Lately, I've been scanning KaZaA ports (tcp 1214) for KaZaA users on my network and trying to find out what files they are sharing. It's been a bit of an adventure as I've had to try and reverse engineer the protocol and I haven't succeeded so far as I think that there is crypto involved. Here's what I've found so far:

The interface between clients is somewhat HTTP like and apparently at one time you could use a web browser to list and download files, however that is no longer the case.

This is the sniffed conversation when listing files from someone:

me to person hosting:
GET /.files HTTP/1.1
Host: <IP removed>:1214
UserAgent: KazaaClient May 28 2002 00:23:52
X-Kazaa-Username: nikm
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 10.1.1.10:1214
X-Kazaa-SupernodeIP: <IP removed>:1214
Connection: close

7`(@
response from person hosting to me:

HTTP/1.0 403 Forbidden 38 350208597

HTTP/1.1 200 OK
Content-Length: 56152
Accept-Ranges: bytes
Date: Tue, 10 Sep 2002 01:06:20 GMT
Server: KazaaClient Jul 15 2002 20:37:36
Connection: close
Last-Modified: Tue, 10 Sep 2002 01:06:20 GMT
X-Kazaa-Username: <Username Removed>
X-Kazaa-Network: KaZaA
X-Kazaa-IP: <IP removed>:1214
X-Kazaa-SupernodeIP: <IP removed>:1214
Content-Type: application/octet-stream
but if I do this manually, and just telnet to port 1214 and send:

GET /.files HTTP/1.1
Host: <IP removed>:1214
UserAgent: KazaaClient May 28 2002 00:23:52
X-Kazaa-Username: nikm
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 10.1.1.10:1214
X-Kazaa-SupernodeIP: <IP removed>:1214
Connection: close
I get back:

HTTP/1.0 403 Forbidden 38 2273515777
but the connection stays open - but after I send anything, it closes:

asd
Connection closed by foreign host.
---

so my theory is the 2273515777 is a challenge response type thing.. especially since on subsequent requests I get:

HTTP/1.0 403 Forbidden 38 2708108060
HTTP/1.0 403 Forbidden 38 554584555
HTTP/1.0 403 Forbidden 38 3674731848
HTTP/1.0 403 Forbidden 38 1127480240
HTTP/1.0 403 Forbidden 38 2212186433
HTTP/1.0 403 Forbidden 38 1302349904
HTTP/1.0 403 Forbidden 38 2185931950
which makes me believe it's not a hash of anything I've sent nor a date stamp since they are not increasing.. when I do a more detailed dump of the packets, I see:

IP-ADDR: 10.1.1.10  -----> <IP removed>
IP-Ver4  ||  Head:0x14 (bytes)  ||  Service(TOS):0  ||  Length over all:0269
Fragmentation:  ID:0x0227 - Flags: 0 1 0 - Offset:00000
TTL:128  ||  Protokoll:006 (TCP)   ||  HeaderCRC:0xd67c
TCP-HEADER:
Ports: 1049-->1214 (unknown) Seq./Ack. Nr.:0x352369e0 / 0x009b1a14
Data-Offset:0x05  Reserved-6Bit:00  Flags:-urg-ACK-PSH-rst-syn-fin-
Window:0xfaf0  CRC:0x7424  Urgent-Pointer:0x0000
Bytes until here: 0x0036  Bytes over all: 0x011b

47 45 54 20 2f 2e 66 69 6c 65 73 20 48 54 54 50 GET /.files HTTP
2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 36 36 2e 31 /1.1..Host: 66.1
32 31 2e 32 31 31 2e 31 39 35 3a 31 32 31 34 0d 21.211.195:1214.
0a 55 73 65 72 41 67 65 6e 74 3a 20 4b 61 7a 61 .UserAgent: Kaza
61 43 6c 69 65 6e 74 20 4d 61 79 20 32 38 20 32 aClient May 28 2
30 30 32 20 30 30 3a 32 33 3a 35 32 0d 0a 58 2d 002 00:23:52..X-
4b 61 7a 61 61 2d 55 73 65 72 6e 61 6d 65 3a 20 Kazaa-Username:
6e 69 6b 6d 0d 0a 58 2d 4b 61 7a 61 61 2d 4e 65 nikm..X-Kazaa-Ne
74 77 6f 72 6b 3a 20 4b 61 5a 61 41 0d 0a 58 2d twork: KaZaA..X-
4b 61 7a 61 61 2d 49 50 3a 20 31 30 2e 31 2e 31 Kazaa-IP: 10.1.1
2e 31 30 3a 31 32 31 34 0d 0a 58 2d 4b 61 7a 61 .10:1214..X-Kaza
61 2d 53 75 70 65 72 6e 6f 64 65 49 50 3a 20 36 a-SupernodeIP: 6
36 2e 37 31 2e 34 2e 37 32 3a 31 32 31 34 0d 0a 6.71.4.72:1214..
43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 Connection: clos
65 0d 0a 0d 0a                                  e....

Note that the tool used to make these packet dumps is aps, here's the command line:

aps -p 1214 -o tcp-ip,udp-ip -d 6
So there's the GET /.files and the header, now here's the response:

IP-ADDR: <IP removed>  -----> 10.1.1.10
IP-Ver4  ||  Head:0x14 (bytes)  ||  Service(TOS):0  ||  Length over all:0080
Fragmentation:  ID:0x5c2c - Flags: 0 1 0 - Offset:00000
TTL:114  ||  Protokoll:006 (TCP)   ||  HeaderCRC:0xc375
TCP-HEADER:
Ports: 1214-->1049 (unknown) Seq./Ack. Nr.:0x009b1a14 / 0x35236ac5
Data-Offset:0x05  Reserved-6Bit:00  Flags:-urg-ACK-PSH-rst-syn-fin-
Window:0x2153  CRC:0x5f0b  Urgent-Pointer:0x0000
Bytes until here: 0x0036  Bytes over all: 0x005e

48 54 54 50 2f 31 2e 30 20 34 30 33 20 46 6f 72 HTTP/1.0 403 For
62 69 64 64 65 6e 20 33 38 20 34 31 35 37 35 34 bidden 38 415754
34 35 37 36 0d 0a 0d 0a                         4576....
Now here's the data sent back:

IP-ADDR: 10.1.1.10  -----> <IP removed>
IP-Ver4  ||  Head:0x14 (bytes)  ||  Service(TOS):0  ||  Length over all:0044
Fragmentation:  ID:0x0229 - Flags: 0 1 0 - Offset:00000
TTL:128  ||  Protokoll:006 (TCP)   ||  HeaderCRC:0xd75b
TCP-HEADER:
Ports: 1049-->1214 (unknown) Seq./Ack. Nr.:0x35236ac5 / 0x009b1a3c
Data-Offset:0x05  Reserved-6Bit:00  Flags:-urg-ACK-PSH-rst-syn-fin-
Window:0xfac8  CRC:0x14a9  Urgent-Pointer:0x0000
Bytes until here: 0x0036  Bytes over all: 0x003c

93 e0 27 98 00 00                               ..'...
And now the floodgates open:

IP-ADDR: <IP removed>  -----> 10.1.1.10
IP-Ver4  ||  Head:0x14 (bytes)  ||  Service(TOS):0  ||  Length over all:0416
Fragmentation:  ID:0x942c - Flags: 0 1 0 - Offset:00000
TTL:113  ||  Protokoll:006 (TCP)   ||  HeaderCRC:0x52e4
TCP-HEADER:
Ports: 1214-->1049 (unknown) Seq./Ack. Nr.:0x009b1a3c / 0x35236ac9
Data-Offset:0x05  Reserved-6Bit:00  Flags:-urg-ACK-PSH-rst-syn-fin-
Window:0x214f  CRC:0xf419  Urgent-Pointer:0x0000
Bytes until here: 0x0036  Bytes over all: 0x01ae
48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a .Content-Length:
20 31 32 30 33 35 36 0d 0a 41 63 63 65 70 74 2d  120356..Accept-
52 61 6e 67 65 73 3a 20 62 79 74 65 73 0d 0a 44 Ranges: bytes..D
61 74 65 3a 20 54 68 75 2c 20 31 32 20 53 65 70 ate: Thu, 12 Sep
20 32 30 30 32 20 32 31 3a 32 39 3a 31 39 20 47  2002 21:29:19 G
4d 54 0d 0a 53 65 72 76 65 72 3a 20 4b 61 7a 61 MT..Server: Kaza
61 43 6c 69 65 6e 74 20 4d 61 79 20 32 38 20 32 aClient May 28 2
30 30 32 20 30 30 3a 32 33 3a 35 32 0d 0a 43 6f 002 00:23:52..Co
6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d nnection: close.
0a 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 .Last-Modified:
54 68 75 2c 20 31 32 20 53 65 70 20 32 30 30 32 Thu, 12 Sep 2002
20 32 31 3a 32 39 3a 31 39 20 47 4d 54 0d 0a 58  21:29:19 GMT..X
2d 4b 61 7a 61 61 2d 55 73 65 72 6e 61 6d 65 3a -Kazaa-Username:
20 74 6f 6e 69 61 6c 65 78 69 73 0d 0a 58 2d 4b  tonialexis..X-K
61 7a 61 61 2d 4e 65 74 77 6f 72 6b 3a 20 4b 61 azaa-Network: Ka
5a 61 41 0d 0a 58 2d 4b 61 7a 61 61 2d 49 50 3a ZaA..X-Kazaa-IP:
20 36 36 2e 31 32 31 2e 32 31 31 2e 31 39 35 3a  66.121.211.195:
31 32 31 34 0d 0a 58 2d 4b 61 7a 61 61 2d 53 75 1214..X-Kazaa-Su
70 65 72 6e 6f 64 65 49 50 3a 20 36 36 2e 32 36 pernodeIP: 66.26
2e 31 38 2e 31 35 31 3a 31 32 31 34 0d 0a 43 6f .18.151:1214..Co
6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c ntent-Type: appl
69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 ication/octet-st
72 65 61 6d 0d 0a 0d 0a                         ream....
that was the header, here's the real data:

IP-ADDR: <IP removed>  -----> 10.1.1.10
IP-Ver4  ||  Head:0x14 (bytes)  ||  Service(TOS):0  ||  Length over all:1500
Fragmentation:  ID:0x952c - Flags: 0 1 0 - Offset:00000
TTL:114  ||  Protokoll:006 (TCP)   ||  HeaderCRC:0x84e9
TCP-HEADER:
Ports: 1214-->1049 (unknown) Seq./Ack. Nr.:0x009b1bb4 / 0x35236ac9
Data-Offset:0x05  Reserved-6Bit:00  Flags:-urg-ACK-psh-rst-syn-fin-
Window:0x214f  CRC:0x0b50  Urgent-Pointer:0x0000
Bytes until here: 0x0036  Bytes over all: 0x05ea

59 61 d2 59 11 5e 99 c3 0b 64 fe 70 58 25 6b cf Ya.Y.^...d.pX%k.
ff ef ff ff d6 06 a0 00 01 02 08 58 6d 61 6e 2e ...........Xman.
62 69 6e a4 40 69 c2 86 33 33 a0 b2 6d 64 dd 33 bin.@i..33..md.3
0e 5b 56 d7 72 89 48 e0 2b 82 c0 c9 75 04 02 23 .[V.r.H.+...u..#
41 61 6c 69 79 61 68 20 70 6c 61 6e 65 20 63 72 Aaliyah plane cr
61 73 68 20 66 6f 6f 74 61 67 65 20 28 31 29 2e ash footage (1).
6d 70 67 0d 04 82 60 81 70 05 01 0f 15 02 93 09 mpg...`.p.......
73 53 1a 7f 09 51 25 f3 08 c5 af 7b b0 eb 41 c0 sS...Q%....{..A.
e6 1b 9c b4 ae 42 82 b9 bf 3d 09 02 1f 42 32 4b .....B...=...B2K
20 2d 20 42 32 4b 20 2d 20 30 31 20 2d 20 47 6f  - B2K - 01 - Go
74 73 20 54 61 20 42 65 2e 6d 70 33 05 02 82 41 ts Ta Be.mp3...A
15 02 81 00 04 0a 47 6f 74 73 20 54 61 20 42 65 ......Gots Ta Be
06 03 42 32 4b 08 03 42 32 4b 0e 03 52 26 42 01 ..B2K..B2K..R&B.
02 8f 52 0a 02 65 6e aa e9 a6 d6 e0 6e f0 66 c1 ..R..en.....n.f.
48 6c 94 8e b4 30 22 ff 0b ab e3 c1 12 ec 8f 01 Hl...0".........
03 02 0f 6b 6d 64 31 37 31 67 75 5f 65 6e 2e 65 ...kmd171gu_en.e
78 65 04 12 4b 61 5a 61 41 20 75 70 64 61 74 65 xe..KaZaA update
20 31 2e 37 2e 31 06 14 53 68 61 72 6d 61 6e 20  1.7.1..Sharman
4e 65 74 77 6f 72 6b 73 20 4c 74 64 d8 f2 88 78 Networks Ltd...x
36 04 6a c4 34 b4 9f b7 a9 7f c8 29 e4 5b e4 f6 6.j.4......).[..
89 12 82 ee b0 00 07 02 1d 30 36 2d 74 77 65 65 .........06-twee
74 2d 62 6f 6f 67 69 65 5f 32 6e 69 74 65 2d 74 t-boogie_2nite-t
61 73 2e 6d 70 33 04 0c 62 6f 6f 67 69 65 20 32 as.mp3..boogie 2
6e 69 74 65 06 05 74 77 65 65 74 08 14 73 6f 75 nite..tweet..sou
74 68 65 72 6e 20 68 75 6d 6d 69 6e 67 62 69 72 thern hummingbir
64 0e 03 52 26 42 01 02 8f 52 1a 1e 23 74 41 53 d..R&B...R..#tAS
20 2f 75 70 6c 6f 61 64 20 62 79 20 71 75 69 63  /upload by quic
6b 6d 75 73 69 63 2e 36 78 2e 89 70 ff 0f 47 42 kmusic.6x..p..GB
26 54 2a b5 3d 73 36 e0 0b b0 99 0c 67 e7 86 6b &T*.=s6.....g..k
82 cf f3 23 09 02 21 30 38 2d 74 77 65 65 74 2d ...#..!08-tweet-
6d 61 6b 65 5f 75 72 5f 6d 6f 76 65 2d 74 61 73 make_ur_move-tas
20 28 31 29 2e 6d 70 33 04 0c 6d 61 6b 65 20 75  (1).mp3..make u
72 20 6d 6f 76 65 06 05 74 77 65 65 74 08 14 73 r move..tweet..s
6f 75 74 68 65 72 6e 20 68 75 6d 6d 69 6e 67 62 outhern hummingb
69 72 64 0e 03 52 26 42 01 02 8f 52 1a 04 23 74 ird..R&B...R..#t
41 53 0a 02 65 6e 0c 04 61 7a 7a 79 d0 3a 49 69 AS..en..azzy.:Ii
ad da 68 78 1c 82 2a bc 0f 39 b4 45 a9 c7 53 ed ..hx..*..9.E..S.
a3 01 81 93 d8 6a 08 02 2b 47 69 6e 75 77 69 6e .....j..+Ginuwin
65 20 2d 20 54 79 20 52 65 61 6c 20 53 74 69 6e e - Ty Real Stin
67 79 20 20 20 52 65 6d 69 78 20 32 20 28 31 29 gy   Remix 2 (1)
2e 6d 70 33 05 02 81 44 15 01 60 04 0e 53 74 69 .mp3...D..`..Sti
6e 67 79 20 28 72 65 6d 69 78 29 06 08 47 69 6e ngy (remix)..Gin
75 77 69 6e 65 08 15 42 61 72 62 65 72 73 68 6f uwine..Barbersho
70 20 53 6f 75 6e 64 74 72 61 63 6b 01 02 8f 52 p Soundtrack...R
0e 03 52 26 42 5d 88 fc 6c 58 60 ea 04 1e a3 98 ..R&B]..lX`.....
d8 2c b6 71 ca 6a 2f a9 fb a5 1e 81 e6 b0 00 08 .,.q.j/.........
02 2c 4b 61 72 79 6e 20 57 68 69 74 65 20 2d 2d .,Karyn White --
20 49 27 6d 20 4e 6f 74 20 59 6f 75 72 20 53 75  I'm Not Your Su
70 65 72 77 6f 6d 61 6e 20 20 2e 6d 70 33 05 02 perwoman  .mp3..
81 73 15 02 81 00 04 0a 53 75 70 65 72 77 6f 6d .s......Superwom
61 6e 06 0b 4b 61 72 79 6e 20 57 68 69 74 65 0e an..Karyn White.
08 53 6c 6f 77 20 4a 61 6d 08 0b 4b 61 72 79 6e .Slow Jam..Karyn
20 57 68 69 74 65 01 02 8f 51 e6 11 37 39 51 2a  White...Q..79Q*
11 c2 9f 48 9e 37 91 50 e7 87 73 28 90 74 cf 7e ...H.7.P..s(.t.~
93 dd c8 04 07 02 2f 4e 45 52 44 20 2d 20 52 6f ....../NERD - Ro
63 6b 73 74 61 72 20 28 4c 69 76 65 20 6f 6e 20 ckstar (Live on
4c 65 74 74 65 72 6d 61 6e 29 20 56 43 44 20 28 Letterman) VCD (
31 29 2e 6d 70 67 0d 04 82 60 81 70 05 02 81 6d 1).mpg...`.p...m
15 02 88 63 04 08 52 6f 63 6b 73 74 61 72 06 07 ...c..Rockstar..
4e 2a 45 2a 52 2a 44 0e 10 4d 75 73 69 63 20 26 N*E*R*D..Music &
20 4d 75 73 69 63 61 6c 73 67 7e 34 ce c9 a5 3c  Musicalsg~4...<
0c 1c a9 f9 09 b9 41 61 2b 70 44 6d b7 d4 3d 82 ......Aa+pDm..=.
8d 80 00 06 02 2e 42 6f 6e 65 20 54 68 75 67 73 ......Bone Thugs
20 4e 27 20 48 61 72 6d 6f 6e 79 20 2d 20 46 69  N' Harmony - Fi
72 73 74 20 4f 66 20 54 68 65 20 4d 6f 6e 74 68 rst Of The Month
2e 6d 70 33 05 02 82 3b 15 01 70 04 12 46 69 72 .mp3...;..p..Fir
73 74 20 4f 66 20 54 68 65 20 4d 6f 6e 74 68 06 st Of The Month.
15 42 6f 6e 65 20 54 68 75 67 73 20 4e 27 20 48 .Bone Thugs N' H
61 72 6d 6f 6e 79 0e 05 4f 74 68 65 72 e5 f0 bc armony..Other...
15 e1 10 61 fc df 87 d6 9d 22 3f 58 e0 a3 38 51 ...a....."?X..8Q
e3 84 00 81 8c fd 66 09 02 0d 53 74 69 6c 6c 20 ......f...Still
46 6c 79 2e 77 6d 61 04 09 53 74 69 6c 6c 20 46 Fly.wma..Still F
6c 79 06 0a 42 69 67 20 54 79 6d 65 72 73 08 09 ly..Big Tymers..
48 6f 6f 64 20 52 69 63 68 0e 03 52 41 50 0a 02 Hood Rich..RAP..
65 6e 01 02 8f 52 0c 09 53 74 69 6c 6c 20 46 6c en...R..Still Fl
79 1a 0d 62 6c 69 6e 67 20 62 6c 69 6e 67 0d 0a y..bling bling..
af 4e b5 d0 56 f6 37 8c 5f 9f 0d 14 63 d7 98 b0 .N..V.7._...c...
52 f0 08 f7 f4 1f 82 a7 a0 00 05 02 23 74 6f 6e R...........#ton
79 20 74 65 72 72 79 20 2d 20 57 68 65 6e 20 49 y terry - When I
20 61 6d 20 77 69 74 68 20 79 6f 75 2e 6d 70 33  am with you.mp3
05 02 82 2e 15 02 81 00 06 0a 74 6f 6e 79 20 74 ..........tony t
65 72 72 79 04 12 57 68 65 6e 20 49 20 61 6d 20 erry..When I am
77 69 74 68 20 79 6f 75 2b 53 c0 4c 3c 1d 01 47 with you+S.L<..G
2d 5e d6 95 b5 10 a2 33 bf c1 ca e9 d7 1e 82 96 -^.....3........
f0 50 05 02 1f 4c 61 75 72 79 6e 20 48 69 6c 6c .P...Lauryn Hill
20 2d 20 49 20 55 73 65 64 20 74 6f 20 4c 6f 76  - I Used to Lov
2e 6d 70 33 05 02 82 1e 15 02 81 00 04 12 49 20 .mp3..........I
55 73 65 64 20 74 6f 20 4c 6f 76 65 20 48 69 6d Used to Love Him
06 1e 4c 61 75 72 79 6e 20 48 69 6c 6c 20 66 65 ..Lauryn Hill fe
61 74 2e 20 4d 61 72 79 20 4a 20 42 6c 69 67 65 at. Mary J Blige
03 d6 48 86 bd c4 52 69 aa 5c 59 1c 8b 31 3d d4 ..H...Ri.\Y..1=.
ec 66 f0 1e                                     .f..
and so on (they're fragmented into MTU sizes)

so my question is how does 4157544576 (0xf7cf1880) relate to 0x93e027980000 (I think the trailing 0's can be ignored, so that leaves 0x93e02798).

hmmm...

My current way of listing files is a bit sneaky - I'm using KaZaA-lite which doesn't have any spyware or ads, and I search for anything, then I do a list files on any particular user while sniffing for the IP of the remote user. My laptop is behind a server which is doing NAT and on which I sniff. So once I have the remote site's IP, I redirect all traffic to that IP to the IP I'm trying to scan:

iptables -t nat -A PREROUTING -d <ip of user> -p tcp --dport 1214 -j DNAT --to-destination <ip I want to scan>
and then do a list files again, and now I see the files shared by the '<ip I want to scan>' - but my main problem now is it's not easily automatable and I cannot get the output in text format :(

A search on the net shows *NOTHING* at all.. I've found one program that does a denial of service using 'GET /.message' but that doesn't work anymore, and I've found a program to send a message using 'GET /.message' but it doesn't work anymore either (I think you have to pass the channel response). There is some mention of a kazaalib on an old version of a kazaa website, but that's about it..

So I observed a few transactions to build up this challenge response table:

1886046367    21 61 a2 d8 00 00
1959296611    48 1e 0b 8d 00 00
3451046637    e9 bc 76 48 00 00
1384819493    28 09 4e 7b 00 00
3635156251    71 72 98 e1 00 00
and then I wrote a fake kazaa client offering files to send new challenges to see if it always responded the same and got:

challenged: 1886046367 response:21 61 a2 d8
challenged: 1886046368 response:6c f4 79 64
challenged: 1886046369 response:0e 5e a2 a7
challenged: 1886046370 response:d6 d9 98 30
challenged: 1886046371 response:36 af 16 49
challenged: 1886046372 response:50 e1 36 ef
challenged: 1886046373 response:50 e4 6d 85
challenged: 1886046374 response:a8 2b 66 90
challenged: 1886046375 response:00 cf a4 9a
challenged: 1886046376 response:db 02 b3 0a
challenged: 1886046377 response:fa d5 43 cd
challenged: 1886046378 response:dd 7a 58 a3
challenged: 1886046379 response:4a c7 19 01
challenged: 1886046380 response:f5 fd f4 70
challenged: 1886046381 response:6a c2 da d5
challenged: 1886046382 response:84 f4 48 9d
challenged: 1886046383 response:6f cd 64 f5
challenged: 1886046384 response:68 a9 1e ae
challenged: 1886046385 response:df 9a 4e ad
challenged: 1886046386 response:d7 d2 64 40
challenged: 1886046387 response:ba 8f 8a bd
and one of the other ones:

challenged: 1959296611 response:48 1e 0b 8d
challenged: 1959296612 response:64 24 0c 29
challenged: 1959296613 response:58 6b 5c d2
challenged: 1959296614 response:dc 58 bf d1
challenged: 1959296615 response:d2 0a 8f 4b
challenged: 1959296616 response:4c d4 95 2b
challenged: 1959296617 response:14 17 9f d5
and then some sequential from 1:

challenged: 1 response:28 d7 82 ee
challenged: 2 response:b7 3e 20 29
challenged: 3 response:38 7b 43 aa
challenged: 4 response:cf ba a8 f4
challenged: 5 response:49 ba 15 90
challenged: 6 response:31 1e 1d 7d
challenged: 7 response:ea 31 99 82
challenged: 8 response:fa 39 4c e2
challenged: 9 response:0d 01 cd 40
challenged: 10 response:3e 8b 71 06
so then I tried a man in the middle attack where I pass the IP of a machine I want to scan, then sit and wait for an intercepted connection from my real client - when my real client connects to my program, I connect to the IP I want to scan and get the challenge, then pass it back to my real client and listen for the response. I then pass the response out to the scanned IP and hope it works.. my current problem is my program is inserting junk in the TCP packet:

I do a:

      write(client_socket, input, 4);
and I see the following hit the wire:

IP-ADDR: 66.135.144.66  -----> <IP Removed>
IP-Ver4  ||  Head:0x14 (bytes)  ||  Service(TOS):0  ||  Length over all:0056
Fragmentation:  ID:0x6fa4 - Flags: 0 1 0 - Offset:00000
TTL:064  ||  Protokoll:006 (TCP)   ||  HeaderCRC:0x0c85
TCP-HEADER:
Ports: 46968-->1214 (unknown) Seq./Ack. Nr.:0x621b24a9 / 0x8d222140
Data-Offset:0x08  Reserved-6Bit:00  Flags:-urg-ACK-PSH-rst-syn-fin-
Window:0x16d0  CRC:0xe8e6  Urgent-Pointer:0x0000
Bytes until here: 0x0036  Bytes over all: 0x0046 

01 01 08 0a 27 b7 4e 39 00 27 35 4c dd db 3d c6 ....'.N9.'5L..=.
vs. what I want to send:

HW-ADDR: 00:d0:59:c5:79:09 -----> 00:50:8b:5d:f9:1f 
IP-ADDR: 10.1.1.10  -----> 10.1.0.1
IP-Ver4  ||  Head:0x14 (bytes)  ||  Service(TOS):0  ||  Length over all:0044
Fragmentation:  ID:0x0660 - Flags: 0 1 0 - Offset:00000
TTL:128  ||  Protokoll:006 (TCP)   ||  HeaderCRC:0xdf5f
TCP-HEADER:
Ports: 1136-->1214 (unknown) Seq./Ack. Nr.:0x974cfbbc / 0x61862bc1
Data-Offset:0x05  Reserved-6Bit:00  Flags:-urg-ACK-PSH-rst-syn-fin-
Window:0xfacb  CRC:0x5acf  Urgent-Pointer:0x0000
Bytes until here: 0x0036  Bytes over all: 0x003c 

dd db 3d c6 00 00                               ..=...
So where the heck is '01 01 08 0a 27 b7 4e 39 00 27 35 4c' coming from???
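An added example, not code from the original page: the dump of the program's packet shows Data-Offset:0x08, which is a 32-byte TCP header, while aps reports "Bytes until here: 0x0036" as it does for the 20-byte headers in the other dumps. Under that reading the first 12 bytes printed as data are TCP options, and decoding them leaves exactly the 4 bytes passed to write(). The function names are illustrative.

```python
import struct

BASE_TCP_HEADER = 20  # bytes in a TCP header that carries no options

# Values copied from the aps dump of the program's own packet above.
DATA_OFFSET_WORDS = 0x08
PRINTED_AS_DATA = bytes.fromhex("01 01 08 0a 27 b7 4e 39 00 27 35 4c dd db 3d c6")


def split_options_and_payload(data_offset_words, after_base_header):
    """Split the bytes following the 20-byte base header into (options, payload)."""
    header_len = data_offset_words * 4          # Data-Offset counts 32-bit words
    if header_len < BASE_TCP_HEADER:
        raise ValueError("data offset smaller than the base TCP header")
    opt_len = header_len - BASE_TCP_HEADER
    if opt_len > len(after_base_header):
        raise ValueError("options run past the captured bytes")
    return after_base_header[:opt_len], after_base_header[opt_len:]


def parse_tcp_options(options):
    """Decode a TCP option block into a list of (name, value) tuples."""
    parsed = []
    pos = 0
    while pos < len(options):
        kind = options[pos]
        if kind == 0:                            # End of Option List
            parsed.append(("EOL", b""))
            break
        if kind == 1:                            # No-Operation, used as padding
            parsed.append(("NOP", b""))
            pos += 1
            continue
        if pos + 2 > len(options):
            raise ValueError("truncated option header")
        length = options[pos + 1]                # covers kind, length and body
        if length < 2 or pos + length > len(options):
            raise ValueError("bad option length")
        body = options[pos + 2:pos + length]
        if kind == 8 and length == 10:           # Timestamps: TSval, TSecr
            parsed.append(("Timestamps", struct.unpack("!II", body)))
        else:
            parsed.append((f"kind_{kind}", body))
        pos += length
    return parsed


if __name__ == "__main__":
    opts, payload = split_options_and_payload(DATA_OFFSET_WORDS, PRINTED_AS_DATA)
    print(parse_tcp_options(opts))
    print("payload:", payload.hex(" "))
```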

hmm.. on further experimentation, it appears that the man in the middle is working about 1 in 4 times.. now to figure out the packet format.


Ok, fresh day.. last night I was wondering if it's a simple hash of the actual text rather than something based on the numeric value, so I wanted to see if a challenge of 1 and 01 return the same result.. so:

challenged: 1    response: 28 d7 82 ee
challenged: 01   response: 28 d7 82 ee
challenged: 001  response: 28 d7 82 ee
challenged: 0001 response: 28 d7 82 ee
so sure enough, it's something based on the numeric value.. so we'll worry about the algorithm later..

so here's a partial packet dump of a file list:

d6:2e:52:d6 1a:fb:90:18 81:c0:f0:00 09:02:23:4a ..R............J
69:6d:6d:79 20:45:61:74 73:20:57:6f 72:6c:64:20 immy Eats World
2d:20:52:6f 6c:6c:65:72 20:51:75:65 65:6e:2e:6d . Roller Queen.m
70:33:05:02 81:45:15:02 81:00:04:0c 52:6f:6c:6c p3...E......Roll
65:72:20:51 75:65:65:6e 06:0f:4a:69 6d:6d:79:20 er Queen..Jimmy
45:61:74:20 57:6f:72:6c 64:08:0e:42 6c:65:65:64 Eat World..Bleed
20:41:6d:65 72:69:63:61 6e:0e:04:72 6f:63:6b:0a .American..rock.
02:65:6e:01 02:8f:51:fe ee:7b:31:b3 70:e1:6d:d5 .en...Q...1.p.m.
95:91:6e:2c 12:57:3a:c0 9a:68:80:ae 45:81:94:94 ..n..W...h..E...
73:05:02:28 51:75:65:65 6e:20:4f:66 20:54:68:65 s...Queen Of The
20:44:61:6d 6e:65:64:20 2d:20:4a:6f 6e:61:74:68  Damned . Jonath
61:6e:20:44 61:76:69:73 2e:6d:70:33 05:02:81:4a an Davis.mp3...J
15:01:60:06 13:51:75:65 65:6e:20:4f 66:20:54:68 .....Queen Of Th
65:20:44:61 6d:6e:65:64 04:0e:4a:6f 6e:61:74:68 e Damned..Jonath
61:6e:20:44 61:76:69:73 0c:2d:f2:9d eb:a4:18:37 an Davis.......7
0d:41:4c:12 ff:c9:d2:2e 21:9f:cd:f6 f6:2d:82:bf .AL.............
cf:02:05:02 1f:4e:49:4e 20:2d:20:52 75:69:6e:00 .....NIN...Ruin.
65:72:20:28 74:72:61:6e 63:65:20:72 65:6d:69:78 er .trance remix
29:2e:6d:70 33:05:02:82 47:15:02:81 00:06:03:4e ..mp3...G......N
49:4e:04:15 52:75:69:6e 65:72:20:28 74:72:61:6e IN..Ruiner .tran
63:65:20:72 65:6d:69:78 29:00:e0:4a 8a:f2:86:1a ce remix...J....
c0:ac:70:e4 e7:c0:fa:c4 2b:60:7c:67 17:b4:59:82 ..p........g..Y.
b5:a1:00:07 02:39:42:6f 62:20:57:65 69:72:20:26 .....9Bob Weir .
20:52:61:74 64:6f:67:20 2d:20:45:76 65:6e:69:6e  Ratdog . Evenin
67:20:4d:6f 6f:64:73:20 2d:20:30:39 20:2d:20:54 g Moods . 09 . T
68:65:20:44 65:65:70:20 45:6e:64:2e 6d:70:33:05 he Deep End.mp3.
02:82:3d:15 02:81:00:04 0c:54:68:65 20:44:65:00 .........The.De.
65:70:20:45 6e:64:06:11 42:6f:62:20 57:65:69:72 ep End..Bob Weir
20:26:20:52 61:74:64:6f 67:08:0d:45 76:65:6e:69  . Ratdog..Eveni
6e:67:20:4d 6f:6f:64:73 0e:0c:47:65 6e:65:72:61 ng Moods..Genera
6c:20:52:6f 63:6b:34:63 93:32:d4:78 55:b5:5d:54 l Rock4c.2.xU..T
22:f8:75:45 fc:b1:d6:b8 90:1d:ac:12 84:92:e1:00 ..uE............
06:02:16:72 61:74:20:64 6f:67:20:2d 54:77:6f:20 ...rat dog .Two
44:6a:69:6e 6e:2e:6d:70 33:05:02:84 1f:15:02:81 Djinn.mp3.......
00:04:09:54 77:6f:20:44 6a:69:6e:6e 06:11:42:6f ...Two Djinn..Bo
62:20:57:65 69:72:20:26 20:52:61:74 64:6f:67:08 b Weir . Ratdog.
0d:45:76:65 6e:69:6e:67 20:4d:6f:6f 64:73:1c:00 .Evening.Moods..
9b:a8:c0:69 fd:d6:63:a0 fd:b7:00:0e c5:ed:5b:b9 ...i..c.........
76:35:05:92 42:83:b7:b9 56:06:02:20 45:76:65:6e v5..B...V.. Even
69:6e:67:20 4d:6f:6f:64 73:20:2d:20 31:30:20:2d ing Moods . 10 .
20:45:76:65 6e:20:53:6f 2e:6d:70:33 05:02:83:42  Even So.mp3...B
15:02:81:00 04:07:45:76 65:6e:20:53 6f:06:11:42 ......Even So..B
6f:62:20:57 65:69:72:20 26:20:52:61 74:64:6f:67 ob Weir . Ratdog
08:0d:45:76 65:6e:69:6e 67:20:4d:6f 6f:64:73:0f ..Evening Moods.
35:c5:4d:c0 3f:cc:2a:c2 db:39:e8:f0 29:4e:e6:f6 5.M......9...N..
df:fe:c2:e8 3d:83:c5:f1 00:07:02:3a 42:6f:62:20 ............Bob
57:65:69:72 20:26:20:52 61:74:64:6f 67:20:2d:00 Weir...Ratdog...
20:45:76:65 6e:69:6e:67 20:4d:6f:6f 64:73:20:2d  Evening Moods .
20:30:38:20 2d:20:4f:63 74:6f:62:65 72:20:51:75  08 . October Qu
65:65:6e:2e 6d:70:33:05 02:83:51:15 02:81:00:04 een.mp3...Q.....
0d:4f:63:74 6f:62:65:72 20:51:75:65 65:6e:06:06 .October Queen..
52:61:74:64 6f:67:08:0d 45:76:65:6e 69:6e:67:20 Ratdog..Evening
4d:6f:6f:64 73:0e:0c:47 65:6e:65:72 61:6c:20:52 Moods..General R
6f:63:6b:37 c1:49:fb:82 70:c0:bc:34 0a:         ock..I..p....

OK, so let's use the .mp3 in the data stream and collect the bytes after each entry leading up to the next one:

Name                         Next 8 Bytes               Bytes until next one
Roller Queen.mp3             05:02:81:45:15:02:81:00
Jonathan Davis.mp3           05:02:81:4a:15:01:60:06
(trance remix).mp3           05:02:82:47:15:02:81:00
The Deep End.mp3             05:02:82:3d:15:02:81:00
Two Djinn.mp3                05:02:84:1f:15:02:81:00
Even So.mp3                  05:02:83:42:15:02:81:00
A Message To You Rudy.wav    15:02:8b:03:05:02:81:2c
Guilty Conscience.mp3        05:01:02:15:02:81:00:06
<edited>.mpeg                0d:04:82:40:81:70:05:02
<edited>.mpeg                0d:04:82:40:81:70:05:01
<edited>.mpg                 0d:04:82:40:81:70:05:01
Hmm.. so maybe the first two bytes after are media types.. this seems to be a dead end since in some cases I see only two bytes after a file name before some other text.. let's break the dumps out into my best guess of related data and try and determine where the size indicator is since they do not seem to be in fixed size chunks.

So we can see the length indicator of the filename...


The value preceding the string length appears to be a code of what
the string is.

02 - File Name
04 - Title
06 - Artist
08 - Album Name
0e - Genre

String Length

From a KaZaA listing, we know the following about this entry:
Title = Roller Queen
Artist = Jimmy Eat World
Media Type = Audio
Category = rock
ETA = 0:00:48 (hex is 0x30)
Size = 3086KB (hex is 0x0c0e)
Bandwidth = 1024 (hex is 0x0400)
Filename = Jimmy Eats World - Roller Queen.mp3
Album Name = Bleed American

0x23 = dec 35

d6:2e:52:d6 1a:fb:90:18 81:c0:f0:00 09:02:23[4a ..R...........#J
69:6d:6d:79 20:45:61:74 73:20:57:6f 72:6c:64:20 immy Eats World 
2d:20:52:6f 6c:6c:65:72 20:51:75:65 65:6e:2e:6d - Roller Queen.m
70:33]05:02 81:45:15:02 81:00:04:0c[52:6f:6c:6c p3...E......Roll
65:72:20:51 75:65:65:6e]06:0f[4a:69 6d:6d:79:20 er Queen..Jimmy 
45:61:74:20 57:6f:72:6c 64]08:0e[42 6c:65:65:64 Eat World..Bleed
20:41:6d:65 72:69:63:61 6e]0e:04[72 6f:63:6b]02 .American..rock.
65:6e:01:02 8f:51:fe:ee 7b:31:b3:70 e1:6d:d5:95 en...Q..{1.p.m..
91:6e:2c:12 57:3a:c0:9a 68:80:ae:45 81:94:94:73 .n,.W:..h..E...s
05                                              .


From a KaZaA listing, we know the following about this entry:
Title = Jonathan Davis
Artist = Queen Of The Damned
Media Type = Audio
Category = 
ETA = 0:00:37 (hex is 0x25)
Size = 2370KB (hex is 0x942)
Bandwidth = 1024 (hex is 0x0400)
Filename = Queen Of The Damned - Jonathan Davis.mp3

0x28 = dec 40

      02:28 51:75:65:65 6e:20:4f:66 20:54:68:65   ..Queen Of The
20:44:61:6d 6e:65:64:20 2d:20:4a:6f 6e:61:74:68  Damned . Jonath
61:6e:20:44 61:76:69:73 2e:6d:70:33 05:02:81:4a an Davis.mp3...J
15:01:60:06 13[51:75:65 65:6e:20:4f 66:20:54:68 .....Queen Of Th
65:20:44:61 6d:6e:65:64]04:0e[4a:6f 6e:61:74:68 e Damned..Jonath
61:6e:20:44 61:76:69:73]0c:2d:f2:9d eb:a4:18:37 an Davis.......7
0d:41:4c:12 ff:c9:d2:2e 21:9f:cd:f6 f6:2d:82:bf .AL.............
cf:02:05:                                       ...

0x1f = dec 31

         02 1f:4e:49:4e 20:2d:20:52 75:69:6e:65 .....NIN...Ruine
72:20:28:74 72:61:6e:63 65:20:72:65 6d:69:78:29 r (trance remix)
2e:6d:70:33 05:02:82:47 15:02:81:00 06:03:4e:49 .mp3...G......NI
4e:04:15:52 75:69:6e:65 72:20:28:74 72:61:6e:63 N..Ruiner (tranc
65:20:72:65 6d:69:78:29 00:e0:4a:8a f2:86:1a:c0 e remix)..J.....
ac:70:e4:e7 c0:fa:c4:2b 60:7c:67:17 b4:59:82:b5 .p.....+`|g..Y..
a1:00:07                                        ...

0x39 = dec 57

            02:39:42:6f 62:20:57:65 69:72:20:26 .....9Bob Weir &
20:52:61:74 64:6f:67:20 2d:20:45:76 65:6e:69:6e  Ratdog - Evenin
67:20:4d:6f 6f:64:73:20 2d:20:30:39 20:2d:20:54 g Moods - 09 - T
68:65:20:44 65:65:70:20 45:6e:64:2e 6d:70:33:05 he Deep End.mp3.
02:82:3d:15 02:81:00:04 0c:54:68:65 20:44:65:65 .........The.Dee
70:20:45 6e:64:06:11 42:6f:62:20 57:65:69:72:20 p End..Bob Weir 
26:20:52 61:74:64:6f 67:08:0d:45 76:65:6e:69:6e & Ratdog..Evenin
67:20:4d 6f:6f:64:73 0e:0c:47:65 6e:65:72:61:6c g Moods..General
20:52:6f 63:6b:34:63 93:32:d4:78 55:b5:5d:54:22  Rock4c.2.xU.]T"
f8:75:45 fc:b1:d6:b8 90:1d:ac:12 84:92:e1:00:06 .uE.............

                                       02:1a:42 ..-..v.........B
72:69:61:6e 6e:61:20:42 61:6e:6b:73 20:4f:6e:20 rianna Banks On 
53:74:6f:6f 6c:2e:61:76 69:0d:04:82 40:81:70:05 Stool.avi.....p.
02:84:4c:15 02:82:66:1c 04:44:49:56 33:04:17[42 ..L...f..DIV3..B
72:69:61:6e 61:20:42:61 6e:6b:73:20 2d:20:4f:6e riana Banks - On
20:53:74:6f 6f:6c]06:0c[42:72:69:61 6e:61:20:42  Stool..Briana B
61:6e:6b:73]0e:07[45:72 6f:74:69:63 61]12:56:69 anks..Erotica.Vi
64:65 6f:20 43:6c:69:70 02:65:6e:1a 58[42:6c:6f deo.Clip.en.XBlo
6e:64:65:20 62:69:74:63 68:20:6d:61 73:74:65:72 nde bitch master
62:61:74:65 73:20:77:69 74:68:20:64 69:6c:64:6f bates with dildo
20:74:68:65 6e:20:67:65 74:73:20:66 75:63:6b:65 then gets fucke
64:20:62:79 20:73:6f:6d 65:20:64:75 64:65:20:74 d by some dude t
68:61:74:20 63:6f:6d:65 73:20:72:75 6e:6e:69:6e hat comes runnin
67:20:69:6e 2e]0c:05[64 69:6c:64:6f]08:12[45:6e g in...dildo..En
65:6d:61:20 4f:66:20:54 68:65:20:53 74:61:74:65]ema Of The State
90:13:9e:36 b3:3e:1d:92 b0:a5:78:72 e3:d0:c7:06 ...6.>....xr....
25:36:8a:07 b2:5c:a6:c6 c3:50:0b:               %6...\...P.

         02 19:42:52:49 41:4e:4e:41 20:42:41:4e    ..BRIANNA.BAN
4b:53:20:42 45:44:52:4f 4f:4d:2e:6d 70:67:0d:04 KS BEDROOM.mpg..
82:60:81:70 05:02:83:50 15:02:88:63 04:16:42:72 .`.p...P...c..Br
69:61:6e:61 20:42:61:6e 6b:73:20:2d 20:57:6f:77 iana Banks - Wow
20:21:21:21 06:0c:42:72 69:61:6e:61 20:42:61:6e  !!!..Briana Ban
6b:73:0e:07 45:72:6f:74 69:63:61:12 56:69:64:65 ks..Erotica.Vide
6f:20:43:6c 69:70:0c:18 42:72:69:61 6e:61:20:42 o Clip..Briana B
61:6e:6b:73 20:44:65:65 70:20:74:68 72:6f:61:74 anks Deep throat
02:65:6e:1a 04:67:6f:6f 64:a2:b8:37 6f:66:ae:d0 .en..good..7of..
c6:60:63:73 6f:ba:c8:15 a2:b7:1c:30 35:9a:08:a2 .`cso......05...
bd:d0:00:0c

This is my fake response:

Title = Clean
Artist = Unknown
Media Type = Audio
Category = 
ETA = 0:00:47 (hex is 0x2f)
Size = 2980KB (hex is 0x0ba4)
Bandwidth = 504 (hex is 0x01f8)
Filename = clean.mp3


00:6d:78:ab 01:62:84:3d 4a:12:7d:2e 4d:56:05:2d .mx..b.=J.}.MV.-
2c:2b:69:4d 93:0b:81:ba a6:3f:03:02 09:63:6c:65 ,+iM.....?...cle
61:6e:2e:6d 70:33:05:02 81:3f:15:02 81:00:      an.mp.........

Now with 2 files:

00 6d 78 ab 01 62 84 3d 4a 12 7d 2e 4d 56 05 2d .mx..b.=J.}.MV.-
2c 2b 69 4d 93 0b 81 ba a6 3f 03 02 09[63 6c 65 ,+iM.....?...cle
61 6e 2e 6d 70 33]05 02 81 3f 15 02 81 00 67 c1 an.mp3...?....g.
3c d8 74 61 8a 4e 12 89 e0 23 34 94 ed f7 b1 8a <.ta.N...#4.....
91 8a a6 10 f2 bf 58 07 02 08[46 61 6b 65 2e 6d ......X...Fake.m
70 33]05 01 75 15 02 81 00 04 04[46 61 6b 65]06 p3..u......Fake.
0e 44 65 61 74 68 20 53 65 6e 74 65 6e 63 65 08 .Death Sentence.
12[4e 6f 74 20 41 20 50 72 65 74 74 79 20 53 69 .Not A Pretty Si
67 68 74]0e 04[50 75 6e 6b]                     ght..Punk

Now just the second file.

67 c1 3c d8 74 61 8a 4e 12 89 e0 23 34 94 ed f7 g.<.ta.N...#4...
b1 8a 91 8a a6 10 f2 bf 58 07 02 08[46 61 6b 65 ........X...Fake
2e 6d 70 33]05 01[75]15 02[81 00]04 04[46 61 6b .mp3..u......Fak
65]06 0e[44 65 61 74 68 20 53 65 6e 74 65 6e 63 e..Death Sentenc
65]08 12[4e 6f 74 20 41 20 50 72 65 74 74 79 20 e..Not A Pretty 
53 69 67 68 74]0e 04[50 75 6e 6b]               Sight..Punk

It looks like the pre-amble (before the '02' file name) and the middle text 
(the stuff immediately following the filename, but before the other attributes)
do not change at all if there are other entries in the stream.. so we can
conclude that there is no indication of the number of files and in fact 
no header at all in the packet stream. The 'Content-Length' in the HTTP
response header is the only indicator of the length of data.

So, this means that we need to decipher:

for clean.mp3:

[pre-amble]
00 6d 78 ab 01 62 84 3d 4a 12 7d 2e 4d 56 05 2d .mx..b.=J.}.MV.-
2c 2b 69 4d 93 0b 81 ba a6 3f 03                ,+iM.....?.
[middle text]
05 02 81 3f 15 02 81 00                         ...?....

the above should contain the following:
Media Type = Audio
Size = 2980KB (hex is 0x0ba4)

and maybe:
Bandwidth = 504 (hex is 0x01f8)
ETA = 0:00:47 (hex is 0x2f)

and for fake.mp3:

[pre-amble]
67 c1 3c d8 74 61 8a 4e 12 89 e0 23 34 94 ed f7 g.<.ta.N...#4...
b1 8a 91 8a a6 10 f2 bf 58 07                   ........X.
[middle text]
05 01 75 15 02 81 00                            ..u....

the above should contain the following:
Media Type = Audio
Size = 1831KB (0x727)

and maybe:
Bandwidth 504 (hex is 0x1f8)
ETA = 0:00:29 (hex is 1d)

hmm.. upon looking at the middle text, it appears that the first two 
bytes are some kind of type + length indicator.. normally we see 05 02
followed by some stuff, and in a 1 byte shorter middle text we see
05 01.. so 0x75 must be the '05' attribute for fake.mp3 and 0x813f must
be the '05' attribute for clean.mp3..

Aha! With these two attributes, we can see that the number before the
file name is the number of fields!!! I've indicated this now with
This color
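An added example, not code from the original page: a parser for the record layout worked out so far (a one-byte field count, then that many tag / length / value fields), run over the two-file dump from the fake client above. It assumes, beyond what the text establishes, that the pre-amble is 20 opaque bytes followed by two base-128 integers (high bit set means another byte follows); under that assumption the second integer decodes to the sizes listed above for clean.mp3 and Fake.mp3.

```python
# Tag codes identified on the page; any other tag is returned as raw hex.
TAG_NAMES = {0x02: "filename", 0x04: "title", 0x06: "artist",
             0x08: "album", 0x0E: "genre"}

OPAQUE_LEN = 20  # ASSUMPTION (not from the page): fixed opaque block per record

# The "Now with 2 files" dump above, brackets removed.
TWO_FILE_LISTING = bytes.fromhex("""
00 6d 78 ab 01 62 84 3d 4a 12 7d 2e 4d 56 05 2d
2c 2b 69 4d 93 0b 81 ba a6 3f 03 02 09 63 6c 65
61 6e 2e 6d 70 33 05 02 81 3f 15 02 81 00 67 c1
3c d8 74 61 8a 4e 12 89 e0 23 34 94 ed f7 b1 8a
91 8a a6 10 f2 bf 58 07 02 08 46 61 6b 65 2e 6d
70 33 05 01 75 15 02 81 00 04 04 46 61 6b 65 06
0e 44 65 61 74 68 20 53 65 6e 74 65 6e 63 65 08
12 4e 6f 74 20 41 20 50 72 65 74 74 79 20 53 69
67 68 74 0e 04 50 75 6e 6b
""")


class ListingError(ValueError):
    """Raised when the buffer does not fit the assumed record layout."""


def read_varint(buf, pos):
    """ASSUMPTION: big-endian base-128 integer, high bit = continuation."""
    value = 0
    for _ in range(5):                      # bound the length of one integer
        if pos >= len(buf):
            raise ListingError("truncated integer")
        byte = buf[pos]
        pos += 1
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos
    raise ListingError("integer longer than 5 bytes")


def parse_record(buf, pos):
    """Parse one record starting at pos; return (record dict, next position)."""
    if pos + OPAQUE_LEN > len(buf):
        raise ListingError("truncated pre-amble")
    opaque = buf[pos:pos + OPAQUE_LEN]
    pos += OPAQUE_LEN
    unknown, pos = read_varint(buf, pos)    # meaning not established on the page
    size_bytes, pos = read_varint(buf, pos)
    if pos >= len(buf):
        raise ListingError("missing field count")
    count = buf[pos]                        # "the number before the file name"
    pos += 1
    fields = []
    for _ in range(count):
        if pos + 2 > len(buf):
            raise ListingError("truncated field header")
        tag, length = buf[pos], buf[pos + 1]   # one-byte length, as on the page
        pos += 2
        if pos + length > len(buf):
            raise ListingError("field overruns the buffer")
        raw = buf[pos:pos + length]
        pos += length
        if tag in TAG_NAMES:
            fields.append((TAG_NAMES[tag], raw.decode("latin-1")))
        else:
            fields.append((f"tag_{tag:02x}", raw.hex()))
    record = {"opaque": opaque.hex(), "unknown": unknown,
              "size_bytes": size_bytes, "fields": fields}
    return record, pos


def parse_listing(body):
    """Parse back-to-back records until the body (Content-Length bytes) ends."""
    records = []
    pos = 0
    while pos < len(body):
        record, pos = parse_record(body, pos)
        records.append(record)
    return records


if __name__ == "__main__":
    for rec in parse_listing(TWO_FILE_LISTING):
        print(rec["size_bytes"] // 1024, "KB", rec["fields"])
```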
Wow, that's a lot of new info.. let's try this again with a fresh set of data from someone else:

aa e9 a6 d6 e0 6e f0 66 c1 48 6c 94 8e b4 30 22 .....n.f.Hl...0"
ff 0b ab e3 c1 12 ec 8f 01 03 02 0f[6b 6d 64 31 ............kmd1
37 31 67 75 5f 65 6e 2e 65 78 65]04 12[4b 61 5a 71gu_en.exe..KaZ
61 41 20 75 70 64 61 74 65 20 31 2e 37 2e 31]06 aA update 1.7.1.
14[53 68 61 72 6d 61 6e 20 4e 65 74 77 6f 72 6b .Sharman Network
73 20 4c 74 64]34 40 1e 96 eb 6a 00 93 d3 bd 5c s Ltd4@...j....\
d1 ac 77 ed 7a 91 a6 97 6a 92 61 81 cb 93 26 05 ..w.z...j.a...&.
02 0d[6b 6d 64 31 33 34 5f 65 6e 2e 65 78 65]04 ..kmd134_en.exe.
1d[4b 61 5a 61 41 20 4d 65 64 69 61 20 44 65 73 .KaZaA Media Des
6b 74 6f 70 20 49 6e 73 74 61 6c 6c 65 72]06 14[ktop Installer..
53 68 61 72 6d 61 6e 20 4e 65 74 77 6f 72 6b 73 Sharman Networks
20 4c 74 64]18 0d[56 65 72 73 69 6f 6e 20 31 2e  Ltd..Version 1.
33 2e 34]1a 1d[4b 61 5a 61 41 20 4d 65 64 69 61 3.4..KaZaA Media
20 44 65 73 6b 74 6f 70 20 49 6e 73 74 61 6c 6c  Desktop Install
65 72]61 26 72 9e a0 0f 64 22 5f 50 a7 e4 11 49 era&r...d"_P...I
68 a5 71 40 97 46 8a 3b ec 8e 70 03 02 13[6b 6d h.q@.F.;..p...km
64 31 37 31 67 75 5f 65 6e 20 28 31 29 2e 65 78 d171gu_en (1).ex
65 04 12 4b 61 5a 61 41 20 75 70 64 61 74 65 20 e..KaZaA update 
31 2e 37 2e 31 06 14[53 68 61 72 6d 61 6e 20 4e 1.7.1..Sharman N
65 74 77 6f 72 6b 73 20 4c 74 64]87 19 df a4 c2 etworks Ltd.....
3d 44 4b 20 95 5a fd 05 a3 b4 4d d2 b7 b4 a3 86 =DK .Z....M.....
0f 81 d8 a0 00 0a 02 15[53 65 76 65 6e 64 75 73 ........Sevendus
74 20 2d 20 42 69 74 63 68 2e 6d 70 33]05 02[81 t - Bitch.mp3...
5e]15 02[81 00]06 09[53 65 76 65 6e 64 75 73 74 ^......Sevendust
0e 05[4d 65 74 61 6c]04 05[42 69 74 63 68]08 09[..Metal..Bitch..
53 65 76 65 6e 64 75 73 74 1a 0d[48 6f 6c 6c 79 Sevendust..Holly
77 6f 6f 64 20 4d 50 33]01 01[61]0a 02[65 6e]d4 wood MP3..a..en.
7d 6d 60 f1 3d c7 ce 61 dd b9 48 8a 3c 38 df 49 }m`.=..a..H.<8.I
fe ff ff bf 42 83 36 01 02 1f 53 68 6f 72 74 63 ....B.6...Shortc
75 74 20 74 6f 20 6b 6d 64 31 37 31 67 75 5f 65 ut to kmd171gu_e
6e 2e 65 78 65 2e 6c 6e 6b fe 90 42 8f 8f c6 e7 n.exe.lnk..B....
44 5f 2c 26 33 73 b9 89 43 40 fe ff ff d6 2d 83 D_,&3s..C@....-.
3f 01 02 22 53 68 6f 72 74 63 75 74 20 74 6f 20 ?.."Shortcut to 
4b 61 7a 61 61 55 70 64 61 74 65 31 35 31 2e 65 KazaaUpdate151.e
78 65 2e 6c 6e 6b 9d 8e 0e 9a d9 02 4f 21 06 cf xe.lnk......O!..
73 f0 dc 29 38 98 34 fe ff ff b6 2d 83 4b 01 02 s..)8.4....-.K..
26 53 68 6f 72 74 63 75 74 20 74 6f 20 4b 61 7a &Shortcut to Kaz
61 61 55 70 64 61 74 65 31 35 31 20 28 31 29 2e aaUpdate151 (1).
65 78 65 2e 6c 6e 6b 24 dd 60 a2 d8 2c 0a a4 83 exe.lnk$.`..,...
b5 b2 31 94 6c 4c 49 43 fe ff ff df 48 83 3c 01 ..1.lLIC....H.<.
02 25 53 68 6f 72 74 63 75 74 20 28 33 29 20 74 .%Shortcut (3) t
6f 20 4b 61 7a 61 61 55 70 64 61 74 65 31 35 2e o KazaaUpdate15.
65 78 65 2e 6c 6e 6b 89 1f dc 40 93 60 a5 82 f0 exe.lnk...@.`...
6f 5c f4 08 72 43 9c 40 fe ff ff a4 36 83 3f 01 o\..rC.@....6.?.
02 26 53 68 6f 72 74 63 75 74 20 28 32 29 20 74 .&Shortcut (2) t
6f 20 4b 61 7a 61 61 55 70 64 61 74 65 31 35 31 o KazaaUpdate151
2e 65 78 65 2e 6c 6e 6b 39 f8 0c 39 e4 75 63 d4 .exe.lnk9..9.uc.
21 14 2f 8e 0c e3 ca f8 43 fe ff ff aa 0b 83 3c !./.....C......<
01 02 25 53 68 6f 72 74 63 75 74 20 28 34 29 20 ..%Shortcut (4) 
74 6f 20 4b 61 7a 61 61 55 70 64 61 74 65 31 35 to KazaaUpdate15
2e 65 78 65 2e 6c 6e 6b 3e 45 0c c8 61 84 99 b7 .exe.lnk>E..a...
54 e5 78 0d 92 67 51 2a 34 fe ff ff a7 18 83 4b T.x..gQ*4......K
01 02 2a 53 68 6f 72 74 63 75 74 20 28 32 29 20 ..*Shortcut (2) 
74 6f 20 4b 61 7a 61 61 55 70 64 61 74 65 31 35 to KazaaUpdate15
31 20 28 31 29 2e 65 78 65 2e 6c 6e 6b a0 aa 8e 1 (1).exe.lnk...
d4 47 68 2c 58 55 ed b8 c4 da 9e 17 1d 40 fe ff .Gh,XU.......@..
ff d6 2c 83 3f 01 02 26 53 68 6f 72 74 63 75 74 ..,.?..&Shortcut
20 28 33 29 20 74 6f 20 4b 61 7a 61 61 55 70 64  (3) to KazaaUpd
61 74 65 31 35 31 2e 65 78 65 2e 6c 6e 6b e0 e4 ate151.exe.lnk..
f0 28 84 34 0e dc a0 46 8e 1d 29 02 d5 46 3a a2 .(.4...F..)..F:.
ed 09 eb 24 81 f6 86 70 0b 02 1a 47 65 6e 75 69 ...$...p...Genui
6e 65 20 2d 20 52 69 64 65 20 4d 79 20 50 6f 6e ne - Ride My Pon
79 2e 6d 70 33 05 02 81 7c 15 02 81 00 06 08 47 y.mp3...|......G
69 6e 75 77 69 6e 65 04 04 50 6f 6e 79 0e 03 52 inuwine..Pony..R
26 42 08 06 53 69 6e 67 6c 65 01 02 8f 40 1a 04 &B..Single...@..
4e 6f 6e 65 0a 02 65 6e 0c 04 50 6f 6e 79 71 06 None..en..Ponyq.
d3 96 fa 99 4a 1c 2d c4 f5 79 e9 32 c3 9c 5a a5 ....J.-..y.2..Z.
c7 b7 af 43 81 fb 90 00 05 02 2a 44 65 66 20 4c ...C......*Def L
65 6f 70 61 72 64 20 2d 20 57 68 65 6e 20 4c 6f eopard - When Lo
76 65 20 26 20 48 61 74 65 20 43 6f 6c 6c 69 64 ve & Hate Collid
65 2e 6d 70 33 05 02 82 01 15 02 81 00 06 0b 44 e.mp3..........D
65 66 20 4c 65 6f 70 61 72 64 04 18 57 68 65 6e ef Leopard..When
20 4c 6f 76 65 20 26 20 48 61 74 65 20 43 6f 6c  Love & Hate Col
6c 69 64 65 f7 2a c3 3b ce 37 a4 92 d6 c7 8a 16 lide.*.;.7......
82 d2 67 75 8a bd 27 89 d9 0f 82 84 93 4a 08 02 ..gu..'......J..
1a 44 65 6e 6e 69 73 20 4c 65 61 72 79 20 2d 20 .Dennis Leary - 
41 73 73 68 6f 6c 65 2e 6d 70 33 05 02 82 0a 15 Asshole.mp3.....
02 81 00 04 07 41 73 73 68 6f 6c 65 06 0c 44 65 .....Asshole..De
6e 6e 69 73 20 4c 65 61 72 79 08 0c 4d 79 20 44 nnis Leary..My D
6f 63 75 6d 65 6e 74 73 0e 04 41 63 69 64 01 02 ocuments..Acid..
8f 49 46 2f 71 ab 20 ca 1f c2 d3 e0 34 bf 6e 3b .IF/q. .....4.n;
5c c1 55 8b 7d fb cc 01 82 d2 d7 18 05 02 1c 44 \.U.}..........D
65 66 20 4c 65 6f 70 61 72 64 20 2d 20 4c 6f 76 ef Leopard - Lov
65 20 42 69 74 65 73 2e 6d 70 33 05 02 82 5b 15 e Bites.mp3...[.
02 81 00 04 0a 4c 6f 76 65 20 42 69 74 65 73 06 .....Love Bites.
0b 44 65 66 20 4c 65 6f 70 61 72 64 bc b2 8e c3 .Def Leopard....
3a 82 cb 6d 7f 26 2f 77 fa 22 c0 67 c6 b8 6e e8 :..m.&/w.".g..n.
94 45 8b cc a1 00 06 02 2b 44 65 6e 69 73 20 4c .E......+Denis L
65 61 72 79 20 2d 20 4e 6f 20 43 75 72 65 20 46 eary - No Cure F
6f 72 20 43 61 6e 63 65 72 20 50 61 72 74 20 32 or Cancer Part 2
2e 6d 70 33 05 02 8b 70 15 02 81 00 04 19 4e 6f .mp3...p......No
20 43 75 72                                      Cur

So I think we can feel pretty good about the attribute entries, now the curiosity is the preamble and figuring out the correct length.

aa e9 a6 d6 e0 6e f0 66 c1 48 6c 94 8e b4 30 22 ff 0b ab e3 c1 12 ec 8f 01     Software
34 40 1e 96 eb 6a 00 93 d3 bd 5c d1 ac 77 ed 7a 91 a6 97 6a 92 61 81 cb 93 26  Software
61 26 72 9e a0 0f 64 22 5f 50 a7 e4 11 49 68 a5 71 40 97 46 8a 3b ec 8e 70     Software
87 19 df a4 c2 3d 44 4b 20 95 5a fd 05 a3 b4 4d d2 b7 b4 a3 86 0f 81 d8 a0 00  Audio
d4 7d 6d 60 f1 3d c7 ce 61 dd b9 48 8a 3c 38 df 49 fe ff ff bf 42 83 36        Link
fe 90 42 8f 8f c6 e7 44 5f 2c 26 33 73 b9 89 43 40 fe ff ff d6 2d 83 3f        Link
9d 8e 0e 9a d9 02 4f 21 06 cf 73 f0 dc 29 38 98 34 fe ff ff b6 2d 83 4b        Link
24 dd 60 a2 d8 2c 0a a4 83 b5 b2 31 94 6c 4c 49 43 fe ff ff df 48 83 3c        Link
89 1f dc 40 93 60 a5 82 f0 6f 5c f4 08 72 43 9c 40 fe ff ff a4 36 83 3f        Link
39 f8 0c 39 e4 75 63 d4 21 14 2f 8e 0c e3 ca f8 43 fe ff ff aa 0b 83 3c        Link
3e 45 0c c8 61 84 99 b7 54 e5 78 0d 92 67 51 2a 34 fe ff ff a7 18 83 4b        Link
a0 aa 8e d4 47 68 2c 58 55 ed b8 c4 da 9e 17 1d 40 fe ff ff d6 2c 83 3f        Link
e0 e4 f0 28 84 34 0e dc a0 46 8e 1d 29 02 d5 46 3a a2 ed 09 eb 24 81 f6 86 70  Audio
71 06 d3 96 fa 99 4a 1c 2d c4 f5 79 e9 32 c3 9c 5a a5 c7 b7 af 43 81 fb 90 00  Audio
f7 2a c3 3b ce 37 a4 92 d6 c7 8a 16 82 d2 67 75 8a bd 27 89 d9 0f 82 84 93 4a  Audio
46 2f 71 ab 20 ca 1f c2 d3 e0 34 bf 6e 3b 5c c1 55 8b 7d fb cc 01 82 d2 d7 18  Audio
bc b2 8e c3 3a 82 cb 6d 7f 26 2f 77 fa 22 c0 67 c6 b8 6e e8 94 45 8b cc a1 00  Audio


hmm.. it appears that the header length is similar for similar content types, but not always.
Here are my test entries:
00 6d 78 ab 01 62 84 3d 4a 12 7d 2e 4d 56 05 2d 2c 2b 69 4d 93 0b 81 ba a6 3f  Audio
67 c1 3c d8 74 61 8a 4e 12 89 e0 23 34 94 ed f7 b1 8a 91 8a a6 10 f2 bf 58     Audio

Oh well, there goes that theory
Let's put audio files together to see if we can find the 'audio' indicator in the stream.
87 19 df a4 c2 3d 44 4b 20 95 5a fd 05 a3 b4 4d d2 b7 b4 a3 86 0f 81 d8 a0 00  Audio
e0 e4 f0 28 84 34 0e dc a0 46 8e 1d 29 02 d5 46 3a a2 ed 09 eb 24 81 f6 86 70  Audio
71 06 d3 96 fa 99 4a 1c 2d c4 f5 79 e9 32 c3 9c 5a a5 c7 b7 af 43 81 fb 90 00  Audio
f7 2a c3 3b ce 37 a4 92 d6 c7 8a 16 82 d2 67 75 8a bd 27 89 d9 0f 82 84 93 4a  Audio
46 2f 71 ab 20 ca 1f c2 d3 e0 34 bf 6e 3b 5c c1 55 8b 7d fb cc 01 82 d2 d7 18  Audio
bc b2 8e c3 3a 82 cb 6d 7f 26 2f 77 fa 22 c0 67 c6 b8 6e e8 94 45 8b cc a1 00  Audio
00 6d 78 ab 01 62 84 3d 4a 12 7d 2e 4d 56 05 2d 2c 2b 69 4d 93 0b 81 ba a6 3f  Audio
67 c1 3c d8 74 61 8a 4e 12 89 e0 23 34 94 ed f7 b1 8a 91 8a a6 10 f2 bf 58     Audio
hmmm.. all but one has an '8' in a particular column, let's try some more captures to see if this one was an error:
65 20 66 6f 72 20 43 61 6e 63 65 72 20 50 61 72 e for Cancer Par
74 20 32 06 0b 44 65 6e 69 73 20 4c 65 61 72 79 t 2..Denis Leary
0e 06 43 6f 6d 65 64 79 5e 09 da 51 06 42 ce a3 ..Comedy^..Q.B..
48 ac 7f 87 8a 0f 55 3f 61 fe ff ff 94 07 83 1e H.....U?a.......
01 02 15 46 52 45 45 20 43 6f 6f 6c 20 53 61 76 ...FREE Cool Sav
69 6e 67 73 2e 6c 6e 6b ec e8 79 94 98 3c 47 cf ings.lnk..y..<G.
dd b4 96 2b 86 43 5c e9 6d fe ff ff fc 73 83 12 ...+.C\.m....s..
01 02 17 57 49 4e 20 41 20 46 52 45 45 20 56 61 ...WIN A FREE Va
63 61 74 69 6f 6e 2e 6c 6e 6b 99 00 b7 2a b5 5a cation.lnk...*.Z
60 d5 d2 b0 14 31 1c bb ea 00 4f fe ff ff ac 1a `....1....O.....
83 30 01 02 1d 53 68 6f 72 74 63 75 74 20 74 6f .0...Shortcut to
20 6b 6d 64 31 33 34 5f 65 6e 2e 65 78 65 2e 6c  kmd134_en.exe.l
6e 6b b7 41 5b 88 24 e0 d6 76 b0 44 40 f6 24 2e nk.A[.$..v.D@.$.
53 cd 43 fe ff ff f6 0f 83 3c 01 02 21 53 68 6f S.C......<..!Sho
72 74 63 75 74 20 74 6f 20 4b 61 7a 61 61 55 70 rtcut to KazaaUp
64 61 74 65 31 35 2e 65 78 65 2e 6c 6e 6b 2b 43 date15.exe.lnk+C
7a 24 7c 86 71 0d bf 9c 0f 93 60 9e 0b 9a 43 fe z$|.q.....`...C.
ff ff ed 30 83 3c 01 02 25 53 68 6f 72 74 63 75 ...0.<..%Shortcu
74 20 28 32 29 20 74 6f 20 4b 61 7a 61 61 55 70 t (2) to KazaaUp
64 61 74 65 31 35 2e 65 78 65 2e 6c 6e 6b 75 6a date15.exe.lnkuj
31 a1 12 45 98 44 73 51 ca 9d 66 05 7f 0d af df 1..E.DsQ..f.....
99 17 ad 7d 81 fe d9 68 05 02 27 75 6e 6b 6e 6f ...}...h..'unkno
77 6e 20 2d 20 45 76 65 72 79 20 52 6f 73 65 20 wn - Every Rose 
68 61 73 20 69 74 27 73 20 54 68 6f 72 6e 2e 6d has it's Thorn.m
70 33 05 02 82 05 15 02 81 00 04 19 45 76 65 72 p3..........Ever
79 20 52 6f 73 65 20 68 61 73 20 69 74 73 20 54 y Rose has its T
68 6f 72 6e 73 06 0e 47 75 6e 73 20 61 6e 64 20 horns..Guns and 
52 6f 73 65 73 a5 4b 0e 79 ec 58 4c 91 be d1 21 Roses.K.y.XL...!
26 ff 1f d7 f6 71 b0 20 7a cf 42 81 ab a8 5d 05 &....q. z.B...].
02 11 4b 61 7a 61 61 55 70 64 61 74 65 31 35 2e ..KazaaUpdate15.
65 78 65 04 10 4b 61 5a 61 41 20 75 70 64 61 74 exe..KaZaA updat
65 20 31 2e 35 06 14 53 68 61 72 6d 61 6e 20 4e e 1.5..Sharman N
65 74 77 6f 72 6b 73 20 4c 74 64 18 0b 56 65 72 etworks Ltd..Ver
73 69 6f 6e 20 31 2e 35 1a 1d 4b 61 5a 61 41 20 sion 1.5..KaZaA 
4d 65 64 69 61 20 44 65 73 6b 74 6f 70 20 49 6e Media Desktop In
73 74 61 6c 6c 65 72 0a 52 8f 5b e9 b5 a1 7b 3d staller.R.[...{=
5b 5d b8 6b 90 30 35 52 c4 7b 22 bd 28 82 9d c1 [].k.05R.{".(...
27 05 02 10 41 43 44 43 2d 74 68 75 6e 64 65 72 '...ACDC-thunder
2e 6d 70 33 05 02 82 24 15 02 81 00 06 04 41 43 .mp3...$......AC
44 43 04 07 74 68 75 6e 64 65 72 7a 1f b8 dd 7f DC..thunderz....
61 a0 4a 46 31 76 b1 92 3f f4 90 40 63 40 b9 08 a.JF1v..?..@c@..
81 ab db 74 05 02 16 4b 61 7a 61 61 55 70 64 61 ...t...KazaaUpda
74 65 31 35 31 20 28 31 29 2e 65 78 65 04 12 4b te151 (1).exe..K
61 5a 61 41 20 75 70 64 61 74 65 20 31 2e 35 2e aZaA update 1.5.
31 06 14 53 68 61 72 6d 61 6e 20 4e 65 74 77 6f 1..Sharman Netwo
72 6b 73 20 4c 74 64 18 0b 56 65 72 73 69 6f 6e rks Ltd..Version
20 31 2e 35 1a 1d 4b 61 5a 61 41 20 4d 65 64 69  1.5..KaZaA Medi
61 20 44 65 73 6b 74 6f 70 20 49 6e 73 74 61 6c a Desktop Instal
6c 65 72 bc 63 26 ac 72 a9 d5 e8 c5 ec b8 17 0c ler.c&.r........
1f 0e 71 e1 03 6a 70 d0 58 82 94 a0 00 06 02 25 ..q..jp.X......%
5a 61 6b 6b 20 57 79 6c 64 65 20 2d 20 4b 69 63 Zakk Wylde - Kic
6b 20 41 73 73 20 47 75 69 74 61 72 20 53 6f 6c k Ass Guitar Sol
6f 2e 6d 70 33 05 02 82 1b 15 02 81 00 04 14 4b o.mp3..........K
69 63 6b 20 41 73 73 20 47 75 69 74 61 72 20 53 ick Ass Guitar S
6f 6c 6f 06 0a 5a 61 6b 6b 20 57 79 6c 64 65 0e olo..Zakk Wylde.
05 4f 74 68 65 72 d5 83 5f f0 e0 ad d6 74 87 c2 .Other.._....t..
18 d1 55 b3 0d aa 17 27 60 c4 91 40 81 ce cb 54 ..U....'`..@...T
0c 02 24 47 65 6f 72 67 65 20 53 74 72 61 69 74 ..$George Strait
20 2d 20 49 20 43 72 6f 73 73 20 4d 79 20 48 65  - I Cross My He
61 72 74 2e 6d 70 33 05 02 81 54 15 02 81 00 06 art.mp3...T.....
0d 47 65 6f 72 67 65 20 53 74 72 61 69 74 0e 07 .George Strait..
43 6f 75 6e 74 72 79 04 10 49 20 43 72 6f 73 73 Country..I Cross
20 4d 79 20 48 65 61 72 74 08 0c 50 75 72 65 20  My Heart..Pure 
43 6f 75 6e 74 72 79 01 02 89 27 1a 0e 2c 20 41 Country...'.., A
47 23 20 31 43 31 43 37 43 39 46 0a 02 65 6e 0c G# 1C1C7C9F..en.
09 6c 6f 76 65 20 73 6f 6e 67 12 08 54 56 20 73 .love song..TV s
68 6f 77 73 f9 d5 a2 fd bb 38 8b 4a 3b f7 f6 44 hows.....8.J;..D
dc f7 60 e5 8f 0e 05 d4 cd 11 83 e9 f0 00 0a 02 ..`.............
30 4b 65 6e 6e 79 20 57 61 79 6e 65 20 53 68 65 0Kenny Wayne She
70 68 65 72 64 20 2d 20 54 68 65 20 73 6b 79 20 pherd - The sky 
69 73 20 63 72 79 69 6e 67 20 28 31 29 2e 6d 70 is crying (1).mp
33 05 02 83 76 15 02 81 00 04 2b 54 68 65 20 73 3...v.....+The s
6b 79 20 69 73 20 63 72 79 69 6e 67 2d 77 69 74 ky is crying-wit
68 20 6b 65 6e 6e 79 20 77 61 79 6e 65 20 73 68 h kenny wayne sh
65 70 68 65 72 64 06 14 4b 65 6e 6e 79 20 57 61 epherd..Kenny Wa
79 6e 65 20 53 68 65 70 70 61 72 64 08 31 4c 69 yne Sheppard.1Li
76 65 20 61 74 20 74 68 65 20 6f 6c 64 20 61 62 ve at the old ab
73 69 6e 74 68 65 20 68 6f 75 73 65 20 62 61 72 sinthe house bar
2e 2e 2e 66 72 69 64 61 79 20 6e 69 67 68 74 0e ...friday night.
05 42 6c 75 65 73 1a 12 42 72 79 61 6e 20 4c 65 .Blues..Bryan Le
65 20 4f 6e 20 56 6f 63 61 6c 01 02 8f 4f 0a 02 e On Vocal...O..
65 6e d3 12 20 63 1f 63 01 3d e9 0f dd f1 4f 7b en.. c.c.=....O{
86 26 bb 36 fc 0a ae 4b 81 e5 80 00 0d 02 18 4e .&.6...K.......N
69 63 6b 65 6c 62 61 63 6b 20 2d 20 54 6f 6f 20 ickelback - Too 
42 61 64 2e 6d 70 33 05 02 85 0b 15 02 81 00 04 Bad.mp3.........
07 54 6f 6f 20 42 61 64 06 0a 4e 69 63 6b 65 6c .Too Bad..Nickel
62 61 63 6b 08 0e 53 69 6c 76 65 72 20 53 69 64 back..Silver Sid
65 20 55 70 0e 05 67 65 6e 72 65 01 02 8f 4e 1a e Up..genre...N.
14 28 66 72 6f 6d 20 74 68 65 20 4e 6f 72 6d 20 .(from the Norm 
53 68 6f 77 29 0a 02 65 6e 0c 0a 4e 69 63 6b 65 Show)..en..Nicke
6c 62 61 63 6b 12 0a 56 69 64 65 6f 20 43 6c 69 lback..Video Cli
70 09 05 84                                     p...

Preambles are:

5e 09 da 51 06 42 ce a3 48 ac 7f 87 8a 0f 55 3f 61 fe ff ff 94 07 83 1e Link
99 00 b7 2a b5 5a 60 d5 d2 b0 14 31 1c bb ea 00 4f fe ff ff ac 1a 83 30 Link
b7 41 5b 88 24 e0 d6 76 b0 44 40 f6 24 2e 53 cd 43 fe ff ff f6 0f 83 3c Link
2b 43 7a 24 7c 86 71 0d bf 9c 0f 93 60 9e 0b 9a 43 fe ff ff ed 30 83 3c Link
a5 4b 0e 79 ec 58 4c 91 be d1 21 26 ff 1f d7 f6 71 b0 20 7a cf 42 81 ab a8 5d Software
?? 7a 1f b8 dd 7f 61 a0 4a 46 31 76 b1 92 3f f4 90 40 63 40 b9 08 81 ab db 74 Software
75 6a 31 a1 12 45 98 44 73 51 ca 9d 66 05 7f 0d af df 99 17 ad 7d 81 fe d9 68 Audio
0a 52 8f 5b e9 b5 a1 7b 3d 5b 5d b8 6b 90 30 35 52 c4 7b 22 bd 28 82 9d c1 27 Audio
bc 63 26 ac 72 a9 d5 e8 c5 ec b8 17 0c 1f 0e 71 e1 03 6a 70 d0 58 82 94 a0 00 Audio
d5 83 5f f0 e0 ad d6 74 87 c2 18 d1 55 b3 0d aa 17 27 60 c4 91 40 81 ce cb 54 Audio
f9 d5 a2 fd bb 38 8b 4a 3b f7 f6 44 dc f7 60 e5 8f 0e 05 d4 cd 11 83 e9 f0 00 Audio
d3 12 20 63 1f 63 01 3d e9 0f dd f1 4f 7b 86 26 bb 36 fc 0a ae 4b 81 e5 80 00 Audio

b4 95 bc 5d 5e ca 4d e7 a3 e4 07 e6 2a 30 c1 09 5a 02 69 44 bc 0b 82 cf a6 5a Audio
f3 91 f3 ac a3 fa 38 33 55 ac 0b 2b fd 47 13 4c dd a0 ca b8 e0 3e 81 ed f3 37 Audio
d6 65 7b 58 64 1e ca 89 4a f7 af 3c 42 14 0d 0a c2 0b a5 91 f9 38 81 fe a6 7b Audio
cc 08 c5 8b 79 46 64 eb 0c ce 13 db 07 dd cb 31 84 8f dd 85 b1 19 f0 e9 51 Audio

7a 1f b8 dd 7f 61 a0 4a 46 31 76 b1 92 3f f4 90 40 63 40 b9 08 81 ab db 74 Software

Hmmm.. out of time for now.. will have to save this for a rainy day to finish.

Still curious about the challenge response algorithm, I'm going to stare at this for a while to see if anything pops out:

challenged:   1 response: 28d782ee binary: 00101000 11010111 10000010 11101110 
challenged:   2 response: b73e2029 binary: 10110111 00111110 00100000 00101001 delta +8e669d3b 
challenged:   3 response: 387b43aa binary: 00111000 01111011 01000011 10101010 delta -7ec2dc7f 
challenged:   4 response: cfbaa8f4 binary: 11001111 10111010 10101000 11110100 delta +973f654a 
challenged:   5 response: 49ba1590 binary: 01001001 10111010 00010101 10010000 delta -86009364 
challenged:   6 response: 311e1d7d binary: 00110001 00011110 00011101 01111101 delta -189bf813 
challenged:   7 response: ea319982 binary: 11101010 00110001 10011001 10000010 delta +b9137c05 
challenged:   8 response: fa394ce2 binary: 11111010 00111001 01001100 11100010 delta +1007b360 
challenged:   9 response: 0d01cd40 binary: 00001101 00000001 11001101 01000000 delta -ed377fa2 
challenged:  10 response: 3e8b7106 binary: 00111110 10001011 01110001 00000110 delta +3189a3c6 
challenged:  11 response: 77f0c568 binary: 01110111 11110000 11000101 01101000 delta +39655462 
challenged:  12 response: 989d84e2 binary: 10011000 10011101 10000100 11100010 delta +20acbf7a 
challenged:  13 response: 7746816b binary: 01110111 01000110 10000001 01101011 delta -21570377 
challenged:  14 response: 88069681 binary: 10001000 00000110 10010110 10000001 delta +10c01516 
challenged:  15 response: 94663c10 binary: 10010100 01100110 00111100 00010000 delta +c5fa58f 
challenged:  16 response: 8545c692 binary: 10000101 01000101 11000110 10010010 delta -f20757e 
challenged:  17 response: 82042136 binary: 10000010 00000100 00100001 00110110 delta -341a55c 
challenged:  18 response: 580900dc binary: 01011000 00001001 00000000 11011100 delta -29fb205a 
challenged:  19 response: ab41fa2e binary: 10101011 01000001 11111010 00101110 delta +5338f952 
challenged:  20 response: b8984489 binary: 10111000 10011000 01000100 10001001 delta +d564a5b 
challenged:  21 response: 5f84cd3d binary: 01011111 10000100 11001101 00111101 delta -5913774c 
challenged:  22 response: c4f20ed7 binary: 11000100 11110010 00001110 11010111 delta +656d419a 
challenged:  23 response: 881f3fab binary: 10001000 00011111 00111111 10101011 delta -3cd2cf2c 
challenged:  24 response: 83b9433c binary: 10000011 10111001 01000011 00111100 delta -465fc6f 
challenged:  26 response: 9e4f5eb2 binary: 10011110 01001111 01011110 10110010 delta +2964628 
challenged:  27 response: c21ecd0f binary: 11000010 00011110 11001101 00001111 delta +23cf6e5d 
challenged:  28 response: 12b7111f binary: 00010010 10110111 00010001 00011111 delta -af67bbf0 
challenged:  29 response: 266ea06c binary: 00100110 01101110 10100000 01101100 delta +13b78f4d 
challenged:  30 response: 43e8d672 binary: 01000011 11101000 11010110 01110010 delta +1d7a3606 
challenged:  31 response: f6d69d5e binary: 11110110 11010110 10011101 01011110 delta +b2edc6ec 
challenged:  32 response: 3ef784a6 binary: 00111110 11110111 10000100 10100110 delta -b7df18b8 
challenged:  33 response: 9c7f4614 binary: 10011100 01111111 01000110 00010100 delta +5d87c16e 
challenged:  34 response: e06c1e10 binary: 11100000 01101100 00011110 00010000 delta +43ecd7fc 
challenged:  35 response: 667c7041 binary: 01100110 01111100 01110000 01000001 delta -79efadcf 
challenged:  36 response: c4747cd4 binary: 11000100 01110100 01111100 11010100 delta +5df80c93 
challenged:  37 response: 3ba60514 binary: 00111011 10100110 00000101 00010100 delta -88ce77c0 
challenged:  38 response: b9b2a8b8 binary: 10111001 10110010 10101000 10111000 delta +7e0ca3a4 
challenged:  39 response: 79e96b64 binary: 01111001 11101001 01101011 01100100 delta -3fc93d54 
challenged:  40 response: 9c23b358 binary: 10011100 00100011 10110011 01011000 delta +223a47f4 
challenged:  41 response: 6ef8c5ce binary: 01101110 11111000 11000101 11001110 delta -2d2aed8a 
challenged:  42 response: 3db83609 binary: 00111101 10111000 00110110 00001001 delta -31408fc5 
challenged:  43 response: 136de61e binary: 00010011 01101101 11100110 00011110 delta -2a4a4feb 
challenged:  44 response: 24f123e8 binary: 00100100 11110001 00100011 11101000 delta +11833dca 
challenged:  45 response: e0e4c2a3 binary: 11100000 11100100 11000010 10100011 delta +bbf39ebb 
challenged:  46 response: bc1847f9 binary: 10111100 00011000 01000111 11111001 delta -24cc7aaa 
challenged:  47 response: 4ca9d0ad binary: 01001100 10101001 11010000 10101101 delta -6f6e774c 
challenged:  48 response: 2f795ba4 binary: 00101111 01111001 01011011 10100100 delta -1d307509 
challenged:  49 response: 693cbaab binary: 01101001 00111100 10111010 10101011 delta +39c35f07 
challenged:  50 response: 4e0199bc binary: 01001110 00000001 10011001 10111100 delta -1b3b20ef 
challenged:  51 response: b213198a binary: 10110010 00010011 00011001 10001010 delta +64117fce 
challenged:  52 response: c4895aa6 binary: 11000100 10001001 01011010 10100110 delta +1276411c 
challenged:  53 response: 8f529ba3 binary: 10001111 01010010 10011011 10100011 delta -3536bf03 
challenged:  54 response: 28db1cfe binary: 00101000 11011011 00011100 11111110 delta -66777ea5 
challenged:  55 response: 592627e4 binary: 01011001 00100110 00100111 11100100 delta +304b0ae6 
challenged:  56 response: 04a3eaae binary: 00000100 10100011 11101010 10101110 delta -54823d36 
challenged:  57 response: ffe04773 binary: 11111111 11100000 01000111 01110011 delta +fb3c5cc5 
challenged:  58 response: 76bb7d94 binary: 01110110 10111011 01111101 10010100 delta -8924c9df 
challenged:  59 response: 6e48ae7e binary: 01101110 01001000 10101110 01111110 delta -872cf16 
challenged:  60 response: 060558a2 binary: 00000110 00000101 01011000 10100010 delta -684355dc 
challenged:  61 response: b7edbcea binary: 10110111 11101101 10111100 11101010 delta +b1e86448 
challenged:  62 response: b4cac362 binary: 10110100 11001010 11000011 01100010 delta -322f988 
challenged:  63 response: 2f5c26d9 binary: 00101111 01011100 00100110 11011001 delta -856e9c89 
challenged:  64 response: 4988b22b binary: 01001001 10001000 10110010 00101011 delta +1a2c8b52 
challenged:  65 response: 52e0acf9 binary: 01010010 11100000 10101100 11111001 delta +957face 
challenged:  66 response: e234a28d binary: 11100010 00110100 10100010 10001101 delta +8f53f594 
challenged:  67 response: fc6efc01 binary: 11111100 01101110 11111100 00000001 delta +1a3a5974 
challenged:  68 response: 48eace43 binary: 01001000 11101010 11001110 01000011 delta -b3842dbe 
challenged:  69 response: 2ae3d69a binary: 00101010 11100011 11010110 10011010 delta -1e06f7a9 
challenged:  70 response: 1a6421aa binary: 00011010 01100100 00100001 10101010 delta -107fb4f0 
challenged:  71 response: 289d712c binary: 00101000 10011101 01110001 00101100 delta +e394f82 
challenged:  72 response: aab85a5d binary: 10101010 10111000 01011010 01011101 delta +821ae931 
challenged:  73 response: 32afc85b binary: 00110010 10101111 11001000 01011011 delta -78089202 
challenged:  74 response: 699adb67 binary: 01101001 10011010 11011011 01100111 delta +36eb130c 
challenged:  75 response: 4e80d6ce binary: 01001110 10000000 11010110 11001110 delta -1b1a0499 
challenged:  76 response: 72ba892c binary: 01110010 10111010 10001001 00101100 delta +2439b25e 
challenged:  77 response: 2769c8fb binary: 00100111 01101001 11001000 11111011 delta -4b50c031 
challenged:  78 response: 3f363865 binary: 00111111 00110110 00111000 01100101 delta +17cc6f6a 
challenged:  79 response: 05998810 binary: 00000101 10011001 10001000 00010000 delta -399cb055 
challenged:  80 response: fdebcea2 binary: 11111101 11101011 11001110 10100010 delta +f8524692 
challenged:  81 response: da0e751e binary: 11011010 00001110 01110101 00011110 delta -23dd5984 
challenged:  82 response: e83debb3 binary: 11101000 00111101 11101011 10110011 delta +e2f7695 
challenged:  83 response: 7752b1bc binary: 01110111 01010010 10110001 10111100 delta -70eb39f7 
challenged:  84 response: 365cdd3d binary: 00110110 01011100 11011101 00111101 delta -40f5d47f 
challenged:  85 response: 20e37636 binary: 00100000 11100011 01110110 00110110 delta -15796707 
challenged:  86 response: 1f42e8ff binary: 00011111 01000010 11101000 11111111 delta -1a08d37 
challenged:  87 response: c53ccf86 binary: 11000101 00111100 11001111 10000110 delta +a5f9e687 
challenged:  88 response: 01384258 binary: 00000001 00111000 01000010 01011000 delta -c4048d2e 
challenged:  89 response: cfea72fa binary: 11001111 11101010 01110010 11111010 delta +ceb230a2 
challenged:  90 response: 8e054eee binary: 10001110 00000101 01001110 11101110 delta -41e5240c 
challenged:  91 response: d9336e4a binary: 11011001 00110011 01101110 01001010 delta +4b2e1f5c 
challenged:  92 response: 23621c40 binary: 00100011 01100010 00011100 01000000 delta -b5d1520a 
challenged:  93 response: b19110a8 binary: 10110001 10010001 00010000 10101000 delta +8e2ef468 
challenged:  94 response: e95e6edc binary: 11101001 01011110 01101110 11011100 delta +37cd5e34 
challenged:  95 response: 2d446503 binary: 00101101 01000100 01100101 00000011 delta -bc1a09d9 
challenged:  96 response: 7f6a768d binary: 01111111 01101010 01110110 10001101 delta +5226118a 
challenged:  97 response: 667b262a binary: 01100110 01111011 00100110 00101010 delta -18ef5063 
challenged:  98 response: c452b502 binary: 11000100 01010010 10110101 00000010 delta +5dd78ed8 
challenged:  99 response: 24aac088 binary: 00100100 10101010 11000000 10001000 delta -9fa7f47a 
challenged: 100 response: 18500a6d binary: 00011000 01010000 00001010 01101101 delta -c5ab61b 
challenged: 101 response: 2811f310 binary: 00101000 00010001 11110011 00010000 delta +fc1e8a3 
challenged: 102 response: 75ead6b3 binary: 01110101 11101010 11010110 10110011 delta +4dd8e3a3 
challenged: 103 response: df888538 binary: 11011111 10001000 10000101 00111000 delta +699dae85 
maybe let's try feeding the response as a challenge and see what happens:
challenged: 1 response: 28d782ee binary: 00101000 11010111 10000010 11101110 
challenged: 685212398 response: 557fe42d binary: 01010101 01111111 11100100 00101101 delta +2ca8613f 
challenged: 1434444845 response: f63f8ce0 binary: 11110110 00111111 10001100 11100000 delta +a0bfa8b3 
challenged: 4131359968 response: 92ee801b binary: 10010010 11101110 10000000 00011011 delta -63510cc5 
challenged: 2465103899 response: e01d5438 binary: 11100000 00011101 01010100 00111000 delta +4d2ed41d 
challenged: 3760018488 response: bf701e09 binary: 10111111 01110000 00011110 00001001 delta -20ad362f 
challenged: 3211795977 response: 40394596 binary: 01000000 00111001 01000101 10010110 delta -7f36d873 
challenged: 1077495190 response: 9fca19cb binary: 10011111 11001010 00011001 11001011 delta +5f90d435 
challenged: 2680822219 response: c3e56da0 binary: 11000011 11100101 01101101 10100000 delta +241b53d5 
challenged: 3286592928 response: 6985d408 binary: 01101001 10000101 11010100 00001000 delta -5a5f9998 
challenged: 1770378248 response: 8e9b3153 binary: 10001110 10011011 00110001 01010011 delta +25155d4b 
challenged: 2392535379 response: cf5c0dfb binary: 11001111 01011100 00001101 11111011 delta +40c0dca8 
challenged: 3478916603 response: de6df272 binary: 11011110 01101101 11110010 01110010 delta +f11e477 
challenged: 3731747442 response: 92aa4d3f binary: 10010010 10101010 01001101 00111111 delta -4bc3a533 
challenged: 2460634431 response: 49ceeaea binary: 01001001 11001110 11101010 11101010 delta -48db6255 
challenged: 1238297322 response: 98b2ad12 binary: 10011000 10110010 10101101 00010010 delta +4ee3c228 
challenged: 2561846546 response: cc76e863 binary: 11001100 01110110 11101000 01100011 delta +33c43b51 
challenged: 3430344803 response: 29e0b81c binary: 00101001 11100000 10111000 00011100 delta -a2963047 
hmm.. does it recognize hex strings??
challenged: 01 response: 28d782ee binary: 00101000 11010111 10000010 11101110 
challenged: 01a response: 28d782ee binary: 00101000 11010111 10000010 11101110 delta +0 
challenged: 01b response: 28d782ee binary: 00101000 11010111 10000010 11101110 delta +0 
challenged: 01c response: 28d782ee binary: 00101000 11010111 10000010 11101110 delta +0 
challenged: 1c response: 28d782ee binary: 00101000 11010111 10000010 11101110 delta +0 

After reading this page I decided to check out giFT to see if they had any luck with the challenge/response stuff as it appeared that they were working on breaking the protocol too, or at least the text:

There is an open-source implementation of the Fasttrack protocol which is used by KaZaA and its spyware-free cousin Morpheus (and others). The open-source project is called giFT and also documents the previously unknown protocol.

however after downloading the source I didn't see too much in there, and after getting on IRC the developers told me to "go away" and didn't seem interested at all in talking. Apparently they've given up and decided to implement their own protocol.

I did correspond with some folks after seeing this page who were working on implementing a file sharing app that would work with as many networks as possible. Due to the possible use of encryption and the proprietary protocol used by KaZaA, they decided to skip it. They also pointed me to an older version of giFT which was apparently compatible with an older version of KaZaA. I bet that this was prior to the implementation of the challenge response system. Upon perusing the source, I noticed that they have either solved the file format issue, or can give me a lot of hints. I saw the following:

enum { FILE_TAG_ANY = 0x00, FILE_TAG_YEAR = 0x01, FILE_TAG_HREF = 0x02,
    FILE_TAG_HASH = 0x03, FILE_TAG_TITLE = 0x04, FILE_TAG_TIME = 0x05,
    FILE_TAG_ARTIST = 0x06, FILE_TAG_ALBUM = 0x08, FILE_TAG_LANGUAGE = 0x0a,
    FILE_TAG_KEYWORDS = 0x0c, FILE_TAG_RESOLUTION = 0x0d,
    FILE_TAG_GENRE = 0x0e, FILE_TAG_BITDEPTH = 0x11, FILE_TAG_QUALITY = 0x15,
    FILE_TAG_VERSION = 0x18, FILE_TAG_COMMENT = 0x1a, FILE_TAG_RATING = 0x1d,
    FILE_TAG_SIZE = 0x21 };
which solves the mystery of the attribute values. I'll have to see if they have code which explains the preambles.
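
The layout worked out so far (preamble, field count, then tag/length/value entries) can be decoded as follows. This is an added example, not the author's or giFT's code; it assumes single-byte lengths, treats tags 0x01, 0x05 and 0x15 as non-text because their values are non-text in the dumps, and locates the record with a heuristic scan because the preamble length is still unresolved. The sample bytes are the "Sevendust - Bitch.mp3" entry from the capture above.

```python
# Added example: decode one share-list entry from the capture above.
# Layout from the notes: <preamble><count> then count x <tag><len><value>.

# Tag names from the old giFT enum quoted above.
TAG_NAMES = {
    0x00: "any", 0x01: "year", 0x02: "href", 0x03: "hash", 0x04: "title",
    0x05: "time", 0x06: "artist", 0x08: "album", 0x0a: "language",
    0x0c: "keywords", 0x0d: "resolution", 0x0e: "genre", 0x11: "bitdepth",
    0x15: "quality", 0x18: "version", 0x1a: "comment", 0x1d: "rating",
    0x21: "size",
}
# Assumption: these tags hold non-text values in the dumps, so keep raw hex.
BINARY_TAGS = {0x01, 0x05, 0x15}
FILENAME_TAG = 0x02  # the '02' file name entry that always comes first

# Preamble (26 bytes, meaning unknown) followed by the attribute fields.
SAMPLE_HEX = """
87 19 df a4 c2 3d 44 4b 20 95 5a fd 05 a3 b4 4d d2 b7 b4 a3 86 0f 81 d8 a0 00
0a
02 15 53 65 76 65 6e 64 75 73 74 20 2d 20 42 69 74 63 68 2e 6d 70 33
05 02 81 5e
15 02 81 00
06 09 53 65 76 65 6e 64 75 73 74
0e 05 4d 65 74 61 6c
04 05 42 69 74 63 68
08 09 53 65 76 65 6e 64 75 73 74
1a 0d 48 6f 6c 6c 79 77 6f 6f 64 20 4d 50 33
01 01 61
0a 02 65 6e
"""
SAMPLE = bytes.fromhex("".join(SAMPLE_HEX.split()))


def parse_fields(buf, pos):
    """Parse the field count at buf[pos] and that many tag/len/value entries.

    Returns (fields, end_pos). Raises ValueError when an entry would run
    past the end of the data, so truncated captures are never half-decoded.
    """
    if pos >= len(buf):
        raise ValueError("no field count")
    count = buf[pos]
    pos += 1
    fields = []
    for _ in range(count):
        if pos + 2 > len(buf):
            raise ValueError("truncated field header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if pos + length > len(buf):
            raise ValueError("field 0x%02x runs past end of data" % tag)
        value = buf[pos:pos + length]
        pos += length
        name = TAG_NAMES.get(tag, "tag_0x%02x" % tag)  # e.g. 0x12 in the dump
        text = value.hex() if tag in BINARY_TAGS else value.decode("latin-1")
        fields.append((name, text))
    return fields, pos


def find_record(buf, start=0):
    """Heuristic: skip the preamble by looking for <count>=1+ followed by the
    file name tag, and accept the first offset where every field parses."""
    for i in range(start, len(buf) - 1):
        if buf[i] >= 1 and buf[i + 1] == FILENAME_TAG:
            try:
                fields, end = parse_fields(buf, i)
            except ValueError:
                continue
            return i, fields, end
    return None


if __name__ == "__main__":
    offset, fields, end = find_record(SAMPLE)
    print("preamble length:", offset)
    for name, text in fields:
        print("  %-10s %s" % (name, text))
```
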

I also noted that there were more developers listed in the AUTHORS for the old version, so I think I might try mailing developers that are no longer involved with the project to ask if they got anywhere with the challenge response system.

OK, I've been spending a bit of time on my man in the middle code and got a fair way along in the file format decoding and optimized the reading routines to use select rather than do sleeps while waiting for data. I did get a response from one of the old giFT developers who jumped onboard and has started helping. The most interesting thing that he has come up with is a set of challenges where a couple of challenges yield the same result. Here are the values he came up with:


Greetings,

I've found 4 pairs of challenges that return the same response:

Challenges: 3981838635 and 125858548 both get the response: f5 2f 45 34
( or 4113515828, according to perl's hex function)

4083751529 and 846529237 return 00 f2 c2 f0 ( 15909616 )

953752299 and 2916448484 return f1 0a ed 71 ( 4044025201 )

517756024 and 1011799067 return 66 e6 ce 52 ( 1726402130 )

Overall I've gotten an amazing number of challenge / response pairs. 
But all my attempts to figure out how f(c) = r have failed miserably. 
It's looking like I have about 130,000 challenge / response pairs.  I've
got them in a mysql database.  I could dump it to a file for you if
you'd like it.

I can't seem to do anything with it.

--Zack

This should help a ton with figuring out the function...

OK, so let's play with this a bit.

327502d5 and f3691a69 produce 00f2c2f0
difference is c0f41794

38d91aeb and add578e4 produce f10aed71
difference is 74fc5df9

1edc5478 and 3c4ed41b produce 66e6ce52
difference is 1d727fa3

ed56092b and 078072f4 produce f52f4534
difference is e5d59637

let's confirm these values..
challenged:  846529237 response: 00f2c2f0 binary: 00000000 11110010 11000010 11110000 
challenged: 4083751529 response: 00f2c2f0 binary: 00000000 11110010 11000010 11110000 delta +0 
challenged:  953752299 response: f10aed71 binary: 11110001 00001010 11101101 01110001 delta +f0182a81 
challenged: 2916448484 response: f10aed71 binary: 11110001 00001010 11101101 01110001 delta +0 
challenged:  517756024 response: 66e6ce52 binary: 01100110 11100110 11001110 01010010 delta -8a241f1f 
challenged: 1011799067 response: 66e6ce52 binary: 01100110 11100110 11001110 01010010 delta +0 
challenged: 3981838635 response: f52f4534 binary: 11110101 00101111 01000101 00110100 delta +8e4876e2 
challenged:  125858548 response: f52f4534 binary: 11110101 00101111 01000101 00110100 delta +0 

ok, now let's muck with this a bit.. let's take the first challenge and
add the differences from the other three pairs to see what we get:

so we're going to challenge:
327502d5, 
327502d5+c0f41794, 
327502d5+74fc5df9
327502d5+1d727fa3
327502d5+e5d59637 (this one overflows)

and observe:

challenged : 846529237 response: 00f2c2f0 binary: 00000000 11110010 11000010 11110000 
challenged: 4083751529 response: 00f2c2f0 binary: 00000000 11110010 11000010 11110000 delta +0 
challenged: 2809225422 response: 785c850d binary: 01111000 01011100 10000101 00001101 delta +7769c21d 
challenged: 1340572280 response: 8ca858d6 binary: 10001100 10101000 01011000 11010110 delta +144bd3c9 
challenged:  407542028 response: bee0add2 binary: 10111110 11100000 10101101 11010010 delta +323854fc 

ok, nothing much to see, let's try
078072f4 plus the differences:

challenged:  125858548 response: f52f4534 binary: 11110101 00101111 01000101 00110100 
challenged: 3363080840 response: 5979ae94 binary: 01011001 01111001 10101110 10010100 delta -9bb596a0 
challenged: 2088554733 response: 8af8b4f1 binary: 10001010 11111000 10110100 11110001 delta +317f065d 
challenged:  619901591 response: 40287d76 binary: 01000000 00101000 01111101 01110110 delta -4ad0377b 
challenged: 3981838635 response: f52f4534 binary: 11110101 00101111 01000101 00110100 delta +b506c7be 

hmmm.. again, not much, let's keep going:
1edc5478 + differences

challenged: 517756024  response: 66e6ce52 binary: 01100110 11100110 11001110 01010010 
challenged: 3754978316 response: 4de54f93 binary: 01001101 11100101 01001111 10010011 delta -19017ebf 
challenged: 2480452209 response: 10f94a95 binary: 00010000 11111001 01001010 10010101 delta -3cec04fe 
challenged: 1011799067 response: 66e6ce52 binary: 01100110 11100110 11001110 01010010 delta +55ed83bd 
challenged: 78768815   response: 64d131a9 binary: 01100100 11010001 00110001 10101001 delta -2159ca9  (overflow here)

and lastly:
38d91aeb + differences

challenged: 953752299  response: f10aed71 binary: 11110001 00001010 11101101 01110001 
challenged: 4190974591 response: 61a1ef56 binary: 01100001 10100001 11101111 01010110 delta -8f68fe1b 
challenged: 2916448484 response: f10aed71 binary: 11110001 00001010 11101101 01110001 delta +8f68fe1b 
challenged: 1447795342 response: a06c4649 binary: 10100000 01101100 01000110 01001001 delta -509ea728 
challenged: 514765090  response: 19f6ec7b binary: 00011001 11110110 11101100 01111011 delta -867559ce  (overflow again)

so all we see is the original dupes - we seem to be striking out here..
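
The difference test above, redone with wrapping 32-bit arithmetic as an added example (not the author's code): it recomputes the four differences and the probes sent from 846529237, then counts how many of the responses recorded above reproduced the base response. It also computes XOR differences and the number of dupes a uniformly random 32-bit function would be expected to produce, neither of which the page calculates; the function names and the random-function model are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Colliding challenge pairs and their shared response, from Zack's mail above. */
struct dupe { uint32_t a, b, resp; };
static const struct dupe DUPES[4] = {
    {  846529237u, 4083751529u, 0x00f2c2f0u },
    {  953752299u, 2916448484u, 0xf10aed71u },
    {  517756024u, 1011799067u, 0x66e6ce52u },
    {  125858548u, 3981838635u, 0xf52f4534u },
};

/* Responses recorded above for 846529237 plus each pair's difference, in DUPES order. */
static const uint32_t OBSERVED[4] = { 0x00f2c2f0u, 0x785c850du, 0x8ca858d6u, 0xbee0add2u };

/* Difference of pair i modulo 2^32; uint32_t arithmetic wraps like the 4-byte challenge. */
uint32_t add_delta(int i) { return DUPES[i].b - DUPES[i].a; }

/* XOR difference of pair i (assumption: worth checking if f mixes bits instead of adding). */
uint32_t xor_delta(int i) { return DUPES[i].a ^ DUPES[i].b; }

/* Challenge to send when pair j's difference is transplanted onto pair i's first value. */
uint32_t probe(int i, int j) { return DUPES[i].a + add_delta(j); }

/* How many transplanted differences reproduced the base response (own difference included). */
int transfers(void) {
    int hits = 0;
    for (int j = 0; j < 4; j++)
        hits += (OBSERVED[j] == DUPES[0].resp);
    return hits;
}

/* Expected colliding pairs among n outputs of a uniformly random 32-bit function: C(n,2) / 2^32. */
double expected_dupes(double n) { return n * (n - 1.0) / 2.0 / 4294967296.0; }

int main(void) {
    for (int i = 0; i < 4; i++)
        printf("%08x / %08x: add %08x xor %08x\n",
               DUPES[i].a, DUPES[i].b, add_delta(i), xor_delta(i));
    for (int j = 0; j < 4; j++)
        printf("probe %10u -> %08x\n", probe(0, j), OBSERVED[j]);
    printf("transfers: %d of 4, expected dupes in 130000 samples: %.2f\n",
           transfers(), expected_dupes(130000.0));
    return 0;
}
```

For the roughly 130,000 pairs Zack mentions, `expected_dupes` comes out at about 2, so a handful of dupes is within what an unstructured 32-bit function would give by chance.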

hmm.. more dupes from Zack, he just sent me:

Both: 3981838635 and 125858548 returned f5 2f 45 34 ( 4113515828 ) 
Both: 4083751529 and 846529237 returned 00 f2 c2 f0 ( 15909616 ) 
Both: 953752299 and 2916448484 returned f1 0a ed 71 ( 4044025201 ) 
Both: 517756024 and 1011799067 returned 66 e6 ce 52 ( 1726402130 ) 
Both: 985572990 and 1416533408 returned 4e 82 b6 a5 ( 1317189285 ) 
Both: 2814860520 and 4004979365 returned 0e 1a 40 49 ( 236601417 ) 
Both: 4251664106 and 2947995269 returned f5 d4 d6 dc ( 4124366556 ) 
Both: 2008520747 and 3171505471 returned 02 25 5a e6 ( 36002534 ) 
Both: 61952471 and 1409342214 returned e0 93 dc de ( 3767786718 ) 
Both: 710034193 and 3023203105 returned 56 a4 27 d5 ( 1453598677 ) 
Both: 3575964921 and 2272677 returned 56 c9 08 49 ( 1456015433 ) 
Both: 567274427 and 165363821 returned 52 7f 7d 3b ( 1384086843 ) 
Both: 2541291463 and 248289902 returned 1f 42 9b 2f ( 524458799 ) 
Both: 2667270286 and 2677943833 returned 94 b4 4b 60 ( 2494843744 ) 
Both: 1711341047 and 754288003 returned f0 99 ff 4d ( 4036624205 ) 
Both: 3944044014 and 1924202017 returned 55 54 31 5a ( 1431581018 ) 
Both: 3258121042 and 698388196 returned d7 6c e7 64 ( 3614238564 ) 
Both: 696722827 and 2807047041 returned 89 e9 1a 3e ( 2313755198 ) 
Both: 3883427003 and 3566014053 returned a1 63 89 bf ( 2707655103 ) 
Both: 233110544 and 2204824787 returned b5 dc fc c6 ( 3051158726 ) 
Both: 3512643603 and 1643794564 returned c7 6d d9 0d ( 3345864973 ) 
Both: 2877873903 and 2991492637 returned 53 0d 71 a0 ( 1393389984 ) 
Both: 1371731033 and 145901118 returned 28 b5 70 5b ( 682979419 ) 
Both: 887033038 and 1199085204 returned a3 8e ad d6 ( 2744036822 ) 
Both: 3722941635 and 2135267444 returned 9a ab c0 78 ( 2594947192 ) 
Both: 226972735 and 2034431198 returned 7f 2a fe b5 ( 2133524149 ) 
Both: 153961725 and 164873797 returned 0e 4a 7f cd ( 239763405 ) 
Both: 3787801253 and 1769734800 returned 26 9f 98 ac ( 647993516 ) 
Both: 1525155274 and 1119799801 returned 63 58 10 9d ( 1666715805 ) 
Both: 1077755855 and 2338421304 returned 09 ab 26 3d ( 162211389 ) 
Both: 402317918 and 902542987 returned af 3a 69 cf ( 2939840975 ) 


OK, well, got some more help from other folks:

Jodon Karlik wrote:

I just wrote a small program to
factor the numbers.... problem is I'm wondering if we should treat them
as unsigned longs or as signed longs ... either way I haven't really had
much success :(.  I've included the program if you want to do some
testing, you can switch between signed/unsigned by changing all the
"long"s to "unsigned long" and all the %i's to %u's.  Originally I
thought it could be signed longs, which in turn would explain why MOST
(but not ALL) duplicates appear to be in pairs of negative/positive
numbers.

The most interesting one, I think is:

Both: 2814860520 and 4004979365 returned 0e 1a 40 49 ( 236601417 )

When I put the second number (4004979365) into a signed long, it's
actually a prime number itself.  I haven't tried unsigned yet.  I'll
plot the points in excel later tonight to see if the points have any
pattern.

Here's Jodon's program:

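#include <cstdio>

// Prints every factor pair and the prime factorisation of numberToBreak.
// This is the unsigned variant: the (x < 0) checks below are no-ops here
// and only take effect after switching the types to signed long.
int main()
{
        unsigned long numberToBreak = 0xf52f4534, numExpected = 0xf52f4534;
        unsigned long toNumber = numberToBreak, i, j;
        unsigned long Factors[65535], PrimeFacts[65535], curFac = 0, tmpLong;
        char buf[20];

        if (toNumber < 0)
                toNumber = -toNumber;

        // %lu matches unsigned long; plain %u is a format mismatch where long is 64 bits
        printf("have unsigned #'s:\nTo Break: %10lu and expected %-10lu\n", numberToBreak, numExpected);

        // Each hit (i, n/i) lowers the upper bound to n/i, so the loop
        // stops once i passes the square root of the number.
        printf("All Factors:\n");
        for (i = 1 ; i < toNumber ; i++)
        {
                if (numberToBreak%i)
                        continue;
                Factors[curFac] = i;
                Factors[curFac+1] = numberToBreak/i;
                toNumber = Factors[curFac+1];
                if (toNumber < 0)
                        toNumber = -toNumber;
                printf("%7lu %15lu\n", Factors[curFac], Factors[curFac+1]);
                curFac += 2;
        }

        // Trial division: divide out the smallest remaining factor until 1 is left
        i = 2;
        j = 0;
        printf("\nPrime Factors:\n");
        while (numberToBreak != 1 && numberToBreak != -1)
        {
                if (numberToBreak%i)
                {
                        i++;
                        continue;
                }
                PrimeFacts[j++] = i;
                printf("%-10lu", i);
                numberToBreak /= i;
                printf("Left with %lu\n", numberToBreak);
        }

        //fgets(&buf[0], 10, stdin);
        return 0;
}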

Running Zack's first set of dupes through Jodon's factoring program, I get:

Both: 3981838635 and 125858548 returned f5 2f 45 34 ( 4113515828 )

To Break: 3981838635 and expected 4113515828
All Factors:
      1      3981838635
      3      1327279545
      5       796367727
      9       442426515
     15       265455909
     27       147475505
     45        88485303
    135        29495101

Prime Factors:
3         Left with 1327279545
3         Left with 442426515
3         Left with 147475505
5         Left with 29495101
29495101  Left with 1

To Break:  125858548 and expected 4113515828
All Factors:
      1       125858548
      2        62929274
      4        31464637
     17         7403444
     34         3701722
     68         1850861
    167          753644
    334          376822
    668          188411
   2839           44332
   5678           22166
  11083           11356

Prime Factors:
2         Left with 62929274
2         Left with 31464637
17        Left with 1850861
167       Left with 11083
11083     Left with 1

To Break: 4113515828 and expected 4113515828
All Factors:
      1      4113515828
      2      2056757914
      4      1028378957
    809         5084692
   1618         2542346
   3236         1271173

Prime Factors:
2         Left with 2056757914
2         Left with 1028378957
809       Left with 1271173
1271173   Left with 1

So at first glance, this is a bit disheartening as there does not seem to be anything that jumps out... trying a new set:

Both: 4083751529 and 846529237 returned 00 f2 c2 f0 ( 15909616 )

To Break: 4083751529 and expected 15909616  
All Factors:
      1      4083751529
     11       371250139
     13       314134733
     19       214934291
    143        28557703
    209        19539481
    247        16533407
   2717         1503037

Prime Factors:
11        Left with 371250139
13        Left with 28557703
19        Left with 1503037
1503037   Left with 1

To Break:  846529237 and expected 15909616  
All Factors:
      1       846529237
     23        36805619
     71        11922947
   1633          518389

Prime Factors:
23        Left with 36805619
71        Left with 518389
518389    Left with 1

To Break:   15909616 and expected 15909616  
All Factors:
      1        15909616
      2         7954808
      4         3977404
      8         1988702
     16          994351
    107          148688
    214           74344
    428           37172
    856           18586
   1712            9293

Prime Factors:
2         Left with 7954808
2         Left with 3977404
2         Left with 1988702
2         Left with 994351
107       Left with 9293
9293      Left with 1

hmmm.. again, although somewhat interesting themselves, nothing jumps out at me as far as correlations..

A new mail from Justin had the following:

I graphed the list of dups you have, doesn't look like much, but you would need more numbers to see what it looks like. The 2 different colors are each set of dups, so every y value has 2 x values.