All challenges can be queried on the API under https://cryptochall.ks.kgc.io (N.B. it refuses insecure connection). Any submitted characters not in [a-zA-Z0-9 ] will generate an error. To solve the first 2 challenges, you must write a program that creates valid signatures, in order to send the /win endpoint the message specified in the /flag one. That signed message must be successfully verified by the verification service. Obviously, your program should not just copy a signature received from the signing service, and we've thus blacklisted the winning messages.