Errata: Example 2 (pages 28-32)

Note that different versions of SubSeven have been found to have different "hidden" master passwords, while later versions may have it removed. Memory locations will vary based on the specific version that you test. The SubSeven master password in the example was tested on version 2.1 of SubSeven using SoftICE under Windows 98. When using SoftICE on Windows NT you must choose an alternate breakpoint (other than bpr); this is left as an exercise for the reader. (Hint: Google for "nt softice commands".) All versions of the Trojan can be downloaded at http://www.subseven.ws/, although the downloads on that site have been known to be offline at times.

Correction:

0167:004040dd  8b0e    mov ecx,[esi]      ; our password
0167:004040df  8b1f    mov ebx,[edi]
0167:004040e1  39d9    cmp ecx,ebx
0167:004040e3  7558    jnz 0040413d
0167:004040e5  4a      dec edx
0167:004040e6  7415    jz 004040fd
0167:004040e8  8b4e04  mov ecx,[esi+04]   ; move 1st 4 chars into ecx
0167:004040eb  8b5f04  mov ebx,[edi+04]   ; move another 4 chars into ebx
0167:004040ee  39d9    cmp ecx,ebx        ; compare the two values

At line 2 of the assembly dump, [edi] is a pointer to the master password, and line 8 isn't just "another 4 chars" but rather is four characters of the master password (the supposed "real" password).

The correct reference for the example is "Trojan Reversing Part I - by defiler".

Thanks to defiler for his corrections.