Gameloft Auckland *.ARK

LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Gameloft Auckland *.ARK

Post by LolHacksRule »

I want to view the files in Gameloft's Ice Age Adventures, but they are in some type of archive that goes by .ARK. It's unreadable, with metadata encrypted with XXTEA and data compressed with zlib. I heard that the My Little Pony city builder uses this format similarly, and pack.info, in AppData for Android and Documents for iOS, lists the files in one. Any advice on decrypting this archive, or will someone try? Thanks a lot.
Last edited by LolHacksRule on Tue Dec 01, 2020 9:44 pm, edited 5 times in total.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Ice Age Adventures (.ARK)

Post by aluigi »

Not sure if the information is encrypted; anyway, with offzip -a you can extract the compressed files but not the uncompressed ones.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Ice Age Adventures (.ARK)

Post by LolHacksRule »

Huh, never knew...
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Ice Age Adventures (.ARK)

Post by LolHacksRule »

Someone found the ARK file structure, not sure if it applies as this is from MLP's ARKs...

Code: Select all

4 bytes - number of files in archive.
4 bytes - metadata offset
4 bytes - seems to be always 01000000
12-(metadata_offset-1) - compressed data (files compressed and/or encrypted one by one)
Metadata_offset-endoffile - encrypted metadata
_______
Metadata structure:
64 bytes - filename
64 bytes - subfolder name (ex. 'folder/')
4 bytes - offset in ark archive
4 bytes - uncompressed file size
4 bytes - compressed file size (if equals to uncompressed size then not compressed)
4 bytes - encrypted file size (or zeroes if not encrypted)
4 bytes - timestamp
16 bytes - MD5 hash of the file
4 bytes - extract the file? (01000000 or 00000000)
=>168 bytes for every file in archive


Oh, and here's Win8's base version of the file. http://www.filedropper.com/0000iaadatadx, "DX" I guess is Deluxe (Windows 8), Android uses "and" and iOS uses "ios". https://www.dropbox.com/sh/0b1mne4z4tcd ... d5FVsw2xaa someone made a program with its source code to decompress them in MLP but it doesn't work for this game, the XXTEA metadata key (4F943201A15B02004F943201B5889900) is the EXACT SAME as MLP for BOTH PC AND MOBILE (IDK IOS)... https://www.dropbox.com/sh/0b1mne4z4tcd ... TjxP7P/Bin. Win8 CDN: http://www.filedropper.com/0182rstiaadatadx.

https://github.com/Arzaroth/Pon3Ark Another tool, but doesn't work, says the ARK version is bad...

UPDATE: ARK Archiver cannot decrypt metadata of the MLP city builder as of some update, IDK when it was updated filedropper.com/mlpandroidark.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Gameloft Glitch Engine *.ARK

Post by LolHacksRule »

Turns out there's yet ANOTHER ARK variant, from Littlest Pet Shop's dataText.obb from the CDN. Again, it's compressed the exact same way (not a CustomPAK). The metadata encryption key from MLP (OLD)/IAA is definitely reused.
Last edited by LolHacksRule on Mon Nov 04, 2019 5:48 pm, edited 1 time in total.
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Gameloft Glitch Engine *.ARK

Post by Ekey »

Script for unpacking Ice Age Adventures ark files (Android / iOS version).

Edited: See below.
Last edited by Ekey on Mon Nov 04, 2019 6:53 pm, edited 1 time in total.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Gameloft Glitch Engine *.ARK

Post by LolHacksRule »

DUDE THANK YOU SO MUCH! This will also likely work on LPS's OBB because the same encryption key is used. UPDATE: Got this error on LPS's OBB (rebuilt), I'll try the original file soon. UPDATE2: It worked fine with 5 dups of the same files in "swf" with similar extensions. Trying IAA (Android) from CDN (MEMORY ERROR) and BASE RN (WORKS).

Code: Select all

Error: the compressed zlib/deflate input is wrong or incomplete (-5)
Info:  algorithm   1
       offset      001ab609
       input size  0x00063723 407331
       output size 0x00084be0 543712
       result      0xffffffff -1

Error: the uncompressed data (-1) is bigger than the allocated buffer (612242)

Last script line before the error or that produced the error:
  33  clog PATH OFFSET ZSIZE SIZE
Last edited by LolHacksRule on Mon Nov 04, 2019 5:35 pm, edited 5 times in total.
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Gameloft Glitch Engine *.ARK

Post by Ekey »

In the game there are 2 encryption keys: main key and DLC key (OBB??)

PS: Well, I lost some experience in BMS coding, therefore in the script it is possible the condition is not written correctly :P
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Gameloft Glitch Engine *.ARK

Post by LolHacksRule »

Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Gameloft Glitch Engine *.ARK

Post by Ekey »

LolHacksRule wrote: IAA CDN: https://we.tl/t-KVGRHGvdQ8

I guess it's encrypted with a new key.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Gameloft Glitch Engine *.ARK

Post by LolHacksRule »

I really doubt they use a new key, ARK Extractor can decrypt the metadata completely fine with MLP (OLD)'s reused/default metadata key and the dumps I sent above prove it.
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Gameloft Glitch Engine *.ARK

Post by Ekey »

In the file that you uploaded the metadata offset exceeds the size of the archive itself.

FileSize > 53 506 702 bytes
Offset in header >59 658 772
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Gameloft Glitch Engine *.ARK

Post by Ekey »

Here is the updated script. Now encrypted files must be correctly decompressed.

Code: Select all

# Gameloft (Glitch Engine) ARK format
#   Ice Age Adventures (Android / iOS)
#   Littlest Pet Shop (Android)
#   MY LITTLE PONY: Magic Princess (Android)
# script for QuickBMS http://quickbms.aluigi.org

# XXTEA key, used for both the metadata table and the encrypted files
set KEY binary "\x4F\x94\x32\x01\xA1\x5B\x02\x00\x4F\x94\x32\x01\xB5\x88\x99\x00"

# metadata table size = archive size - table offset
get TABLE_SIZE asize
get FILES long
get TABLE_OFFSET long
math TABLE_SIZE -= TABLE_OFFSET

# decrypt the metadata table into MEMORY_FILE
callfunction DecryptTable 1

# one 168-byte record per file
for i = 0 < FILES
    getdstring NAME 64 MEMORY_FILE
    getdstring PATH 64 MEMORY_FILE
    get OFFSET long MEMORY_FILE
    get SIZE long MEMORY_FILE
    get ZSIZE long MEMORY_FILE
    get ESIZE long MEMORY_FILE
    get TIMESTAMP long MEMORY_FILE
    getdstring MD5 16 MEMORY_FILE
    get RESERVED long MEMORY_FILE
   
    string PATH += NAME
   
    if ESIZE != 0
        log MEMORY_FILE2 OFFSET ESIZE
        encryption xxtea KEY "0x9e3779b9 0" 0 16
        goto 0
        if ZSIZE == SIZE
           log PATH 0 SIZE MEMORY_FILE2
        else
           clog PATH 0 ESIZE SIZE MEMORY_FILE2
        endif
        encryption "" ""
    else
        if ZSIZE == SIZE
           log PATH OFFSET SIZE
        else
           clog PATH OFFSET ZSIZE SIZE
        endif
    endif
next i

startfunction DecryptTable
    encryption xxtea KEY "0x9e3779b9 0" 0 16
    log MEMORY_FILE TABLE_OFFSET TABLE_SIZE
    encryption "" ""
endfunction
Last edited by Ekey on Mon Nov 04, 2019 7:25 pm, edited 8 times in total.
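
Added example, not part of the thread and not any poster's code: a Python sketch of the 168-byte record layout quoted earlier, with the sanity checks that would have flagged the incomplete CDN download (metadata offset larger than the file) before any decryption was attempted. It assumes little-endian fields, as the QuickBMS script reads them, and that the metadata table has already been XXTEA-decrypted by the caller; the path check, the function names and the sample archive are constructed for illustration.

```python
import struct

HEADER = struct.Struct("<III")             # file count, metadata offset, constant 1
ENTRY = struct.Struct("<64s64sIIIII16sI")  # one 168-byte metadata record

def read_header(archive: bytes):
    """Return (count, table_offset); reject truncated or inconsistent archives."""
    if len(archive) < HEADER.size:
        raise ValueError("shorter than the 12-byte header")
    count, table_offset, _const = HEADER.unpack_from(archive)
    if not HEADER.size <= table_offset <= len(archive):
        raise ValueError(f"metadata offset {table_offset} outside "
                         f"{len(archive)}-byte archive (incomplete download?)")
    if count * ENTRY.size > len(archive) - table_offset:
        raise ValueError("metadata table too small for the declared file count")
    return count, table_offset

def parse_entries(table: bytes, count: int, table_offset: int):
    """Parse the already-decrypted table (the XXTEA step is left to the caller)."""
    entries = []
    for i in range(count):
        (name, folder, offset, size, zsize, esize,
         _timestamp, md5, _flag) = ENTRY.unpack_from(table, i * ENTRY.size)
        path = (folder.split(b"\0")[0] + name.split(b"\0")[0]).decode("utf-8", "replace")
        parts = path.replace("\\", "/").split("/")
        # refuse empty/absolute paths, drive letters and parent-directory hops
        if parts[0] == "" or ".." in parts or ":" in parts[0]:
            raise ValueError(f"entry {i}: unsafe path {path!r}")
        stored = esize or zsize            # bytes actually occupied in the archive
        if stored and (offset < HEADER.size or offset + stored > table_offset):
            raise ValueError(f"entry {i}: data range outside the data area")
        entries.append({"path": path, "offset": offset, "size": size,
                        "stored": stored, "compressed": zsize != size,
                        "encrypted": esize != 0, "md5": md5.hex()})
    return entries

def make_sample():
    """Constructed one-file archive; the table is left unencrypted for the demo."""
    data = b"hello ark"
    rec = ENTRY.pack(b"a.txt", b"docs/", HEADER.size, len(data), len(data),
                     0, 0, bytes(16), 1)
    return HEADER.pack(1, HEADER.size + len(data), 1) + data + rec

if __name__ == "__main__":
    ark = make_sample()
    n, off = read_header(ark)
    print(parse_entries(ark[off:], n, off))
```
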
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Gameloft Glitch Engine *.ARK

Post by LolHacksRule »

Actually, the CDN file for IAA was incomplete (50MB/57.7MB). Sorry about that, your old script works fine too. Didn't expect autodecompression of zlib'ed files in them, that's a nice touch. Works fine on IAA Win8 data files too.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Gameloft Glitch Engine *.ARK

Post by LolHacksRule »

Source of ARK archives: https://github.com/flowerfx/vietlot_cc_ ... ib/RKUtils, appears to be from Gameloft Auckland (2013). The writer has a binary built.
Last edited by LolHacksRule on Mon Jan 27, 2020 5:48 pm, edited 1 time in total.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Gameloft Glitch Engine *.ARK

Post by LolHacksRule »

Quick rebump, there are issues extracting Pastry Paradise's OBBs (more ARK variants, hashes for names?).

BASE:

Code: Select all

  offset   filesize   filename
--------------------------------------
  00000010 8346       Assets\Animations\a_cop_b_end_a_happy.anim
  00000000 0          bf58b57544d6
  00000000 0          a_neutral.animad32b86647e807248c440e37eaec9
  00000000 0          ions\a_cop_b_end_b_happy.anim
  00000000 0          00000004.dat
  0000006d 0          d827344e2cb1cfee
  65746e65 1851862642 Vac96c395b56568440ba008211629ce3e

Error: incomplete input file 0: main.12049.com.gameloft.android.ANMP.GloftPAHM.obb
       Can't read 28009 bytes from offset 65746e65.
       Anyway don't worry, it's possible that the BMS script has been written
       to exit in this way if it's reached the end of the archive so check it
       or contact its author or verify that all the files have been extracted.
       Please check the following coverage information to know if it's ok.

  coverage file 0     0%   513447     68063596   . offset 65746e65

Last script line before the error or that produced the error:
  43  clog PATH OFFSET ZSIZE SIZE


PATCH:

Code: Select all

  offset   filesize   filename
--------------------------------------
  00000010 236463     Assets\Localization\arabic.loc
  00000000 0          4ca69902c1e3
  00000000 0          cf33492c3efbdd25f0ca28a087b49b
  00000000 0          zation\english.loc

- it's not possible to create that file due to its filename or related
  incompatibilities (for example already exists a folder with that name), so
  now you must choose a new filename for saving it.
  if you press ENTER a new name will be generated automatically.
  - old: zation\english.loc
  - new: (pressed enter here)
  00000000 0          00000004.dat
  00000000 0          ec2d2cc6bc0701e0
  6f6c2e6e 99         ]5eca70cc7fa92f3093f264bc72e07f0d

Error: incomplete input file 0: patch.12254.com.gameloft.android.ANMP.GloftPAHM.obb
       Can't read 99 bytes from offset 6f6c2e6e.
       Anyway don't worry, it's possible that the BMS script has been written
       to exit in this way if it's reached the end of the archive so check it
       or contact its author or verify that all the files have been extracted.
       Please check the following coverage information to know if it's ok.

  coverage file 0     0%   69998      7932246    . offset 6f6c2e6e

Last script line before the error or that produced the error:
  43  clog PATH OFFSET ZSIZE SIZE


The encryption key is for sure correct. filedropper.com/glpastryparadiseobbs
Last edited by LolHacksRule on Sat Jan 25, 2020 4:13 am, edited 1 time in total.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Gameloft Glitch Engine *.ARK

Post by LolHacksRule »

Rebump?
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Gameloft Glitch Engine *.ARK

Post by Ekey »

Obviously the format is different. Anyway, no files = no help.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: Gameloft Glitch Engine *.ARK

Post by LolHacksRule »

Wow it expired in 3 days... Hold on I'll reup soon. UPDATE: https://www.filedropper.com/showdownloa ... seobbs122j
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Gameloft Glitch Engine *.ARK

Post by Ekey »

Code: Select all

# Gameloft (Pastry Paradise) OBB format
# script for QuickBMS http://quickbms.aluigi.org

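# same XXTEA key as the ARK script, used for the metadata table and the encrypted files
set KEY binary "\x4F\x94\x32\x01\xA1\x5B\x02\x00\x4F\x94\x32\x01\xB5\x88\x99\x00"

# metadata table size = archive size - table offset
get TABLE_SIZE asize
get FILES long
get TABLE_OFFSET long
math TABLE_SIZE -= TABLE_OFFSET

# decrypt the metadata table into MEMORY_FILE
callfunction DecryptTable 1

# one 185-byte record per file: single 128-byte name, 32-byte MD5 field, trailing byte
for i = 0 < FILES
    getdstring NAME 128 MEMORY_FILE
    get OFFSET long MEMORY_FILE
    get SIZE long MEMORY_FILE
    get ZSIZE long MEMORY_FILE
    get ESIZE long MEMORY_FILE
    get TIMESTAMP long MEMORY_FILE
    getdstring MD5 32 MEMORY_FILE
    get RESERVED long MEMORY_FILE
    get NULL byte MEMORY_FILE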
   
    if ESIZE != 0
        log MEMORY_FILE2 OFFSET ESIZE
        encryption xxtea KEY "0x9e3779b9 0" 0 16
        goto 0
        if ZSIZE == SIZE
           log NAME 0 SIZE MEMORY_FILE2
        else
           clog NAME 0 ESIZE SIZE MEMORY_FILE2
        endif
        encryption "" ""
    else
        if ZSIZE == SIZE
           log NAME OFFSET SIZE
        else
           clog NAME OFFSET ZSIZE SIZE
        endif
    endif
next i

startfunction DecryptTable
    encryption xxtea KEY "0x9e3779b9 0" 0 16
    log MEMORY_FILE TABLE_OFFSET TABLE_SIZE
    encryption "" ""
endfunction