I used HxD, and opened up the application in RAM once I got to the prompt in CPS asking me for the password.

Since the EXE for the ASTRO25 CPSes are over 20MB, that's _A LOT_ of text to scan through manually with no prior guidance as to where to look. So, I set the XTL1500 aside.

I took one of my archived code plugs from another XTL1500 I have, then set a known password on that. From there, I got the saved codeplug to the point where it was prompting me for the "read" password. I opened up HxD again and opened PatMobile.exe in RAM. This time, I searched for the password I had set, and HxD found it.

You might say "Well big freaking deal Patrick, you knew what the password was!" Well, in doing this, I at least knew that the password was recoverable using this method.

I made a note of the memory address I had found the password at, and the strings of text that was around the password in HxD.

Next, I plugged the XTL back in with the unknown password, got to the point where it was giving me a prompt for the password, opened up the instance of PatMobile.exe in RAM via HxD, then went to the memory address I documented in the "control" part of the experiment. The password wasn't in the exact memory address as the saved codeplug with the known password (nor did I expect it to be), but after a couple of minutes of searching for similar text around where the password was located during the "control" part of the experiment, I did find it!