Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Wife.exe Crash Troubleshooting

Posted by William Diaz on May 18, 2012


Not all issues I troubleshoot are at work. Sometimes I might be sitting at home and then this somewhat buggy application starts up. It’s a random occurrence and trying to resolve its problems can be very taxing. The main reason for this is I don’t have the source code and trying to reverse-engineer it is nearly impossible because its data structures are not logical. But maybe we can look at its crash dump and find out what’s happening.

Looking at the dump:

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: wife

IMAGE_NAME:  wife.dll

Followup: MachineOwner

0:005> kb 100
ChildEBP RetAddr  Args to Child             
02298970 7e419418 7e42770a 000c0258 00000001 ntdll!KiFastSystemCallRet
022989a8 7e4249c4 002d04ba 000c0258 00000001 user32!NtUserWaitMessage+0xc
022989d0 7e43a956 02298dec 0375ff50 000c0258 user32!InternalDialogBoxBeginTalkingToSelf+0xd0
02298c90 7e43a2bc 02298dec 00000000 ffffffff user32!SoftModalMessageBox+0x938
02298de0 7e4663fd 02298dec 00000028 000c0258 user32!MessageBoxWorker+0x2ba
02298e38 7e4664a2 000c0258 046f5e28 03822620 user32!MessageBoxTimeoutW+0x7a
02298e6c 7e450877 000c0258 02298f30 6d6546f0 user32!MessageBoxTimeoutA+0x9c
02298e8c 3e351f02 000c0258 02298f30 6d6546f0 user32!MessageBoxExA+0x1b
02298eac 7e45082f 000c0258 02298f30 6d6546f0 ieframe!Detour_MessageBoxExA+0x2c
02298ec8 6d64f5dc 000c0258 02298f30 6d6546f0 user32!MessageBoxA+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
02298efc 6d64dd5f 02298f30 6d6546f0 00012010 Emotions!RetreiveAnger+0x6a63
022990c4 7c912d58 7c80b54e 00000001 0c301d1f wife!PMSMode+0x51e6
02299160 7c864031 022993f8 00000000 00000000 ntdll!LdrUnlockLoaderLock+0xb1
022993d0 7c83ab38 022993f8 7c839b21 02299400 kernel32!UnhandledExceptionFilter+0x1c7
022993d8 7c839b21 02299400 00000000 02299400 kernel32!BaseThreadStartTrouble+0x4d
02299400 7c9032a8 022994ec 0229ffdc 0229950c kernel32!_except_handler3+0x61
02299424 7c90327a 022994ec 0229ffdc 0229950c ntdll!ExecuteHusband+0x26
022994d4 7c90e46a 00000000 0229950c 022994ec ntdll!ExecuteHusband+0x24
022994d4 7c812aeb 00000000 0229950c 022994ec ntdll!KiUserExceptionDispatcher+0xe
0229982c 7c359aed e06d7363 00000001 00000003 kernel32!RaiseException+0x53
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for wife.dll –
0229986c 6d4a4180 0229987c 6d4b24f4 6d4af580 msvcr666!_CxxThrowAFit+0x34
02299884 6d4a4b03 028ea910 10962dc8 028ea910 wife!DivideByZero+0x4180
022998ac 6d4a34b7 022998dc 6d4af814 6d4af810 wife!ComesHome+0x4b03
022998f4 6d4a6a68 10962dc8 00000000 3dc02d41 wife!ComesHome+0x34b7

The wife module begins its routine by coming home, it seems. Immediately, we can see a problem as it divides by zero and an exception is likely to ensue. This leads to it throwing a fit in what is obviously a somewhat malicious component (perhaps trying to masquerade as msvcr71.dll). Predictably, exceptions follow and it wants to kill me via another party, sadly ntdll.dll. Further up the stack is an important clue when wife.dll calls function PMSMode. This leads it to call Emotions.dll and a nasty function that speaks for itself. After purposefully ignoring this failing application, it sends a message to itself, me, and everything around by prancing around and talking to itself.

Let’s see if we can make sense of wife.exe’s state of mind by dumping a parameter:

022998ac 6d4a34b7 022998dc 6d4af814 6d4af810 wife!ComesHome+0x4b03

0:005> db 6d4af810
6d4af810  28 29 56 00 63 6f 6e 74-61 69 6e 65 72 52 65 61  ()V.containerRea
6d4af820  64 79 00 00 53 00 43 00-52 00 49 00 50 00 54 00  dy..S.C.R.I.P.T.
6d4af830  41 00 42 00 4c 00 45 00-00 00 00 00 74 00 72 00  A.B.L.E…..t.r.
6d4af840  75 00 65 00 00 00 00 00-20 63 61 6e 20 6e 6f 74  u.e…..can not
6d4af850  66 69 6e 64 20 6b 65 79 73 2e 2e 75 6e 73 65 6c find keys..unsel
6d4af860  00 00 00 00 28 29 4c 6a-61 76 61 2f 6c 61 6e 67  lectable.()Ljava
6d4af870  2f 4f 62 6a 65 63 74 3b-00 00 00 00 67 65 74 44  /Object;….getD
6d4af880  69 73 70 61 74 63 68 4f-62 6a 65 63 74 00 00 00  ispatchObject…
0:005> db
6d4af890  44 61 6d 6e 20 62 61 73 6b 65 74 62 61 6c 6c 00 Damn basketball
6d4af8a0  20 67 61 6d 65 73 2e 2e 73 75 6e 2f 70 6c 75 67   games..sun/plug
6d4af8b0  69 65 77 65 72 2f 49 45-78 70 6c 6f 72 65 72 50  iewer/IExplorerP
6d4af8c0  6c 75 67 69 6e 43 6f 6e-74 65 78 74 00 00 00 00  luginContext….
6d4af8d0  28 5a 5b 4c 6a 61 76 61-2f 6c 61 6e 67 2f 53 74  (Z[Ljava/lang/St
6d4af8e0  72 69 6e 67 3b 5b 4c 6a-61 76 61 2f 6c 61 6e 67  ring;[Ljava/lang
6d4af8f0  2f 53 74 72 69 6e 67 3b-49 29 4c 73 75 6e 2f 70  /String;I)Lsun/p
6d4af900  6c 75 67 69 6e 2f 76 69-65 77 65 72 2f 49 45 78  lugin/viewer/IEx
0:005>
6d4af910  70 6c 6f 72 65 72 50 6c-75 67 69 6e 4f 62 6a 65  plorerPluginObje
6d4af920  63 74 3b 00 63 72 65 61-74 65 50 6c 75 67 69 6e  ct;.createPlugin
6d4af930  4f 62 6a 65 63 74 00 00-73 75 6e 2f 70 6c 75 67  Object..sun/plug
6d4af940  69 6e 2f 41 70 70 6c 65-74 56 69 65 77 65 72 00  in/AppletViewer.
6d4af950  28 49 4a 29 56 00 00 00-69 6e 69 74 45 6e 76 69  (IJ)V…initEnvi
6d4af960  72 6f 6e 6d 65 6e 74 00-73 75 6e 2f 70 6c 75 67  ronment.sun/plug
6d4af970  69 74 20 64 72 69 6e 6b 73 20 61 20 62 65 65 72 it drinks a beer
6d4af980  28 5a 29 56 00 00 00 00-73 68 6f 77 4a 61 76 61  (Z)V….showJava

Spooky, it seems to not function properly with another component, perhaps husband.dll. I don’t see why, though, as this is a stable component. Also, coffee might be involved? Let’s see what it’s trying to say before it crashes out:

022989d0 7e43a956 02298dec 0375ff50 000c0258 user32!InternalDialogBoxBeginTalkingToSelf+0xd0

0:005> db 02298dec

0:005>
02298eec  00 00 00 00 00 00 00 00-01 00 00 00 0c 00 00 00  …………….
02298efc  9c 90 29 02 5f dd 64 6d-30 8f 29 02 f0 46 65 6d  ..)._.dm0.)..Fem
02298f0c  10 20 01 00 30 8f 29 02-d8 45 65 6d 30 8f 29 02  . ..0.)..Eem0.).
02298f1c  18 47 65 6d 30 8f 29 02-1c 90 29 02 30 8f 29 02  .Gem0.)…).0.).
02298f2c  1c 47 65 6d 52 75 6e 74-69 6d 65 20 45 72 72 6f  .GemRuntime Erro
02298f3c  72 21 0a 0a 50 72 6f 67-72 61 6d 3a 20 43 3a 5c  r!..Program: C:\
02298f4c  50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 57 69  Program Files\Wi
02298f5c  66 65 20 31 2e 30 5c 57 69 66 65 2e 65 78 65 00  fe 1.0\Wife.exe..
0:005>
02298f6c  00 00 00 00 00 00 00 00-01 00 00 00 0c 00 00 00  ……………
02298f7c  54 68 69 73 20 61 70 70-6c 69 63 61 74 69 6f 6e  This application
02298f8c  20 68 61 73 20 72 65 71-75 65 73 74 65 64 20 74   has requested t
02298f9c  68 65 20 52 75 6e 74 69-6d 65 20 74 6f 20 74 65  he Runtime to te
02298fac  72 6d 69 6e 61 74 65 20 62 65 63 61 75 73 65 20 rminate because
02298fbc  64 69 6e 6e 65 72 20 62 6f 72 69 6e 67 20 61 6e   dinner boring an
02298fcc  64 20 70 61 6e 74 73 20 6e 6f 20 66 69 74 21 20 d pants no fit!
02298fdc  61 6e 64 20 24 24 20 67 72 65 65 6e 20 77 6f 77 and $$ green wow

Obviously it wants to eat. Then there is an issue with clothing. Ultimately, money is involved but it seems to be perplexed on how to manage it? I am not sure this issue can be resolved without an update to wife.dll. For the time being a workaround will need to be devised.


2 Responses to “Wife.exe Crash Troubleshooting”

  1. dfb said

    You must access through the backdoor.
