Here is the second part of the story about the epoch -making Arg arranged Blizzard Before the official presentation to the public a new hero Overwatch – Hacker Sombra. You can find the first part of the material on our website or in the January issue of the magazine (if, for example, you want to get it for the collection in print and then transfer this knowledge to grandchildren).
Stage 5. Skycoder
Everything changed on August 23, when on the Battle forum.Net has a strange post from the user with the nickname Skycoder: Blizzard did not miss the opportunity to pin their players. The name of the topic meant "23" in the binary system. It was worth going into this topic, the picture immediately began to fail; It was barely enough to read the message left by Sombra – the already familiar “La Que Tiene La Información; Tiene El Poder ". After a few seconds, the text of the new cipher appeared on the screen.
Interestingly, in the same topic from Skycoder a few hours after its publication, an image of a reap appeared, which was suspiciously similar to a picture that the desperate detectives sent Sombre. After a short cerebral assault, they could pull out the following text from it: “Aquiesta Tujuego” (“Here is your game”).
Uh, thanks, sombra!
The first detectives that found Skycoder noted that, judging by the information from the post, it was published 23 hours ago. However, the players later saw that this time indicator did not https://euphoria-wins-casino.co.uk/ increase, but, on the contrary, decreases! If you find this message now, then there the timer froze forever in the position “One second ago”. The detectives decided that this is a countdown to something important, possibly before the opening of the sombra to the general public.
As for the code, then the already familiar Base64 quickly recognized it in it. After decryption, it turned into another ASCII-Cherep. With the help of cunning manipulations (the gaps and all the extra characters were removed from the skulls, and then only bytes, not equal 0), users removed the following cryptogram from the images:
OHVSURPHWLXQMXHJR … Fuhrtxhxvwhvorvhwhfwlyhvlhmxhjrvrvorvorvorvorvorvorvorvorvorvorvrodpduldqwudlokhdg?EOCJGDXVD-DPEDV-FDYHUDV.KWPO.
This sequence was already opened with the help of the cipher of Caesar-23 (a very symbolic number, yes). The principle of decryption is simple: you just need to make a shift in the alphabet for the right number, in this case it is 23. At the exit they received the following message: “LesPrometIunjuegocreoSteeslosdetectivesdejuegoslomarilzailzgdasaambascalavereashtml”. This is translated in a fixed form: “I promised you the game … It seems you, Game Detectives, call it a big clue? BLZGDUSA-GABAS-CALAVERAS.HTML ".
“USA Ambas Calaveras” means “use both skulls”, and ending .HTML in a clear way hinted at some web page. Blzgd, in turn, is a server on which Blizzard stores images and videos. Knowing the characteristic type of links to the company's media server, Internet detectives quickly restored the full link: “https: // Blzgdapipro-a.Akamaihd.NET/Media/Screenshot/USA-GABAS-CALAVERAS.HTML ".
There they were waiting for a curious video with a medical file of a person who was suspiciously similar to Anu Amari. Signed by Yanina Kovalskaya, but this is such an Eastern European version of Masha Ivanova or Jane Doe, that is, a clearly fake name.
If you download this video and watch its properties, you will find a new comment from Sombra: “It seems that you are very interested in these heroes. You may be interested in some things that I found out about them?"An unambiguous signal:" I know where Ana and under what name it hides. Boop!".
Now follow your hands. The video displays the beating of the pulse of Ana. Right above this indicator – 26 vertical sticks, according to the number of letters of the English alphabet. Yes, you all correctly understood: the next message was encrypted into the pulse. It was very short: "Moment in Crime".
What the players thought: So, the heat began!
Stage 6. Criminal hour
This is a clear reference to the trailer of the rat and turbosvin, which came out already in September 2015 and was called “A Moment in Crime. Special Report: The Junkers (“Crime Hour. Special issue: “vultures” ”). Glory to Holmes, in the video itself, because of his statute of limitations, there were no references to Sombre, but the Internet detectives soon found a fresh site-AmoMentincrime.Com.
There I met the Spanish text of the following content: “I establish a connection. The protocol “Sombra” V1.3 initiated. I am introducing automatic response to e-mail. The connection is torn ". Automatic response to e -mail? No problems. You can send an e-mail to any domain if you use mail type Tips@domain name. On Mailto: Tips@amomentincrime.COM can still be written. And you will receive a special letter.
► SOMBRARA and then ripened! Does not allow television men to hunt a rat with a turbosvin. And here is a new cryptogram!
Users decided that the upper part of the Tarabarshchina consists of something very similar to the AA: BB: CC format. If we take our good old skulls and assume that the first figure in the code denotes the skull number, and the other two are the coordinates of the Y and X axes, then at the exit we will get such a mesh of the characters 5×5 ..
You think we are close to unraveling? Yes, nothing like that. Experts of encryption recognized in this grid the key to the BIFID code and tried to use it to decode the text part of the cryptogram from the letter from AmoMentincrime.Com. To our surprise, it worked, and the following phrase turned out to be before the detective eyes: “Sombr@1NF: rm@7ion1sp0vversombr@”. No, this time it can be read without tricks, take a closer look: “Sombra Information Is Power Sombra”. – "Dombra information is the power of sombra". Yes, you are kidding!
Meanwhile, the countdown in the topic of Skycoder reached the extreme point … which led to the fact that the already native to us the site AmoMentincrime has already been updated.Com. And what would you think – another counting appeared on it, with the "transmission of information to active omniks"! Without references, as they say, life is not sweet.
► It all started with 2%.
In addition, a new message surfaced in the source code of the site from our elusive hacker: “Well done, now you have my password. The hack of this TV program did not lead to anything. Wait for what will happen next ".
Yeah, it means that “sombr@1NF: rm@7ion1sp0vversombr@” is her password. But what?
As soon as 5% of the data was transferred to unnamed omniks, a new message appeared in the page: “It seems that the situation is gradually heating up … I will have to go to the bottom until everything ends here”. Okay, sombra, you go to the bottom, and we will wait.
October 18, the timer finally reached 100%. A new text appeared on the site: “The download is completed. Unit E-54 Bastion hacked ".
Sombre clearly managed to crank up some big business. Hack of bastion – not jokes.
What the players thought: No, the heat did not start. One countdown after another reference? Yes, how much can!
Stage 7. Haughty bastion and dirty linen of the president Lumérico
On October 19, an update was reached by Overwatch, after which Bastion began to make strange sounds next to one of the hacked terminals on Drado. As it turned out, our beloved tin broadcast with the help of the alphabet Morse. For radio amateurs, the star hour came, with their help it was possible to find out that Omnik transmitted the next cryptogram: SQOFJFBNITIZWGDXSDO.
The Internet detectives hacked this code with the help of a cipher of Vicener already familiar to us. This time, the key with such difficulties was the Sombr@1NF: Rm@7ion1sp0vversombr@difficulties. The message was clear: Accesswwwwlumericomx. Recall that Lumérico is the same energy corporation that erected nuclear power plants in the form of glass zikgurats.
The site of this giant of the market was quite modest … and all in Spanish. This, however, did not stop enthusiasts. Having discovered the phone number (510) 766-2726 at the bottom of the page, they immediately began to call it on it. At the other end of the wire, everyone met the message of the answering machine, at the end of which the woman measuredly dictated a number of numbers-also in Spanish, of course: 5-2-4-1-3 (pause) 23-4-14-8-6-18-17- 23-21-18-15.
The second part of the number was the code. If we assume that each digit corresponds to the letter of the English alphabet under the corresponding number, we will be able to derive the word wdnhfrqwuro from the numbers. We drive it through Caesar-23 already familiar to us and get another seemingly clear team: TakeControl (take control).
As it turned out, we are talking about the page of the site Lumérico – https: // lumerico.MX/TakeControl/Index.HTML . There we were met by the branded skull of Sombra and the new cipher.
Then the first part of the digital code, which we got on the phone, came in handy for inquisitive minds. Using it as a key by rearrangement, the detectives deciphered the most detailed message from a mysterious hacker.
Sombra praised those who managed to get to this point, complained about those with whom she usually had to work, and, most importantly, explained why all the cheese-brow. It turns out that she, together with Los Mayurtos, wages the war against Lumérico and the president of the Corporation Guillermo Portero-“a corrupt man and a shameless thief”. And she also shared the login and password of one of the employees of Lumérico. Say, start with this: gflores/g#fnwp5qj.
Using these data, I managed to go to the Lumérico website under an employee account named Gonzalo Flores. A real holiday was waiting for detectives in personal mail – a whole bunch of letters in which you could dig. Here you have a story with a broken coffee machine, and pathos letters from the president, and anxiety about interruptions in the work of the site (Sombra, you work inaccurately!). Of particular interest was the message that mentioned the page with the sonorous address https: // lumerico.MX/President-Bypass .
► Valuable information had to be sought in such letters.
Access to the specified link was closed, however, an interesting line “President Auth-Bypass Revision 1.02: /.Git/". The specified repository immediately damp and uploaded the received files to Github. Among them found Class files.Authentication.PHP (with encryption function) and class.President-Bypass.PHP, in which they found the name of the GPORTERO user and the encrypted password: ?Mzy: MTI5:?Azy: OWM?:?Edo: ZGU?: jvtm: mtjm: 2itm: mtuw:?QJY: OWY?:?KTO: MTQX:?Mzy.
In a thematic conversation on Discord there were people who quickly wrote a function for decoding a password, and in the hands of involuntary assistants Sombra turned out to be the key to the presidential account: XY@4+bkuqd <53uj (and how he remembered him, interesting?).
About half an hour after the players got the opportunity to read the presidential correspondence (Porto, it turns out, was very concerned that the employees rested well), a new letter from Sombra came to the mail:
“I see you managed to hack his box. Do not worry, he will not see this letter; I hid this message for any guests from its IP addresses. I need a little time to prepare the next series of protocols. Be ready at the beginning of next week. I will try to throw as much dirt as possible in his mail, so that all this then can “accidentally” get into the people. Let's see how the media will react to this ".
On October 25, new letters appeared in Flores's post office. At the same time, which is much more important, the Omnics file has been updated on the Lumérico portal.txt, which before that simply allowed omniks to go to the site. A couple of new lines of a very strange look appeared there:
Allow: tzolk’in
Allow: Imix chikchanmanik Imix chikchaxchikchakchanimix manik chikchan Imix kimi chikchan chimi chikchakchakchakchachanimix chikchankimii
Tsylkin is the name of the Mayan calendar and a special dialect. Words after the second “Allow:” – the names of animals in this dialect. “IMix” means the first day, “Chikchans” – 5, “Manic” – 7 … If you write down the resulting chain of numbers Mayan and in the horizontal line, you get the most real line of the Morse code: . -..- . -.-. …– . .- – – .- -.-. -.- . The signal is deciphered simply: ExecuteTtack (attack, they say).
Internet detectives already, according to the scheme we know, quickly found the corresponding page, /executeattack /index.HTML. There was another text: “The moment has come. These letters revealed the truth about Portero, began a revolution and convinced the inhabitants of Mexico to support our business. It's time to strike. We will turn the ceremony on November 1, which is so dear to his heart, into a giant protest against this initiative. One thing is required of you: get access to the post of chief of security and try to help the attack. Soon she can write Portero. I changed her password to d0r*nulw9 ".
Here it remained only to go to the site under the login of Mjimenez, and the players fell into the "Adminka" Lumérico. However, until November 1, everything remained quietly: the command line did not work, the same answer was on any team: “There is no connection”.
What the players thought: wait again? In general, a very ambiguous situation is loosening. Sombra seems to lead a very complex game where the ARG participants are just puppets. Also cooperates with Los Mayrtos. Apparently, the sold-76 could not finally deal with them.
Stage 8. Team line
On November 1, the command line began to speak meaningfully. Only a few teams initially worked in the panel:
ABOUT – displays information about the versions of the terminal and shows the available HELP command;
Help – displays a list of available commands;
Override – disconnection of the security system;
Version – displays the current version of the system;
Gras – Search.
It is worth noting that the undocumented team of Espresso, which showed the status of coffee makers, also worked on the command line. Very convenient!
After activating the command line in the letter of Maria Jimenes, the word "/ter/". Detectives drove into the command line the cunning team ABOUT | Grep Ter, which displayed the following text ..
Then it remained only to try to take control of the system using Override. For everything to work out, it was necessary to answer a number of questions. First: your favorite movie (answer – SOME Like it Bot, a movie from a poster in Hollywood). Second: The favorite taste of cookies (Nuevas sabor delicias, mentioned in one of the personal letters). Third: just Secret (the words from the search results Grep Ter – OpenanyThing1 just helped here.1.0). Victory! The system issued the message “OK”, the players gained access to three new teams: LS – display a list of files, CAT – Count the file, Exec – launch the file.
The LS team identified a couple of interesting files: “/mnt/Payload” and “/MNT/D_ILQH_NHB.HTML ". The name d_ilqh_nhb was opened using the indispensable Caesar-23, the answer was the phrase "a_fine_key". When the detectives opened the D_ILQH_NHB file using the CAT command, they saw the key image collected from the symbols of the repeating phrase “VHNL TLDV XYL VCXELO XV QHRTV.Zkolg ".
It turned out that the phrase can be decoded using an affin cipher (a = 23. B = 23). As a result, the phrase "SOME KEYS Are Shapeed as Locks.index "(some keys are in the form of locks).
If, using the "Exec", start the Payload file, the system will ask for the code. They are a surprise! – It turned out to be a once unsolved code from the trace of the chrono -scapel tracer, from the summer games. Yes, that still the castle was.
Well, the players have achieved their own: the power station began to work with interruptions. Well, at least the next countdown began until the final overload.
What the players thought: Another countdown is how glorious (but in general it is clear that they just reached the arg to BlizzCon).
Stage 9. Epilogue
And here is the moment of the triumph: the power station is overloaded. The Lumérico website immediately acquired a new look: a huge sugar skull appeared on the main page, and under it – a victorious message from Sombra: “Good work, guys. Without your help, I could not cope. In any case, now I have the resources that I need for the next operation, you will like it. Wait for the news in the next few days … I will send you something in gratitude; I hope it will work out. Dasvidanya, friends ”(a gift, as it turned out later, is graffiti in the form of a painted skull).
You think everything is? Not really. In the source code of the page, too, something has changed. There was a line <!- Misdirection> (<!- Misleading>). Those who decided to promote the history of this operation of the sombra to the end quickly found the page https: // lumerico.MX/Misdirection/Index.HTML.
There, the last text was waiting for detectives from our cunning hacker: “… installation of the connection … The protocol of“ Sombra ”V2 was launched.3 … redirecting the Lumérico pyramid data to the goal … Hacking passwords of the target … Access to the VolskayainDustries directory has been received.com … boop;) … turning off the connection … "
► What happened next? BlizzCon and the official representation of sombra!
What the players thought (and we are with them): Arrgh, we just used. And you won’t understand either Blizzard, or Sombra, or all together. Also, they brought almost a nose to the shortage of Infiltration, the reaper take it. Okay, let's go in love with the art sombra merged on November 1 ..
* * *
Don’t say, Arg turned out to be funny – with complex riddles, which, it seems, the detectives decided much faster than they initially expected in Blizzard. Hence the sagging, and counters, and other ambiguous moments. But it was still very cool. I would like to know – the next characters will also announce so interestingly? Or they will come up with something more abruptly?
