T 24.29.240.180:64148 -> 205.132.149.125:8000 [AP]
LOGN***Interrupt***Interrupt|||
       ^^Username  ^^Password
Separated by three *'s and ending with three |'s.

T 205.132.149.125:8000 -> 192.168.1.2:3288 [AP]
USRO
Response received from a successful logon.

T 205.132.149.125:8000 -> 24.29.240.180:12843 [AP]
INVP
Response received from an invalid password.

T 205.132.149.125:8000 -> 24.29.240.180:12867 [AP]
INVU
Response received when you enter an invalid username.

T 24.29.240.180:64148 -> 205.132.149.125:8000 [AP]
SCNT|||

T 205.132.149.125:8000 -> 192.168.1.2:3288 [AP]
SCNT***1207|||

This appears to be a way of checking that the client and server are still alive and talking to each other. The client sends SCNT||| and the server replies with SCNT***1207|||. After I tried connecting by hand again I kept receiving 1207, although once in a while I will receive 1112 from both the by-hand method AND the Windows client. I believe these are the only two values it has.

NOTE: You can 'SCNT' without AUTHing.

--------

CHAT***.Interrupt.: Hi|||

This is how you talk. Right now the server only holds one channel, so I assume that is why there is no channel variable. Now if you connect by hand and do this your text WILL appear, BUT in the color BLUE, not the normal GREEN the Windows client sends. I believe this is because of how they send the command. Here is the exact command above as sent from the Windows client, in hex:

T 24.29.240.180:64159 -> 205.132.149.125:8000 [AP]
43 48 41 54 2a 2a 2a cf 49 6e 74 65 72 72 75 70    CHAT***.Interrup
74 d8 3a 20 c8 48 69 7c 7c 7c                      t.: .Hi|||

As you can see there is a change, i.e. cf instead of 2e, etc.

NOTE: You CAN chat without AUTHing.

The following is a dump of trying to list the files of another USER.
T 24.29.240.180:64159 -> 205.132.149.125:8000 [AP]
53 52 43 48 2a 2a 2a 62 6c 61 68 2a 2a 2a 2a 2a    SRCH***blah*****
2a 2a 2a 2a 30 2a 2a 2a 30 2a 2a 2a 31 31 32 2a    ****0***0***112*
2a 2a 32 32 30 35 30 2a 2a 2a 30 2a 2a 2a 4d 50    **22050***0***MP
33 2a 2a 2a 4d 6f 6e 6f 2a 2a 2a 53 61 6c 61 64    3***Mono***Salad
54 6f 73 73 65 72 7c 7c 7c                         Tosser|||

T 205.132.149.125:8000 -> 192.168.1.2:3344 [AP]
4c 53 54 52                                        LSTR

T 24.29.240.180:64159 -> 205.132.149.125:8000 [AP]
4e 58 54 53 7c 7c 7c                               NXTS|||

T 205.132.149.125:8000 -> 192.168.1.2:3344 [AP]
53 44 55 4e                                        SDUN

As you can see it does a SRCH for MP3s, and the user was SaladTosser. Then it proceeds with a LSTR (LIST), followed by NXTS|||.

T 24.29.240.180:64159 -> 205.132.149.125:8000 [AP]
53 52 43 48 2a 2a 2a 62 6c 61 68 2a 2a 2a 2a 2a    SRCH***blah*****
2a 2a 2a 2a 30 2a 2a 2a 30 2a 2a 2a 31 31 32 2a    ****0***0***112*
2a 2a 32 32 30 35 30 2a 2a 2a 30 2a 2a 2a 4d 50    **22050***0***MP
33 2a 2a 2a 4d 6f 6e 6f 2a 2a 2a 53 61 6c 61 64    3***Mono***Salad
54 6f 73 73 65 72 7c 7c 7c                         Tosser|||

blah seems to be a constant; no matter what you do it is sent to the server. The next part, the '0', is the field where you enter what you are searching for. Then the next 0 seems to be meaningless. Then the 112 is the least bitrate and the 22050 is the least Hz. The MP3 is the file type. Mono is the type of sound, i.e. Stereo or Mono. The last field is the username.

-----Data Transfer

OK, when you make a data transfer this is what happens. You connect to port 8969 on the remote client, then send

STARTfileyouwant*Nick*0*

Note there is NO space between START and the file you want. Here is the kicker: you can GET any file on the system. How, you ask? Reverse directory traversal. Good ol' ../. Say you want the autoexec.bat file and the person has their MP3s in \Mp3s\. You connect to port 8969 and type

START../autoexec.bat*Godno*0*

and bewm, you will get the contents displayed to your screen. Neeto.

------------- Possible remote commands or interesting strings.
Problem is discerning which are client commands and which are server codes.

OWNER
START
EOLT
***Gobbledy Gook vcksdmclksmdclksmdclksdm **** *****
DELE|||
SONG***
START
SRCH***blah***
***0
CHAT (begin chat message)
INVU (invalid user)
INVP (invalid password)
USRE (user exists?)
USRC
USRN
USRO (user okay?)
USRB
SVRM
SACK (search acknowledge?)
SDUN (status done?)
SRET
LSTR
CHAT
UCNT (user count)
UCNT|||
SCNT (song count)
NVER (new version?)
NEWU (new user)
LOGN
NXTS||| (solicits SDUN)
XSCH||| (maybe check for new client?)
RSET

Sending SONG***\n DELE|||\n solicits EROS.

I think these are strictly client<->server commands, from the disasm:

004A1484: 00497BE8 ("INVU")
004A1488: 00497BF8 ("INVP")
004A148C: 00497C08 ("USRE")
004A1490: 00497C18 ("USRC")
004A1494: 00497C28 ("USRN")
004A1498: 00497C38 ("USRO")
004A149C: 00497C48 ("USRB")
004A14A0: 00497C58 ("SVRM")
004A14A4: 00497C68 ("SACK")
004A14A8: 00497C78 ("SDUN")
004A14AC: 00497C88 ("SRET")
004A14B0: 00497C98 ("LSTR")
004A14B4: 00497CA8 ("CHAT")
004A14B8: 00497CB8 ("UCNT")
004A14BC: 00497CC8 ("SCNT")
004A14C0: 00497CD8 ("NVER")

----

Binary is compiled with debugging symbols, written in Delphi (Pascal). Interestingly enough it uses the same Ping library that Abe's does.
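The LOGN, SCNT, CHAT and SRCH captures and the command table above all share one framing: a four-letter code, fields separated by three *'s, terminated by three |'s, with bare server replies (USRO, LSTR, SDUN) carrying no terminator. The Python below is an added example, not code from this writeup or from the client being analysed. It cuts a byte stream into frames, splits the fields, reports bytes outside printable ASCII (the cf/d8/c8 bytes the Windows client puts into CHAT), and labels the SRCH fields according to the author's reading above; positions the writeup does not explain are labelled as such. The sample stream is constructed from the frames shown on this page, with the CHAT frame taken byte-for-byte from the hex dump.

```python
"""Framing parser for the ***-separated, |||-terminated protocol above.

Added example, not code from the writeup or the client. Frame layout is
taken from the captures on this page: a four-letter command, fields
separated by '***', message terminated by '|||'. Bare server replies
(USRO, LSTR, SDUN) carry no terminator.
"""
from dataclasses import dataclass
from typing import List, Tuple

SEP = b"***"
END = b"|||"

# SRCH field positions as read by the writeup's author; positions the
# writeup does not explain are labelled as such by describe_search().
SRCH_LABELS = {
    0: "constant 'blah' (always sent)",
    3: "search term",
    4: "unused (always 0 in the capture)",
    5: "least bitrate",
    6: "least sample rate (Hz)",
    8: "file type",
    9: "sound type (Mono/Stereo)",
    10: "username",
}


@dataclass
class Message:
    cmd: str             # four-letter command, e.g. LOGN, SCNT, SRCH
    fields: List[str]    # decoded fields following the command
    nonascii: List[int]  # offsets of bytes outside printable ASCII


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a byte stream at every '|||'; return (frames, unterminated remainder).

    The remainder is what a socket reader would keep buffered until more
    data arrives, or what a bare reply such as USRO looks like.
    """
    frames = []
    while True:
        idx = stream.find(END)
        if idx < 0:
            return frames, stream
        frames.append(stream[:idx])
        stream = stream[idx + len(END):]


def parse_frame(frame: bytes) -> Message:
    """Split one terminator-less frame into its command and '***'-separated fields."""
    parts = frame.split(SEP)
    cmd = parts[0].decode("ascii", errors="replace")
    # latin-1 maps the high bytes the Windows client inserts (cf, d8, c8)
    # one-to-one, so they can be inspected instead of raising.
    fields = [p.decode("latin-1") for p in parts[1:]]
    nonascii = [i for i, b in enumerate(frame) if b < 0x20 or b > 0x7E]
    return Message(cmd, fields, nonascii)


def describe_search(msg: Message) -> List[Tuple[str, str]]:
    """Pair each SRCH field with the author's label for that position."""
    if msg.cmd != "SRCH":
        raise ValueError("not a SRCH message")
    return [(SRCH_LABELS.get(i, "not explained in the writeup"), v)
            for i, v in enumerate(msg.fields)]


# Constructed sample stream made of the frames captured on this page. The
# CHAT frame is the Windows client's exact bytes from the hex dump above.
SAMPLE_STREAM = (
    b"LOGN***Interrupt***Interrupt|||"
    + b"SCNT|||"
    + b"SCNT***1207|||"
    + bytes.fromhex("434841542a2a2acf496e74657272757074d83a20c848697c7c7c")
    + b"SRCH***blah*********0***0***112***22050***0***MP3***Mono***SaladTosser|||"
    + b"NXTS|||"
    + b"USRO"  # bare reply with no terminator, stays in the remainder
)

if __name__ == "__main__":
    frames, rest = split_frames(SAMPLE_STREAM)
    for f in frames:
        m = parse_frame(f)
        print(m.cmd, m.fields, "high bytes at" if m.nonascii else "", m.nonascii or "")
        if m.cmd == "SRCH":
            for label, value in describe_search(m):
                print("   ", f"{label:36s} {value!r}")
    print("unterminated remainder:", rest)
```

Splitting the SRCH frame on the separator gives eleven fields, not the eight the prose names: two empty fields follow blah and a further 0 sits between 22050 and MP3, which the writeup does not account for, so the labels mark those positions as unexplained rather than guessing.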
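The Data Transfer section above shows the port-8969 listener taking the file name out of STARTfileyouwant*Nick*0* and opening it relative to the MP3 folder with nothing stopping ../ from walking out of that folder. The Python below is an added example, not code from this writeup or the client: it parses START requests, canonicalises the requested name against a share root and refuses anything that does not stay inside it, then classifies a constructed batch of requests (including the exact request quoted above) the way a fixed client, or a monitor watching that port, would. The share root /srv/mp3s and the sample requests are constructed for the example.

```python
"""Safe handling of the port-8969 file-transfer request described above.

Added example, not code from the writeup or the client. The request shape
START<file>*<nick>*0* (single '*' separators, no space after START) is taken
from the page; the share root and sample requests are constructed here.
"""
import os
from typing import List, Optional, Tuple

SHARE_ROOT = "/srv/mp3s"  # constructed stand-in for the client's \Mp3s\ folder

# Constructed log of requests as a client listening on 8969 might record them.
# The second entry is the exact request quoted in the writeup.
SAMPLE_REQUESTS = [
    "STARTcool_song.mp3*Interrupt*0*",
    "START../autoexec.bat*Godno*0*",
    "START..\\autoexec.bat*Godno*0*",
    "STARTalbum/track01.mp3*Interrupt*0*",
    "STARTC:\\autoexec.bat*Godno*0*",
    "GET /index.html",
]


def parse_start(request: str) -> Tuple[str, str, str]:
    """Split 'START<file>*<nick>*<n>*' into (file, nick, n); raise on anything else."""
    if not request.startswith("START"):
        raise ValueError("not a START request")
    parts = request[len("START"):].split("*")
    # The trailing '*' yields an empty last element; anything else is malformed.
    if len(parts) != 4 or parts[3] != "" or not parts[0]:
        raise ValueError("malformed START request")
    return parts[0], parts[1], parts[2]


def resolve_in_share(share_root: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` only if it stays inside share_root.

    The client on this page appends the request to its MP3 folder with no
    check, so '../autoexec.bat' walks out of the share. Here both sides are
    canonicalised with realpath() (collapsing '..' and symlinks) and the
    result must still have the share root as its common prefix.
    """
    root = os.path.realpath(share_root)
    rel = requested.replace("\\", "/")          # the client is a Windows program
    if rel.startswith("/") or ":" in rel:       # absolute or drive-letter paths
        return None
    candidate = os.path.realpath(os.path.join(root, rel))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def audit_requests(requests: List[str],
                   share_root: str = SHARE_ROOT) -> List[Tuple[str, str, str]]:
    """Classify each request as 'serve', 'reject' or 'malformed' with a reason."""
    results = []
    for req in requests:
        try:
            filename, nick, _ = parse_start(req)
        except ValueError as err:
            results.append((req, "malformed", str(err)))
            continue
        path = resolve_in_share(share_root, filename)
        if path is None:
            results.append((req, "reject", f"{nick!r} asked for {filename!r}, outside share"))
        else:
            results.append((req, "serve", path))
    return results


if __name__ == "__main__":
    for req, verdict, detail in audit_requests(SAMPLE_REQUESTS):
        print(f"{verdict:9s} {req!r:42s} {detail}")
```

The containment test is done on the canonical path rather than by looking for the literal string "../", so backslash variants and drive-letter paths fail the same check; the reject entries are also exactly what a listener should log, since a request that names a file outside the share is the observable sign of the traversal described above.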