I took a small look in to that padding bytes theory almost a year ago. From my findings I determined they were using the ISAAC PRNG which was seeded from mouse co-ordinates gathered when the client started up and whenever the mouse was moved before logging in (and it was also likely seeded by other information such as current time as well). The generator was used to generate the XTEA key and each padding byte within packets, I didn't see any evidence of data hiding within the padding bytes. Like I said though it was only a small look and that was a year ago.
I have also just taken a look at the Flash client's generator and they are actually using "their own" PRNG. The PRNG they are using is the RC4 keystream generator with a 256-byte key, they are however generating the key from Flash's random class and the current time. Their actual implementation comes from the open source as3crypto library for which you can find the source code up on Google Code (files of interest are Random.as and ARC4.as), and CIP are also in breach of not including the as3crypto library anywhere.