This crackme can be downloaded from here.

I start by running the program which asks for a serial number. Nothing seems to happen when I write a wrong one and press 'Check'.

I usually use IDA Pro for reverse engineering but for this crackme I tried OllyDBG, just to try something different. I opened the binary in Olly and searched for the GetDlgItemTextA function, put a breakpoint and ran the code.

When the breakpoint was reached I stepped over and got back to where it was called. The following is a disassembly of the function that made the call to GetDlgItemTextA:

004013D0   . 83EC 10        SUB ESP,10
004013D3   . 8D4424 00      LEA EAX,DWORD PTR SS:[ESP]
004013D7   . 56             PUSH ESI
004013D8   . 6A 0F          PUSH 0F
004013DA   . 50             PUSH EAX
004013DB   . 8BF1           MOV ESI,ECX
004013DD   . 68 E8030000    PUSH 3E8
004013E2   . E8 75020000    CALL <JMP.&MFC42.#3098>
004013E7   . 83F8 08        CMP EAX,8
004013EA   . 75 5D          JNZ SHORT Crackme3.00401449
004013EC   . 807C24 09 2D   CMP BYTE PTR SS:[ESP+9],2D
004013F1   . 75 56          JNZ SHORT Crackme3.00401449
004013F3   . 0FBE4C24 04    MOVSX ECX,BYTE PTR SS:[ESP+4]
004013F8   . D1E1           SHL ECX,1
004013FA   . 83F9 64        CMP ECX,64
004013FD   . 75 4A          JNZ SHORT Crackme3.00401449
004013FF   . 8A4424 0B      MOV AL,BYTE PTR SS:[ESP+B]
00401403   . 84C0           TEST AL,AL
00401405   . 74 42          JE SHORT Crackme3.00401449
00401407   . 807C24 08 2B   CMP BYTE PTR SS:[ESP+8],2B
0040140C   . 75 3B          JNZ SHORT Crackme3.00401449
0040140E   . 0FBE5424 05    MOVSX EDX,BYTE PTR SS:[ESP+5]
00401413   . 83C2 0A        ADD EDX,0A
00401416   . 83FA 44        CMP EDX,44
00401419   . 75 2E          JNZ SHORT Crackme3.00401449
0040141B   . 0FBE4424 07    MOVSX EAX,BYTE PTR SS:[ESP+7]
00401420   . 83E8 2E        SUB EAX,2E
00401423   . 75 24          JNZ SHORT Crackme3.00401449
00401425   . 807C24 0A 4D   CMP BYTE PTR SS:[ESP+A],4D
0040142A   . 75 1D          JNZ SHORT Crackme3.00401449
0040142C   . 0FBE4C24 06    MOVSX ECX,BYTE PTR SS:[ESP+6]
00401431   . 83C1 0A        ADD ECX,0A
00401434   . 83F9 33        CMP ECX,33
00401437   . 75 10          JNZ SHORT Crackme3.00401449
00401439   . 6A 00          PUSH 0
0040143B   . 6A 00          PUSH 0
0040143D   . 68 20304000    PUSH Crackme3.00403020                   ;  ASCII "Serial is Correct!!!"
00401442   . 8BCE           MOV ECX,ESI
00401444   . E8 0D020000    CALL <JMP.&MFC42.#4224>
00401449   > 5E             POP ESI
0040144A   . 83C4 10        ADD ESP,10
0040144D   . C3             RETN

The function checks the characters in the serial one at a time but in random order. The serial lies at address [ESP+4], so when the code references [ESP+9] it is the fifth character away from the first, that is the sixth character.

 

Address: Meaning
004013E7 The serial must be eight characters long
004013EC Sixth character is 0x2d, that is '-'
004013F3-004013FA First character is 0x32, that is '2'
004013FF-00401403 Eight character must not be null, that is it may be any printable.
00401407 Fifth character is 0x2, that is '+'
0040140E-00401416 Second character is 0x3a, that is ':'
0040141B-00401420 Fourth character is 0x2e, that is '.'
00401425 Seventh character is 0x4d, that is 'M'
0040142C-00401434 Third character is 0x29, that is ')'

Putting it all together you get: '2:).+-M8'