
Research is expensive

We provide the information for bypassing the key for free. Research is expensive though; basically, the time spent researching is overtime hours I do not get to work for pay. So if you like the work and want to say "thanks", feel free to make a small donation (or a large one) to help cover the time I spent. It may help encourage me to make hacks for other versions of the software, though no promises :)

Consider becoming a supporter of my patreon.com community.

A walkthrough of cracking the Megatouch© Force 2011

Important note:
All the steps below require that you install the latest version of the Megatouch Force 2011.5 software.

Step 4: Altering the graphics startup process

In this step we will reconfigure the system so that it does not automatically boot into the game when it restarts; instead it will boot into the graphics system, which is required for step 5 to succeed.
Type the following commands:
-bash-3.00# cp ~/.xinitrc ~/.xinitrc.bak
-bash-3.00# echo "xterm" | cat - ~/.xinitrc.bak > ~/.xinitrc
-bash-3.00# reboot

Step 5: Make the disk writeable again

Since we rebooted, we have to tell the system to take the disk out of read-only mode and let us write to it, just as we did in the first series of steps.
First you will notice the system boots to a black screen with a white terminal box. Touch the touchscreen in the area of the white terminal box, then type the following command.
-bash-3.00# mount -o rw,remount /

Step 6: Extract the encrypted data from your actual key

In this step we will extract the encrypted data from your Dallas DS1996 key and save it to the file /.key. This is actually easy to do, as the Force 2011 system includes a debugger which allows you to easily manipulate the running code.

What we are about to do is execute the program, but stop it immediately after it has read the data from the Dallas key; we will then write out the 1024 bytes of data it read to a file. Below is the gdb session that extracts the key data.

Step 7: Patching KeyManager::Check()

We are now ready to patch the main game binary, which is stored as /usr/local/bin/start. We will need to patch this code in a few places to bypass the need for the physical key. The first of these patches is in the KeyManager::Check() function. Normally KeyManager::Check() performs a few checks on the Dallas key data: for example, that a Dallas key is physically present in the key holder, which DS 199x key family it belongs to, what range the serial number falls in, etc. The control flow graph (CFG) of KeyManager::Check() looks like this.

Our patch will greatly simplify this function. The C code for our KeyManager::Check() after patching would look like this.


int KeyManager::Check(void) {
  return 1;
}
However, we must write the code directly in ia32 (x86) machine code. The bytes we patch into the binary are the following:

ia32 Assembly Instruction    Machine Code Values
xor eax, eax                 0x31 0xC0
inc eax                      0x40
retn                         0xC3
This code is located at offset 0x2FA68A (3122826) in the binary /usr/local/bin/start.
The command to perform the patch is:
-bash-3.00# perl -e 'print "\x31\xC0\x40\xC3"' | dd bs=1 count=4 seek=3122826 of=/usr/local/bin/start conv=notrunc
Note: the new KeyManager::Check() function is only 4 bytes in total. This frees up quite a bit of space in the binary, which we will use in the next step.

Step 8: Writing machine code to read the the stored key data from disk

The system needs the data from the Dallas key; it contains important configuration information such as what region the game is in, and which games and options are available. Remember that in step 6 we read the encrypted data from the key and stored it on disk as /.key.

In this step we will write some custom machine code to read the data from disk and store it at the memory address where the game expects the encrypted data to be.

The assembly code looks like this

The machine code should be patched somewhere in the space freed when we shortened the KeyManager::Check() function. We will start immediately after our patched KeyManager::Check() ends, which is at offset 3122830 in the file /usr/local/bin/start.

To add this code run the following commands


-bash-3.00# perl -e 'print "\x2F\x2E\x6B\x65\x79\x00\x00\x00\x00\x00\x60\x31\xC0\xB0\x05\xBB"' | dd bs=1 count=16 seek=3122830 of=/usr/local/bin/start conv=notrunc
-bash-3.00# perl -e 'print "\x8E\x26\x34\x08\x31\xC9\xCD\x80\x74\x04\x53\x6E\x6F\x42\x89\xC3"' | dd bs=1 count=16 seek=3122846 of=/usr/local/bin/start conv=notrunc
-bash-3.00# perl -e 'print "\xB0\x03\x8D\x8D\xF4\xFB\xFF\xFF\xBA\x00\x04\x00\x00\xCD\x80\xB0"' | dd bs=1 count=16 seek=3122862 of=/usr/local/bin/start conv=notrunc
-bash-3.00# perl -e 'print "\x06\xCD\x80\x61\x68\xAD\xBA\x34\x08\xC3\x68\x61\x63\x6B\x65\x64"' | dd bs=1 count=16 seek=3122878 of=/usr/local/bin/start conv=notrunc
At this point we have added new code that can read the encrypted key information from /.key; however, nothing actually uses this code yet. Calling this code will come in the next step.

Step 9: Patching KeyManager::ReadDs1995KeyData() to read the key data from disk

In step 7 we patched the system so that it always thinks a valid key is in the game. However, to fully play the game the system needs the data that is stored on the key. In this step we patch the game so that rather than trying to read the key data from the physical key, it reads the copy of the data we dumped from the physical key in step 6. We do this by updating the game code so that rather than calling USBIO::ReadUSBMemory() it calls the code we created in step 8, which reads the data from /.key instead.

The original game code looks like this (in C)

The game code after we patch it

Here is the command to make that patch


-bash-3.00# perl -e 'print "\x68\x98\x26\x34\x08\xC3\x53\x6E\x6F\x42\x00\x90\x90\x90"' | dd bs=1 count=14 seek=3160553 of=/usr/local/bin/start conv=notrunc

Step 10: Patching USBIO::ReadKeyId()

We are almost done. One of the last tasks is to change the operation of USBIO::ReadKeyId(), which reads and "fixes" the serial number from the actual Dallas key.

Under normal operation the game reads the serial number from the physical Dallas key and then "fixes up" the serial number (for some reason the lower-level hardware/drivers return the serial number encoded slightly off). This is the code on the left, circled in red. If no key is present, the game instead loads a fake serial number "A5 A5 A5 A5 A5 A5 A5 A5". This is the code on the right, circled in green. We are going to patch the code so that it ALWAYS takes the right-hand path and reads in a static serial number; we will later patch that serial number to be the serial number of the real key. The code below shows the code we want to patch.

Here is the command to make that patch


-bash-3.00# perl -e 'print "\x74"' | dd bs=1 count=1 seek=3160093 of=/usr/local/bin/start conv=notrunc
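As an added example (not part of the original walkthrough), the following Python check lets an operator tell whether a copy of /usr/local/bin/start already carries the patches from steps 7 to 10, using only the offsets and byte values published above. It is tamper-detection logic: it compares the bytes at each published offset with the published patch bytes and reports a file hash so a binary can be compared against a known copy. A real run would read the binary from disk; here a zero-filled stand-in buffer is constructed so the check runs offline, and the simulated "patched" copy is produced by a test helper that writes the same bytes the page's dd commands write.

```python
"""Detect whether a Megatouch Force 2011 'start' binary carries the
key-bypass patches described in steps 7 to 10 of this page.

Added example, not from the original page. The offsets are the dd seek=
values and the bytes are the perl print payloads published above; the
sample buffers below are constructed here so the check runs offline.
"""
import hashlib

# Each signature: (label, file offset, bytes the patch writes there).
PATCH_SIGNATURES = [
    ("KeyManager::Check() replaced by 'return 1'", 3122826,
     bytes.fromhex("31 C0 40 C3")),            # xor eax,eax / inc eax / retn
    ("key loader stub placed after Check()", 3122830,
     bytes.fromhex(
         "2F 2E 6B 65 79 00 00 00 00 00 60 31 C0 B0 05 BB"
         "8E 26 34 08 31 C9 CD 80 74 04 53 6E 6F 42 89 C3"
         "B0 03 8D 8D F4 FB FF FF BA 00 04 00 00 CD 80 B0"
         "06 CD 80 61 68 AD BA 34 08 C3 68 61 63 6B 65 64")),
    ("ReadDs1995KeyData() redirected to loader stub", 3160553,
     bytes.fromhex("68 98 26 34 08 C3 53 6E 6F 42 00 90 90 90")),
    ("ReadKeyId() branch forced (single byte)", 3160093,
     bytes.fromhex("74")),
]


def sha256_hex(data: bytes) -> str:
    """Hash of the whole file, for comparison against a known-good copy."""
    return hashlib.sha256(data).hexdigest()


def signature_present(data: bytes, offset: int, expected: bytes) -> bool:
    """True if the bytes at `offset` equal the published patch bytes."""
    return data[offset:offset + len(expected)] == expected


def scan_binary(data: bytes) -> dict:
    """Return {label: present} for every published patch signature."""
    return {label: signature_present(data, off, sig)
            for label, off, sig in PATCH_SIGNATURES}


def is_patched(data: bytes) -> bool:
    """Judge only on the multi-byte signatures; a lone 0x74 at the step 10
    offset is too weak to decide anything by itself."""
    hits = scan_binary(data)
    strong = [label for label, _, sig in PATCH_SIGNATURES if len(sig) > 1]
    return all(hits[label] for label in strong)


def simulate_patches(data: bytes) -> bytes:
    """Constructed test helper: write the published bytes into a copy of the
    buffer, mirroring what the page's dd commands do to the file on disk."""
    buf = bytearray(data)
    for _, off, sig in PATCH_SIGNATURES:
        buf[off:off + len(sig)] = sig
    return bytes(buf)


# Constructed stand-in for /usr/local/bin/start: 3.2 MB of zeros, enough to
# cover the highest published offset. A real check would read the file.
CLEAN_SAMPLE = bytes(3_200_000)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE),
                       ("patched", simulate_patches(CLEAN_SAMPLE))):
        print(name, sha256_hex(blob)[:16], "patched:", is_patched(blob))
        for label, hit in scan_binary(blob).items():
            print("   ", "FOUND  " if hit else "absent ", label)
```

To use it on a real machine, replace CLEAN_SAMPLE with the contents of the file (`open("/usr/local/bin/start", "rb").read()`) and keep the SHA-256 of an unmodified copy for comparison; the signature scan tells you which of the four patch sites differ from the published bypass bytes, while the hash tells you whether anything else in the file has changed.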

Step 11: Patching in the serial number

In step 10 we changed the code so that the game will not read the serial number from the physical key, but instead reads it straight from static data in the game code. In this step we patch in the actual serial number from your real key. To do this, get out your real key. The bottom of the key should look like the picture below. Read the serial number from right to left in groups of 2 digits; the first 2 digits and the last 2 digits are above the rest of the digits. In this example the data would be

0C 2B C5 FB 00 00 00 5E

Now split the characters into two parts, each with 8 digits.

Part #1        Part #2
0C 2B C5 FB    00 00 00 5E

Now we will patch the digits directly into the game code: first part #1, then part #2. Here are the commands to make that patch; remember to put your actual digits in below, in the same order as in this example.


-bash-3.00# perl -e 'print "\x0C\x2B\xC5\xFB"' | dd bs=1 count=4 seek=3160118 of=/usr/local/bin/start conv=notrunc

-bash-3.00# perl -e 'print "\x00\x00\x00\x5E"' | dd bs=1 count=4 seek=3160125 of=/usr/local/bin/start conv=notrunc

Step 12: Reset the graphics system

Now we have to undo the changes we made in step 4 so the system automatically starts the game again. Type the following command.

-bash-3.00# mv ~/.xinitrc.bak ~/.xinitrc

Step 13: Remove your key

At this point you can remove your security key. Your game should now work without needing the key, and you no longer need to worry that your key battery will expire, rendering your system useless.

Step 14: Reboot the system, and enjoy your game!


-bash-3.00# reboot
Upon removing the security key and rebooting, your system should reboot into the Megatouch Force 2011 game!

If you found this useful please consider making a small donation using the link below. Hopefully we can recoup the cost of the 3 Megatouches we bought to hack and the time we spent. Hopefully we can also find more time to crack other Megatouch systems.

© 2009-2017 arcade-cabinets.com. All rights reserved.
All other products, trademarks, and copyrights are owned by their respective owners.