I suggest you should take into consideration that make_package_npdrm.exe creates packages not protected by DRM. So, these packages are runnable only on test units and there could be many more differences between npdrm and retail packages than we can imagine.
To put it in words, it takes a key, adds a row number and uses the sha1 hash of it to decrypt the data.
I didn't look too much into it, but it does compute the sha1 hash of the header and stuff as well; I didn't look too much into which part of the header exactly was used, though.
Still, the problem is that make_package_npdrm can't decrypt non-dev packages.
BTW: I'm sure I'm not the first one to find it, but nobody has mentioned it so far.