado el momento. Esos correos expuestos la verdad sobre Portero, iniciado la revuelta, y hemos convencido a la gente de México a apoyar nuestra causa. Ahora es el momento para el golpe. Convertiremos su preciada inauguración el 1 de noviembre en un gran movimiento en su contra. Necesito que hagan una cosa: Consigan acceso al correo del jefa de seguridad y busquen alguna forma de ayudarme en el ataque. Es posible que lo vean contactando a Portero pronto. He cambiado su contraseña a: d0r*NuLw9
Translated to English:
The moment has come. Those emails exposed the truth about Portero, started the revolt, and have convinced the people of Mexico to support our cause. Now it is time to strike. We will turn his precious November 1 inauguration into a great movement against him. I need you to do one thing: get access to the head of security's email and look for some way to help me in the attack. You may see her contacting Portero soon. I have changed her password to: d0r*NuLw9
Logging in with the credentials MJimenez / d0r*NuLw9 gave access to the LumériCo admin panel. Until 1 November 2016 it stayed inactive; any command was answered with the same message saying the terminal had disconnected.
The Terminal
Once the console became usable, players could type help to see a list of commands:
override   Engineer safety mode override
help       Provides help information about commands
version    Displays system version information
about      Displays information about the system
grep       Search output by string
In the MJimenez email account there was an email titled Corrupción de correo electrónico ("Email corruption") with the text /ter/ highlighted inside it. Players eventually discovered that about | grep 'ter' (as in a Unix shell, this keeps only the lines of about's output that contain the substring ter) returns:
Open source lightweight shell for any terminal. Anything with a terminal 1.1.0 - expanded terminal support
The first word of each output line was shown in bold purple. Put together they read OpenAnything1.1.0, which was needed shortly afterwards.
Another available terminal command was override. After typing override, the console prompted ARG players with three security questions:
- Favorite Movie. The answer to the prompt is some like it bot, a movie from the Overwatch universe.
- Favorite Cookie Flavor. The answer is nuevas sabor delicias, a flavor referenced in an email in the MJimenez account.
- Secret. The answer to this prompt is OpenAnything1.1.0.
This returned OK, gave players admin access, and enabled a new set of commands:
ls     Lists files by path
cat    Read file by path
exec   Execute a file
Typing ls listed two files: payload and d_ilqh_nhb.html (applying ROT23 to the file name, i.e. shifting each letter by 23 or equivalently back by three, gives a_fine_key). cat mnt/d_ilqh_nhb.html yielded a text in which ASCII characters (the repeating string vhnl tldv xyl vcxelo xv qhrtv. zkolg[nl]) were arranged in the shape of a key. Deciphering it using the Affine cipher (A=23, B=23) yielded the string some keys are shaped as locks. index[me]. It is assumed that the line some keys are shaped as locks alluded to the Tracer Trail ciphertext being used as a key.
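As an added example (not part of the original wiki page, nor of any of the community tools linked below), the following Python reproduces both decryptions above: the ROT23 file name and the affine-cipher key text with A=23, B=23. It goes one step beyond the page by also brute-forcing all 312 valid affine keys and ranking the results with a crude English-word score, which is how a solver would proceed before the key is known. The two ciphertexts are copied from the page; the word list is a small constructed one and is not tailored to the expected plaintext.

```python
import re
from math import gcd

# Ciphertexts as given on the page (the file name and the key-shaped text).
FILENAME_CT = "d_ilqh_nhb"
KEY_SHAPE_CT = "vhnl tldv xyl vcxelo xv qhrtv. zkolg[nl]"

# Constructed list of frequent English words, used only to rank brute-force
# candidates. It deliberately does not include "shaped", "locks" or "index".
COMMON_WORDS = {
    "the", "and", "are", "as", "is", "of", "to", "in", "it", "that", "for",
    "on", "with", "you", "this", "not", "but", "from", "have", "was", "some",
    "key", "keys", "me", "my", "we", "at", "be", "by", "or", "an", "if",
    "all", "can", "one", "out", "up", "no", "so", "what", "when", "who",
}


def modinv(a, m=26):
    """Multiplicative inverse of a modulo m (extended Euclid); a must be coprime to m."""
    if gcd(a, m) != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    return t0 % m


def affine(text, a, b, decrypt=False):
    """Apply y = a*x + b mod 26 (or its inverse x = a^-1 * (y - b)) to each
    ASCII letter; underscores, spaces, brackets and punctuation pass through."""
    inv = modinv(a)
    out = []
    for ch in text:
        if not ch.isalpha() or ord(ch) > 127:
            out.append(ch)
            continue
        base = ord("A") if ch.isupper() else ord("a")
        x = ord(ch) - base
        y = (inv * (x - b)) % 26 if decrypt else (a * x + b) % 26
        out.append(chr(base + y))
    return "".join(out)


def rot(text, n):
    """ROT-n is the affine cipher with a=1, b=n; ROT23 undoes a shift of three."""
    return affine(text, 1, n)


def score(plaintext):
    """Crude fitness: total letters belonging to tokens that are common English words."""
    tokens = re.findall(r"[a-z]+", plaintext.lower())
    return sum(len(w) for w in tokens if w in COMMON_WORDS)


def brute_force_affine(ciphertext, top=5):
    """Try every valid affine key (12 values of a coprime to 26 times 26 values
    of b) and return the best-scoring (score, a, b, plaintext) tuples."""
    candidates = []
    for a in range(1, 26):
        if gcd(a, 26) != 1:
            continue
        for b in range(26):
            pt = affine(ciphertext, a, b, decrypt=True)
            candidates.append((score(pt), a, b, pt))
    candidates.sort(key=lambda c: (-c[0], c[1], c[2]))
    return candidates[:top]


if __name__ == "__main__":
    print(rot(FILENAME_CT, 23))
    print(affine(KEY_SHAPE_CT, 23, 23, decrypt=True))
    for s, a, b, pt in brute_force_affine(KEY_SHAPE_CT, top=3):
        print(f"score={s:2d} a={a:2d} b={b:2d} {pt}")
```

The brute force is feasible only because the affine keyspace is tiny (a must be invertible modulo 26, leaving 12 choices), which is the same reason a single highlighted hint was enough for solvers to recover the key text by hand.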
At the same time, entering exec payload presented players with a prompt whose answer is the Tracer Trail. When it was entered, players were shown a message very similar to the one previously seen at amomentincrime.com, and the counter shown in the top right was incremented.
Misdirection
On October 1, 2016, the lumerico.mx home page changed to show "glitches" and a black overlay with a message under the purple skull, while the string <!-- MISDIRECTION --> was also added to the page source.
The message says:
Buen trabajo, amigos. No lo hubiera logrado sin su ayuda. En fin, me consiguieron los recursos que necesitaba para mi siguiente golpe – les encantará. Esperen noticias de mí en los próximos días... Les voy a mandar algo para agradecerles… Ojalá lo puedan aprovechar. Dasvidanya amigos
Translated:
Good job, friends. I would not have managed it without your help. Anyway, you got me the resources I needed for my next hit; you'll love it. Expect news from me in the coming days... I'm going to send you something to thank you... Hopefully you can make use of it. Dasvidanya amigos
Note that Dasvidanya is a phonetic transliteration of до свиданья, the Russian phrase for "goodbye". What Sombra sent as a thank-you was a new spray, named "Día de Los Muertos" after the Mexican festival that took place at the same time as the ARG. The spray is currently only available on the PC version of the game.
The MISDIRECTION string led to the page https://lumerico.mx/MISDIRECTION/index.html containing:
...Estableciendo conexión...
...Protocolo Sombra v2.3 iniciado...
...Desviando datos del zigurat de LumériCo hacia el objetivo...
...Descifrando contraseñas del objetivo...
...Acceso otorgado al directorio de volskayaindustries.com...
...boop ;)...
...Terminando conexión...
Translated:
...Establishing connection...
...Sombra Protocol v2.3 initiated...
...Diverting data from the LumériCo ziggurat to the target...
...Deciphering the target's passwords...
...Access granted to the directory of volskayaindustries.com...
...boop ;)...
...Ending connection...
BlizzCon
BlizzCon 2016 opened with the Overwatch short "Infiltration", which depicts Reaper, Widowmaker, and Sombra at Volskaya Industries. During the screening of the short, Sombra's hero page went live, showcasing her abilities and character backstory.
References
Community Resources
A collection of tools and resources made by the Game Detectives Discord community for use in the ARG.
ASCII Skull
ASCII Skull Analysis: https://github.com/bahamas10/sombra
Removing SOMBR@ Analysis: https://pastebin.com/15u27YTC
ASCII Skull Eye Analysis: https://docs.google.com/spreadsheets/d/1-JQpWyitMKYhP-4l8ZDFiJI3NjqRrvoEnRdFQawike8
Google Docs
Observations and Speculations Spreadsheet: https://docs.google.com/spreadsheets/d/1rI08baFQmAwaqHC-9GF9VNGCYjuRE-q4LN9k4ottjuQ/pubhtml
LumériCo Emails and Translations Spreadsheet: https://goo.gl/cQgdIJ (Courtesy of UberPilot)
Tracer Code
GOL! Guesser: https://axxim.net/ow/gol-guesser/
Uber GOL! Guesser: https://axxim.net/ow/gol-guesser/uber/
The Uber GOL! Guesser only prints out UTF-8 compliant results, which makes it easier to identify potentially correct answers.
Bruteforcing tool: https://github.com/glv2/bruteforce-salted-openssl
Third-Party Resources
A collection of third-party tools and resources that the Game Detectives Discord community has used in the ARG.
Image of Reaper
stegdetect (Linux): https://github.com/abeluck/stegdetect
stegdetect is a Linux utility used to determine if a given image may contain encoded information.
JPHide & JPSeek: https://linux01.gwdg.de/~alatham/stego.html
iSteg (Mac OSX): https://www.hanynet.com/isteg/
JPHide & JPSeek is used to hide and find, respectively, a file inside a JPEG image.
iSteg works similarly to JPHide on the Mac OSX platform.
stegbreak (Linux): https://linux.die.net/man/1/stegbreak
stegbreak is used to do brute-force dictionary attacks on JPEG images.
Easter Eggs
The following is a collection of references and Easter Eggs encountered throughout the ARG.
In-Game
Sombra's "Amused" Emote
This character emote features the Skycode, accompanied by soft music resembling the Skysong. Sombra's expression is one of amusement, a nod to the community's prolonged creative attempts to solve a nonexistent puzzle.
Skycode Spray
This character spray features Sombra's iconic skull in front of a compass rose and the Skycode. This is a reference to both the cardinal directions used in one of the puzzles and to the Skycode, which is considered the most significant false lead that solvers encountered.
In-ARG
Espresso Command
There was a hidden command in LumériCo's admin terminal. Inputting the word espresso returned the following message: Coffee Pot Status: Brewed approximately 23 hours ago, currently 0% full
This references a variety of emails found on the LumériCo site involving broken espresso machines and incompetent coffee brewing, which caught the attention of the community and gave way to a vast variety of mediocre jokes. Furthermore, "23 hours" refers to the number 23, which many believed to hold some significance for the ARG, as Sombra would be the 23rd character in Overwatch. Finally, "0%" references the ARG's notable waiting periods, widely criticized by the community, specifically A Moment in Crime's upload percentage.
Due to the iconic purple text it is believed that this hidden command was created by Sombra herself.
Media Appearances
3rd Aug. 2016
[EN] Kotaku - Overwatch Fans Find New Clues About The Mysterious Hero Sombra
[EN] Polygon - Overwatch fans are trying to crack the latest mystery about Sombra
[EN] PCGamesN - Overwatch's Sombra ARG continues with new clues, but no solutions
[EN] Team-Dignitas - Who is Sombra? All facts and clues about Sombra
[FR] Gamewave - UN NOUVEAU CODE CACHÉ DANS LA DERNIÈRE CINÉMATIQUE D'OVERWATCH!
[EN] FollowNews - Overwatch Fans Find New Clues About The Mysterious Hero Sombra
4th Aug. 2016
[EN] PCGamer - Overwatch Summer Games trailer hides a mysterious secret
[SK] Sector - Nové Overwatch video obsahuje ďalšie tajomstvá
[EN] Gamerant - Overwatch Players Uncover More ‘Sombra’ Clues
[HU] Gamestar - Overwatch - újabb nyomok utalnak a még be nem jelentett hősre
5th Aug. 2016
[EN] Kotaku - Days Later, Overwatch Fans Can't Figure Out The 'Sky Code' Mystery
[NL] Gamersnet - Cryptische speurtocht naar Overwatch' nieuwe heldin Sombra gaat bizar diep
[ES] Alfa Beta Juega - Overwatch: El enigma de Sombra sigue ofreciendo nuevos detalles
[EN] IGN (Video) - Sombra: Overwatch's Secret New Hero - Overwatch HQ
7th Aug. 2016
[EN] Gamespresso - Summary of the state of sombra's ARG in Overwatch
8th Aug. 2016
[EN/CN] Zhentoo - Overwatch new hero Secret Dorado hidden mystery
[EN] TechNewsToday - Overwatch: Sombra Continues to Elude Detectives
11th Aug. 2016
[EN] The Know - New Overwatch Hero Hints
12th Aug. 2016
[EN] Kotaku - Overwatch Fans' Sombra Investigation Reaps A Skull Code
14th Aug. 2016
[EN] Gamerant - Skull Code is Latest Clue in Overwatch’s Sombra Investigation
16th Aug. 2016
[EN] Christian Today - 'Overwatch' DLC update: Skull Code the latest clue for Sombra investigation
[EN] Yibada - 'Overwatch' DLC update: New clues on Sombra's inclusion to the roster revealed
23rd Aug. 2016
[EN] Tech News Today - Overwatch: All We Know About the Sombra ARG
24th Aug. 2016
[EN] Gamerant - Overwatch Forums Glitch Out, Reveals Hidden Message From Sombra
[EN] Gamerant - New Website Counts Down To Next Clue For Overwatch’s Sombra
[EN] Polygon - Overwatch's Sombra mystery appears to be coming to a close
[EN] VG247 - Overwatch forums glitch out, reveal a message from the mysterious Sombra
[EN] Tech News Today - Sombra Hacks Into Overwatch Forums
[EN] IGN - Overwatch Mystery Character Sombra Could Be Revealed Today
25th Aug. 2016
[EN] Kotaku - Overwatch Players Are Getting Sick Of The Sombra ARG
[EN] IGN - Overwatch Made the Internet Lose its Mind Last Night, And I Had a Front-Row Seat
[EN] Tech News Today - Overwatch: Countdown to Sombra
30th Aug. 2016
[EN] PC Gamer - Overwatch's Sombra riddle begins to irritate the players trying to solve it
3rd Oct. 2016
[EN] Mobile & Apps - Sombra To Be Revealed At Blizzcon? Halloween Event Confirmed In Data Leak
4th Oct. 2016
[EN] iTechPost - Overwatch Update: Are We Finally Getting Sombra?
11th Oct. 2016
[EN] Kotaku - Overwatch Fans Hacked Actual People In An Attempt To Find Sombra
17th Oct. 2016
[EN] TelKom Gaming - Will Sombra Hack Her Way Into BlizzCon 2016?
18th Oct. 2016
[EN] OverwatchTips - Everything You NEED To Know (Sombra ARG)
26th Oct. 2016
[EN] Min Network - Everything we know about Blizzard's rumored Nov. 1 release
28th Oct. 2016
[EN] Kotaku - Imagining Horror Stories Of A Never-Ending Overwatch ARG
1st Nov. 2016
[EN] IGN - Will Sombra be at BlizzCon 2016?
8th Nov. 2016