Difference between revisions of "Sombra ARG"
[unchecked revision] | [unchecked revision] |
(Added old trails section as suggested by Svard.) |
Clone1018b (talk | contribs) (Merging in http://wiki.gamedetectives.net/index.php?title=Sombra_ARG:Cryptography) |
||
Line 89: | Line 89: | ||
xxqklaxbm4cMeh2oKhqlHhdaBKOi6XX2XDWpa6+P5o9MQw== | xxqklaxbm4cMeh2oKhqlHhdaBKOi6XX2XDWpa6+P5o9MQw== | ||
− | + | Using a tool to decode the Base64 results in the following output: | |
− | + | Salted__���ifK/E�i��9^1Q�*Q�t+V=� | |
+ | /ع��W/ | ||
+ | �_����V��?q����f�F���"��=q�������[�� | ||
+ | z��*����Z����u�\5�k�C | ||
(Note: copy/pasting this string will not work; some of the characters will not paste properly) | (Note: copy/pasting this string will not work; some of the characters will not paste properly) | ||
− | The "Salted__" header at the start of the string indicates that the remainder of the text is encoded in an OpenSSL cipher, which requires a key. | + | ==== Decrypting the encryption ==== |
+ | |||
+ | The "Salted__" header at the start of the string indicates that the remainder of the text is encoded in an OpenSSL cipher, which requires a key and a known cipher. Salts are added to encrypted data to ensure uniqueness. | ||
+ | |||
+ | Since we know the salt, and we know the input data, '''all we need to decrypt is the password and cipher method'''. Since OpenSSL has been around for ages, there are many different cipher methods. | ||
+ | |||
+ | '''A Cipher''' is a mathematical algorithm to convert data into unreadable binary data. | ||
+ | |||
+ | '''A Password''' is key to the box, if you know it you can easily decrypt the data. | ||
+ | |||
+ | ==== Narrowing Down Ciphers ==== | ||
+ | |||
+ | [[File:HexOfEncryptedMessage.png|thumbnail|right|Hex view of the encrypted string]] | ||
+ | |||
+ | The Cipher used has been narrowed down by looking at a Hex Dump of the encrypted string. There are two major types of ciphers, stream ciphers and block ciphers. Stream ciphers encrypt only the data fed into them, whereas block ciphers will always be a set chunk length. | ||
+ | |||
+ | A byte is roughly a single character, but special characters can take up multiple bytes. We know that OpenSSL Salted Encryption uses the first 8 bytes of the output for <code>Salted__</code> and the next 8 bytes for the actual salt. The rest of the information is the '''encrypted message'''. | ||
+ | |||
+ | The immediately interesting thing here is that the '''encrypted message''' data stops 3 bytes short of a full chunk. This is a excellent indicator that the cipher used is a stream cipher (or a block cipher in CTR/OFB/CFB mode). This narrows our cipher list down significantly. This also means that the final string that Blizzard encrypted is less than 93 bytes! | ||
=== Directions & Letters === | === Directions & Letters === |
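Review bot: The last sentence added under "Narrowing Down Ciphers" says the string Blizzard encrypted is "less than 93 bytes", which does not follow from the stream-cipher conclusion drawn one sentence earlier: a stream cipher (or a block cipher in CTR/OFB/CFB mode) produces ciphertext exactly as long as the plaintext. Please state the decoded length, the 16 header bytes and the block size that the "3 bytes short of a full chunk" figure assumes, so readers can check the arithmetic. In the "Decrypting the encryption" text, "encoded in an OpenSSL cipher" should be "encrypted with", and "a excellent" should be "an excellent".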
Revision as of 14:49, 8 August 2016
Sombra ARG | |
---|---|
The Sombra ARG - an ARG involving an unreleased Overwatch hero. | |
Type | Official |
Creator | Blizzard |
Discovered | 06-12-2016 |
The Sombra ARG is an ARG involving Overwatch, a game made by Blizzard. Sombra is the name of an unreleased Overwatch hero that has been hinted at by Blizzard as being an upcoming playable character. Clues and ciphers referencing Sombra were found in various developer updates and short animations released by Blizzard, and this ARG is comprised of those clues.
Ana Videos
Ana Origin Video
On July 12, 2016, a video for the new Overwatch hero named Ana was released. By pausing the video at the 2:11 time mark, a bunch of hexadecimal numbers were discovered:
65 76 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E 04 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E 04 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E 04 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E
From Hex to ASCII this decoded to:
ev... {v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre... {v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre... {v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre... {v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...
When passed through an XOR Cipher with constant 23, this returned:
ra... la que tiene la información; tiene el poder... la que tiene la información; tiene el poder... la que tiene la información; tiene el poder... la que tiene la información; tiene el poder...
Note the "ra" preceding the Spanish message. It translates to
She who has the information; has the power...
A second frame of hexadecimal numbers was discovered at the 1:16 time mark of the video:
When put through the same process, the same string was discovered, but at the end, the letters Somb appeared. These letters were combined with ra from the first cipher to create Sombra, the name of an unreleased hero that has been hinted at by Blizzard in the past. This led us to believe that this ARG had to do with Sombra, and the ARG was named accordingly.
Dev Update Video
At the end of this video, a series of vertical barcodes were discovered. The barcodes were solved to be binary, a dump of which is available here, credit of redditor /u/zapu.
Discord user Crauss turned the ones and zeroes into black and white pixels, which formed a QR code:
Scanning this QR code yielded the following message:
Estuvo eso facilito? Ahora que tengo su atencion, dejenme se las pongo mas dificil
And translated from Sombra's native language of Spanish into English:
Was that easy? Well, now that I have your attention, allow me to make things much more difficult
Summer Games
Summer Games Video
On August 2, another cipher was discovered in this video - this time, the ciphertext was in base64:
U2FsdGVkX1+vupppZksvRf5pq5g5XjFRlipRkwB0K1Y96Qsv2L m+31cmzaAILwytX/z66ZVWEQM/ccf1g+9m5Ubu1+sit+A9cenD xxqklaxbm4cMeh2oKhqlHhdaBKOi6XX2XDWpa6+P5o9MQw==
Using a tool to decode the Base64 results in the following output:
Salted__���ifK/E�i��9^1Q�*Q�t+V=� /ع��W/ �_����V��?q����f�F���"��=q�������[�� z��*����Z����u�\5�k�C
(Note: copy/pasting this string will not work; some of the characters will not paste properly)
Decrypting the encryption
The "Salted__" header at the start of the string indicates that the remainder of the text was encrypted with an OpenSSL cipher; decrypting it requires a key and knowledge of which cipher was used. Salts are added to encrypted data to ensure uniqueness.
Since we know the salt, and we know the input data, all we need to decrypt is the password and cipher method. Since OpenSSL has been around for ages, there are many different cipher methods.
A Cipher is a mathematical algorithm to convert data into unreadable binary data.
A Password is the key to the box: if you know it, you can easily decrypt the data.
Narrowing Down Ciphers
The cipher used has been narrowed down by looking at a hex dump of the encrypted string. There are two major types of ciphers: stream ciphers and block ciphers. Stream ciphers encrypt only the data fed into them, whereas block ciphers always produce output in chunks of a set length.
A byte is roughly a single character, but special characters can take up multiple bytes. We know that OpenSSL Salted Encryption uses the first 8 bytes of the output for Salted__ and the next 8 bytes for the actual salt. The rest of the information is the encrypted message.
The immediately interesting thing here is that the encrypted message data stops 3 bytes short of a full chunk. This is an excellent indicator that the cipher used is a stream cipher (or a block cipher in CTR/OFB/CFB mode). This narrows our cipher list down significantly. This also means that the final string that Blizzard encrypted is less than 93 bytes!
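The header check and length arithmetic from this section, as an added example (not part of the original wiki page or of any tool it links). It assumes the blob was produced by `openssl enc` with its legacy MD5-based password derivation; the function names and the candidate password are constructed for illustration.

```python
import base64
import hashlib

# Ciphertext exactly as shown on this page, with the line-wrap spaces removed.
B64 = (
    "U2FsdGVkX1+vupppZksvRf5pq5g5XjFRlipRkwB0K1Y96Qsv2L"
    "m+31cmzaAILwytX/z66ZVWEQM/ccf1g+9m5Ubu1+sit+A9cenD"
    "xxqklaxbm4cMeh2oKhqlHhdaBKOi6XX2XDWpa6+P5o9MQw=="
)
MAGIC = b"Salted__"


def parse_salted(b64_text):
    """Split a salted OpenSSL blob into (salt, ciphertext)."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    if len(raw) < 16 or raw[:8] != MAGIC:
        raise ValueError("missing 'Salted__' header")
    return raw[8:16], raw[16:]


def bytes_short_of_block(ciphertext, block_size):
    """Bytes missing to reach a whole number of blocks (0 = aligned)."""
    return -len(ciphertext) % block_size


def evp_bytes_to_key(password, salt, key_len, iv_len):
    """Legacy OpenSSL derivation (assumed here): one round of chained MD5."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


if __name__ == "__main__":
    salt, ct = parse_salted(B64)
    print("salt:", salt.hex(), "| ciphertext bytes:", len(ct))
    for bs in (8, 16):
        print(f"block size {bs}: {bytes_short_of_block(ct, bs)} bytes short")
    # Constructed guess: shows how the known salt and a password combine.
    key, iv = evp_bytes_to_key(b"constructed-guess", salt, 32, 16)
    print("derived key/iv lengths:", len(key), len(iv))
```

A non-zero shortfall for both 8- and 16-byte blocks is what rules out padded block modes such as CBC or ECB, whose output is always a whole number of blocks.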
Directions & Letters
There are references to directions that are present in the North American version of the video. These references are conspicuously absent from other versions of the trailer. These references are shown below, with the relevant heroes and timestamps:
Here are the screencaps, arranged according to their directions:
Old Trails
A Code In the Sky
On the developer livestream that happened on August 3rd, Jeff Kaplan and other members of the dev team were asked about the compass (video) (mirror):
"I'm being told to ask you guys about the compass. Are you allowed to make any comments on that?" "The compass." "The compass?" "The compass? That sounds like deep CIA level stuff. Way above our heads."
The phrase "above our heads" led solvers to look towards the sky. They found that on the Dorado map, looking directly up at the sky would reveal this image after some editing. Even more visible images are available here; the bottom two pictures have been "unwrapped" to be a square. This pattern was not visible in previous updates.
It is confirmed that the code in the sky is not a regular ShotCode, since a regular ShotCode can only contain 40 bits of data, and the code we are seeing in the sky is at least 128 bytes big. It is also not an Annular Barcode, since those need to have a start point, which ours does not.
Flight Times Board
Players also took the developer quote "Way above our heads." as a possible hint to the flight board in Numbani. Many attempts to correlate it to usable data have proven inconclusive.
One of the attempts was to try an ADFGVX cipher on the flight number prefixes, to try to see if any pertinent data was available. Nothing has been recovered from the cipher.
Another attempt was to map out all of the locations listed on the flight board, but nothing has come out of that yet.
References
Media Appearances
3rd Aug. 2016
[EN] Kotaku - Overwatch Fans Find New Clues About The Mysterious Hero Sombra
[EN] Polygon - Overwatch fans are trying to crack the latest mystery about Sombra
[EN] PCGamesN - Overwatch's Sombra ARG continues with new clues, but no solutions
[EN] Team-Dignitas - Who is Sombra? All facts and clues about Sombra
[FR] Gamewave - UN NOUVEAU CODE CACHÉ DANS LA DERNIÈRE CINÉMATIQUE D'OVERWATCH!
[EN] FollowNews - Overwatch Fans Find New Clues About The Mysterious Hero Sombra
4th Aug. 2016
[EN] PCGamer - Overwatch Summer Games trailer hides a mysterious secret
[SK] Sector - Nové Overwatch video obsahuje ďalšie tajomstvá
[EN] Gamerant - Overwatch Players Uncover More ‘Sombra’ Clues
5th Aug. 2016
[EN] Kotaku - Days Later, Overwatch Fans Can't Figure Out The 'Sky Code' Mystery
[NL] Gamersnet - Cryptische speurtocht naar Overwatch' nieuwe heldin Sombra gaat bizar diep
[ES] Alfa Beta Jeuga - Overwatch: El enigma de Sombra sigue ofreciendo nuevos detalles
Temporary resources
(This content will be deleted after we've solved the riddles. It serves currently as a repo of tools for the Discord community)
Potential Clues / (mostly) Speculations: https://docs.google.com/document/d/1D-VSNpY1gpNwCDJ2Ocl2VM6bdiggU-NsZJbfDvLOOAk/edit?pli=1
https://github.com/glv2/bruteforce-salted-openssl
http://axxim.net/ow/gol-guesser/
Spreadsheet of what is being tested and what has already been tested: https://docs.google.com/spreadsheets/d/1rI08baFQmAwaqHC-9GF9VNGCYjuRE-q4LN9k4ottjuQ/pubhtml