c++: CeApiSpy

Started by Hoernchen, 29. Sep 2008, 19:29


Hoernchen

29. Sep 2008, 19:29 Last Edit: 30. Sep 2008, 11:47 by Hoernchen
I've managed to port CeApiSpy from http://www.forwardlab.com/freestuff.htm (which is the updated version of http://www.ddj.com/architect/184405459?pgno=1) to MIPS.
So what does it do?
It loads a DLL which infects every process and replaces a few API calls; the most important one is LoadLibraryExW. Every app that wants to load tv2engine.dll gets a handle to dummydll3.dll instead, which is a wrapper DLL generated by wrappergen. The included dummydll3.dll is slightly modified to log a few function calls; it sends the logged data via TCP to 192.168.2.4 port 31337. I've attached a sample console client (which does not display the received data), too.
There are still a few problems: TV2SecureCore_Encrypt/DecryptMessage create a massive amount of data because the maximum block size is 4096, so they get called hundreds of times, which in turn seems to cause problems with the TCP logging. Unhooking the functions or unloading the DLLs is impossible, so don't bother, just restart your box.

Just look at http://www.t-hack.com/wiki/index.php/TV2ClientCE.exe for the function signatures and compare them to your tv2clientce (there are slight differences, e.g. the debug tv2clientce calls tv2engine_create with engineparams e), and then replace the data types with the help of the P/Invoke cheat sheet from here: http://msdn.microsoft.com/en-us/library/ac7ay120.aspx

Requirements: VS05, Win CE 5 Standard SDK
bringer of linux, conqueror of hdmi, jack of all trades.
