Gameloft ZIP Unscrambler
Posted: Tue May 20, 2014 10:48 pm
It seems some newer Gameloft games, such as N.O.V.A. 3, use scrambled ZIP files instead of the traditional CustomPak. It took me forever banging my head against the CustomPak reader until I realized that it was probably not a CustomPak. Somehow it also escaped my attention until today that all files of this type start with "SB". Well, anyway, here's a program to descramble the files. Have fun with it. Source code is included, as always. I haven't written my DRM wrapper yet, so I guess iOS app hacking noobs will be all over this soon.
Download at the blog: blog/?p=1177
Format notes
It's basically a ZIP file, but with different signatures and encrypted file headers. Instead of "PK\x03\x04" for each file header, you've got "SB" followed by a short of the header length. Not sure why they did it that way, but that's how it works. Oddly enough, the compressed data is not encrypted, so just copy that verbatim. Near the end you'll find the central ZIP directory, which starts with "SDIR", and goes on until the end of the file. Note this directory is a single block instead of the many repeating blocks you find in a normal .zip file. Everything after the "SDIR" is encrypted, so to get this block back just write "PK\x01\x02" to your output and dump the decrypted block to it. No need to differentiate between a central directory entry and the end-of-central-directory block. Regarding the encryption, it's just scrolling XOR, with the file name being the key.
Version History
[1.0.0.0 2014-05-20]
- Initial release
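The layout in the format notes, as an added Python sketch that is not taken from the tool's source: it builds a constructed sample from a normal ZIP and walks it back. Assumptions not stated in the post: the length short is little-endian and counts the encrypted header bytes after the 4-byte tag, the XOR key index restarts at each encrypted block, and the key is the archive's file name as bytes (`sample.pak` is a made-up name).

```python
import io
import struct
import zipfile

KEY = b"sample.pak"  # assumption: archive file name used as the XOR key

def xor_scroll(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def scramble(zip_bytes: bytes, key: bytes) -> bytes:
    """Turn a normal ZIP into the described layout (used to build the sample)."""
    out, pos = bytearray(), 0
    while zip_bytes[pos:pos + 4] == b"PK\x03\x04":
        csize, _usize, nlen, elen = struct.unpack_from("<IIHH", zip_bytes, pos + 18)
        hlen = 26 + nlen + elen                # fixed fields + name + extra field
        data = pos + 4 + hlen
        out += b"SB" + struct.pack("<H", hlen)
        out += xor_scroll(zip_bytes[pos + 4:data], key)
        out += zip_bytes[data:data + csize]    # compressed data is left untouched
        pos = data + csize
    # Central directory through end of file becomes one encrypted block.
    return bytes(out) + b"SDIR" + xor_scroll(zip_bytes[pos + 4:], key)

def unscramble(blob: bytes, key: bytes) -> bytes:
    """Walk the SB headers, then restore the single SDIR block."""
    out, pos = bytearray(), 0
    while blob[pos:pos + 2] == b"SB":
        (hlen,) = struct.unpack_from("<H", blob, pos + 2)
        data = pos + 4 + hlen
        header = xor_scroll(blob[pos + 4:data], key)
        if hlen < 26 or len(header) != hlen:
            raise ValueError(f"bad or truncated header at offset {pos}")
        (csize,) = struct.unpack_from("<I", header, 14)  # size of the data that follows
        out += b"PK\x03\x04" + header + blob[data:data + csize]
        pos = data + csize
    if blob[pos:pos + 4] != b"SDIR":
        raise ValueError(f"expected SDIR at offset {pos}")
    return bytes(out) + b"PK\x01\x02" + xor_scroll(blob[pos + 4:], key)

def make_sample() -> bytes:
    """Constructed two-entry ZIP, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config/settings.txt", "volume=7\n" * 20)
        zf.writestr("readme.txt", "constructed sample entry")
    return buf.getvalue()
```

Because each 4-byte tag replaces a 4-byte signature, the offsets stored in the central directory stay valid and the restored bytes open as an ordinary ZIP.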