ZenHAX

PostPosted: Fri Jan 04, 2019 5:44 am 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 406
I want to view the files in Gameloft's Ice Age Adventures, but they are in some type of archive that goes by .ARK. It's unreadable: the metadata is encrypted with XXTEA and the data is compressed with zlib. I heard that the My Little Pony city builder uses this format similarly, and that pack.info, in AppData for Android and Documents for iOS, lists the files in one. Any advice on decrypting this archive, or will someone try? Thanks a lot.

_________________
Hacking Angry Birds since 2016


Last edited by LolHacksRule on Mon Oct 28, 2019 5:09 pm, edited 4 times in total.

PostPosted: Sat Jan 12, 2019 12:40 am
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 10822
Not sure if the information is encrypted; anyway, with offzip -a you can extract the compressed files, but not the uncompressed ones.


PostPosted: Sat Jan 12, 2019 2:28 am
Joined: Fri Apr 20, 2018 12:41 am
Posts: 406
Huh, never knew...

_________________
Hacking Angry Birds since 2016


PostPosted: Mon Oct 28, 2019 5:12 pm
Joined: Fri Apr 20, 2018 12:41 am
Posts: 406
Someone found the ARK file structure, not sure if it applies as this is from MLP's ARKs...

Code:
4 bytes - number of files in archive.
4 bytes - metadata offset
4 bytes - seems to be always 01000000
12-(metadata_offset-1) - compressed data (files compressed and/or encrypted one by one)
Metadata_offset-endoffile - encrypted metadata
_______
Metadata structure:
64 bytes - filename
64 bytes - subfolder name (ex. 'folder/')
4 bytes - offset in ark archive
4 bytes - uncompressed file size
4 bytes - compressed file size (if equals to uncompressed size then not compressed)
4 bytes - encrypted file size (or zeroes if not encrypted)
4 bytes - timestamp
16 bytes - MD5 hash of the file
4 bytes - extract the file? (01000000 or 00000000)
=>168 bytes for every file in archive


Oh, and here's Win8's base version of the file: http://www.filedropper.com/0000iaadatadx. "DX" I guess is Deluxe (Windows 8); Android uses "and" and iOS uses "ios". https://www.dropbox.com/sh/0b1mne4z4tcd ... d5FVsw2xaa Someone made a program with its source code to decompress them in MLP, but it doesn't work for this game. The XXTEA metadata key (4F943201A15B02004F943201B5889900) is the EXACT SAME as MLP for BOTH PC AND MOBILE (IDK IOS)... https://www.dropbox.com/sh/0b1mne4z4tcd ... TjxP7P/Bin. Win8 CDN: http://www.filedropper.com/0182rstiaadatadx.

https://github.com/Arzaroth/Pon3Ark Another tool, but doesn't work, says the ARK version is bad...

UPDATE: ARK Archiver cannot decrypt the metadata of the MLP city builder as of some update, IDK when it was updated: filedropper.com/mlpandroidark.


Attachments:
File comment: A filename dump, from ARK Extractor, it gets the metadata but fails to extract the game data, due to "MD5 mismatch".
SomeNames_CDN_Android.bin [1.61 MiB]
Downloaded 14 times
File comment: Another filename dump, from ARK Extractor, it gets the metadata but fails to extract the game data, due to "MD5 mismatch".
MoreNames_CDN_Android.bin [1.61 MiB]
Downloaded 13 times
File comment: Android (CDN)
pack.info.txt [4.62 KiB]
Downloaded 16 times

_________________
Hacking Angry Birds since 2016
PostPosted: Sat Nov 02, 2019 6:20 pm
Joined: Fri Apr 20, 2018 12:41 am
Posts: 406
Turns out there's yet ANOTHER ARK variant, from Littlest Pet Shop's dataText.obb from the CDN; again, it's compressed the exact same way (not a CustomPAK). The metadata encryption key from MLP (OLD)/IAA is definitely reused.


Attachments:
File comment: May be helpful for this game
extractedarklist.txt [8.89 KiB]
Downloaded 19 times
dataText_LPS_FILECUTTER.zip [3.99 MiB]
Downloaded 14 times

_________________
Hacking Angry Birds since 2016


Last edited by LolHacksRule on Mon Nov 04, 2019 5:48 pm, edited 1 time in total.
PostPosted: Mon Nov 04, 2019 4:05 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 875
Script to unpack Ice Age Adventures ark files (Android / iOS version).

Edited: See below.


Last edited by Ekey on Mon Nov 04, 2019 6:53 pm, edited 1 time in total.

PostPosted: Mon Nov 04, 2019 4:46 pm
Joined: Fri Apr 20, 2018 12:41 am
Posts: 406
DUDE THANK YOU SO MUCH! This will also likely work on LPS's OBB because the same encryption key is used. UPDATE: Got this error on LPS's OBB (rebuilt), I'll try the original file soon. UPDATE2: It worked fine with 5 dups of the same files in "swf" with similar extensions. Trying IAA (Android) from CDN (MEMORY ERROR) and BASE RN (WORKS).

Code:
Error: the compressed zlib/deflate input is wrong or incomplete (-5)
Info:  algorithm   1
       offset      001ab609
       input size  0x00063723 407331
       output size 0x00084be0 543712
       result      0xffffffff -1

Error: the uncompressed data (-1) is bigger than the allocated buffer (612242)

Last script line before the error or that produced the error:
  33  clog PATH OFFSET ZSIZE SIZE


Attachments:
File comment: That's why rebuild doesn't work.
RebuildisBroken.PNG [59.54 KiB]
Not downloaded yet

_________________
Hacking Angry Birds since 2016


Last edited by LolHacksRule on Mon Nov 04, 2019 5:35 pm, edited 5 times in total.
PostPosted: Mon Nov 04, 2019 5:12 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 875
There are 2 encryption keys in the game: main key and dlc key (OBB??)

PS: Well, I lost some experience in BMS coding, so it is possible that the condition in the script is not written correctly :P


PostPosted: Mon Nov 04, 2019 5:39 pm
Joined: Fri Apr 20, 2018 12:41 am
Posts: 406
IAA CDN: https://we.tl/t-KVGRHGvdQ8

_________________
Hacking Angry Birds since 2016


PostPosted: Mon Nov 04, 2019 5:55 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 875
LolHacksRule wrote:

I guess it's encrypted with a new key.


PostPosted: Mon Nov 04, 2019 6:00 pm
Joined: Fri Apr 20, 2018 12:41 am
Posts: 406
I really doubt they use a new key, ARK Extractor can decrypt the metadata completely fine with MLP (OLD)'s reused/default metadata key and the dumps I sent above prove it.

_________________
Hacking Angry Birds since 2016


PostPosted: Mon Nov 04, 2019 6:04 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 875
In the file that you uploaded the metadata offset exceeds the size of the archive itself.

FileSize > 53 506 702 bytes
Offset in header >59 658 772


PostPosted: Mon Nov 04, 2019 6:53 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 875
Here is the updated script. Now encrypted files must be correctly decompressed.

Code:
# Gameloft (Glitch Engine) ARK format
#   Ice Age Adventures (Android / iOS)
#   Littlest Pet Shop (Android)
#   MY LITTLE PONY: Magic Princess (Android)
# script for QuickBMS http://quickbms.aluigi.org

set KEY binary "\x4F\x94\x32\x01\xA1\x5B\x02\x00\x4F\x94\x32\x01\xB5\x88\x99\x00"

get TABLE_SIZE asize
get FILES long
get TABLE_OFFSET long
math TABLE_SIZE -= TABLE_OFFSET

callfunction DecryptTable 1

for i = 0 < FILES
    getdstring NAME 64 MEMORY_FILE
    getdstring PATH 64 MEMORY_FILE
    get OFFSET long MEMORY_FILE
    get SIZE long MEMORY_FILE
    get ZSIZE long MEMORY_FILE
    get ESIZE long MEMORY_FILE
    get TIMESTAMP long MEMORY_FILE
    getdstring MD5 16 MEMORY_FILE
    get RESERVED long MEMORY_FILE
   
    string PATH += NAME
   
    if ESIZE != 0
        log MEMORY_FILE2 OFFSET ESIZE
        encryption xxtea KEY "0x9e3779b9 0" 0 16
        goto 0
        if ZSIZE == SIZE
           log PATH 0 SIZE MEMORY_FILE2
        else
           clog PATH 0 ESIZE SIZE MEMORY_FILE2
        endif
        encryption "" ""
    else
        if ZSIZE == SIZE
           log PATH OFFSET SIZE
        else
           clog PATH OFFSET ZSIZE SIZE
        endif
    endif
next i

startfunction DecryptTable
    encryption xxtea KEY "0x9e3779b9 0" 0 16
    log MEMORY_FILE TABLE_OFFSET TABLE_SIZE
    encryption "" ""
endfunction


Last edited by Ekey on Mon Nov 04, 2019 7:25 pm, edited 8 times in total.
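
An added example, not code from the thread or from any of the tools mentioned in it: a Python parser for the ARK layout posted above that checks header and record fields before using them, so the truncated-download case (metadata offset larger than the file) and MD5 mismatches are reported explicitly. It assumes the metadata table has already been decrypted, handles unencrypted entries only, and assumes the stored MD5 covers the extracted bytes; the function names and the sample archive are constructed for illustration.

```python
import hashlib, posixpath, struct, zlib

HEADER = struct.Struct("<III")             # file count, metadata offset, constant 1
ENTRY = struct.Struct("<64s64sIIIII16sI")  # one 168-byte metadata record

def read_header(ark):
    """Return (count, meta_off); reject a table that cannot fit in the file."""
    count, meta_off, _ = HEADER.unpack_from(ark, 0)
    if not HEADER.size <= meta_off <= len(ark):
        raise ValueError(f"metadata offset {meta_off} outside {len(ark)}-byte file")
    if count * ENTRY.size > len(ark) - meta_off:
        raise ValueError("file count does not fit in the metadata region")
    return count, meta_off

def parse_entries(table, count, meta_off):
    """Parse an already-decrypted table (assumption), checking each record."""
    out = []
    for i in range(count):
        rec = ENTRY.unpack_from(table, i * ENTRY.size)
        name, folder, off, size, zsize, esize, _ts, md5, _flag = rec
        path = (folder.split(b"\0")[0] + name.split(b"\0")[0]).decode("utf-8", "replace")
        norm = posixpath.normpath(path)
        if path.startswith("/") or "\\" in path or norm in (".", "..") or norm.startswith("../"):
            raise ValueError(f"entry {i}: unsafe path {path!r}")
        stored = esize or zsize            # bytes the entry occupies in the data region
        if off < HEADER.size or off + stored > meta_off:
            raise ValueError(f"entry {i}: data range outside the data region")
        out.append(dict(path=norm, offset=off, size=size, zsize=zsize, esize=esize, md5=md5))
    return out

def extract_plain(ark, e):
    """Extract one unencrypted entry with a bounded inflate and an MD5 check."""
    if e["esize"]:
        raise NotImplementedError("encrypted entry: decrypt it first")
    blob = ark[e["offset"]:e["offset"] + e["zsize"]]
    if e["zsize"] != e["size"]:
        d = zlib.decompressobj()
        blob = d.decompress(blob, e["size"] + 1)  # cap output at declared size + 1
        if not d.eof or len(blob) != e["size"]:
            raise ValueError(f"{e['path']}: inflate does not match declared size")
    if hashlib.md5(blob).digest() != e["md5"]:    # assumption: MD5 of extracted bytes
        raise ValueError(f"{e['path']}: MD5 mismatch")
    return blob

def build_sample():
    """Constructed one-file archive with a plaintext table (not real game data)."""
    body = b"hello ark " * 20
    z = zlib.compress(body)
    rec = ENTRY.pack(b"a.txt", b"docs/", 12, len(body), len(z), 0, 0, hashlib.md5(body).digest(), 1)
    return HEADER.pack(1, 12 + len(z), 1) + z + rec
```
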

PostPosted: Mon Nov 04, 2019 6:56 pm

Joined: Fri Apr 20, 2018 12:41 am
Posts: 406
Actually, the CDN file for IAA was incomplete (50MB/57.7MB). Sorry about that, your old script works fine too. Didn't expect autodecompression of zlib'ed files in them, that's a nice touch. Works fine on IAA Win8 data files too.

_________________
Hacking Angry Birds since 2016

