Difference between revisions of "Sombra ARG:Cryptography"

From Game Detectives Wiki
Jump to: navigation, search
[unchecked revision][unchecked revision]
(Created page with " == The Base64 == At 0:08 seconds in the Summer Games youtube video, you can find a base64 string. You can use , and . keys to skip frame by frame until you see it. File:T...")
 
Line 1: Line 1:
 +
Cryptography first made it's appearance in the Sombra ARG with the [http://wiki.gamedetectives.net/index.php?title=Sombra_ARG#Summer_Games_Video Summer Games Video]. So far "Tracers Tail" has been the most concrete lead in solving the ARG.
 +
  
 
== The Base64 ==
 
== The Base64 ==
  
At 0:08 seconds in the Summer Games youtube video, you can find a base64 string. You can use , and . keys to skip frame by frame until you see it.
+
At 0:08 seconds in the [https://www.youtube.com/watch?v=qpcOD9tJM4k Summer Games youtube video], you can find a base64 string. You can use , and . keys to skip frame by frame until you see it.
  
 
[[File:TracerTailFlat.png]]
 
[[File:TracerTailFlat.png]]
Line 26: Line 28:
 
                                       �_����V��?q����f�F���"��=q�������[��
 
                                       �_����V��?q����f�F���"��=q�������[��
 
                                                                           z��*����Z����u�\5�k�C
 
                                                                           z��*����Z����u�\5�k�C
Please note this decoding is useless since your browser kills most of the actual data. Use base64 to pass the string around.
+
''Please note this decoding is useless since your browser kills most of the actual data. Use base64 to pass the string around.''
 
 
  
 
== The Understanding ==
 
== The Understanding ==
Line 61: Line 62:
 
Currently we're using the hivemind to guess passwords with the Gol! Guesser and using advanced bruteforcing methods to try and find the password. We're still far away but this is the most concrete problem Blizzard has given us to solve. Please checkout the [http://axxim.net/ow/gol-guesser/ Gol! Guesser] and the [http://discord.me/gamedetectives GameDetectives Discord] to help us out and contribute!
 
Currently we're using the hivemind to guess passwords with the Gol! Guesser and using advanced bruteforcing methods to try and find the password. We're still far away but this is the most concrete problem Blizzard has given us to solve. Please checkout the [http://axxim.net/ow/gol-guesser/ Gol! Guesser] and the [http://discord.me/gamedetectives GameDetectives Discord] to help us out and contribute!
  
Thanks
 
 
This information comes from the GameDetectives Discord and specifically the following people: vmzcg, efco, Epsilon, dovinde, offbeatwitch, catnipp, Wolen
 
This information comes from the GameDetectives Discord and specifically the following people: vmzcg, efco, Epsilon, dovinde, offbeatwitch, catnipp, Wolen

Revision as of 01:12, 6 August 2016

Cryptography first made it's appearance in the Sombra ARG with the Summer Games Video. So far "Tracers Tail" has been the most concrete lead in solving the ARG.


The Base64

At 0:08 seconds in the Summer Games youtube video, you can find a base64 string. You can use , and . keys to skip frame by frame until you see it.

TracerTailFlat.png

Base64 is a binary-to-text encoding scheme that allows you to safely share binary information. Blizzard most likely uses this because reading information off a video is hard enough, this makes it much easier.

Unfortunately the base64 doesn't use a monospace font, our reading skills are pretty good, so we can narrow it down to 16 different possibilities for reading the base64, since characters like a capital I and a lowercase L look the same. However if we let the computer try and figure it out, there are 78732 possibilities.


The Decoding

Since Base64 is for encoding, decoding the string is very easy. Using our best guess base64:

U2FsdGVkX1+vupppZksvRf5pq5g5XjFRlipRkwB0K1Y96Qsv2L
m+31cmzaAILwytX/z66ZVWEQM/ccf1g+9m5Ubu1+sit+A9cenD
xxqklaxbm4cMeh2oKhqlHhdaBKOi6XX2XDWpa6+P5o9MQw==

We can pass it into a tool like so:

$ echo "U2FsdGVkX1+vupppZksvRf5pq5g5XjFRlipRkwB0K1Y96Qsv2Lm+31cmzaAILwytX/z66ZVWEQM/ccf1g+9m5Ubu1+sit+A9cenDxxqklaxbm4cMeh2oKhqlHhdaBKOi6XX2XDWpa6+P5o9MQw==" | base64 -d
Salted__���ifK/E�i��9^1Q�*Q�t+V=�
                                /ع��W/
                                      �_����V��?q����f�F���"��=q�������[��
                                                                          z��*����Z����u�\5�k�C

Please note this decoding is useless since your browser kills most of the actual data. Use base64 to pass the string around.

The Understanding

Our best guess so far is that this decoded string is a OpenSSL salted encrypted string. The key identifier is the Salted__ string in the output.

You can read more about OpenSSL salted encryption here, but the gist is pretty easy. OpenSSL is encryption, salts are unique inputs. Salts are added to encrypted data to ensure uniqueness. With the string we have above, we already know the salt. It's the 8 bytes after the Salted__ identifier.

Since we know the salt, and we know the input data, all we need to decrypt is the password and cipher method. Since OpenSSL has been around for ages, there are many different cipher methods. However most are not used, however we must check all of them because you can still encrypt data with them.

A Cipher is a mathematical algorithm to convert data into unreadable binary data.

A Password is key to the box, if you know it you can easily decrypt the data.


Narrowing Down Ciphers

Since there are 190+ cipher methods, we need to narrow it down. So our next step is to look for clues in the encrypted data. There are two major types of ciphers, stream ciphers and block ciphers. Stream ciphers encrypt only the data fed into them, whereas block ciphers will always be a set chunk length.

With that knowledge we can use a hex editor to look at the encrypted string:

HexOfEncryptedMessage.png

A byte is roughly a single character, but special characters can take up multiple bytes. We know that OpenSSL Salted Encryption uses the first 8 bytes of the output for Salted__ and the next 8 bytes for the actual salt. The rest of the information is the encrypted message.

The immediately interesting thing here is that the encrypted message data stops 3 bytes short of a full chunk. This is a excellent indicator that the cipher used is a stream cipher (or a block cipher in CTR/OFB/CFB mode). This narrows our cipher list down significantly.

This means that the final string that Blizzard encrypted MUST BE 93 bytes! However some of the stream ciphers aren't 1:1 so it may be shorter.


Where We Are Now

Currently we're using the hivemind to guess passwords with the Gol! Guesser and using advanced bruteforcing methods to try and find the password. We're still far away but this is the most concrete problem Blizzard has given us to solve. Please checkout the Gol! Guesser and the GameDetectives Discord to help us out and contribute!

This information comes from the GameDetectives Discord and specifically the following people: vmzcg, efco, Epsilon, dovinde, offbeatwitch, catnipp, Wolen