I don't like the name of this challenge because it isn't really something I think we "reverse" -- it deals with rolling totals and MD5s, which aren't really reversible (e.g. a total of "100" might be 50+50 or it could be 25+75, but we don't know which case we're dealing with, for instance) -- implying that brute forcing is really the only way we can go about it, but in a way that won't be inefficient and waste a lot of time and resources.
My issue though is still with the fact that you have both a serial string as well as a password string -- both are used as MD5s. That is, it's not like we're ONLY using the total of the hex values derived from the password string -- we're actually using the password string itself as well as the serial string in our operations, for instance: ('0x0' . substr($strPasswordMD5, $i%32, 1)) is used in one operation, implying that in our calculations, we must find the full serial string and also know the full password string. This is puzzling me at the moment (would take eons to find all combinations of serials with all combinations of passwords, etc... there must be some shortcut but I'm not seeing it yet).
Will keep cracking at it though.
EDIT: I think I just answered my own question, on a second look. We don't *technically* need to know the password, I think... we just need to be able to match the net output of that entire operation where the password just happens to be used.