Globeriz Project

Sunday, May 10, 2015

Unturned v2.2.5 ESP/Box C# Source

Here is a source code of some simple (fast!) boxes and ESP

Do not ask me how to use this, if you are after sources you should be able to figure it out yourself!

This ESP/Box Class is written by me but you're free to steal it since it's not entirely functional at some occasions

The Drawing class is not written by me, credits goes to whoever created it

Tags:
Unturned hack free download working cheat link exploit 2.2.5 2.2.4 2.2.3 2.2.2 unturned-hacks hacks cheats multiplayer v2.2.5 v2.2.4 v2.2.3 v2.2.2 hack download link trainer download link unturned hacks unturned hack version2 steam VAC ESP ESPBoxes globeriz VAC3 VAC2 Unturned cheats pvp PvE zombie wireframe wirebox boxframe wire collider renderer Renderer Unturned ESP Sourcecode source src Dll CSharp-Assembly dll CSharp UnityEngine Collider Game Hacks Game Cheats Trainers downloads unity code game indie

Thursday, January 22, 2015

HD Video Converter Factory Pro Analysis (Incomplete)

[Serial Routine]

Get Serial Length (result as EAX)
00945998   . E8 6384B5FF    CALL VideoCon.0049DE00

Comparing Serial Ptr with 0 (NULL)
0094599D   . 837D 98 00     CMP DWORD PTR SS:[EBP-0x68],0x0

If zero, output "Please input Registration Code!"
009459A1   . 75 61          JNZ SHORT VideoCon.00945A04
009459A3   . 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-0x8]
009459A6   . BA C05E9400    MOV EDX,VideoCon.00945EC0                ; UNICODE "Please input Registration Code!"

Checking serial length (EAX = UNICODE serial)
00945A43   . 8945 BC        MOV DWORD PTR SS:[EBP-0x44],EAX
00945A46   . 837D BC 00     CMP DWORD PTR SS:[EBP-0x44],0x0 ;compare first wchar_t of serial with null char
00945A4A   . 74 0B          JE SHORT VideoCon.00945A57
00945A4C   . 8B45 BC        MOV EAX,DWORD PTR SS:[EBP-0x44]
00945A4F   . 83E8 04        SUB EAX,0x4
00945A52   . 8B00           MOV EAX,DWORD PTR DS:[EAX]
00945A54   . 8945 BC        MOV DWORD PTR SS:[EBP-0x44],EAX
00945A57   > 837D BC 08     CMP DWORD PTR SS:[EBP-0x44],0x8 ;compare serial length with 8
00945A5B   . 7D 0D          JGE SHORT VideoCon.00945A6A
00945A5D   . 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-0x14]
00945A60   . BA C45F9400    MOV EDX,VideoCon.00945FC4                ; UNICODE "00000000"
00945A65   . E8 5E31ACFF    CALL VideoCon.00408BC8

Checking serial format
00945A6A   > 8B55 EC        MOV EDX,DWORD PTR SS:[EBP-0x14] ;EDX = UNICODE serial
00945A6D   . B8 E45F9400    MOV EAX,VideoCon.00945FE4                ; UNICODE "VC-"
00945A72   . E8 F942ACFF    CALL VideoCon.00409D70 ;int UnicodeStringSearch (returns pos of substring found in src string)
00945A77   . 48             DEC EAX
00945A78   . 75 26          JNZ SHORT VideoCon.00945AA0 ;FAIL! (thus, pos of "VC-" must be 1, i.e. start of serial)
00945A7A   . 8B55 EC        MOV EDX,DWORD PTR SS:[EBP-0x14]
00945A7D   . B8 F85F9400    MOV EAX,VideoCon.00945FF8                ; UNICODE "-HDP"
00945A82   . E8 E942ACFF    CALL VideoCon.00409D70
00945A87   . 83F8 03        CMP EAX,0x3
00945A8A   . 75 14          JNZ SHORT VideoCon.00945AA0 ;FAIL! (thus, pos of "-HDP" must be 3, i.e. serial starts with "VC-HDP")
00945A8C   . 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-0x14]
00945A8F   . 66:8378 0C 42 CMP WORD PTR DS:[EAX+0xC],0x42 ;cmp first wchar_t right after "VC-HDP" with "B"
00945A94   . 74 70          JE SHORT VideoCon.00945B06
00945A99   . 66:8378 0C 41 CMP WORD PTR DS:[EAX+0xC],0x41 ;cmp first wchar_t right after "VC-HDP" with "B"
00945A9E   . 74 66          JE SHORT VideoCon.00945B06
00945AA0   > 8B15 3CC3A500 MOV EDX,DWORD PTR DS:[0xA5C33C]          ; VideoCon.00B1118C ; FAIL jmp
00945AA6   . 8B12           MOV EDX,DWORD PTR DS:[EDX]

Comments: valid serial start with "VC-HDPA" or "VC-HDPB"
A: perpetual license | B: timed license

After verifying serial format
00945B06   > 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-0x14]
00945B09   . 66:8378 0C 42 CMP WORD PTR DS:[EAX+0xC],0x42 ;case "A" or "B" distinction
00945B0E   . 0F85 BF010000 JNZ VideoCon.00945CD3 ;jump if case "A"
case "B": //We use a test serial: VC-HDPB1234567890ABCDE
DateTime Conversion
00945B14   . 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-0x18]
00945B17   . 50             PUSH EAX                                 ; /Arg1
00945B18   . B9 0A000000    MOV ECX,0xA                              ; |
00945B1D   . BA 09000000    MOV EDX,0x9                              ; |
00945B22   . 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-0x14]          ; |
00945B25   . E8 9A40ACFF    CALL VideoCon.00409BC4                   ; \VideoCon.00409BC4 ;Get substring pos=9 len=10
00945B2A   . 8D45 8C        LEA EAX,DWORD PTR SS:[EBP-0x74]
00945B2D   . 50             PUSH EAX                                 ; /Arg1
00945B2E   . B9 05000000    MOV ECX,0x5                              ; |
00945B33   . BA 06000000    MOV EDX,0x6                              ; |
00945B38   . 8B45 E8        MOV EAX,DWORD PTR SS:[EBP-0x18]          ; |
00945B3B   . E8 8440ACFF    CALL VideoCon.00409BC4                   ; \VideoCon.00409BC4 ;Get substring pos=6 len=5

Short Summary: Extract 7890A

00945B40   . 8B45 8C        MOV EAX,DWORD PTR SS:[EBP-0x74]
00945B43   . 8D55 E8        LEA EDX,DWORD PTR SS:[EBP-0x18]
00945B46   . B9 01000000    MOV ECX,0x1
00945B4B   . E8 2041ACFF    CALL VideoCon.00409C70
00945B50   . 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-0x18]
00945B53   . B9 05000000    MOV ECX,0x5
00945B58   . BA 0B000000    MOV EDX,0xB
00945B5D   . E8 AA40ACFF    CALL VideoCon.00409C0C
00945B62   . 8D45 88        LEA EAX,DWORD PTR SS:[EBP-0x78] ;param1 = [1F85E4] = 0x0
00945B65   . 8B4D E8        MOV ECX,DWORD PTR SS:[EBP-0x18] ;param3 = "7890A23456"
00945B68   . BA 60609400    MOV EDX,VideoCon.00946060 ;param2 = 0x24
00945B6D   . E8 E23EACFF    CALL VideoCon.00409A54
00945B72   . 8B45 88        MOV EAX,DWORD PTR SS:[EBP-0x78]
00945B75   . 33D2           XOR EDX,EDX
00945B77   . E8 4CD7ADFF    CALL VideoCon.004232C8
00945B7C   . 99             CDQ

00945B7D   . 8945 C0        MOV DWORD PTR SS:[EBP-0x40],EAX
00945B80   . 8955 C4        MOV DWORD PTR SS:[EBP-0x3C],EDX ;sign of EAX
00945B83   . FF75 C4        PUSH DWORD PTR SS:[EBP-0x3C]             ; /Arg2
00945B86   . FF75 C0        PUSH DWORD PTR SS:[EBP-0x40]             ; |Arg1
00945B89   . 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-0x18]          ; |
00945B8C   . E8 27D5ADFF    CALL VideoCon.004230B8                   ; \VideoCon.004230B8

00945C66   . DD5D D8        FSTP QWORD PTR SS:[EBP-0x28]
00945C69   . 9B             WAIT
00945C6A   . DD45 D8        FLD QWORD PTR SS:[EBP-0x28]
00945C6D   . DC5D D0        FCOMP QWORD PTR SS:[EBP-0x30]
00945C70   . 9B             WAIT
00945C71   . DFE0           FSTSW AX
00945C73   . 9E             SAHF
00945C74   . 72 0F          JB SHORT VideoCon.00945C85 ;jump if below (invalid)
00945C76   . DF6D C0        FILD QWORD PTR SS:[EBP-0x40]
00945C79   . DC45 D0        FADD QWORD PTR SS:[EBP-0x30]
00945C7C   . DC5D D8        FCOMP QWORD PTR SS:[EBP-0x28]
00945C7F   . 9B             WAIT
00945C80   . DFE0           FSTSW AX
00945C82   . 9E             SAHF
00945C83   . 73 4E          JNB SHORT VideoCon.00945CD3 ;jump if above (valid)
00945C85   > A1 D0CAA500    MOV EAX,DWORD PTR DS:[0xA5CAD0] ;FAIL!
...
00945CA6   . BA 70609400    MOV EDX,VideoCon.00946070                ; UNICODE "The license code has been expired! ...

Common Serial Checking Routine
//We use a test serial: VC-HDPA1234567890ABCDE
00945CD3   > 8B15 3CC3A500 MOV EDX,DWORD PTR DS:[0xA5C33C]          ; VideoCon.00B1118C
00945CD9   . 8B12           MOV EDX,DWORD PTR DS:[EDX] ;U"C:\Users\Globeriz\Documents\WonderFox Soft\HD Video Converter Factory Pro\" (install directory)
00945CDB   . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-0x88] ;18F5D4 [18F5D4] = 0x0
00945CE1   . B9 10609400    MOV ECX,VideoCon.00946010                ; UNICODE "Se001.ini"
00945CE6   . E8 693DACFF    CALL VideoCon.00409A54
00945CEB   . 8B8D 78FFFFFF MOV ECX,DWORD PTR SS:[EBP-0x88]
00945CF1   . B2 01          MOV DL,0x1
00945CF3   . A1 CC6E4600    MOV EAX,DWORD PTR DS:[0x466ECC]
00945CF8   . E8 8B15B2FF    CALL VideoCon.00467288
00945CFD   . 8945 CC        MOV DWORD PTR SS:[EBP-0x34],EAX
00945D00   . 33C0           XOR EAX,EAX
00945D02   . 55             PUSH EBP
00945D03   . 68 515D9400    PUSH VideoCon.00945D51
00945D08   . 64:FF30        PUSH DWORD PTR FS:[EAX]
00945D0B   . 64:8920        MOV DWORD PTR FS:[EAX],ESP
00945D0E   . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-0x8C]
00945D14   . 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-0x4]
00945D17   . 8B80 A0030000 MOV EAX,DWORD PTR DS:[EAX+0x3A0]
00945D1D   . E8 DE80B5FF    CALL VideoCon.0049DE00
00945D22   . 8B85 74FFFFFF MOV EAX,DWORD PTR SS:[EBP-0x8C]
00945D28   . 50             PUSH EAX ;param1 = UNICODE serial
00945D29   . B9 30609400    MOV ECX,VideoCon.00946030                ; UNICODE "KeyCode"
00945D2E   . BA 4C609400    MOV EDX,VideoCon.0094604C                ; UNICODE "Reg"
00945D33   . 8B45 CC        MOV EAX,DWORD PTR SS:[EBP-0x34]
00945D36   . 8B18           MOV EBX,DWORD PTR DS:[EAX]
00945D38   . FF53 08        CALL DWORD PTR DS:[EBX+0x8] ;00468FD4 WritePrivateProfileStringW
/*
0018F580   0094604C |Section = "Reg"
0018F584   00946030 |Key = "KeyCode"
0018F588   05C2256C |String = "VC-HDPA1234567890ABCDE"
0018F58C   05BE14FC \FileName = "C:\Users\Globeriz\Documents\WonderFox Soft\HD Video Converter Factory Pro\Se001.ini"

00469005 |. E8 BE81FAFF    CALL <JMP.&KERNEL32.WritePrivateProfileS>; \WritePrivateProfileStringW
*/
00945D3B   . 33C0           XOR EAX,EAX
00945D3D   . 5A             POP EDX
00945D3E   . 59             POP ECX
00945D3F   . 59             POP ECX
00945D40   . 64:8910        MOV DWORD PTR FS:[EAX],EDX
00945D43   . 68 585D9400    PUSH VideoCon.00945D58
00945D48   > 8B45 CC        MOV EAX,DWORD PTR SS:[EBP-0x34] ;EAX = 0x05BF0900
00945D4B   . E8 C80DACFF    CALL VideoCon.00406B18 ;check serial?
00945D50   . C3             RETN ;jmp 00945D58

00945D58   . A1 6CC8A500    MOV EAX,DWORD PTR DS:[0xA5C86C]
00945D5D   . C600 01        MOV BYTE PTR DS:[EAX],0x1
00945D60   . 8B1D 38C4A500 MOV EBX,DWORD PTR DS:[0xA5C438]          ; VideoCon.00B10C80
00945D66   . 8B1B           MOV EBX,DWORD PTR DS:[EBX]
00945D68   . 8B15 38C4A500 MOV EDX,DWORD PTR DS:[0xA5C438]          ; VideoCon.00B10C80
00945D6E   . 8B12           MOV EDX,DWORD PTR DS:[EDX]
00945D70   . 8B83 34030000 MOV EAX,DWORD PTR DS:[EBX+0x334]
00945D76   . FF93 30030000 CALL DWORD PTR DS:[EBX+0x330]
00945D7C   . B2 01          MOV DL,0x1
00945D7E   . A1 7007AF00    MOV EAX,DWORD PTR DS:[0xAF0770]
00945D83   . 8B08           MOV ECX,DWORD PTR DS:[EAX]
00945D85   . FF91 80000000 CALL DWORD PTR DS:[ECX+0x80]
00945D8B   . A1 D0CAA500    MOV EAX,DWORD PTR DS:[0xA5CAD0]
00945D90   . 8B00           MOV EAX,DWORD PTR DS:[EAX]
00945D92   . 33D2           XOR EDX,EDX

00945D94   . E8 4B4BC1FF    CALL VideoCon.0055A8E4
00945D99   . A1 ECC5A500    MOV EAX,DWORD PTR DS:[0xA5C5EC]
00945D9E   . 8038 00        CMP BYTE PTR DS:[EAX],0x0 ; compare result with false

00945DA1   . 74 29          JE SHORT VideoCon.00945DCC ; if false then output "Invalid registration information."
00945DA3   . 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-0x8]
00945DA6   . BA 98619400    MOV EDX,VideoCon.00946198                ; UNICODE "You have successfully registered HD Video Converter Factory Pro. Enjoy it."
...
00945DCA   . EB 27          JMP SHORT VideoCon.00945DF3
00945DCC   > 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-0x8]
00945DCF   . BA 4C639400    MOV EDX,VideoCon.0094634C                ; UNICODE "Invalid registration information."

/* Patching */
.text:009F25FB                 cmp     dword ptr [ebp-0ECh], 0
.text:009F2602                 jz      short loc_9F2615
9F2615 good

Culprit!
009F1E08   . C605 D70FB100 >MOV BYTE PTR DS:[0xB10FD7],0x0

Crack Protection
(Call stack)
00502EB7
00502FD6
009DC000
55 88 EC 83 C4 F8 89 55 F8 89 45 FC A1 88
EB 45 90
009DC000     EB 45          JMP SHORT VideoCon.009DC047
...
009DC01F |. BA 54C09D00    MOV EDX,VideoCon.009DC054                ; UNICODE "ID=110,Can not find required files, please reinstall!"

00502E9A   . 81FE 13010000 CMP ESI,0x113

Tuesday, January 20, 2015

Personal Software List for Fresh Window Installs

Let's face it... it's really time-consuming and frustrating to find the essential programs to install when you have finally decided to reinstall your Windows system.

That said, I have compiled my list (mostly for my personal use) of survival programs needed right after a new install of Windows system.

Last Update: 10 Dec 2017

Internet Browser:
Mozilla Firefox (js:Greasemonkey) Cons: eats up all your RAM if you open more than 1 tab
~~Google Chrome (fast)~~ Not suggested due to alleged privacy issues.
Chromium
~~Opera (even faster)~~
Vivaldi

Archiving Software:
Bandizip (FREE, lightwight, pretty interface, codepage support, unarchives popular archive formats: ZIP, RAR, 7Z, ...)
7-Zip (Open source, .7z format has high compression rate)
(N.B. Do not use WinRAR, it's evil!)

PDF Viewer:
~~Foxit Reader (free, minimal unobstructive ads)~~
SumatraPDF

VC++ Development:
Microsoft Visual Studio Community Edition (if you can afford the disk space)

Microsoft Visual C++ Express 2010 (lightweight, but lacks MFC and rc Editor)
ResEdit (rc Editor to overcome the problem above)
eXeScope(another ancient .rc Resource Editor, not free)
WTL (Windows Template Library) (better stop using MFC altogether!!)
Windows Driver Development Kit (DDK) (contains ATL libraries needed for WTL)

Qt (GUI development, if you can afford the disk space)

DirectX SDK
Windows Development Kit (WDK)

Reverse Engineering Tools:
Finding packer/compiler/linker signatures
ProtectionID v6.x.x (better than PEiD in my opinion)
Detect It Easy v0.88 v1.0.1

Code analysis
(General:)
OllyDbg v1.10 (Don't use v2) Dynamic code analysis (don't run trojans directly!)
IDA Pro + Hex-Rays Decompiler (Static code analysis) Cons: Not freeware.
PE Explorer (Static code analysis) not free, less fancy(useless) stuffs than IDA Pro
x96dbg (32-bit and 64-bit debugger, has built-in Scylla)
C32Asm (Chinese GB language disassembler)

(VB.NET C# Exclusive:)
~~.NET Reflector+Reflexil (disassembling .NET applications directly, not free)~~
ILSpy (free, open-source) + Reflexil

(Delphi Exclusive:)
DeDe (support Borland only)
IDR (Interactive Delphi Reconstructor), good support for Embarcadero Delphi (up to XE3 at time of writing) 32-bit only!!!
Delphi Decompiler 1.7 by Bitmaker

(VB6 Exclusive:)
P32Dasm v.2.80.75 (VB PCode Decompiler)

(Java Exclusive:)
Java Decompiler / 2008-2015 Emmanuel Dupuy (free, open-source)
~~DJ Java Decompiler (not free)~~
Java Bytecode Viewer (good for Android apk as well)

(Flash/ActionScript Exclusive:)
JPEXS Free Flash Decompiler
~~Sothink Flash Decompiler (not free)~~
Yogda 1.0.564

Dumping Tools
~~CHimpREC (dumping tool)~~
Scylla 0.9.7c 0.9.8 x86/x64 Dumping Tool + Imports Reconstructor

Miscellaneous Tools
Armadillo Key Tool
ProcessMonitor (SysInternals)
Spy++
Kernel Detective

Portable Software Tools
VMWare ThinApp
Cameyo

Debugging HTTP(S) Traffic:
Fiddler2 / 4
Charles (great support for multiple protocols e.g. AMF3 but NOT FREE)

Graphic Editing Tools:
paint.NET (FREEware, simple interface) Sufficient for day-to-day casual image manipulation
SAI 1/2 (useful if you have a drawing tablet, not free though)
Adobe Photoshop CC (ugh...)

Text Editing Tools:
Notepad++ (FREEware)
Sublime Text 2/3 (not free)
jEdit (free)
Atom (slow startup...)
Brackets

HEX Editing Tools:
MiTeC Hexadecimal Editor (free)
HxD (Freeware Hex Editor and Disk Editor)
Hex Workshop(not free)
WinHex(forensic use, not free)
UltraEdit (powerful but not free)
010 Editor (powerful templates, not free)

Disc Tools:
DAEMON Tools Lite
InfraRecorder (free, open-source)

Alcohol 120

Screen Recording Tools:
CamStudio (free, open-source)

Fraps

Bandicam

Audio/Media Tools:
Audacity
foobar2000
VLC media player

Virtual Machine Tools:
VMWare Player
VirtualBox

MiscTools:
WinDirStat
Search Everything
CCleaner
RegSeeker
Process Hacker 2
Process Monitor
HashCalc

Sunday, December 7, 2014

x86 Assembly Notes - The C Calling Convention

One major part of x86 assembly is the ability to invoke subrountines.
This educational note is prepared to enhance the reader's understanding why there are prolog and epilog in a subroutine, as well as the changes in stack. Only slight understanding of x86 assembly is assumed.

Prepared by Globeriz (Globeriz Project)

It all starts with the stack.
The stacks works in a LIFO(Last-in First-out) basis. This means the last value pushed onto stack will be the first value to pop from the stack. e.g.:
push 3 ;push 0x00000003 to stack
push 2 ;push 0x00000002 to stack
push 1 ;push 0x00000001 to stack
pop eax ;pop last pushed value from stack (i.e. 1) to eax

First, familiarize yourself with push and pop instructions.
push - for pushing a value onto stack
It first decreases esp(stack pointer register) by 4 ( sizeof (DWORD) ), then the value is assigned to the dereferenced value of esp.
In opcodes, push eax is equivalent to:
sub esp, 4 ;esp = esp - 4 (i.e. esp-4 => esp)
mov [esp], eax ;*(DWORD *)esp = eax
Meanwhile in stack:

Memory Address	Relative to esp	Value	Memory Address	Relative to esp	Value
X-4	esp-4	?	X-4	esp	eax
X	esp	a	X	esp+4	a
X+4	esp+4	b	X+4	esp+8	b
BEFORE push eax			AFTER push eax

N.B. push eax does not alter the value of eax after execution.

pop - for popping (getting the last pushed value) from stack
It firsts assign memory/register with the last pushed value on stack ( i.e. [esp] ), then increases esp by 4
In opcodes, pop eax is equivalent to:
mov eax, [esp] ; eax = *(DWORD *)esp
add esp, 4 ; esp = esp + 4
Note how pop eax cancels out the effect of push eax
Meanwhile in stack:

Memory Address	Relative to esp	Value	Memory Address	Relative to esp	Value
X-8	esp-4	?	X-8	esp-8	?
X-4	esp	eax	X-4	esp-4	eax
X	esp+4	a	X	esp	a
X+4	esp+8	b	X+4	esp+4	b
BEFORE pop eax			AFTER pop eax

Now, after understanding the push and pop instructions and their relations with the stack, it is time to introduce the C calling convention in x86 assembly.

There are TWO parties involved in a call, namely the caller (main routine) and the callee (subroutine).

The C calling convention of caller is as follows:
STEP P1> Saving the registers (by pushing them onto stack) that will be altered in the subroutine, such that it is possible to restore them after returning from the subroutine. Common examples are eax ecx edx.
STEP P2> Passing the necessary parameters to the subroutine. The parameters are pushed onto stack just before the call instruction, where the pushing order of the parameters (according to C calling convention) should be reverse of the order in the subroutine function (i.e. the LAST parameter of the function should be pushed FIRST)
STEP P3> Using the call instruction to invoke the subroutine function. The call instruction first pushes the return address (eip, or offset to the instruction right after call in caller) onto stack, and then it branches to the subroutine address to execute code in callee.
In opcodes, call eax is equivalent to:
push eip
jmp eax
Then the CPU enters callee (subroutine).

After returning from the subroutine function, (the return value from subroutine can be found in eax register)
STEP E1> Remove (deallocate) the parameters from stack by increasing esp by the total size of parameters.
STEP E2> Restoring saved registers (by popping them from stack) as the registers are believed to be altered in the subroutine N.B. the popping of registers should be the REVERSE of the order they are pushed

The following assembly code demonstrates the role of caller:
...
push eax ;saving registers
push ecx ;
push edx ;
push param3 ;passing parameters
push param2 ;
push param1 ;first parameter pushed last
    call _subroutine ;invoke _subroutine(param1, param2, param3)
add esp, 0x0C ;restoring stack to the state before the call
pop edx ;restoring registers
pop ecx ;
pop eax ;first saved register pops last
...

The rules for callee is as follows:
STEP P1> Preserving ebp (base pointer) and then copy the value of esp to ebp. Inside the subroutine, ebp is a copy of initial stack pointer. It is going to be used as a reference point for parameters and local variables in subroutine. The reason behind preserving ebp is that the caller does not expect ebp to be altered in the subroutine, therefore it is necessarily to be done in order to restore its value later on.
STEP P2> Allocating space for local variables, this is done by decreasing esp by the size of local variables required. After this, parameters and local variables can be located at known constant offsets (See Appendix A) from ebp.
STEP P3> Preserve the registers that will be used by the subroutine. Common examples are ebx edi esi

After the steps above (prolog), the CPU proceeds to the main body of subroutine. After executing the main body code, the following steps are followed to return properly to the caller (main routine).

STEP E1> Copy the return value to eax.
STEP E2> Restore the registers saved in prolog by pop instructions (REVERSE of order pushed)
STEP E3> Remove (deallocate) local variables by copying ebp to esp (simply reversing STEP P2)
STEP E4> Right before ret instruction, restore the ebp of caller by popping ebp from stack.
STEP E5> Using the ret instruction to return to caller (main routine). The ret instruction pops the return address from stack and branches to the main routine address to continue executing code in caller.

These steps are known as epilog. After epilog, the CPU returns to caller.

The following assembly code demonstrates the role of callee:
_subroutine:
; prolog
push ebp ;preserving ebp
mov ebp, esp ;preparing ebp as a reference point
sub esp, 0x08 ;allocate space for local variables
      push ebx ;preserving registers
      push edi
      push esi
; end of prolog
... ; main body
;epilog
      pop esi ;restoring registers
      pop edi
      pop ebx
mov esp, ebp ;deallocate local variables
pop ebp ; restoring ebp
ret ; return to main routine
;end of epilog

Appendix A (stack inside subroutine main body, after prolog and before epilog)

Memory relative to ebp (hex)	Value
ebp-14	esi (saved)
ebp-10	edi (saved)
ebp-C	ebx (saved)
ebp-8	local_var2
ebp-4	local_var1
ebp	ebp (saved)
ebp+4	eip (return address)
ebp+8	param1
ebp+C	param2
ebp+10	param3

Appendix B (entire stack change for calling process)

...;caller
push eax ;saving registers
push ecx ;
push edx ;
push param3 ;passing parameters
push param2 ;
push param1 ;first parameter pushed last
call _subroutine ;invoke _subroutine(param1, param2, param3)

Memory Address	Relative to esp	Value	Memory Address	Relative to esp	Value
X-4	esp-4	?	X-4	esp	eax
X	esp	?	X	esp+4	?
Original state			AFTER push eax

Memory Address	Relative to esp	Value	Memory Address	Relative to esp	Value
X-C	esp-4	?	X-C	esp	edx
X-8	esp	ecx	X-8	esp+4	ecx
X-4	esp+4	eax	X-4	esp+8	eax
X	esp+8	?	X	esp+C	?
AFTER push ecx			AFTER push edx

Memory Address	Relative to esp	Value	Memory Address	Relative to esp	Value
X-18	esp-8	?	X-18	esp-4	?
X-14	esp-4	?	X-14	esp	param2
X-10	esp	param3	X-10	esp+4	param3
X-C	esp+4	edx	X-C	esp+8	edx
X-8	esp+8	ecx	X-8	esp+C	ecx
X-4	esp+C	eax	X-4	esp+10	eax
X	esp+10	?	X	esp+14	?
AFTER push parma3			AFTER push param2

Memory Address	Relative to esp	Value	Memory Address	Relative to esp	Value
X-1C	esp-4	?	X-1C	esp	eip
X-18	esp	param1	X-18	esp+4	param1
X-14	esp+4	param2	X-14	esp+8	param2
X-10	esp+8	param3	X-10	esp+C	param3
X-C	esp+C	edx	X-C	esp+10	edx
X-8	esp+10	ecx	X-8	esp+14	ecx
X-4	esp+14	eax	X-4	esp+18	eax
X	esp+18	?	X	esp+1C	?
AFTER push param1			AFTER call _subroutine

Inside subroutine:
; prolog
push ebp ;preserving ebp
mov ebp, esp ;preparing ebp as a reference point
sub esp, 0x08 ;allocate space for local variables
      push ebx ;preserving registers
      push edi
      push esi
; end of prolog
...

Memory Address	Relative to esp	Value	Memory Address	Relative to esp	Relative to ebp	Value
X-24	esp-4	?	X-24	esp-4	ebp-4	?
X-20	esp	ebp	X-20	esp	ebp	ebp
X-1C	esp+4	eip	X-1C	esp+4	ebp+4	eip
X-18	esp+8	param1	X-18	esp+8	ebp+8	param1
X-14	esp+C	param2	X-14	esp+C	ebp+C	param2
X-10	esp+10	param3	X-10	esp+10	ebp+10	param3
X-C	esp+14	edx	X-C	esp+14	ebp+14	edx
X-8	esp+18	ecx	X-8	esp+18	ebp+18	ecx
X-4	esp+1C	eax	X-4	esp+1C	ebp+1C	eax
X	esp+20	?	X	esp+20	ebp+20	?
AFTER push ebp			AFTER mov ebp, esp

Memory Address	Relative to esp	Relative to ebp	Value	Memory Address	Relative to esp	Relative to ebp	Value
X-2C	esp-4	ebp-C	?	X-2C	esp	ebp-C	ebx
X-28	esp	ebp-8	?	X-28	esp+4	ebp-8	?(var2)
X-24	esp+4	ebp-4	?	X-24	esp+8	ebp-4	?(var1)
X-20	esp+8	ebp	ebp	X-20	esp+C	ebp	ebp
X-1C	esp+C	ebp+4	eip	X-1C	esp+10	ebp+4	eip
X-18	esp+10	ebp+8	param1	X-18	esp+14	ebp+8	param1
X-14	esp+14	ebp+C	param2	X-14	esp+18	ebp+C	param2
X-10	esp+18	ebp+10	param3	X-10	esp+1C	ebp+10	param3
X-C	esp+1C	ebp+14	edx	X-C	esp+20	ebp+14	edx
X-8	esp+20	ebp+18	ecx	X-8	esp+24	ebp+18	ecx
X-4	esp+24	ebp+1C	eax	X-4	esp+28	ebp+1C	eax
X	esp+28	ebp+20	?	X	esp+2C	ebp+20	?
AFTER sub esp, 0x08				AFTER push ebx

Memory Address	Relative to esp	Relative to ebp	Value	Memory Address	Relative to esp	Relative to ebp	Value
X-38	esp-8	ebp-18	?	X-38	esp-4	ebp-18	?
X-34	esp-4	ebp-14	?	X-34	esp	ebp-14	esi
X-30	esp	ebp-10	edi	X-30	esp+4	ebp-10	edi
X-2C	esp+4	ebp-C	ebx	X-2C	esp+8	ebp-C	ebx
X-28	esp+8	ebp-8	var2	X-28	esp+C	ebp-8	var2
X-24	esp+C	ebp-4	var1	X-24	esp+10	ebp-4	var1
X-20	esp+10	ebp	ebp	X-20	esp+14	ebp	ebp
X-1C	esp+14	ebp+4	eip	X-1C	esp+18	ebp+4	eip
X-18	esp+18	ebp+8	param1	X-18	esp+1C	ebp+8	param1
X-14	esp+1C	ebp+C	param2	X-14	esp+20	ebp+C	param2
X-10	esp+20	ebp+10	param3	X-10	esp+24	ebp+10	param3
X-C	esp+24	ebp+14	edx	X-C	esp+28	ebp+14	edx
X-8	esp+28	ebp+18	ecx	X-8	esp+2C	ebp+18	ecx
X-4	esp+2C	ebp+1C	eax	X-4	esp+30	ebp+1C	eax
X	esp+30	ebp+20	?	X	esp+34	ebp+20	?
AFTER push edi				AFTER push esi

Then it enters main body of subroutine. After the main body:
...
;epilog
      pop esi ;restoring registers
      pop edi
      pop ebx
mov esp, ebp ;deallocate local variables
pop ebp ; restoring ebp
ret ; return to main routine
;end of epilog

Memory Address	Relative to esp	Relative to ebp	Value	Memory Address	Relative to esp	Relative to ebp	Value
X-38	esp-8	ebp-18	?	X-38	esp-C	ebp-18	?
X-34	esp-4	ebp-14	esi(x)	X-34	esp-8	ebp-14	esi(x)
X-30	esp	ebp-10	edi	X-30	esp-4	ebp-10	edi(x)
X-2C	esp+4	ebp-C	ebx	X-2C	esp	ebp-C	ebx
X-28	esp+8	ebp-8	var2	X-28	esp+4	ebp-8	var2
X-24	esp+C	ebp-4	var1	X-24	esp+8	ebp-4	var1
X-20	esp+10	ebp	ebp	X-20	esp+C	ebp	ebp
X-1C	esp+14	ebp+4	eip	X-1C	esp+10	ebp+4	eip
X-18	esp+18	ebp+8	param1	X-18	esp+14	ebp+8	param1
X-14	esp+1C	ebp+C	param2	X-14	esp+18	ebp+C	param2
X-10	esp+20	ebp+10	param3	X-10	esp+1C	ebp+10	param3
X-C	esp+24	ebp+14	edx	X-C	esp+20	ebp+14	edx
X-8	esp+28	ebp+18	ecx	X-8	esp+24	ebp+18	ecx
X-4	esp+2C	ebp+1C	eax	X-4	esp+28	ebp+1C	eax
X	esp+30	ebp+20	?	X	esp+2C	ebp+20	?
AFTER pop esi				AFTER pop edi

Memory Address	Relative to esp	Relative to ebp	Value	Memory Address	Relative to esp	Relative to ebp	Value
X-34	esp-C	ebp-14	esi(x)	X-34	esp-14	ebp-14	esi(x)
X-30	esp-8	ebp-10	edi(x)	X-30	esp-10	ebp-10	edi(x)
X-2C	esp-4	ebp-C	ebx(x)	X-2C	esp-C	ebp-C	ebx(x)
X-28	esp	ebp-8	var2	X-28	esp-8	ebp-8	var2(x)
X-24	esp+4	ebp-4	var1	X-24	esp-4	ebp-4	var1(x)
X-20	esp+8	ebp	ebp	X-20	esp	ebp	ebp
X-1C	esp+C	ebp+4	eip	X-1C	esp+4	ebp+4	eip
X-18	esp+10	ebp+8	param1	X-18	esp+8	ebp+8	param1
X-14	esp+14	ebp+C	param2	X-14	esp+C	ebp+C	param2
X-10	esp+18	ebp+10	param3	X-10	esp+10	ebp+10	param3
X-C	esp+1C	ebp+14	edx	X-C	esp+14	ebp+14	edx
X-8	esp+20	ebp+18	ecx	X-8	esp+18	ebp+18	ecx
X-4	esp+24	ebp+1C	eax	X-4	esp+1C	ebp+1C	eax
X	esp+28	ebp+20	?	X	esp+20	ebp+20	?
AFTER pop ebx				AFTER mov esp, ebp

Memory Address	Relative to esp	Value	Memory Address	Relative to esp	Value
X-2C	esp-10	ebx(x)	X-2C	esp-14	ebx(x)
X-28	esp-C	var2(x)	X-28	esp-10	var2(x)
X-24	esp-8	var1(x)	X-24	esp-C	var1(x)
X-20	esp-4	ebp(x)	X-20	esp-8	ebp(x)
X-1C	esp	eip	X-1C	esp-4	eip(x)
X-18	esp+4	param1	X-18	esp	param1
X-14	esp+8	param2	X-14	esp+4	param2
X-10	esp+C	param3	X-10	esp+8	param3
X-C	esp+10	edx	X-C	esp+C	edx
X-8	esp+14	ecx	X-8	esp+10	ecx
X-4	esp+18	eax	X-4	esp+14	eax
X	esp+1C	?	X	esp+18	?
AFTER pop ebp			AFTER ret

Then CPU returns to main routine to continue execution:
add esp, 0x0C ;restoring stack to the state before the call
pop edx ;restoring registers
pop ecx ;
pop eax ;first saved register pops last
...

Memory Address	Relative to esp	Value	Memory Address	Relative to esp	Value
X-1C	esp-10	eip(x)	X-1C	esp-14	eip(x)
X-18	esp-C	param1(x)	X-18	esp-10	param1(x)
X-14	esp-8	param2(x)	X-14	esp-C	param2(x)
X-10	esp-4	param3(x)	X-10	esp-8	param3(x)
X-C	esp	edx	X-C	esp-4	edx(x)
X-8	esp+4	ecx	X-8	esp	ecx
X-4	esp+8	eax	X-4	esp+4	eax
X	esp+C	?	X	esp+8	?
AFTER sub esp, 0x0C			AFTER pop edx

Memory Address	Relative to esp	Value	Memory Address	Relative to esp	Value
X-C	esp-8	edx(x)	X-C	esp-C	edx(x)
X-8	esp-4	ecx(x)	X-8	esp-8	ecx(x)
X-4	esp	eax	X-4	esp-4	eax(x)
X	esp+4	?	X	esp	?
AFTER pop ecx			AFTER pop eax (Original state)