Difference between revisions of "Sombra ARG"
[unchecked revision] | [unchecked revision] |
Imnotgoats (talk | contribs) |
(→Email) |
||
Line 361: | Line 361: | ||
...Terminando conexión... | ...Terminando conexión... | ||
− | + | User by the name of 'Majesty' immediately discovered that sending an e-mail to [email protected] resulted in an automated response via pastebin.com: | |
Thank you for contacting A Moment in Crime's anonymous crime line! | Thank you for contacting A Moment in Crime's anonymous crime line! | ||
Line 384: | Line 384: | ||
Authorities believe that they have set their sights on crossing the Atlantic to America. | Authorities believe that they have set their sights on crossing the Atlantic to America. | ||
− | |||
= References = | = References = |
Revision as of 23:44, 23 August 2016
Sombra ARG | |
---|---|
The Sombra ARG - an ARG involving an unreleased Overwatch hero. | |
Type | [[List_of_Investigations#Official|Official]] |
Creator | Blizzard |
Discovered | 06-12-2016 |
The Sombra ARG is an ARG involving Overwatch, a game made by Blizzard. Sombra is the name of an unreleased Overwatch hero that has been hinted at by Blizzard as being an upcoming playable character. Clues and ciphers referencing Sombra were found in various developer updates and short animations released by Blizzard, and this ARG is comprised of those clues.
Not long after the games release, there were numerous pieces of in-game information that appeared, all in Dorado. When Ana was revealed as Overwatch’s newest character, more clues appeared in her origin video. Finally, when the summer games update was released, many more clues were given, yet again in videos. All the main clues are now listed below.
Contents
Ana Videos
Ana Origin Video
On July 12, 2016, a video for the new Overwatch hero named Ana was released. By pausing the video at the 1:16 time mark, a bunch of hexadecimal numbers were discovered:
2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 64 78 7A 75
Hex to ASCII gave us
...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...dxzu
And with an XOR Cipher with the constant 23, it gave us
..la que tiene la información; tiene el poder...la que tiene la información; tiene el poder...la que tiene la información; tiene el poder...la que tiene la información; tiene el poder...somb
When put the whole process, the same string was discovered, but at the end, the letters somb
appeared. These letters were combined with ra
from the other cipher to create sombra
, the name of an unreleased hero that has been hinted at by Blizzard in the past. This led us to believe that this ARG had to do with Sombra, and the ARG was named accordingly.
A second frame of hexadecimal numbers was discovered at the 2:11 time mark of the video:
65 76 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E
From Hex to ASCII this decoded to:
ev... {v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre... {v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre... {v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre... {v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...
When passed through an XOR Cipher with constant 23, this returned:
ra... la que tiene la información; tiene el poder... la que tiene la información; tiene el poder... la que tiene la información; tiene el poder... la que tiene la información; tiene el poder...
Note the "ra" preceding the Spanish message. It translates to
She who has the information, has the power...
Dev Update Video
At the end of this video, a series of vertical barcodes were discovered. The barcodes were solved to be binary, a dump of which is available here, credit of redditor /u/zapu.
Discord user Crauss turned the ones and zeroes into black and white pixels, which formed a QR code:
Scanning this QR code yielded the following message:
"¿Estuvo eso facilito? Ahora que tengo su atención, déjenme se las pongo más difícil."
And translated from Sombra's native language of Spanish into English:
Was that easy? Well, now that I have your attenion, allow me to make things much more difficult
Welcome to the Summer Games Video
On August 2, another cipher was discovered in this video - this time, the ciphertext was in base64:
U2FsdGVkX1+vupppZksvRf5pq5g5XjFRIipRkwB0K1Y96Qsv2L m+31cmzaAILwytX/z66ZVWEQM/ccf1g+9m5Ubu1+sit+A9cenD xxqkIaxbm4cMeh2oKhqIHhdaBKOi6XX2XDWpa6+P5o9MQw==
Using a tool to decode the Base64 results in the following output:
Salted__���ifK/E�i��9^1Q�*Q�t+V=� /ع��W/ �_����V��?q����f�F���"��=q�������[�� z��*����Z����u�\5�k�C
(Note: copy/pasting this string will not work; some of the characters will not paste properly)
Decrypting the Encryption
The "Salted__" header at the start of the string indicates that the remainder of the text is encoded in an OpenSSL cipher, which requires a key and a known cipher. Salts are added to encrypted data to ensure uniqueness.
Since we know the salt, and we know the input data, all we need to decrypt is the password and cipher method. Since OpenSSL has been around for ages, there are many different cipher methods.
A Cipher is a mathematical algorithm to convert data into unreadable binary data.
A Password is key to the box, if you know it you can easily decrypt the data.
Narrowing Down Ciphers
The Cipher used has been narrowed down by looking at a Hex Dump of the encrypted string. There are two major types of ciphers, stream ciphers and block ciphers. Stream ciphers encrypt only the data fed into them, whereas block ciphers will always be a set chunk length.
A byte is roughly a single character, but special characters can take up multiple bytes. We know that OpenSSL Salted Encryption uses the first 8 bytes of the output for Salted__
and the next 8 bytes for the actual salt. The rest of the information is the encrypted message.
The immediately interesting thing here is that the encrypted message data stops 3 bytes short of a full chunk. This is a excellent indicator that the cipher used is a stream cipher (or a block cipher in CTR/OFB/CFB mode). This narrows our cipher list down significantly. This also means that the final string that Blizzard encrypted is less than 93 bytes!
Directions & Letters
There are references to directions that are present in the North American version of the video. These references are conspicuously absent from other versions of the trailer. These references are shown below, with the relevant heroes and timestamps:
Directions
Here are the screencaps, arranged according to their directions.
Dorado Photo
On the Overwatch media page, a new photo of the attacking spawn in Dorado was added. This photo was "Data Moshed", which is purposely injecting code into an image to produce artistic effects.(Here is an example of purposely data moshing the image manually to achieve similar effects)
After comparing the images via difference checking tools, it was found that certain English and Spanish characters were replaced with exclamation points, producing a Spanish sentence out of the replaced characters.
"Por que estan mirando al cielo? La respuesta no esta sobre sus cabezas, esta detras de ustedes. A veces, necesitan analizar sus logros previos."
Translated into English, this phrase is
"Why are you looking at the sky? The answer isn't over your heads, it's behind you. Sometimes, you need to analyze your previous achievements."
Source Code of Achievements on Play Overwatch
On the Play Overwatch Website, if you log in and view the achievements on the player profile; there is a mystery achievement. Viewing the source code of the image lead us to a new phrase:
Vientos, nada mal. No obstante, me aburro. Intentemos algo nuevo en la misma dirección. uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 IS8208O913KRlrx
Translated, it says:
<! - Damn, not bad. However, I'm getting bored. Let's try something new in the same direction. uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 IS8208O913KRlrx ->
The original translation said "Winds bad." which is a Mexican slang term meaning "Damn, not bad.".
Volskaya Datamosh / ASCII Skull
The following instructions explain the process of how the ASCII Skull and "little games" quote were found:
1. Take the following section of code from the "?" achievement hint above.
uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 IS8208O913KRlrx
2. Run it through a Vigenére Cipher
3. Use heroes in the order of their positions on the compass (further above) to get hero names for the passphrase:
tracertorbjornwinstonsymmetradvamercybastiongenjimccree
4. The code received will result in the following url which, when formatted in to a proper URL, becomes the following picture:
blzgdapiproaakamaihdnetmediascreenshot 5552E494 78B3 4CE9 ACF6 EF8208F913CFjpg
'https://blzgdapipro-a.akamaihd.net/media/screenshot/5552E494-78B3-4CE9-ACF6-EF8208F913CF.jpg'
5. A difference check between the new and original image resulted in the following message:
Parece que te gustan estos jueguitos... por que no jugamos uno de verdad? :PB@Bk: ,jB@@B@B@B@BBL. 7G@B@B@BMMMMMB@B@B@Nr :kB@B@@@MMOMOMOMOMMMM@B@B@B1, :5@B@B@B@BBMMOMOMOMOMOMOMM@@@B@B@BBu. 70@@@B@B@B@BXBBOMOMOMOMOMOMMBMPB@B@B@B@B@Nr G@@@BJ iB@B@@ OBMOMOMOMOMOMOM@2 B@B@B. EB@B@S @@BM@GJBU. iSuB@OMOMOMOMOMOMM@OU1: .kBLM@M@B@ B@MMB@B 7@BBMMOMOMOMOMOBB@: B@BMM@B @@@B@B 7@@@MMOMOMOMM@B@: @@B@B@ @@OLB. BNB@MMOMOMM@BEB rBjM@B @@ @ M OBOMOMM@q M .@ @@ @@OvB B:u@MMOMOMMBJiB .BvM@B @B@B@J 0@B@MMOMOMOMB@B@u q@@@B@ B@MBB@v G@@BMMMMMMMMMMMBB@5 F@BMM@B @BBM@BPNi LMEB@OMMMM@B@MMOMM@BZM7 rEqB@MBB@ B@@@BM B@B@B qBMOMB@B@B@BMOMBL B@B@B @B@B@M J@@@@PB@B@B@B7G@OMBB. ,@MMM@qLB@B@@@BqB@BBv iGB@,i0@M@B@MMO@E : M@OMM@@@B@Pii@@N: . B@M@B@MMM@B@B@B@MMM@@@M@B @[email protected]@MBB@B@B@@BM@::B@B@ B@@@ .B@B.:@B@ :B@B @B@O :0 r@B@ B@@ .@B@: P: vMB :@B@ :BO7 ,B@B
Translation:
"It seems you like these little games... Why don't we play a real one?"
This is the python2 script to extract modified bytes from datamoshed volskaya screenshot, https://gist.github.com/synap5e/27635d2ff6f0e3b15f0c902dca2974a9
Overwatch Forums Glitching Page/ "Skycoder"
Discord user named 'Majesty' was tipped towards an ominous topic on the official Overwatch forums, posted by a user named 'Skycoder.' [1] The name of the topic, if translated from binary, says "23." A clue towards what may be a reference to the 23rd character in Overwatch- Sombra. This topic's page soon begins to glitch and distort, turning a hue of purple before opening a text box stating;
"la que tiene la información; tiene el poder"
and typing another code;
... ICAgICAgICAgICAgICAgICAgICAgICAgICA6UEKPQms6CiAgICAgICAg ICAgICAgICAgICAgICAsakKIQEJAQkBCQEJCTC4KICAgICAgICAgICAg ICAgICAgIDdHlkKTQpVCTU1NTU1CQEJAQkBOcgogICAgICAgICAgICAg ICA6a0KSQpCIl01NT01PTU9NT01NTU2MQphCQEIxLAogICAgICAgICAg IDo1kUKNQphCiEJCTU1PTU9NT01PTU9NT01NipJuQm5CQEJCdS4KICAg ICAgICA3MG6GlUKIQpJClEJYQkJPTU9NT01PTU9NT01NQk1QQphCiEJA QkBCQE5yCiAgICAgIEeYlpdCSiBpQohCh4ggIE9CTU9NT01PTU9NT01P TZYyICBCj0JAQi4gRUJAQkBTCiAgICAgIJKWQk2HR0pCVS4gIGlTdUKI T01PTU9NT01PTU9NTZdPVTE6ICAua0JMTYhNhkKXCiAgICAgIEKMTU1C mUIgICAgICAgN4hCQk1NT01PTU9NT01PQkKWOiAgICAgICBCh0JNTYhC CiAgICAgII2YiEKKQiAgICAgICAgIDeSlkBNTU9NT01PTU1AQkA6ICAg ICAgICAgQEBCQEJACiAgICAgII+ST0xCLiAgICAgICAgICBCTkKPTU1P TU9NTY9CRUIgICAgICAgICAgckJqTYRCCiAgICAgIJBAICBAICAgICAg ICAgICBNICBPQk9NT01NQHEgIE0gICAgICAgICAgLkAgIEBACiAgICAg IISVT3ZCICAgICAgICAgICBCOnWMTU1PTU9NTUJKaUIgICAgICAgICAg LkJ2TUBCCiAgICAgIIRCkUKYSiAgICAgICAgIDCRQpdNTU9NT01PTUKV QkB1ICAgICAgICAgcUBAQEJACiAgICAgIEKETUJCjHYgICAgICAgR4+L Qk1NTU1NTU1NTU1NQkKINSAgICAgICBGhEJNTUBCCiAgICAgIIdCQk1/ QlBOaSAgIExNRUKFT01NTU2PQoNNTU9NTYpCWk03ICAgckVxQodNQkKE CiAgICAgIEKYloRCTSAgQm1ChEIgIHFCTU9NQpBChUKEQk1PTUJMICBC QEJAQiAgQEJAQkBNCiAgICAgICBKlm2GhFBCj0KEQplCN0eIT01CQi4g ICAsQE1NTUBxTEJAQkBAQEJxQkBCQnYKICAgICAgICAgIGlHQpUsaTCE TZZCbk1NT4tFICA6ICBNQE9NTUBAQEJAUGlpQEBOOgogICAgICAgICAg ICAgLiAgIEKXTZBCj01NTUBCQEJAQkBNTU1AQEBNQEIKICAgICAgICAg ICAgICAgICBAQkBCLmlATUJCQEJAQkBAQk1AOjpCQEJACiAgICAgICAg ICAgICAgICAgQkBAQCAuQkBCLjpAQkAgOkJAQiAgQEJATwogICAgICAg ICAgICAgICAgICAgOjAgckBCQCAgQkBAIC5AQkA6IFA6CiAgICAgICAg ICAgICAgICAgICAgICAgdk1CIDpAQkAgOkJPNwogICAgICAgICAgICAg ICAgICAgICAgICAgICAsQkBCCg==▌
This was recognized to be Base64, which was then run through a cypher and translated to a new ASCII image;
:PBBk: ,jB@B@B@B@BBL. 7GBBBMMMMMB@B@B@Nr :kBBMMOMOMOMOMMMMBB@B1, :5BBBBBMMOMOMOMOMOMOMMnBnB@BBu. 70nBBBBXBBOMOMOMOMOMOMMBMPBBB@B@B@Nr GBJ iBB OBMOMOMOMOMOMOM2 BB@B. EB@B@S BMGJBU. iSuBOMOMOMOMOMOMMOU1: .kBLMMB BMMBB 7BBMMOMOMOMOMOBB: BBMMB BB 7@MMOMOMOMM@B@: @@B@B@ OLB. BNBMMOMOMMBEB rBjMB @ @ M OBOMOMM@q M .@ @@ OvB B:uMMOMOMMBJiB .BvM@B BBJ 0BMMOMOMOMBB@u q@@@B@ BMBBv GBMMMMMMMMMMMBB5 FBMM@B BBM?BPNi LMEBOMMMMBMMOMMBZM7 rEqBMBB BBM BmBB qBMOMBBBBMOMBL B@B@B @B@B@M JmPBBBB7GOMBB. ,@MMM@qLB@B@@@BqB@BBv iGB,i0MBnMMOE : M@OMM@@@B@Pii@@N: . BMBMMM@B@B@B@MMM@@@M@B @[email protected]@MBB@B@B@@BM@::B@B@ B@@@ .B@B.:@B@ :B@B @B@O :0 r@B@ B@@ .@B@: P: vMB :@B@ :BO7 ,B@B
A diff between the original skull and the new one yielded the following string:
LESPROMETIUNJUEGO...CREOQUEUSTEDESLOSDETECTIVESDEJUEGOSLOLLAMARIANUNTRAILHEAD?BLZGDAUSA-AMBAS-CALAVERAS.HTML
This translates to:
I promised you a game. I believe you Games Detectives would call it a trailhead? BLZGDA Use both skulls.html
Skull Video
BLZGDA is Blizzard's server for hosting media, using full URL we get:
https://blzgdapipro-a.akamaihd.net/media/screenshot/usa-ambas-calaveras.html
This link leads to a video which, for a brief moment, clearly shows an image of the Sombra skull:
In the video properties you can find:
Parecen estar muy interesados en estos "héroes". ¿Tal vez les interese conocer algunos detallitos que he averiguado sobre ellos?
Which translates to:
They seem to be very interested in these "heroes". Maybe interested to know some details that I found out about them?
There is also a pulse ping in the video - looking at which lines it "pings" on and assigning letters to these lines, we get something along the lines of:
momentincrime
'momentincrime' appeared to refer to Roadhog and Junkrat video "A Moment in Crime". A site: amomentincrime.com was also found, where you can find information about configuration made to automatic mail response:
...Estableciendo conexión... ...Protocolo Sombra v1.3 iniciado...
...Infiltrando la respuesta automática del email de pistas...
...Terminando conexión...
User by the name of 'Majesty' immediately discovered that sending an e-mail to [email protected] resulted in an automated response via pastebin.com:
Thank you for contacting A Moment in Crime's anonymous crime line! We have analyzed your submission and forwarded the information to the relevant parties. Your help could be vital in apprehending these cri ...Estableciendo conexión... ...Protocolo Sombra v1.7 iniciado... 01:07:47 02:02:02 01:08:06 02:13:43 01:18:32 01:18:21 02:10:19 01:06:21 02:05:18 01:04:02 01:07:08 02:18:25 01:13:04 02:19:20 01:23:02 01:16:40 02:16:35 01:23:04 02:17:16 01:06:42 01:13:29 02:18:06 01:05:02 02:15:41 01:08:34 j.7F57O,NLv:qj.7B:,1qv@B1j5ivB:, ...Terminando conexión... minals and bringing them to justice. These fugitives are responsible for a string of robberies, arson, and other crimes stretching from Sydney to King's Row. Authorities believe that they have set their sights on crossing the Atlantic to America.
References
Temporary resources
A repo of tools and resources made by the Game Detectives Discord community for use in the Sombra ARG.
ASCII Skull
ASCII Skull Analysis: https://github.com/bahamas10/sombra
Removing SOMBR@ Analysis: http://pastebin.com/15u27YTC
ASCII Skull Eye Analysys: https://docs.google.com/spreadsheets/d/1-JQpWyitMKYhP-4l8ZDFiJI3NjqRrvoEnRdFQawike8
Google Docs
Observations and Speculations Spreadsheet: https://docs.google.com/spreadsheets/d/1rI08baFQmAwaqHC-9GF9VNGCYjuRE-q4LN9k4ottjuQ/pubhtml
Tracer Code
GOL! Guesser: http://axxim.net/ow/gol-guesser/
Bruteforcing tool: https://github.com/glv2/bruteforce-salted-openssl
Old / False Leads
Media Appearances
3rd Aug. 2016
[EN] Kotaku - Overwatch Fans Find New Clues About The Mysterious Hero Sombra
[EN] Polygon - Overwatch fans are trying to crack the latest mystery about Sombra
[EN] PCGamesN - Overwatch's Sombra ARG continues with new clues, but no solutions
[EN] Team-Dignitas - Who is Sombra? All facts and clues about Sombra
[FR] Gamewave - UN NOUVEAU CODE CACHÉ DANS LA DERNIÈRE CINÉMATIQUE D'OVERWATCH!
[EN] FollowNews - Overwatch Fans Find New Clues About The Mysterious Hero Sombra
4th Aug. 2016
[EN] PCGamer - Overwatch Summer Games trailer hides a mysterious secret
[SK] Sector - Nové Overwatch video obsahuje ďalšie tajomstvá
[EN] Gamerant - Overwatch Players Uncover More ‘Sombra’ Clues
[HU] Gamestar - Overwatch - újabb nyomok utalnak a még be nem jelentett hősre
5th Aug. 2016
[EN] Kotaku - Days Later, Overwatch Fans Can't Figure Out The 'Sky Code' Mystery
[NL] Gamersnet - Cryptische speurtocht naar Overwatch' nieuwe heldin Sombra gaat bizar diep
[ES] Alfa Beta Jeuga - Overwatch: El enigma de Sombra sigue ofreciendo nuevos detalles
[EN] IGN (Video) - Sombra: Overwatch's Secret New Hero - Overwatch HQ
7th Aug. 2016
[EN] Gamespresso - Summary of the state of sombra's ARG in Overwatch
8th Aug. 2016
[EN/CN] Zhentoo - Overwatch new hero Secret Dorado hidden mystery
[EN] TechNewsToday - Overwatch: Sombra Continues to Elude Detectives
11th Aug. 2016
[EN] The Know - New Overwatch Hero Hints
12th Aug. 2016
[EN] Kotaku - Overwatch Fans' Sombra Investigation Reaps A Skull Code