Exeem only begins a connection to the Exeem network when it begins an operation. On Exeem’s initial connection to the Exeem network, it bootstraps. It does this by doing a DNS lookup on four FQDNs, all of which as of January 22, 2005 point to the same IP address. Exeem then connects to this IP address on port 1026, sends an Exeem packet with function “6”. The server responds with a list of 20 or so Exeem Superpeers to connnect to. Subsequently, when one does a search or new files research, the Exeem client connects to these 20 hosts and does a search, or a request for new files.
The Exeem packet
The Exeem packet is of the following format – “0-A-(B)-C”, with 0 being a 0, A being the one byte function code (which was 6 in the case of the above bootstrapping), B being a payload carried in some Exeem packets (such as search) and C being 8 bytes which are different every connection (possibly a random Blowfish key). Thus, a minimum Exeem packet size from the client to the SuperPeer is 10 bytes (not including TCP/IP headers). Exeem packets containing searches are larger.
The bootstrap thus is “0-6-C” with C being 8 bytes. The 8 bytes sent at the end of every Exeem packet is suspected to be a randomly generated Blowfish key. The bootstrap server then responds with a list of some 20-odd Exeem SuperPeers to connect to.
A new file refresh on exeem is “0-8-C” with C being 8 bytes. About 20 Superpeers are connected to and asked what the latest publish files (torrents) are. They respond to the peer.
A search is “0-22-B-C” (that is in decimal notation, in hex the 22 is a “16”). The C is the seemingly randomly generated 8 bytes which are suspected of being a Blowfish key. The B contains the search. The size of the search packet depends on factors such as the length of the search string. The first 8 bytes of the B array is thought to be the settings of the search – which language is chosen, what categories to search in, file length, whether all words in search query are needed, rating parameters and so forth. The end of B is thought to be the actual search string. The actual search string sent is of a size always a multiple of 8 – 8, 16, 24 and so forth. Padding is probably added in searches of less than these lengths. The B array if unchanged remains consistent through multiple searches, thus, it is probably not a hash or encryption connected to the 8 “random” bytes at the end of each Exeem packet.
It is known that Exeem uses the Crypto++ (http://sourceforge.net/projects/cryptopp) library, and possibly the Blowfish algorithm contained within it. What the 8 random bytes of every packet sent, whether they are random or not, whether they are Blowfish keys or not is yet unknown. One possibility is Exeem sends servers a random 8-byte Blowfish key every session, and the response from the SuperPeers are encoded with that key. Note, each SuperPeer is connected to with a different 8 random bytes.
TakeDown.NET -> “Exeem/Protocol”