WoW Auto Launcher

[agnivohneb]

After some time of wanting to automatically launch XFire and wow together with one click I found the program AutoHotkey that made all that come true.
My first hotkey program worked but very buggy and I had to re-edit the source to change anything, also when I gave it to a friend he had no idea on how to configure it for his system. This program on the other hand has a friendly user interface to change any settings and saves the settings in a .ini file in the users appdata folder so multiple users on the same computer can enjoy it without any conflict.


First Run
You will be prompted for the required information.
Steps:
1. "This is your first time running this program" window
2. Would you like to launch XFire or not. (if no skip to 4)
3. What is the XFire directory (usualy the default folder is all you need)
4. What is the wow directory (usualy the default folder is all you need)
5. Privacy warning (yes/no), if no stop now.
6. WoW username
7. WoW password
8. Finished and steps you need to do.

Not first run
Actually Runs the program
Steps:
1. start XFire (only if set)
2. minimize XFire
3. start wow launcher then click play
4. wait for {login delay}
5. enter user account info then login

NOTE: Holding SHIFT when opening the program will take you back to first run but keeps the old data in tact until you edit it. good for changing single fields like password or login delay.

That's it. Hope you enjoy it. I included the source so you can make it more to your needs.

EDIT: I just wish to note that the icon is vista compatible.

[apomb]

I dont like the sounds of this at all ... who uploads exes(other than turing created files) im surprised at this

[riveryu]

WoW + .exe lauched at log in = stolen acc?

[Zeroth]

Oh, if only there was a community of tech-savvy users, people with VMs and the skills... if only... Occam's Razor. If he were someone trolling for accounts, would he really make 129 posts to lull us into a sense of safety, and target a community of intelligent, naturally suspicious users? Or, that he's just trying to help us? Its easier to believe the second one.

*turns down the sarcasm-meter*

[Dan]

The program seems to be clean, i went threw the code, took a look at the exe in a hex editor and ran it well watching all the network connections or packets the program sent (witch is none).

As far as i can tell it does exctaly what agnivohneb says it does.

Personaly i would not recomend using such a program as it stores your username and password in plain text so any one using your computer or any one with access to it could steal that information however agnivohneb's program warns you of just this when you run it. This plain text file is stored in your application data folder.

[agnivohneb]

I never do anything like that when I program. Its all clean. No transmition of accounts over the internet just stored on your computer for later reference. And if you still don't trust the .exe then compile it yourself. AutoHotkey is a free program that you can get.

Dan - I am working on encrypting the password before it saves to the file but AutoHotkey doesn't have any type of encrypting built in so it may take me some time.
Hey if anyone has made a function that will encrypt stuff please let me know.

[agnivohneb]

UDATED

I did change it so it now encrypts the password before sending to the file so it is not in plain sight.

I would like to thank Laszlo and Titan at the AHK Forums (http://www.autohotkey.com/forum/topic7678.html) for the function to encrypt the password.

[Dan]

Intresting aprorache however from what i can see that ecnryption method is fundemtaly falwed.

A smart hacker could easly decrypt the password as you seem to use the username as the key to encrypt the password. The username is in plain text witch is the key to the encrypted password in the same file and the alrogthim for the encerption is public knowangle.

Also the encryption chiper seemes to be close to a vigenere cipher witch is a type of polyalphabetic substitution chiper from the 1500s. It can be attacked with frequency analysis as well as serveral other methods.

In short, you simpley can't encript the users password securely with out requiring a key to be goten from the user or some kind of token or key that is not stroned on the computer noramly. This is enstaly the problem with auto login programs, you can't have both seucrity and the convicen of not having to provied a key in some way.

[agnivohneb]

Is there anything at all that I can do to not require the user to enter the key every time the program runs?

*AgnivohNeb thinks for a while then has an idea.*

How about adding a new first and last character to the password string, both characters would original be a static character like "A". When encrypting, the program would just add the 2 to the string. When decrypting, the program would find out what is the offset from the original character (A) and the new character.

[Zeroth]

If you have access to Linux, take a look at how Linux distros handle this problem with secure keyrings.

[Dan]

agnivohneb @ 28th August 2008, 12:26 pm wrote:

Is there anything at all that I can do to not require the user to enter the key every time the program runs?

Easly, no. Since the langue you are using has no encription libs or apis you would have to implment it all your self and even then you still need a token, key, password or somthing.

There is one thing you could do, witch would be to store the encryption key on a usb stick and only have the usb stick in when you are using WoW. However this is some what reduent as blizard allready has a more secure token soultion: http://www.blizzard.com/store/details.xml?id=1100000182 (tho this might need a password in addtion to it for 2 factor security).

@Zeroth, keyrings would work but my understanding of it is that you still need to provied a master password or key witch goses agsinted the hole point of his program. Please correct me if i am mistaken.

P.S. that method you (agnivohneb) sugested of adding chars will not work as the hacker will know what the chars are and the encryption algoritm is still insecure. What you sugested is basicly salting and only help with hashs like md5 or sha1 to protect aginsted look up tables like a rainbow table.

P.P.S I should also note that becues of the way your program works (simulating typing in the password) the password becomes plain text at serveral points in the ram. If a hacker got a malcuies program in to your computer they could watch your program put the text in the password field or read the password from the ram. It's posible a keylogger might also still work on it as the program is simulating key strokes. However thess are also security issues that are persent using your auto launcher or not witch is why blizzad sells there authenticator i linked to above.