Sombra ARG
by fotoply ♪
1. 1st clue (Solved)
1.1. Found in Ana Origin video at 1:16
1.2. Hex found:
1.3. Second frame was found at 2:11
1.4. Was deciphered by XOR'ing the value with 23, the supposed hero number for sombra
1.5. Led to the qoute "She who has the information, has the power..."
2. 2nd clue (Solved)
2.1. Found at the end of a dev update video
2.2. Original frame found:
2.3. Was converted into binary and from binary into a QR code
2.4. Recovered QR code
2.5. QR code reads: "¿Estuvo eso facilito? Ahora que tengo su atención, déjenme se las pongo más difícil." which is "Was that easy? Well, now that I have your attention, allow me to make things much more difficult."
3. 3a clue (Unsolved)
3.1. Found in Summer Games video as Tracer jumps a hurdle
3.2. Picture of the code:
3.3. This was split roughly to the following: U2FsdGVkX1+vupppZksvRf5pq5g5XjFRIipRkwB0K1Y96Qsv2L m+31cmzaAILwytX/z66ZVWEQM/ccf1g+9m5Ubu1+sit+A9cenD xxqkIaxbm4cMeh2oKhqIHhdaBKOi6XX2XDWpa6+P5o9MQw==
3.4. This was decoded from Base64 into a OpenSSL encrypted string. The string remains unsolved, but passwords can be attempted at http://axxim.net/ow/gol-guesser/
3.5. Some people suspect that this step was bypassed by Blizzard as we were unable to solve it, but this remains unconfirmed
4. 3b clue (Semi-solved)
4.1. Also found in the Summer Games video was a series of directions. These directions were superimposed only on the video released by the PlayOverwatch channel and are not present ingame either.
4.2. The directions corresponds to the 8 cardinal directions of a compass, with D.Va being C for center.
4.3. Combined they look the following:
4.4. These directions were initially suspected to be used for the 3a clue but nothing has come of that so far.
5. 4th clue (Solved)
5.1. After being stuck on the Tracer code for some time Blizzard released a new hint by discreetly adding a new picture to the galleries section of the PlayOverwatch site.
5.2. The datamoshed image:
5.3. By comparing it the original image from the site, the following message was found in the difference between the images: "Por que estan mirando al cielo? La respuesta no esta sobre sus cabezas, esta detras de ustedes. A veces, necesitan analizar sus logros previos."
5.4. The text was translated to "Why are you looking at the sky? The answer isn't over your heads, it's behind you. Sometimes, you need to analyze your previous achievements.", which was a hint to a previous red herring called the Skycode.
6. 5th clue (Solved)
6.1. The clue led to analyzing the achievements section on the site. This revealed a new "?" achievement, which had a comment attached to it in the source code.
6.2. The site with source code:
6.3. The comment read: "Vientos, nada mal. No obstante, me aburro. Intentemos algo nuevo en la misma dirección. uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 IS8208O913KRlrx"
6.4. Which translated is: "Damn, not bad. However, I'm getting bored. Let's try something new in the same direction. uczihriwgsxorxwunaarawryqhbrsfmeqrjjmu 5552E494 78T3 4VM9 OPL6 IS8208O913KRlrx"
7. 6th clue (Solved)
7.1. The code at the end of the translation in the 5th clue was run through a Vigenére Cipher. For the password the character names were taken in the order they were included in the compass.
7.2. Passphrase used: tracertorbjornwinstonsymmetradvamercybastiongenjimccree
7.3. The result is the following: blzgdapiproaakamaihdnetmediascreenshot 5552E494 78B3 4CE9 ACF6 EF8208F913CFjpg
7.4. Which translates to the following URL: https://blzgdapipro-a.akamaihd.net/media/screenshot/5552E494-78B3-4CE9-ACF6-EF8208F913CF.jpg
7.5. That URL leads to a datamoshed image of Volskyrya Industries
8. 7th clue (Solved)
8.1. By taking the datamoshed image from clue 6, an ascii skull was obtained, togherter with the phrase "Parece que te gustan estos jueguitos... por que no jugamos uno de verdad?", which translated means "It seems you like these little games... Why don't we play a real one?"
8.2. This extraction was done by a python script
8.3. The skull:
8.4. The skull had nothing to proceed on and it was presumed a dead-end until the next clue was released.
9. 8th clue (Solved)
9.1. At some point after the 7th clue, the user Majesty was tipped towards a thread on the Blizzard forums.
9.2. This thread has custom Javascript which printed the following Base64 encoded message: ICAgICAgICAgICAgICAgICAgICAgICAgICA6UEKPQms6CiAgICAgICAg ICAgICAgICAgICAgICAsakKIQEJAQkBCQEJCTC4KICAgICAgICAgICAg ICAgICAgIDdHlkKTQpVCTU1NTU1CQEJAQkBOcgogICAgICAgICAgICAg ICA6a0KSQpCIl01NT01PTU9NT01NTU2MQphCQEIxLAogICAgICAgICAg IDo1kUKNQphCiEJCTU1PTU9NT01PTU9NT01NipJuQm5CQEJCdS4KICAg ICAgICA3MG6GlUKIQpJClEJYQkJPTU9NT01PTU9NT01NQk1QQphCiEJA QkBCQE5yCiAgICAgIEeYlpdCSiBpQohCh4ggIE9CTU9NT01PTU9NT01P TZYyICBCj0JAQi4gRUJAQkBTCiAgICAgIJKWQk2HR0pCVS4gIGlTdUKI T01PTU9NT01PTU9NTZdPVTE6ICAua0JMTYhNhkKXCiAgICAgIEKMTU1C mUIgICAgICAgN4hCQk1NT01PTU9NT01PQkKWOiAgICAgICBCh0JNTYhC CiAgICAgII2YiEKKQiAgICAgICAgIDeSlkBNTU9NT01PTU1AQkA6ICAg ICAgICAgQEBCQEJACiAgICAgII+ST0xCLiAgICAgICAgICBCTkKPTU1P TU9NTY9CRUIgICAgICAgICAgckJqTYRCCiAgICAgIJBAICBAICAgICAg ICAgICBNICBPQk9NT01NQHEgIE0gICAgICAgICAgLkAgIEBACiAgICAg IISVT3ZCICAgICAgICAgICBCOnWMTU1PTU9NTUJKaUIgICAgICAgICAg LkJ2TUBCCiAgICAgIIRCkUKYSiAgICAgICAgIDCRQpdNTU9NT01PTUKV QkB1ICAgICAgICAgcUBAQEJACiAgICAgIEKETUJCjHYgICAgICAgR4+L Qk1NTU1NTU1NTU1NQkKINSAgICAgICBGhEJNTUBCCiAgICAgIIdCQk1/ QlBOaSAgIExNRUKFT01NTU2PQoNNTU9NTYpCWk03ICAgckVxQodNQkKE CiAgICAgIEKYloRCTSAgQm1ChEIgIHFCTU9NQpBChUKEQk1PTUJMICBC QEJAQiAgQEJAQkBNCiAgICAgICBKlm2GhFBCj0KEQplCN0eIT01CQi4g ICAsQE1NTUBxTEJAQkBAQEJxQkBCQnYKICAgICAgICAgIGlHQpUsaTCE TZZCbk1NT4tFICA6ICBNQE9NTUBAQEJAUGlpQEBOOgogICAgICAgICAg ICAgLiAgIEKXTZBCj01NTUBCQEJAQkBNTU1AQEBNQEIKICAgICAgICAg ICAgICAgICBAQkBCLmlATUJCQEJAQkBAQk1AOjpCQEJACiAgICAgICAg ICAgICAgICAgQkBAQCAuQkBCLjpAQkAgOkJAQiAgQEJATwogICAgICAg ICAgICAgICAgICAgOjAgckBCQCAgQkBAIC5AQkA6IFA6CiAgICAgICAg ICAgICAgICAgICAgICAgdk1CIDpAQkAgOkJPNwogICAgICAgICAgICAg ICAgICAgICAgICAgICAsQkBCCg==
9.2.1. When decoded this results in a similiar ASCII skull:
9.3. This skull was then compared to the already existing one and the following string was found by finding the difference: OHVSURPHWLXQMXHJR...FUHRTXHXVWHGHVORVGHWHFWLYHVGHMXHJRVOROODPDULDQXQWUDLOKHDG?EOCJGDXVD-DPEDV-FDODYHUDV.KWPO
9.4. This was recognised as being shifted with a Caesar Cipher, with the key being 23. After shifting it back the following was the result: LESPROMETIUNJUEGO...CREOQUEUSTEDESLOSDETECTIVESDEJUEGOSLOLLAMARIANUNTRAILHEAD?BLZGDAUSA-AMBAS-CALAVERAS.HTML Which when spaces are added results in the following spanish sentence: Les prometi un juego...creo que ustedes los Detectives de Juegos lo llamarían un trailhead? BLZGDUSA-AMBAS-CALAVERAS.HTML
10. 9th clue (Solved)
10.1. By taking the data at the end of the 8th clue message and transforming it into a Blizzard media URL the following link was achieved: https://blzgdapipro-a.akamaihd.net/media/screenshot/usa-ambas-calaveras.html
10.2. This link leads to a medical record which was presumably obtained by Sombra. The record is a small MP4 that shows a moving heartbeat and, near the end, a small skull on the right.
10.3. A picture of the record:
10.3.1. The record is most likely from when Ana was hospitalized after being shot by Widowmaker
10.4. The heartbeat to the right with the small lines was decoded by taking each line to be a letter from the alphabet, which resulted in the string "momentincrime", a previous blizzard website.
11. 10th clue (Solved)
11.1. The tip to go to "A moment in crime" meant that the website was visited. On the website a new message was found: ...Estableciendo conexión... ...Protocolo Sombra v1.3 iniciado... ...Infiltrando la respuesta automática del email de pistas... ...Terminando conexión...
11.2. This lead to sending a mail to a previous email address used by Blizzard for A moment in the crime: [email protected]
11.3. The following mail was received back:
11.3.1. This was found to be encrypted using a Bifid cipher, which was deciphered as above:
11.3.2. The deciphered text looks like leetspeak, though there are some oddities in the "dialect" chosen for the leetspeak.
11.3.3. Some people suspect that this might actually be a further clue or a key for something.
12. 11a clue (Unsolved)
12.1. It was discovered that the forum post found in the 8th clue had a "posted x time ago" that was counting down instead of up. When that countdown reached 0 seconds ago, the post disappeared and the A moment in crime website changed into the following, with the percentage being at 2%:
12.2. In the sourcecode for this site, the following comment was found: Bien hecho, ya tienen mi clave. Hackear este programa de televisión no tuvo chiste. Espérense a lo que sigue. This was, roughly, translated into the following: Well done, you have my password. Hacking this television program was meaningless, wait for what is coming. This translation is discussed due to use of slang
12.3. So far nothing has come from the site, apart from the percentage increasing very, very slowly, currently halted at 5%
12.3.1. During the evening (european time), the site was updated again, with the percentage slowly progressing through some decimals of 5%. A new message was also added to the source code: Parece que se están calentando un poco las cosas... tendré que pasar desapercibida mientras esto se finaliza. Which translates to: It seems that things are are warming up a little... gotta go unnoticed while it completes. The percentage was increased by what seemed to be the very small amount at a time
12.3.2. Additional HTML was also added, though it seems of no significance: <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> It does not have any effect on the website and only defines that the website is text based and is using UTF-8 encoding for text.
12.3.3. The percentage seems to be increasing in semi-regular intervals of 0.0038 or 0.0037, with 0.0038 being a lot more common. Some are trying to convert this to binary or morse
12.3.4. The increase had a short break, lasting for 5 hours, after which it jumped the amount it is estimated that it should have jumped in those 5 hours. No official reason was given.