upb's Push-The-Pusher

[difficulty: 3][protection: CRC32 manipulation]

Your name is used to generate an input buffer. Your serial decides which bits of the input buffer are complemented. Finally, the CRC32 of the input buffer must equal a predefined value (0xFAF3CCCE).

Though CRC is so old and there are numerous resources online about its many variations, this turned out to be much much harder than I expected. Here is the final technique:

  1. find what 32-bit input has CRC32 of 0xFAF3CCCE (brute all 32-bit values or try to work backwards with the long division)
  2. calculate CRC32 of the input buffer less 32-bits
  3. since CRC32(input,4,X) == CRC32(input^X,4,0) we can concatenate the four bytes discovered from step 1 to the buffer after having xor'd them by the result from step 2
  4. the CRC32 of the full input buffer now is 0xFAF3CCCE

If you're facing a similar task, the solution text includes a hand-worked example of CRC32. Oh! And a challenge to you: given a CRC lookup table, how can you quickly find which polynomial was used to generate it?


  1. Hey , Thanks man once again for posting solution.

    The So;X

  2. Yo So;X! NP! I was thinking of what a second version of the crackme could do to fight this method.... 64-bit polynomial maybe (the small brute in this solution would not longer work) and bit mods would happen on the highest-degree terms instead of the lowest


thanks for commenting!