Information provided by, and all credits to, Brian B. and Nicholas Navaroli

A walk through of cracking the Megatouch© Force 2011

Important note:
All the steps below require that you install the latest version of the Megatouch Force 2011.5 software.

Step 1: Obtaining access to the shell

The first step needed to crack the system is to get shell access to the system itself. The easiest way to do this is to plug in a keyboard and override the Linux kernel boot options so that the machine boots to runlevel 3.
  1. Using a Phillips head screwdriver, remove the metal panel on the back of the Megatouch, exposing the external USB port
  2. Plug a USB keyboard into the USB port
  3. Turn on the machine; when you see the "FORCE" logo, hold down the "Alt" key and keep it held down until you see a red box on the screen and a console that says "boot:"
  4. Enter the following line
    linux-V28_40 3
  5. Once the system is booted and prompting for a login, log in with the following credentials
    • username: maxx
    • password: maxx
  6. You are now logged in as root

  7. Once you log in you will most likely want to edit or copy files on the system. To do that you must first remount the root filesystem (/) read/write using the following command.
    root@linux# mount -o remount,rw /

Step 2: Obtaining the game code

On the Force 2011 the main game code is actually hidden within another binary. When the system starts, it launches /usr/local/bin/start. This is just a wrapper program that contains and extracts the actual game binary: start reads itself via /proc/self/exe, performs some decoding, writes the decoded program to disk as /tmp/dstart and then launches that new binary. The details of the decoding are described here; however, as you will see, you do not actually need to understand the decoding to retrieve the game code.

While the designers of this code jump through a few hoops to try to hide the actual game binary, it is trivial to bypass all their work. Simply launch /usr/local/bin/start and then copy the decoded file out of /tmp/dstart. To do this, follow the steps below.

Step 3: Replace /usr/local/bin/start

The next step is to replace the original /usr/local/bin/start binary with the binary you copied from /tmp/dstart. After you copy it, ensure the SUID permission is set.
The commands below will do this for you, assuming your extracted file was called /tmp/extracted_dstart:

-bash-3.00# cp /tmp/extracted_dstart /usr/local/bin/start
-bash-3.00# chmod 4755 /usr/local/bin/start

Step 4: Altering the graphics startup process

In this step we will reconfigure the system so that it does not automatically boot into the game when it restarts; it will still boot into the graphics system, which is required for step 5 to succeed.
Type the following commands:
-bash-3.00# cp ~/.xinitrc ~/.xinitrc.bak
-bash-3.00# echo "xterm" | cat - ~/.xinitrc.bak > ~/.xinitrc
-bash-3.00# reboot

Step 5: Make the disk writeable again

Since we rebooted, we have to tell the system to take the disk out of read-only mode and let us write to it, just as we did in the first series of steps.
You will notice that the system boots to a black screen with a white terminal box. Touch the touchscreen in the area of the white terminal box, then type the following command.
-bash-3.00# mount -o rw,remount /

Step 6: Extract the encrypted data from your actual key

In this step we will extract the encrypted data from your Dallas DS1996 key and save it to the file /.key. This is easy to do, as the Force 2011 has a debugger on the system which lets you manipulate the running code.

What we are about to do is execute the program but stop it immediately after it has read the data from the Dallas key; we then write the 1024 bytes of data it read out to a file. Below is the gdb session that extracts the keys.

Step 7: Patching KeyManager::Check()

We are now ready to patch the main game binary, which we stored as /usr/local/bin/start. We will need to patch this code in a few places to bypass the need for the physical key. The first of these patches is in the KeyManager::Check() function. Normally KeyManager::Check() performs a few checks on the Dallas key data: for example, that a Dallas key is physically present in the key holder, which DS199x key family it is, what range the serial number falls in, etc. The control flow graph (CFG) of KeyManager::Check() looks like this.

Our patch greatly simplifies this function. The C equivalent of our KeyManager::Check() after patching would look like this.

int KeyManager::Check(void) {
  return 1;   /* report a valid key unconditionally */
}
However we must write the code directly in ia32 (x86) machine language. The code we patch the binary with will be the following:

ia32 assembly instruction    Machine code values
xor eax, eax                 0x31 0xC0
inc eax                      0x40
retn                         0xC3
This code is located at offset 0x2FA68A (3122826) in the binary /usr/local/bin/start.
The command to perform the patch is:
-bash-3.00# perl -e 'print "\x31\xC0\x40\xC3"' | dd bs=1 count=4 seek=3122826 of=/usr/local/bin/start conv=notrunc
Note: the new KeyManager::Check() is only 4 bytes in total. This frees up quite a bit of space in the binary, which we will use in the next step.

Step 8: Writing machine code to read the stored key data from disk

The system needs the data from the Dallas key: it contains important configuration information such as what region the game is in and which games and options are available. Remember that in step 6 we were able to read the encrypted data from the key and store it on disk as /.key.

In this step we will write some custom machine code that reads the data from disk and stores it at the memory address where the game expects the encrypted data to be.

The assembly code looks like this

The machine code should be patched somewhere in the space freed when we shortened the KeyManager::Check() function. We will start it immediately after our patched KeyManager::Check() ends, which is at offset 3122830 in the file /usr/local/bin/start.

To add this code, run the following commands:

-bash-3.00# perl -e 'print "\x2F\x2E\x6B\x65\x79\x00\x00\x00\x00\x00\x60\x31\xC0\xB0\x05\xBB"' | dd bs=1 count=16 seek=3122830 of=/usr/local/bin/start conv=notrunc
-bash-3.00# perl -e 'print "\x8E\x26\x34\x08\x31\xC9\xCD\x80\x74\x04\x53\x6E\x6F\x42\x89\xC3"' | dd bs=1 count=16 seek=3122846 of=/usr/local/bin/start conv=notrunc
-bash-3.00# perl -e 'print "\xB0\x03\x8D\x8D\xF4\xFB\xFF\xFF\xBA\x00\x04\x00\x00\xCD\x80\xB0"' | dd bs=1 count=16 seek=3122862 of=/usr/local/bin/start conv=notrunc
-bash-3.00# perl -e 'print "\x06\xCD\x80\x61\x68\xAD\xBA\x34\x08\xC3\x68\x61\x63\x6B\x65\x64"' | dd bs=1 count=16 seek=3122878 of=/usr/local/bin/start conv=notrunc
At this point we have added new code that can read the encrypted key information from /.key; however, nothing actually uses this code yet. Calling this code comes in the next step.

Step 9: Patching KeyManager::ReadDs1995KeyData() to read the key data from disk

In step 7 we patched the system so that it always thinks a valid key is in the game. However, to fully play the game the system needs the data that is stored on the key. In this step we patch the game so that rather than trying to read the key data from the physical key, it reads the copy of the data we dumped from the physical key in step 6. We do this by updating the game code so that instead of calling USBIO::ReadUSBMemory() it calls the code we added in step 8, which reads the data from /.key.

The original game code looks like this (in C)

The game code after we patch it

Here is the command to make that patch

-bash-3.00# perl -e 'print "\x68\x98\x26\x34\x08\xC3\x53\x6E\x6F\x42\x00\x90\x90\x90"' | dd bs=1 count=14 seek=3160553 of=/usr/local/bin/start conv=notrunc

Step 10: Patching USBIO::ReadKeyId()

We are almost done. One of the last tasks is to change the operation of USBIO::ReadKeyId(), which reads and "fixes" the serial number from the actual Dallas key.

Under normal operation the game reads the serial number from the physical Dallas key and then "fixes up" the serial number (for some reason the lower-level hardware/drivers return the serial number encoded slightly off). This is the code on the left, circled in red. If there is no key present, the game instead loads a fake serial number "A5 A5 A5 A5 A5 A5 A5 A5". This is the code on the right, circled in green. We are going to patch the code so that it ALWAYS takes the right-hand path and reads a static serial number; we will later patch that static serial number to be the serial number of the real key. The code below shows the code we want to patch.

Here is the command to make that patch

-bash-3.00# perl -e 'print "\x74"' | dd bs=1 count=1 seek=3160093 of=/usr/local/bin/start conv=notrunc

Step 11: Patching in the serial number

In step 10 we changed the code so that the game does not read the serial number from the physical key but instead reads it straight from static data in the game code. In this step we patch in the actual serial number from our real key. To do this, get out your real key. The bottom of the key should look like the picture below. Read the serial number from right to left in groups of 2 digits; the first 2 digits and the last 2 digits are above the rest of the digits. In this example the data would be

0C 2B C5 FB 00 00 00 5E

Now split the characters into two parts, each with 8 digits.

Part #1        Part #2
0C 2B C5 FB    00 00 00 5E

Now we patch the digits directly into the game code: FIRST goes part #1, then part #2. Here are the commands to make that patch; remember to put YOUR actual digits in below (do not try to use the example serial number, it WILL NOT work).

-bash-3.00# perl -e 'print "\x0C\x2B\xC5\xFB"' | dd bs=1 count=4 seek=3160118 of=/usr/local/bin/start conv=notrunc

-bash-3.00# perl -e 'print "\x00\x00\x00\x5E"' | dd bs=1 count=4 seek=3160125 of=/usr/local/bin/start conv=notrunc
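The example value above is a well-formed Dallas 1-Wire ROM ID read family code first: byte 1 is the family code (0x0C for the DS1996 named in step 6), bytes 2 to 7 are the 48-bit serial number and byte 8 is a CRC-8 (polynomial x^8 + x^5 + x^4 + 1) over the first seven bytes. The Python below is an added check, not part of the original walkthrough and not the game vendor's code; it validates a transcribed ROM ID so that a misread digit or a reversed byte order is caught by the CRC before the value is used for anything. The DS1996 family code and the example value "0C 2B C5 FB 00 00 00 5E" are the only inputs; everything else is a constructed helper.

```python
DS1996_FAMILY_CODE = 0x0C  # 1-Wire family code of the DS1996 memory iButton


def crc8_maxim(data: bytes) -> int:
    """Dallas/Maxim 1-Wire CRC-8: polynomial x^8 + x^5 + x^4 + 1 in its
    bit-reflected form (0x8C), initial value 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8C if crc & 1 else crc >> 1
    return crc


def parse_rom_id(text: str) -> bytes:
    """Turn '0C 2B C5 FB 00 00 00 5E' (family code first) into 8 bytes."""
    rom = bytes.fromhex(text)  # fromhex ignores the spaces between bytes
    if len(rom) != 8:
        raise ValueError("a 1-Wire ROM ID is exactly 8 bytes, got %d" % len(rom))
    return rom


def check_rom_id(text: str, expected_family: int = DS1996_FAMILY_CODE) -> dict:
    """Report whether a transcribed ROM ID is internally consistent.

    family_ok: first byte matches the expected device family.
    crc_ok:    last byte equals the CRC-8 of the first seven bytes; a
               single misread digit or a reversed byte order fails this.
    """
    rom = parse_rom_id(text)
    family, serial, crc = rom[0], rom[1:7], rom[7]
    return {
        "family_ok": family == expected_family,
        "crc_ok": crc8_maxim(rom[:7]) == crc,
        "serial_hex": serial.hex().upper(),
    }


if __name__ == "__main__":
    # The walkthrough's example value: family 0C, CRC 5E, both consistent.
    print(check_rom_id("0C 2B C5 FB 00 00 00 5E"))
```

Only the family and CRC bytes carry redundancy, so the check confirms that the eight bytes were read in the right order and without typos; it says nothing about whether a given key is the one a particular cabinet was shipped with.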

Step 12: Tri Towers Security Key Check

Thank you to Daryl Kerr for this fix on Force 2011!

-bash-3.00# perl -e 'print "\x31\xC0\x40\xC3"' | dd bs=1 count=4 seek=3159682 of=/usr/local/bin/start conv=notrunc
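Steps 7 through 12 all change the game binary the same way: a handful of bytes are overwritten at fixed file offsets with dd. The wrapper's decoding scheme from step 2 does nothing to detect this, but an integrity manifest computed from a known-good copy locates such edits immediately. The Python below is an added example, not code from the walkthrough or from the game vendor: it hashes a file in fixed-size regions, stores one SHA-256 digest per region, and later reports which regions of a copy no longer match. The "binary" it checks is a constructed 16 KiB byte string, not the real /usr/local/bin/start, and the region size is an arbitrary choice for the example.

```python
import hashlib
from typing import List

REGION_SIZE = 4096  # bytes per hashed region; chosen for this example


def build_manifest(data: bytes, region_size: int = REGION_SIZE) -> List[str]:
    """Return one SHA-256 hex digest per fixed-size region of `data`.

    Built once from a known-good copy and kept somewhere the checked
    system cannot write to.
    """
    return [
        hashlib.sha256(data[offset:offset + region_size]).hexdigest()
        for offset in range(0, len(data), region_size)
    ]


def find_modified_regions(data: bytes, manifest: List[str],
                          region_size: int = REGION_SIZE) -> List[int]:
    """Return the starting offset of every region whose digest differs.

    A length mismatch is an error rather than a partial comparison,
    because truncating or appending to the file is also tampering.
    """
    current = build_manifest(data, region_size)
    if len(current) != len(manifest):
        raise ValueError(
            "region count differs from manifest (%d vs %d): file length changed"
            % (len(current), len(manifest))
        )
    return [
        index * region_size
        for index, (got, want) in enumerate(zip(current, manifest))
        if got != want
    ]


def overwrite_bytes(data: bytes, offset: int, patch: bytes) -> bytes:
    """In-memory equivalent of `dd conv=notrunc seek=<offset>`: replace
    len(patch) bytes at `offset` without changing the overall length."""
    if offset + len(patch) > len(data):
        raise ValueError("patch extends past the end of the data")
    return data[:offset] + patch + data[offset + len(patch):]


# Constructed stand-in for a binary: 16 KiB of deterministic bytes.
GOOD_IMAGE = bytes(range(256)) * 64
GOOD_MANIFEST = build_manifest(GOOD_IMAGE)


def demo() -> List[int]:
    """Write the 4-byte stub from step 7 into region 1 of the constructed
    image and report which regions the manifest flags."""
    patched = overwrite_bytes(GOOD_IMAGE, 5000, b"\x31\xC0\x40\xC3")
    return find_modified_regions(patched, GOOD_MANIFEST)


if __name__ == "__main__":
    print("modified regions start at:", demo())  # → [4096]
```

The check is only as trustworthy as the place the manifest and the checking code live. Anyone with the root shell from step 1 can patch a check embedded in the same binary with the same dd command, so a real deployment anchors it somewhere the operator cannot edit: verified from read-only or removable media, or chained from a boot stage that validates the next one.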

Step 13: Reset the graphics system

Now we have to undo the changes we made in step 4 so that the system automatically starts the game again. Type the following command.

-bash-3.00# mv ~/.xinitrc.bak ~/.xinitrc

Step 14: Remove your key

At this point you can remove your security key. Your game should now work without needing the key, so you no longer need to worry that your key battery will expire and render your system useless.

Step 15: Reboot the system, and enjoy your game!

-bash-3.00# reboot
Upon removing the security key and rebooting, your system should reboot into the Megatouch Force 2011 game!

If you found this useful please consider making a small donation using the link below. Hopefully we can recoup the cost of the 3 Megatouches we bought to hack and the time we spent. Hopefully we can also find more time to crack other Megatouch systems.

© 2009-2017 All rights reserved.
All other products, trademarks, and copyrights are owned by their respective owners.