Sombra ARG

From Game Detectives Wiki
Revision as of 04:53, 12 August 2016 by Blafa (talk | contribs) (New Datamoshed Photo)
Jump to: navigation, search
Sombra ARG
Active since 06-12-2016
Overwatch logo.jpg
The Sombra ARG - an ARG involving an unreleased Overwatch hero.
Type [[List_of_Investigations#Official|Official]]
Creator Blizzard
Discovered 06-12-2016

The Sombra ARG is an ARG involving Overwatch, a game made by Blizzard. Sombra is the name of an unreleased Overwatch hero that has been hinted at by Blizzard as being an upcoming playable character. Clues and ciphers referencing Sombra were found in various developer updates and short animations released by Blizzard, and this ARG is comprised of those clues.

Not long after the games release, there were numerous pieces of in-game information that appeared, all in Dorado. When Ana was revealed as Overwatch’s newest character, more clues appeared in her origin video. Finally, when the summer games update was released, many more clues were given, yet again in videos. All the main clues are now listed below.

Ana Videos

Ana Origin Video

On July 12, 2016, a video for the new Overwatch hero named Ana was released. By pausing the video at the 1:16 time mark, a bunch of hexadecimal numbers were discovered:

Ana Hex2.png

2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E
79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72
7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72
79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20
63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20
66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76
74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72
65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20
7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20
72 7B 20 67 78 73 72 65 2E 2E 2E 64 78 7A 75

Hex to ASCII gave us

...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...{v fbr       
c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...dxzu

And with an XOR Cipher with the constant 23, it gave us

..la que tiene la información; tiene el poder...la que tiene la información; tiene el poder...la que tiene la información; tiene el poder...la que tiene la  
información; tiene el poder...somb

When put the whole process, the same string was discovered, but at the end, the letters somb appeared. These letters were combined with ra from the other cipher to create sombra, the name of an unreleased hero that has been hinted at by Blizzard in the past. This led us to believe that this ARG had to do with Sombra, and the ARG was named accordingly.


A second frame of hexadecimal numbers was discovered at the 2:11 time mark of the video:

Ana Hex.png

65 76 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B 76
20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72
20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63
7E 72 79 72 20 7B 76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79
2C 20 63 7E 72 79 72 20 72 7B 20 67 78 73 72 65 2E 2E 2E 7B
76 20 66 62 72 20 63 7E 72 79 72 20 7B 76 20 7E 79 71 78 65
7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79 72 20 72 7B 20 67 78
73 72 65 2E 2E 2E 7B 76 20 66 62 72 20 63 7E 72 79 72 20 7B
76 20 7E 79 71 78 65 7A 76 74 7E D4 A4 79 2C 20 63 7E 72 79
72 20 72 7B 20 67 78 73 72 65 2E 2E 2E


From Hex to ASCII this decoded to:

ev...
{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...
{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...
{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...
{v fbr c~ryr {v ~yqxezvt~Ô¤y, c~ryr r{ gxsre...

When passed through an XOR Cipher with constant 23, this returned:

ra...

la que tiene la información; tiene el poder...
la que tiene la información; tiene el poder...
la que tiene la información; tiene el poder...
la que tiene la información; tiene el poder...

Note the "ra" preceding the Spanish message. It translates to

She who has the information, has the power...

Dev Update Video

The vertical barcodes found at the end of the Ana Dev Update video

At the end of this video, a series of vertical barcodes were discovered. The barcodes were solved to be binary, a dump of which is available here, credit of redditor /u/zapu.

Discord user Crauss turned the ones and zeroes into black and white pixels, which formed a QR code:

Sombra QR code.png

Scanning this QR code yielded the following message:

"¿Estuvo eso facilito? Ahora que tengo su atención, déjenme se las pongo más difícil." 

And translated from Sombra's native language of Spanish into English:

Was that easy? Well, now that I have your attenion, allow me to make things much more difficult

Welcome to the Summer Games Video

The base64 cipher in the Summer Games video

On August 2, another cipher was discovered in this video - this time, the ciphertext was in base64:

U2FsdGVkX1+vupppZksvRf5pq5g5XjFRIipRkwB0K1Y96Qsv2L
m+31cmzaAILwytX/z66ZVWEQM/ccf1g+9m5Ubu1+sit+A9cenD
xxqkIaxbm4cMeh2oKhqIHhdaBKOi6XX2XDWpa6+P5o9MQw==

Using a tool to decode the Base64 results in the following output:

Salted__���ifK/E�i��9^1Q�*Q�t+V=�
                                /ع��W/
                                      �_����V��?q����f�F���"��=q�������[��
                                                                          z��*����Z����u�\5�k�C

(Note: copy/pasting this string will not work; some of the characters will not paste properly)

Decrypting the Encryption

The "Salted__" header at the start of the string indicates that the remainder of the text is encoded in an OpenSSL cipher, which requires a key and a known cipher. Salts are added to encrypted data to ensure uniqueness.

Since we know the salt, and we know the input data, all we need to decrypt is the password and cipher method. Since OpenSSL has been around for ages, there are many different cipher methods.

A Cipher is a mathematical algorithm to convert data into unreadable binary data.

A Password is key to the box, if you know it you can easily decrypt the data.

Narrowing Down Ciphers

Hex view of the encrypted string

The Cipher used has been narrowed down by looking at a Hex Dump of the encrypted string. There are two major types of ciphers, stream ciphers and block ciphers. Stream ciphers encrypt only the data fed into them, whereas block ciphers will always be a set chunk length.

A byte is roughly a single character, but special characters can take up multiple bytes. We know that OpenSSL Salted Encryption uses the first 8 bytes of the output for Salted__ and the next 8 bytes for the actual salt. The rest of the information is the encrypted message.

The immediately interesting thing here is that the encrypted message data stops 3 bytes short of a full chunk. This is a excellent indicator that the cipher used is a stream cipher (or a block cipher in CTR/OFB/CFB mode). This narrows our cipher list down significantly. This also means that the final string that Blizzard encrypted is less than 93 bytes!

Directions & Letters

There are references to directions that are present in the North American version of the video. These references are conspicuously absent from other versions of the trailer. These references are shown below, with the relevant heroes and timestamps:

Here are the screencaps, arranged according to their directions:

Overwatch map.jpg

Album of full screencaps

Dorado Photo

On the Overwatch media page, a new photo of the attacking spawn in Dorado was added. This photo was "Data Moshed", which is purposely injecting code into an image to produce artistic effects.Here is an example of purposely data moshing the image manually to achieve similar effects. However, in this case, certain English and Spanish characters were replaced with an exclamation point. By taking each character from each exclamation point, it produced a sentence in Spanish.

"Por que estan mirando al cielo? La respuesta no esta sobre sus cabezas, esta detras de ustedes. A veces, necesitan analizar sus logros previos."

Translated into English, this phrase is

"Why are you looking at the sky? The answer isn't over your heads, it's behind you. Sometimes, you need to analyze your previous achievements."

Source Code of Achievements on Play Overwatch

On the Play Overwatch Website, if you log in and view the achievements on the player profile; there is a mystery achievement. Viewing the source code of the image lead us to a new phrase.

Vientos, nada mal. No obstante, me aburro. Intentemos algo nuevo en la misma dirección. uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6   
IS8208O913KRlrx

Literally translated, it says.

<! - Damn, not bad. However, I'm getting bored. Let's try something new in the same direction. uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 
IS8208O913KRlrx -> 

The original translation said "Winds bad." which is a Mexican slang term meaning "Damn, not bad.".

New Datamoshed Photo

1. Take section of code from the "?" achievement hint

2. Put in to Vigenére Cipher

3. Use compass to get hero names for the passphrase:

message: uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 IS8208O913KRlrx
passphrase: tracertorbjornwinstonsymmetradvamercybastiongenjimccree

4. This resulted in 'https://blzgdapipro-a.akamaihd.net/media/screenshot/5552E494-78B3-4CE9-ACF6-EF8208F913CF.jpg'

5. Difference check between the new and original image resulted in the following message:


Parece que te gustan estos jueguitos... por que no jugamos uno de verdad?
                          :[email protected]:
                      ,[email protected]@[email protected]@[email protected]
                   [email protected]@[email protected]@[email protected]@Nr
               :[email protected]@@@[email protected]@[email protected],
           :[email protected]@[email protected]@[email protected]@@[email protected]@BBu.
        [email protected]@@[email protected]@[email protected]@[email protected]@[email protected]@Nr
      [email protected]@@BJ [email protected]@@  [email protected]  [email protected]@B. [email protected]@S
      @@[email protected]  [email protected]@OU1:  [email protected]@[email protected]
      [email protected]@B       [email protected]@:       [email protected]@B
      @@@[email protected]         [email protected]@@[email protected]@:         @@[email protected]@
      @@OLB.          [email protected]@BEB          [email protected]
      @@  @           M  [email protected]  M          [email protected]  @@
      @@OvB           B:[email protected]          [email protected]
      @[email protected]@J         [email protected]@[email protected]@u         [email protected]@@[email protected]
      [email protected]@v       [email protected]@[email protected]       [email protected]@B
      @[email protected]   [email protected]@[email protected]@BZM7   [email protected]@
      [email protected]@@BM  [email protected]@B  [email protected]@[email protected]  [email protected]@B  @[email protected]@M
       [email protected]@@@[email protected]@[email protected]@OMBB.   ,@[email protected]@[email protected]@@[email protected]
          [email protected],[email protected]@[email protected]@E  :  [email protected]@@@[email protected]@@N:
             .   [email protected]@[email protected]@[email protected]@[email protected]@@@[email protected]
                 @[email protected]@[email protected]@[email protected]@[email protected]::[email protected]@
                 [email protected]@@ [email protected]:@[email protected] :[email protected]  @[email protected]
                   :0 [email protected]@  [email protected]@ [email protected]@: P:
                       vMB :@[email protected] :BO7
                           ,[email protected]

Translation:

"It seems you like these little games... Why don't we play a real one?"

This is the python2 script to extract modified bytes from datamooshed volskaya screenshot, https://gist.github.com/synap5e/27635d2ff6f0e3b15f0c902dca2974a9

References

Old / False Leads

Click here for all of the false leads that the community came across while trying to solve the Sombra ARG/

Media Appearances

3rd Aug. 2016

[EN] Kotaku - Overwatch Fans Find New Clues About The Mysterious Hero Sombra

[EN] Polygon - Overwatch fans are trying to crack the latest mystery about Sombra

[EN] PCGamesN - Overwatch's Sombra ARG continues with new clues, but no solutions

[EN] Team-Dignitas - Who is Sombra? All facts and clues about Sombra

[FR] Gamewave - UN NOUVEAU CODE CACHÉ DANS LA DERNIÈRE CINÉMATIQUE D'OVERWATCH!

[EN] FollowNews - Overwatch Fans Find New Clues About The Mysterious Hero Sombra

4th Aug. 2016

[EN] PCGamer - Overwatch Summer Games trailer hides a mysterious secret

[SK] Sector - Nové Overwatch video obsahuje ďalšie tajomstvá

[EN] Techinsider - 'Overwatch' players are going to insane lengths to solve a mystery that Blizzard's teased for months

[EN] Gamerant - Overwatch Players Uncover More ‘Sombra’ Clues

[HU] Gamestar - Overwatch - újabb nyomok utalnak a még be nem jelentett hősre

5th Aug. 2016

[EN] Kotaku - Days Later, Overwatch Fans Can't Figure Out The 'Sky Code' Mystery

[NL] Gamersnet - Cryptische speurtocht naar Overwatch' nieuwe heldin Sombra gaat bizar diep

[ES] Alfa Beta Jeuga - Overwatch: El enigma de Sombra sigue ofreciendo nuevos detalles

[EN] IGN (Video) - Sombra: Overwatch's Secret New Hero - Overwatch HQ

7th Aug. 2016

[EN] Gamespresso - Summary of the state of sombra's ARG in Overwatch

8th Aug. 2016

[EN/CN] Zhentoo - Overwatch new hero Secret Dorado hidden mystery

[EN] TechNewsToday - Overwatch: Sombra Continues to Elude Detectives

Temporary resources

(This content will be deleted after we've solved the riddles. It serves currently as a repo of tools for the Discord community.)

Potential Clues / (mostly) Speculations: https://docs.google.com/document/d/1D-VSNpY1gpNwCDJ2Ocl2VM6bdiggU-NsZJbfDvLOOAk/edit?pli=1

Bruteforcing tool: https://github.com/glv2/bruteforce-salted-openssl

GOL! Guesser: http://axxim.net/ow/gol-guesser/

Spreadsheet of what is being tested and what has already been tested: https://docs.google.com/spreadsheets/d/1rI08baFQmAwaqHC-9GF9VNGCYjuRE-q4LN9k4ottjuQ/pubhtml