From 3243b8bd812734bd26f24caaf60ce73d0181ac7a Mon Sep 17 00:00:00 2001 From: davidchiii Date: Tue, 20 Feb 2024 22:06:15 -0500 Subject: [PATCH] Deployed c44c3304 with MkDocs version: 1.5.3 --- 404.html | 107 + .../index.html | 107 + .../buffer-overflow/index.html | 107 + .../heap-exploitation/index.html | 107 + binary-exploitation/no-execute/index.html | 107 + binary-exploitation/overview/index.html | 107 + .../relocation-read-only/index.html | 107 + .../return-oriented-programming/index.html | 107 + binary-exploitation/stack-canaries/index.html | 107 + .../what-are-buffers/index.html | 107 + .../what-are-calling-conventions/index.html | 107 + .../what-are-registers/index.html | 107 + .../index.html | 109 + .../what-is-binary-security/index.html | 107 + .../what-is-the-got/index.html | 107 + .../what-is-the-heap/index.html | 107 + .../what-is-the-stack/index.html | 107 + challenges/2011/Crypto/crypto1/index.html | 107 + challenges/2011/Crypto/crypto10/index.html | 107 + challenges/2011/Crypto/crypto2/index.html | 107 + challenges/2011/Crypto/crypto3/index.html | 107 + challenges/2011/Crypto/crypto4/index.html | 107 + challenges/2011/Crypto/crypto5/index.html | 107 + challenges/2011/Crypto/crypto6/index.html | 107 + challenges/2011/Crypto/crypto7/index.html | 107 + challenges/2011/Crypto/crypto8/index.html | 107 + challenges/2011/Crypto/crypto9/index.html | 107 + challenges/2011/Forensics/android1/index.html | 107 + challenges/2011/Forensics/android2/index.html | 107 + .../2011/Forensics/evilburritos/index.html | 107 + .../2011/Forensics/evilburritos2/index.html | 107 + challenges/2011/Forensics/hardware/index.html | 107 + .../2011/Forensics/loveletter/index.html | 107 + .../2011/Forensics/networking101/index.html | 107 + .../2011/Forensics/patchmanagement/index.html | 107 + challenges/2011/Pwn/bin1/index.html | 107 + challenges/2011/Pwn/bin2/index.html | 107 + challenges/2011/Pwn/bin3/index.html | 107 + challenges/2011/Pwn/bin4/index.html | 107 + challenges/2011/Pwn/bin5/index.html | 107 + .../2011/Pwn/exploitation101/index.html | 107 + challenges/2011/Pwn/python/index.html | 107 + challenges/2011/Reversing/linux/index.html | 107 + challenges/2011/Reversing/net1/index.html | 107 + challenges/2011/Reversing/opengl/index.html | 107 + .../2011/Reversing/reversing101/index.html | 107 + challenges/2012/Crypto/crypto1/index.html | 107 + challenges/2012/Forensics/core/index.html | 107 + .../2012/Forensics/dongle.pcap/index.html | 107 + .../2012/Forensics/forensics1/index.html | 107 + .../2012/Forensics/forensics2/index.html | 107 + .../2012/Forensics/lemieux.pcap/index.html | 107 + .../2012/Forensics/telnet.pcap/index.html | 107 + .../Forensics/timewave-zero.pcap/index.html | 107 + .../2012/Forensics/version1.png/index.html | 107 + .../2012/Forensics/version2.png/index.html | 107 + challenges/2012/Pwn/12345/index.html | 107 + challenges/2012/Pwn/23456/index.html | 107 + challenges/2012/Pwn/4842/index.html | 107 + challenges/2012/Pwn/54321/index.html | 107 + .../csaw2012reversing.exe/index.html | 107 + .../Reversing/csaw2012reversing/index.html | 107 + .../csawqualification.exe/index.html | 107 + .../csawqualificationeasy.exe/index.html | 107 + .../2012/Reversing/reversing1/index.html | 107 + .../2012/Reversing/reversing2/index.html | 107 + .../2012/Reversing/reversing3/index.html | 107 + challenges/2013/Crypto/CSAWpad/index.html | 107 + .../2013/Crypto/onlythisprogram/index.html | 107 + challenges/2013/Crypto/slurp/index.html | 107 + challenges/2013/Crypto/stfu/index.html | 107 + .../2013/Forensics/Black_and_White/index.html | 107 + .../deeeeeeaaaaaadbeeeeeeeeeef/index.html | 107 + challenges/2013/Forensics/saidzed/index.html | 107 + .../2013/Misc/Alexander_Taylor/index.html | 107 + challenges/2013/Misc/Jordan_Weins/index.html | 107 + challenges/2013/Misc/Julian_Cohen/index.html | 107 + challenges/2013/Misc/Life/index.html | 107 + challenges/2013/Misc/Networking_1/index.html | 107 + challenges/2013/Misc/Networking_2/index.html | 107 + challenges/2013/Misc/historypeats/index.html | 107 + .../2013/Misc/trivia_questions/index.html | 107 + challenges/2013/Pwn/CSAW_Diary/index.html | 107 + challenges/2013/Pwn/Exploitation_1/index.html | 107 + challenges/2013/Pwn/Exploitation_2/index.html | 107 + challenges/2013/Pwn/SCP-hack/index.html | 107 + challenges/2013/Pwn/itsy/index.html | 107 + .../2013/Pwn/kernelchallenge/index.html | 107 + challenges/2013/Pwn/miteegashun/index.html | 107 + challenges/2013/Pwn/silkstreet/index.html | 107 + .../2013/Reversing/BikiniBonanza/index.html | 107 + .../2013/Reversing/Brad_Anton/index.html | 107 + .../CSAW_2013_Reversing_1/index.html | 107 + .../CSAW_2013_Reversing_2/index.html | 107 + challenges/2013/Reversing/DotNet/index.html | 107 + .../2013/Reversing/Impossible/index.html | 107 + .../Noobs_First_Firmware_Mod/index.html | 107 + challenges/2013/Reversing/bad_bios/index.html | 107 + challenges/2013/Reversing/crackme/index.html | 107 + .../Reversing/csaw2013reversing3/index.html | 107 + challenges/2013/Reversing/keygenme/index.html | 107 + challenges/2013/Web/Guess_Harder/index.html | 107 + .../2013/Web/Michael_Hanchak/index.html | 107 + challenges/2013/Web/Nevernote/index.html | 107 + challenges/2013/Web/Notes/index.html | 107 + challenges/2013/Web/herpderper/index.html | 107 + challenges/2013/Web/historypeats/index.html | 107 + challenges/2013/Web/iSEC_Challenge/index.html | 107 + challenges/2013/Web/twisted/index.html | 107 + .../Crypto/Wieners_-_Antoniewicz/index.html | 107 + challenges/2014/Crypto/cfbsum/index.html | 107 + challenges/2014/Crypto/feal/index.html | 107 + .../Crypto/mountainsound_-_Stortz/index.html | 107 + .../2014/Crypto/psifer_school/index.html | 107 + .../2014/Forensics/Fluffy_No_More/index.html | 107 + .../Forensics/aristotle_-_Wiens/index.html | 107 + .../2014/Forensics/dumpster_diving/index.html | 107 + .../2014/Forensics/obscurity/index.html | 107 + .../2014/Forensics/why_not_sftp__/index.html | 107 + challenges/2014/Misc/pps_-_Wiens/index.html | 107 + challenges/2014/Pwn/Xorcise2/index.html | 107 + challenges/2014/Pwn/greenhornd/index.html | 107 + challenges/2014/Pwn/ish/index.html | 107 + challenges/2014/Pwn/krakme/index.html | 107 + challenges/2014/Pwn/mbot/index.html | 107 + challenges/2014/Pwn/pybabbies/index.html | 107 + challenges/2014/Pwn/s3/index.html | 107 + challenges/2014/Pwn/saturn/index.html | 107 + .../Pwn/the_road_less_traveled/index.html | 107 + challenges/2014/Pwn/xorcise1/index.html | 107 + .../2014/Reversing/aerosol_can/index.html | 107 + .../Reversing/csaw2013reversing2/index.html | 107 + challenges/2014/Reversing/odd/index.html | 107 + challenges/2014/Reversing/weissman/index.html | 107 + challenges/2014/Reversing/wololo/index.html | 107 + .../2014/Web/app_-_Oberheide/index.html | 107 + challenges/2014/Web/big_data/index.html | 107 + .../2014/Web/guestbook_-_Toews/index.html | 107 + challenges/2014/Web/hashes/index.html | 107 + challenges/2014/Web/silkgoat/index.html | 107 + .../2014/Web/webroot_-_Freeman/index.html | 107 + .../2015/Crypto/bricks_of_gold/index.html | 107 + challenges/2015/Crypto/check-plz/index.html | 107 + challenges/2015/Crypto/eps/index.html | 107 + challenges/2015/Crypto/notesy/index.html | 107 + challenges/2015/Crypto/punchout/index.html | 107 + .../2015/Crypto/slabs-of-platinum/index.html | 107 + challenges/2015/Forensics/airport/index.html | 107 + challenges/2015/Forensics/flash/index.html | 107 + .../Forensics/keep-calm-and-ctf/index.html | 107 + challenges/2015/Forensics/mandiant/index.html | 107 + challenges/2015/Forensics/net/index.html | 107 + challenges/2015/Forensics/pcapin/index.html | 107 + .../phish-it-phish-it-good/index.html | 107 + .../2015/Forensics/ransomewhere/index.html | 107 + .../2015/Forensics/sharpturn/index.html | 107 + challenges/2015/Misc/sanity-check/index.html | 107 + challenges/2015/Pwn/autobots/index.html | 107 + challenges/2015/Pwn/blox/index.html | 107 + challenges/2015/Pwn/boombox/index.html | 107 + challenges/2015/Pwn/contacts/index.html | 107 + .../2015/Pwn/creditforcredits/index.html | 107 + challenges/2015/Pwn/get-flag/index.html | 107 + .../2015/Pwn/greetingsearthling/index.html | 107 + challenges/2015/Pwn/hiddencave/index.html | 107 + challenges/2015/Pwn/hipster/index.html | 107 + challenges/2015/Pwn/meme-shop/index.html | 107 + .../Pwn/memory-disclosure-flag/index.html | 107 + challenges/2015/Pwn/precision/index.html | 107 + .../2015/Pwn/quarantinebreaker/index.html | 107 + challenges/2015/Pwn/rhinoxorus/index.html | 107 + challenges/2015/Pwn/stringipc/index.html | 107 + .../2015/Reversing/HackingTime/index.html | 107 + .../2015/Reversing/cookie-maze/index.html | 107 + challenges/2015/Reversing/ftp/index.html | 107 + .../pwning-a-locked-container-plc/index.html | 107 + .../return-of-the-wieners/index.html | 107 + challenges/2015/Reversing/wyvern/index.html | 107 + challenges/2015/Reversing/wyvern2/index.html | 107 + challenges/2015/Web/K_achieve-200/index.html | 107 + challenges/2015/Web/K_stairs-100/index.html | 107 + challenges/2015/Web/animewall/index.html | 107 + .../2015/Web/lawn-care-simulator/index.html | 107 + challenges/2015/Web/tbbpe/index.html | 107 + challenges/2015/Web/throwback-600/index.html | 107 + challenges/2015/Web/weebdate-500/index.html | 107 + .../2016/Crypto/Another_Broken_box/index.html | 107 + challenges/2016/Crypto/Broken_Box/index.html | 107 + challenges/2016/Crypto/Katy/index.html | 107 + .../2016/Crypto/Killer_cipher/index.html | 107 + challenges/2016/Crypto/Neo/index.html | 107 + .../2016/Crypto/Sleeping_Guard/index.html | 107 + .../2016/Crypto/Still_Broken_Box/index.html | 107 + .../Forensics/Clams_Dont_Dance/index.html | 107 + challenges/2016/Forensics/Kill/index.html | 107 + .../2016/Forensics/Watchword/index.html | 107 + .../Yaar_Haar_Fiddle_Dee_Dee/index.html | 107 + challenges/2016/Forensics/brainfun/index.html | 107 + .../2016/Forensics/evidence.zip/index.html | 107 + .../2016/Forensics/pure_poetry/index.html | 107 + .../2016/Forensics/yaar_haar_2/index.html | 107 + challenges/2016/Misc/Fuzyll/index.html | 107 + .../2016/Misc/Music_To_My_Ears/index.html | 107 + challenges/2016/Misc/coinslot/index.html | 107 + challenges/2016/Misc/regexpire/index.html | 107 + challenges/2016/Pwn/Aul/index.html | 107 + challenges/2016/Pwn/CyberTronix64k/index.html | 107 + challenges/2016/Pwn/Ed-Edd-Eddie/index.html | 107 + challenges/2016/Pwn/Hungman/index.html | 107 + challenges/2016/Pwn/Moms_Spaghetti/index.html | 107 + challenges/2016/Pwn/ReversePolish/index.html | 107 + challenges/2016/Pwn/Tutorial/index.html | 107 + challenges/2016/Pwn/WarmUp/index.html | 107 + challenges/2016/Pwn/detective/index.html | 107 + challenges/2016/Pwn/thimblerig/index.html | 107 + challenges/2016/Web/I_Got_Id/index.html | 107 + challenges/2016/Web/MFW/index.html | 107 + challenges/2016/Web/Seizure-Cipher/index.html | 107 + challenges/2016/Web/SugarCereal/index.html | 107 + challenges/2016/Web/cloudb/index.html | 107 + .../2016/Web/linq_to_the_present/index.html | 107 + challenges/2016/Web/wtf.sh/index.html | 107 + challenges/2016/Web/wtf.sh2/index.html | 107 + .../2016/reversing/CookieMath/index.html | 107 + .../2016/reversing/CyberTronix64k/index.html | 107 + challenges/2016/reversing/Gametime/index.html | 107 + challenges/2016/reversing/Key/index.html | 107 + .../2016/reversing/MixedSignals/index.html | 107 + .../2016/reversing/Palo-Alto/index.html | 107 + challenges/2016/reversing/Rock/index.html | 107 + .../2016/reversing/Tar-Tar-Binks/index.html | 107 + .../2016/reversing/deedeedee/index.html | 107 + challenges/2016/reversing/gofaster/index.html | 107 + challenges/2016/reversing/ivninja/index.html | 107 + challenges/2016/reversing/lazurus/index.html | 107 + .../reversing/supermonsterball/index.html | 107 + challenges/2017/Crypto/ECXOR/index.html | 107 + challenges/2017/Crypto/Lupin/index.html | 107 + .../2017/Crypto/Side-channel/index.html | 107 + challenges/2017/Crypto/almost_xor/index.html | 107 + challenges/2017/Crypto/another_xor/index.html | 107 + challenges/2017/Crypto/baby_crypt/index.html | 107 + .../2017/Forensics/best_router/index.html | 107 + .../Forensics/missed_registration/index.html | 107 + .../Forensics/thoroughlyStripped/index.html | 107 + challenges/2017/Misc/ETHERSNOOB/index.html | 107 + challenges/2017/Misc/cvv/index.html | 107 + challenges/2017/Misc/ethersplay/index.html | 107 + challenges/2017/Misc/serial/index.html | 107 + .../GlobalThermonuclearCyberwar/index.html | 107 + challenges/2017/Pwn/Humm_sCh-t/index.html | 107 + challenges/2017/Pwn/KWS2/index.html | 107 + challenges/2017/Pwn/auir/index.html | 107 + challenges/2017/Pwn/connectXor/index.html | 107 + challenges/2017/Pwn/exploitme/index.html | 107 + challenges/2017/Pwn/firewall/index.html | 107 + challenges/2017/Pwn/funtimejs/index.html | 107 + challenges/2017/Pwn/minesweeper/index.html | 107 + challenges/2017/Pwn/pilot/index.html | 107 + challenges/2017/Pwn/scv/index.html | 107 + challenges/2017/Pwn/zone/index.html | 107 + challenges/2017/Web/Gopherz2Basic/index.html | 107 + .../2017/Web/Gopherz2NotSoBasic/index.html | 107 + .../2017/Web/csaw-kernel-challenge/index.html | 107 + .../2017/Web/csaw-oauth2-chal/index.html | 107 + challenges/2017/Web/littlequery/index.html | 107 + .../2017/Web/notmycupofcoffe/index.html | 107 + challenges/2017/Web/orange/index.html | 107 + challenges/2017/Web/orangev2/index.html | 107 + challenges/2017/Web/shia/index.html | 107 + .../2017/reversing/48-bit_yeet_lab/index.html | 107 + challenges/2017/reversing/DEFCON1/index.html | 107 + challenges/2017/reversing/PROPHECY/index.html | 107 + challenges/2017/reversing/TablEZ/index.html | 107 + .../2017/reversing/bananascript/index.html | 107 + challenges/2017/reversing/gopherz/index.html | 107 + .../2017/reversing/grumpcheck/index.html | 107 + .../2017/reversing/rabbithole/index.html | 107 + challenges/2017/reversing/realism/index.html | 107 + .../2017/reversing/rusty_road/index.html | 107 + cryptography/overview/index.html | 107 + .../what-are-block-ciphers/index.html | 107 + .../what-are-hashing-functions/index.html | 107 + .../what-are-stream-ciphers/index.html | 107 + .../what-is-a-substitution-cipher/index.html | 107 + .../what-is-a-vigenere-cipher/index.html | 107 + .../what-is-caesar-cipher-rot-13/index.html | 107 + cryptography/what-is-rsa/index.html | 107 + cryptography/what-is-xor/index.html | 107 + faq/connecting-to-services/index.html | 3358 ++++++++++++++++ faq/i-need-a-server/index.html | 3353 ++++++++++++++++ faq/images/netcat.gif | Bin 0 -> 326000 bytes faq/recommended-software/index.html | 3539 +++++++++++++++++ forensics/overview/index.html | 107 + forensics/what-are-file-formats/index.html | 109 +- forensics/what-is-a-hex-editor/index.html | 107 + forensics/what-is-disk-imaging/index.html | 107 + forensics/what-is-memory-forensics/index.html | 107 + forensics/what-is-metadata/index.html | 107 + forensics/what-is-stegonagraphy/index.html | 107 + forensics/what-is-wireshark/index.html | 107 + index.html | 107 + reverse-engineering/overview/index.html | 107 + .../what-are-decompilers/index.html | 107 + .../what-are-disassemblers/index.html | 107 + .../what-is-assembly-machine-code/index.html | 107 + .../what-is-bytecode/index.html | 107 + reverse-engineering/what-is-c/index.html | 107 + reverse-engineering/what-is-gdb/index.html | 107 + search/search_index.json | 2 +- sitemap.xml.gz | Bin 127 -> 127 bytes .../what-is-command-injection/index.html | 107 + .../index.html | 107 + .../what-is-cross-site-scripting/index.html | 107 + .../what-is-directory-traversal/index.html | 107 + web-exploitation/overview/index.html | 107 + web-exploitation/php/what-is-php/index.html | 107 + .../index.html | 107 + .../what-is-sql-injection/index.html | 107 + 319 files changed, 43745 insertions(+), 2 deletions(-) create mode 100644 faq/connecting-to-services/index.html create mode 100644 faq/i-need-a-server/index.html create mode 100644 faq/images/netcat.gif create mode 100644 faq/recommended-software/index.html diff --git a/404.html b/404.html index 0c908548..08ccf2ec 100644 --- a/404.html +++ b/404.html @@ -2996,6 +2996,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/address-space-layout-randomization/index.html b/binary-exploitation/address-space-layout-randomization/index.html index 61706cee..0003d290 100644 --- a/binary-exploitation/address-space-layout-randomization/index.html +++ b/binary-exploitation/address-space-layout-randomization/index.html @@ -3019,6 +3019,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/buffer-overflow/index.html b/binary-exploitation/buffer-overflow/index.html index 0365a215..a2a01461 100644 --- a/binary-exploitation/buffer-overflow/index.html +++ b/binary-exploitation/buffer-overflow/index.html @@ -3082,6 +3082,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/heap-exploitation/index.html b/binary-exploitation/heap-exploitation/index.html index 9e294ff5..80bf3eef 100644 --- a/binary-exploitation/heap-exploitation/index.html +++ b/binary-exploitation/heap-exploitation/index.html @@ -3082,6 +3082,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/no-execute/index.html b/binary-exploitation/no-execute/index.html index 7d54dcd5..e857d41e 100644 --- a/binary-exploitation/no-execute/index.html +++ b/binary-exploitation/no-execute/index.html @@ -3019,6 +3019,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/overview/index.html b/binary-exploitation/overview/index.html index fad5a858..10f7316d 100644 --- a/binary-exploitation/overview/index.html +++ b/binary-exploitation/overview/index.html @@ -3017,6 +3017,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/relocation-read-only/index.html b/binary-exploitation/relocation-read-only/index.html index 0ec5299d..ed8341d3 100644 --- a/binary-exploitation/relocation-read-only/index.html +++ b/binary-exploitation/relocation-read-only/index.html @@ -3067,6 +3067,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/return-oriented-programming/index.html b/binary-exploitation/return-oriented-programming/index.html index 6513d63c..d1935da6 100644 --- a/binary-exploitation/return-oriented-programming/index.html +++ b/binary-exploitation/return-oriented-programming/index.html @@ -3106,6 +3106,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/stack-canaries/index.html b/binary-exploitation/stack-canaries/index.html index 39ac55e7..d1e61d97 100644 --- a/binary-exploitation/stack-canaries/index.html +++ b/binary-exploitation/stack-canaries/index.html @@ -3082,6 +3082,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/what-are-buffers/index.html b/binary-exploitation/what-are-buffers/index.html index 5362f32c..9109dd82 100644 --- a/binary-exploitation/what-are-buffers/index.html +++ b/binary-exploitation/what-are-buffers/index.html @@ -3058,6 +3058,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/what-are-calling-conventions/index.html b/binary-exploitation/what-are-calling-conventions/index.html index 525acba8..2ba06d0f 100644 --- a/binary-exploitation/what-are-calling-conventions/index.html +++ b/binary-exploitation/what-are-calling-conventions/index.html @@ -3076,6 +3076,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/what-are-registers/index.html b/binary-exploitation/what-are-registers/index.html index fbb1b189..6284741a 100644 --- a/binary-exploitation/what-are-registers/index.html +++ b/binary-exploitation/what-are-registers/index.html @@ -3019,6 +3019,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/what-is-a-format-string-vulnerability/index.html b/binary-exploitation/what-is-a-format-string-vulnerability/index.html index 5dfbd2cd..5b140c22 100644 --- a/binary-exploitation/what-is-a-format-string-vulnerability/index.html +++ b/binary-exploitation/what-is-a-format-string-vulnerability/index.html @@ -16,6 +16,8 @@ + + @@ -3056,6 +3058,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/what-is-binary-security/index.html b/binary-exploitation/what-is-binary-security/index.html index 3e6dcf07..750b82cf 100644 --- a/binary-exploitation/what-is-binary-security/index.html +++ b/binary-exploitation/what-is-binary-security/index.html @@ -3019,6 +3019,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/what-is-the-got/index.html b/binary-exploitation/what-is-the-got/index.html index 9fd7a3f8..ecdc9ada 100644 --- a/binary-exploitation/what-is-the-got/index.html +++ b/binary-exploitation/what-is-the-got/index.html @@ -3058,6 +3058,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/what-is-the-heap/index.html b/binary-exploitation/what-is-the-heap/index.html index f40335c2..d48ecf0d 100644 --- a/binary-exploitation/what-is-the-heap/index.html +++ b/binary-exploitation/what-is-the-heap/index.html @@ -3058,6 +3058,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/binary-exploitation/what-is-the-stack/index.html b/binary-exploitation/what-is-the-stack/index.html index 1931a181..87848ea3 100644 --- a/binary-exploitation/what-is-the-stack/index.html +++ b/binary-exploitation/what-is-the-stack/index.html @@ -3067,6 +3067,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Crypto/crypto1/index.html b/challenges/2011/Crypto/crypto1/index.html index 5f86f207..85880d92 100644 --- a/challenges/2011/Crypto/crypto1/index.html +++ b/challenges/2011/Crypto/crypto1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Crypto/crypto10/index.html b/challenges/2011/Crypto/crypto10/index.html index e360fe94..d3583101 100644 --- a/challenges/2011/Crypto/crypto10/index.html +++ b/challenges/2011/Crypto/crypto10/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Crypto/crypto2/index.html b/challenges/2011/Crypto/crypto2/index.html index 02fd0682..5ef40229 100644 --- a/challenges/2011/Crypto/crypto2/index.html +++ b/challenges/2011/Crypto/crypto2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Crypto/crypto3/index.html b/challenges/2011/Crypto/crypto3/index.html index 43936151..cf28b3a4 100644 --- a/challenges/2011/Crypto/crypto3/index.html +++ b/challenges/2011/Crypto/crypto3/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Crypto/crypto4/index.html b/challenges/2011/Crypto/crypto4/index.html index 54b7c628..35b53105 100644 --- a/challenges/2011/Crypto/crypto4/index.html +++ b/challenges/2011/Crypto/crypto4/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Crypto/crypto5/index.html b/challenges/2011/Crypto/crypto5/index.html index d449ff3e..c6de28f8 100644 --- a/challenges/2011/Crypto/crypto5/index.html +++ b/challenges/2011/Crypto/crypto5/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Crypto/crypto6/index.html b/challenges/2011/Crypto/crypto6/index.html index 5404bea3..61bdc62e 100644 --- a/challenges/2011/Crypto/crypto6/index.html +++ b/challenges/2011/Crypto/crypto6/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Crypto/crypto7/index.html b/challenges/2011/Crypto/crypto7/index.html index 2ccf054c..7b26e16e 100644 --- a/challenges/2011/Crypto/crypto7/index.html +++ b/challenges/2011/Crypto/crypto7/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Crypto/crypto8/index.html b/challenges/2011/Crypto/crypto8/index.html index bc63bbdf..73b65413 100644 --- a/challenges/2011/Crypto/crypto8/index.html +++ b/challenges/2011/Crypto/crypto8/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Crypto/crypto9/index.html b/challenges/2011/Crypto/crypto9/index.html index 7ebd4d86..e356f430 100644 --- a/challenges/2011/Crypto/crypto9/index.html +++ b/challenges/2011/Crypto/crypto9/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Forensics/android1/index.html b/challenges/2011/Forensics/android1/index.html index 3b841e34..bbb685bd 100644 --- a/challenges/2011/Forensics/android1/index.html +++ b/challenges/2011/Forensics/android1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Forensics/android2/index.html b/challenges/2011/Forensics/android2/index.html index 26edfd9e..5060caf4 100644 --- a/challenges/2011/Forensics/android2/index.html +++ b/challenges/2011/Forensics/android2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Forensics/evilburritos/index.html b/challenges/2011/Forensics/evilburritos/index.html index 775056fd..09ec291f 100644 --- a/challenges/2011/Forensics/evilburritos/index.html +++ b/challenges/2011/Forensics/evilburritos/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Forensics/evilburritos2/index.html b/challenges/2011/Forensics/evilburritos2/index.html index 10559293..8e61ba6a 100644 --- a/challenges/2011/Forensics/evilburritos2/index.html +++ b/challenges/2011/Forensics/evilburritos2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Forensics/hardware/index.html b/challenges/2011/Forensics/hardware/index.html index 3b98be4a..e7c04e76 100644 --- a/challenges/2011/Forensics/hardware/index.html +++ b/challenges/2011/Forensics/hardware/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Forensics/loveletter/index.html b/challenges/2011/Forensics/loveletter/index.html index 255339b8..d4f963e4 100644 --- a/challenges/2011/Forensics/loveletter/index.html +++ b/challenges/2011/Forensics/loveletter/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Forensics/networking101/index.html b/challenges/2011/Forensics/networking101/index.html index 01354db8..5fe7908a 100644 --- a/challenges/2011/Forensics/networking101/index.html +++ b/challenges/2011/Forensics/networking101/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Forensics/patchmanagement/index.html b/challenges/2011/Forensics/patchmanagement/index.html index e0cc1232..09800451 100644 --- a/challenges/2011/Forensics/patchmanagement/index.html +++ b/challenges/2011/Forensics/patchmanagement/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Pwn/bin1/index.html b/challenges/2011/Pwn/bin1/index.html index 0eb69d5c..5a50a7b7 100644 --- a/challenges/2011/Pwn/bin1/index.html +++ b/challenges/2011/Pwn/bin1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Pwn/bin2/index.html b/challenges/2011/Pwn/bin2/index.html index 5fb37421..38712d47 100644 --- a/challenges/2011/Pwn/bin2/index.html +++ b/challenges/2011/Pwn/bin2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Pwn/bin3/index.html b/challenges/2011/Pwn/bin3/index.html index 4d804780..cea1e2a8 100644 --- a/challenges/2011/Pwn/bin3/index.html +++ b/challenges/2011/Pwn/bin3/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Pwn/bin4/index.html b/challenges/2011/Pwn/bin4/index.html index 5a47b1ff..501dd050 100644 --- a/challenges/2011/Pwn/bin4/index.html +++ b/challenges/2011/Pwn/bin4/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Pwn/bin5/index.html b/challenges/2011/Pwn/bin5/index.html index 405b814b..631578fa 100644 --- a/challenges/2011/Pwn/bin5/index.html +++ b/challenges/2011/Pwn/bin5/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Pwn/exploitation101/index.html b/challenges/2011/Pwn/exploitation101/index.html index ae2b1f6e..4f94b327 100644 --- a/challenges/2011/Pwn/exploitation101/index.html +++ b/challenges/2011/Pwn/exploitation101/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Pwn/python/index.html b/challenges/2011/Pwn/python/index.html index 432ec2e4..7e98f59a 100644 --- a/challenges/2011/Pwn/python/index.html +++ b/challenges/2011/Pwn/python/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Reversing/linux/index.html b/challenges/2011/Reversing/linux/index.html index 5792ccd7..2eaa7352 100644 --- a/challenges/2011/Reversing/linux/index.html +++ b/challenges/2011/Reversing/linux/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Reversing/net1/index.html b/challenges/2011/Reversing/net1/index.html index fed527ca..066b8ebe 100644 --- a/challenges/2011/Reversing/net1/index.html +++ b/challenges/2011/Reversing/net1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Reversing/opengl/index.html b/challenges/2011/Reversing/opengl/index.html index 1ba67490..5137dcf0 100644 --- a/challenges/2011/Reversing/opengl/index.html +++ b/challenges/2011/Reversing/opengl/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2011/Reversing/reversing101/index.html b/challenges/2011/Reversing/reversing101/index.html index 3d75fc2c..19375f4a 100644 --- a/challenges/2011/Reversing/reversing101/index.html +++ b/challenges/2011/Reversing/reversing101/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Crypto/crypto1/index.html b/challenges/2012/Crypto/crypto1/index.html index d9384d07..1e9eff84 100644 --- a/challenges/2012/Crypto/crypto1/index.html +++ b/challenges/2012/Crypto/crypto1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Forensics/core/index.html b/challenges/2012/Forensics/core/index.html index 22022e93..db996660 100644 --- a/challenges/2012/Forensics/core/index.html +++ b/challenges/2012/Forensics/core/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Forensics/dongle.pcap/index.html b/challenges/2012/Forensics/dongle.pcap/index.html index d2610549..2c0244cf 100644 --- a/challenges/2012/Forensics/dongle.pcap/index.html +++ b/challenges/2012/Forensics/dongle.pcap/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Forensics/forensics1/index.html b/challenges/2012/Forensics/forensics1/index.html index 1158f43e..26e055f7 100644 --- a/challenges/2012/Forensics/forensics1/index.html +++ b/challenges/2012/Forensics/forensics1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Forensics/forensics2/index.html b/challenges/2012/Forensics/forensics2/index.html index 901828bf..a77741d3 100644 --- a/challenges/2012/Forensics/forensics2/index.html +++ b/challenges/2012/Forensics/forensics2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Forensics/lemieux.pcap/index.html b/challenges/2012/Forensics/lemieux.pcap/index.html index 9b4b4c14..e3ca4ebc 100644 --- a/challenges/2012/Forensics/lemieux.pcap/index.html +++ b/challenges/2012/Forensics/lemieux.pcap/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Forensics/telnet.pcap/index.html b/challenges/2012/Forensics/telnet.pcap/index.html index ab24d32d..1ac4e0ca 100644 --- a/challenges/2012/Forensics/telnet.pcap/index.html +++ b/challenges/2012/Forensics/telnet.pcap/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Forensics/timewave-zero.pcap/index.html b/challenges/2012/Forensics/timewave-zero.pcap/index.html index e7455064..22f62c0a 100644 --- a/challenges/2012/Forensics/timewave-zero.pcap/index.html +++ b/challenges/2012/Forensics/timewave-zero.pcap/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Forensics/version1.png/index.html b/challenges/2012/Forensics/version1.png/index.html index 4b3a0dde..b106a802 100644 --- a/challenges/2012/Forensics/version1.png/index.html +++ b/challenges/2012/Forensics/version1.png/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Forensics/version2.png/index.html b/challenges/2012/Forensics/version2.png/index.html index f1733f5f..872af0b7 100644 --- a/challenges/2012/Forensics/version2.png/index.html +++ b/challenges/2012/Forensics/version2.png/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Pwn/12345/index.html b/challenges/2012/Pwn/12345/index.html index da6f1d1f..0a354f70 100644 --- a/challenges/2012/Pwn/12345/index.html +++ b/challenges/2012/Pwn/12345/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Pwn/23456/index.html b/challenges/2012/Pwn/23456/index.html index c1fd49f0..308fc14e 100644 --- a/challenges/2012/Pwn/23456/index.html +++ b/challenges/2012/Pwn/23456/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Pwn/4842/index.html b/challenges/2012/Pwn/4842/index.html index 27e7b6eb..82701063 100644 --- a/challenges/2012/Pwn/4842/index.html +++ b/challenges/2012/Pwn/4842/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Pwn/54321/index.html b/challenges/2012/Pwn/54321/index.html index 6d8d738c..7bcc78b0 100644 --- a/challenges/2012/Pwn/54321/index.html +++ b/challenges/2012/Pwn/54321/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Reversing/csaw2012reversing.exe/index.html b/challenges/2012/Reversing/csaw2012reversing.exe/index.html index d0411202..dead15f4 100644 --- a/challenges/2012/Reversing/csaw2012reversing.exe/index.html +++ b/challenges/2012/Reversing/csaw2012reversing.exe/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Reversing/csaw2012reversing/index.html b/challenges/2012/Reversing/csaw2012reversing/index.html index 39010fa9..275fddfd 100644 --- a/challenges/2012/Reversing/csaw2012reversing/index.html +++ b/challenges/2012/Reversing/csaw2012reversing/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Reversing/csawqualification.exe/index.html b/challenges/2012/Reversing/csawqualification.exe/index.html index e3595cdc..5218bab2 100644 --- a/challenges/2012/Reversing/csawqualification.exe/index.html +++ b/challenges/2012/Reversing/csawqualification.exe/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Reversing/csawqualificationeasy.exe/index.html b/challenges/2012/Reversing/csawqualificationeasy.exe/index.html index 621572c4..6d5bd017 100644 --- a/challenges/2012/Reversing/csawqualificationeasy.exe/index.html +++ b/challenges/2012/Reversing/csawqualificationeasy.exe/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Reversing/reversing1/index.html b/challenges/2012/Reversing/reversing1/index.html index 89137d46..42b0d3ed 100644 --- a/challenges/2012/Reversing/reversing1/index.html +++ b/challenges/2012/Reversing/reversing1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Reversing/reversing2/index.html b/challenges/2012/Reversing/reversing2/index.html index 0f78b992..ecd421cd 100644 --- a/challenges/2012/Reversing/reversing2/index.html +++ b/challenges/2012/Reversing/reversing2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2012/Reversing/reversing3/index.html b/challenges/2012/Reversing/reversing3/index.html index 4111a519..152adf03 100644 --- a/challenges/2012/Reversing/reversing3/index.html +++ b/challenges/2012/Reversing/reversing3/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Crypto/CSAWpad/index.html b/challenges/2013/Crypto/CSAWpad/index.html index bec0dd46..caf6ce84 100644 --- a/challenges/2013/Crypto/CSAWpad/index.html +++ b/challenges/2013/Crypto/CSAWpad/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Crypto/onlythisprogram/index.html b/challenges/2013/Crypto/onlythisprogram/index.html index f4c320cc..756a6464 100644 --- a/challenges/2013/Crypto/onlythisprogram/index.html +++ b/challenges/2013/Crypto/onlythisprogram/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Crypto/slurp/index.html b/challenges/2013/Crypto/slurp/index.html index 7bc6d0b3..495d952e 100644 --- a/challenges/2013/Crypto/slurp/index.html +++ b/challenges/2013/Crypto/slurp/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Crypto/stfu/index.html b/challenges/2013/Crypto/stfu/index.html index 1d468712..d4ae10b8 100644 --- a/challenges/2013/Crypto/stfu/index.html +++ b/challenges/2013/Crypto/stfu/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Forensics/Black_and_White/index.html b/challenges/2013/Forensics/Black_and_White/index.html index 6b06b6ef..7b69d289 100644 --- a/challenges/2013/Forensics/Black_and_White/index.html +++ b/challenges/2013/Forensics/Black_and_White/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Forensics/deeeeeeaaaaaadbeeeeeeeeeef/index.html b/challenges/2013/Forensics/deeeeeeaaaaaadbeeeeeeeeeef/index.html index 9a30a07c..f02008bc 100644 --- a/challenges/2013/Forensics/deeeeeeaaaaaadbeeeeeeeeeef/index.html +++ b/challenges/2013/Forensics/deeeeeeaaaaaadbeeeeeeeeeef/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Forensics/saidzed/index.html b/challenges/2013/Forensics/saidzed/index.html index 5a4658c7..681d4e40 100644 --- a/challenges/2013/Forensics/saidzed/index.html +++ b/challenges/2013/Forensics/saidzed/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Misc/Alexander_Taylor/index.html b/challenges/2013/Misc/Alexander_Taylor/index.html index f5d92fce..8c29a838 100644 --- a/challenges/2013/Misc/Alexander_Taylor/index.html +++ b/challenges/2013/Misc/Alexander_Taylor/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Misc/Jordan_Weins/index.html b/challenges/2013/Misc/Jordan_Weins/index.html index 9ce1a2e9..b30e56aa 100644 --- a/challenges/2013/Misc/Jordan_Weins/index.html +++ b/challenges/2013/Misc/Jordan_Weins/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Misc/Julian_Cohen/index.html b/challenges/2013/Misc/Julian_Cohen/index.html index ffddc854..a4bab6a6 100644 --- a/challenges/2013/Misc/Julian_Cohen/index.html +++ b/challenges/2013/Misc/Julian_Cohen/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Misc/Life/index.html b/challenges/2013/Misc/Life/index.html index fd44363a..f388b0d1 100644 --- a/challenges/2013/Misc/Life/index.html +++ b/challenges/2013/Misc/Life/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Misc/Networking_1/index.html b/challenges/2013/Misc/Networking_1/index.html index 405bbf53..e95dcf4e 100644 --- a/challenges/2013/Misc/Networking_1/index.html +++ b/challenges/2013/Misc/Networking_1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Misc/Networking_2/index.html b/challenges/2013/Misc/Networking_2/index.html index 29e877a1..352862b4 100644 --- a/challenges/2013/Misc/Networking_2/index.html +++ b/challenges/2013/Misc/Networking_2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Misc/historypeats/index.html b/challenges/2013/Misc/historypeats/index.html index 0befd9bb..daf78d51 100644 --- a/challenges/2013/Misc/historypeats/index.html +++ b/challenges/2013/Misc/historypeats/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Misc/trivia_questions/index.html b/challenges/2013/Misc/trivia_questions/index.html index 0bc889c3..ff09628a 100644 --- a/challenges/2013/Misc/trivia_questions/index.html +++ b/challenges/2013/Misc/trivia_questions/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Pwn/CSAW_Diary/index.html b/challenges/2013/Pwn/CSAW_Diary/index.html index 5132bb65..ef5ffedf 100644 --- a/challenges/2013/Pwn/CSAW_Diary/index.html +++ b/challenges/2013/Pwn/CSAW_Diary/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Pwn/Exploitation_1/index.html b/challenges/2013/Pwn/Exploitation_1/index.html index 13ddc431..71c601c0 100644 --- a/challenges/2013/Pwn/Exploitation_1/index.html +++ b/challenges/2013/Pwn/Exploitation_1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Pwn/Exploitation_2/index.html b/challenges/2013/Pwn/Exploitation_2/index.html index d84ca1eb..3415f63d 100644 --- a/challenges/2013/Pwn/Exploitation_2/index.html +++ b/challenges/2013/Pwn/Exploitation_2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Pwn/SCP-hack/index.html b/challenges/2013/Pwn/SCP-hack/index.html index 0c2f500e..81c75175 100644 --- a/challenges/2013/Pwn/SCP-hack/index.html +++ b/challenges/2013/Pwn/SCP-hack/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Pwn/itsy/index.html b/challenges/2013/Pwn/itsy/index.html index d8c7f5d7..0d5bbc27 100644 --- a/challenges/2013/Pwn/itsy/index.html +++ b/challenges/2013/Pwn/itsy/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Pwn/kernelchallenge/index.html b/challenges/2013/Pwn/kernelchallenge/index.html index b3fb608a..b1a2fa1a 100644 --- a/challenges/2013/Pwn/kernelchallenge/index.html +++ b/challenges/2013/Pwn/kernelchallenge/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Pwn/miteegashun/index.html b/challenges/2013/Pwn/miteegashun/index.html index ca51a96b..e7c62ff9 100644 --- a/challenges/2013/Pwn/miteegashun/index.html +++ b/challenges/2013/Pwn/miteegashun/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Pwn/silkstreet/index.html b/challenges/2013/Pwn/silkstreet/index.html index e285886b..48970e97 100644 --- a/challenges/2013/Pwn/silkstreet/index.html +++ b/challenges/2013/Pwn/silkstreet/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/BikiniBonanza/index.html b/challenges/2013/Reversing/BikiniBonanza/index.html index 7329ea03..939a29bd 100644 --- a/challenges/2013/Reversing/BikiniBonanza/index.html +++ b/challenges/2013/Reversing/BikiniBonanza/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/Brad_Anton/index.html b/challenges/2013/Reversing/Brad_Anton/index.html index 31983cd2..2ea86397 100644 --- a/challenges/2013/Reversing/Brad_Anton/index.html +++ b/challenges/2013/Reversing/Brad_Anton/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/CSAW_2013_Reversing_1/index.html b/challenges/2013/Reversing/CSAW_2013_Reversing_1/index.html index 4a40409e..2cbdcf34 100644 --- a/challenges/2013/Reversing/CSAW_2013_Reversing_1/index.html +++ b/challenges/2013/Reversing/CSAW_2013_Reversing_1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/CSAW_2013_Reversing_2/index.html b/challenges/2013/Reversing/CSAW_2013_Reversing_2/index.html index 06602630..72d13454 100644 --- a/challenges/2013/Reversing/CSAW_2013_Reversing_2/index.html +++ b/challenges/2013/Reversing/CSAW_2013_Reversing_2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/DotNet/index.html b/challenges/2013/Reversing/DotNet/index.html index 42a234d2..b647c8bc 100644 --- a/challenges/2013/Reversing/DotNet/index.html +++ b/challenges/2013/Reversing/DotNet/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/Impossible/index.html b/challenges/2013/Reversing/Impossible/index.html index f3bdc537..7ed607d2 100644 --- a/challenges/2013/Reversing/Impossible/index.html +++ b/challenges/2013/Reversing/Impossible/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/Noobs_First_Firmware_Mod/index.html b/challenges/2013/Reversing/Noobs_First_Firmware_Mod/index.html index ec13e289..605dbc77 100644 --- a/challenges/2013/Reversing/Noobs_First_Firmware_Mod/index.html +++ b/challenges/2013/Reversing/Noobs_First_Firmware_Mod/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/bad_bios/index.html b/challenges/2013/Reversing/bad_bios/index.html index e0e8edd0..4febac21 100644 --- a/challenges/2013/Reversing/bad_bios/index.html +++ b/challenges/2013/Reversing/bad_bios/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/crackme/index.html b/challenges/2013/Reversing/crackme/index.html index 3082367e..0de88dd0 100644 --- a/challenges/2013/Reversing/crackme/index.html +++ b/challenges/2013/Reversing/crackme/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/csaw2013reversing3/index.html b/challenges/2013/Reversing/csaw2013reversing3/index.html index b0f6731a..a9c60184 100644 --- a/challenges/2013/Reversing/csaw2013reversing3/index.html +++ b/challenges/2013/Reversing/csaw2013reversing3/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Reversing/keygenme/index.html b/challenges/2013/Reversing/keygenme/index.html index 94386793..006d0138 100644 --- a/challenges/2013/Reversing/keygenme/index.html +++ b/challenges/2013/Reversing/keygenme/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Web/Guess_Harder/index.html b/challenges/2013/Web/Guess_Harder/index.html index 3a22a544..ccd0c888 100644 --- a/challenges/2013/Web/Guess_Harder/index.html +++ b/challenges/2013/Web/Guess_Harder/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Web/Michael_Hanchak/index.html b/challenges/2013/Web/Michael_Hanchak/index.html index 78250698..bfef103c 100644 --- a/challenges/2013/Web/Michael_Hanchak/index.html +++ b/challenges/2013/Web/Michael_Hanchak/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Web/Nevernote/index.html b/challenges/2013/Web/Nevernote/index.html index cf1d2174..b922e4e6 100644 --- a/challenges/2013/Web/Nevernote/index.html +++ b/challenges/2013/Web/Nevernote/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Web/Notes/index.html b/challenges/2013/Web/Notes/index.html index 1868f313..398438e7 100644 --- a/challenges/2013/Web/Notes/index.html +++ b/challenges/2013/Web/Notes/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Web/herpderper/index.html b/challenges/2013/Web/herpderper/index.html index 53296c7f..c3bfe450 100644 --- a/challenges/2013/Web/herpderper/index.html +++ b/challenges/2013/Web/herpderper/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Web/historypeats/index.html b/challenges/2013/Web/historypeats/index.html index 2e807ad0..b71d0933 100644 --- a/challenges/2013/Web/historypeats/index.html +++ b/challenges/2013/Web/historypeats/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Web/iSEC_Challenge/index.html b/challenges/2013/Web/iSEC_Challenge/index.html index 6907f0f9..36de7de2 100644 --- a/challenges/2013/Web/iSEC_Challenge/index.html +++ b/challenges/2013/Web/iSEC_Challenge/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2013/Web/twisted/index.html b/challenges/2013/Web/twisted/index.html index 3395ad81..19b3c2c3 100644 --- a/challenges/2013/Web/twisted/index.html +++ b/challenges/2013/Web/twisted/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Crypto/Wieners_-_Antoniewicz/index.html b/challenges/2014/Crypto/Wieners_-_Antoniewicz/index.html index 865a5314..b56b576d 100644 --- a/challenges/2014/Crypto/Wieners_-_Antoniewicz/index.html +++ b/challenges/2014/Crypto/Wieners_-_Antoniewicz/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Crypto/cfbsum/index.html b/challenges/2014/Crypto/cfbsum/index.html index 0865ca98..4208cbe9 100644 --- a/challenges/2014/Crypto/cfbsum/index.html +++ b/challenges/2014/Crypto/cfbsum/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Crypto/feal/index.html b/challenges/2014/Crypto/feal/index.html index aff6348d..7f796c00 100644 --- a/challenges/2014/Crypto/feal/index.html +++ b/challenges/2014/Crypto/feal/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Crypto/mountainsound_-_Stortz/index.html b/challenges/2014/Crypto/mountainsound_-_Stortz/index.html index f1dd3d56..500327d1 100644 --- a/challenges/2014/Crypto/mountainsound_-_Stortz/index.html +++ b/challenges/2014/Crypto/mountainsound_-_Stortz/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Crypto/psifer_school/index.html b/challenges/2014/Crypto/psifer_school/index.html index 46e1d37a..73668a53 100644 --- a/challenges/2014/Crypto/psifer_school/index.html +++ b/challenges/2014/Crypto/psifer_school/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Forensics/Fluffy_No_More/index.html b/challenges/2014/Forensics/Fluffy_No_More/index.html index 0b982f30..a04c5ce1 100644 --- a/challenges/2014/Forensics/Fluffy_No_More/index.html +++ b/challenges/2014/Forensics/Fluffy_No_More/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Forensics/aristotle_-_Wiens/index.html b/challenges/2014/Forensics/aristotle_-_Wiens/index.html index 0de236c5..5019da2e 100644 --- a/challenges/2014/Forensics/aristotle_-_Wiens/index.html +++ b/challenges/2014/Forensics/aristotle_-_Wiens/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Forensics/dumpster_diving/index.html b/challenges/2014/Forensics/dumpster_diving/index.html index 2bfa3182..055c3f83 100644 --- a/challenges/2014/Forensics/dumpster_diving/index.html +++ b/challenges/2014/Forensics/dumpster_diving/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Forensics/obscurity/index.html b/challenges/2014/Forensics/obscurity/index.html index dd694f3f..58a1890e 100644 --- a/challenges/2014/Forensics/obscurity/index.html +++ b/challenges/2014/Forensics/obscurity/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Forensics/why_not_sftp__/index.html b/challenges/2014/Forensics/why_not_sftp__/index.html index 1ed28c6d..17267f12 100644 --- a/challenges/2014/Forensics/why_not_sftp__/index.html +++ b/challenges/2014/Forensics/why_not_sftp__/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Misc/pps_-_Wiens/index.html b/challenges/2014/Misc/pps_-_Wiens/index.html index 9973637b..ff2507da 100644 --- a/challenges/2014/Misc/pps_-_Wiens/index.html +++ b/challenges/2014/Misc/pps_-_Wiens/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Pwn/Xorcise2/index.html b/challenges/2014/Pwn/Xorcise2/index.html index e3f2db26..3c8d82a1 100644 --- a/challenges/2014/Pwn/Xorcise2/index.html +++ b/challenges/2014/Pwn/Xorcise2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Pwn/greenhornd/index.html b/challenges/2014/Pwn/greenhornd/index.html index 274df300..6aa2fc9f 100644 --- a/challenges/2014/Pwn/greenhornd/index.html +++ b/challenges/2014/Pwn/greenhornd/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Pwn/ish/index.html b/challenges/2014/Pwn/ish/index.html index b7431973..a1c29d7b 100644 --- a/challenges/2014/Pwn/ish/index.html +++ b/challenges/2014/Pwn/ish/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Pwn/krakme/index.html b/challenges/2014/Pwn/krakme/index.html index c415f80e..0b98c9cc 100644 --- a/challenges/2014/Pwn/krakme/index.html +++ b/challenges/2014/Pwn/krakme/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Pwn/mbot/index.html b/challenges/2014/Pwn/mbot/index.html index 5e3ad836..1e889675 100644 --- a/challenges/2014/Pwn/mbot/index.html +++ b/challenges/2014/Pwn/mbot/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Pwn/pybabbies/index.html b/challenges/2014/Pwn/pybabbies/index.html index 8fb26512..a87630f0 100644 --- a/challenges/2014/Pwn/pybabbies/index.html +++ b/challenges/2014/Pwn/pybabbies/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Pwn/s3/index.html b/challenges/2014/Pwn/s3/index.html index 73184363..7cc94ccc 100644 --- a/challenges/2014/Pwn/s3/index.html +++ b/challenges/2014/Pwn/s3/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Pwn/saturn/index.html b/challenges/2014/Pwn/saturn/index.html index 47e0a5b2..26d4140e 100644 --- a/challenges/2014/Pwn/saturn/index.html +++ b/challenges/2014/Pwn/saturn/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Pwn/the_road_less_traveled/index.html b/challenges/2014/Pwn/the_road_less_traveled/index.html index 97c111e0..bc0cb71c 100644 --- a/challenges/2014/Pwn/the_road_less_traveled/index.html +++ b/challenges/2014/Pwn/the_road_less_traveled/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Pwn/xorcise1/index.html b/challenges/2014/Pwn/xorcise1/index.html index 64f63686..3972b94e 100644 --- a/challenges/2014/Pwn/xorcise1/index.html +++ b/challenges/2014/Pwn/xorcise1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Reversing/aerosol_can/index.html b/challenges/2014/Reversing/aerosol_can/index.html index f1c4faec..b74c9445 100644 --- a/challenges/2014/Reversing/aerosol_can/index.html +++ b/challenges/2014/Reversing/aerosol_can/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Reversing/csaw2013reversing2/index.html b/challenges/2014/Reversing/csaw2013reversing2/index.html index d3c35eb0..2dbead6d 100644 --- a/challenges/2014/Reversing/csaw2013reversing2/index.html +++ b/challenges/2014/Reversing/csaw2013reversing2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Reversing/odd/index.html b/challenges/2014/Reversing/odd/index.html index 830c8807..17e0c3c6 100644 --- a/challenges/2014/Reversing/odd/index.html +++ b/challenges/2014/Reversing/odd/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Reversing/weissman/index.html b/challenges/2014/Reversing/weissman/index.html index 0fa49691..6a93ff47 100644 --- a/challenges/2014/Reversing/weissman/index.html +++ b/challenges/2014/Reversing/weissman/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Reversing/wololo/index.html b/challenges/2014/Reversing/wololo/index.html index 950c2d49..59102576 100644 --- a/challenges/2014/Reversing/wololo/index.html +++ b/challenges/2014/Reversing/wololo/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Web/app_-_Oberheide/index.html b/challenges/2014/Web/app_-_Oberheide/index.html index 4b833c7c..17494559 100644 --- a/challenges/2014/Web/app_-_Oberheide/index.html +++ b/challenges/2014/Web/app_-_Oberheide/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Web/big_data/index.html b/challenges/2014/Web/big_data/index.html index 5560ddce..ff3fcf9f 100644 --- a/challenges/2014/Web/big_data/index.html +++ b/challenges/2014/Web/big_data/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Web/guestbook_-_Toews/index.html b/challenges/2014/Web/guestbook_-_Toews/index.html index f864fc7d..cebe2e66 100644 --- a/challenges/2014/Web/guestbook_-_Toews/index.html +++ b/challenges/2014/Web/guestbook_-_Toews/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Web/hashes/index.html b/challenges/2014/Web/hashes/index.html index e18ad710..58f0e556 100644 --- a/challenges/2014/Web/hashes/index.html +++ b/challenges/2014/Web/hashes/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Web/silkgoat/index.html b/challenges/2014/Web/silkgoat/index.html index f52fbf29..f51debbb 100644 --- a/challenges/2014/Web/silkgoat/index.html +++ b/challenges/2014/Web/silkgoat/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2014/Web/webroot_-_Freeman/index.html b/challenges/2014/Web/webroot_-_Freeman/index.html index 40f024d6..417c36fb 100644 --- a/challenges/2014/Web/webroot_-_Freeman/index.html +++ b/challenges/2014/Web/webroot_-_Freeman/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Crypto/bricks_of_gold/index.html b/challenges/2015/Crypto/bricks_of_gold/index.html index 91cfc39a..fec29096 100644 --- a/challenges/2015/Crypto/bricks_of_gold/index.html +++ b/challenges/2015/Crypto/bricks_of_gold/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Crypto/check-plz/index.html b/challenges/2015/Crypto/check-plz/index.html index bc5d2636..c8588bdb 100644 --- a/challenges/2015/Crypto/check-plz/index.html +++ b/challenges/2015/Crypto/check-plz/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Crypto/eps/index.html b/challenges/2015/Crypto/eps/index.html index 41e675d9..bf1f14f9 100644 --- a/challenges/2015/Crypto/eps/index.html +++ b/challenges/2015/Crypto/eps/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Crypto/notesy/index.html b/challenges/2015/Crypto/notesy/index.html index 2f6901d3..a507f9db 100644 --- a/challenges/2015/Crypto/notesy/index.html +++ b/challenges/2015/Crypto/notesy/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Crypto/punchout/index.html b/challenges/2015/Crypto/punchout/index.html index f91bb90d..7b461526 100644 --- a/challenges/2015/Crypto/punchout/index.html +++ b/challenges/2015/Crypto/punchout/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Crypto/slabs-of-platinum/index.html b/challenges/2015/Crypto/slabs-of-platinum/index.html index 7c1f1adc..75287f2a 100644 --- a/challenges/2015/Crypto/slabs-of-platinum/index.html +++ b/challenges/2015/Crypto/slabs-of-platinum/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Forensics/airport/index.html b/challenges/2015/Forensics/airport/index.html index 41110b84..2bed1803 100644 --- a/challenges/2015/Forensics/airport/index.html +++ b/challenges/2015/Forensics/airport/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Forensics/flash/index.html b/challenges/2015/Forensics/flash/index.html index b5665cfe..0311dff3 100644 --- a/challenges/2015/Forensics/flash/index.html +++ b/challenges/2015/Forensics/flash/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Forensics/keep-calm-and-ctf/index.html b/challenges/2015/Forensics/keep-calm-and-ctf/index.html index fe67ed1c..7dd9776c 100644 --- a/challenges/2015/Forensics/keep-calm-and-ctf/index.html +++ b/challenges/2015/Forensics/keep-calm-and-ctf/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Forensics/mandiant/index.html b/challenges/2015/Forensics/mandiant/index.html index e95defc3..66c6c01a 100644 --- a/challenges/2015/Forensics/mandiant/index.html +++ b/challenges/2015/Forensics/mandiant/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Forensics/net/index.html b/challenges/2015/Forensics/net/index.html index d48664a3..b9e1f2ec 100644 --- a/challenges/2015/Forensics/net/index.html +++ b/challenges/2015/Forensics/net/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Forensics/pcapin/index.html b/challenges/2015/Forensics/pcapin/index.html index a57faa79..f1651cb2 100644 --- a/challenges/2015/Forensics/pcapin/index.html +++ b/challenges/2015/Forensics/pcapin/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Forensics/phish-it-phish-it-good/index.html b/challenges/2015/Forensics/phish-it-phish-it-good/index.html index 0570d3aa..edefc15f 100644 --- a/challenges/2015/Forensics/phish-it-phish-it-good/index.html +++ b/challenges/2015/Forensics/phish-it-phish-it-good/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Forensics/ransomewhere/index.html b/challenges/2015/Forensics/ransomewhere/index.html index e6f5e4a4..e8cb2812 100644 --- a/challenges/2015/Forensics/ransomewhere/index.html +++ b/challenges/2015/Forensics/ransomewhere/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Forensics/sharpturn/index.html b/challenges/2015/Forensics/sharpturn/index.html index 99209568..44d50607 100644 --- a/challenges/2015/Forensics/sharpturn/index.html +++ b/challenges/2015/Forensics/sharpturn/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Misc/sanity-check/index.html b/challenges/2015/Misc/sanity-check/index.html index 30c24301..09388f66 100644 --- a/challenges/2015/Misc/sanity-check/index.html +++ b/challenges/2015/Misc/sanity-check/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/autobots/index.html b/challenges/2015/Pwn/autobots/index.html index 24230154..3f9b8751 100644 --- a/challenges/2015/Pwn/autobots/index.html +++ b/challenges/2015/Pwn/autobots/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/blox/index.html b/challenges/2015/Pwn/blox/index.html index 9e9e25a1..78796fd4 100644 --- a/challenges/2015/Pwn/blox/index.html +++ b/challenges/2015/Pwn/blox/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/boombox/index.html b/challenges/2015/Pwn/boombox/index.html index e7c446da..1e3ad872 100644 --- a/challenges/2015/Pwn/boombox/index.html +++ b/challenges/2015/Pwn/boombox/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/contacts/index.html b/challenges/2015/Pwn/contacts/index.html index 2d6ba75e..d0d36533 100644 --- a/challenges/2015/Pwn/contacts/index.html +++ b/challenges/2015/Pwn/contacts/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/creditforcredits/index.html b/challenges/2015/Pwn/creditforcredits/index.html index 006b0a33..aa3cffec 100644 --- a/challenges/2015/Pwn/creditforcredits/index.html +++ b/challenges/2015/Pwn/creditforcredits/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/get-flag/index.html b/challenges/2015/Pwn/get-flag/index.html index b07f5995..d00e6a0b 100644 --- a/challenges/2015/Pwn/get-flag/index.html +++ b/challenges/2015/Pwn/get-flag/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/greetingsearthling/index.html b/challenges/2015/Pwn/greetingsearthling/index.html index b2854707..56666dee 100644 --- a/challenges/2015/Pwn/greetingsearthling/index.html +++ b/challenges/2015/Pwn/greetingsearthling/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/hiddencave/index.html b/challenges/2015/Pwn/hiddencave/index.html index 4fbadf23..bf846850 100644 --- a/challenges/2015/Pwn/hiddencave/index.html +++ b/challenges/2015/Pwn/hiddencave/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/hipster/index.html b/challenges/2015/Pwn/hipster/index.html index 2e24050a..917a0184 100644 --- a/challenges/2015/Pwn/hipster/index.html +++ b/challenges/2015/Pwn/hipster/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/meme-shop/index.html b/challenges/2015/Pwn/meme-shop/index.html index 3bd76446..0fd06af7 100644 --- a/challenges/2015/Pwn/meme-shop/index.html +++ b/challenges/2015/Pwn/meme-shop/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/memory-disclosure-flag/index.html b/challenges/2015/Pwn/memory-disclosure-flag/index.html index efbf3104..298c98a5 100644 --- a/challenges/2015/Pwn/memory-disclosure-flag/index.html +++ b/challenges/2015/Pwn/memory-disclosure-flag/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/precision/index.html b/challenges/2015/Pwn/precision/index.html index f5b35600..8176f8b9 100644 --- a/challenges/2015/Pwn/precision/index.html +++ b/challenges/2015/Pwn/precision/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/quarantinebreaker/index.html b/challenges/2015/Pwn/quarantinebreaker/index.html index 9a8d876d..6bbf2337 100644 --- a/challenges/2015/Pwn/quarantinebreaker/index.html +++ b/challenges/2015/Pwn/quarantinebreaker/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/rhinoxorus/index.html b/challenges/2015/Pwn/rhinoxorus/index.html index 390903af..c1ecb174 100644 --- a/challenges/2015/Pwn/rhinoxorus/index.html +++ b/challenges/2015/Pwn/rhinoxorus/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Pwn/stringipc/index.html b/challenges/2015/Pwn/stringipc/index.html index b084b246..9b80a6bb 100644 --- a/challenges/2015/Pwn/stringipc/index.html +++ b/challenges/2015/Pwn/stringipc/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Reversing/HackingTime/index.html b/challenges/2015/Reversing/HackingTime/index.html index 3ef02d0b..ed27af82 100644 --- a/challenges/2015/Reversing/HackingTime/index.html +++ b/challenges/2015/Reversing/HackingTime/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Reversing/cookie-maze/index.html b/challenges/2015/Reversing/cookie-maze/index.html index ab752d8d..7db98294 100644 --- a/challenges/2015/Reversing/cookie-maze/index.html +++ b/challenges/2015/Reversing/cookie-maze/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Reversing/ftp/index.html b/challenges/2015/Reversing/ftp/index.html index 661885e0..45a2e7b4 100644 --- a/challenges/2015/Reversing/ftp/index.html +++ b/challenges/2015/Reversing/ftp/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Reversing/pwning-a-locked-container-plc/index.html b/challenges/2015/Reversing/pwning-a-locked-container-plc/index.html index 9d7dd489..f13b6611 100644 --- a/challenges/2015/Reversing/pwning-a-locked-container-plc/index.html +++ b/challenges/2015/Reversing/pwning-a-locked-container-plc/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Reversing/return-of-the-wieners/index.html b/challenges/2015/Reversing/return-of-the-wieners/index.html index 5c8bfe4b..18347fab 100644 --- a/challenges/2015/Reversing/return-of-the-wieners/index.html +++ b/challenges/2015/Reversing/return-of-the-wieners/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Reversing/wyvern/index.html b/challenges/2015/Reversing/wyvern/index.html index 3846bf1b..8efee16d 100644 --- a/challenges/2015/Reversing/wyvern/index.html +++ b/challenges/2015/Reversing/wyvern/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Reversing/wyvern2/index.html b/challenges/2015/Reversing/wyvern2/index.html index 7bfcdab1..9c02d1f0 100644 --- a/challenges/2015/Reversing/wyvern2/index.html +++ b/challenges/2015/Reversing/wyvern2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Web/K_achieve-200/index.html b/challenges/2015/Web/K_achieve-200/index.html index d209a3d1..e4c2b0c2 100644 --- a/challenges/2015/Web/K_achieve-200/index.html +++ b/challenges/2015/Web/K_achieve-200/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Web/K_stairs-100/index.html b/challenges/2015/Web/K_stairs-100/index.html index a9ddbfc2..03bfc7fd 100644 --- a/challenges/2015/Web/K_stairs-100/index.html +++ b/challenges/2015/Web/K_stairs-100/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Web/animewall/index.html b/challenges/2015/Web/animewall/index.html index a8af4608..6a604d0a 100644 --- a/challenges/2015/Web/animewall/index.html +++ b/challenges/2015/Web/animewall/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Web/lawn-care-simulator/index.html b/challenges/2015/Web/lawn-care-simulator/index.html index b52b58cf..66a24637 100644 --- a/challenges/2015/Web/lawn-care-simulator/index.html +++ b/challenges/2015/Web/lawn-care-simulator/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Web/tbbpe/index.html b/challenges/2015/Web/tbbpe/index.html index 39b9651a..89111f0f 100644 --- a/challenges/2015/Web/tbbpe/index.html +++ b/challenges/2015/Web/tbbpe/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Web/throwback-600/index.html b/challenges/2015/Web/throwback-600/index.html index 235dcd5b..0a92890c 100644 --- a/challenges/2015/Web/throwback-600/index.html +++ b/challenges/2015/Web/throwback-600/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2015/Web/weebdate-500/index.html b/challenges/2015/Web/weebdate-500/index.html index aa732845..d4951175 100644 --- a/challenges/2015/Web/weebdate-500/index.html +++ b/challenges/2015/Web/weebdate-500/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Crypto/Another_Broken_box/index.html b/challenges/2016/Crypto/Another_Broken_box/index.html index 7a5f83c0..0996744d 100644 --- a/challenges/2016/Crypto/Another_Broken_box/index.html +++ b/challenges/2016/Crypto/Another_Broken_box/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Crypto/Broken_Box/index.html b/challenges/2016/Crypto/Broken_Box/index.html index 3162e012..e2d5e7c2 100644 --- a/challenges/2016/Crypto/Broken_Box/index.html +++ b/challenges/2016/Crypto/Broken_Box/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Crypto/Katy/index.html b/challenges/2016/Crypto/Katy/index.html index 57e2558a..72c93793 100644 --- a/challenges/2016/Crypto/Katy/index.html +++ b/challenges/2016/Crypto/Katy/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Crypto/Killer_cipher/index.html b/challenges/2016/Crypto/Killer_cipher/index.html index 2e9439a6..85af6cb3 100644 --- a/challenges/2016/Crypto/Killer_cipher/index.html +++ b/challenges/2016/Crypto/Killer_cipher/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Crypto/Neo/index.html b/challenges/2016/Crypto/Neo/index.html index 46db08ad..2e0c8433 100644 --- a/challenges/2016/Crypto/Neo/index.html +++ b/challenges/2016/Crypto/Neo/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Crypto/Sleeping_Guard/index.html b/challenges/2016/Crypto/Sleeping_Guard/index.html index 58818555..8a86e443 100644 --- a/challenges/2016/Crypto/Sleeping_Guard/index.html +++ b/challenges/2016/Crypto/Sleeping_Guard/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Crypto/Still_Broken_Box/index.html b/challenges/2016/Crypto/Still_Broken_Box/index.html index 8b20f177..c45a04ea 100644 --- a/challenges/2016/Crypto/Still_Broken_Box/index.html +++ b/challenges/2016/Crypto/Still_Broken_Box/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Forensics/Clams_Dont_Dance/index.html b/challenges/2016/Forensics/Clams_Dont_Dance/index.html index 4f98e0e0..56bbb7e3 100644 --- a/challenges/2016/Forensics/Clams_Dont_Dance/index.html +++ b/challenges/2016/Forensics/Clams_Dont_Dance/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Forensics/Kill/index.html b/challenges/2016/Forensics/Kill/index.html index 899237e8..3815719d 100644 --- a/challenges/2016/Forensics/Kill/index.html +++ b/challenges/2016/Forensics/Kill/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Forensics/Watchword/index.html b/challenges/2016/Forensics/Watchword/index.html index 07e93003..951b6a89 100644 --- a/challenges/2016/Forensics/Watchword/index.html +++ b/challenges/2016/Forensics/Watchword/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Forensics/Yaar_Haar_Fiddle_Dee_Dee/index.html b/challenges/2016/Forensics/Yaar_Haar_Fiddle_Dee_Dee/index.html index 66cdbb40..0b637d01 100644 --- a/challenges/2016/Forensics/Yaar_Haar_Fiddle_Dee_Dee/index.html +++ b/challenges/2016/Forensics/Yaar_Haar_Fiddle_Dee_Dee/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Forensics/brainfun/index.html b/challenges/2016/Forensics/brainfun/index.html index b3bb321f..9a7b2d71 100644 --- a/challenges/2016/Forensics/brainfun/index.html +++ b/challenges/2016/Forensics/brainfun/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Forensics/evidence.zip/index.html b/challenges/2016/Forensics/evidence.zip/index.html index 09ebb9eb..32ff39e6 100644 --- a/challenges/2016/Forensics/evidence.zip/index.html +++ b/challenges/2016/Forensics/evidence.zip/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Forensics/pure_poetry/index.html b/challenges/2016/Forensics/pure_poetry/index.html index 4e135aaf..506bf39f 100644 --- a/challenges/2016/Forensics/pure_poetry/index.html +++ b/challenges/2016/Forensics/pure_poetry/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Forensics/yaar_haar_2/index.html b/challenges/2016/Forensics/yaar_haar_2/index.html index 17bc50b3..3b1b2d03 100644 --- a/challenges/2016/Forensics/yaar_haar_2/index.html +++ b/challenges/2016/Forensics/yaar_haar_2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Misc/Fuzyll/index.html b/challenges/2016/Misc/Fuzyll/index.html index 8ade1a7e..48425760 100644 --- a/challenges/2016/Misc/Fuzyll/index.html +++ b/challenges/2016/Misc/Fuzyll/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Misc/Music_To_My_Ears/index.html b/challenges/2016/Misc/Music_To_My_Ears/index.html index 5371b396..e038a16b 100644 --- a/challenges/2016/Misc/Music_To_My_Ears/index.html +++ b/challenges/2016/Misc/Music_To_My_Ears/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Misc/coinslot/index.html b/challenges/2016/Misc/coinslot/index.html index 62d52f98..8d132b07 100644 --- a/challenges/2016/Misc/coinslot/index.html +++ b/challenges/2016/Misc/coinslot/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Misc/regexpire/index.html b/challenges/2016/Misc/regexpire/index.html index a17fda8f..353ee570 100644 --- a/challenges/2016/Misc/regexpire/index.html +++ b/challenges/2016/Misc/regexpire/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Pwn/Aul/index.html b/challenges/2016/Pwn/Aul/index.html index a6ebca4f..52042e95 100644 --- a/challenges/2016/Pwn/Aul/index.html +++ b/challenges/2016/Pwn/Aul/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Pwn/CyberTronix64k/index.html b/challenges/2016/Pwn/CyberTronix64k/index.html index 8d34c072..a0668efb 100644 --- a/challenges/2016/Pwn/CyberTronix64k/index.html +++ b/challenges/2016/Pwn/CyberTronix64k/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Pwn/Ed-Edd-Eddie/index.html b/challenges/2016/Pwn/Ed-Edd-Eddie/index.html index f5ef7acb..f1b00315 100644 --- a/challenges/2016/Pwn/Ed-Edd-Eddie/index.html +++ b/challenges/2016/Pwn/Ed-Edd-Eddie/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Pwn/Hungman/index.html b/challenges/2016/Pwn/Hungman/index.html index 7ca5e4a2..30a444f9 100644 --- a/challenges/2016/Pwn/Hungman/index.html +++ b/challenges/2016/Pwn/Hungman/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Pwn/Moms_Spaghetti/index.html b/challenges/2016/Pwn/Moms_Spaghetti/index.html index 95f02766..a4101d95 100644 --- a/challenges/2016/Pwn/Moms_Spaghetti/index.html +++ b/challenges/2016/Pwn/Moms_Spaghetti/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Pwn/ReversePolish/index.html b/challenges/2016/Pwn/ReversePolish/index.html index 1a77235f..0a05f7f6 100644 --- a/challenges/2016/Pwn/ReversePolish/index.html +++ b/challenges/2016/Pwn/ReversePolish/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Pwn/Tutorial/index.html b/challenges/2016/Pwn/Tutorial/index.html index 946022c7..6740083a 100644 --- a/challenges/2016/Pwn/Tutorial/index.html +++ b/challenges/2016/Pwn/Tutorial/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Pwn/WarmUp/index.html b/challenges/2016/Pwn/WarmUp/index.html index 7753696c..8c67b0dc 100644 --- a/challenges/2016/Pwn/WarmUp/index.html +++ b/challenges/2016/Pwn/WarmUp/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Pwn/detective/index.html b/challenges/2016/Pwn/detective/index.html index c0e4f1e3..abeab333 100644 --- a/challenges/2016/Pwn/detective/index.html +++ b/challenges/2016/Pwn/detective/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Pwn/thimblerig/index.html b/challenges/2016/Pwn/thimblerig/index.html index 2c3982e3..bab67063 100644 --- a/challenges/2016/Pwn/thimblerig/index.html +++ b/challenges/2016/Pwn/thimblerig/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Web/I_Got_Id/index.html b/challenges/2016/Web/I_Got_Id/index.html index 066a5c24..76136b71 100644 --- a/challenges/2016/Web/I_Got_Id/index.html +++ b/challenges/2016/Web/I_Got_Id/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Web/MFW/index.html b/challenges/2016/Web/MFW/index.html index f6e39c5c..6decbedb 100644 --- a/challenges/2016/Web/MFW/index.html +++ b/challenges/2016/Web/MFW/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Web/Seizure-Cipher/index.html b/challenges/2016/Web/Seizure-Cipher/index.html index 44e978b2..d143fb54 100644 --- a/challenges/2016/Web/Seizure-Cipher/index.html +++ b/challenges/2016/Web/Seizure-Cipher/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Web/SugarCereal/index.html b/challenges/2016/Web/SugarCereal/index.html index 7d0a9eb8..2645007e 100644 --- a/challenges/2016/Web/SugarCereal/index.html +++ b/challenges/2016/Web/SugarCereal/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Web/cloudb/index.html b/challenges/2016/Web/cloudb/index.html index 257e4613..cca7501b 100644 --- a/challenges/2016/Web/cloudb/index.html +++ b/challenges/2016/Web/cloudb/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Web/linq_to_the_present/index.html b/challenges/2016/Web/linq_to_the_present/index.html index c2706ba3..fbf1f7ae 100644 --- a/challenges/2016/Web/linq_to_the_present/index.html +++ b/challenges/2016/Web/linq_to_the_present/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Web/wtf.sh/index.html b/challenges/2016/Web/wtf.sh/index.html index ef70e298..8a73766e 100644 --- a/challenges/2016/Web/wtf.sh/index.html +++ b/challenges/2016/Web/wtf.sh/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/Web/wtf.sh2/index.html b/challenges/2016/Web/wtf.sh2/index.html index 2a145830..3a43bf6e 100644 --- a/challenges/2016/Web/wtf.sh2/index.html +++ b/challenges/2016/Web/wtf.sh2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/CookieMath/index.html b/challenges/2016/reversing/CookieMath/index.html index 18bc1245..4fdc5998 100644 --- a/challenges/2016/reversing/CookieMath/index.html +++ b/challenges/2016/reversing/CookieMath/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/CyberTronix64k/index.html b/challenges/2016/reversing/CyberTronix64k/index.html index 15413354..4f1c874a 100644 --- a/challenges/2016/reversing/CyberTronix64k/index.html +++ b/challenges/2016/reversing/CyberTronix64k/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/Gametime/index.html b/challenges/2016/reversing/Gametime/index.html index a4a7649d..bf382d21 100644 --- a/challenges/2016/reversing/Gametime/index.html +++ b/challenges/2016/reversing/Gametime/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/Key/index.html b/challenges/2016/reversing/Key/index.html index 60df8aca..96546b91 100644 --- a/challenges/2016/reversing/Key/index.html +++ b/challenges/2016/reversing/Key/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/MixedSignals/index.html b/challenges/2016/reversing/MixedSignals/index.html index f77d0666..747b1673 100644 --- a/challenges/2016/reversing/MixedSignals/index.html +++ b/challenges/2016/reversing/MixedSignals/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/Palo-Alto/index.html b/challenges/2016/reversing/Palo-Alto/index.html index 1720d6a8..49eeb55f 100644 --- a/challenges/2016/reversing/Palo-Alto/index.html +++ b/challenges/2016/reversing/Palo-Alto/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/Rock/index.html b/challenges/2016/reversing/Rock/index.html index 013773f4..030a9549 100644 --- a/challenges/2016/reversing/Rock/index.html +++ b/challenges/2016/reversing/Rock/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/Tar-Tar-Binks/index.html b/challenges/2016/reversing/Tar-Tar-Binks/index.html index 10f0f0d1..49598211 100644 --- a/challenges/2016/reversing/Tar-Tar-Binks/index.html +++ b/challenges/2016/reversing/Tar-Tar-Binks/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/deedeedee/index.html b/challenges/2016/reversing/deedeedee/index.html index da2f308d..df8f025f 100644 --- a/challenges/2016/reversing/deedeedee/index.html +++ b/challenges/2016/reversing/deedeedee/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/gofaster/index.html b/challenges/2016/reversing/gofaster/index.html index 91ac788c..0db02a09 100644 --- a/challenges/2016/reversing/gofaster/index.html +++ b/challenges/2016/reversing/gofaster/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/ivninja/index.html b/challenges/2016/reversing/ivninja/index.html index 82de7eb9..827b2610 100644 --- a/challenges/2016/reversing/ivninja/index.html +++ b/challenges/2016/reversing/ivninja/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/lazurus/index.html b/challenges/2016/reversing/lazurus/index.html index ac84874d..11904e51 100644 --- a/challenges/2016/reversing/lazurus/index.html +++ b/challenges/2016/reversing/lazurus/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2016/reversing/supermonsterball/index.html b/challenges/2016/reversing/supermonsterball/index.html index 195dde01..373bd717 100644 --- a/challenges/2016/reversing/supermonsterball/index.html +++ b/challenges/2016/reversing/supermonsterball/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Crypto/ECXOR/index.html b/challenges/2017/Crypto/ECXOR/index.html index 55382bed..4b9bd8c0 100644 --- a/challenges/2017/Crypto/ECXOR/index.html +++ b/challenges/2017/Crypto/ECXOR/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Crypto/Lupin/index.html b/challenges/2017/Crypto/Lupin/index.html index dc0ec578..1c0c43f3 100644 --- a/challenges/2017/Crypto/Lupin/index.html +++ b/challenges/2017/Crypto/Lupin/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Crypto/Side-channel/index.html b/challenges/2017/Crypto/Side-channel/index.html index e6cd6920..03501778 100644 --- a/challenges/2017/Crypto/Side-channel/index.html +++ b/challenges/2017/Crypto/Side-channel/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Crypto/almost_xor/index.html b/challenges/2017/Crypto/almost_xor/index.html index d11d1a14..899535a4 100644 --- a/challenges/2017/Crypto/almost_xor/index.html +++ b/challenges/2017/Crypto/almost_xor/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Crypto/another_xor/index.html b/challenges/2017/Crypto/another_xor/index.html index 9121fcdd..2bd134d3 100644 --- a/challenges/2017/Crypto/another_xor/index.html +++ b/challenges/2017/Crypto/another_xor/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Crypto/baby_crypt/index.html b/challenges/2017/Crypto/baby_crypt/index.html index be1eb830..3d093893 100644 --- a/challenges/2017/Crypto/baby_crypt/index.html +++ b/challenges/2017/Crypto/baby_crypt/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Forensics/best_router/index.html b/challenges/2017/Forensics/best_router/index.html index ae40ddbc..37adb0d4 100644 --- a/challenges/2017/Forensics/best_router/index.html +++ b/challenges/2017/Forensics/best_router/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Forensics/missed_registration/index.html b/challenges/2017/Forensics/missed_registration/index.html index aebd91d1..bba53488 100644 --- a/challenges/2017/Forensics/missed_registration/index.html +++ b/challenges/2017/Forensics/missed_registration/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Forensics/thoroughlyStripped/index.html b/challenges/2017/Forensics/thoroughlyStripped/index.html index ffc1c9c9..5b9b5fa4 100644 --- a/challenges/2017/Forensics/thoroughlyStripped/index.html +++ b/challenges/2017/Forensics/thoroughlyStripped/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Misc/ETHERSNOOB/index.html b/challenges/2017/Misc/ETHERSNOOB/index.html index f782db0d..73341d4b 100644 --- a/challenges/2017/Misc/ETHERSNOOB/index.html +++ b/challenges/2017/Misc/ETHERSNOOB/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Misc/cvv/index.html b/challenges/2017/Misc/cvv/index.html index 02fd122a..6fe5ddec 100644 --- a/challenges/2017/Misc/cvv/index.html +++ b/challenges/2017/Misc/cvv/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Misc/ethersplay/index.html b/challenges/2017/Misc/ethersplay/index.html index bee83042..5c16d677 100644 --- a/challenges/2017/Misc/ethersplay/index.html +++ b/challenges/2017/Misc/ethersplay/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Misc/serial/index.html b/challenges/2017/Misc/serial/index.html index 53b28c9c..cf1a6295 100644 --- a/challenges/2017/Misc/serial/index.html +++ b/challenges/2017/Misc/serial/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/GlobalThermonuclearCyberwar/index.html b/challenges/2017/Pwn/GlobalThermonuclearCyberwar/index.html index 5fc7e6ad..8ae6670d 100644 --- a/challenges/2017/Pwn/GlobalThermonuclearCyberwar/index.html +++ b/challenges/2017/Pwn/GlobalThermonuclearCyberwar/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/Humm_sCh-t/index.html b/challenges/2017/Pwn/Humm_sCh-t/index.html index 64840d66..817dd134 100644 --- a/challenges/2017/Pwn/Humm_sCh-t/index.html +++ b/challenges/2017/Pwn/Humm_sCh-t/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/KWS2/index.html b/challenges/2017/Pwn/KWS2/index.html index eb1872f0..12c127e7 100644 --- a/challenges/2017/Pwn/KWS2/index.html +++ b/challenges/2017/Pwn/KWS2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/auir/index.html b/challenges/2017/Pwn/auir/index.html index 3369e266..40617c41 100644 --- a/challenges/2017/Pwn/auir/index.html +++ b/challenges/2017/Pwn/auir/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/connectXor/index.html b/challenges/2017/Pwn/connectXor/index.html index 77a6c981..4e284d7c 100644 --- a/challenges/2017/Pwn/connectXor/index.html +++ b/challenges/2017/Pwn/connectXor/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/exploitme/index.html b/challenges/2017/Pwn/exploitme/index.html index 13f18eae..c54a563a 100644 --- a/challenges/2017/Pwn/exploitme/index.html +++ b/challenges/2017/Pwn/exploitme/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/firewall/index.html b/challenges/2017/Pwn/firewall/index.html index 95f57e22..04b48394 100644 --- a/challenges/2017/Pwn/firewall/index.html +++ b/challenges/2017/Pwn/firewall/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/funtimejs/index.html b/challenges/2017/Pwn/funtimejs/index.html index f2dd10a4..3db67183 100644 --- a/challenges/2017/Pwn/funtimejs/index.html +++ b/challenges/2017/Pwn/funtimejs/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/minesweeper/index.html b/challenges/2017/Pwn/minesweeper/index.html index 66d473cc..5b91843f 100644 --- a/challenges/2017/Pwn/minesweeper/index.html +++ b/challenges/2017/Pwn/minesweeper/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/pilot/index.html b/challenges/2017/Pwn/pilot/index.html index 237ab9f5..f4d314b9 100644 --- a/challenges/2017/Pwn/pilot/index.html +++ b/challenges/2017/Pwn/pilot/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/scv/index.html b/challenges/2017/Pwn/scv/index.html index 9eff0249..08f9d9e6 100644 --- a/challenges/2017/Pwn/scv/index.html +++ b/challenges/2017/Pwn/scv/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Pwn/zone/index.html b/challenges/2017/Pwn/zone/index.html index cb8ae04c..ed0cb1a0 100644 --- a/challenges/2017/Pwn/zone/index.html +++ b/challenges/2017/Pwn/zone/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Web/Gopherz2Basic/index.html b/challenges/2017/Web/Gopherz2Basic/index.html index 5b7e64c0..a0463886 100644 --- a/challenges/2017/Web/Gopherz2Basic/index.html +++ b/challenges/2017/Web/Gopherz2Basic/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Web/Gopherz2NotSoBasic/index.html b/challenges/2017/Web/Gopherz2NotSoBasic/index.html index 5b5de2c9..abc7387a 100644 --- a/challenges/2017/Web/Gopherz2NotSoBasic/index.html +++ b/challenges/2017/Web/Gopherz2NotSoBasic/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Web/csaw-kernel-challenge/index.html b/challenges/2017/Web/csaw-kernel-challenge/index.html index aa2c8176..963a7a7d 100644 --- a/challenges/2017/Web/csaw-kernel-challenge/index.html +++ b/challenges/2017/Web/csaw-kernel-challenge/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Web/csaw-oauth2-chal/index.html b/challenges/2017/Web/csaw-oauth2-chal/index.html index 69e43f2d..93cc0914 100644 --- a/challenges/2017/Web/csaw-oauth2-chal/index.html +++ b/challenges/2017/Web/csaw-oauth2-chal/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Web/littlequery/index.html b/challenges/2017/Web/littlequery/index.html index 142530f2..86d71c54 100644 --- a/challenges/2017/Web/littlequery/index.html +++ b/challenges/2017/Web/littlequery/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Web/notmycupofcoffe/index.html b/challenges/2017/Web/notmycupofcoffe/index.html index 27553a71..8be8492d 100644 --- a/challenges/2017/Web/notmycupofcoffe/index.html +++ b/challenges/2017/Web/notmycupofcoffe/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Web/orange/index.html b/challenges/2017/Web/orange/index.html index 6f1c97d9..4ad33744 100644 --- a/challenges/2017/Web/orange/index.html +++ b/challenges/2017/Web/orange/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Web/orangev2/index.html b/challenges/2017/Web/orangev2/index.html index 5fc7652c..58e784a3 100644 --- a/challenges/2017/Web/orangev2/index.html +++ b/challenges/2017/Web/orangev2/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/Web/shia/index.html b/challenges/2017/Web/shia/index.html index db226727..67aa12ae 100644 --- a/challenges/2017/Web/shia/index.html +++ b/challenges/2017/Web/shia/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/reversing/48-bit_yeet_lab/index.html b/challenges/2017/reversing/48-bit_yeet_lab/index.html index 96484bc0..958f28c7 100644 --- a/challenges/2017/reversing/48-bit_yeet_lab/index.html +++ b/challenges/2017/reversing/48-bit_yeet_lab/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/reversing/DEFCON1/index.html b/challenges/2017/reversing/DEFCON1/index.html index 6b8a4e57..8a92424c 100644 --- a/challenges/2017/reversing/DEFCON1/index.html +++ b/challenges/2017/reversing/DEFCON1/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/reversing/PROPHECY/index.html b/challenges/2017/reversing/PROPHECY/index.html index 3cfbd543..068d8e72 100644 --- a/challenges/2017/reversing/PROPHECY/index.html +++ b/challenges/2017/reversing/PROPHECY/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/reversing/TablEZ/index.html b/challenges/2017/reversing/TablEZ/index.html index 6622a08a..18fd1d10 100644 --- a/challenges/2017/reversing/TablEZ/index.html +++ b/challenges/2017/reversing/TablEZ/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/reversing/bananascript/index.html b/challenges/2017/reversing/bananascript/index.html index bb3bc2f7..3e9f3743 100644 --- a/challenges/2017/reversing/bananascript/index.html +++ b/challenges/2017/reversing/bananascript/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/reversing/gopherz/index.html b/challenges/2017/reversing/gopherz/index.html index 999e7678..412bcea9 100644 --- a/challenges/2017/reversing/gopherz/index.html +++ b/challenges/2017/reversing/gopherz/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/reversing/grumpcheck/index.html b/challenges/2017/reversing/grumpcheck/index.html index 244e8349..1703a2d1 100644 --- a/challenges/2017/reversing/grumpcheck/index.html +++ b/challenges/2017/reversing/grumpcheck/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/reversing/rabbithole/index.html b/challenges/2017/reversing/rabbithole/index.html index 3fafb787..b4e407db 100644 --- a/challenges/2017/reversing/rabbithole/index.html +++ b/challenges/2017/reversing/rabbithole/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/reversing/realism/index.html b/challenges/2017/reversing/realism/index.html index 682559e0..e741e4f9 100644 --- a/challenges/2017/reversing/realism/index.html +++ b/challenges/2017/reversing/realism/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/challenges/2017/reversing/rusty_road/index.html b/challenges/2017/reversing/rusty_road/index.html index 0627cb4f..b46436b4 100644 --- a/challenges/2017/reversing/rusty_road/index.html +++ b/challenges/2017/reversing/rusty_road/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/cryptography/overview/index.html b/cryptography/overview/index.html index 851adc88..76f36487 100644 --- a/cryptography/overview/index.html +++ b/cryptography/overview/index.html @@ -3065,6 +3065,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/cryptography/what-are-block-ciphers/index.html b/cryptography/what-are-block-ciphers/index.html index 36a3a526..1ee03f4f 100644 --- a/cryptography/what-are-block-ciphers/index.html +++ b/cryptography/what-are-block-ciphers/index.html @@ -3172,6 +3172,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/cryptography/what-are-hashing-functions/index.html b/cryptography/what-are-hashing-functions/index.html index 6f38a711..a32d3b10 100644 --- a/cryptography/what-are-hashing-functions/index.html +++ b/cryptography/what-are-hashing-functions/index.html @@ -3076,6 +3076,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/cryptography/what-are-stream-ciphers/index.html b/cryptography/what-are-stream-ciphers/index.html index 7b2c5dec..e5221030 100644 --- a/cryptography/what-are-stream-ciphers/index.html +++ b/cryptography/what-are-stream-ciphers/index.html @@ -3133,6 +3133,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/cryptography/what-is-a-substitution-cipher/index.html b/cryptography/what-is-a-substitution-cipher/index.html index 69404b6d..23b49841 100644 --- a/cryptography/what-is-a-substitution-cipher/index.html +++ b/cryptography/what-is-a-substitution-cipher/index.html @@ -3019,6 +3019,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/cryptography/what-is-a-vigenere-cipher/index.html b/cryptography/what-is-a-vigenere-cipher/index.html index 405835a7..07de5faf 100644 --- a/cryptography/what-is-a-vigenere-cipher/index.html +++ b/cryptography/what-is-a-vigenere-cipher/index.html @@ -3067,6 +3067,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/cryptography/what-is-caesar-cipher-rot-13/index.html b/cryptography/what-is-caesar-cipher-rot-13/index.html index 3de54bf3..e9309876 100644 --- a/cryptography/what-is-caesar-cipher-rot-13/index.html +++ b/cryptography/what-is-caesar-cipher-rot-13/index.html @@ -3019,6 +3019,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/cryptography/what-is-rsa/index.html b/cryptography/what-is-rsa/index.html index 13c04c60..338386c1 100644 --- a/cryptography/what-is-rsa/index.html +++ b/cryptography/what-is-rsa/index.html @@ -3118,6 +3118,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/cryptography/what-is-xor/index.html b/cryptography/what-is-xor/index.html index 1b7f0d53..15ae2257 100644 --- a/cryptography/what-is-xor/index.html +++ b/cryptography/what-is-xor/index.html @@ -3109,6 +3109,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/faq/connecting-to-services/index.html b/faq/connecting-to-services/index.html new file mode 100644 index 00000000..9caa66c4 --- /dev/null +++ b/faq/connecting-to-services/index.html @@ -0,0 +1,3358 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + How to connect to services - CTF Handbook + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + Skip to content + + +
    +
    + +
    + + + + + + +
    + + +
    + +
    + + + + + + +
    +
    + + + +
    +
    +
    + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + +

    How to connect to services

    +
    +

    Note

    +

    While service challenges are often connected to with netcat or PuTTY, solving them will sometimes require using a scripting language like Python. CTF players often use Python alongside pwntools.

    +

    You can run pwntools right in your browser by using repl.it.

    +
    +

    Using netcat

    +

    netcat usage

    +

    netcat is a networking utility found on macOS and linux operating systems and allows for easy connections to CTF challenges. Service challenges will commonly give you an address and a port to connect to. The syntax for connecting to a service challenge with netcat is nc <ip> <port>.

    +

    Using ConEmu

    +

    Windows users can connect to service challenges using ConEmu, which can be downloaded here. Connecting to service challenges with ConEmu is done by running nc <ip> <port>.

    + + + + + + + + + + + + + + + + + + + + + + +
    +
    + + + +
    + +
    + +
    + + +
    + +
    +
    +
    +
    + + + + + + + + + + \ No newline at end of file diff --git a/faq/i-need-a-server/index.html b/faq/i-need-a-server/index.html new file mode 100644 index 00000000..0cdbf414 --- /dev/null +++ b/faq/i-need-a-server/index.html @@ -0,0 +1,3353 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + I need a server - CTF Handbook + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + Skip to content + + +
    +
    + +
    + + + + + + +
    + + +
    + +
    + + + + + + +
    +
    + + + +
    +
    +
    + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + +

    I need a server

    +

    Occasionally, certain kinds of exploits will require a server to connect back to. Some examples are connect back shellcode, cross site request forgery (CSRF), or blind cross site scripting (XSS).

    +

    I just a web server

    +

    If you just need a web server to host simple static websites or check access logs, we recommend using PythonAnywhere to host a simple web application. You can program a simple web application in popular Python web frameworks (e.g. Flask) and host it there for free.

    +

    I need a real server

    +

    If you need a real server (perhaps to run complex calculations or for shellcode to connect back to), we recommend DigitalOcean. DigitalOcean has a cheap $4-6/month plan for a small server that can be freely configured to do whatever you need.

    + + + + + + + + + + + + + + + + + + + + + + +
    +
    + + + +
    + +
    + +
    + + +
    + +
    +
    +
    +
    + + + + + + + + + + \ No newline at end of file diff --git a/faq/images/netcat.gif b/faq/images/netcat.gif new file mode 100644 index 0000000000000000000000000000000000000000..0b3add4e9052e79e77dfc91eb03d9257e3713f3c GIT binary patch literal 326000 zcmeEubyVDImTlpMOK^7!7D8}M2*EwUB?$>`3BjdscZZ^IcY-?vhr-=0xVzWm_U)dz zw|lzhzIoHVX1(|Js#-w(!9Txq_P4*Y&#pHzQv3q%krB$^E&%EsHtgbY3W|j(79pJ(=gD}G15Q6f`Ea6mf;sLGcqzVG0`(ULV$run3>5L zi^(0AnTeH|nSq&^nT3Ugm6`D=71`6LPubYm*x5MQRVX;v*g4o)IM}&39>K-MAy3E2 z!Or;zZeC6vPA)EXE-o(aM<{YU=i++)oa6Z;c%D7y(`A(WnQ&UrmmR_q}Q0s@Vc9*EmGcFx%9X&lg z{TI&-9`QriphL`%hSE^)y`iDu`);uh(o9D5ltxBIpL*mzM`{=|Ga8q?HZd_Ve}uo0 z&elgSd>f&r?XXhX%yL#IlDPO!o|Va z)zQVt!Q~Ob_O4D2uFm$ZuC8vbZtnR;phuM0d6sGEB9M(nfu`2;DiYOl#KL@ z)T`O5&x?zTO9lL^uf;YRH8#JCY}Tvn*1p-_-#@68IH?jjt$BHUeN6*HSA4Cm_DVwe zH8%$r0vrGUpt(jwLU{bi_V@<;(kA}@ze)aoll;HjBtRJ8jqsIfo-%_R3OkE#Pg(ja z-&k5%uylDwXE5<|v-zI#%NKQZO#v_|8IqP3ck#2mzf^zP4=TM?h`~bsM}iIqs*ZWd`kbj^O@; zXYoA)bz46>(q08qD%4kQkL9TqTFH7zj?fv-V>FrbNb2{!KDM$Vg-3onpXyLbsn}S1 zyw(%_R7p-q@&KCXP{aIewc@lfIyB5g?+lroZ!F&&#tBDvks@T((_tb=D~WNs)mCJj zbSVNpwOJQ37;I^Q!2rn2%leW8wfN{`BlgKwkhk6N4zYDBU3wT+Qa)tPMtL-3Lc?!5 zNZm~mXvoBQkP!W7ciNC~YcaQ0gSonx*Fy5kZGK?!;XD2a<5PbJk16h>@e)H)UV{Qd zoL=IUK0~DxJeh^Eak9#@THFlE&23y-G9I>b?^u%0BpGCStgjKsG;*XFLoKSeH`LQB( zQMiLQ^Zg9js!VeskWGIoqn`Yo0&Nw)G{=#080&74OQ?<16L$T$4k9+tF#@_401kmP zK6XS>-_XW0#z*pPz$%6LUfB;)@Xkt?Dshyyncoy^r&Pk+7rEWqbykLaZ%Az6LA~w^ zTfZ#Ghz&B)sh|onu`l5SBE|%RZC6FaJCpouzVUBAVjb8%vDBu1$mfd7#+qkoz%NDP zv}}7@blfFh4w4F7yPrlRQN)qxBBJ1Zllug~_tZ3>XZ-aK3j3}1-KsQSNRM0PJk7g@ z>=Tl>x+S}%6Q8(GtE`eJ4!=7aBhWBDREdAfXX@X^E2IacafL%}WZ)vpSE2quvR@fn z;K|;e>IdvrU7E$P8(w{BdFkO$uG~XvK@Nj|L&NqXSi{$W=zvk>8F(bqo^8*NlUQwe zP7*^c?g$AYQ;u7f6|62|pXBrua=>l9^V0zI%Yx)oyoa>r-^avbNX3GPXG` z#$}hHy2flaxCK_c5D7$LMS7JkBDDxycoi-1Gb+`j2Ki6brl0e=&ZI{Sf3~9Q=zLav zTfmV)WplN0dy|i;sModEJ+uMjOFKruM2ZI>60?IPULDEa5TPf5{3sru_Re$J^R75D zY7n!FRnLg0J%|?bx($juw-;jw@kMkaB$bXSHtE{jiQ65d2YLoPF}`=^jh^3ALI=TSBm@&#dpp`&a= z_$J|X*YcDN(%mmfPa^j4$Y_ard!#5;Bi(y5>6m1CWt&Y9t(IRR@b>m9I-f+RVPrGE zk?B)SI*G}X&t}!=?R!^$5?dCM&1NjquRVJbS38i+;n3T!e{&LFJK#lD(dzqw^faMI zK8HKLSDu5I6>c~rhbLDCYNmafG(C{RThj}*az0I7#>nOGmKpq#bPC>*&lQ~N9kj1M zO*sn572aeSq&KQayc)D6+#|q-SYBg}j$UeahbYCaE}~dC%mA zhy1k9GKishQha?QVa{in)R>#E7-UCXRmW3l6!K*?`bOjG&$78fw*}s4k0!C6W^qIF z6&?D2Nmf8cH{Lu;BJUc`YNdv~n=lRN^1?su769rLY5Xo;jD&f8A*@9ma z6{`v~yJaUUlFo~WJI&t3ClzH_RVB#3{j516J5@h>Ug8LS`eMRtj57}oKO^r4(KG-} zc|IB|japJST2`e=@S;2-w8%)WZz}1t1h#Jg0)1;MP?5k3-5v0n>27!cSN@_hPodaM zc@Yg5`Y%Q&B6o3eKSTGIwMqY;!0?$6 zt4;qSDRCPnR(Zf1`46^}Q$KL^_Y4sFk@)Z@G1Zpa@pE?Pu;Z_~_y?bbDPc_E(|yf1 zFkIAVOVYrzK8A5IddD}9s*(6NsHMnaqnIae-Qe%6n~x!maB(miPD+Yp!XCD*?!5 zVO2%O3cK2KH|FlW$&TzW~}uYO^VeO+h9aqjN6&vuy5tLsQ&sm ztMIX9XB9P2OL{(`*=53u%Iv^k;1wKkie@XE;=;atgHGELR!yU&$bm_Q-2z(AWy2-Z z`l`!i5fE?xVrt>gi%hoxhQ;5yOQGOJb+>|}VcAZ=VeR*7Yz23yw(DHbHpqK!6}9!M z>y6?`h5h{6Fs%9to=_ZwBpwYwlop3G6!k>KPh007x>i&QJ9)3u`17fU(}1xe2-U|M zus2yZ8vmdIxfGrjV*+KMi`y9~8IsEn)lUlToaL?w?(pRb4isC3Wm(_vnQ)p+H7Qz~ zsk#BUm;e*m0-koY!uyUxF5**z_S%KupSGz&JOs*@4ZHV80oF`Qw;blda_vMAAP9gs z{3V7X?clRg;|3oL+W8zZJthf4a9s(emWTXwXc3+i7`mBs7&}ch=7&dIMll$GhmYZN zg=bW@pSpdx9KSo??4)pp;{xG*ZC*Zo#lI&M{q75yJ$Y-r%*jy$SuwMC<(sXzEaV8ixc~xZs`yE0H%BZKtnsG zX>a*FTQO!IWoGZYRRw9yuU=C=nvOO~#J;)#AT?=)AtHtPcweJhYn^Fd6HO0Ee#e=0 zrT3bCHa+IX34W$|ma{&p>X&}Dwf+UX{&v&8_S1gDG5)Ta0eu_(9>l($2@28yKF%;-oO}UUvm>{Fn>^Q9HRMApx%}5L{?zdbdcxgpu8U6 z0-#@sW^f*Ia5>QTJHJAaNpN$*=h}o|iQ3@N@!%H65G}%xc3{wyQAp2Kh+s}g|CMJ4 zbI`D3s5xWkSS@Ix$8Y*7R5vGdF2G|Uz+%}kOqMZhjo$|v5O%O-nOhr1t{FCX6?PF| zbIcsBPaL%982&JAxRV!N+7-TW6^<-m0GA(r<`{v&Vt~pLjy@BCSEq+v7ltbkNi3sF zP!~q098Pi_8Tm61ekPJyD{6)z>P9+>u`a6JH|iuWij5>X|23jnnGmm2G(RjcI(`J6 zhB{g_P@5+|`lUb&Z*R1iQw)t(v}9e3q-l)wb&L~1jJ!asz;=wXQ>-0Bta@E+{l{3% z>sX`gSY3fQ;Apg=Q``rJIHS5){lGXY)VF4JacVPh)>`qR1o2<$V(d)gT@%$D6XRdi z#k&b4aGb}3@}s?E5`q#{{hSi`6BB|-5-BDU!knT-wj-kw6A@z(WwjFJoD!2rlE^y~ zA-yqaEJ=AzDp^`dl1@qa*GXtqNkuF%C8){O`SvLS$pTu*H8aTohUEId=*I2j4icqS z5-_g-xU&wtX9w=d7wYQ;k2)z1UV{^HQ^pcg&SR1%dr7AAQ;9db&&a)R8DfEf(q?gi4?_#o>fX^2T_qmqdL z)-*KPG>n2|;7uB8L9EA08h%hJ;SLdTQu;w%y4y%PWe|kAkBC+^cL4o5|e==5bEvn}twSNIAdH6p{stpk+!pLtbfTzD~+8U(Pgx%aSom7U)Y? zDo6p>WvC^kyp_$;U`^2q%F^ir>lI`g)Pvu%W`EQMe7*HZ{wz-buEt zCsGv54c5vP3(Bp@&sFHlt=`Txwao?1#(M=3`e^6bJLMU}BJ+Z7;zG;_!*23SNb*08 zq$kMabCYD7^#v!%CV*LUAvgJMBn9@e!C8IrIR!+NIA1yw3JPX(KqCd+li_7MafJnh zl{W=7H*s}Igbik)O+j%jL4<8)g+Fd$JDmx;wIh0iV*AYqp-K5etdS$ygk##phEBys zk;SuU#T7S1i#Nr}y~Q7&m8=KFY_Jk;C6$QPl^8yQFWxCJHqHM?Q+lRdx-v_2l~ihA zTKZw6^uak6Kt>2JRHmd=b}U#5OfI|aBSM)g6U#3%z%9pn8jZh8K5@x(hWExy#9vsS9U-kL8dXThcioeE0uF~-~)Ooksb*{!~F2_!X(7vJ4 z3*Fyij>tc`_KRGtOJQZ0Q0+E+ZIn>mP;IU2$RnAAsLv6646aQ{_LVRvNEfOf)~tVP zTb~ykQXofAG*{npRj-EIP+=Zi`IMmArJ*FDL8ZK*Q7)(%ouHMh5zL$%DOcU~v@s>I z(X64dd#*9AuyME{ut%tANT(@+zfno0akk%o9=40Wc-v%4+^q1dd0oeEqaS}Oxj75H zZhE)sps@C+zt&Tz#VD`NrLFEt$M2?)=x(k>Yr6Wvr4C-W)l99{&!q)r-W##84r9Lc z=~e43SsPx6C#;YV&b94{ZVQe@EBSm|tWK*6S-WsTn`wC)qdbUtpo*}uePycMIK7=~ z-kn>whEw;)u)_~@jCMhbAK15TV)H(`4fys#9f+D8vbG)4d+xGeeEIo~mCFuk+)h<; zH+5J1cdnhS@tsoTow|E2`nvdrT^2=7Rz+R5;0{x^>TklJ zw`kG~>g5Lr-A+XgE+O5X!kuP6x(_nTJz%;$ey*>N`+GispD=V#N9*>+x%Rq+5LK(Z zB(|xFC~}gd?u`SJCFu6WH}*zy^QW-2q=q=AgZrZ8`*MW)y}kRQ8~euR`jD9W+%Wnp z<@+NmdJFb?>l^#0AO9(MpcdTJ3ARsn9q1*8<}?o2%ngtPAP=)aXLWnWU27&??T7aI z=Y$6r*y@*bZAyg)cLsVpTnBaH2X`9>f9?%Bq6{6&5AMqkvGw#{7C}#ohL%I1tMfxG zcSC^UZ!7Y{58xq`l&`48!y^{Mm`!%rm?J%GBTx3d?<__t=b;1O5z@^r^5Ovjj8SZ+ zQ98Y02Fp=o|4|l^eo8$k8>TG>?0z(xd~8v8jHzja*Rq%2a!|0??8U;EXw#^~z11s) z@fwTqHw#uW#p6Hrekd%A3S&+<9*?O}*eY30Xr@dEi45yP$MuUXbTB9ML?)3mCS~0w zO`z6h3gZ?FlhS$<@7X85ELfU=q3_%#Fx;jV-i^3Gr;7Hb4v?okLq~iTto)j$0#c^u ztEa!E^oKQBMp#a|iOe*;n=yBrNoX=p!khvx%oJYCh%8KJu=~SPOz#O#=Z4NYL#NXh zW|O66c`auv7X0&zXT8{GYC`8qDQ2h^=JKTGI4$Sei%mOHM!VeR6Fv{shmH+2nOW=2 zjx<@0>CH_vSxo88&nQgV!7OJM7R=|0=U3PlmzrjNHkq%9j1H$PhWT~1-_0Ksn;#X= zsfaA)zgxNxf!_~Z^2%AdSXg?%Gy&)LGIYGq{o1#W3k6ax-H9yM>km!lspk$(3Wv)mXOGeTmiVfz^i4)llRmO!qZ@$eLjD zn!v*{&w)w$z}idEbxA8S_=hz!!u8k9>+)9X(u*dti|eX`YoZV9UW7l@AV2vRd&Mn( zV*35mrre-u{i%;-V#u+frMU6Q-Pky6L$zeXT;JI8U_%~j)3*8ZSH;cOR+|ox&rT(q zuLd{W20wXVZ3%O1dBaLR`C4rWhHV8l8wC$;=|IN9Ax4oL+n5Jiv0+B>VcWWy+sTlR zDF@qWlskN%*C2}P*;YIBemnUb>xF|mv>Q96&1>ZxyMRFCD$1>xuw6Q--3HNZy@TC$ zq`fxCc9Y^>o%>!jWUsH;u&ZQ^lDag+eSHXGIMTdEsk}c$8Cu`GJ~z0(5cY8fvNlF} z;B2+Oc3{0k2~T-+a71}{D7t>4e|RB!NX)gj>#m*Wet4{Sc(l0uKzVfCd|14AfFO4G z5_0q)x^ZK56ghE-ihYDO^aA7X2uEz!r1gk=>G)D~qdeu9z3!OO;Di$Uq=@~5N#=xc z=>#GCq_Oy<6GqU-VQ@;-GS5w=%VT{iOm&Dvbt)isA|iH1d34%FaV9u)B580c#W^OO zdL}n?s&KfcgdHPGbU6Goc&t5iK3#Qckb1sXef~k|t&zcnp~r=(wXXiq z1uE5rHRsuvr3)5=%jl{L2eC`5(#xXGOSi*AJM60hhAVG_Lz1)uKbWQo_zJb^6Sr*5vS3#P_z1^R9#QmLV0c9(LZ8dPnYnOu}_PZg4;8aX+1U zKPz_s8YXr(oT~Ovalb0|u-2J#|7n*&^G!As@zcJwnc)vTGLASuXsUp)nGHmz7 zq~Zv1IQ)?3R!Hkdu61J67t3y}KA`zrq1&9(1DQhm%w$yaxwTYE`uCTu*?KL06gn4s zWBITbrHa$e7gmc+ZZLbDxr-0;9-dThAiCFIV%z<9+1(?q?RF-L4Vbp>1Pm7H%RNx2 z^j(ei=dz`kw%qQVFZLI{vRgOXUS6K>FLh({G~Xp}J;@v56o*5hk4V42D(n>lpc|D* zpiBwjNF;I*Z%LqYb{sX)pF}CMqCH1^CW)InSN00~DfzS41R8e5l26iaB3_diXW?=a z88otVkvgoGzp1h6C}*T_qpy&r3y0_KN%Rx0kYP$?W07I__yJG$X=z6kElaK|YA0I@ z;&XYgYH)?@vmwdv(%i8;&lUKVjBKIQb3We{g*aoLyb(NH|2_mbb+uIzLt(HJ5m&&k zgeku!%03vzdh&@!RmM#&BfFwD#54_o@n_}OQqLDOwF$iGaWyriZF+fd=wxr91fdy1846dWw=15IAXdW&MwEc7VeD%+Atx=)>?=N;q`|oImne!%nMPI zpFywe6Mvq4ct`RxNv>II9W1s;Vifox?piGAy?xzgWT5_xNk}YjVjA$JNt!1vxHdh) z_v^FHh(zi2>fo99QWWFBo$hzw~o<3!e@QQD=M|5jzE*2}DRMO> z3k{B^X7|@orHhXyMJf4pRN3;6fG1D&2WrdLx+Cc1Ao6t;Kl>A&n=cO3ecv4Vtx2H| zt*_dhVy|n3C> zT%yzxx;zYN@`h1)XbNASZjBWh3^h01ULLLWrz*8H-``%H?k)}e#iRfs5}GV~ZZUwC zy@*(Pmc5Bs04qND?@U&Fi9hG9_+hXx1N`x2fvY}<#Fec9t;HklL2T7q9~6Q70jpN5 z^(J(|e9x#OLY{BDTMOmg$Py0}*}0&LV4uVX0f6{g%W$-UEI(uJUd#Lh3G3$@#A)Aj ze~LHsW7$YZaFfY#`wWpWNHXi|{+xW&gqrK}Ww2L2#lFDb7=n7DwFGewLorEP!j#>z z_oH;y%LsbcZIU@Ag0`I%^UiELJK=M|b`IEnXFE5|k98+6E6!{uKQE_Xr=X~MXQ!~N z>lc%va?)(KxOSspx1{l6XScK!`RQI+2ch|1c@JYDDf$5K?%sDc=BN9W_vtlP?YG%5C~cMlqlx}F|3o=ut`HeGEL9yZ_M(VMnt+@ssP zg~uLHZ$p0SYtt^xK5(RnB?eaOz*~~E?R=pZVk=K-eW%(@S%dhc=V_??7g@$sSJgh& zn!S^Lu5Px|0iG#~Qz-vt(dnS@<=*L#I12mOuq2V?*@!e#@!6<6-~QQ{a(Cy+h#HyR zw-JpeDd)pF=nLP54KjoMq|v5??WI4BxmLdy_tiU?HGQ)XIVU={@O?pejs0@b^%Ay! zxdcMtxLWohvbtIcU@Ey<4dFYuT8ntYalIa+VRij8!MNnQ%XxR+X)tw-{05pir|S&O z9RuGC6!y=M=6y6g%e8oTWJKBMLCX0PV(;r6JT6Lxp@it?=--MYuY z(B=0m*n{ZqlI+799=HM@(79Y1JW)?8vfz;?PDmOelXM%J_K_FyKpHY%PaBr=kvBC4 zjp|GBmk4HAK8$RJsA66(v#W;bI3=|)1h`+V@gf%^#9L~qVhQFE=+)2kFCi0o2Q$1b0 z^~a$$znB!#-GZ~nVU7ctl$Sl-qBqCkAdD<(6q%lvq+hg&LAv6<*$zMepaXp2-u{kw zfKOO|aYz4(cmjq|gK^3KV|Vn=#53RfJ$EQo+#8KTw(<|Vqkkfvxf+{)C!W7?NB;xj zx%`a1N`e%}g+j2))Kb)Qz#iLpExV*LgjzkN@8z9w1}hvKI#L*0MK_6!UM1hunT^ z#h==bc{PAO&SW)^IVW%R7vlM|JIXU@vKGp}k+&8me6h6_E{@Ey9wA9+x*jRbn7Gu=ou$;sbH`m;OAvI(}EG~G;b+{oXA zxL#~;rh<@Jx6*tF&9>457z?&CLU?z!G9#o|{~+;H{wKtwLjZQ4}HAFNiTD5(MeyR^Ku0Wc@xI-H16)ZFKI8VV@^|rjK`m+!omG^%>@Vu zfYbZ~g`8*O)BQiCkTqwFX5?+2Z-zp?8&bNdof>lBM#L+!-&n zrRrq++Y|H+`}w%KhGkU|jS&U>OG>-_^C>;Ltn>}OG`nhNHT znlP(pwQ@;uelIEiU_+GobmRTU%+6AQh)zgty7Mcu(~iiSMn3r`GyA_uNQU&sdvg%q0m#c!N!yw(OlE!@nYhL9Gn%BazJ;VF3~XX^lz0RDuGT z-uVOI(JCMJUjBv5j<&AA#!O0>8Rms#nx(HG`+qJe|GSv|zuFN0P*U!PMyLYi{f`Pq znP2QzmMW*xpO4A$g`Q37Iy^Rnp+Eb@v{Ag}#f(XA@x`n~&HlyQvNLrJ3Q)$fW)cOe zz*p`(Me0_w06d3Y&bz}xYb3m|lN}}e3{v=3T9Fa|{rq@5H~{{C==@0d>+_>Sv;AXW z?4Q=eej|jGqK(02fa~x7s&@JJHL?GFA@t{VaoGSY`agjIslXuklh*FcrG>Os=OrY( z#--5Kd)Ecj^`*bQf&JeogzEpr=Z7Yc)lCvV6(e`OEEPAC$2OH9)vmn#KN3Q}o*&;y z+6PEJN`8fc76&2+eNKuZhrHk|pF_QVTh54&;H}Y|I6jP zknOcoNn}`>0%|?quc-2dg%?w|InHbhwY(D-|4#-A|2LL%#y_{5zYw&y&}gFBw8mnw zakbtv{#`jlo`FK`(yG!!J0)|{Lo?@eBK34^=8F_(KgsVz3;Lsq|0CDY+A^6yoc~y~ z{Hw}Vc*ZDE-iG^UXxw-4MOXEcPo9YaejD=IdB#wLH|FYk_1}#8W8Z&_+pqs)*U`Tx zT1t80Ty_tTl;M@Po9vMg*#L&ffHt_x3zawG2=M!Gt?+O=lkHyYHi&TW07geLZ%iv5 zI5@lwDVjI9pH1fcNKrxJaFmJ;AaP*Kzx+C?5ogGpu1lf~pP|Fjm-jAA^p9Rg|Fb#R z|5(ui<82?IiwU+HUFRs~8GZd{6@NaVXRM>_uST{pt_4dHLQWS}QQ5;fxKFDvc8 zBX{PMGGe%Y_R!`p1A)y zZ?pge6q9K!UoxaJaX(tsTyc0dj)Z^p&<5Mhhgma-W9MyV*q29X|KBn#{vX>Vr^M|e zGy#uYvhtsF$wD!Ti3@0W)Z&$!@~jyO`sJ+U_t4?_FS!a13sz)UK73^!L>)C_*1HSl zznyFTx9A^J+s8=}&(}ZQewD%$WPPq={#7mVo7BgDShm^VZUmy$P3jO%9d=ZgN5MTqz~ zsrUIq(#Y|D)TI6|r2k*5=u%ohE4A|h(&SgBo&%jWyMymcpvM8Hdj$x9*4H9cruYA# zqEG*)RhVV3UFk<-EZ%q zfX932ADlw|^;qRM>AT-am4AW1^vB2Y|IlChdxHLV#`Y=Nfs$2Qi*FAC(iW4J$3q}~ z8Ylvn84nJHb}PXP>tF3J<;XHr)_s0!8F$3^)^7z;Yn8yYp0^ksT9XI}Y;p5j-_Ad(`B7g*VfEue>Fs(c#!hpsGzE|~xM9>Df9Q>- zo0uo#3b%c6Pt_xKKSOV7&)IY`=C)<%*+fz#&%>!{wGWUHL(Ww1kaB2$Xf ztPDfy{?lFU|4qTp=4TbAn8 zJiajwd@G6Bz_ia3MM)TL=M(v9exxw|YWvP`@%oLYHkB$WzK#ma$K*tsIDwr{G^MX| zd;@t|^()gAcTKCNRBkujX0iJAtLECL_Pu7je%Td?BFn2w4cqyvg%9g*YW(H-E!wQ< zJ|GkD3JS5p8G7N9l0cendK@KMe_|c^HpC|qXnUkKsv*Z+-PR#ANEYbvdy-+K35Fmz zLTTzY)UxB+!@und=<}i(mZGv=2DKU+LIs=S0vn0;8(%6Pqew|Yh6Y{~ss@}_101dc zwmzN2D0LkKilWc_nI^N=!d^fIMtlgRg+>scNFhf0(^rkdXnQFo$R!*W{^7#M2H4@? zdNa*sP#f@t&3xc139<@cV!x%=HpCEWVL4q>bcy7)8v!2itAy2Z@_FMG;KV zv7KCZ)n(b-=Ze-gkQ~4wjry2M&6VzC{q4fXGk2{#M8+;@KQ_(PkhrTfQZ5=P4t`H8 z3nRp$We}>gdOMyKFunC`*?-ED%VA6zz{g~Vq?>G4Fr0Po@W)BY4p!d z)?ZYWg%(>F%gxQgW-qF1p~Y4X{d0>4liz(bk-1hQ5TjZwOx24TqLk zCe9*?h-Xx_tG~iSgY)m?ut%Y0lVs?rAEdvMzz)3k{NRZL?RgjdxHgZhDsMK=et z!Q)br3}(unz$m)_N6sE)y;3oRxQ<~=XoJE&IJdu~QY+I?6t-TH-TYAC@4yG8p{U@% z1GN^p^x#Cc#WZGz;<0RVBpSD|9cF)|9@yjw2%E{2syA@9hoNVqQm!SEp>~uK}@}9Be5jh#J)8|I4qfhk5~Rc zOFGgksoM^JfwY5%rEu^i`F4Iwv8JAe+>jH6xK%8mrg2l@(0QnC@oKQ9iJPaFGCQS zUcq<#Loq;69u4vee)r}wG- z8Uj$7?dxk64y?Of=FbOrS(nQ346i(&5VuXuMYe@~13e|{4nURbxWhW{g2S?>MlNx} zwD?l%iOmZ`pz4@AeaYWGTeK2Z(^-uCqLmNJ5#;@34@&4h=Z)+9;51}#cTqdkbl@;_ zyZD$&ZN+Xr@>jZBC4*h{C^etNx7g^9H7z@XTpJz4-5AvLF@lsk=qPEBpKTeQE|)gJ zaO?p{%n2))pSfOLf1~zsT@nY94!8Ebi{mEUYDMN9_QcxIyML$D0s|0(?z=rE-hkj8 zK}gKj2zemjGzfXiLu?p?)dL#81mOWe*e0Gt2_Tq;Cw{Fb`m`qw&AgG>uHY{%a$i?fEOdbH@&7eXO9;@(3?BKn-u6J)Z;Ay^nR7+O?Bl>rs>1u=<{a! z6JME^z?PSg4N3$PNYDm>PuY!^+DkLQgP_*;S_9#x##hV`0q^SZ7X-ctKeGT|tsZY1 zV*fAv{&t%F_KyCJ3I5Kt{;t#h?pOXG;s7uH03ZGU+yq}upqIL)n^izSC~P`_r!|0Y z*;j}f!Eg&fP~1)5(KmcL@L8Huk_G~wI6~;OM>ca{N5wkXkiedhzJQQn=8%5rVCYrI z1{F>~n5R_N+<=tx3nuXN~7VAwP;WP2-ksVD4s%a2DqD2qR+z$8e$ zCoCnvBXld=oH-~uzylFALJJsy%o0xD6OJJeLOmUULlTBf5{VP&g|8Kf?i7h(8cEt4 zPCgU4d=*J86ZS+PioVX1u`ZNEAnL{hWq&JdSUNan+LssPYoQr|1WODCYDKeL2b^C; zi<88hPe*q#$4FgAOR|K#af*@I4wf^GQOFNgVu?}F3RWYDd5apXff}QA9i$T&qn8+D zAQ1C@Ch((E_$SoBkG&E0AY=k%IHIFCYbQ86lK3xL@%94oj!tm+W$|`0aKxa;PvG#y z;d}%VzRtwE_Qv~YC4^lkga;->2_(j7CC0JDM9X)SJ50o50iuC&(R18oYKYYIqg;}4LK+cgESQ_C>4`5 zefc`=k|muG4S=7NN<^AYf|f=$n?_*3uH+< zXQ?M;Yu9J%&SvZ1WE+y^$eU%q4$A)EoMV!dV^*JIF`Hv0m}$hC-kwgX+X~h)Oqsz= z?Yqu#oy~Q>$pw+-d7)+5_NBGkrf3}@6^wulU=eu^^|^yb>X~n(R5PrY<=;3eRj85dd(5` z;Su&?8TMHjcHa@wA^>f(wQ%94@klzb5o3405(rUKU+pQOvA7$15b~XWEGT=Hk6akmB%<2_03QMMk(l@R=mEz zzCFS|169DN(Wh9-X2fwQg}y(=QF&o=+0^I&Mx6?J7xEDstfnI@LmRAtR?M*^q*uw9 zd<~WIbCrs7nF0;pg~_M^IECMnkWy?4`&r5+Y;u)us|?AiKM19%^i!(2P^upx8GX5TPvJKMK{@>C`9*ArZKwyJ%NTzprt>tpW9yJKm=Iqe0xrY6FsMg9?ki8`6Ev zQ~Vo#$)m;u=ZCtahwp+Tb?U%#b&&oXN4Z>)0`TXXx*V7KJhCjr$Xrovc$A3xGO~sW zoy=}o;A0-OHo2j`p`mfEp{5WSl?(7)sIfz*5$Ig>41n-#xE^p+-*wwKOx9#;UOKAN zH0jb*Dc3aJ&@?~S)Lq!L2qSA=6>1)nYu<2ap6f5$YG~e*YuuS@J|b&Ly=^|xX}L(Q zJ#%TfX=wSF+;Vr@0&xBQK-P+=+lnUCiVSW=yDI@Uwqo72w$HZW2)E&b^YL`sh{0_j z=Qh&$Hp-$L^1C)#;db4=GWOO+dT=}IKpJC6`ymTz^D^pF;U7H0I2X?CBHHjrfdJ?> zIB3-S))`E~)}RPG{xI9rG8U8^HH0v7t+j}hV7(?xi3+YXo?+qYthmiL@$LPz@ z?W22)p@REJL;4El`<@K+m5}$NVf0t%_QT2dSA+X+g8S>|`;Ytko5=^Z&B&Xtz9c5)ADxg3gmS_sm0=b?cVM2iJ>g*K`NB?rJu{ zgL}d?-u>|V5Fl>ie!kupLJt#u+BrEjVv(;H=ODrZU=Wn&+qTNvdE zEqh8a#sh;EKi3=M*DK;n8571V5?UA&Pbm1CDO0Zd1r7^Spp;DS!XKV`(_VVzK9{(WTp=h@m zqM(|%&>1kaJ$7Lx%`Gj7Vm1q!>Y_Ir#;yQF}!)=j2WpPJgY;R$a>wfVFI(j0q#H_b;p)h)tvP9jqbQe1E zaKD5@u?!zJjHthS@45_x452kIpU*F2Q4ZlyuIve~;D-$oy05H*S4go2$ro4V?^dWG zP+HN|3EfpjN+>gA723GU1{vUZSnVWV)GISS<1f9h8cy$F(t~M5+XmAJ zAfxh-jnum-3-=|fhm9MG%`b~fcKVwD_f1F9W#{Hi!x@s3~M=pavMQ(JH~1`&V3sdYbz;i1-!UT_OP9Hu#zFVLj&2);aJIo><~2X z6osvnJnW=%>|Qi(REl{ATqlS!G=7fWq?OQ-Zyr|np&qOeo^`7Jsecpt0`GnJ(SC8hJXhrMcL z$Zt~5QyS0p4$l)YEl$2Ww;%&>E=;g{AF0z)?80p5!nUQ`TIurJP*-5diDv4h zf8!-!_|mREbaKXm1HcqI$IiVDAqFt`rzxJXF7c5J!MEV_oY zbQn?HWO!U>QFX+4-0*;J3R>EWmTp*FFUwkPzKY$ZVqaF5wpXOymK)qQDz!JjZfVKy z+J{b>4eq+aZ+o!Mx?AojmhJ|Xj)$r4ONH;phdLgEsp#@|v#{{{zNP!=rR!y-)=aU7 z73&8a-G?o){0Z5pXl7A?b%AFzO9<0kn)&HeY>L`BIZp=AB6uDP^|t- zD)rr-X2mCHi7tXV^N8=8x(bnBQ>puloli%0X45U}n)j16eoduH-PxigcZ5=iJ*HB* zS39HG4Z6Tur=JsJ1%6GX4nky7rBbxdcgn=z91R~+sTQ+UFu8g^OP$NdRI0<;1%>XF z&1!-t(J!ggliKb?F@H+Edd1DLVuNnTg7NIsY|~>Z^}+Dl@lR+flNIUxV=C3S(1FU} z!4-P6z0{qWTIP0te-9%vM|%OFFB3;d#XAy5A~K4|K_v6xdWkCGZ1eJ$RBAff^YyYH z=zM2flDOE2wvtbjI!Yz+HH>gY2w*Rn^9nh33SN_0BksTU``l6fhU#(FO+)GNm`a_n z+mr1IG2?kmrEV7tBd~lmm+ti~a^;p|KMwlR=U+C@E&mK@SGA9GVip(rY|7|s0e8Oq z*B;)@tY}ux^`hrWBFQ=kLn1K5@j@X4hDv3=TOJ;m%InxK?B1`be8(jY$U`et<&@0M zR2BH%TBs_DAx&h+zhbCT_mg_@VnSWzZPi<4t#2S=?z=e$~ifp4p4o+WUaK!Ok$VLIbNCvtqYGXY7M%`V>HA<)Oe zZm}Lzquw_yY1Lyx3xV94j`40Mo&ZCXuZ0dQ2pIUv%jpOYD24zeM^GTfFbKf542PK@ zj)WHBi7A;TNxdbGs>tPqTfU4$6V(P2v4MF}`cMPOm|r4A9f25i4UwJ)w8K?IcoDCs zp(8NA!o1=1!`n`U$FuRoRbECvMx#=|dH$_7Av0dh@iBt;AjaA1yEW@ih8XD(A$N017HP=OCBseRR zai3XM*h@7$%QcIIF27Hvq9UrKk)G{2OTR);d34@ch9sqpr#L({JbD@cF!(sdsBKH= zmi){eTPOdS^(&@Yg4dHQ0R=PJCrMMEIzIEJYbjX0Q%hcI{LI(6jcDWb6}-T<$v4ys zwKMygvS`7?yCeg3?E4CtEZXEflo@oD`kH!wwkZNvujIZForZ94EQVb$>_b|aey*GM z3aM{6P}U9tEM}I3{V(>;!=b5c-Qp)9KoVN0(uL4_N2&&-H>1*RND~kd5D-x`^p12w zlipEj(nJYGq=^WqsHpU!s5B7}#Rs`5Znh-( z*c0~(kJy|ns+~-~e+xd9(TUKR%51q9GL_XP(D5^gzyFxUvP+nZ22`vYod?5R%9)S< zwln6(qQ<{%vHT(z;(Sx&&7j-;V{aaNPG0;fYD`(o5=a&7IkF+r?RhS8N93Wgm`=@8 z_C?L)rMEA?jT*1b zcWryMw$P&~w!YYJa%dh7SRB80eBfw<_wmQ)Huf!##2Wj)Va`1C&Xy|Jana zj2bK62$VmY8|g8FWM8O>SDu#;I=eP%1Qlp2LX}5h<+;&mw+74~=mY4!^9%1DyZT;3>?g%9tbzw8z z15aYOYRR?5&S}T!Rk?CSv+_zLws+YooY;TLYXX}ka4Q2_k?hj+TRc?6m~N;wM&o&S zyW(Z0+c8}g7bxxX)n0~N{_yhjx?7P}^){|yGc`&MkAB*0TuJN$T*=%c!*1bN13s zYx2*hpeVuy>GWqYzb??yFWQsX(VwUAD-YHDb&;ve1yc58BY$gv=zvihoWN}CUx_QR z(HBx9b_K5Jv|l8(2Y^9R6F^Rd!<88Gxvc;I|7|keKgUIYsck*R;=?5YfVsA#x-(im zm{i0#HCTe{rVq0s1Gzv{PFu{@-8xFOE<9~$FHkZpo6H?< z4KtG^5nmY_>p+WXR|v4$luk>H-yJ?Wr!#M zbPr^@V^At;{ubAE_XKX;Ol`M9BsfA2J;-RrsFrS~wnvtlDHTzS_aZTmGny$BfsE#G z`OVa}Ep=@(g~J02qF6Asool~s@Nj&b$!2Q%x{)&k52m(l9Zb(O-bnhFQriqIH}a3l z58SR#N?P^=CEw`1r$yU~8zu z)aR)&RZ1;z)RBw%rm2SfZ{Q;4qk{Ev-ZQNg=A)y+bGSE|*5>mu_^uq@Z9l}cj)~@K z8;8TQIuAT?mA*EXD|!ymb(oSH-$G6yNnGA#t+0^vV@&J98dS|f+DmS@()fyj2Q%@7 z1y-%?#O3X~P9uraU-uuutjJ@}kq~Fh(b=gY>aczaiGV2)o)Q>Qm3c~KXwY`Wv==u0lgzSeaR0O^W;8bTK}Pj-zxgWJwQ?X ziD|v*9_X9DlWR*TJbuh!f8wfNEhW7r4-vqaVQ3iKUSXoDPDTco%quM&mUx=#i|K*l za37c)@4aE0hB0EIlCRZ$e;W#u5M%~d4Ik(kQVT%|nRm&}W@&^|sq9(f@3GR3NWG(?MVX1pTvE`0ONUsY=-YwKCA}Y)4N8+AqUOFh_dqp9> zgiuOV;Pq2Joa-?hS#w&p^AaFvze8Br7%0LWxUMy;4v@g~v>$>;s zR&AWx%a=64XWlGt+o*{KC-eYMcxKdg7&U(nr4oXF=p4DiQnNROMsPCEQ2-lwaAww; zgi4u$b2upQ1;821?HlB$$CtNAL@AK)p2;B>M+tvClo|e>$w47fkVPpy&%ep!NQxp? z=cyhp;*)2WO9sX+H5j8a!=Cj$2KNzs{1h`!;k8I5Fs}=@n@MFAqJJS zAPh(+r9dVLgaH+2KBU=%0VyOG=ePeh4Cr4}chM9~1E9Hb8HfY0+61_6Apl_j2;=~q zb@q4@-GbJ~cp3dkJ#H9WZ)UDd-T(u%^N;eob_mDv15n~h;S=^Ej2>XJtgB?fPUh9j ziF3*u!j)bsRA0h?{$uLSVy-%4blc!cw`PSm>@M_g)m(wd;Sa zy8kf@NNoT<56@MeFVi}^mK_C7=$nlN|Ejuw(O5tr&l3;Q?)tT{0G!Z&NZt7$I|6ksE#Wxw|2^}lcx9aFgdghkT`{&eMgvAG&isLXe{7ujO22=Asr26S{<7TP@RdR1f)(BE57YT?!`$Y_8gc9>H47gZHaiX< zSpm5yKWP;>&L8p%%&o*`=r9Q@o7S-UR^OWFU~(rz%V2(V!JSaPspnCi~Mve3NeeZl`pKE-V>^yq@ZsuQPf^& zm?;>q@VelOrk~GlMf+SCcmcBT?&ahy1onFG2vN+ekmrO0nVEcOiOTWWEgHbb%Ob00aA2V<4-OCr#iM;{t3D z+gbh*42OeORuFG4e^eOp#kMT}Ux+71d6@57?cPB{KZgCtV|qWtzyMnCkKouBe*|z^ zn*Pjhz+zvl8Gor=ir8=IN-a<^(G@IX|1exY;z(PXl1oQ_?LzMF)-C}kz=FfQu^(ne zAMC9FnbCzn=#_20ZXvn18_6Fm;ecg|9{`qaO z-m~i~@E6tK?UZtC>sjdhmR=vIgele+*~Iq=EasKa7|4XVaX4s~_Y`LkmiRMj$@fp0 zGTf#4CPlzE+{o{iTlsdWR`BX4ksf>4Vvjwde}UNh3GDarZ6?0RWOn|cIN`le+lJ3R z`H$Sl|HvtCh*GL-hc(VmoXXm9h<$3+=aowtrs}B_|t+I2IfJgmo0D{qM`NMuNP_6O%U7vNGsu=1{Q%1b&XL1|DUQqv?ey~`b z`SErEsLyqPUu&px#yp=2RqEaWsQBdN_h0a?vv{=!2B-69`_K>eZ&mA0AFBRWAL{4m zP10AH4Wz#B)=%!m0ju|EeTX>iVtqk+-qTM6JkNb3jJ89Dfy}Zuh69-t=s$xxzyKQX zgq^-RVdnZDm4Zb6incDaYo2~G^|5>P0(-N%qm)ihq}Imrb^T5QTQQ`72CsvGm=#bU z^+cjL1ff@U(^jtQe1Mz&M?TUpy)RGrKIcdf2miTuDpbo0qg%|oxb_>9MS8O zhj4ELtTQlV4E`3ruhc&=2J;Zhae)Rd193rmUw*>0V2J2zt);Bb9BrliK^3SPQ;pSa zPnJ7o+;U2aPd`jadv&e0!gg1>B z;H&H-r#BC{5d|LbwyzI3{@VjCv&lG2VtA}=*pS_$hSTVCz~H9TetXC?B|rQX1LbY0 z0<;q<$s!0V`%eb=HBlx%I#GWq?`CCNqA}5Ryssg1f*y{sBPSN@jN!Z2u0hr~d zpAfyvsidr4QHDY6XyTC|Hr^i)i@_g0X5re+W6s+=W(M$>`TpRTjp;J_X#uD%6HfV= zk&kZonwAA;O9*Rdo@~JxMRaRZJmOS zLyriGso^1eXbe0J1L$;u4Zj?ZzxzYiU;5#P?p_TfDW6*H3Xzy<&s6hyMyIft_d7+HW>FR55L2u>iE$OMR1&by9Re*uULrA#A~=A= z>s1|nXO7E56@SkMZ2g^+{TlV!wi^xuM`0fla1{0>7Y(NIC1nW4`cZ7>AI6{rwKDzq zZ1|&sh>x{p;y$5X(T?=SchN>-2K3p6Un_^&H}d@BqcGS&Y75G9SQ{wM-6fmy93gjl z71kk@bNe^sIkXIbKxujDN}tg?%0ZDudBoy}S)nioVgvCv2@VIUrWp(`7F(zuEFoLF zbcNY7^Xr#0I>MZCo2Dm!O_)e^M}1fKIy-n zv8(UJkxL5G*B)2lv@Wzs5HvFzkAokp1qt7jV>}6#u1UQ~&@wY@vV-ccjNR!2Bxh`K zM(Jk{5>KUjTYjln-@EDjGlT!s3=Y0@LUCVBh~J}7^GhV$G==T(P34yy(+uSy&71Mu zW22kEuHVYNLPO{X-gaEI%k0Dv{WPjm-Tv}>IIxkw+tF)~s_KDkEVsRxpnTO>#H{N0 z<2?G{1k1-hCwV4_OSgvM0?eIRH#3k~Al z$ss@3I>#^-tG?E-27|F&W+08LXQl>|Wld%ud4Nlbpv^RyMCx?$%9iAgxs-uQO zLu7<8J5pxeb5vda()*3KeKJCt@jZnafumF$%<$WM&;0u-)PKU0a?}wD;~`wE8ggB^ zh(U(4ysS0y(v5;nRi#|2efbf8e>oa5Sp3Q_W_bhwz-EMI-8W&cgc-^barX^D)NB)K z=Y0%hR>RT7m7LCbuC+Z43P71p2$#FipLd*hf^$U8wr|o}a-LCE&UZ>TFf3qr?w2gs zPduq#xUF-f4uSj4*ve%vGG17PsP|r1e52Lq{`B>A?ZsZ z@&SiWut?NcD*1jYuT0{Ku052H(mu#5@f#hz+PA$Pen>;Vj%W2bYddt|-CDjf5fXcj zp)#G6-cA{zfc1O$#fljK|9#H@GEj85H~`qAt@pDAkmdkIvGVZXzP#=%B`Y+2k+gkx zq)Jec^(vi}VWCNo?J=FZ1%?^Woxtqul@har{k^W71s)gss~qp14N#1FiM#^qIl43`E?oIP@Pn zKozGPCks5{J2uKt$l`JIDfHyY8E*yI*+(}|Y~2!BzpOG+a#UFgM>yYKG)({%GjI%pe zg3@sa$z{ABpTKg455*oiPG4bd{=@#1I-ZBTKVkbV?NJxL;UucCgpT>sLVaAm!1gD! zW=HDQ#eatFk5yD~(O?yp86J;+-xmTt5%R|4b3zbIY8eoKyIKZ9O$~S^`ET8s*%!Uz z$R})noPn0@O{}(Ff}QHSjD_d{PuOp+a~c3k70 z0-MGST4EI~Mrntl4}Br!co+&J>=jdrF5B4?1D)$(qHbAw=9qC87=o1uga0))_Z%F| zss_v-f%ph77SWn`7sX3eJ_8AkP z=hSCyNcSZ;+mP+OH)~CmPG4q5OT{X#8nAfPuW<*^BXMEp`fmRMScJn)vzwVck#@CVxsiCVFGMa!@Zf~_&UW;cn_3!7r{x115uyvz`Qrf0L%T!>Hj4usOVO+&$z zlg7~}MAaEk-3}T+=(Nar`ETlZ^+u)iTk!4B?obGn^v@Q~6@1{SLzm|oUpilVvFrj@TWSKVz|kW{T2QzJ1Q2fq z;2eOa$wTGyG4LGX-P6KADQS=>E?W4Oz``I$JHv8+J}_0Nat7&_#p}kQq5Mq6E7_0{ zF3Cx53P7EU`iju!^HtUhu{`pq3@Aq-3?ih8Pwvm>wT|YzQe%W32M2{4) z(i6-8y({GzGLLO^a~}9vM;B%4i;QUKX7$qeN98|$E>ApZIB0F*KIpBL;ULW)`_p>>Dtozg`+B6hBOH+7rw6t~7X^ZiG4oug9~!Ec8&0CQvyb zESxc>(sFf#`DQS&SYTN=g{l?HTfDklo?iIr!O^WONope9b0&dGqg;ye8cq@Aao$Cm z=p8E^BFW_m=gh}>tyVgDAI>LS?XnV2F{`$`AeltAXH4qq%7(_VvlXc}bd&OrYSrDZ zS6tAKn^b-)ujc)(B14&WN`*y1DqwqMmO$*3x}q1SwfxI$KK&#uO?)ptAvE_<%Cte4 zbsq|>i>HM?dmFjh4;PR*w|m{rsABalk&8^pA(7{1*>(4-*kvxAcrkrop{@@ZwRl;R zZAO=hWuR%hY&i(=ASHbuNvAiAWq$1VX8TpiJF;X~iqoDP-OKyP=7DT=`|}s=xVJ(h z>?hrGBcf?)QXWGa%jzdZj)&*$d)yW9MrA@D<@NUM({YWqYjgVhy;=O95N5o z(5_XHh{2miuQ>-idOMutA=lbaG8b{Ec9i|3WZO=svFO;ro4gx4PDSj!exW^WLDudCI&Y{)Wg?!4B8E z(ss>GK4A5_v+pcNs@VDt&2y*jlHp$$oLqmtODw9t^WcTj%j+-JQ%(Z|XWtCXtiSR( zu0Kq>wSlJ%mw0~T$(UIB$}{)vQ<+=6$9JW#zPrf1RPprw3#)5ypFCCASZ;pxdM-Bo z>cbryr~59SeO=zLKJL9^?W)kmib?gmr6Z#67IqD;FKkr3dvmUc9tUMKhneEyWX`~A zbdWW;+aB^_0LXF?se!uNmRdU2rh$0rQ+A%(4mE+1{ee!NS|C9p zKsv~+O%o(YxW@%~$!UTFiDQdFI8zOfAYo+~99W|c_L%Rj3=ZF5RF7N^)}{-Ifvd%t zhDjWj72>a0%U#AIjAddJ!Ia86HMe86xiL zSLG>Jvy85*2@B{86P*tu*vT{nAGuM3(b;*Vy#Uk6$kj3s-aQ{)%O3$(i@0tVLFymT zTo6Ih645pl0fR*f(?pB}3ysyFCp;r-eM1FZ181g`UwWcv8P5+$oj=16xMa6uxj<{R z=KNycdG0;u0c~ZdJQ`*e)p;Tc9TSC2QX)s#Z7fGk$3{Mri>5&FMS&g4AyGS+ zcBnjv+KJeqjWfzu zNEq6gpkbfDofHq&nRg8&+}j&3k4SWBPjJ&#b~R&8^h`{MNz5rrJfkgecA5#tgpZNL zr|rfE%JT=eGlkaTeR}aJbNHwgzL-KL5F+92nv@islx)wN8p3p8CCQp5IZ+}xM}Rla zo~a-y*`ho-{!a2GCSFc#O4X^9sulWbZPe95RJnYLiEm1iSxQ|}3elaEN3hgFsnjO3 z)Rt4Jtx2gJrxdzEQo6Ob9;Qwkmrlc1kO=yw-M^U@vN4**2fdKPcOhZtg;+P^siX@} z+b_I0B|jmL_Rfu;W8zv6K)*hfo)DYPS)RU@B=-)12ADH~q%vOb&LAoSb{ zGIHiJP#uyq&zR`UGp}V`5RA!Wt`lPQLbI=C*3xA0N@j5<3-X$y`IEEq%d>>$Q$!uO z#F;gvR)uA}(2`!+QZd=Q<=INiT-(jj80H)?$sF!IIT{bqS_)_oA|ce9gPza9dZFiC z(AJp;j6#L>)G?WvqYUeExqEYy=W=Gd49ZJX&D%K)adpT$(UEuTSzdfr z-a&#*M!GlXH1==))liGzHR)rUX z3fr>_%Wf7%my>K!NK8Q%`Jju&Jqz=Y`~^jkAVlJ9Z_%seqSA+amWT5z%!_fZ#fJ-v z&o&i5m?~~iV7Mk&VuLPjbSSy0P-I_NV(nY2MkAd--+d<-8l0 z4PA=^%~3Tvc&H+eby-2-y^9DT9a1bh>~HCLbWyxQ<$HWC30y7TbElkWW3HT&r9$8|w=`L~_~{C{;tIum+)oP2 z7Ue26_Ea7Zsoa@W+0$03Hd1*5d1Z%du12wzp%Az6+e$Ms?tO|^4(M_nN+~(KkIRbX zqRr7NsLPduNmZ6ttM)&yl5(vY=C77ituAz^K1o(>QCuzTTYc$SwK%k=p^*Xrh6J&L}TlGCsc-S|AGIV@LFvW~v9s_At7 zOmcnq+j@zt`Ze=tLnU#vmrtJQ0USS%k?M4b>qbaJt^1m(SSIN ztN-ZbBLt)8o!3(idovO06Ee>*#{=&`d;}|jO@IJfYv9{WAU;EY3los_1YnRrIn#h* zZKRzc(AN{TgcF!j325p@Dv%%{+{nS&#G*&w=^}8=H1e?$gw`6_sGHDhV54~x$zY=& z3=Gr()PNQ@n6l_(V#GqOZ#fv|Z?1l(Me9rpUv!J!{ubTA7QM9=Y>!j*{OvHrR5U^~S!n8(^uqd&!N1j;$xU zZU}QWCcnwu^}6}Z=|ei$SU>uFcl zaBA16W7oJ+*W{V5J2SVQ@4q#@*7=J37F*e^xzw#md!X67fzQ1`zqP&iE8{Du--@r4 zJg5NSmz!;;A4>-lZA>l`y+YniseXR2!MpYyJu9Oa_BxdM5pgPh&ax?jbB8QBW={J? zg1V*0{_5|xo&MOmS1f2!?SsL2!{HTNh5gZouC_G-FDx2==#^p$fqQ0@j}P7O?zJj( z`q9&KtElL$JIIM)=U|fgPjSS&!7RQ=S$>um#*dN+ac2Z99rS!er8tAKFja!O`%!M20dSPk&kDfO!6KtE z%551oeiZtf>)zbQ&Ot_dEjLRCmy8>U4{w$Z795@<-eOlZJ(1$v`s;(pPn8bVF>C?b zP6Z1zBAAQv3-Uq}3iA>=ii$vk^D2FDcHP6Gl9~x-`iof)&5JL6(RTXY;OwYkR+)i= z-ZnleqPssX3b=CLj8+?6KGP$9JayP+*9B>A`c6h^2=k z@{Y2PoOLIw9=hD8*iS|(qJOg4yuGVoX6flU1;d(60_MJoCma4Z zcR(nkP7)73ft*al%!)*LPzXOF;$*~tFNz-2i%*GnBsNl5mikgIW;|EmZ=yEn#POu2 zk?e)n(UrQDP{wgP>NPaWho=ZX7<5*D}e(+jO8W$H0CClNMf|lzN zWg+gT(R9PSHv}$S3^i6_VW*qzN+O)-m{>>K z%H(@@TY1!Twayo4hR&6pN4@3Z*uvYU!d?;;D9nhal`mD7l(dLEGuD6>__6rPAyyw) zHfd)_`<`QQB{pSF?Meq8x+d^1jyHK~>mFtg$2UsnHAdO1*oe~NZ@KX{;+a(K4QP|^ zR^|~3LiCS8!&7P(CrX6kKw<-8+gvgEPI-Xh_ki-ip0T^^>4cdP1^&p6!)+u5|(i!#RCvb%puc)oHPQ4tbe0GJ4?l zA~B}OP)y=Vp|O{sVG8%%!kDh2Cq;tBCvxsyd{R(+(1zNyxhShF=Jifn<)cBpMaGD- zD;Fueg!a>N->;=9xa9Ge>fl1h{p+i*FXJdmEJ$?+nwXbLgY`=+w{#A)DlC;nMU+@0 z_V{)rU<4Ab39BtBnAKV{R3zMhA5kPryv=)~l8i~j{;}`F>`I3H#XNS70=W+#Y#{Ti zs)#9_PCQR}JfE=b`uasDU!nbjsOp+3c~MvU?7{JlyxQ&n3b*XH$|Q!Pz9=nU?VT?doyc@I4HM~@*UEjD>WXmcUh3(y0ejF$#9`_P4n&*@!%Bn2(?&l z3$Fn(bnlrs`idHU(X(aYNAyOSA1$}ab(ck+>>6c%yL=N9NXeps8AErva%eE<#6<5O zSLW^K7OrJ=Zb;wXotA^R~lS$__gW}cgyaD=_S zE?+MfzA_)-2A)nbN1n#(Ld|O|d-J_GE;DGAm_@LdTsFT~O+qNKKgP1}konz)K=(_h z($W|&KNzso@JNV%VQowL-~lFZ>3r@BD~C4&50zS%BClMua+(}?BuDZl;)edrC-~+4 zTQ5DXzI{9!S?!^WIZlPjd9qwpU2o+FZi`Z$yq!3CZGHU}t~u{1(aJUgMfYr=;@U9k zd`%0V!CdIRwGqbKHLcsa=ORz9jdD=cwrLv7$E2){@oVm??J(&E*E(zC;^%9-juh@RB*!>0KVa>v@t*X|ZSj(0mIw4C|I|-}CNT`Yzd2Mt~bM%&7 zuEHUEa@wLr&6=!Ndad;0`9BnYd{KPHo7&`tY|JxoSM`4AHrelEa>ACl)P3yUCH4m6 zcm-pQfpE(tbCJ&YizZb^9u*mVZZ;e&_z<2dyYrwdfoGCSS8sg? zPf78Xm!>y7hAtpJcH<<1Io=W^BJhcT3Poco@RLZCD)M8wEI>}AcdOiGK=Y60AWRn7i9 zc~dN*<9x?ko+untuwpYBd*YGHExFVIFBdUGI8IgnG9) z`lq6?7S?C^R9ttL`i|6bkTm8tQg{{nv5zspcNSa(8P5B7l`^mFDNuDND-G!N;v~=H zX=YmO4jeAxq)f~Ob2P<4+kYk+``14u%PVlWmg`XlxF@exZ&^MOQp~Zmy^ZQqM{u zE~!_VU-sJcF4v;I3$vB^iYo%x6X^cT$eaR=Tkt)x9Z|WG(l9IqL?uh`?o~PWOv5w> z!#P)@09$vCLsxW7Xqk-Z`%v7(d5s1mDXOod5R+yT^{<8=7ztYy>QfPsDTu= zvK3gFq=t~po`VTtsXHo=xQvtX1b;Id4L8SUasAD>8-xh=(}F#>6ogOaMOQWSdqG&?jp_zrEbO=Dq^A48xIRPhsVmR#ms*_%P2roJrIVYc zaF3Ty34UZ-4Ztdwf30Y};e#L;n9+e%bHtYZ89qd^Qyl7Kq6HTIRAAgwl^QLV>A%He ziW6XBugMJDnqW5)!oLY)5w3b4*Z-NKb>=uiyeTpVfFSk6RUk%z@~jEg(9&G!@EL)L zmms z=aYIc@Uy_9Dsr%2a3OBrCSYt>+a^v`*_Mr~5%?{B? zubK|JlFi+)A3iEt3ALJWF>_AV?zylDV=*;NK04PfeA;~yBUCNCU_`Tp&b3Qwa?SA8 z@xZW(ZVai&;y>m^A5?e-?8gM*H-K6{2V?o`C(a*&v3wKPmtpj^48(D?Dov;;5xQ(8 zPvEJvc_kx4P)8JKlPRMoFqQVGqq4Lq6vMngi#F=`cF>EX_uCUE`>$0lf?Y>xDpQ^+ z*{P5h_4tTaW&)ox2w?y@umN@ZS;-7n`&KeVpzWU%PIkvDo)X8!7jstb8jYw z8xs$G(F*r=dExof+aTfOr)H=!3FN? zo_nx(%jD?^&rR1ffOJC;!l4gVCN4ZGG~-i|5^d&6_jh^&K)uTCM>zvzy;zChbl4sU z54tBi8xK8+OmktdAA{=K3OYEGxg{ULiv=n?E2`qO5GXFK+Q>grQhDz^;RJaYS_Cq! zj@G{u6fQ+-Da@1=%sB{`cga4Vsp$E?Izw&zch6AYv|s&dU;Jw%GxbOLRTll}q^(mB z->9;1QiKol{eo6;kFjuDZZ6eEA0;iD@4L+ zxn{2F7bMf=rwzFGNT$Cn{0R!y_4mNN-$r`;@ukn24NJhl_zAD_ECg&*JvVDCMcvyc(@V<`QyKmY4t6TX z*^BJ#LPVeOAKAWL(B3xMz+pNUZ(B5-m+J8^UHbkJtRLSheuHHC5}NwA1yn5gVf^F} z6>zIad%-_INH3G@5P!1|!8wqpHWT9(ya`QxKjX>$fnbgJDiPGF?B+NRERJkpp=p(f zDGRf;*1~*oVI&9Ee_Bl1!?eE@69Jkpr=KsxB>r)`(xWClV2iDsiX6<-F3X$4m_G_io5O_-a;bV#3HQf^p$W<(eSmd#J$byjs>9tElNQxK*@X;K|_tpcEeo)i<8DjsP$MJn_aJ z+K(eiAXeE>>cPfN$&2_o{m6q=)2u0^GP5`gX-gA=ge)qPH_>S+X+IP;tBrz?nyR)E z-8ICFLum0_1?f>Vq(@XpQKfKzN{zNLG-5mRbpCY#T&@ZnYeoXC7ViZBY5ZZzf>M%= zZ4N4MVdpjmgrT#pbUkd;p@cA>hY2BN1Ar(7Sqvmwl;pXiGbuL~10glkJ(7Lfw)0Ve z0HriK^I_m=mW0R1O3tW}JhGI~3g6)2(3@GsFY61+bg>bFqSzu#U+?qd4r3!nqw+Tx z_9tH>rgofd$|x%y!62oC=WHo&Gtad!9x0h?Wj*;{Kw$oVN$;Hf12F-^8*Mj4z2?IH zt_$O|G*wM65$qI?uvt5eS?hd!WeJZcsb%N>qMSr1Bv0%|`EENpadJ|CK}dLP>bQTK zd|zR=OZfulm!Wua03iC=E1-77cP1*auO_N5u7DRm7r|d)UHEO?pL@W*Sfl^-6IHwI zXIH?-pRRz{ez^jk{p+rP!JlXZ-`Ses`ydKS0|%f09D@Mjm+i(pkti?-(*@uN5DdG( zxC>00qlX<379UUOQ^8^4D3uB0_$&GtAjyuB)Hd01o)=_3%F*$hKXy;sJPyvEL%<+s zrmZi)IDvvR{|gg*z*(euPey<&GC2#0c{Y_(s3Itki)Zf0#}Kz9P3PyiBcByy3#{fR zUF_01Jiz*8yox{;27PN3U zjRk9PqgC;3YJ3i`P@={xm4X^IAzQUD0N_%o8Bh~To(s3r%Vxe0CfMrcBAmmsStqq_ zDtwDD_A$DlqLC97cm|H9eGsKC>H3WT{h2G>cXm)hU+$oO@=CYOZE)akxY9Yrhb>I@ zq*;Z(ORatVJiTyl`Xx4yvYT*4b7S&48+fG)zp;~V2RjI;`<(mr^E)U|fClzL5%_|v zApT2J=wOlS{8j-H-F965GEWLdedS+HS>edm_{V%yDD87jL*f2}XuX${U@Tu+VEin( zS_l>z50;b2?DaVH7`)9n_dwLW>?hm>cGOijxWi*F<{|NK<1&CDp zYs&6y2aa0`Xb;hgiHQ$y&l&qGiKTm05QW)H2c{_KJ9t-%c#PO3i{-4X?yVaTMS3i^N|9UkZT#51&hrw1j;PL}B)Pb{p+`^nlQp+Z~ zOF02hpG>lE>UrL8ngqX+C9v9|V;)DR4BQCOiw-pkZ=v>xrGX7y_f5r0`l*okPd%XX5HRU=@I3{F`& zA#-Y?qINJK9>Fx;+h13?F#u9pfX5LzCilOBr1XEvowW2{`m)ww$UgQ8qO$txT!Z%d zX!^T%qyz{hHx9;)fD)GzU<$K8W=6OZ>%(Ac5kToOOm?^p#nf9GC|W&vh5a;#B519P?(&3u8%y8JQsADqmVn+B#_A>LD=bmO^j}6;lw#J zXcT}S^-P*bc6)YzA_WRYL-FoQN$i}&0z?3bInsIzc4oD3%5w`UhrlFEha_Z%h&oJr zl2*#2auYpt_UDpBA4bKcup_{f-Gm1QLLM)GC0DH3P{1bU=Q$ibR-ys(FM;0idVaZ@ zI!Z{*lVMD#w2kH@E~Oso>{#AIl0O}$%#O9H99Ys21c*^6D+tC`=;bk+XKf=;BPaQn zbrsP%IZ*AQ&X@INwK}6=DZRy)k1nBcmowjzlrUeG4iuVg%%k2f-bB7_X0{on`OhTr zUr`eEpI;PB{h8@D#5zJgYX^0H5&^2;Ub&#aEWv!nUP z4Ky4G)^836eWEX-4{myZLWB)8F=65wnm8!@8l1ocU};Aq8y?v8K*(nKxsOxOm7<_w zA1tZS^MR?K>^UmVP9XVj6BLsLtjxV$^gZOtMAYVAX z$>wpC%DCpBnW!LT$2Ka2AAbuQP4qYF@MrE_|JZxLg7rUG!EEM1YG|Mc`mB+#P7z=< zypIRGUP(_(rG_gk;ZvcAW&SZ2@L|c?8HsWR=_az%pRrlvO+TswNH+--*i0b*7X-xq zFM9=_|5vSGu2-|mf4*nzN=KNS68e0p0 z3W;IF?iv(*d1(OenaodnmtU?N|2SJdh8zAP&KB`SKyo{;Kq?ew3II|7hcggG%4UIJ z0t~aq60TDB;4r6wQk*Kx*?!_UiUTvQg5-8?OLBfDtCHk$Phb#y!D&wc;B*<2>D9YK zfK9LP)ITpc|KG11p9MrM1wVR)oBTY70>sZ`BBYv{=<`sV65+$-5__6`7JE44{f8+v z#pZVcbkQ6tal@$JE$9Bs-Y442$-FhIRYo=^!f8L8brc_k`>f&;0%lE#h(OO4d;@IF zVbv-fDmKYCD6@@^_Z;q_D#`uH9srD>meM@g0sflP zTN;xP-VjN@uSaqk%$jyy(7y_1P1EQXWHMEtz*Am5y+$-+^~bDfs=SqtS*RGpl$!7; zZ*PhkZ(DAAJNLml$qh(IPVLIVR3Df_*q-a=GoWG%k>m;Un0b<7t?jsV^lj7(AP%R} z5|&WYSY0N<`SQ9$a2$Yi%x=pUMs~vijJ5@thvsb5NP#zHyGet!rCkEqfT-aED%u(T zYCbx2yJ3LNA_TX6Wx07sI~qVC{232qJ_=L=qfF6S4tCnw;aC$=KG+QiCf12_cbBg~ zZq(T3&0{>VYue{d6q7e+6#MHN{w>rTb6nURiZOIrS{g0ziM01Q1gXb92o1FiA3UC? z$(jlUwBe~!*9)X4Q=u}@HlH)bn>mD$2WVg`Wn8+JzGq^~IbrJPsqpbzaawsLRbWVJ zi_?ZVmNxHF@SQx2oJyM>hNFW>j|K_TQc*2MJTE&)lUY(ICDK`<*WF8ZtfEtApU9OC z^AwS)+pW?fmG>{XX@#n-&H7yg_{r3&c@J=*vb5IBd&7x2bx=`236en5wnUa!0gwti z6JQjeY2`7xM4Uh@Hsjn(DMaqlLb^+Dj=*q8Zx+LB(&ciK@$wi6w?6@b!voxRggRb9 z=lrhmQ^XWtTC3btH9}y|Uv(c?dbV&I%$iDf0pwscv>Mk%=^mKK3%A}~LXX}0wRY)W zxnq1t#O8YJS*V{q`7(#Ju*)fl2>jc`xqp0}q0$v&+w9@{y zr}8hYJ}ar-wyIq}-LpCa(oIeujJwPY)4BZgx=KX?*m6JuP+U5a^Hu7#NI8BB_4mb0&?Gf@^u(1y+0Vtnlh^3u~=U!FnoUgL?fAb zsUHg%KDX*qL7wgLASD(-DUT)ikB-dnJECF!`y`VQ}ZV2U<)Be1fMUTI+-!F1AW9PiMjuCz3$J8?47I5n|u&Xd0W`A2%UW zq1}E=)HUUa8;@+j1073d+Nch_N$nb~4#n%-$-Qp5ECZ#14$ccH{&r)`OYIwNj!L5p zZw#$v8SjMSGCE}(qzvam7M$yk zH>H{y0&7-jnAM7x?4@(Z7qBEmx7!!>Cx_~(>#=F;iJpnY*T~t+zc|(B$QYZrRbOzw zmU)ChuxiRs_%j*KBCW)Cbomze3B%&UcXe#7@``7ksczNQFQe%zY^Zb)j_)vz62}1h zb8K`c2FMkFOvFOJy0n*z3F8o&#erjDi=9`Hqp%LQ zFV%vZpY$tih?Mg%s>O{+s+^iab}@^&O|F?P7#E^;uaU-KNR@Nsfl=2+kq>3~u|Sp% ztgjdf&0>wa=vYimp`aE>;Up&@)`KJAz$T>hRr)y}xr!}jzjATFTNf<^2@Tkj4I>ng zNLdodW%-Gigs0SG&pd+#X%LYU2u0k-Gst><4_6AX6-(bH46s;amECS5VNIZ>kZeOo z?-Qt8n@d z%ET!8{w>jcM*!f^S~S3^jX46rL_~8FE+lvsDW4whQ)BR@#be5Orku&Qsf|M8OVxM= zu_4dc7xV7o{CN)6V=ea(bsF=)M2m(453UW>-X`F9#1A6`Ph8nxW_sPM%_7uOE+|=h z7anN))Nz;m@i&Ei{ltuL2s!di1@rcZh18Y(5saP7*|JF1Ky$Gs;`=tq>ZJfG}=ky)<{gcgR7DE?hVQE z!w+`K#TB?$O)xnNhS3Z{uD5XeNxP)A>Fr!(aMx1Rh`lxG$ha^0UK+4x>x(<2%gfxP z00!;Oxm&#{gDHf&$-WjBXxB1K4w-;TQXVr?Uma!&$>c@IpClqA%-N>1ZNU-4_)68 z=jO8LJGgvNPo!Nb5o1x8sV>fkvb?ReN>RkrUUh__--1ZLm^w_(nuy6qbtkP|sEr0( zh6N80u~L?3N%NP}2+K7y&p1CU;q4vh$5qglQ-<29Em67$3rN&%AF&hbf7MH_#OhRb z;(|~GZFd}^hrTd8T;pIpRM`!k0(lh>%P`bu-MZ^?_dweYtH!}#CAY2SBW1P=O!ep2 zrC%^n;C4uo&0Y!=jhWSV;8$YlsF5>>E*pyC;>zeux7}D^5pn7hx)LdF=FP?R%H@C9 zI}b;y`~Ho89R~*o$H*pRlaOSkV`hhBg=7~A$x1q8ua3P(vPqOZk4*`QLX^FdkWKs! zjk~(LpL=zW=lAq4I6m+1dtBG+diUb;FwAS`Rf&jYQ(o!Ahdwg`CCbWD6*ZxJaKlG% zh$BjF+1#~%?0Vo4l|BKLMh&-#D5X>rIev_jWA^TpQ*xDtI3+#K>dWp7lpbdyiCz$WV zS$?3@QxPZmhCZ?9nFbYEAurIdisRyq%fzzIU@r}APfZA`Hamr`HlWw*CD`Ke;IN{p zg}3>dQtNGRyGCz2As>5fA2jscDcZ-S)CUcHcU$v8Q2L^w@1EMe-cG(~=(~TZZ(y%) z@XneqlF~0!$PW#Dk96{jj`oW!^^5QIOI-6q{d0T$^VaUQb=%D`6pn=|?7i&R7l))oH!DHINXyW@+bnr}R@N94J+*&Z2_`WD~b4mN= ziqp-t=$mNb`&RGG?X{Z#6%r(jL=)e!osp0jBwiU3+J_`uN5ZH=NQ6VkbVA6TL(s%` z>aq~pz7YEL5C*DHCgD(KolsWiQ1+Nm&azPMzEGa^P&DzKUpP!aCrr>eOlT)2Or$JK ztS?M_Jq%72E-4%?trITm94;3Vu22@P)EBO@91 z9$`ooX(SwJq7!N69BB~~iH5#g^+j5*N7_(D*$GG4>qI#?M>)krxs*k@_C>j^N1=)D z9>UR{I?>+F(Y`U!XySWdUv%(#G?FSNR5%7re2;XFiH?bhEsKfoi$N3Llc{1;gkw{6 zV$+>t(Zu)cve?|d*u3@Fe5yD!<-Jg6m-}8C6IWgqSJ@X=y&i|AP1gy>H|WGSImfr4 zS?^`>ZGG|W>+zjb30=Yo-8u(EGsLNJp3VUkaF*Tc z8I3q-05)soXTg8|lieA2*g!+?XkK^F*(1@E7DElV2lXZeW!uW$1DdVNDBzK-K(;2G zf+xNNi-P81;?hTSvTT{8tnO9Lg>UwdHo@e}GpsF_@gojjHN5$P@c@;yO67Y%b91!k z5LJ#<-TfV6`2^z-7KOxBN=$~AwI=(paLKwM@Dz7NApB+f9-m=50<4Yct`;taHJ*_K z*QGqHdVHHQHCk2>qqE)iIR&f zsfl)s6Bha;@-T^%U^uo8$p!P=r2q+;`BEnNBZSOy43e_)@i)a3&=AFeb530$;N_tM zeqw+PSk4y!SR|A|065ahP8JM1Ud&;RR3y>JP+%w2@PsonVW1NCr{O|?nOR2tFlagIz@NFgz#@i_X$AhNd zGRcy|>|aVqLEJgA_W;dIS=nldVhtiWCu~zV=p@85;u8+ z+1M8_37_pTu1JpPRLnPVUCNRyw67-^YR`F7y)|=2ss=q~%%lEQ+Iajp_@EQ!HOCjO zZ=5O}Um~7wISzT&D51%sWU6Z;2lwY8MgmV%FAjxjsql|Sn&++W+MR_5uDbGwG-6X0 zqM1X1c_MW;qyS)K-?{3IS;$%V=Ic$8d=v&=i2LT7MG^!;(iFJlT24TVj+fdSGrF+> z#B8V5rEE~vnY&fypDV&i(9uAPAldhi5wNh6-g}JS3dd|I7_DPffxCP@^D{Gh$?HCd zmq!QG#|a%1JRizz)}92vvHKX)5>xiVF$GLJ5|sCVbDRwdcs|;Dz_}oK-?c4;UA`1m z2D668rzlA30*HX=_av@SQDXR|a6RWp~q`eJ%g$8(Fr!VM}%R?9~T z&CYbfmunbLL3*rCNr5TtWmBWeeSp(O>S5CvQ|CZ4nU@kksC1hu`I&4JTtis4^)hqo zOs%*BEjP{x9{j@Cl5C1r~ zn{U2f7MZkgoC+1o!lA6@svM5I| zxv~uHaO#*TC9Zm3#s3OY;e&`qwDv`aNtQK~5^b?mk1+CQukIZQ6rf*D@#Cx09t{>7 zu{ZV;9_bxLzF!vYX@URLAxg*ih#NL18d@O;W>@qf&$hVY7YVko#2LOfm0Eg)IxH>R zOoW6n)orR_eYwgQ|ayr zYK=c1?~kB=!#2?IU;Pd7tVVw6H?+12W%g@}`}{YQ(YY@lc582fzRDM>bb{TtGB zaen#@rI6)aXsDgJ?B^bZjL0k587BYJo>vHWrpBj5{74%K=AE6#V30 zpvHI2e82b0`n?z_I#GPqv!%A5CcnS>%gS|DMeuV(!L5&og6L0(g5d9lDELLPFs0!U zkrk(?{o>d7^`h^1RTVWZx&}i3^%K{>^j}OD#-;kFz`frKvUd4^MwQd!;G3 z%<04I{?i8beTn`A760=kTBb}cNkw0zY39i-%a?A{qARanlm+bUf75sM%KXdLoUC0+IZ-O=;V@P*gw5v~gZ+2HHhJ$b!!r?6F53X{UHY>Uu;85D5 zKsw$rw3uoN91}5(jD8cb4>(YNA|mgH#QYZ|<^%ubPhSG%HRM5AX^5pCS_`$#XQ68t z!qFj-BnU=+Vcg&C$=X2@zuuF5|GxUnZ|$q!KX}_g8d2KaSP}kF>d#|EzE@ve_?Pu$ zE?VfGtO=bWpnOnjG^nP}cQja?1vPpzT@3_h0k~0}Sa4P<`Z)?DxvCVUR{^h+g0RJhR_AhU`Gvd?GTk}VJl8)8r+h^yK48;z& zstU)pzFU`eo^4lEIyVm|-K4l){XMu~KX1B^okl-IP(S)1zMF0tz3ER38bhw?qX*ol zEO0nTPS80KgiD(Yqf*h7j|X81G^9r8fuc;K44F=#qV~dR|LJ_6|IhY~&i}$MuMiKB z(7ZdLNwOjXL;|%^k$f-#6`uI%X@_&0%-@{b}rD07ZgA(H8*}M^vap zy%_rLk#@wgD5|}NmyisDkoammgFX&@={;QYdG(dX&leL!OXm!02rzCFJp3uM=g+s- zoj)O%Z(>VISFDc1>(K4>FYw$~qqc#?s-1=X|0%@lmel;Lr$Cv}otkAs=0=0Bp?spQ;rDpqVQhq@LyfYL)3(1YlN8>OAaEM{8m@rpqxcg6g!ULc><&afWO zF3MSQ$Ei@r1d`R$coCeS0(R_Irt^^pwHWZlX(IwmdBBH^i*tnEnpP*^cw>uF!>7~J zPI4)~i@9v+o*i(n7`jn({(0ubW^CTHRkG?Y6UGKg$=!7`x3K4>lS89r1CynK7TC zN&`6Vsw}0?1*lr9okP1>01p8p zB#9d}*PF_v51F=lq?nEF-r3gRS!@a0DG@JH>)uL^DH2qDVzb2^u^{eW12hN|i(w6X_tKz;&?m7;1q*l~~{W z;_9H&~h9sWz<<%vw^c(O{Y?LBN_zhQHMvIyMKVvdr6@t6ZJC8YeCHP8bGsAA>D4 zVygP)HF}A7mfDFD(lTH&dO#{b%J_(-8prF-N6PI8$zfv$&g!jCkos)fzM^@yy*_?_ zf6eCG`jgdLt51@y%fba1t0f*{Vy-(N#jVl~adt6)h!Zo4nYM0T1-# z3};waZ(F)xNlejx;@TC_KhEj5V?& zPXox{h?csG;V5)^P;01TRJjYi8pEW6Heid|Se&}R(0M}_ZFqUaZew9{gQoDln&A8- zTqOH(XzWrdyFMWSS$aH@BsGyEC`-v);nWFz1c)*-OU3cQlSJ8Z{L?KUiu_K>BT56O^Mjsqn14e>uIWq%B9KjunYY|?= zv_Ro)bfzua6$EDPN>P3UDOA#?zjvp9rMUFb9c#yj&tGh;l%NRmY<%KMFxi2k24x=W zpa8vbk=3HMYkBrsG=tN+j`w#>I^^g@CXig_us*ADT+yI2#Q{XhfR-q#B3_lRD))`^ z0G0R#)#0nvYme@_tv-CYy|G#Y5auIr+FrUVG0@In!LPo2I5eL5tY}tw-Ufo^tDIS@ zqioN=PK-d{1{yP<%>%w6w_mKt_Et1J&iB_sGjh*T0~a$L7v&UL63F_0^ncx(kXF8)8b*#KmN*ct-+s%F2#xaazc0eViUhHdE0VPVRhq%4~kNr7+W-fH#YwukUAu$MaVu;*T z@Los|jXS)=`4L|JVdtnV6X^b-PCu1<@Jgr|U)1^&hlK`sG0h15<#RX`ZgyCl^HA2w zRp4RrQn=Q;z)em#Q6J2){1#)4#7!XHC{QkQ`xYcC!r4F4m| zBZR2@HQQ4dm{`(qGWQiYr-{m2aLWi`Exd`5JON?2ZXq$vQpHuwzns^}gx3?*RW9x2RY;u}OG~TMs}GMvu)5 zGEZXzfcPnIlBh}Swq>lc6`e>!9Jgc~mrmTQdCUS7s3#f6!4Rhu4!P@dS(e-~=`_Sq z)dY@X+Utn#A9*Q46&n|ccOf5|oNsb4-<{4E-_6i!Y}w<~ieq^3RsW}W7i<6>2K+lk z&@wGtlYGR)Q(bEtD3TY8pwmrt!h_esWQomS<*4!cs@IDn_)nH>x+gB9 z2Z68T?TxDnF;51vR0%ATq4G%J0L(Ws1S?U-0|)N+R?DEjS+wTYv!3dO*0DV4`{RBZXHeOFB2;T-8Q3`N(0%QB2J*ztVhODKEp~{mOv2q3| zxSMSHRR<@%0`dS}3p_m=;CMciJ{f4S!R~(snvK5XgY?233SRa0$MC^-05I_lt??QB z@2%-Piw?o*1T0a(c**#Nz|E8)9mNTxjuSv4Zv$E|Z7kJ6`%=QYbT92p>B?wA&H}(b z0O;t%MNLB@9q+vT~gDPzzYT;3%W_ms-tRv<)4`5IS zRTByrzM2_s4-8rhv%^PPXEZ|GBLO0taGy@V6M&Wi&=h0{-cZDXne`3qXkGc}PV%rq z{;-(SVWD-nAa`JBpNT5D6C<`RG0JH}D=6s-#%W3uilLa}BV z=SywN#;1zS7&uH+WN&Tu`s!(#&~wIZXkOl@aI0zh*0k_>)(a-YFanDqj8iato+v<@ z)l`K%GxioUc03v91OxH9+{)~sB(<7J586l%C?|EGc2cv= zissBXY36OJ>ny^N1s=|HykG!Yi#77k?3u`v;>;!}PY>+(4#Ufdqb7~Y&a#Wm;lt29 zE|}v;on1YX?Ue1*a@yG^JNp?HX6bZb=5kgsXKvw4#=UH^5RqJ0Jn~YP460knPi6w! z`!iGhGl-kdVd-YIi0D7q&=2g-ea4yEd4bf1Gkf>~tY;?gwQdGH!Www zMe-o3c||UH?Gbs8PG6X%&ROZd6JDMrftP>#LH??4zCy^I34an|n#@|f0+Jjj8CjT7 zWHvUJKBOX#E+D5%mkixn@2AO)70IBqyd!w)Zs$(_-Dmz`$^}lCeD_#3@55;dB}EIR z&lJjDEtHEZRH!IadS0lqS*S`=q%K;dai&P~YLRwak#0qi-t!`Z%_2jZVk6OFlQYHG zjiAEQXAhzOy+pY!&YZd4Uu>6i=u%Gc<*Owt>LpA5C9aAbN7hRa&p|FUCD+cB-XtmY zXnD?(J$EUp>l3%e|;qbVE48O90hO{o{PGejpwrwR< zPG!3&tj)5ZBd7AQ==~=F6+Kt0p2b!5Z&nUGuj<~($!o!{uGy>_Q>>)Vzuk4Uy4A93 z_G-o4X7zoVn#IlXr870TmKAFiWg8VW;m>QfpO*r(DA|V~>^2bC7KJxZ4u%%vi^1?* zQP2UD!6phsT#GGMOV(CI4h1L!Q4M@38nF^4vATR7Fc+2iX>D(bkoi+Q%{3~B25 zXNv^%>h-SH3sn}0RMu-huNSu}g3~r=h&D)b7sD@EYYnpUvvJgvOt!O&)yvaJg$cDCAOSIWuugJl* z`BYr93vH3>K=aAXX2d|Dhggf^nHKN(Lf@VEmJ<~%fqI3(TP;#Ft)aAq;d-sdueL_# z#o%=%qduXM2|XmM6`Iren%=xg!PJ+a?8@Zr>XL;`|Q3R^}*8``aNf^^k^rX)~)K%>gh4iKW#|&R4uL5 zBtggQ+S90rrx)~ftOlQkEkCuP)3H1D?B?lb4ujfG3C{wGp1CGyyS;nnv#-}fU)xi^ z_r{f8Upj67s^058y}^T8NV-0`BcRA*pk~{?Xyu&nAg$PhzNmNk3D>leF4CqYRNPkX zzjd)cC#XLwsQqr0UID@L`&I2l7oV5BZZA{TuXyyl>R3k&!9eZBj(X*RMmk;NYXjhj zfd>aqwha!X1; znW`5RPhQO35uT@e8GZQWlD_cDwU@48FE{QS-5Px9^!6oSeH0`v8QoGQGJmoxE{F`U%5*<0j&oW^NPbA|@`pn6TcSu%Vx{6Q8s< zm~?QPbV{6bsh$iu*5_I+2MV`%OMQ<&e53a>BuM3Nh%z%JTtaN(~OAeP`jB-akj*{X)y7tTmx94%B%bI zugZ8{5p2%5-gwoS^NPy$RUHouWj)(yP*5Fww3!fiRQ;-i@O9UVR}T}9KH8qGRhfMf zJX_gb(Br0Fbtav4`*qWtcfQgb<-WPxz&VPvxykl9obkCr=$i%RH>FB%Fiqc72EJKL zeKXqr<}Kko*76(B$$8+?{8sS%THgFp`~3XeJZS#{$?*lUvkT4-oLso?du!aHx_ z`vg)Zy9WYv4Q{Agj> zu!h#?_)4qVirIBqi=>stf)%UdwAMQ-wZyA-9TfIwS9|?ewJ)!_Traq`vx?Zi=5c(@ z^X!`U^)=t5HUFA5oj43iBu3F3D+Owm?j#1U`|AgcNrC%m69P%1lW4?sN$Bg#W0=Zk#-vAeM*^PS z{bWqCc=CDnTa>BRUCcLlJ#i(k3~H{GZSSL{JfvC;B7Tk)AH85y7sPm65DH(AZ;X^N za?mSzZ!i5rT8BeElhW^vNjn$bKqTmQ$>iwk%NB|i91?x@jc6Q-d3KbIjj3jPSrRn; z{N?oxSjhh4P%Q9uFn`8N1Qx3=jR&3}JFUltFgv3j`iR}CN^CHGgNSsOpV^Bc0VamJ zEz3&KdZ4c_+~hc51j_}}8-$p+k4J)pCY+uViO#|dwZ%YJZV(=w1rUS+Gnr^YUiRrR z!lTKiHwct9(e~1`K^vdbr;N}P8^aaNTCBYjYv#EHEDDRC_L;j--aU%VZ`U=JlT##n zb8=?N22rEQJft(dP@QI4}w#fLQ9F( z8?e+!M29oZ8kjGc(JI=qQ&q))E%)gj&%ONQ?A0ddbF9b8ryrVF%GwWJ+}s&JFk>D` zw!g%}Z4Z$?*sL7RPX@PldRbq`APlvrLczPh!d9!gjNDJ8Ux3aNu1`@as|f2tD!I$y zhF~n{nHV7T+8vAOunxDEbNjJsHrPy0 z)~v5welRrGoVP{S;rjN5?~e4Tnq}Nh1Q@D`PnaT-(?IA!s5E50MFCHN@_IatO_t!) zj==Yay6=ph#pcsKO75Ym%``@XmtiD%Yxbu5+gC&QoBQgivXS1Cmxl>}jQ$fMv1L#q6%Qlz3L5N9^skp#||1vk_atD>m5pMQ zY~pt^cRH@A7bIgGf_(64$ zoyJxAckFYLoL!GY3RBmlvZzmHccm2+riowWP&&u@B*r5*UGN&E%H{0*gvD+{@pl}x z9-JEP#6_8M%Gv5s4}NW*xsgdM_BPk#U5rkLLw6y) zR`CShtzUXo4?I_{r4G!uIFefji_>Zx@h=D_pfWk|ytqkSQ#-PXJD)$NPtUgae(46c z#W|M#$LZOH>C0pnPCd-(xuDgVUhw@~6wB4)-5sytdOi`QjZ3-l=FHYOC2USnORTo0P~f~O(qU2g|mwDU02UF+RQI) ze!kWu)Lszm*fvVPxz-FPyodBr8e^iNI>{nuHyoNW#$x=Y<Z!SK_6olTa<%s) z4XnmXEc)2b%0i+l^y2x#oQ2H9FWYqGPQ1)7+j&&wd^q0mz@+eGdb>k4LE>AzxMOdf z1>LqUTY(NvJ%g2Z<_Qa=Xx*NY$w+@3EKZPmAV^$+;#pTftU$V7>9q9u@+Xv-%eTZ2 zUMNSFciRac$sSIbIbD&~ljp6Udsoy__nB@*Nz;|QiV91ERqDzbY=``2Q7a>g=atQ} z4)>l^SeYG-tLpG}D9liPec{Yze{Xwnaml0C)>k*54-u9e?c?>Zi+i4nDO{r3onU=A zfJS6Y+_4O|&N{i923U1lwHrBj$)!S+eYL%$I;{Q;V(0k_oMy*59F=*m!+J7XZfikI zJhtR&l_QiLrAQW z5TE$kJ(}%#-;W(^n3*sP-x4}NBYYoFbIXUd7N$%N0vs<8Z z?i+n)-PVYh-+?7CX@LCexl1p%LBz1nIDlXP0{~&({plk7!G)E{8&J;;-Y;q5q-xaQ zL&jx9Yr$t+8w`?gftH1&)`w7>wBz6b0VRL$Hz2Cvny()z{|t%OjS;lL{+T7?uWKO>T`gZSM@dLz2=GiT1f;!~Ig9H(S<8UG6W0bPw~Jsb)%)U6jO0Ja^Z2`#o_K}k@J^2z``76Wns z&eAD3==ySJ<VE@U{)p_#6jDEk?|I6~Ul?7I&{x^AD9<$qnYs?zxyrz)>vwwj_NtR2jF zX=|~a;}G&~+X*7trB205?=E(~b$hpR%e3R&YLPS1_FBH*$?f%=n48-hhr{%aZO&g! zciUQW6uka!&Di1k_SVVb>pOr++YU$$RR_&SK$ae2khY+(KgB#rXceI4;b;!vMa^2m zZIc@e4aqnsTEbx7NKbZYKU|6EU(v7p0te7Et%^f;!T;yhZl#E!Ko$lF^)v0JR|U2V zmeR&FcUEQH8x{gDha1pg*fa}FEZjsuQyG4fe#K=mEE$@{enS3%dhBAjPc9Q@S=xis z7jh!<8pyeg&)?DMTC^(}i#m9j>W=>6qE7Xe>3t85HdEsJ(XAq^{5R9uOv!U%+G)uJ zZd2u+SAQG3cM)!VWbN`cZU~wo)GXg_7yCATN-0C+S!=t)`-`yHq2yJkvUS#gRm7SR>dyrT? zO!rnA|2|2TYn+G_&YpLwMcH#@oSHqid+r2h-rW&>bst#pnIsx(Hv5Dj&HzxTP+s{Pzt;azI{T};crDEC}@`|1y6J^x(Oy^AP7FC0F}J=OO~A*DyW003$d z0RVVp)6A;)?6|1VlbWrh5v;c7#v|=GY?z}AH3cQ2O=g~^bKzyb60=?OzTLo`}x zF9qm#E*!qAo9d$C#UCV;U2N{$#;g2hp3Pls?&j;#$@c=PU2N{5t@#FuOIr)yADdek zhC@Du;lZ2lj=R)?N!NmcDCB!!#w242r%1Tl+uUG4V{=c))se)`d$OakxxXOyjIM*O z@nVXJwGa`yQ#N=&3w&j_7)fwR-g~V-Q2WsbQ%uC~E)fKOwnTh}y!+DjLA*IU_;8o9 zb?DtR7P_MzuJ z7?vbv61wF{;V{JrP|=s(^4=f$>m}m%E5e&1;jvZ*B@?k1n>hMnaazusE93ckK1^`+ zz5>U%hJArDnHJ-~)GY&IIQxlx3_o(0pXxcjUVdiib8w~CBTa;@5se5B}ZJgXpFMqA(J`CWb9c{~>h{l4WuQ&V;6H zw4ehALsd2R0tXGpBWn`um_ziu(Sd`8{^xfC2lG)eR)6Zs@m-sa*Tn-4Kk#e+Ow;ip z2Pm%r6NU~MWMZ#HhYX@E+{u`HlC`+9Fh;7jA?!n4weI1a42%s!kb`!TKp~QWqk9PN z+pPX?B)JnmK#&~<8hv(?+^s$&x&J&y>_^Dp-iq&+ENXvvWo|d$t@&q{u5V)w z-aRhAO)3ZMoIrtoQ;e9^O&r-NcbJH$CyM~1lxk+(zR-Lx{11+=PZ?rAG6esc$G?{$ z7z*Mn)*b}$Gzsa0!1?T>L62(DCiGSgBybZ>ziNz>#?AmRWd1z5^)KeM3bt&tJ4|r*@efOW zc>H*u+dX#)6h8t4|KqgRWu4loLo5Zr|iI+va-&!7zB_)8~|S~Yup~j z0H6sXBu6nY&P56jM46?(4-1@#E0OR6{`qa?|EI_Q-@l4r;sjGdF(mjiYtd1GHyE~( zu@2YO5}3gl8KJ`vKJ_~H!cGPb@G#z?MM%WW&+^r&iWPbPt$L2Q^23_P= zNGdllguoF{;JWo!^rf9c`&4{4BP$-+7e;;Gj_ozrKlt9ixJr!xo={ z5eFkZp?r*Zr`YTE@qEF_dk@3>-A%xsf??)pxl=p1(kZ?dP6g-MVj{GQ{=TPwIaDV_ zF^Qh;z?JEa`<6u4-jy%U?K-uZ2NE_M-;6%Vany6$aDMx0^e@Cvf5pke=0J>vKA=+t z!c^&3O~N&>PoTn2|7ZgK)+XTJK15j3)a@`bKmbf97!l<>0(&+|2AdrYFoE468iq2I zLNGjPum?^!gA6wWAS40b!0k@{4Z^8iPF}tc@fM>Lp$EIP7p%aSsEvVy^h@E?51GSX zAah9Z!i6QHR|2qn03cQ39SI=gK~t$A+^Qp>;Zn$GFd+#7braILHY!BQj#jQ=&1a^% z^Mm{l@Z+(gDIhtX^Jxf<{%Ax9AT3<$ujP%K9Ed}UU;-o+aMPo$7BiSI3@h(J*(rhK zi4e=;tVvfc9t6grBhvZ4><(_YaQ~~UoM%C%th}9A56K>+rG$$!`yEOoo3sE0(^KQH zhiY)KzvwW^y5>u@`J|iv8ONa6A=W-Ni<0E;8zE@v!+1 zCTGEOQG%i{ObD~Q9*9!o6ag=4NfLa&ecJ^uI}NXdDZ`Yc;bKV*56rqCcZE|`L?%V_ z)lKIa*<6WuJ5E&$tT8!6CGgVW4Sby(3daB!vR_0&n+5aXanzpdrLP37_%0A}r2^67 znyw4Y>Bn*pNoZ_yaka2Vu`Z%mZpSV@+~)ERb^8}1OWV?T99th6Y%E5hpy|9m@@+=cZ=+k3()puW z+ss7X#&iaz3+$hEzuH^HRGFDFys>IQ>YlgJW=>ftkr2dJ!`2^J+kRv1!u93a z<#E{OYnOy?4_hCl>Sz3RBeVX7we5EwwnV%E5V0m?2!l*FlhF+q(tQqt##{TP5WNTc zh~FXyV#I$Tt7Rl$CM44c1V&fVpy5{bP7uz}l(7`X7JI4_7<%5s@d$mEiGvK!w23`I z^x9Z>$G%R+2yIRuM7WNFjvh$sQx3on{P1**BvAUM`H2A z+&OIxF)1Lm5Oo^{lH6o@es&n)h56qoRbOK!TI<9V^W2lFOZ$9~s?&VvxIX0i?j{uc z{-I3%=bKp$k}vi#YG0Iyh|f!emOHD(PeWOE0Vaa*Zyd_dxxU|dGYdb6?watK0XT^E z0t5vnB~t~wn7e$2z33d+JHf*+)scWVw(LlMECw5tH?9&dAqWC#I1mVrbwv0aW>p;x zqE$h*-voH6#==I**pVRF;9h2s0{=8~xSsV1AVkRD=>Q1Nq;E7rKfRTX>K-f{puER` z=})LYl8o}gkI$M&?9m4h+L#9!{0RseZYd?;X_vwiT?Jh_6COTV z_!m=C86X|X1W>A*Z41AR3EoV$bw4g$7A~-3i*qQRy^JF#*MEaHErJIXKovVu&Kc2Z z+agIvt~n3QPsH2gh;GBcgoEQ5>L2pDWX{ZH;K}LadQ;|7&K8d`IRX(4FS0J&A1|iS z^OwG7k>Pu$-13n1JRx|*cS*tJO-)g&@9hu^kQHw=eYW;|Ewm#&#fM2n_fkDs&PqO< zn2Xo8kv0nZbsd8vx1GiQOJxf!f1@(&zpO++{#QFLMRk{*TbHOad%SpOk6I^ke<(ibX@DYpG5ri+3JUQ<}VP> zV6h+(XpXSlh(CF(6B7pKJ@x~hcraB2aCibT9B_1I%J{|+5+oesIJxtXAJB^)J(Wl@ z5q^eHdx=10O~03ZilAgnz$evWJc`Z~H{K8M#hr*DImiL902&?>aZ5cG7(g3_1BZ?fT$F-0piMu%vS`y!WJ?1JUdRDCF(YE)t_D_d+XHH}a^wW+GOPw_2hM=u zl(=0oY;M1G9L43~B2j1Z7Gsts$&&Noy%+NFaQ>-1`y&(FH_l~0gg3*x*)qdE4BmU$ zGT(3#jzqwNghaj!$_WXJp7&&(O_r5qmxM8az1TI* z$!ZJ1sHwr;Y~hTuRuF)m1nk4neG7K{8^W8w6tb@uVtgm5Aja6$l*D|&A%R4E2dJO0 zHysiA*&XhO80Y)>0YC^ix~7y!q4TQHH6@tE2Jq*`6ToLhhd}Cqa0`7$pq-B`Zu{|r z@=pXFW6c-|=H{7a4B1VB4pkzgK!J`3a+qGifFR)Er_6L{f)shO(8NSo9ANN65}cWl_s;+fCh1{bu|F@Mo2jrS(zf82emx=BW_#NRG%Ca%E;p&>gv=|z?S>us2|FrhH$8!#bC44@tJ5D88d!SBPZKkX*|$Q<#FDsk|u zD)EJs_g6*zB7cLZ|B0PWd*!-aV0#Q(l1kO(rK!%lS})rZ{sOViZtm?jb`zgKXg`=F zx$||(E)#eXziU(A1YUl<`mVMZh3=K*1qBP6=YPI=; zN%Ap>_N(BA`C16uzpi}zo3I3bJ(J{9@9;+^j32U-Uw`~Rm?S?Q{~v>>{$P?I-Ukk# z@u+)&0|lea$lnn-@VxZ$s}~;v2k`g5$D_8IeKt4@ejFUCJ`E0T3#${uwNYm~s;f3v z=l?PzQ1lNb$-nT+|KG1U`$w20e`nt=Z_MC{>+J|(sMV3JrZH2%XlqJR4; z;-6rW?9B=2e0c!#H-$M_@I^LjgO7W}v-6Lg@MpnE4=*KwEBYQhD<0?^YNG7UPuI2N zyO^$+#CvVRs`N5*^KH4XpV);73PoSC3yl&a9q?-JnX#oDI}P;o?e6Tv3T z&p8}7S;IU*ZC$G7LwkYJ$oqgxCb92+|7a#ZuGnZ|e^O1S;lOTrO2!+wBTlz(2rri2 z4kYjM4M9>6Q>6w=F-<336A=8F7BY};V5pwp%zv>Mibfw;nTShcu66bVektvFn4g}#g{JXLf{_Q2= zD--?ys6*B?-5chK!mKEKKrJ@p4g=rktmmHK%j$Y~mgg;J12d~c3U1qtwZ+(HuB_6T z!jCMNz;V6Z6H=wZFgt2+d>@&)R2wefKmtyv*2wrW9`zec5)1ajs7@$*I3vN8DXD!V zkNwmOZ;>m@$sBe;2H6!d(7&64OU6F_oJq1=RyDL@Zy38@; zvg$LyFv;`a8Rm;U8MgSjg9{E*J>|wYNp$fg^Dl9(#kuLbmcE{7i8*n+IzG*A=t$q z*$soqiQzgom4%@@h`Q9k<)iH5mWf4j!GChJeNv5mMS+uJJ~zFCv6%muAq~O6wy6@J4)gI*!v2Jt{jb)Ec@c7Zr68PDOG7G3{yzK?VYCd$xQkpN)`aHE5RCpeJk9(P)zb?jF5 zx}qXSZE`LZZ(U{ReqrrqrnXR6x8;0c^Ph(yyoCETL1iAQG@}NgArjs|b}d z(tnSB!)xdL<>yxX52)OyiaY3Tl9qHbr5TmTMCfUC>gK+A;eJban0^GxDe=9E25) z&-0oOHv(Uxidzd`FzLy+PmU6*E%>5*$iNi*JGiY5(;j5jVsk=cAr!L^&DVzui0eE@ z%48bwrp0LU!k5!`Z-t9CO%B!UBwQ-rsYP~xRKSa5orR%%@ORKl3(Rt_yi7pzkpf;h1>G^-uv>s$0C1TI;=nrD^6TglV`b6h|X zra6yETKH8Msol;X;T1W0CRhh4E-1t>dN4&xMp5_y2Q)U67^vMqSLz&fOH~n)$I}DA zA~g!}p$bVcJ8*%}fuT%-{oGjoHBC7W7^}z&_+2q&h#Lqc_4f}M#4)RkliZSh!=kt$g0Y zZFgyCa`kIj4dl_Ljd!!rW{m^=)Mg>%o=NW{0W`z?3Gd4c31bX;jCJT}=7;rK;d0lG51jXurl~#YRjr*EOSGz}e4X<6`N`y4NM)78!lrE; z6=2H0Q$2bXVYeIoX%hRixex9ac3r39m#)sdOnJqFNa~kdk-a1|2r}7=^%q%P|9Ev+ihDoj ze$ARru+YcS>6L=#QiH}wr<4|+16bI*4fr*QiQW8z^3m!|>tMmDh3Td04>Y~@4JXmN zh2MC0-+eJSmzd4tI&6}w-uBWJm?xH=e=lfUALJtWjEVQCSF8T39?R9Gx%{Kv((2tr zX~7ja-lf5?>F!MF*OA(9oj6MC_iw(D+IY%!GR|9dQ1OLl>$&vgr(NUHdZd(*JMU>8 zQN!UguBOJ|z*BzCnUtuf_1H;Ck5|)Tj*BYJ_oEu_Z~9Z5G#;EIzf}jD?!2Nn?Gcp@ zADnr;uN!mr*+DvDj_&o*bHw?9`SY_~-sZDiI*;>jF0>?Y@R$rl4^C+Z$MTWEse+RZ z!wHmRpyaMZLarnoFj7ZXoN!l4Js9-nxLeTOuonA^U#8>^T!d$ik5sT}x`L?yJw;#T>7RSGj-w;C@Z)8jRdyPS8XCP)gC!<5QT2N|luAn8*08hlZn+ zmYC;=wx^DmlwP#wV5z6kp``JlXD_jrX@{hlo>%8{FAGOW%POz;AH1x^ByGsOn*_b> z4khdzz2Aj-J5@oSq@DeA#fS5%xm}f^k+TMaW};5Rw>H(w8Bop&^vmtkmNn#$Q9| z^;sCNhH7htvQn_H$AsQ23FV4m<~a(zP824f%q*lICWm|$CPu+5UL7Vq6n1T#2}Thv zArLMf!=(5!Tr@OXMW0D^Jp2wMVq!O33!CYdegx062)#~5gX)N`r3hWDNYks4X8Ms2 zUq)KQL|RryT8&3qA4S?wL`{}rFla>CQ-C41QFl|K(3+y2>5JICjCv6hWnUfTIUePG z6lF#n?WP>&D~meT{28Vrjk_e@836O_`-5CSI!~ zz6YD7?VIv58RXIvXbw&B(E+f zUqegTWJ^((OW83`QFBkh=!&P#O>z8?a&#s2i*oAHqtr>?)Ulk@k${A43x%o9avg>+G zO-}qoPU3M+GG%V6cy78uZl+W2LL`VB0a{Y-OKj`43w?@*`Z4=66TIWqf(YV z_%nw!2vtv0`I*Ba?QItJ|M++PJ(HE+qqn0T=)Oh!f-@3Vxo+I>y88SwH94=I*X*y4l|DvVe!-HVy@=jMDO{(GtdNlCyI&;Y8ksj1*w`2w&i7@(tCKS>$IuWu zX*_g@3q&Am29D0^L*<4e!cOgWe3hNSDAL5VQ-jd>v->6Dix`nHkPL(n@6EoV47J;Z zSB4Z50%x&&;7)*sJvbjIw&XZ@Nn!(Pq9+M{;Z7jB0l*1_*0NEl`?oHaLSc)3U zloYIXTIi|D3c%!OFW|5$xXxGI`OE;4_kc6?*B-!m2d!P^p6ZghfVuEyv=HWIIMvFM z5x<4h{ftHs5$+}*1PtXf8Uj{8BqO?PX5}9k-r~UlpmBpj@CCC+`E8z8G$gn9{d-;v z(8+PzoA+dI9_aEUeIhiLnna!*G~+7?XrQTm(`lCVhAn=blDi@YlJ`YQap8rxz(3;R z@u@-E-jrT$7EoKk2bM#lf;2xzrg_3g({Uk+8jVFG;=o(X{r4-GbOAN`S-0}x!)UhC z)v~FHMbp&18&(=PQ7cd_`pR36!d1fT3p z-3WT4wN~m9dXSoP_sxk*L-4KBb$@vmivwI^Jt1Am)5|wpuFuhdM=KjEAsTPEB=kY} zD>^NpQUawsGie(Fc3M&2Q-^8g_yl+KvtrXo4syT#MZb`%@ICAKtR>eE+jAwa<$~zU6 zh+}RW8kVU!f!wOL+a%Az{Ifp`jB50~-bzm8yd$GoSp%=(v8SlGfT7*I(l1IcG!$E9=c`c;9rV&z!mCG@PFi!O@&EK*Uul7}xm1 zi1JNX_^X<(I`MftWuC(>&2A>uA@mYFO~HR&B}aQ+){OH-~U;Uger>PR)q*OX2(nqU*5EnvajFg$w&r*Y8ASjMj@77o9*h z?zv}-wSB}X2@8yPAQ!%gv?>4PpolMRWR93aCZ9R)SnOae= ztQnQk6bYF9w5`4lo98BR>Zh9C2nwoQIJ0&eqhd#5z#4aZ<6rMi&Kwe`G-9gTd?t6E z!^U)MMZdP=B~dp|dN-s=FeokXd7T0+vZ~{{`q$97(?xdV&FU`QzORwBr=R(Pt9#7V zcVj0{m&E#ya!0qVD^{H)t*~UU7SEpVKwhsX&|T`kKD(RlptPdlEiRLK?M046f|zF3 zF|3RST6kAVOuy1;^gRLa*5yp}9+}g~Nd1eFq}Nh?iZ7>bUULW=eYfbq_Hz1qy+g>i zvjvxB$63K^j{aozbKY!@^SkdH?M2Tw5y5qfY&Va(49~wt_t!0n_8;}>zDG;`2FS?X zbQ*khO*EbE^{R}E)3CSke%@0lYb|NSNU8BbRsXv!hyIi4lk;zlm+H5@Z=TLmArCul z)_;xaKV6bQ9t{N7?`7RQTQfu+kM-9dRQ8{3y+WSMUTTm$Y`=N_H4b^Y5*39hFzcGB zi;lJ`s)SAy>UwOR%pu{Agz3RtP8#kaA^a{7R}3ovK=-+fi3Lad8BqN&4}t(N+S}i= z*hblW{w-V(I$1ME4bxU{5>8WU3;z2}L0}mtyy}qjmJqU=&$xWG(mO(U^qb9&hVH9I zus>g$`b~`y3Q)1eH{0PfWvaiBeLZ2fJnX9b{2_YLi^Y$Hv<*5D;yUzW0j4nq+}#lc zx)tV=xwlm+e(=~T9kLC;^` zO2w(;eER}>F})EKG$Qe(zIjzb3w+K)%GUsy@#0m%Y&G0&)}cN9(ujAxhny`^3ZcnB zLc<3blYa?^w-6ah;Ie|ak||p$_P>UK*)d|H>3zf7m3 zU^(lhGT5NPYTk3R4lc;94BhCyoucNYC)^NRdJ|nN9S8ixW-M;CkoTCk)1t@NNBk>B ztxkrq0bEsX#1w^V0{JJ*_x=u(&gMvx#wiCD6Ned(84SK|JoLIsQ*Pe+*oGi7!s%1jV3)h!oUQACeqkHm*=eXkzi_c=`Op~>iBuPS7^G1)4*8#~p zC&p#G-cDbtXKEy5>+g~}H&l`}tnX-W?$sK1V~W=8mV?z02V)LzX}*D7znmQo`0`#m zTH!T6-&?IrnmFESr=vdoI@(WlcCai>b$eeGN;-%Rm9DF0I(F;r~HVK@OwP*CE6DQWjOQXlcSp^C*dLC%y#q@=f3Z-EeJkt80|FMp>v?NFEfo*AA$1$r|AWNSuQC|EK z390yp&OZB^-GuFc--&|A|Fo!J(9d8mmAp4wQM79?$Z0Q)9zRFvy2?;!>|Q#%T8@ft z*HC25UIt%aj;guJhuDd|OtIb^b%(AGiN||cF#KE%ZNhwjTflv;Ng%GEh5Dlgc4$!YX~X|&oe ztI)nT&-h!{X#Mg2TR48c3FeKlX3B#iAGLf_vhJ}q@q=PSV7?jKjqxsngOcdp{D-35 z<9$vCrOEgO7T0e~48@|jR<#04-R_BxH3#KIfdy9PHzp^L69*Mly#>||-ILSD2bGQZ zg*M(drsgTXRduKpK8xy}S`zwi9fh`=bgPOr@4mC~Sd{91qssH4p02;_v}FK3#eg@;Ru5M{VD~a$O#CVGXP*A0T33oQqgRlZkBqnX#~e* zj$7c{IYi`-XPex}(Pf!0^QW~3)64l$E0?5qhOuks8g-UrbVqR;cE&50X7Enps_C<$X22cpQI<)M2w=jVR&TaPbY?=O87S4*z8$34E&;ZWS zg74kJ``Mp6!(9!^*yoN1eTjp$&y9UkS#}z8Z!&&KP^}i|ZVhrbJ

    k)hweEB_>G- zErWev(@f*hBfbAP)bc|~#M$u!tLVxn{cZ0iO9mTNbXct^_w5(i>ccquyJL1A^^=R< zNK&Uc-d!8ZGVe*Gfj#dre_V+yJS(f~8cRkeHUC6)@L_vlCd!<%-og5C8+*Dk*u~`x zd6u!91P6h$>0HohEoSx5iK>#F@HtjYoH!rYMqjrCZ07E;TF`?4x>%ED5{z?2%*y+<3`mYCFv$fjgJ7d6o9*RmZ3#(J`LO==p3hv zNSDPTlP6ciWJ^8-!BT2St@u>qGF!PRU}o|~N=oUu@`MUNvOFEI5*9376id>1UDwKS zyMx_L99`7GF^i$v(=08^3mjPcwN7AN>3Ov>9PC#r`3=vKh#m7)2_60=J0%h2c-I~p z{84rdB5v)MrA5;#A+6jJyVwA9rHja_AptHRTwUe3d51{9NJdSt!$!{ko~Mmq58o8r zl)2M!IU$6Fa}G&?DPu$8DbN2lG2Ct1Cu*Em^o`lzm%AFQ>+-|mZJjYe+IzUq8>HFd zs!K?7@s`7z+X4o;YXGYB0Ci_ea_AZD(xV36=V_P#SBZrL;3P5!Vc?0n{3t%Y{mF4a zM$3kLmeT}*C22?7hKFZO$I#Ke%5CuTIszu?G@eRHZUlQb>=Cx82`~`AMVYA;IDEgI z7kRojii#OKTz-o@@2niA_T-dlCX{RreskCYN2_jE3E(Sky{f^hMlVZjHR>TDv;dU{ z&;@gwaD{}LE{!y{3P!qOW3PdU>S|jAVjDdlnxs+;D|s5l)B9U$xD(%a?ncGYR6BJU z^?68c6F`!uFbJ=hK1p@FMQjlgXeA_vuQp&JZ0Cx>M!x{nwZve?YYC8W<|7|pc|Q{m z7mz#Rp-Oy7YcVMk)A zYg}^bz+g>{##cO?Bkx9i?y8#nCE$!yW%6wzoYDAzvny5qHX3uyxQEWI1?U?KDu(z0 zB#w3R+ynXOW$q1n+`R`NiVg%DWy5}f;9e@3l?|9Zcdpk&hzYl{5gj;%sk4oNUfaXc zXsk5@1))v$coFoXRUm9B`ZNk{oBO0yGMGGKgO>tkF_?USI#!=lN*7{uVXQgthuf*x zh}kyoEe#Dm#EyNP5;`E{+y8)1Jz}a6QjC!C5ZnfnTiZ0teHsuDPba|}cWk41R{ddZ zCkPAH5dwLz6HxhVjv&GZ<77g)jc~^KG*d7bf8ukbZ)fm%>zZ)4FwSn zekL-vH9XHln&XNCJXPj7@^}k9kx!jfU*^DAgR>04M+CmK5CiUGB``0=PCXscnSsjF zM@}Re3odTsPhUKs&>}8TBxr+15a5FWHEqJRRs|6^joqhcG%<1=ymfOX)`ShC%}c*x z(gVY|>dXw}EUL01arASI4-jNu zhS3P$z!asK?_t(CaT1ab;sNPmlmQm{5DFD2V~1>-pl1f86oiePmx83Q*T5*|+d(t7 z3Z;tUx<~O&l5G-1Vc|(HFWhK|$wOWFE_L?(OI^Q!Y}FLs5qKG8D6R*Elsh5p28GMb zhr%=b1XxuTo{0l%Ud-_n@2vq0(QJ?(>qcX@auqkV79P&#Cq~lEv!-xu=Q3HFB~0lt z5Se(fA@9QB7_Y%&1_&t;Jadr}{D_>$STfY_G6aiVk4q*V8_q(1GI{0R72ZUU7u|qu zml69u0$t0D5yIqKzSyQ+GPh{JmQs4fzU6k-X@RTF_}C!32UjOORM^adUS3JT(*%y!4DuE{^XA49I}?~!H3WjpBqu09hhT;=Ls(8vBQwzXgOjJR$Akx`Ths}4(gP+>sOWU)MLIgL1wye5L(aCCWX8!5AUsC$ zuLO?=JOzA;tbww)LVFuDA7A>%)4sA~z^uG52M8OAyFu`jSji80_E}cQm7-41y?ayf zg}NjmVD}D<%5E^=^F2nY4cte9^$)x|qf(%QD5{{u)*Daj0F$Ajg)L?fBGW#y$bP+y z2TOWoVwd}JZ#EjG0qWv9rLq_3$EdUe;V{~zQbwA1AO#@QYntZw@g-K|seNtmG;Cy^ zkk_?vliz$gt#I~{n^cJ=mjPF-3PfNs0O?Q0-4WJgEf?O5fa65F3|7Di4&l&fdqOc+ zLM14Pqbsh3D|wYGWtA)0m@BQAD?PazG@Hm042aSbSvU}FL!UgkPIP}3jr`sdM_qSz zO+`x${9+s7VFZ2`RLpbK+LG_h@Bq%HnfAWUJ!Lrdb0!NglkDe*R`HksC<x7D}Dp!0@#z?y13X)ynW}5fCE`D|sa1wf#2Q)Hm*UKD?$`4_P)#7+eQMz*r7= zS|?-n7AcoNWg?;YCiIUr+HtjX3F}%UYM_rCy$t06%w7%rsR2B2m>ok3Tz1Z%D-zzo z9?;YQ=LH4uxdyZ=1+dJ$e6&p1XHO)+2Nh5v64nSL-w8nHhcrHPpB}S%S0zO|X#55y zBmu+RcOcTYf6~(-vAIGhF$;lhTXLrcvd+O-HG{yeL1pqp+I+zWRYY-)7<-3-7{2$% zEQrKy5O}_XZ%Gkt7$H|MAlK7ytDyMk4+A*Z?I9qmPh%l;*hHT?LKt??p!%V-IU$V7 zhO@hPO#^&amO_~Ip_h*QvBnT$$d^|H^@(I{h|pugu2zSk+oH)|A+m48PSC)rQ-aFt zhqEw*krRfp9EEc-gk8}ix}t{}J%D|5IZXFz#9eG+e(dlILHOv2D1A6Y28~_@?QI1b zbxb5mMrJKWvp)*k>xg7XiIQF=v>K0k@iI#N3XzpE8b3W$Xg1RKDv>B6`rZ-ImBVQB zt1;pFF_AB0qGMuWt79-?qW!Nz6LX?`R%0G3$99m$W*o)De;0&j6hTGGAP8YxNetm- zo4Cs`XjM!ct72R!MO-08JW36I9Rakxj7O=#*o}y;@%VP-_yLN9p{offHTdJpgt3@} ziRy%@@r3E4gjtHjdF0i^MU)8qGI1p)ajiOWV?1%|C~=!2>Fd>`J^iGEmq~{)NypVm zr{hWIM@ax>GFUtrVvvmCl#CUdj8l`0H<3(moD8K*Arem^F-ReGN+FL;p{z-vo=BlR zPNAnvWfV_kHb`Z4N@b5t<)}&Jnn>k2PUZWpAS_;!hEjvC9j9TI#^V6#@&@Tl4C#uo z=_)EvrJ8hggLJjybgi{C9KLh_RiWf2n*!h>06WWgd%xuVoGg!HB1{B;j>vGYN$x=EX9rCX z$sK2PcV-73qtsxcXDXT4HE8}gK$ufba#u>iaZZXsE_oC1z>mZ`Cebc7H}g0b(gcLg z;zj|0v7eY`7s7fV*A*u(r3S#Fht{Kpsv-arA!?-(`5FgkU&|{x&Pk+)RvM56Trd=9JWk#^E;OwHGY@2- z(*wkOpjLx?LIVID4opqt9IT}u=Dx+^1I;xS;&Bu~40A9~(z*Dc5DCzdMoOo6v9&=l zm>_0IugaWWRmaE0T%Ih&fdRf<pQ6%pn5kX@ow1g-N#q&#^T;h)V`aVd^dgaZkC;@eqN$}(Xf8$RsBj_{aS7P z#$^50N&Ple!&ixhJ;R3G^`e85S`g^_@cdoazZjmE!6v`sp>eFx;S4R>n93nqO2w(~ z{mBI_r#gy%Jv>tw=9r1upoV9@+eCI(1vAxRxphC*y?oBr?J4iDTrvlk)mt$g`squj<2>u~|k5?FWAFT(x}m%K^S{Wf3humeleWLILg zGBM&+aL?Z)_VXS!+^+^5s3mZj_@G4{n~@S zh3L`Bo48VR&dtK4Oi81Ms0>!cF zF)J~<0SKjlA4$DA#zYma_u^!~l9WNhz>n_rz|IcuLwzat;aM?1cxX!^2?${bBp!0K za8nxK;~0pbRa;F@4%e|<&4~6o@|RH<@X?|NV}mU-(<3d{azcKoZtL1bFWk4atZHf8&|-onPK6UzyY)ig5XxN+A;V*; zVP=pFZD!=B4sD^AISpy0)eH!cd@^s_S})55f|LL&_t|8QvC3LxNU_3w=8|9-C7z2Td5 zTKgZbqe3u}?ggLiPe129Ka6^LSL$#k?CtrnMa)g91X77X{UQp-$Ck(XHOC;aC>7v|1mBfrtNGN$$c z82Ttfu1PEFGj(?lC>8`Lk}cgB@YRctVKYf@;(WN{PiX)H*JU%{(*gk&iwJNBJCRZP zPT-Ie95#m4E*?ujZr{UH1chA>z6A@0Ge-azC2cUuuU7ZX<{8L3I~2vgh9Cld$3rW7 z#1jI38|myvdnoGgYq%)~3x_TR>+O=S5vBqxT;@j%`a@qMDN9&*9A47i`T8}gkC2Ja z`)a~9qTT4Y9TtJ87}ba3&#!hlX9`Uc^*%Bn<{qib6uBAN`^0HCZWb>~tX;Y9S?q57 zifWel=>Iwot(N;Ih5h|}3$;9h(XNjbHTwlNfq6#DDx))3u{`fKdBx)rszPNUt^2Q}Z`ZKKT6%Qt3@C%)Am_P%}dt$PL~rZfNq zMQ}{jSuoXMBbIuR8(GgRhQwhLG^ogfO?3{(@UWS@ugFWZXO7_2VGBJ$vCnnYd7`+( zR(AE`|Cooi*o7m!xy1e6hyW-P%ToeK5>02urWSA22jA^+~W<1p$dN@?+i zGO5J>=DG_kkgZ^3f40~f%B-Lze-)7-9|f4mdR*CMP>W!*#mQgYe%KNGTOZr7No1Bj zmTaK74afC7s$$FG*bq*|w`5HsG&d@KzU~g@!Yj4KngeTX3yrEAW|lJY2CXL>ek8}q z)i_hJp0C-g8MQlN_9am3C*SRk0BK~ZZkH_e#IZSGsEL;ucV-aBsY@LTEsYf1&LW_x zt(Zgk*y3J*;T+a%jqa%AI7zYhv-MP@bjCI~UwpdLcHbEDb%(PW**%`=dxw%;tJ1WP z?Vr+ry6&X6m^~g!PT-1iPg<~=oH$=cI1f2mmCIO;p9Zq$_`2j;sKQi zR4~1quq^~3PZ~4mL@CTqPpE?PaN*az6zaZ%WOb`^tt1EyNLq+lBt;0z!;9r1Li%*p)R(9+{%?~AL{z6s5-3N@nr&-kTR2;3Nyzl{5~Z%1n`FP zuV%V~Q&z8^?=fi*#z$IOUXOa{w3hq$+$KlP{S?`_mS2Vwv6fZ7q>`FfbFjv#S$WRE z<(epN*Mi@|dNOcH+GdACu7qeL%TVRfalS_9l{{2+4dnq^+8{v}7ch!(*}8ItGFz_3 zQQ%cewbK?oXPxY3)>FReqz8p3rvvzb0}zxa0lsEnO*L zMICLL{f|bt(JwygxqLz`4?X@?K620f4yq0d)82mMQQ9ZebvJskJhWW!ZQA+UfAcP; z2yf%bmn$a(r`rr{u+tqXvVhaCJ)&PucL%QXp6v}!_BLaISu|k#QreKcJ6!{CpnPx6PH#H7oG;wCj>HhlMiRmtA*%F=cq_HG z?Axv{ab`~Gm70WY|Ob!G(WSH(0xzjU$fXFGyLIaCD*r^AwwL6->H!gLH&Gu$`6M>xE+M_6Nom2bSCE$sgi($pOpLblDrTu9QAF>r7!0!C zu1h7Y?0C=P^pAXOf0cgttUudU`oAZ;{xz>Vj^AE)%XqFf-ke6WjGk4k!dsdM38T-H zp4IPP@W}uA`XC0-fNGH1FH&Q2lRFmi@2(FI?M$QJO-s}X7F;Xo8N}gy_q%>bjdb;k zvPHiAtXF@Q8for=0gi1p?R1UrHt02l3^bQSXUp=(GR!yX{Ag|*(2pXt`yw+`%nDF8 zXi-+*8$Y>rhBi_v-_GPdK@xE@Ru!RwN9DlEJypdE+0U9)%66(sK6l?b2_STZ9&56}-1HaKT7Tn=Te=xjS@aV8(lKKABcF4uG z(s5%tc?aRtyTn=`{nPa^+u~pP-yZby=hHrvzPolrs?EUa=U5L=wMJJLKspcqu-An3 z;etu^k}po3uL*7)Q z@GlXrK$vHUk?-TpkFzbI8oQokeKw)P?A@k}D6 z#KHP>HOhH^Y2ww3?U~NJyHCd@U+gW9cPHI!s6RV7++CmPZ)iXwe;^i%SywF9?AbpT zbp4M~Dt|Mehx~Zu{w_V@-&HzU`TtYt5v6~nCao{$C)+>NZRtqb#kVf!-zv+H=V$jj zk$Yr~5qJm}^!UH4#5xE6)8{zg4}zlpv$WaFf*ie4%TM3Wu}KT+>iFB_QGvQTRG+R? z6{G!P`23fhW09!kfi&rMb{ePM^)Y4Lx9YE79ekM;eTs~lPIz^=yTTM4Y@FzP{4dO` z&R)1E;{9&;TtrPCj~4%Zj&=X{gQ5!lg6Ft^Vfd-b*>0&F^6cnsS;N_xb|-S14Cecz zuIf8gegPW#zJmtOKMxwx<>>zoG(<}O1~lyb1~hP9fQH}ZIQ?>h3k>dGfWL*V1PMO+ zUogVOll6l!QEHi0xyg!|d$Ek~E{PQPI;OP|Xr^iD5U_a3E+P@CEWW{Gx?=JW9 z%R1E8)$9*^$hy)0=3T8r&v?pHl^v|NQa&BgFDwsppFn@5}w^tD^Uz`Cos0iIzv0XNYGwJ!Z@F1LFPb z5zF1aDXYj|4QUEL4{3sb8`9|hJ*4HX7uNmchTz;NY9)QVQQX0rcd<(F|1)CwD-LOG zwBLuc%8Mbb^kPUeycp6Ne;(5QR?6{jn&sa#3o59DV?Dp@qvd)*)zZID@SG1@;o*FM z=)c0x^j+Z9eR{V4pO^alCp63V6a1H?S^h=<{hMa_4qE;HQ4cgio=<#_R=bu$=8BViQz3EF!eUk`X+F6>X#*vR$U2tIzs3eg3(K~ie+OA|h=YowIKYPBElVznJ zkems2+`6)ooPDH;i1lF2T`?Di!=S1DiX5vCum?mnG5{0t)y(*hw^t*vJvb~g6Ht~k zy(D9fwcMeYLt$if<`R`ft@>SYHYfvny zQ#xl}jF)9*`QXEo4`pdO-Rt3FmYh6AkzJI9r3)yQwD7Zz;Xvhj8`Wmn^c%ZE`3U>G zfqa6d$At~pJFj?azHH^bRme~5ep}nzwO*t;McXsjcUK=@@Grt_4p)-GZt^w7qtkf=tU9%|D&Yq!{#EnmgJC7KJvNylk;qu%WKI& zwv+t5y*=JrucwU7@f@e^gLz*r^%EPlhq8)0Z1y?i5*g1(io!5H`oFlJHgQC)*MP&Z z_-0g&qGKzwx=#w>4)RFGLOz6{Efw0NOH6G~M@e-(y6L(7H4)t$tF|HnAHEw#`LS@c zk|>tfnd-(IHd2{Yx{rbLWgV3<+J0sIWrIRX##2gyETt9>@a&s2IeoBgWCIk3*V(sw z45Bv17qMDs57v$)_cyPZJ?qo&_MbaV&u$_z==Bq{a;+smi2KQ3x_fPq;uK4dub|Rk7h0prD&t7OaaUzKx~bWd2I53xZcQZuDF>h~80a{KkiV7#`&ZFwO6nz{Q9X;S5`UZoa@1`?P#WE?x+D;H)MKGu z8avvvBvN}6)@u_~8o#W%EIxVE=h#=8_^oI8+R0J>?~_1!R}>|V2N6MK>1=ANDu%~H z(S2o^qP?r?uZ}+?6O?CPS6kDHJ08wfFV98gS?kmuj}!%!=bNjo8%!R5tm-Q-bm(0- zJ~qfTjK9MVrHl+ zkKftZdZT`8XS?+q{g*$L%i%mo+etkL={sB~8QIS7u`-}RyY>=7GCLnWZR`zcK9Z?;6CU)vJXHx9NJ`fqC( zpgdw`mk0U-Q68~uqwwSz7YJz;2?Ky#J6yC3{78UZ90D3bFY{jm-Aq&r>A z`OxME|7#y;EBDWu?V^d3FJf*VhvFDt#M~apj#QvxZUZSrFR<9p#qxjnLtc~c|Mq3} z-F+k;GNJZpx3)8k?kz24VXg zEap5zG=2WdZEpWI+x_pGbO!%olGo2>yB|?9|6m(#&=FNwBe~2Ug$I{q$yUc&DFJ+nQ;*_hAkX@Ye_Ezq?s+|Rz26~jrBlg{j z$3`y2!0kSig31P?u{+opE+Y5^sge06FE&t%80JghMiDqVF2M?|dfnmO=?Y>ltS5CS%bCp+V!hWC7f7h7 z5MxW?B39L$5!vGS@)^oy`@y>|quBYy{`Nw5(pXpO$q~vePnONPaCU||+DTj_F>ENe z{KNKu*I!sxX5FhbWsKdSIu`dH)$u!`E^yK)1#E2g*+f?w6q)jf&P#0Gm+SjFd)pz2 zrvNHe)mR%ap$`;Aktv4RG#WI)(kPd$J|l%~ud+ z{nVeh5TSyVw}fQGF755gD60(H^=d4K3jx~Fdwa0k-|S!`*U*ZDM=}VCgfVdWNSeqV zJ|EndMFU_>+?77517KOqO8Y(>>UmccZe1i)W{A*iaPT9}z#YerY!QvLAEM!E14Am8 z@I!1cxf+#*A}7-UbP56z*NN+#@ewcWFhA*FrLi^El~(Va7pOoUg5SBl3>IP8qcOP4T+%ll4fcL+qw^?~j~ zH}uO3Qf2(s_XI?ps)`(%?u7nJPA2`YcSf+BSrb$2%XAP#4!WJX=7M@P46$RI z+&q9~5S~5&IU}of4Paw<*8%G%DWdmI2V-y$dTx?Hz1PZB-P~I!f!Jb+P-=k0(}GGi z(iSRFb?>3Qi5#vACR_*J^q6fgWeKT)3Ng|epufr$OXy1EPp7{5_yJ6DTqWb3tKB>l z$3lkT6u^5p#zR^&i_VS_3ept1Pu|qn3f3ZQuB?g5h= z@O#MRPQV@Zo(68)O=_Ab@(EvM5><3)#gaRHi zLLC}{b0#Jf+I!-UAML z@V>SpCtosL$D^3|g%LphUa9<+-!5qZ1Rygj#*=!pOS&?QPATuy6*&kCY3y*bu~6=n zRo$^A84Mf0jvqbmJ*FnRsClUD#r~1b6m>3l2g7Pc_3^#StH{B45DI z9rRs8&w55t_5LFPfGy45NC2wS$FLhLwJ=EqU4nUO4i31X1;8nwBz<(3o?%LurBJ@9 za%E>62oUB<#_nZr0$C&Q)lUmRm`Vz`JdOSmCW}wxHL&oUWcr*r8qqA#;lz%EfJvh( zZn6m%6)D1_1Ia;88QHkbA5bH4tpo~KvYTMV?!eJzbtOZ zx-Ak!PilMArGqUn6@cq$p&)F(UD8C!j2oE^VS=Y%$l5f$0g75_NMK7zJdGrl8W`+B z(SrG}10NbyDe!VYONq3f;6$*)IAr<2`qak{BFS0s4Rw}3zx>kove0W+2Oq8yF9Wg` z!(fIS^;(e}5Y!|y;fLMw6>yAl@DLLjie@M^#ciz%jpHAwP;8kYX)c8sKAvdQ* zftr*8!KcZX(srqrrG3z=dq3gOXV*?Gt2@}>lnC=sGm?%}fq-YdKDNk}6BLJ!r@JA^7t451e>K#&fhcLYJ2_3S zARr=WLKjg%KtWKEqSz5p(T~dVeP*7S-Pzfh-JkbQIA_kh?>Vpg^}enc1tDA>f7!q( ze?v>von!jp6VrA1CW$550XdKkFHonGIJ;eDqg!Kj9=vbYYku~`N3Tjw7>Z???B7R? zvw47n0}$JG`q6X>IA0IQE{&#vdSgHG&SI>b(oZDv>)tNP+1}7FF3Cbr1Fvd)O)!5w zfabd6`uq@~{^f^HzGG~JL;h5UL z;EGvY>oW619;`GFKAWp($rQYy`CBY&j;a#}786$H=-y#N9~M)#A=;*EY-+BQKwV_P zc5vD{wZ~*MAY`-AOW`*#nlH+W80h!h6e47;oO$rPhsx1G1i)n{*F@Aw)|KgTzeSWY z_l|S1=PzxioP+#ER}rkaqzOET$DLt_ut)n(rVO4Mht>9I)c0

    X@;D@ z6GC`SLVSh%00pi+1K1}35#J;Ll9|SZw7+n3bqxBfB8J0uMsxuS)FTWMkH!ozKf{G$ zfbKK6xG{+ajX?W0^g=KCj4r=fBOr?7#_a}!(?L}v5NZY(pk&#tMJT;?Ycv3NvCka? zf{v}m>kFP%y9r1%19A8W9ug1VwjYOiQW*i{kYGG4SXDDH0Kiaj=yzOzQA$Rc1wtza zv!3nN6G|JLM;>hkjQ5jGxo6OLCLpt&Nfrc^_hg|?`+1BY-<&4SlgyY5o(otWJ-xgN zA)YCMouRG1Fu;9$k*22(@v zzfY%%4KtnBX<(K`^prN>(|B_E z{jb^zf!;jyH{M>sY_wGy>D#%37LGEp1?Phy!op2WjW z%pJ|v=bJ$<=mvJrAmOX9S)61ir8Ex16Ve#aZ_T6iwNfsaG)X8Kii7YF5F9Fsy;?2` zxDEnn6&Xq48SWR^pl|hn6T`TL4aVXls+efOd#F1IK$V6bA~+7mgSuw)dKF50l7Yz? zeY>~%crm!IE2w81-74ngwCZT>sjGpxVBekRoq+HGxE5IGp?!Q^pKBFnRIerr%}0p1 zs1r!GHS*6i_1C{3%tF`p0pX0=(`3V}%mg^juZbL-qK}!N`FU6v5Wea>J7HtjT_NZU znr+d;q<}oeZM5bL*d_Wp%7GOImy73s+7`XFh08lXjc2nxEkr^5_(U_^^M75zQ&KPFe>nFJeC4P-zB*g0pGAonx zE0dZDWd5k$6M8|qbKl+0_FPu`suKk{uiqFAdslzl+O%@KUZY3Mir3At5H@-x8;|iu%+perQY2sJxOtWhkH#Cs(Mwb9UhI$ZgX1as~gd=e?($k1<$EXgq$&t zQx%F?{MBxil(0*~B)q}MJ)z%vtUrC_jC{%UzqhU%&Rx&`avgQ%;G+`dI+M`&)$+=~ zb;AkP!*@E+e6_=KHu@*Jge^~AN=p!Tz)J4dbpJJC@vC;1T6F6NbxWP;)_%`Y^Hytd zV@*Bb7g4)`_3pVCf5YM`F>Adkh+9;~;h!T8Cl#);3?+J4S1{4yy&0;f1fH3}(?g`+ zH~&`cldkUiHs7E$tG|-QU-Ir6*4)s;`kKn^isS1?bu)F@T`jh9*N&=P3%sExX57DX zuNkEsI6q|pE$MOk+WzeH6{U!7OTl)xpquW?{Yh6Ws=)ODJN2Y@vF^&_mW$@=M10cb(W)U z$>tkZtsjH4N#(l1yVW*g5mT`pTxw!8n2UP0Jb3tmF)U5D zic%(|)PYR>iB%a@DhacI4gjo*!B~Z6|y>FR%{cITjs_7%zk??^V+BHzE zwkzxtH-yX~vyEs5$p^qgKgcB~z>O|j8p44iBUJP&1&&0${Hu}B;4>L;4)lq8uuwF? zqDC(SLx9K}CA-F8whpUX_OdJPwBU0uzt0mTup#kBklKLMt|2U%-`)izw2fBX&<$Z< z;P(mEW1;c*8-8lW>gvXJgDM2FIl_95JTu9G@R;{qUyy2uEP%9hisup|rp%7PJ-8ohRE09OEa z&YSo-ZXm|!LU}@6y$QzVL+SYwhKbQs)a`prZvB6H49w)a>|G5)RvFj5#*1r43%pf1 zxFBFP`ytmc5lf8Y!ZEXTP#0tRGt~7F-YJscI>@X7J0k~3JWmQ9%C^0#A%+_58W zQ>ZvpQruNA$7yogi8JePch|Z%_z_vxd9umz&rd_K8MNK)tZBw9T9a(JiJ;;`J}Y{()&@?ATP76Y=C zrl0xF`JwP&HbxBdy?pdEFdygcQsHy|n}tu*()v|Q-=&qq7Z!~h{f^I}Pcs1pj6WFU z^>yC}__vwK%?ydjeEy6Fea_9`ysvIVv;6Flkn%*(5EFiP7L|Dn)aJST#L6!!=30cl zRmhJMXe6+DdRa1i(O3^7{2FB4e`_A&XKt|Ix(@#h?ez(TV@-Qbcd91y0O};3GzvV4 zib|BnoIgfe?g++duHB@}zwW&P00qD{u;|)&_=!%8VVo5#Uce@v{wFs_a6RY;R6mv^ zWfS!fmVNS!2?~H!D+aGy7r%sEkcowBXpW2~rQCVe>`z72DAN5b5Ot?dH0xNnAA_6im@!*cb((=?ooAR z+>zS@VDn9N&1l!MjTRqE;$NMvRXa5WjD~x(%|tG^>$MNHF?ji{SL~FmXzXIOp0UlC z?^QLaI|Lv6dmn~)w&s@31#0yV=%C;Gehaw0eW0OY^B^G@5f-=N?!*1={K5~3BzD>X zOc}y}%2-oFlhfLCQ}0>~x0#+t0o;k(63LiPr$@mxPv2j5k3nHh%hetS;*w3P*IM>bWUa z11Tj9U{D2$1okHMxdPyRZug_lsIe(TZYug_g_Q|6z^0IonqodY+&v6|7+y)3Ha5`k zoUoEESW`N;O1G_hOS>0-Zh9-`rdNg=mS@wWP{&c(J?sZE0S| zF^yW16vy1@?Jq~Fb7c*R?R1L;_=x3LnucKJ%jb#n24C|v4NaJ6$2SB{JY=i#Gb% z#X8018D`sy?`P8a2P;%iC)R-O5;*U<_6XPXx)64e8}X;3J3cZ?Adooj;I4HbaZ>5w zZUM)}@c@q*~ zVipM`Vw3o#7b4QnOuypvIFBh(af@RnX!SVmI+VEK3^EY*uuj*EC(r5~#@h){O}+)% zTE4or-Z90k?JY3DUt*fDFE4?NTuq0-JSbEdZ4X!`R9tyoLomm&4XowA<}%8I1Piq7 zWo>K`YggG#qXJrl*ZoHYS00&rpB&S7_f6jHb@z{WJ}-la?}#Hz(-s~r?5)1j#ut@x zMcOfU@=A~Do+0vjnkDF!-^vgfO1dsBj3xMFteI-xGxrs`_l$2uo=*3BHpJg51J6zx zt*N+JJ|SrZBC1gxB)e24${+CS{&T4?{$9rwBEM(9Ec0~%rZgNXs2(KA_7!|Nbkftp zN(OvKz(^$~fGg@xZ%Cy-%_#I@SjEx;taE|SuhVddFAQ|dY>q^?8@*1-*~MRcgH8_Z zJDMRptr`Nq{P)p*sL+|%6L(MD{B{p%ZJC}`z*9Vw`@B2VAaS|l59G!HM1Hp_^wyh} z+p)JlKU{bRJ$K?FHB~ojc{NkYgM-wG1`= zSf?{_YAM@N6tlZ_?sIa;GtbsLY45L3yf{tCf0DZUx9ZXH&r33g{=VbB>6fl z_fH%9%ZsTs3I4OYHh23y@#!{}fdZ-JcW{4|zB?T)m+|kKx#sC?TJ$e0rOQ|@PRS-~pt*Ui2+*+TTN+GqG zqYy%~I1fe@>llcQX#dhT-!QI$6V}5#x0(&UXd+2PEKo*DE#(EA+0^Q@YY0WKh=$Tn zOHu4%jqRwN6GR*1!tsKIAub89SD%O}I3F0Qi~(^VNL zcsN*-6;W}YKMN}So)2wy3UI1D0qUw!S8gcd&N5*40SI%o>iPmhQm3G$;T&IzOm%b$ zQ`9^!o2)ku^-K)m(NgIQbiSSWai>8X%l@d5Cs_J7g(>DaYo);8psg`Y0-qM3n)9R{ z^+{1|G}}%v79`v%zEM79YXt*vo>Ru9!$VwPe6{mfsK*;r5BqhhCx(A^i^zlO-#!*d z%?$&BxRJTp(g)mEI5`h@;D?||{JS`*_(QQ7IvxRG*)8t$(5dDBZBf3;vjk`2l9wGOb6EEH(u=yiuX@clawYH(radJz{*x}OUzD@lbd zY+0TYVL<&%nWAx%#1L(kO$KR1K%Gd-T3DUKM7QATLzcslry!;`C$q$GyP&}I-1v%s z>ggdsYnOoWt*x)+)Qbyu)f~doGen)jtz{-5R5UJ2t|c4kK04Ewhku(G}pa5V_fN6+0UYDlcRB$OWVqQwP1lYQ|B02{042nh#TO9`>T z6vrD!22&n@AL2i!o(!LzId{DM{zYkEG(&J(!@|lggRy_(Nj1)O%L+mT!8L*IXEVOE zl225x(>%s9D`xS6)f|aPGI$mnN4%ptHlHlVc(4&Ckq~JvwjdWp7x~cM<~Ez zil?zMrQ!lAByc|!UE4-MF8mpo(P2GxIG|hShSV`cqH_)s>2QXqt;w;+fbyBMhzyYT zVW#-$D|V{$EHt5LlxKp%=C;X@pd2x1C^P$4FCYKR9!7Jz;WI@*_DQbaZR-XPK|IFz-WX|kR9?Di2eU7kNC zx7h3~6GNkonQT;ey`U#8WACoOB#b3!LZr6-l0)Dromb}u#F{vBuLcCdVVX1Mnxt+C zAiJXqYzqLchyxEtHde;;75ze%VV15T)q5*Tkxq45L}YB;-u`KF2#x;Rre7Nl1m_hG zdP9P3!6>85{A~t`*p$(4y8nX$dgyILbOl~`Lqafp{3$f4jSPX5>h}UgkSeejqM-2? z$g@9Nga9Lwc$CYCB;^ZId**YKV9&k$W)~_#8REp`yCMT|S}jo^Q|;q&N2m&|^-vOH z*eN{UVR|%#PK6T`W9<<6H9}bc(BpcWAEOR1vz2Ry`zDow*ZH7qz1m6eathLx!V%b@ zD<(orlrz)YASA+V8TDbg-9c|aSYricYzg}S275BIMMyBK-{7whAmlgL7tdq6ok>uq zuPuuKtCcSeAtICJQoq435Y}sUbYncXSO+Iv-u5Dh_KSoFuHuD;gV3|YuLKh)ZdkyB z;B~=bKa`8As5kgaIi1o*EYcac^9oU>Q)u>13{9~qVrN@mO0aQCu9F#%MNr5#6~1WX za)Z|_H5Y}`>CH{|a{-Pr)h<(Szp1{5_5iYl1dF+=-=D($pr+Thl|kER0$kaV6wt_e zfdD|$dE2P!Ne!ce0ObJ~333wz_~H)R8N=2*Vb9r>}(v-aJ)lQ0iR57`0e&$d`C zz*ZeC#r4!tjJTrjdMr*tDd`j@D4WU|j6)nqo?vvEqH=3U960TFzG5`kkq-D6!bojg z-)cr=^>QmGfh2i^?L2p*53H$)b`!{s4hMPkIP!VWHX30{hExpO@dx()euJEFz$vK`;XnOcA@uFXxP!TrWFD0)Hpb95c$Zu)6VnOIV^CAqL z#|Q{%80T_+4mULaMsx0etH3A7N(qa5cCfM)IT4fZSQlr<4goElAz%k zf9;`sY^oX&)l12*Wb=-B&{f>1@)TMKj;EG>rJ&4oKV*@gU*Hj!-lG~e)x)qv7;<2u z%0*qmKRJ~dPRLbMc72RP==jpYm3g4lS$=2-w!ffqyYMTksAbDZ1e=T4Mo>};t}Tzg z?Rn_*Z9e%I1Ie!d7ck9vTzkW)K;+d$_e6SwipXS-a&#(S{7mEwQrPfau@thh*!)6C zhRo-;n1%>9A>-VW#0sRn8|5*EJB8=)PMN-5O9)_n>uXsSrpT1&{JC4-t7ktVyusa)DV)}ypo_iVa4w~u(qLh~Z=NiLmElf_t{63`9jRl+ z%b$L>|3qRgM>Jm1zBCwfv6Ww;Z=fRZE$;i$GDo5HgQs_Exz`>2l{u^DmF6pV3YWLF zm&f8)eBG8g$GjhOdjHE>@#m~a4JrExDzjxTo>_<3;}~ z_g+r&9QyrH;#r~Zr;q;K55xgl{floCe-!-QA6f0NqrgtQ+JsUHvsVMk{TJ&gW4$j> z6^D9ad=IUy{!yuwj->?hQ^aLg1@18G-aZ%ddnIr7T;%-A%egOePQ4I&7_h%^PvVIf ziraT*Q(X1hidsc|Z~6%hYgvdvAlHdCUF-GzZ-4YogaFVoTO}u{9I0Kx`l>lw*){`H^{M@o-Lcs(i>cPAw1VMeP3_d z-U;EF+I0W48KC(3=-*8U_iGi+*CDj^c2v;RF-)G+l90IH^N<&pWqfINJ{Q~N^Pl;W zLtn?41u1&zguDluQrr~ zhs7&y#XBkZ1}Z=)w8-(xX<31%b)LWjj_y;+#8MM$E0xWoLoNKUv=Ay6`&ph#Qw{A@ zWsv4sFbM84lJP8(GZW?tX&LY`i)30c&+v8axL(7uAHyTpj^ zk+2`!b~S`egxKDAYSrB)Q?g; zb}LI{F6{n5CPmq%B>Z+cp|3R;_9qf%Z3y7Eu4gG{u5VrRW*OTMHK*1PQtSBl9$iZ7 z$Dj=8k!|jy*!q9>z{4<@J~ns%{tkkO%^e%psm)C_`DlNS8p)dX%_j^=0*eSf6*padoExHLV{?0MH3SJH^QT6m)CC< znoy(XZa^@KzU%tehM_fAVaAL;X#Y)qx?#0$Z~VH%BT6O|zl~y^B)D~lV?H;Vs2thr z_4DZcH=MS5ue_W~m?p)Vd-FYl=`*+*hEmx`uo*Tz1G;pD6 z^=JFh!*?^=zC|7N+&k#SWUa4O7X3V0o{H2hhW_*h3Yu=)94^LK)?A)8wOuvs-y5t% z90>*FX&-h>`m`*}e@vwzwR&*ngtzJO4ef*VbvYq4gXk zi{TMo(w4L@Ih`T3VNo-gpY!AH<8UCPA0QcKN_sU>u0URG1H_Rr^31{1{BfDWbp!vf zpq95deK@X__*b{kLOC;YKYuM>N*n|Ip$w|mE7X)noIMHNqIF0WOoh?Dx179@`5P5V z22Q$9UYML}Xpg9UYCrbD{v!EW7|4m%)Ag?hb&*V6>Ua>I(uHO_vhznX@J4J`7;>aI zoQ~`fz59!DQ-bX?RMb}Z8$S!7W=7)Z8k^9*DwMq2V}?;C_8WpPUB3cA97O@j zCI?ap89cZ3u1kx$M{cG7pEAHI5M>>NqpB%{k45IW!ordst6^gJ;Br+kDXzX840XbS zY&SufZIAvqi0o`r1S)| zM!|7HWJ@3_4n(1&#aIHuT4YE_h1!e3v>!Vk-~Z5BWoN(zHKX_NYx|>lqPnpk_Ov%9 zeeC)qRrKFxA}VjWbSR(3QDOY0iqFv$4z!f%d8$@@eiNK`zU1BWJonvqbE4vm@hFx# z^ofQx1D)EVum$0_{`|3^p0mk)-&#)i;0`6>$&(*uN4<7dGt!yo!ul>f#l34Cff>MKY!joN(FHn;?kkwZ60Ce@$=FVJ)qZqw!>ZIODEqfBvsmm zb}E%+?AT#1MEmftU&W`Y;2Fse+C46T`I+_kQcvvYuX4m)79WGYZz|8y#ZQfwoF0E} zC03F;mLy|0ti2`82vg1k(ctz*3gvEIsR|XIk)F+&f**TdRqm^&h6nolmi}C=^cf@B ziU?-Bt@e{Sp}#_*L8ciUHwM8eGfo4d~B@IyWn+3qwmg@st8J7VXEr&^S)CuH<{i0bhE#E1)tft9@h@vsz`ViDO6aV)H=2nHdTOpm zZ9p$dA1`n(9({3|y6AtwKy!f8XL|Vg>6a*bYYs57;+MRwx+sii&yP#GYtRW<+tbB3){@CyH z<;ZJEw*CEI0P7Q`H{d}~Y>tGkU~tV^qx6j70MGVoPpK%J zcn1Bx9d~^`{ z=^xGQF$mRRrT;O1u?fs@w^E03qHL}S!!N+4l{J}cLjV=aUl_JU6pgI9psAW(5Q>+z zgOkQB@64D}I?N-^TUe{<08~s*hEhCsk~i@S+K)UEpPHMknKGMOQAWsmp!`ZK@M}Bv zAb8?T4x9g1(X$b=lV0yBf;ac02C8-UTi6e_0n$57yr-h<)Z*$bmnMgKRb;X}J~ZFOU|^!%|yuR#Uz`OY@2|QD2!UVCk~~(wVUc9j%wuP|iA(He0aO6)$$wlq!;5 zkJd7X&&sbAlogI30;Dfu97HvkLbcncL<=B>aIZ9~K`CKqF;=H1+j*J zm^}-i?A0G+S1^n$%MMyb5wkWe*EL!=_N2=CafvW-LV#YIwUV`We%eBNG`Qk zvZ62|a>9K?^=rZKS4ak3Ir{ZycW=VSpR3A7EZlMd-!Q@C!~P0EEd1#-!S zLxZGHOBIQ8>W~_>48cM6z>WeFn51f|3f?U$OBbBGs4AsyErIF%jw@fJn~R*uchZvq z?_cUqx3ShO70}B>`AmXE?HN!{GVDxmgrc9(sT}m-&ci#f1sn$YM788?cZKTV%uUKus1~w%aHxKG~;wy)?L0=4X5o&Kv=y#}I!Vp{fwK{hD%a?J4%X~1gz=wmYSI2GVny0U45GjV2x!C4dEN1a0Ew(&XA`VUIWeB z`XMtw!akBx_n87~=Wf9IipmRXK#JmP62fxCjf9kj~#gI@AW638f3kifpw)F~wdUC}{JX0icVXUfhP(LdZJPGmupb3kvl8$?(m#X+$phj0=r=n-@9O3+N-wk-;*a zFLuvNvnsw>s^anlJQn86_HPZjl-wNJMD|D5)1@o;(Vn{*U>=+$K8_#l9IOOZc{?VP zca0jpC5xTMc3Xa6qA8;Y!KrY2E!cSw|BfuSEQoHAVeWKw>zJ6?`hACf0g&eR22AiN zqHfhI!Lf`sjH3x%YPI3=`yScl?ju>#_U!x+97I-Pob+Np$OThM@FUuIa%&OyPkuaD zQS;r)v&54`a_2h^^Dz`1>}T>rOyyVf?gLx z5LRIrp}}Y?o;wd(&@%anlec@uLl_sioC+^uZG>P2>A5nDl-$3Ic_X_kVouyvRtTEy zSe7If18cxVA`$UKHA%3e)pQ+|X&F7*39QNLSj!LJ!&IQh$c_pX(`kAIinRPU^G@G> zk9GAQ-%l(8^T?{UG?cGQw0x1-qfROM$&O|f1v;)>3l5alY1o|4)2NeC`V^?y@<{!e z%tDH+az(>PZG)<&oGy5>bb4I#d%i-T>?%$!a5wN_R?z?}KxG`&zbjjX2x?C((u_sz zlX#{bgLJRSnf!%kSLHl(T-&VAS1;O^(@=yN7|YyRqf=8?c)^~d#A)$-!sH>@5`+EmCL2~}{m#@s$wBNBpLTbjMBgN?7fa+Gd% zzS8I-i=360x9LN<|7~=yYb501YXs~!*^plo2-qxU%P@f&XlfxmWB9Yv~_HhDAiPo*V@=ek93f8}x z!pxK^ZIzOfl!CEgr@LQAJ`0YLR*FkgN^5x&KvfFMYYi=Zb5-xn)$rD|CrUBmVa~4= zeeS$DKduz1%6;xxE7eQ!e6>>4PH5P8UX<}0szKX1k+$%68>ip3TvgvXYphIbP|6aa zW%ae5>C4L=u&0J9=U!R!R#@l$`-V`umPbPtAvS&TUIv;zWu(}E%56^#%Zc(jb8bPGoHnb(n)NM74Wz8{pL4R#7{131u~lxVRKvo`pLWjESUkv(H0rU{`qdtwL1Jj zKD*=v_~D19XbSQ43#zg@WU?Nzlib z`?M@AFQ&gBXTG3kfYFs;H%nE@ON$p^iAksPsx1zZPNhN*p?V|!ahz4Mb&1TlMt^#9 zHFRq3C)vK{;CXX}D<7If_GSmWQZ)ag$NF~B0@5SP0 z;UG4YO4LPL;8*wk5NkvcJS4n!R;rf^rw`#b&sDRx#BV>)VLFRCk4o2b$w{#XWG$XZ zQI*j?kSgMg9tZtXN>$;pO1&DM;;jDQu^H!{=$-(N*hHX;$Uxa+e6AHIuT=E8m--&& zS4!1*^$Zv{D_N2?HVhrt$&_YYtvz*h#$d*oP0;e0BW%ry zdS4j23$Fi^{i-zI3JKK?xj+QiE3uz;(4Fs}L}1UQyOM!Oh3s=jI?3~~Rup2v;xdQ~ z7E?Z0xr`OWG#uiBNKlCvpH<|Pn1}UN>o>z#<1r5S&!0;<5z6kWdQS&ZvC+*L;;eSd z-@ztDworsq=mvkD( zFQ$vPnd=t7x}3(uf|k|rQdeim2GL`sZ8YWG1(xDlSf zDG>IVIXTWjS-kPNXA9Mn@3zgK7Nixzs}!RKFeLIhRr&X_ZyA2E4EA)iBxI|^|48z= zWsa9r^RNm40|smjYPwC84@^B%kPMIEvbgS?c`p^1`nhDDA_=T!NX-B}l1RS-_Yg`( zi}Te9eS$6~q>IZLvfOkT>7acnMm3B=b)?*n?=Wwa=q{?hyz>ltPRNO%5AJ zA>5RK=k?M`CXdYAEstit_y)?R5u^d?FoHZPzBLRXT+##}3-zC^q_}oe4lU}x6h7g< z^(7-g%F1Zj+;$%1GtV*QKBPl=ZhV8wt!HfG2$zxYOI@VR>myS5RWP1PjMh`bj0hOO zzxjN@6|u)#v8!iI34Iy_n@;;;XSUAn0@&~#`Rx$L*2AD|i*NHsvT?0V(}B4lqS-!DIv{C4?WTU~9Soy&A=fW}XyZ|pCnf(63_o!U0JzM+!{MNlZt@~+$dpQ+B-mv{>Z(i$3!|g(?TVH-p1+9Fi7H|F~ zE1ZNIovqlj6uAXe?C+x*Uic?9<4gZ@WuvM}BU)bSbH=TU*KeI`FnZo*R5NiadEi#& z{acqT;{Fljt9@y7`Dth!-=n%8x0uDRFWYQ04;kl*{Hl^OZoK(3_i1XQ%|P1Y)cafm zP5#CfF2?sgj9Ze8bt8Y#&kVGUEZkDQ6=|w@_N7PBBkP#~>!LgL&1JS%i;X)o+bp@- zYmCNidk96B5QNwF9%I7~?Mx6%Rm_rLS57)87=l`#4%|4DcWJG?uFq1W|6u_Q&`se3 z=)*JZ9x-u6;B-|gHZp)r)$E^efRFR2TNod?ef!2fx}$EqLmDG79qvHQcqx<3`u-yq z@s?uwz9WoYC_E0TIuk-Bs>5Moj2QOa+ap1_H+k(;N*KsaXFd&x6xnhl)HlB08m4Cf zMyfkPbGKb)oP97hlwp`YNRwRmvRz%sj^A%9N>s{H>DDZ-?{B{5Zq2<3rGitf3h}mlCB5+ z%lSBIV{i3p0hGeNIL4(f#n!LC_5{MvBrZVW%D{=5wjguJF7e27SF?|<$3R2RTQ0yi zVi<{$3VP?Y&YHg+{saAe?dda+Bf{!Dd4K4&Ykrvg(+_>3r#D4H)1NZlex8WQk=m>9 zvX}`w2^~@)=yh@F3*#xsC%&tnZ{xK9A<_N7CsHdJhv?@+V@`yft9YgKR3`d*?`3VB zQR>%BuxK#*;*gU*j}|bEWsG{=IBE9dM-G>qOiPHV-NsVwwJLY|<+7jrs zFt-BWng=htOP~rpAYwXy8pOU7-jHFGowv`){{&TvN%xExG{j^$C2pw$EW#tMmmkj@?ambv zmL$zE#a{?;Vw=9Fn7ctH`O&=k>epL?|*l?DT4-Wp&<}!E8=;Qp{adRI1b`xhgVWlHtoh36s zj$DH%>Q5E|f=>cAi-3PebgxZ}uDH&Ue~g}<^^rq~EC#0LQN{I4tB4|w05HbqW7YZO zSyb196U#BzLqHeE+?=Szpvs0ha^P%pl8t7NIUngp7djtF@#Rs(b{80#-LNLxbuMmP zaCY(xiTx*Lx4+QDx_`Ae-6chSd9g8d^HS=kr8k$GB}9W;U=LHC7k$$6YO7C=efGAs zzNp$aqfxcGweh{1v2siEr)Tf4b3VCmRmP|rZfIS&llGRi6ubQK=5?vts#gU=4}ToE zN%Q_Z^z+m5=er<2pKT6OYh`m9>jR_DD_k3Asv{Au|RZL(Z;`;NX*eoN(FL=gUzbka{c2V0 z|MJhzw|9Ngw>Gc)9~8>(`ltN`VcGY7YW)M&TLpcyCU9vo(lcHCAu?F=p(CUW;U3CU zZh9c(yPuiJN|jI{-Tpoqe39-y_pD?9P_>#K@UU ztpg+Qx21VY=#PE|VDhUh6ak-@ru+bz>%SG9|3&in57TTOO#FW%dB|J+ zZ%(UY7ynnMRnPyzG&}r1Ij#N=zP$g&qTWvVe`A{chve~JOtY*1L27~3++CGp+wffl0;|}CeXBvhdY9iPY3ME&(I z1SHxNb61|j!aNch8_qS4BA;ascy}i|1jtPWv!MLqci zy=TA?$(}uFKHroGdMMSUsr2^5m(FC%Q3?5%-;w3F*?m1hS$_zkH#?0VX!i~Qd(Uf5 z9{C|>!u4@a{lRtho(-#Orq9W)mv+u?m!~wLRN!Fg)mXU;T?5Zf@XP6(-cuOlSsb&P%X3d5-gssGU1$W4$kD z`hIrR8WgktwUk)2!sqWOAp@j*87%C75N7uF<@n%_E3%)m!;+Nkcy78A0X-@$q-%|D ziEL0pU5hqu%pa}ZCZ?B_D19iY|2hAH$fQh{=nx_oTpGc6sS3*bufqzzsX$$yq^%k( zy#IK?%(rvO%}w-B*~1-sb_z{1_6r)X&JG>g%CZZFqjS-vxcyOX4FLzn@Uzc~_rswu zb}|O)sNn0*M1;sSxZn9D%*u$_tnjmAB!cC5Yvt|H_AXNoy18KD`GnUq6O0G@Z!h?K zXs7~r1Hk#Q^qZQw>FcSi3mAtXdk^kgs?y)$}eMvLAFGJ5a5lOQBoq9)es zy`T4f_w4TZp51fy?EbRzCtP!`>v~>~$Nhf0@r=Ni#ygHvT=g?{m)Lfvd7gvuBxaY% zb?pj4NtyS(O#lnjOaVCgSS!RQ=x=w17Bx256$|90kkBZ;TnKD!(M5^YH-O`Qt{Mn5%5X03JbP$=A}9*NPqCo--z`9_Q#!JfTm z`oeGKJ3&JUhvjRXCW4vtSY&0X;~PW$)+ed2L@V$e_u1BdE!g0{t5m7vwrI*&EQ&ot z`STeWU`bC+H2x}&d-&br<8Jt0*3B|yIyoYG;ql5f(X#?eSSuU}Th zlzLtevZHzojLm)AJ2^`pbsYNMkxu@_p=>!RalJY*TRnQ|O~JtQ)<>g#3x6HIgKW(? zz&~!wD^Q}|`i1**{eX>=yRk|$F{{03293F&0b;fI#Eb}z;)TbhzOK$=`svH&-&!_( zb=_n=^X_m~k6SLsV`3SKNQ!r49j?bLnaGjfEDq#KrBo}dyegKJ_pH8=E_|uVuSv2* zuE|Q<)mM%9?T+q;85ArPDzv`G$Y7@uI9th8XjKnL7^O^LS-E&%*%LqJ%bs&zA&K|t z37N9rWF2R)-+BgAG;%C=z@Nl%k(vsS0o$1b;#xRLf`p2%rg_mO8b2?eWni+tvl)E+ zIB_%dJe`>?o&_2xEmewN^cy$^D?*q3YB`yyOw(`Wb2LcZic_9_quTUbRFD6v4C_eo zhCk|j_rAB+Rb~VTxI=xE*NKGp%)iH5{p&N#)J-ZdbhQ-r-P2SUM~mhXt3JTJv!%7y%4dGG~JNr`5_YUhg%*7&*1bT z*um^%Fc}~E@46W1cQC3KFkxC~gCOueh1?Vk6JwFvHFyWo72?=-YIscQVMlJt$;TuR z=Bc1!v_Px64P)#Le1}D}EUt^0Z;xA}Dw7%(D;Qi{@`|1!jCc}rF)zTjPspb^gtFUD z*-Iewi*OC4pv@hg zeDdQmOm+=B6bD08(ukC|nkj98(__HN3{KV*PD+XN$oC<&e&rN??s(cqK{KEwjv&LG zAOHo~5n$j>De~&{DIB0Rdy<2$df)VNzSTzvak0DeG(_L&lR{ofZ-*#+7V@$5e*H|) z?En|>gUeRfMQc$SyEY2Ars(4qksp!;nM=g<%X>97gSUL%X?RQ3C0ReReSf;+>7XBv zkdL>L(FdvO9dQrOUTAsY#D~Lv@Xl2wpoH%s47HB~dLVJs*sp?@PewP3AF8o-XlJ#ZOXS zOf*?cW|vG9+YdEvNroAvw4S9Xq^CTfN+tlMh@;|__j#6IrKU_OiJ8E4TD(|I6FiK4 zyk5(in+7Gar1`a^W$&Z~?$biAVuJ@$WM4n@rZaF|Oc|X-$o@h&E*eCbrop(<)AQ4R zeMv`cren1{%DeI?@J$a#z`zaFUY& z{NKbyInK!_k3kdinI(g1b!dAWQ$&~}IUyK>3JS+f5`d;@Gbd*i7CJ&4?Hv0glxc-n z?oI#+gUs(fQpY{QoL@lI5@axhPLv_3eUdNjEVYAy>C&L7vzy~SK9x0&IhCz>^+FEa zrV5B9?}{$=ol&}yZQzt4Sr&HG8YN}20qH_Y9&yk|m$_VALD@r)O6uOz%VNh}2htmR za%VQma=QXZwbicW=_( zElII*d0}6ac#D>Ne&rg>{m$f#7_B5K@E|MHK_}`8`HBLSo#7$3U#jDcN>?jWax8P) zN1+JH;A(Hmq)MwY%3E8@+n35augkmWD|)0V&}J2VeiZ{56)$`2FnuYuG4zMHX|`_V5x^djxvZ^Rc*FmYC5JxzDR5P3%K~>pkxdNb;mYA|KMuf^%Lb9fijjBWM@_I%XthrP+jv2Kl80eV!`>SDXfomf1DVCK6^&p4vu-G1 zCe^5rzo=kjRz{6?H&cgA;2)(}CPhp7nnLDbs>7gaEwyJ#=pw3o9L$6$p1hlHI<-t^wT$)*V?_dB22SI6_kL5JuKU1=UYf7=0sWCO916U^T zX5)MDm9TRSPUUEfDPxdaSdD^eZlRdp4qpes>MNiuL+&V9ezP=4E23o8VJ<)Ow^?n)?=V@cg0k zR1YQDxZWroJ6Ma|m+R5DpJW~Uq~CBRV~zW%O+Ol74tsSZoP!gdmo9&O1gkUHihDjK zv=+5!8#Lo|9*5zy z=V6X=cw~!h_8oLDkx4lm4ku&HjvpX@%oH9Grn_}Tu=OQWVp0Oa8%-IG2jvb6cSt6T zq9Ls9<%%VfwdE}|o}n!jAXgzKX~tk6-s+=NuF-!-Ik9kxm&!0kreW+9$@QQ|dbWra zi;Rnn7CeuRq}6#6;;f0O4gl&xiM%4rnfk11Sq2tDVcI7Gs*d%ib7{m@i@Nkso#MF{ zyYx@ByMln!>6}~2gy-}46Hxl|JUlI=Jk8KVnACYbX$(@4Lwz#R?7V=sxA0}7eOt8O zc_DM)xMV+hIKQ57k*8ePZ@_ITJ=%u7bsBGSrkLOIT%PAb{`C)XkC3bt<|L(>oyX!m z%~2*vm{Oz6^3WwcSTrwNma08|n?rcG+a}9Xh6T;CjG1Vn4N^Qhl+K(yjj5TMc(Cr(4@cigltDY|jbf5-b_;9>W!djql_8M`aLHVTpk}~L| z+WzDT(pZf0q1E0`#lD?+nC&{8X zOr-6;sdS5wW84Dy9izns1;h8tx7uqEulQ5BqH(io>FVnG1Upa0JQzoF224J`$3BI& zy{VhFymXOIEt1d5vi+pwE2#AZ8J=CR!z0cBpC@xW7;gva0AleH5xI9|LyCr@>$)RF~aeEzA{DUL|h;Q8EedwA-i}^MC z*6%+g<}qG*!9-Wrt+5#T2Q-Z zz}PEV-PW*~kh@}wStSn$-Ve9J4YTQ!s^(a#+NpQ0Me+DGmEePFF$hD^EZ=N|5|IcK zRb<_Y5Zy;#)AQ9=4?dtPwqsPO)w_c0`ih(c(^@7z!OYW0{_vz3hE2wec|E*peq85r zJ>q+M9>;5Wz=+{7YajJ))H!h5^5@9>7pu&gq(5`y&;1vttA01O{W)@r`-ho%(YpNS zhtGK1+Qk@6!kOja$B$YQSUQ(I41bT|I_+CD+X>czZ+;qj_h-9x(;)GcUWtH z?`sZM*r0!n=PB>U^FRNW3A+Ugy5li zJ#w;8_35eRP(5n86jG?3t!`*HRA%y@O&R}pPCDzRi4Kxu?N=_l!`T|SObk-@plyBg z@v)A7K->SamUXsY-GjFO-%00x)8w2Vyf7n7A_xCY@KUUN}zxNEaqx0iUG+ z_%4Udux2GDKYd~H&~T5xwX%5f`CiL>V!cE_dD=frE+RB278@WmBvLkV8oN|=TWf}^ zscA7H{5b{O)4Q4FImCL$IMZAz$#Ooa%0ax@RXWIcfOQ^R4+V=o5*Gywd5%(qbpuRuWW-p^FU&~CA+7omBlWul0Nm_@m$ai_~S#>GJ zBpj)fuv6xkBWh&knkK;UVL0alHf6^WHh-|Y;Sd^1n@a$+&OanomvTC+MjvMWkOD5O z&`M9!KWXd#2oxn$Q(de*BJKL1pfx8%*Y)oB#ZqeCjpn=n7Q4g)nPIsr1R_SeBSl{-;{wPbsR(*%^ZSvA&YNz987yY z+AxvU-HLt4r(2GtEH*D0U0oh>>q|rMSzkIPz%5kK)a1(+X49e^%tzoBegfWV|3RkA z&KiV3-+8D~T8(@X&~*aH=E+4FezU)!G}(eIc_%~|PVgHiHDf1y`M_? z1S{sYk9ep%r6=Cl&hFxY(pWyOO>4Mf7qEXkV%t-K=<^~LN@~dv4)aJKVH`!fu@D$2 z*NGG6bunsrkFGls(uEwBNZ8tSx^JDrziO6B&F?3JYm>wy14^HLQyceNI?K5nDV4n# zoEZObeU=LlBf+@p6T$z@NypydN`ky4b|T-M3GQh0#7Miyg80eO0aBUfg%T1h%sP(Q zt42uQ5cg`Q$bwdmM1>$jW@<+0V>`;8=!#eIKtw2>a$hH0eWrl^7gAO0f19;zHj4$X z!UpTc7)kWLIy7*|7L;jH%9~mpBdY#iKjeY?9}ZUazjm++if)(yxIDPl4keF>pDBgm zzwFg3Rxdys;@VSLGz=B=$1$@vO2G+czXSvFA2fS~Qu5X2Pm%6Tt z#hB0W&HuB5?YQasa!=kk%-T%s#i!;qCt&J(QKX*I3qn~8%1aKX@|gk9vj3`kKh z#@Se?`8t`azfD}(DylwLW&R~L+fVGMqtW%-Xk}Z|f3HJ2B?>*(PCwm=px`jB;uI{{ zi6nbG`&s91{TQ*>}@$GVdTx;Inn}%Pw8PFS$DxLA2 zR{wg?Co;SZhbu{Bo+qUdG9&QB6v^_IVlBnigG>l%4p0B3T;R%)!O84eRV=X;iTU^U zX1G5p2uIFBBB3{MPBh`6_w(Qjn2&zEgO%Kjz45~^AU3?$pI|JU$yn3qwS9_#6{8Cu?I_O5DY&+4zBtVleP#Drj0|kzaOV{W-A6Br~1jH z&uVrJl^MI-JLMLKLZ2ywLsqiUoBd*sR@72Xbe}kJLp;u275cxy|nz@;MeB_*Ukuy=X%PPUI}RWEL@{6~<~sYw#Ou?UcKAj{g4s^Yexg zgEe`8mC6C77COzeBUIl1ICHOHCzRUnVS*wht%_jzd-Zc>7fN5-3n#h8h2SZ&223b# z7jILAbA4Wo)2HE;xo5&}ufrHJM=jhZGe?&q%kRflPgt_EOj;|>r_#vJtGjOs$~`Fv z=gpsXpKRHmxA;|J0ZiO9x{BqrSQFtApc5?UQe`Lx_;JiV!`XO12t#Pv=Ubo!qcX!? z_Sq;e2g~IKjK-yT!*u=E+ZGE`Ld7@F3fa`RsxY!Et(<^(0(CVJU0ikO51#A2qBNK5 zePn6X^+83`k9&t_KfnKX&KeA5wCYf4*h7F+j+DWja;AlzQ}+iSS%K>ic3^{Ykm94k zy+V@bx99p0*&dotpFo@}!FWKhNH95x&O+tI)gJD=Kb{->W^wBUZYq*{~@ zd`D*vRx)-Eh6qJ7f{1{LE&hH0%DILMy)6D2M0!qa!)+Te@3wotm|`;a!G)^tMLfvk z#N(K=5vd}@G_&aLvph_YkKQGGIie8p9P&a2p#9?N^+kjAzNiDhM?=Yo3P|rzv*1!) zKFJWC5jR@LEO~=M*jNy29m1VvoA@Ns#7k>#s}R?T>YlMJfvzL44Zm;65z>{V9dmxG zZ$oeMA9D^cSRy{N5!u>Vq}x8fc8|j$k8xCp!UizO@PGgkQW-XRGJz+(yi(+@lPwz_ z&o2AhC2JDmRy5eGU-oMH2_+Tvpz{*J*t%C3KzOr)+=IzBAIonK;xAv$sVb?nF6c3x zZVWwb#w1}U#lY{{=_XADfR84h9tmr{k^`m(d-EsPyn-Ad=cLSY^r&+nWm;e+X zV7}ZizFv4K_iBKO8NkU4LM#iTxJDhUgfsU?_KFj`qO}b?B-y<7u5ysN0js;XySym% zv#(l)9=lmu@CP;vT{?P_^)T#x24hGW&3j6=SWeR(@>nBbOKy$eKnMwR3X3?iJ zY-|8|{ymTsC;CxtA3|FGn>jT!$?PPACA_aiKy)9*!!SCDj=UW758oa9ta71iKw*f8h?-+S!c( zk;xnRZ-kUqRU%&NFVluqn{+5*k_H3Vtk^870HYk9;@c`{_%yaI_Ny-M6D(1*Ipbzd z9MNZ`Y8YSgYz5|5Tsr_@7y^e4U6+zO06koT(1_sUSYklp%TbU2)CgvmlaC-a)8EY5 zM?TTrnjq-ok&T*a%x(-}0L->CrvPAM0MdZK(326nc}Hya0XMAJOoo_;L`~ukjOeK_ zNMrUAYX@yy#z-z(u$~)ijetgpo_xi}Az0eH!^Q4a1WDG6Bp-D5X3RzrIp$%t*U#hl z3CiW3=q-BA6;J~UA!G{-UzKSbaHR)&l7C^s9^&;+aiS{1e+Iw4MSsN=@A7mK`4hrs z&^YbCc<#!7xM$=*UY_)qs7U7?rwD+_K&bA#GgeqIqMOKKQts0)`H^7SJZ5?Tocq=W z>*3+j?1a(i1D9hggO4~gpCd$znmXRHwTX+0RKNFV4#d*v_me16u5D2p{qeq3div-4 zruO9yeXV)_wX;s~*pnF7!0(yshrh+!F|>aM{mk3|xt4Vh$GRChz278ol|VoGaqMMm zUKc-hQToX&o?(KyCSsH@59963Z&}6(zq>`b+-#X6*(m8HfwW%_dRFPB9)&Mks2x@q z>i>xUsQm3Si+6){m3Tq_?cQG4Iq{HIX0d1JSMLb9{^ts(mdoH>zmv=Q`^sa|qZAxf z5`U|nBd^!F(qbZjw0i2;`$mn`JxN?&C)o!VxlOCvo)^tC`qRJLX9AxFT1(G=q_~W& zTNMxecD?DJbcq%ZJPCW+=0Z<$wG6R3P5soq{nFDn_p$H($MvYCh%blDQGd?W+u9C( zYBRXB{r#11eRJUOiE&~1!&04f;F0Uy^~(1TEA8GLKMgh5A$_V3}xzMH-E50^5oS?8r6{|vc5zuwGc zyz@TZRW&0G7=zX(5CoX za0U?~gXmO)nDByzf`Vu-gC5Zavo1i{_JW@H1T!FlDVl?M5m5fi;6btw!e)jGFGg#~ zeLWatvH`-Sg$)$|iY72+9~c3c0lylixd78f0QEsIJrkIpaH#$z%wzyIWE-l72)*Zf zS@^)L;Gs6OVM-EVIwoPSkbvVJjJFO3!U&g_2=_7xfA16S;S=uH93HR`j@1WZ@1pYE z3x}D&!+hWh*l^DLQ1}8o_U;lMzwp#!0G?nHk?IqHgMf_)ML^&YIhPT63vV)zyzD@D zGHoOh5n0x(R|w}S-U}@%c#k(hQNl=PXI8-i5@^i z4>cQ_ZqQk55)aeHOi9G#ph5jgF$;*8C8T(NFUT4qw@e$mB@sLFBE|tt)ua%6&>VXR zXZ*SldrTX5y2r4JpxalaJwwD@H^(`6SxD;{-O|QmqGDwA<6#)_Sn2Tu_|bG*afDa# zq;v`7k_nVoaQ!aK5R(M@mV_7t=&>7+J&?dEnF#X%aKVY3>4{!=SS&yy_f?{RX&?t( zqM&J#*q~73oe!6=Z_=~Hq>;p=)Y>Fj$z(+o3)qxP-ZWXgC3(O-IXN*|lP*PXpFx|B z10tDXlAe;Qo5J9cVs@2cGnhiZm11L>s?U{5EuZ?TB~?8lm8u}snJ!IcKa~U;7lJ7#Ef!G z&$>cn(1mByWrSR%1K^|r-wY?UjFO0q3RE25aRy&COW9&ZeM?+5T_(LyW47W}Lp->hf&Si$hDk=IE>ud_z!vN^A^^0>0+Bok*$Gv-^e8Pc=M2eUU& z@oRTX7E zC#{jJeg)hFc|1!62t)xtec>fnp~w{q0k zQKa5lH0+b9eO=T%SfuA?4lyg%l`1wV(=#F{HeD)aZz$F|D1ISTVrN$J%CE#RqvTC% ziSts4%XNtxeW{03sh3&l`wUqHzf!+z2H)1w5A>lQ>5&SYNSGN{pcxV#Ngkeogx|Fy zqt%hI*T^7xRN_HtvKh+H59PO+hfpucSVDPSqw=^*3#7{2%*sj*N{|_46-#AR*Jai8 z<+V%nypVF_i^14V=Yb1HgoANd@REHVqXS4EdZqye7px3Xwf2m^Zx?+O9a!RUl z#;g+2ldIlbR*8{FV3P>SuN>%xanLcW`O#>YRCP^8WYNogld3YAsjQF!K<-s=EJr$HFJ8{uJv4FjW)L z@6h8iM_bopQQs3%<73m&AZGvSZxpq0QdOMg$i4xQ?j*q3Bs)%|>h!LR0W^%mPshl| zASbn4=kul7nV!(|@{>(Gpf^v{UxUL^e(w>;z~8{YO<=^YCIXJ@D`uW5GB9Lw61E_5 z2%^aO-;oy5$~UnP8nvZ?@^O9h>rtC}rZ))UVG-PFfQ}jF<`$Ej2(aX3cM0f>CV+ju z5J^Xo*V01zBnRCdQCW)^pSj~uKL^1{0t=XVB;5JRH}p(nNz7#Bgn z0?tUr#7|EE*yD-$-y!a{bbU{-6z?yAKc3?72Mb*cq4Fw-4{Bwuva3K#Qd@ACnSVKnXE47)3Vn?7sUAWSxU5m6~cmi7(zuw$5 zg^;<~*ByXCa1v1w$PCzGd^QkIY^=^0dJKr*xAx@M?k52Sq__`w6aPA;5P-2;nzfiC znmbNff=oWqsbPl-^k{7~LT+*lOj82dXee(%G`E#Q9)JsTwKo}YwgyXObq`9noo%Uy zLB2Y*Tno!4QM{Z%3kf4y?ge3_Xu>hB&8qaGX~^4XScaA)Tjb5~E z56PQeFV$*cr)1D_Wl0MxShE_!+1XXomwBh&BTv{*r#aw#(%+Z=DR{55KcUwI)~htw zKS$4@g5P?n-t%g3FxxrV4`axJWyoG_sMvxfH(&_$3{kN%G)FSQ#s=YqM9R~npWl(bUr}kh9SEml+MU0d#Q6wZwT5d26sJ z95Q6X+tow5dvvuo92v7nU#$A?KIg({i<0sLpFW=%!|7W z;c;3lD&Oa32?{|5cuvn67|ny);};EhmZBCa#iL8LTYyp|eQw7xcpnL=q;KI|5#bq3 ztNo-ySU&)%$?YgLyR&3`u+S#5OmAW_KiFNny%b3vv*LW%r;b?g*@SwNtsM}rH>@n> zPDV7AuQ#vG3GqymOaSX0H18)WnJkM!M`q$j8Wb1SNB(qf%P2-#Fk+4M5q?;Ez+LA| zyE=T^^7?Jns@B4=4C=uTp~g!T{f7qarT@~3C>(xRdF0^TVHHf*+;jG`9{u6 zw#AqjC34hcJDZ;I$0_{X&dAnPqg{QP6Ui_(_bq1KuV#n4IAS%XFQdIc?ys7G%lz3; z>;OQZl{4VZ+w$^<8k#6E?OlPn)s&GH>2KaxCsGXNWnRmiwb;2Dcf7;{!h*N_JN9F> z-xu0g#u~_~M!4_(GTa@^p)HpFnqmg}%epKRjzS6RCy0~-NZV~1$AU6D+!#>D-QwBP zIf_$0C;L@3JqBK1K?wwE+4T4jZRO#a4!LJg-TkzjeV}@uoGGK6VBbgBFMEIxm>_f$ z823xSsCaO|Siy*n;Zi0BNPsSIGz}(EJ%L+!-F-O{f-~vTtdWBO&IV3untj_?&NDzA z6F^_=At|gf`|5i_rwB`0IId0WnKl{#Z;7-#d zGvVLQn+GB0b^C1o`jcQ+D`!3qF$Ab|Cn_Y&GA_}@b_a0DFdLS4Fath^x@4dJczWfF zA@fL4tb#_|eu`F90yaygoD9hqkKL9<}(G1#DMSjKvHD z5b&S$C|=SF56O$?`&afKPTgzQzDlhTYhU-vVYD;$yZ>lmuO?bI4uVwa#k(~nYv!%4 zMlj?6gpeS})~`M{&l!2Y)iTt&vhN)Q8iW3_rdv84Swq*R}F?9tlT}b zIc`m|v|{8RJRvQ+trCm8iugM`Qu_VT_79RjWQ1E~laW4uldxraj@Fk7X$Me;Re<~b zpBRjZ&!mWeY|4ibKa_=;2;_HR5m1vF*tq5O!5_+ez^2pNQB7pm%7GyP`$2LRqfQvU z{%%(~o6}q}C;7KNm^8-5&YrtNa2`R>RJ5c=X%{wblt-4SFefBNC&?=GH5HdutWwPf z5QEX-LXqqsle4eU(QM|EW!7{0NeA6r6@>>e{u5P;4d(1(qx%M*)=}E!+J~96{4a7W zKs;fLrl)o-Nz;0LhsTv#(a}Hsene03tG1I|ys#nw+_wA8izCGtP2PX4*15ygJXANo za9MNas5{Psy8i6UG+rCw@v`j=6;2`ybV>fDGXn%;-rq^zoWA9dD02Kgm3Had_>!wK z?tf{z(KD?e7E6Am);Usap62>N;O|6|p;hjWnj^LYmztP!f1RR}jVXd|>_;%SieCe7 zTzl|dM#jlTGdjCSb`p3+DUhNH51+%T&BvaSpD-jefSywRMB&&L)hO5UQkKgzd>NXk zBo;Lo=*+=1P)F~(CC5Jxh7jo~{eV|Qet8&@T+`0=2|d-%+q5I3hV@$WXqdmBtxi*T zTv1pn>}##y$lMG}SX=U2QQcVGLdE3h;^9u6&htBL5$$K)lt}|%5+#v4T_qYrouOk* z=R{pKj^cVf4TTkQy$Sx^dVQVeN+N}tDZG>h`Z`LYv%E@{DKp}Rp`u2n4t(zVX8*D& z@I3S~w*CkbGZFQtYBYHnrz9rxBFVnd)M5Ok=&WP5x{cW&-0#HnZPTuip3`e}W{V|G zh)sjbxRUs)P(!#Qi>W zWIWS>mG~DY12I81dr0gCCRx;y(4ixe%bn}%ZYegDb}u!kOO+W1$T0O`HciF=$K>JV z&lj55@HcAztc=6GLC>K#{s(?f2dT5WV(3VW@#DGvTZrzU^TG zLK?Q!Ou~xArh5NId@KVrE7&)R>ySE1kjO$^!{n_?P*?=}0&J`}FS-k}`lbF95rQSR z8+S9vi(?}JLgVjPdUUohljbh=<#3_{bVLx-qrG?`^mQ=dzGNwr%=jqwSIY||&rbAT z@CytCgB6KL1UA3apc9NKuOtHd8Tbj|q%Y5Q0d-mb=cezID>;T;j?@wSfLqAbJ8laC zAE+An1Wci;7+)YNEOH_w8n!zgT)$|Yu1G}{0_VL8VntE6>ru%!u(Mm>cY(1u6Z1+$ zy57^kZ0&@6N|4Af?{ijyHrZk*ULFQJJ}tE60cU(P_K6G?z9mr#5<$m5sRJs~Rib8= z;4nJj(W>7HJq7jf8x~oZVi#)mAf7zztI+6SS*PuXD~XojM+(rtVA#E+lMVb9$Q>izBz>?DU=oa2pGgI~;pYY!yc91ug!603 zV<{}TWRcp+i2^F|&2qYk4YWfo_9b~xdP1sTHyZ%|)*mGBf_blkh+VGdS@;S$>$)Tu zKSQu1wq85`3XQDpd6IY|38Q~>t14{qI|aKv5zZ}_z4C0TBhF@nS~A&&2{*Be9D6(O zafI1(wJjOI#7m9XVBfUBNG?2?*(+wmQI9HQG|moN<>m~f%4#!RCdn4;;i;ppq+*XrhIYeIGK@tb%%AMVjuDr(NN3DyGr^>5`-6!ye-(#IO)Chz*(Qa=g?2r@N4IrJj^lrd>!1}H&ww=$@pA6W9sMPc~!);ll3=}h1%b>g*X9Q zLSOLu@n5{J6MfBP`!cQGO53sFsn^ltH`1u_F})@Ysvnwl4CuM4^V-pDT`yeeC8TWQ zt4J-Rv$glyRYgadB+VbW8$P#ISEZIkqK8rs(DM9uK_ z8DoEQt4P)HpJ=g$$R8E7_%{^Te;N~(r8yhda8Bb3opvZV;73Rr>4uYyqYt(iT%{)sbKro&MHMjFX+|j z_GmX;oz#^1kQs_~@Mf@J?#!!)$MaD;6-AuSm%>syCsM8L(&V6$dYgKtYH1VlyvyTu zN|tJpH+$WZ*D1$$f1i=J6=n@MaJPGC?;tzt*!>3ow2n zB05J9+`wL_f&^eUAw9l#@ z+|tuyi!(9ae@u0wmgQ6?V@a{)^Y5_DC9SAT6?4*W95hS)TXeUZEBCd#%}&9Z@uTynS{nF*cf%b_RV8 z6;uf?l^u)v*zBksD*BuaqF&GRx$G#pVyi@N^|`V2+tKxVD5}^>s_@sq=RMG$uRk*n zcZ8y-l{EV$&H8x~DkyYilkkcK6&_U-s_3@&8xQw$;j`bW7uQO+#n$jO)bs}%6o%NT zY(;|afaA8PdgVGjhL~hklb6k*UF~o|xQSoMldjNaGq}k$T#7TzSRF5?8wf)_t55|@ zZA#;2)DTGOLPvT{_qRjANl{9$;r6V=L|b0{ zjrIX>MVRVv?7-mFscMI!W|*T)Ta-!-o@Or_UeFBDghI%aZ5bM^N#Ptx$);NCI6#5o zThkjFVH@4d=q6U^6?k1hY0*99r6s6d8sI59Gb4Z@+2b29x}sPmj~@LbL8Q|zbSI0} zP@Ngw+8OP=sh$yuf8rsy?KQS7B0;?}PMLcSlf=5j8@u9icAq_iI0&nr2vU3PfO$#gG3E3Ci!QvqzF*>3t zN@DM(C0Cyc7f(xD>Pz=d%k+*lY)wB`g2;eo}O0-lMhza zB?ApCBW9kSM~GD#NR#P;n4xO#X0)_YwExU7ju_}F8FCxU7}(EFPRh{O1(2BNI@lXJrWm~m zoXfB^at@u%hR-?5z+KqW zyg~E+NAobm{KraTKg0QeS!0i#dG`imDDi?P)k3h0$<4X^g7Cr}Toe-7uwc-;5KT23 zv%8@FYaz~lCZ5Vvk$o|deI`k1F~xo{_1$7x=prIzF}-*(qhT?#cQI>rF==@*xMCuw zqdyn46!>-`AEc5my5y#~RP?K_*xu}|*HUR^A2P+vv1qBxu&=y#>BY=a<)7Z{0cf>o zCY*G+CMBbmYB?Th@(H8><1~-+F%JeW*S}S7%r8aGhBho$VX@wekjgbt1HHlHJl? zWObUaZ^m%d+HQ4jws$^s)hu~+F{XE^!IFFgnm%G_dEV2tdStntO|(J0W_D}2#l3e^_0F6d zTA!y7oxQatzD4I*%wMh=cXnIegi2hGTL1YY{`c2rbH!oXuxtEP9JxjHwpf`$E_|3{dO<{jrrF%fvW(MW^=V| zj21bMc0jY>rXnVbbWVl7;O;O&_|pzSlUAH2&u#gpf4+L=tmx{Nr=SZ zitC{?^7ZS)m``Rl6=~Hu3v{Iyn9(HCylgOHslAOazVbzg_~^%TN{_;+Um!LWI12_y zV<l6Y=>CH z0QE{oY@zyVrd!{>S*FL_>u=d1hHe-+0l)W4O-us1dvjsbZ}#%xPs;WRqQwsO3geZz z_ly1&YC^m!+b_v_f3RPg7sh>nEJ}TIfI^m(9h6lx9vqZc_uX-Suc%+@?X7J7>c^wp zx@GqLQ`heqr%&w<7!GR&rbH^LddV{n>n6(TovTKL82%ktFKw!Kd!#zh4cT9LQOY^I^!BQN6p`=Zho|1{J8nqh5PjO7)|4PdosZB z>GpI){O9f2gv!&76GA+@8Rwsz-gO$@otgjsjhz5o7m?r3$nUxmp`-#Yi9w78a-GK^m$r%+cC>^b zKF7{(d)J^B7%Tv&KsKU%oETtOH-m8Y>@O-|y!Pu;FrtsDY^!}S02bW)JR>5EyBP@AiK+R z%yFo;VBp+7r}C*1h9&6^AYiyo^E)EpnvC80UBJMdL7BAGv4}AHE}jfN{Bs;8lxAv0 z^ z0JL&6LK64TBG>?6VaBeeX0U+#eKi#*X=;PbR1FPz@AH^kHUm$3Wc4i$$mTwG~k-KOvNUqB|j+#|K_1KBh6rjzQ@ZHu8lUb*~rAzg?a#x&rc!PQ)H;K?6dZ7 zvW4$m%cxX+gUG^%>Dh63G5AVeVup|_cO@NJ;&C1^=tzEmV5qCvFs_j&;l?k`%vy*n zR+U1HqQU7zTwhc?%3fqagVMzzU5MWcls;t|ReW6emuRH2ezeV;5ZCXT4n29>+)8pl zwHHr)f*>H>Us*6#HK?EUAyP<@j&dWSZ58eWYGlPe{Qb5)yxiq|TU$oCk$K=|0eg`1 z#p+WsB{4Io8lM;d2tc5I7}Yr5V%T)oQNOHxvJ*{JsJ&_Ln1}la^?Fj)gJ9Z{I6%Dn za;Qpc`%eX4FQnwtv8r?Uj>vwN29z5^uy$R&EmhsWO``aG-BYLN2jjip!Cq+*`Y-3pa9KK8X_)@V$bofdoa_slf?^iN++CuajwDSumq7OJP7Yhb| z8$b8Sd5gTbDW5o7X1a19dA>Us7tr?UbJd+k0D?kVhl z`-tV}FU<}e)rVGyeB3R9_KOE`%--8v{BJmdryQI+1T=lm-{}1WOqO zKgA2lXARNW4F2g5k{%qQogcz75R!NLQTacyca{NF=j*rMY`XWRyHi4t4q?+>N(j;d zg3^-G-AIFUm(raA(%q#r0!ky&$la(ja{`Uv*z$Ry66gndBFXTM z3vFJNtMh;rF0pW?9l)_2pr?MS01Cxu2OaitAz-W6pc;~Rr)r23KC(UvNClBS;~rSW z29?qgE)s@y!m8e1R*eQ!iUc47foU9r6EXk=YX(D0>Ek0gw~9sMrKfhzEL-ToFMJ?B*& zHlK5JX_QAxZ8Q?_E*YV?U=Z`c9hesN7*yC8S!9EpTL9x@EVYRkuN;W$rw9;Omq|rF z%`}pO24p#brDY~e#ump9uc2zDbh>Qfu`e!<92|oHMg^cvp6Dx;gZy)zn4MysVaNGX zMgi#~$y7w$dq6A^=p6};FrAt%r&#N?zBmTKq^-hRrjVBtA^_!txp)Bc9@=58LgaV? zS7eA+Cukx)QYcd8H1iQS;~BVBd-(xmEe=A@2R=8|S&z}Vk_KrQJ%Mip9vs9KJctkT z!%C$MK>|lccO@c5+LGocl;it)oM7QN>kRWH(6NKW@<7(Z+FA+PyvDk?SCsb_u)Q`9 zUAd7Th!Dim8(0kb8BWP~z}raF(I|4#`i^P3oz}&YJB52X>*N`y%5<2VMjNhT>(7WO zyY@Uw*hqP>;obIJy_?=0k-*7CBLl&~w?oEF8YiO?Hp4p79VaoO;MACK*4K;iDXCT@ zMX&oVpC1>mI~~e%hC;iNnoOjb%%;Ok_Svj0&McMu47|cj-S<%!>ls)mUJ}6>1Bh87 zvYFh85k6hfQfDr10a=j5r;5R`T!pF1Tsb_NIW{6r_j7_^wCEf5@l-C zXDe$(3-#uhCgxng=d#th*!GfY+8bsvV!Hwr!aTc zAYa%k+moO`r{3t zSLWib)h13jf|nJGmpWUYuw+s(Ylg)qEy!>%VQGPcQb<}?4#N2<*42BQW(4SIH@KJ0 zM6<6Fo<`fW6wSfOQ0WCLrb&_E{VGA;>S(x{E%6$OY9--VsjVJI29!IGka7f0Yo7CX zuS!>=R96sdCB5az%c8HPC8&KOn~}#~=ua#jD3FaPo7K5q6Z*p46UD7DFW;dd&?!W= zmC+nO);V0RHkPO^<3(C*gSUK;54g78)Wolv$!$a`zwCa^^PG&TH+7%$qTBjhqu;z} zdJ*^PO-`$eZ`Wg`jt0dBrh*DrpGIoE^5q*qT=ip{I&Nl{yT%1rkY6J3@g z5Vi<{2(jNhFF+DOTpkZWWG_ZADBUJZL)XUT;3j{f2_}5g3aP5n6+vR62Q$gFwTM(Q zdnLZZ2WyvF;!{?VvBxsY(-b>r@S!ovP34++8{d2L`q9Db1O~9#eQ+BLpk1b&tGwpM zYO!J?L*xf#U}4)`L1KN44wb??S4kc0l%?8l@9Cm-^7drtG}fA2&~4!72-J4^j&>5C zby#Z?*a~KM-|up_?OI6adV102Nz&~t*zK#`?eE$hnA{zF)z}@n#cTVf+y9_DtPP<{ zy=R3R6ekaU9@-Q8wjt^zLyUP(JToYX8JyD}nnKc$mdudB+zV&Z3$p1gMeA7|=`Bz0 z%?<6#7woOnCM$Z|_xzx*#g(y5us`-re`j)kZ)1P|+y23e{$Y{yc1VVSmqT#q!?2XYm!ZTcDZ>bEAo$B+;K(pG%LpnuF%CL_&}|rgV1&$V zq#|;JczYOpIf5HDOp!8rqiK|RZj|+Ml#O)k*6lIQQJpbvw=v$7G5)48!MQP^%P|P) zxajS1ah-8Vw{hu|aak4>vf**OEf7?xYb2OZY#Mh2Pk_88U_~a>EGFzTCY0wUfUOe> z+Y@>$ljty$cLyd+<|ZvKC#^}RY;RB5=}bAeO*y4ZJ#CtDottvMobn`vN@~--I@A7c z(}5||!A;YlbJO9M(-EXIQMYGebY|k*W)f0n5}Rg{=Vnsp{Kz6;$k>LNmXgyfzzTvP zgr&30Wkq?UU`9dEi-Fmk%h`MdkSU}L=NzlS;tdWM^j$#tTITsFyY?q!9tyEw5}ERB znFvb7e<1T*2b804=zPhp-5$y}7p+1bfAKA#EJv>xqh9r)>KesD@2%6oUGyg2AYR=~ zuBKQgSLOgJ^YHY{y`t$MqP>M*x>V$i$)wv)&=Su`cF8Fdm0(yF;tj|BsK0JKrZ+_l z${e&V*9*VA5P=h~uNoLDe$ZDfC%)T4BOcg4KX9F0<6*o@Dh(HC>3yJ%031wS*fsXN?kC?J0t-gK_EG7k+XU*)HqpL~?`P?j2MzI=VKvjVGj^HsAOU~hM`1X=eT zvfn1|_-ps#%hDJx`t4F!FEm>&IB`1DMKPbOxl9~y9215lbm5J3AOB&4@^N&ExamYR z{_%8B5Fnoygid#>S|56qFs0V#8FyL<7d+a~2^T_OT#e{gu@-?Brz=>E@>f%V$CsC6 zd>5mtZuTzro=L&GIBkdb@8b3S8P^hw;>^~bo8}g*C7M^izm|Cz*OTq8Wge%sg7s^e zXFbgm;l@V#KPU4{KH7xJJbx>o`~sR?C};4`K3 zv&^IW2?m)&t!_0{-Q8I!p4@YLO^kk#PZ>Sbvgp0IMsvS%{)1E#Cegx?GkL%M+)!CZ zZB>Cz6nzREJa%V5%f{16?sMrbY`CWq$jnzC0aH1LSk!t*oT6NoHliat^fn$5AMqrp zIZs~6JiD+@4}(jR?hzJm-XsyZiUy)Z?l<3=rk`k5LG%Q6eO{4;c=E!w_zstN0;GW) z`gb6#ZK#JXaYYBV0g27}XsC zFPI+GV3P_e^O4AMenwl<(2Ivk)ez~q6QZHg0%N!YHezlUwaj`e-dQUGuq&m|*$Uc~ zrxFZajiimwT7h6e!eo{ADQ!aoDd2$}-sxpr;}zXhAyJ;j;?~q2@<}Kh&m%suyo*X8 z>A6M67}d8OK}DONEroK=zcliIB3WC8nUJGTk?eq`L|&S8Mk+$<16&N-OpdJYd#P}3 z6{B|5z?;IrX5(eJ1bQ12xol0asVtN}BV*E%A0!f_tY|m3N+mOUtYA5hMcp?>C)Qjr zNSyOAnZr3xZrY5_xs4+M-YoA{Qr^`N!OX{0*3&%ZQ_Ue)AZIFIBQKFGu)TtT(-eI` zRcydn*xN2&HO>Q6c_?xQ*hQ8DMb3Cp6F};FgSS-Z zm~fSVA98sUb>Ss}eD9@gZ{(_;98!zo2B~0<_L6zAQOOyvs1P40CvgH&fL^V4o)&^X z4#Q)qxy>@YekxSqTPBriq^m3=DO+Ahfd9M?B&rd>jw}>7iV!khaqpT{z)30t7&$ZJ*fohH!FGro#G}p=0TXWGm5L z8JAd85r%%`&TB@P59WV3P7-{Bt(}FFI#4HTaAXeL!JT3HF`F8fK#3WKsoKT~ub+=> zbDC9%%sj&5g07``vdQgHsjR=;YClF@k2yaiocP#CfW@gZ6Fx7Hzq~`p-KaM}1Xf}^ zUyp%_J%hzqiK0SOS}d{dDhs*8FIDiRzFf0r(5U&cOyo;BF9zoqg^f?lF&2$Qu-_LW z*lfZ!))5F1YehPVOXI)RdY7PjHe!v@yGC-mam|KkEEsHRCQQ5noA9(Pf9+*H@e{MI z;@NV9s-XPV8k2XCxf4NdpGY3)L~D9rPSkeFls+qb9E8(A+pNf0YK8vjK9du5pd`bo zsl}#2U;WJBXD$Z~CUeV&=Wj+ZxTaM->nIXr5(DZZn=T(f{He>{lfz8A#mIyVsR zRCuF#F4XFx_b%({t?i}*(|W-*RQ|nzG~~V1p^FtUOp@W~`GYLsZzvY``)TUVTY5t= zGXgZ;dpWl|{0v>@sNcOSIKJ!v-_noDKBdq{fRI9vK6%@@(Ut{z?d2(5<~~n7V0JFe zrjGK%sx?1n3(~*Zd!h7MKdA2bU01Jntk>tmhF5BzcDkn*Fk{ub$O{gwdP{dPXD<*( zR)*I+c3M4v8`N<3JoynlkrF(6t35GJJilhwaPE2GIe8HzcoEflwa2=W7$DthCR5BmiFDXT!^ff7(ar1lscFE6VHpHM=IA z;454ECA)Uwt4!c`hu2T_o}apt-@ODsEof?O+E4f7I<*GXc#NQ_H79@51pi01{^ryE zmM8w!1Oc``W!Ib%zGc_kPXas%0=;7069R*414E(NHFjurjUXtBHz?*yb}bDq;Q_RI37WMjA zxb!*@8~TcLdJxqaK`oamPe>Kno51mSUjF3P`cS%92-@QrSUlKQ^EZQ zhgA*_G=4c279}zC0ZJ?1&=iAPF$~6vGJvQIR}nSyey1dw9OwQd!&)(=&iyT zR+ULGL-4ukD-Ybp55GSaULKBXSY3XaepqsO^wx3r@^}$3<;lrvyp@o7ecF}I8LCP# zxa9+sfN+4e`{_U;Yp4W#j*Tun`}%AX`6k2bR{-@KPdAZt7@6f){+u9A!u#oP^wO;; zTEp^~jTALIc_Jsn{Z9zD7N6oUwC&U?(HS!sSlLBJo97R6Q@UpOq*99A?kM#qQvo2O z<|U9WThpYU8-&f!IfzkW1O!ULVPZvZq|n~l7kGbT8QTxLgYgC!aHn$FsxZHU$)PMr z5AFd$U33Tghulz;esrQSrzEcOGHy#(YKvtCsj1uH$x1`FKeHl zFNxyZqcM7d2k}DHXNU1oH8Pp>Lz9+0h~hb*q%*+oQFwX~osLFp#mU%vC-ERAUq0uC zMo+JL{XuMLXb$s3nLe%AgSguM99GAkKHal}_!hKWwg5iLR*P(_cBqlbsGRi<9S2*w zlZl!TgTlmcY2vhCBt}KubBbj)imyBK7i+}z9~fBuzc}rB!qET9&in=Hb#0CK$51bw zx)0y15s62iQNB#OfCCKZw5zqzq7bJNNR_WEH!gy(KA!KddooO(3f-9%W@$D?^Y21C zH`qA7>)e2~U;Mf=xA>rvD>g!{5#7;DdV`I1AJ>Po2L;_pMfUTeZJEPBEiil=*C z(dI8oAd;Et`=ClPWQd_-ouvCFb?Yp8Nf3wDSL}JM)em1gH;uyL)YoAS3}I zZ{@ThU>UnVd%Yrfn!Bx~?R2H+sI!<&$I#bE&uv(czuv&zlb z_B(u*`#8Y6{_^AX&dl+WQX2fl8o|VW%Uqo293mrfU&DS(Q35??Qb9)n zYs%G`g>_meD5Xl)Xg9XH=&|1Tk*(E(pR5rPbbBR0r-dt|;9G#bImfU^g4RAWK2U3f zoaY0`$m@{D-J;OGh%Kj8V#?Hc7(-Zd?k@b4P-g|3u1_~}u{1o3RLHb`i&3s5W=)e6dFSe%b}x{Cqv_KA&#nmAF@O zm+XE%-?Q>(1N3!W;cS{slz~@|k`ipLreIPe_YfgTwI(dMdq^;-1mG#JY&bv4HfePS zPY`n!^1y?1*;~@_v0=U-lJRsIQHJ=a$ZR(%Bk42Jc{GM*fBjm8~&}^DF8yzz9ouP64*>pTTJ&IqZT@Hhk%-@-I=ovl`LC-$j z9i&i9Faetzawixv93Rt4b?d6U!x+ybbZ{#KJxgZbk=Dn=>Hb{qnw|m6ryr9R(eik^ zWCm>$KPGQnL%n(i9qK=(?1laY>c#zsP_GznvcPa*b#dAm&9i5>~s#F1q4m`qZ1 z8OV3?BOCx3+7+SkS4U}xOk%#^Z~2J7a+!TEKPqRX(op>}N~t4?^hF-n8x&k0TM=2bh>7o}BUH+ms z8u!Mc4@i<>$rnf6bjgpvB!9`D#9?D8fa3q#Q5uVa6w^{?C{)V&Ret2RQ5kD+-}}Vc zlp3ag7kTE;9_iKP=o(zB%XSD`ngVA9TimYU9$OfS(jU6aE|fbY%SaOX0$N`lKwW0c zQT<{|FL#aJ&weLAa;7{MFZCIe;!&UT#6x2PeX6pwkRJ~7g8B2Fgwz_U!UHnNt;@5{Gu*U_jKOI2M*HPO2n(S;Z01^X_?(G?fL&2GjFD}0v z?;5~E%fBC_9GZ!fC*5&F3yRL_&%~?g{>DelBIuItyp^~gYAT;aH1*d;X_nt&WQ3~` zwIf!KwBjB5Sl?CJCs8somIu_|@3Ra5IKW#V#h0;^gk%m(|NG|GZ?Xa+tEnuOnA zTR*(zv;NuqdOel|u--ra8Qc2HSo+EQ3LQ&71L~8+qq?uJBHxWAJ+Ck3*QM8t9u&|Q z9&{|hfKs1u-W{$T3Gcc7mapEeVe#esOTls@J+#JK(bBmD^j?B8B^ABR$?U{MAk*H;k=aJhbuwD1P2q&N@h zn;O|&)m=$>V%KsnP2%yAacPOL2r|VWouo!;3-oH4*Dq5j;4PKHRHj5mnv!O)z5~?% z-Ld3N9a`tS64!9LK0AwE|M026VWpJmGfS=as5;vtuL`k`?WIb)EJ2OYWtJ|ARXn)> znathd$Q>6jdE{D~3y!P7D&1G}>$kCldu1tj)P!Ej%F6c%2!XYJvM>$PS5w(^>g1IK z_{(ES+^}8u?^OwiV`~@`EHTGo>{2zBO{+JSf zbxJfm2BO@%=6<#jNr}ujpgshW1zz7yZM8&1^s*ZkV8=NlJ)su)$GaKG`YtU^e{efx zll^FkzyDgu??p;SghKy~&S@LL86feKb@q;L7J2hb;I#M4a_`>2TL*o>a+nrOj758(kzn*I6N+@8-*Rg zUT#){;u)k#vxIe9_Od3ge%b@SS>$)FYb<^@C3x>l3td~}Lq4$p%r$hi*AlNS@**iP zXDZCfalSHpy#i;_HpE9Q9~7%}r|V0JX$1_DAHBr=-@U&;`R?By z3KFtLKRpzVXd}u^$FBDmi-`)$mEJG=%QKzbZz&niFT(fUG${|-wG{Mk*%-|?>XAa4hxuIn{fe83OsRJ zWYLu(jjT6abdfHSxrm)t>2E!?CVe4Y54LeK74gmeJtj&K2URw{{4q3 znVSQa3mMnw-%R-MdOKsIY_8@PUGBwi%B2v4CE+ziw^y?Au2Yh$Yy8`+arFoFSh$62t72>bL_wPo) zAMP)+d@Pg$`3CiHZ4lDl9Bd&PSv)&$>2@lj{Xl8?Osx3scDjGr{^GXgB}!Bt;WOSt ziTS)cnRzrKti6XCOepgV?(19R%LNV&fC3#v>i>p8q>?Ef{>{e))ucO+jegOjdkS^G z2`Lra(UX;a*FwrqalP+_6wJnql}?P-FBiCf&meMp^1YCvYx_+|5!(MIr0DJb5K^Gs z4`tnSf7Zu!o(M$APcos!1Pout^`Jg3(GIV>Y$t8J-U=T-jO>QcqCw+&jkKQD30tgx z9M`jbj-mk_M24h>&_NW!b<_T4&0Dqp(GlkFG-;3CK*NtiUwvGTxmKf>W%mOWue1)~ z$H?*It8B#d=9byDhVF?>-AYCKvvIva{ny?CNF|Ma*KxgKmVsJt72)Fai740(D?(SZw&JDt;#9O^X+FD~@?!O*HzrMiz@mu5%2GJk9MQ%TjKVa)_T?To>ld6W3ivC$41S)c&H_8C@C><;4m&6X zIL?!fltP{ZT{XI@rH&DbBS)W6l8rX|Kg@P|@R0LYS>SZK78bf>{4NV%jjv*IHS(h2 znKdF>^Ou5yZ^PvuW`TcEY5(z}b3I%fapllX(+*z)TQ<@Fv~aut!D7=t(lq~bYDJPl zg8P?K%g>tT?_UT-GT*M&G2-7&E#5)oP>)WX?VFakUrsHKpUcF4s1^Tlr+3n0AiTk2 zs9NEG`T{tA6ey>-2n5O1UOT;?7j3k+)qhrdjdktxF3EWJ$mNfm-h!jRw<246O1;(^ z`|Uz%Eh(J@yQ;+w0BI@C_1TrqIU1qTP)s(}`rG zy#Mi%FiUa5O6Zk1ulcFuuLAui-h*%FGx77}-nT12iT6LXl>8e$;#aXxF00H?`92$a zwRy;B*XsQGPKpYB-mCrP=RG9wZ`?`6>wckeKo1fu9u!|=8rPPS;Jb{!SWcoK&0p`N z-+jD&9|C`Ukoc-I{A95ES3d8NE2PsDb@)3!jAcAt&?OW&+MKToxgsB$cCp`E=y{=c zb6U{;aDAo^dM9nZghn?uf80s`{_}p#9s*p7yOtXH;R7J6xtnYFT%-|R(C7V|1jeJ_ z859MmfkdL2iJM{=2JnT(A;xL>M+b@hE(GvJayP}ZiQ*^p@fT{n{bet2X|OWkf9(50 zXMpt_5+2L%gyo6QhW-NAz*|9S90OR*cUE{M=d|1`Nl^|~sA z!$T)?)bP*IIGiL0sY|OSh!Rw>qHcJzWqB$YzqOH8W{~RlduU_Z;%?` zKDpud=`p`%KK5j-q+bc^uRmV*cYx-xsi%7@OQOG_as1U^;PsNL&lktL&`Uj9`X5P+ z8@T*P?XWog6!Ej4_|cb*;1WNk|M@#9^m#Awr=RzsafqGLo$UVX^v299gf>xhPFWF< z{|@J8rC}(N`I_@1pVTu@2F-r`!uk1l{Xk${xprVM6+qnn0 z09Od2e3N0l`k&4xHRs2Ig@SK$M6Jk^wN$UBc)dz4ucf|n{WnL9?>ImIn#r=bVI%?z zj|Go}zTpQ;@08O818~Io^%3I_70ll{Frbr#@9$0)5Q-OGO}+&4yl;s1VWvV$tpxj| zZ>SFEiX;&DWtx1EA^&%kf*;0-|9WfeZ;TVUa!e%rFj=ggUpy1LpLs-~ankcin6u6k zi$9K&svV%FcHo?=N;^T7g6O&huPqxzDo3ac`3p4+1A6=DVY{Y=LEkB$27ZBK7D}Ox zHy^!@F^Y%=B+q%|N8#?Y9C{K6|2b+H)g>yA(@LDcH8t!u&d}2*HS~51Z*kFUrFInk z4;O`+xSs=QB*L5|1IY1CC2fV>BUi#AAOD&f)_by=1Iq(=Rhymq7AB!Vk)#&6lJ!qe z!~W;f1Sh0U8NUU{+KEZaMq&BEv+DcX=GSjo{>#qspA!s9e)491w{v{CZT_$~{Fm6= z{|)vAoK4?r)z9^A*QD3h{x<@kUOu22H9I-|R%YPVfrmL@&!?Yb{pAxW{jIH!tpykT zP%8rfH)L4)L81I8%yNIF8}^_1mgktNEw2fHif*W$V|L#NfR|LLF|-C)jR$AjD&yg| z^=nlEd8&7oMYskD=84|DXlai4H32a5f#R7>RGMNkYvHd?3jbo&&(2>(cd zZgiV_uSpNsY=thClptCR;uLMAfntJGSdLijv}@TxijBxPStnT7Sdqb;DoZ$J4AJ8@ zWpuh1hWM`;I&Vakh0=IsV2vQL6Q{BZd{ZI6WoLdECVm(ue#VOalj}y^ztJ#JV;ZK7$_f(@{SVnyeM#|)FC z9sV3v)TMW4=F6QjN@c*wTYcsHWOcz-fzK0;*tJe6&?+^RHJoq9SuGP){cJQl z>)iWlxrg>UQ%h|w_Jvohe+w)6KYt+nUdWg&FvFn1Xt2g_ZLrJq7VZIl@0t25>xSUp zT{obHZ!5u;4pv*05U%}9{8njfc8ADN4)zuNk%Y+aUnxI~58vq*Ka3Cm>_FMb{a-ge z+_HGkdWV?DZi0o(=Tj)IIm=3q?w{opqj96v`ape^*AA?m+0kGo0{az|JLr7M7m^O2 zRt-q;W`LAlVW*1m^mzP|-X5vZ>tQPTzdmbxzSn?aZRp~H%n;hQv&EQR%Gy$rx3|&p zJ*W6zIZ*ibyg;E}O_)bUy4@A&2q9ufc;?D{4k!OEWpwKf(ideE{6!hHx>iOM{!tVl+~9yICVBV(PWh=NPFYOW`RQzapUfBm!y@jC4tAkl!xz z+04>;_HDc-1@Qhm52jNKYRv4@9;2A3fUK)4tPjKh0*%UVPlMmtmi}`B#t+BC(Z+vw zPXCAF;fLelJN5C0v;IxlJTF< zM*MI*{1>YP(h!>N8 zctiLe9siZoVy#Ml4PxACFa6SJkt>sZ-DnXcKQG8G6FroCT@F-lCrTxACrS4wRvH3I zcJ=m~s)tE*KyhfHuD%s)8ro{t-b%NZiLNEz>B{n8mYmgTR{f{V=`bbo{x=Vbwils= zy5vf~lmnTE5(`;Y{vfq5ZI!nFH4x)JQK%bG00ELbyr822+kHt*Zn2VRFU9}>Ehh#C zVU(fiw#YMY_shemyIrB>K)d!3?14jbx-MjWia##Y%|<4nFqpc}q1NsDAfRZxS1&0g zrW;gVbac&1JBDJGERMyyJ-v_SM2fGVlm?fNEGLV;Y57n}0|hHiuOE3gJEeHX+mmN} zN{YIRahtrM5FDf82kQW*ZNBhKCN^lJMPBi*^9WE7<8M=w$5mx-Iy8`O9rW-((ebM6 z7;b)1N=gRrCSSmXy5`W9LXOmJl(c}kX@^gS7ac3h%r?`+D@Wd2*+EXTB|IfBPQD|x z=(i@&w_Np?c*5~h0O7@3;J?cwX#II2?BC!i6#m_S(~ztuv#BQ^b2;2Kz5)MuIRGov z<~C|REMUX&uayJwA4En#%Yo=+dStZ@q7we79H?EirB}WDPAt7m4wJztShG4Rj;!n* zlTFXB;#AP-^;i193q*5+C2qxaN74#^8((~<6oKf$h#fYH8~7-VaB1XJH1nND2u^WrOHM$AEubk99JT22C&g6pO=Z}PpOw%HY z?P1Y*F6tuCg~k_sqJ^i^hm+$ZdkNx#xZ8uI{DnT4=J2qM-v9(lUS${NSNh|=&Mvu8 z`5wZ()$&jz2TxV3xauHw1HGND(kF?Sa`R;ch?2NaloJW(apka(I3qec&ZdPrw-Z08 zeBl~2W#umiiu(ezrqqSNAnaXpWXIi9B=EHLm*AWKY9IJD4(7TK{2KN63l8QNp!M(i zzy~I9m}w$B$5b_n?%+|AuvJZHJBE$GAUd%eO=GlzyeEzFijHQ@uR{+%k1r^|q39S& ziM#rnO#5Gj9)1aZ`%JfOu=rZ?XJ^N|pM8+X9X#6uH((FlB3mrzKYw_2YZ*L}Fmj?$fov7AeaB<6t}=kx?=BxOPt(WuO6E z4`|C5bLHOV2lxm+p>zaw^9(q8!W%8>BO|pcgxg%#l0XvoLXmC`j`Rz%kfy_p8uG3Dg!;rdP}{{8z{5~ZF=EZ2 zp&Z=GZ5hh~3wXmy+t%5QksXF|ugGX0sWbFSo|`fpJ|Bn|G2>?*M;{$(LE?fM`_>_n zuGHQ_uBi|-x{Q};o2;e6Vtc>i)^S36m@$#d@+doAdyXz&(LH$=?UsRw7m-Gm&V-J- z)mY+9n`+uFm{Id5ik8hPZY3D>jA{sc)vw5UjO=ldxrz?UMvp8`R@xw2&*n#ByNVD@QX4^s&zm+1lwUL+Q@HOYhv{g>({9 zUrH;5qwIy+IK~KK5fdLi)AxEw5P)v#=?zb#D>Au6TjXZt1+(W#+tAT_mqj{KxX<`w z2R4B2lQjK!(qL6>0_BK#j$?k%(oJ{1tA6R3S$`I)*>DCQ5V9GNH3B?;(25iDkhPm7 zH_r2(zF{sbqp4Q7jS|CVG}ZkF@9(-lj>Oe$qkcS)lg7C9h6NuEU(fdg{8P<4RY<3_ z1Ubcdj<&0z<8_h#3gm<@>OmmvRT$iAYF6MI)ly!&iE$L_qP)qm;Mz#S3KJAUFSm#r zw_GTZJvl^FpZW{k#Uudl?TBG3D+EXEw-FE=R%i-T89e42mgBRbzRBD@TS)T~8JWkt zMnD0LVUb`W)sQ4-8_T3^H0)Hew>BWaGH_2b!l-|Z_;G)Tr3Venn)@~(VFRu`rV$LO z`-(UQ#*}wn%seV%-s?FQX$OH%6cbmCY`4m9TeE098zahq5ZN#)mM)!9m)KF$W(m&r zw;fFkbK8m<>4GwMwKq63I4vVFhKpv1=x52gVTk}we5YI6iOlK_1_O;dytPB0bDoM1 zOFkifoI;PM#8_Ihw$Fp|B$QR{%!P9H5nC#0Bq2|CO|0$lu37muk(ad`U!r@7sQ ziJ(OebtiPvd6%$&dQZYMr!H!?10GGmPBx|VE}z|ySGea*%NTagHr_&Kcwc$dne2g< zx>q`WH!G%D<@DysQ3Ye^$$6U_6d4GN;#AMMMZ=l8eirX0m#m73Cx^PoM{7#0(ZE{x@WA4B+Qo{pHtu)F4 zQ_f0_N_lCf^!qqVZj1Ep0EoK*yVK-dmYq&iz%Z&c#RKI?6vua1;4bW7Nn?#qT4<4K z#}A(xTYJ^xN9BY&ufGXlUs^3pAH{P6L{s2!jH1bh~UP4-ZQE5i*-ezDrgzhc1D62JQFtscLDr8) z9={F%G2w$Bw7cAZ(M8#pLQcnLyLVSB7M=yc?Cw23jT7Ad_1n{U_V#74y^AnBJfP1G zmb35x00YRq#f}>WWugU0b2Y8)HO_*Qhk&jOK(|2)&GrI7sQj1UVm*DBXhE71-YW>! z2R@!a8<+$;VY_D&jTt$X7O)lV11FaZo1B<~b-1b`v!_q@ zUHgPpU%l2R2r3R7dANw5B)B9sX-m;i7(iU=Pj^}!?pFY~xVau7foD4dRJpB=ChlnS zIJ&CYD@uWe?_t~07_e|zwTv5K+5;eL9wci7+7!~=`4&c9p*9i`yxEc!ff0;!VDVf> z3}oebJSj{`nY@QMiK^;nv95=?l1<{!9~+hK6C8>H=>}s5LPAj#P46+pNN_7R*F|%`&J9`v`loq9P@XdlK^qD9KpFd7Pj6VCr0}Wz6V+Ie=Z4PWG1M_pw8c>7e#))`QUlA-*W>QJ#WTDQ_TbcDx+{g8&v%CI94s~x16?U2D1Bh4|N}c zsV6|G@Br*-Q0WO4Bp7`E0b-1?0w6*jZR5@bJ*aWYvq(KC13>HX$XMqMlKhW7aD3BdI!H{c{3u5I3%h4** ztbtM}P`R&cJRH*jdT~_Ga{!{oAP-en$rCOk&TKdl1T3(h#0Su}9bzSYewer_elAxZ zg-#_xG}uNp9S#?9xDYQR7}rGeE;Wihn~c3(o)tk3&qOAnb3TF%Qr;w%UJHEhqeA?$ zfSOMdejsa~b#q`_5GjoMlrNelz?Vw}!7E#%|AU2XY(NzQm@h7RyNt`L7Heb?k@F14 zwKHpp-)O=)xhfX0`N$sune0Ax{tXzlwx>9E#{h@CC1`azFMPAk3ey%w;)bfE9vT^F zwCcTmR7xRc+F5x&_E8xIY*si}8@I1)Ei=wz!=@ zEhx^UTE4Z)G!HwFJ z>UJQ76DN^>sHsBWrX5D>I|Gdq)hXF1V#5?8h@hW-01a3N&K{ahAQz=Q28|Gb54gib zX2HtFby$&B((sZW#cNSSyv^@}Xw$hwUWhq`$S5(zfm9l?!7#1Eo@ik7DlSdjd!Xv8 zr*WC|jzZ44tbHIV{FIF|YbgfMZWqXM@oE1Jhl|*!H@U#ft0jl=fNHIXXs(o4so1&@ zKcRreu{cLVoM_m(W@1WRnuL3-pX^xqD;mr+9|yDum>BKyYVJ>GZ6P?$a%+%=8W4oO zQcMUcn8*)6es=JwUg7jv85$=f>>Gn%()a{bun^6S1!6ZEWDz zA{WV+ny;Cd6L}k>lu0@Yrd~G%JlS_HUE*u!?k|(Pz>?mIxwDnjSWux zXA}3^t5n!GBYK^?s@DtA-n2a4>ST@A5r0{~ZIZ&wUf|x--BcH+c9Gn#*5lEi@bsen z228rXc5hX62RD;zP^e#sc4ykV?uxC5g15c(FMDOpJ4=##d>Rvy<@*>O_es6%_LS)r z?dtPOc6ue)^ZKHvmN}IKrq3a?|3+^A?o7{^d`<4#fyJ$~r2-eK_dW8IgL&E!gD-oY zqNU0e3@Yw7Ze0xcntd8-?kpBJpk)95Hpf)nUvnH|PU#6R{j>*urQZ*i?T) zIUaBNjc0&0pc}L}@NN;vsu|#jkf1PwRJ9=8{i+(L)ee3MJa6X5-joc}2Kc15@@KJ%Ezrg*But@zlG5QIemWa zTFO_vLhHEFgzrdCw7S}#E~C3@=)78wHX~Lr)Hl7#AHIBVOHCDHXhCKbSs^8FyHH!m z4e|1wqI)|VniGMR;|qe7hc07;d?}1!!`P(j`0nj??i~(foyJ?!(pU2?u0n&NpVvK$ zA9<7Ym6E93D_)a|+(4+`*wubVak)`N_*it5-~IoZq}S-E5h^_5Ai$r~6iS>Q-;_7D86irpY1$-VE7R zMgNZ8bc(9&B^aY)>Y2p$#5{#n$n-3Zd_2v{Lh;k79Z=FGINu2nZ?v>tEQJJq!@J~; zVp9cHL1a~{a>@afknYYgY|(atUeAG@k@hSi0q}hUGir15GswVadps&zySMlCq&2tV z;A!=nUYLUn8TQF48p`Dwh!77*pX?#G?qihQMMvAEvvM9S4gy@YY;UB1O-l<$&JT`8 z?FSQD*h@a*-i@C!-%!y6-@rIT2exb)bxOZYMG8ESzDdEHuOh#&uXr^YPWEY=>X0M! zovcUyTJfhDm3Zh5EOzsVQ0xewvPgAU`kPWzW<*r+ji=d&OS=>b&{tyoLOtP57c+ z@1oP=qC4%P_ti!J!o}d##W4BhsPN^u-sPmn<$eyrtpv5{tD9_(7h%X+cIT{aE|7m- zxyd$54t(qJ83_A%Q3hm7?)sFDht}tkS=rdZ>)rsB}00y!M0g$1QaY}bq|$URpB`<`y$T@L z`|Nu5X?tNkS;WIX^!ya_a7g$9fo6{dhMiwI9dOK4DuOs5JDiDxKfWu1dUNYWTQFTV zNDNaLj$IrqMN=k@tt8GafvaIuCIMZg*(C`dW|v74TeY)GkvguHNs)WN-IAsZpedK8 zekOiPhBn@)T!uc)_m(VUUUs=GQ%UZXcdLKuP|Cc!^Q|e;ZSG51tU;Ip7L%fDE&GxCZoEs3`9&;7tH1qTp)xSL}n3R+&e5 z4%R^-Vrhy^*LT6|rpTs-<8K{GsYjT^LR3f6L&NH=WWv2em-{}bpn!co;LMPRaQhi# zH7^1i{}cU!m-=bTyr>nZa#4(qf_DJ}W>9>=4_~x$0Uby;z9dc{%aExeFip{pDZotQ zi_X8X_}W=CJ0T*JdQyTs0M9UCNsJ-08x)4)cW)&EGE({)9YR$p7KJiLF^tYnfeZ-| zkLp;8LU&6TiPE-39*GiSUCoxz5%pa~=Tt2)QR1F1T}!g=e6N*cJ88C_;-h8_lM1b0 z$-8&YwY4M77w^$VMj&0`MrJ7YhmEWV$s6ypW7HqL&q**Te4m@_@Zo)4y8n$2`Pp%g zJ{08V7Jevv`5k9{wxgq{cI_#XWc{+%W=YG@_~VjB3}R?O+bHMD;ts5&t%~8oO7r4@ zTg2N{Uvq*Eo7**u*Bwf$ai}VIEDY(Mbz9W}V0>Dd((8h@24x`f^o!kQKs%dv;{^gU zl(YV&!Qme@MIL;kss0UNJ+UpF1C95%ac)rXoVn5-f@yJRCqZ8H=Q@=BMZ)^8IqSdF zuP6=4{r)b9Z}po7ho*g0B%||tr%^e@z!?GG5|Iz?9wUuYF1YT;BjgkyR?t9*kn)G} z99GmVDVk=;fo+<~souM*X0@x2_m7U?A^~UFSeO9lPhpfNi0uJ7Jc+7E^PbO%fjEp2 z0V+I;X>+Twm6st5B>+BCD5!A=9YDOGrOeRwentYu>}jWz)-)D88!Vu;w71dJ3+6Q*9rIpT2NJ&eFg3{8t=|;M{K}qQb=>|a>DHWwd8o4))GvoBkGuM5c z_xX8vyWjth{X5pN*7_Q^^3noY3GCP?OO0j>hrRNoRD21TBN zX!Y#fdM;Ip?&|Jva?rj*7C;GXc?Jt17@Gr=1rg%9CzU0Sp%pzwH${r;P)Vjl5Qfut zAt>Ccv@w^1GEb2^dYMMJZ{dM8Ja4ncmvDxY8$1+^F;HwGQ^~GPh-YflhDM zNTi68fQkW9Mh?RSw|S}(w3g+f?v~EbW{VgP24;xayhpGqNK8))i$2l{yn&@CsDoUc zMChC&EbKZHjSpXGQl9w;tsU9#^0>U@(Gx0Oyo?9Iq?~Zhshgt9NV8v1j#6}0gOI(F z6{E3@iHI}+w?`-}N6}&!GHMY)c`5_WL$GS_O&p^e zqE6GZIZ-$ae7^KL?+QTMw+CAgG~-opTpm1gV}leA2Js=to3 z**>A6;Ft1O-b}{+plJ(xIh*`&ZM?8xs}!6#Z4`@o29rS1UdA?CR-q!m8*x5cICO&O zWTrN^h0!Yg=IzqTbG)1T9G9M`L{G;dyXZP|%S8Gb!cMNEL2>XHgxI^!g%5AxYXOre zAP&gM92KEz`isd(N)TIsVhgJx{1~WkKXt$HgJ8CURS_Q8*$WiVPfUx*1jC$X1nYw> z*&4m6gUql=qQK{&2qPn{Pr85|jTA96KB3JyU6Kz`3l&a8XM81PTV$95@k-=TY)v?v z!gVT=En#NNJnkrvydSFn<~HMDd6TlJL3%MZ0NjZzGlJ@t=qkw`4)*G%A}hEpPK3J{ z)G#0T1fiM=e&f)hG2pqSLqkK-bF~NVOIfsD=123aAPH_Qh%_@d0KldQae*mAbmWF7 zIt}@(=ad?yDTVJycuCRUg{Isd`_{`>o(~ZaVKeI|Ro}QR#$;E($2wH<9Az+}Clf0Q z+)PHWyp-01l&TElh5>02N1#Vb$ebx4$#+|)TCD$MW~kMoGIU?e1A3cga+jIJmOs$j}U}Myd5Ni!BLzvb5_F+2Em39f`;t>x6;GH+uFKN0>sLooDVW zdIC;LmtPvg>C*Nfjunfaj~&Y{%PI0Y8l~U$ANTT1?GGQEEu&xw^b37C$eR54UhKJ3 zD(M%O_?og6cF&f%{&#!NpIz)}W1UXUUL0>--1+dNba8p*%We*<#|n&|(}sPtr;&IQ zSO1Ar@X+Dr;X{E-`P;;cgp*UdT$l{U(^OxLw76nIV&qwxW$xj|(3BBum=GIW^ z**_oSG&9M!JL#T2>DjF6neFJ=Y3zZvCid}zC!DG4U0TTCeaH(=&v!YHZXPfC2?%n5 z>lwZG*rO*NqaOGLjsi=rN=h!{`QF*>-gnfzS&@A*seBZcytg0uBzpVEXZld~_+;#P zO161+(ff+6d660Tat8YH6!?<1`L=)Xl|}TU!1q=I`|U0HXqmEWPx;~Q`{^^V8}j-i zMfu&s7lw%YdYPy^1m7x*5qeCIgV$Y7 z9|%E~<{cMYzpPN>0o}X6#+`Bi#dZQ+{8RuG^3e`D?Bjy4ZDK>J$l_fpAx;D+`lvu9 zB=$@Vkdh4=r6YVK49kR7y}yhq4X_LuKn?`aI0h$V0t(siBWi&IlE957q?LNrBRC{iWZ1|7v(?|c=W;k zHX}XfWgQNmb97mhXKQUVGVFbFB60p8rafhtR<#&3xEL7}gWTHylOt@^i5Rb3VYkl_ zK#=Y&CAoCdNDdmH+uT!Ub;HlYnu;TIDk0L6s)cmUH5 z`a$iz$ngZO$PlkC;6z5GV5HJX)?-lSGfuhZvnpFi_q2DMB0U z-dl zwBag_{mf(?J&dO!fw6wo*YReo>b0$EfoUnb@da z62X~+NZBGXS=>nxKHbq$r>^b+*}_RK^1-oOMQMs$xjdS=HX=?MeL1)5b1zKtMo)74 z>7xyav()Qz6t$uS`*KZ_a?cU+*lJyE`^Yry4YL?=+=BC`ck>7F3;fmdy%Uu!FP#bk zKVkb6<;@rr2zli|2n%)Uji22t5PV!Xzf@=ySm+qcnDN*@tEfPrwlD&fDYwY4_zqR+ zC*Sg$lrMwRUlbJu-2qCg#fBtlnj)K!+XzOeJ+C-bo-|E)yH+29C2x~+Ue z1V*n_;8pPR@DoS1qnv`9xKh;sTt%2DXCMi@&AU#esrsUl&H$14H0A_9CSPnU>-3I# z9$M>CiG0v;Qfau0fzC}a?Xu*I=|Fe`Q-n6jSY&x$cD2Yj{TZ-!KzOw z#cH6J@55kSLC&f`k`R8-^U`B2T>K~H8lbRYHIPXc_Ot}a39-4&HhRR8g0`ubO$Fxh370-4~q>SRPpmxN5j`_h}TF|D+t9(ZS*=apejE` z&b@n5lgQ(}3a&=2eo3O0JjautO5aGyhJJKZ$tY-5eyD?5+8TAfnke;i@WK5#(F+ zpj)!-ts<37UPGkjzyLCP0BVN; zbVzq_Rn**EEs<|zi2S4oThxA^pG051Q>jS#GP#qTvP^qULl?b^w>ML#vG(CP-5Npe z-P$hSu`ZI+PHSyKTmGD$2i+dF-ER}RUCz59q&?pJJ-*sK{%$>iDLn$0asYS=Ac7(Q zhYbcHqbI4oCtMq_)Cxcr?oIXvB+CI-puZ3FQZ4r;n_^~>-ZZy1f5C4FH`<2_(_cE! zSN^&OWBVNGcW+|kA2dQ4C${AWo(@5ho>9>QVtA-KA-gI&wfGI zk3QHzIxx*Y(40~-iPJZsP1`Tmg9_q(vKYnmIFpBuWE8zGw?6PO>@nSbLxKb1N^(=$WOU2$;w{!;xTjLqY zFF2*65)8{jyy3YY57d2#=}Uz=&cm!L^ujOBMc~Ejs|H_}81+}nif^~lhzAb*kR;_{ zyiW#(547~&Q$vIuN?F-`KazckU}#f!u-;I3!zH}wOm$@e>NvkFNQH7hB|R0ThMO;5 z?QN~Vsj{{-y90K%*Go}!-=X-egY!bS<$@QdGhGz($)3-`^~Qb3 zkc=U;mf_<+Vo))TK@m5Vgnnl{0~iD-;00pP-LBSGX6iDf*5?^_T7g+C=~2lzfrxu)v(ib3rgp{vTPo|hbl|w ze@N$+V%qJ%RllNhKYFp-Me6t+o%^;lQ_huT^QHA(7jrih<44@j#4$)TOUg0Ce{@Cg zLt;LFf_*Li*m3?w+i~+V6sZBVY#RTH4eF`VK1T}_Kbp6B7IGx)`1&%nrq&g0{AkWI zfP@#|GpTdD9LlqGW!cpI41+?dTDO{}=HaXme*?1lUW|T`PZ1;3viPI8dh>u{fl=DS zTcSmyr*eJ+d7(0n+A4RuQ1vNv@Y$UKt!plo+-Kl!9C#NA6sF64z+~;KB>alPnj-D_;tss6S3LBgLL9TG#Dd(C<7-Wa z%ulJLQhm&DKqmngQQ6kw> zOy&fn!g{qSyA*-;M-Z@8-DhsSauIy#TP~Gmtg9$3DN|8I(%OR$~#*xO@nV?cl~*!HPyUkE1` zWg48H83wj~NR9&SrAetp6;bFucYZVCLhzkODE|c+>T^+!z>ovb498Pj%e3#j&D+?h% z@J>aipoei^fC!w#c!3_nE%r=i69tNwqF}M4y31^oPQNt%7y7cznn7dc%hHiAWW5-i zpBFVgHOE{u5yAObf@rf2*H}j=NTL<#Bn~EcrS&dB<#f~3P_%sb(hRkAXWtxwADO(7nwH^kUe9LacwvYM4jd-ja}aM#NuAe_NY-pwcNoy(yT(wH-6;_ zSN}@TjS)Tl_}6ip+0U4JC_Swz3d));)#v#L|pg=Txs?bw+r5L ze^AOTPuWjhB#p1gdpb-ulqmDkU`^(fZ;Ww#J{PU1U4HwuW48R~q6bZUZM81x*gJ;B zRz)eglgR$wH}|aWf1ESeHi1{lmte{i*o=DTTokKo=lp8EGKRx;w)EhzfmM7gTPV zskd0MYTY*q53Ksiwy|c;kw#ZW-g|DfdBUzy!)rk9AVH85Abr&k%wq_U&gubG@zTz6bl1{$h1Yen2U%4q?`D0&2LO*3*KNSr>H77rf1V61> zKd7vvd+euA=ns{Zj5YipI{BL>_&=`oH=pviJodLH46x-5u+s=|a0+lr2ym$laGMJ7 zI1Ydi272=b`f3FFI|T+N1P0dzhE4^B(;Npz5C%o@2E}Lu#W@8fBm^bZ26c1=k&Sxz z@Oqdb6ZsQ<|8PVBzyZ!-W&iF;^2di`$Ya4fnjcql`s3M*`ci(*`ruIY#|eBNRlFHR z``t;BBbv9f@28Vw_0_`>n)N|@*{k-`NwUFd|LP>kD(30|hej?}`y*7|$tbETf?76B zj)*Ffut6L4a#*1av4*5g%TiBpIs>UlYNVm#Lw_e^A3v#PHFu z>JZ+OwMjgeciZhUo_NmQ&FzA|7f$so#i*BVy>_dcG2Xt_;a1H6KEX^U(|#ED+tBFd zdXX1b564vUcF}y3aw#<5c)L+OMlrm8H8QfO*K)3^Z7Rx75$vVZpTvDGd|-4?IityaRMJ038KklSCn z9HQr2yF#TWuf&?9uDj3}cEh-AB-0V^NC(xmS^EPZ!-issuAJQRBl2i-^hVJ%i_#kq zL-3hOizi;=r;gv8B!7!eLP~vlyc%yMXkMRwsdI{^R03-K)Xmzmhra!JPa=D`6m*7z zAvE*qbRC72;Z+MjEf?Z0k^v*V+~Us(b^34?)^U1YR*!3Z~{Tc%GMrIAb#zX%vDj& zZRtjBvCJSfIZ__}qK=weHM?6N?LB}s#PG&NZQ|LID6R&L@l$+ZFEo927#|hmhj0AQ z!7_VMJbRRM1~|RKUGCh*+*P7Xjs~yN? zaqR8aJ>83MMbBdk;G=A_$g%2h8=Nz)U{R*yV9RiNs4B>CZ(^h@X^KA*^JQHkh3$Uw zB6>b=xAc&0(tgUCT>hQO-XVwj{nVY%eEtv8!_PG;(p>B41^1_!dfo9Q(!Zb=2qVdi zcoQFFAm1wxCFmRR$K-$+vSUyN+#D@atjxmSd}RHNcKxkI0sw%4`@321XWs^BZy3fu z*}Q-9bZESMJpbDP+FxBfTl3A+p;Pzio2Mh`@C)kK0UEG}3EjMFZL}!FsqUu9)m4}j z3$r{~7^r(XawF|3>perWHuiOZvT>|WmKpV@eI1~1_KW|s9Zs(_;TaYoFoxn8kW1Qv zMF}KwQ+*#aNrp@@4D90!ADo8;lp=VTPMLlr{tU~3G;yZOK@52X%fU?5Ys(>QT?|)Y zNz;`u-uDGxH}C&$z|241ytnLxVfA6>wy!)LM5M4N8@cU>SO=Z5J?M7Ah`Lo{Y$=r5 zFA^A=HDBx+k~jFG0C15z5FXy>j>85Z<)Bl)Vv(J;9dP&}dqul`0nK_JZE(EcxOAf# z5GAmv1cSbMI&R&$Z7$ApCM+%TK;8beyaYzfn|nId(3a`GwnlPax4om5*~dO@}x&}0)V#Rv`Rvm zwg6)YXU^SCkQ(ZI&!+n`D-D&ipi+;Z!aQDQHk{_E@XO(t19NZJ)z6!pPr?;9IbgOm zw@A#G`Lnu7V$W5YySL8wN2FMPJ3s?izg!K_FDGmHr5=^srQ2W5cC7r_0R7#Uxa(#U z<)GEWr$8=N-tzbR>)=*i+QuIXAGsbgSi{ zLfsAQBZkQ1Tf@-A(FIblXW^jvgfK23BdVRtqh#;`^>-wKHCK^a<#;3E7yLpD_$m9x zdj46~`w%589Gdl>UF(!y=n9SdqpbJu3{Z?rA7Oq-zwQ=tC>Ds2%^jr+Bs>xy(?)gs zvZB)j|6%CRMhHf>^x$Ky{iLaZJnov_K}(n43{V8oMtg6Qge_83{uSwAmzn*vQ%gTp#5XiIro+X(+yvHQ@o*n2w*SH`A<+cNT}^^@csRoVP!Y)9kwu3h2NDmuafBJik*_>qzU~2Z7=o)I47B+2E>+LY#V=^`A*j4Ono9=<})P4 zbC3SDe86*P4TfTBbQ3`_$lm{p^7zZwp>oGn!a7zu_~Xc#n|fSig%;HcxQ!RfFt$hU zxdBEbu{DoftuDtM=OIWe&>{^2%PX*F$xpH-%gJhty5-5cgl|c7XL*6Q7tZcm;g--M zjTZmU5?T2kN!rA*7Ne~t3iJ&UNRzr_7-7sAcfE?m#&@;_E(8*Gi6rFs6?%~TyY_xD zT-{C3;9J~n?QUhr-c$3mnyDXrsp5T-$5^&?ywS~id44cy1r4EpSEP{vKmz{}ejK*f z6@MTD@g9CPhRco*1$rj(Pf7GlRP~;5RO5>@P-89QgCJvh|4XR$FmrXqR&xUKZ-(qBhn=!Q`b}v|7 znLgHcmG)_rw6x_O^*4a|Z)*Rpc^{1@`)jYC>p=@L&W?6g`mg(a{<`1iSG*5=XW@GH zwoDv0Kdx35J<3JnEi&IG?rmLa!u;)K)kL(im~~9jl^R4=2J3coo{gPXz~5Y3$~6(h zs@M!EAE+U|@bit|>lO|hNbP5uCBYl;A00>-WdHW&+aFG)fW;<_2E(n0%uejZDBmzMm8O&Db?EPS6~h2gB9zMX>Uuc>T0 zaq>zA{Nu4Ca;Q@5O*oKIKAzWx`A^2uP$@A7`{XIe4J_VsoCz;MIsoKSMtX$+|Me#O zbu(lDzys!BDZWZ;|9j=2f7k-XqC_RVH}gY{j%v_XxBt>BMlXu5H9Fl0cw%2S!zypq ztIhD`S7~kG+~|90?WfJ~T3Y-6;P(I9(%Sz8l1Rk8fty`ZHvH4DBu_uEchbb0Up-#T zvtXyZUsQPa1>WB4hpm8V#o~DV;$=u5u3<(OqE{pc z)=poHaO2|zDj*@}Ae!*4gTr-Jy~6W;lUAtCejf$)uL3`|k5R$udp#PI)Tw<8dJTf+aI=!nuWvA}TBmb!7vieBO^TS}xU+*s` zA2L`6E#GFwL-&^~gz$Ph6XP7N=I7lWC9@S$NWqfuB-#y%IolrTEa8P)cU9Wos-EvC zehxq18@MV0{Ps{NUD|!alW%`G+cqfR(C7J`IP}XA@CW;g=>5C;7G?RuLlMPZ+Ag~|GIaRg~(@a??89aO}-f#APH2mHhR#r?gPC~-xE z&v-8-R$@;I(^y1UM=v#qNctK44{wpL8w)((nql&jkaEp1`P*-iKUAsDl3-B_k{{Ay z0Y6%x zZpTjA@nw+vD7oGo`iw<x3nQaq z*7(Y&RHG~!o?0WJH-A4|eqDF`H#`J?K3p8}WYJI34_?8xuB8KL;duf4C8mF*Y5wo2 z71t<}Ym~_jRMX@igPjxE*iq=SR^ROqRBcV|BHUIfak$~g^iwwhX(ZIMLs8xbf92UZ zZD-1WdUh0F4xVtq3HNY^_3uL+k`0HJV{&H=PhX!3V0<1|QMdR!q4B8r^B+0L z9r9;np#RQxlVrFf4k7e*(9++6O-DKKr9jkNMenU+$woQ7WKao=RnXqVL?Rs{Zr>x;b5gN*C*uQ!p zu&i7;Fm4q>-4;No+d`y;!Fr5|W$@tjk}`lR1WB&RuwLy?o(12t0E!LfITm2*FZ++) zLXZTB$GoxD?3OOc!krX&IICNiVYZq^+alI|KO4q-R$9N~Gw~oKPWfeJkp(ja-}Cujj0 z;y*S{Gg$-^di&^Qn>4?YAya@2ckUiBQwny@?t2|!784Ijp7F?y!7H~OKnR7H z|HhJWI7@Yb#^baSclQV?Lki#yyF9I-w|hH>hfyoFCGUT*DA>fE2umXo<|G+#1OG(Q zR>&iAB`osE$@`S6lW4{d)1>csH5ZNt&{CU|HV2c?AWvG0Qpxf+3ef)CEc<6NByLEZ zB9tt`(uGCKMq&90QuY09^V;6<%Q4-0pY3@%jomyRtXv z6#%Nya#AvGX9aHTd71-ud>%LA3}IDh9` zp1)OXd392dcSnP~w)=q+^x}dFEr!+ryK(PyQ)xV0K)+Tgkf(ZUS%hndaDn*U^Va5w zpD96C-*T3b{HaY;x_k;t(JxO5|HG=EtvxPo`^C8tAu^TW#g+c=fIAJw6CLiCdjQpjBEL zOE}+_vuYNa+Uc6AefTdag)H+Qt7RYAZ%r<>yV@6BvYhYyo#@}6%l3a}uAV70!=%A% zuqJ40u*>om>V^I5r#(>=z1g-6EFzz{(av4KcUPO7QEFU#-z}PG15+z0vl@*dO z>@Gg++;9iDh^7e!MDPTNc)*+@DSlHT|SKTw50Y_WR=hUCY943!^q=5+1t=W^$j; zp?K!ZE4{kES84NmmIZWf^jaUNBl0Tyu{ARme2dV21yvb?Pw`yR;q$5i8U8dZrB~RA zd^|n=9Z7G`wCE3EO8UPXPhT_|P^}GJT~Qc9`?oe2Gs;+6OY?WuI_dw%m51M077mSd zdtPQBhKM2Kn=A4;9B2If><84cAn~Wl!}pej4Q1pma2LBjh~9*0g~%#O@^;B6ods0W zoMU-S5iZz?g5eq=8&ETA**;3y7fg1Y)bM`wn7e!WIgN=&U5e1@4ex)h$8 z`3t_OPZFRe!C05H24!xU&t`@W(!chK48Z&8=Nk6P$=|^<|0}=3TU93ZDbF!1G(h&{ zCH5y00HJ#2_nXW2AMmwT;ravqyB~1!6IcX;C!5uC4rtF|7Y+ku+U8^Jfi%i6|SK->L z@NZ>@Yp=q!SK&La!Z*d>+NowO8T)w_b(+2T~0`G$UT68j{7Mdaf$9 zze_df{b8!1%A4{{{g3hOZ>fg+(cw0)x-llM zb{AZ`3#wmSw;@D`7yMhH;M!eq?JoGWyMPb?0BpeiUC@tTv1m0FgY9Z}G{gO0BX)7~ z*XDX(e!xu;{+^UZJevPHRW4g5Ri>(F;FD8l!$Lpc4CEv-)@=&&{)k${!=k=*Dg&PC2M#YTV?af#6ffYT;l zc-Ad8D2pP$%Ho7Rbj_;_lr_cFnIUoIee&FE^V3cp_+|? z7HnSn!PAjN$I5cE^>p#d(T`Sk!Y4Tr5XtlJSrqzh3G}U(1Emo7I~1@8;;jh3tWboO zzW;Sx>h~qcqCb@&hh-p4rVu`+3izwy1%jjH0PIj30ki@*z?$Pf1O0r9OVLaB%4qFH zCHxWSr$e;0Ppv{Zmfj}!mca=~vpOn{y!_oQo8BJ<&#zkzbb9?0LU^HQUa-XNxSmK_ zp>N|0|ArIfXVBxz51mX`<148%|2smsV)inwOhnO7gz(89#+MoeF{cR>^w?j$*+FN$ z(rzzXvmV1Joj3kN8$HT4Dn5E`nS2u5E(#dOIJkGo(=7)!8rDS*NQcgfdShmgus z7&&G+h^ZPp8mJ9JdBrKK%?ep7cA|z7!cBpp52hJbLj^r1DJ5=?WQd8=F$F~gz!Skh zuy}DlPGR0P-W3xQ-WVCh()UN96W9E*_)fHO6FD;BiKW@QWZj9yRndpQ93LRi4A7cl zOYA<#Tql2!}Cz*tD z{l!ZlB}tJeCo=An$`L_vMhte`bqh6ar#rxkw{cLx)5>2K827b`no?I7265-A0e0M7 zNdjM6e+i-a533jcfDnFFfaE;2PbfuXd)o5Rn&`>@u^AKswT7@ z!$x6{oS=ko%r>C+8{_=q!x{6d&;zuj@d(=QW^q-$Q2h6p6+fbMpw$aLQ|)WazLs}# za^gKsKS|^bov!oOV}5IZ{hx|!ds=-um@KV7-Dzr9?8Rxc3m{6Pck zAB``{&g#71Md?i8;vYvKz@KCSFP%*rC^5wYg=h>nLm7ZHr;0(9MpS?lWO0U{P&yKX zH-#yf%)zkDgm}e_0CQMMBdwe`NSOe97(yg5DRV^?Ta-k&C22p=5)Z&@4wecH&`M58 zTZMhjPW2QX@@6IhbT`f<(iyiOW_(JJM-4!Qnqi!dx#(q507HeOh#^v223N?1jc!hv z%ecJ;{#;ici*iE6k%f%}2rUnPVq9p6pyffDivuN=IN1&!8g& z!FW+01-b2BxXmTrL%>rCB;F6mreofQk}hGgJ=Xv9o-o z#a+ixe9tKooA^z6_4fRnsf;5Clv?2mY=8)@*jXF>G)*^eMrc^W5Cn}QWB6+N-&f6m z2ON8I$L}hn^A`kT+89Y$c&Emi7sDX-n#m$4Bi|y=Q02(%5ux1k3nMnpy;uAGb`p@= zEKemGK@%VZvIU67z!YOrQfpi6b(*(kP)skTs|^sx!3R=dcDl{eKr!ewrkl}T63F6S zsNm+{NWUNpFdbghuy5sOw5KM4+OD<$9)=2vQELWu#o#t>%UEVOz$^=Gdsh!;P8h02 zvGFc)SLmf2H)S|N0W5yRw4Zq#eRQY=sViFSoI@mCnZ1Q_BK6I{WT3gCm9dP4+u+0Cb80k9p1Ad*}>{gcE6oq`8~e58KDWP9*zk z0|G1qcQhl62i}uB83?iTq=9+wu}MVKfM<_o3`6FzB94hU>75_5fX0~rYMvSFaQ8FC z#APGf?Fs>FX7y*Ui8F+T}j;St8?`R%t8L5mz}P8ehhu3-W75TbOaZfdqY z9!>r(Hie9CpY4zqytAfdOuJ`mbI=*yUr}``v!|uzl|j(Mf@M}YwSIi~lCkW~i~Uph znT06u*~O#?j!XkRg(l09`zJl3@&_(oGHHa&KAqWuN8xbIWj&gA7p6lVE_&k+wwhmZ zJHw#*Sf@}ItxJe2XQ~U_aAP*%4m>3@+|$%brz|w(tW>X*1K-McfV~ zdUKz7s|yVkCeDF-LaJ(1Iq5Bt{Dc7dXb4dc#W?t5eeYd0GT71vGe-4 z^^?&juL6L#2tY<1t~X(HQFoi- z?rX&&Fe94X*YHz6#vAw`Fokb#Uk=x|2*bkz{Ni9ag8%?906kjmxM5HyT48A}r?kDs znQ`+GF%$t9Ht3-_UI1Y#|0VcXh|eurpr(ZP3ZnI%4+Pc*#%K*M#1GgYZUbwBSdf6@ zH*wFf1JXoeb^}`rwhjFgCzmvvteAs!xQaXz#HZ)JeZs1*UfWYdB?pdtJfzPOT#}l! zW$363KrS_xtu}`TF9BTKT#u1KGhG2H+*XGZ%Gx}RZmRb3Qos=n99tR#W-hDNabqld zfH0dU>3c$L3UE(>g>iSNjYI@*j^xY02u3=Pc%CCBisAyk6qclP{v+HZ6}8h?w}U*% zCUNMWjZ)7sE=3`@!Nh@xNEB7m`!!M|s4$ZIFe11%bcZ*Rh%bc1CbIT2-Y*zzM#gBu z(vCJ3!7in|bWpD!-5BRckx@r}9&cbKSy1hB+ML4D_Fx*$b!F7@Y+ z9t?0NJO}&SISD`bY)@L}rd=1WOsN`06iqxHZ+Q}bQ#w%djbmS+pABPdkaQwgN;=Fe zK?p_PlQK~hC2`#-vDz=uKw8h6G09Xj;Vw#2Q%(Z9WD?LUNiHBs1SRVEiAV`bf|;G; z2d?BhnxNFW#Ml1GHsZ;6D7FSG$vTKBj*KbjT}dAa^&K>ASfrEZFNrv$>%5ohQdSr_ z-c952I;VYn{`utgQ6iq6ukM){$3+m{5Q2D4B$;Z>^qqe_cQTtvZ34|NqHza$0&I}E>q%VCcg;G3PYBtSk@hOhN+;e zXI{_N+RUnq!})E{2r}YWw6y0qZP5*6cI_VNJ_1os0MifvI8(r~V{GAI&;ui+7?XQ| z2s!jM<#T%Az^dFT18~*Y8$kp)f(T70E?YLz3^6i{)dr9?0*n(yI#U6KBLj}awa>vo zLN*2qWWcjP16V)c=?7pSJ7|I-&n6GZ!V8k6m8W?ROr=2MzO?al%mC=cQ6=UAL`{I6 zDsGa;T*jO^@FIxVAU}yuz)d@(O8SB@aTS6*u6_!gO2lZ8jYo0$wmE{&GedA_@8Z{S9NS6N7ELtN2G#4D0=l3W>DzY!*0k~!5Je1{k$}70KE$d^Z!IkcUHlw-o%u7$M(UZVH4Jk*rY!ImAVxZT}aVBEuMxwb0Pd;ql~hAgN``!KVC z^AScH?8J`AN<}HGQng$EV_2IKlFTw&G=KrIuLJH2-A?3ilH?noYN`;qX-ClePl4ma zbqY4}I4~uMA{Zy1fP>b7GY6&KVJZ`Qp+|2|Q(c_udCGulujfF5%X!C5m<)aGzN+d@?ptm_p?)FSUFq+7 zUT#Db&h^#5=#w$;DoyG2X-r6w>t}eb$p>DUB4S-ywA1 zX5PT|bnk1qn!LHe#f|i(LRYGfy>gU8`PvafFM3_j(_{;WFT;$k2TS6~FxguBJmQ*bn_m^i2h z>eYl9C28uie$k81JoesfjL>0BdUVu+bj<%!?seSUn9kA|Tk0t9a$jWK>lD>nf;y7I z7}}x&uh+H5`9U@s&7lMpo!?D5DP%u4P%DDP!Gr?F1USD1!!7PjTpOx2OuVrn|9d0!Oc^|q zBDgk4G5njmI(q1Hpmx(Y#P&{TMd)Vvz>Z364E-nJo5Iw<8MrD?mcY!B_A`rfx!IYT zyDlEPJU}Z+PtNj28TN-G`4YKzEn^Iuf0biE5Y!+~AsP8;^MINB19`tM^bZPD5q^3p+ znAx4&a+w=(P76VjP+i4TF7893?g;3jJ?xp5$7HJE*BVD|c_vm0lcOuksd``IX$n`Z5 zUn*nR2oBi?0*?+mk4^{jE|ZNZ@a2N5o8XY>mk*GV$KK@qWu!_PCGVvo*AVO1wzc0; zT&z_QeS9xB0G9e_Cg>ih`-!RWW7oh(uFa1h^FEX;aGH>>%X6$(4slj{tXE*Zua{42 zTv$IpS#MpqohY!;<+0I|w$azTfta1V{&0~2f0}&b<-nHSRH};Y1qicq@|ncu!~%s? z$kYt3Ts+On+Y*<_EnxBmsK5yjZ@l!OL<$)+%e&-(YEuPLLSj*^a>@mkl5Nj3Y|wTA zU(JJ@k#{U20SNts)2j0e(`Zl zp6;Nu?P8YS$3WkvvvM9Q2?AWUZmy+*Ov{Q!&-M<-?1vIs*-Q8F?#EA>uPJGQZeku_ zz_zX%cY){9kOTL?tQ1TIN^);^faG{gX8z;%7Cy9C|Yqlo|m&d8BpcpJbKGx|ws?+@RQ>@X` z+|twMH_j@y*|YS{D4(9yUb5G>oHbvbwca>y7dr3IJMZ#5?@2%JYdIfydp>k|K62w? zOz2`<@8XT;#cnR*?F7}SOIEfgi!kJ^+w)eeZ*P2AVP%`S0XygU1s3khq5^QM<;%{E z%PpbHZ6V<9@E7!`%VWJu0F3aWFn}DLoD&SpZ1;gD6Z9oiS{4t+W7h3RP+E};Clm01 zCsJMoN73F(6HiorClkl4Q>4wy_Fl}F1C2W-X#bsjnt=Nkcw&_`#Vm<1a*3qzynFs! z0-Wwi90tlos>QmUNvi8=B|1$W2qbD78WkpkX%fk5n_ATt^UZ!F>Ra0N_L~cx$?Ds> z&F&Xp5J)w4^xOR~Zb+tR>>753kqP;eYVH~L#WL%4rD*Oy97+}NL?qKXFdfUimoAyA z_4)CeVx1O$vImFeGgX%sZ@W?-99b?jxnClZYad%LcZS`NO4B~EeLt8g6hN+XYWHcP zSg$)x=geVizR45mhVHr3-n+qcsdU{7m&48ZmVg_2U))YVZ@&GIBI4;EdUk?!Ff4SA zNVCHX!+u9G18{V!Oay6AW+V%lV0>EyjdkN@doW!NPz*~5o?RRyMN=-0qae;Mfv0X< zE&*Mo*(He{<&;a3Saq;VkvXoGOWp84E(NuHDDmr|F$U|y{* zd(n?yL!LRWdbEPKmDU&O*a$;YypA6P3QANc^ud5h*W?h%yu6#IqUm?#k~+@S+xUR> z+q+@xrf)xI|L7z>71lA)E52b~(ZE!46`5_mVB*V$-4$7=$J!-@RJqFRju0|FtC{Y~ zoUVvJxC;u|e?;8{3x+a&x(l)lvdcY&Diw_(UlgeQ?JkIy#Hk!yQ~X_6e^n6k*m5Y| z$e>1Ev(|R0H|;bhn60_?@h4&3WA+>U$Rtdeh)u=4o@YS{M0YK{M3V<~7vw8{gWY=T zdO#9DOGLt=o;i}N*;Jj|ShF(Dir$u9T7~mzx}N!HTSr}O?KSC3fHoSVesk$j5cm!I zh~U)y%cd^`8n7u0njG@F{`?U3 zrXZ5|!e{2!-r5JPa}qYt>Ul{fTA|kjXoFI({VqsUzs3hKjV(x#DX?U#Uz?zPe(oAO z0|Ni*^87OwiQL4<&`YnRF9wjBCN4;_WOqZuNc?n{B4HyH&+uXN)soS;v$VtbS7~uz zAyUyD3(@!&ON*hTa-r)0V6~~ zwRPD5FXgA2-!SSS>ZBYjnec|y+G~Ut7#S)~(P~Xpi7CWjT{Q?TD z2L3a~*w(`g^@Ce)Pg-uAY#Z$EVnhLlxkTpx)W5=LIF$P~J|>lxc*}#MP}f0&d;yX)F1t3N@6$&C)QRrEGndgC2eB1k!S zGGQlX^-$3r<-m#{U*)m{$@rZLmI1j17!lCs&0xzYt_UV#B!Z}rnc>rlw0_waC^tB^ zzz`%KYYs(5bF5*2tAN%cBDE*p+#fC(8wXNSR>8rv3}}q}fn<9^b(m(YLX1G`1qU9P zu+Y0f{gI1WRoJ-K{NDy++|89B5O2oFWx?R?xh+MtjBvNxpigG+CO#Jpm(XQ!Lnz6& z6pes<&3G>Jml*EGSCYDjb0^@McuT<##0Wr|5e8CA7mf4?b>|q+Y}Jg#kv#1~c|`2K zcxF=JcO%{J^3iP?v>ucsMBO8hLO8hRox3m5h3OuXvSClBSkF9|_O%j zUH;>wl@c7<4zO6!%nO#8Ye}`Ax%Rc(cBXR0lE(Z^hR-{OE;zfwZMNG5( z9ncV5g~#L72NszvX*46~8-V-9>kGR zIwMCNL`LF~T#+&gDYC+|#EyTil|qLJLpOH4P`FlYXRU;ym4cu5un!BcotM+~;^j&x z;}54Xv5<&0QF}tIl~bRXz}~DIY2auc#}-v2UPO0+o&{b(gT{{j=};?ZIonmoJ%gp~ zAy$GMG*i;<9i|O3DI+~BW=}ux;yE=jBXDgpnM*DV<~9{WicxJ|nRN%!4)#0QuPnQB zk6!3}ra>?jKe|iWCy7Pu>906@sW)!~fxT1IVu;Mh$#ntVVcJN2A}O>QKOAxuz1XGB z()vmkS~Ry2NGwZcJr-fUR=>+2NE_n`-^i+j^W=1HG%<@Xg4yUTl5m}O;3=kFf)=r> zL4-RuymTN)7<<*wM+=~%#i$^qG*tU)G3p_#XN*Bp0rz!uzC#JNbZjDt06|2a}dGt~GMFY9jQ6AcNI zj8Y;%t^=$vjO(7{Cc_gh=iNn5jpUUgCz%gwnhm^%Sxb+xx_iGlp!k7fQ&V!Wwt>e& zHlw%o-YgfPw17TboI;ht>D}0A8ffnL@TXFk%#g&aDI{fq z`wIPhj&xeQJHjCGk86!%GpgSmXlCOW0$s=N10??UR-Tdg=BQu3t8 zyX{dA?A~sm6u)Yl*dO)k)}#A-1lKz{jyyPTi8`yFd~FVAO5cJzRn33icd9t4q|JZc zEdRD|zejLlduZoq5$Bv}-}SFM+2bGHNftY&QGInysH<4w@p?Mb_jao|;>(udxx?}4 zFZ*j>uD-ulKEJs1bu*XCa|!L1^Xj7*uiH{juJj$q1`qCj+O-fpQQ@VSCmWyGyh6aT zKbhULt8?8s{XTNUHyT%9~(1e%pd%ewtcL{nkzl4L4Zb!^Mqj&Ckj(CzHokSPh)YVZ2{^x3%D_Z^>gg;YYIVXUxK5D&&tH?War%gG(X2&9yA#*a~B>TQL)#Z+&FL z!d9q-W5DQ0xS(O}9AM(@f7cm0Lh?}98$xCr2nWjxjft(CRA~zmDt{p&nQ$bG>wvoY zX#un16Gjvo=S!PLe}x+i& z10`f|3Qo)d3b{!m>!JNJ(A5~g3IphVXVBlt&`V0V%oIehfW3kqdXCOugMq8RHK2!? zWJ8)T8|DTWV`mk>z6fvyRm(}q$;V4ULv4fDHZdOsgyCcv3_5_v7@=KYnz`=KUT#d) zJ0y2(?R+dEO3Ylh+ZErAMChgGNFTWO{t+)LGyh2gv9L=_MYLCIeGC|+Nkc9r62!ix zf!3-W3qg-nz%j|=1U)e=_nQXEiAoJ|1OH}H1qm7~TIuSA7-cS2ugMu|nKA7on*WY=z=w~`E?}ce6 z-N2y2&xm-T=W);wchNZN4%9A8Hvhcv1dPoF2MceDSF6?(j$dd^-iKWP)ye=C& znf+uZn`bI#l|M%vnMGQZee*-~@%t%tO4vCafNJwpe2fW+iqHE|}ab7$8OZ>lFATX*@V_Mh1Q)@-51rGC^MV&V`c|8a0|lTtER?%m{#o-4|+IzXk%OtY30Erq}vbDfKrBt5Ehs3>ywb)tJEb7 z8`35;?UQXx`=pSeO~@p(`JPv9Lw8=!&{rX@48G% z8E4l0&-$?8VDgGWY1NR7t~{)x1EP};BrRA#D=fH|+d{9e8k51$vI5W1*;KWd^PEMg zsX>j1P;CrG-Ktcbbgk<3IN8-6Cl*`{D{$VmgSsR^pEq)~xV4Wd^;2d93v!t28OiGH z6|xGh7Wq?31zyX=R>7tdFB;$STf=Yw}SF z@+GWqw6yT6W%C%3MOGTrCFNz+OgDTjh-vS0kC`rhQXKzuIPuI1^mnW1hi`QD-7__`|YgtZd`PkI5I^D8%)UrYORMy^spqKdL zsOeTQ^}Bc1t*_jkPkCyuUS?gxObu!Et+d=sPIg<2#9Ac_A}5|sDg=vTFOG#^^ORwk zRD2@Oz&AY4CveeTkC1%24OUZgQyk33Ovt9#-YQxW2WT`dDrSY5u=@yhaI+tWDiAhyA8TLA9lS?>~cNs zf>U+-h;$+$Pnx?!XS&1jIIL~0qeUK|^YoCI^u)3EM1;~tiS)#>LlfBv zv-(4mn|roKdeW7kIe3IQ&As_lG{~9WJoetlO1&uIYSFv5-kP8$diK?W zFRyH=#~+H0I~a{SdW<`#jk`V>cb^^i{4x%wp70T!Kp0K|1uFt zJsJIln(Gm?bGrnqkQ=-l&B-vGy9aGhk}v!Ld8O<&pEc6{ba2PtTbQv<)af# zD?@xR1g!cS-pBT)q0HW4wpF*nzZ{EWNHx|ByePZfSF0$s-pU{q*grSWgfe>zvT9Px zVFW(#+0w=W4W=$_z8lUt!8EmN*jZ^RyyzPKVElQ2Or)asEcs`4$iV7tG#wN;W&GoL0YK@4ksTyz=b1r=red+pSKH zE)@HYqK}<#fP9*YZ%}0K6nlrwv4f)F-v7sD?|($YMY$!twAyDFp;CLZb`c?aFsBzM zX?68(kg>fPuK-FRz<1nee=$^W?X)8L=4Uh47RoHMGdJCA2x$n3$M(c03c7te2CJoHXL?FbaH z^Xi=7r@07QCa?&dx)zd{G=9U6J2VRqW%fqgQ1M(4rXlzw*-n9r;k;y*rEx+}3sv8j zvKK?hopX6Cm9GZKUoWI0kM54d6v+%~vP*|n`by`xL@?Gh^^!v9o1)-rAv)@E< zX6(-;9^}kOb=Hdm4i&UUt3m5Z^diA;q8Jl$mS9A%Fa@fvQ#jqdvtNzaJPmBrQduZY^BO*NEfC+F)^q1j?6 zSCZqLl#SH?h!M*@nWupGARBI|ZuVR&kn1|A#e5MXk=f2dF;|b!QX!WBByZ7*3=&5f z2_0U%p_iZ9Q+_Z2Ahmv+8H%)14=DFr7(WRu(JoCgK$ z2YN&9ApUeAmI;k4=?9y?eAQYI3J{bZnT%i zo10$Id`X>hOD%;TNCSDdX}A^;ma;kk(uNrr2D#A*w?3nE0%wYsl+B(=k)UYP* zpcO+2++YcA`XB>$CTycYfaaxhCE!<$5SCmFsgYLvcAN=S2=K1+Vbj&hgF4wzv7#If`%UJtFUm& zJ+o^Z&Yjtq1%X$qI>bE9dIQAKrN@xBSlD>7ILuXPA4|wdCO4eq;B@$b6mgp4YjT^_}t+ z5k>ccNSYX1RQM}w@U0BkoG%5+upC(4Uoq)xoE-dm#ZiaN`oW!}=@Eh}weqE(LJ`xW zb4-HuF9tr^73j}~nmgTktNdw5ziGVr$wlf2j##&*qd?qA!ScApb+2;*^EsY%>bMU! zNcQwB>=C|Um z!u@Ux+ez!lcLML#^D0xf)8?rXs`BlJs0Wi29-AyH914%Jj?LylirQ7yUpVEcd@eG0 zBHUK*nnAQ-T5402dUG7??{j&}M)Sjr$+|g)dVw^1mguMGw=P9-HyvD_%~r?qJ)ADz z*=^#ITGL*vdwpJMZxHOc5ya^}I}q+%bh%|V)aJNXlkFc3pM4xW7%Kz4Hwsk0&el(_68AZt56&WNG-F*IJtwX!#O`F8nGs9GnR6t%Vcp z!=Yr}L_*#qy56MD-ek^%7%%{&4q$Sl5vu{@NIJ?1Z%ilw9vrv?rUz&GU~m%t_U}Rv_~~;_)|gzG&g>|2fLvO3oKN@10LdKs@ZfI^sjaVniz! zu*QRMCA%mI_V*y8yn+NUXnnkw{YP&E29VKQ5rT$Q)dx;&1_HD}k-9s`=P^RVWUD}W4d9loWmv(!=~!PW+uYs_QU4M z!WV_Y-{^+Fa}Hll4F6akzB&=UwjaJh7O^E1v7;NY>m0G47;z{Rwlp64$tnCxcW7i* zI2zh7q!Szf9XJLl{?*&$-`3a=E3vD3AKv8lC2-&FP5mYGLrmWnFZyF<@p3fd54TCa z7@>~dpKp`3r)w-K^aFX^qy6)3vdMY-^ft*Q>E`(@vskh4>@>63?|eJD6O~y^S0bm6 z>P_UkH>b4E`+g`>GKBNUx%$Hkq-OC?nMHK3Rk(5!DzjK`zw*->+v*FssM3tOO?Jny z-5P9e*nU5pqxieG$zL*yXS~%vC!PFujpcO50mrVztfa53HElHJ1F@ev*`S<)nCPv| zz;lfWirv%OBx|kd3v%?z3T+6+du@C*d|zFg=ddkByQE_k_sveTm&H6?0esqh6CSlXveosIUYP1&-wqRa9U9ZpC|+{9#-`Dz8G=~QNKigOGTY4S?A_lbJ#_*is3A$^Ls|P zZY_rIflNEv1*S@x2Oq#AEitP_lbq_W2w8%Uw4QpMZ~pjK5O3IN_WN%VY{aY^Gfs>S zA?js>tslF%o^Ii-f8LVL87e0{BF4Wy_3Us3hl}OeQ$RZp?jfFuCcpU9pC8IkZjgz= zEZ2ssKdf}FnYM1NKzx6=-=2JR-j#%x)>6OYk`pS4#bc`FvF zly_ODr&qgiE3P6mkNu8(pZ?TVe0_f&r&CYg&BLvPR=j-f0Aaee`?)sH-3MmOsyH>6 z__#BjEpCXhD8C%8NS+XhB6!@8MEh_%Wgf3Us7rqEVe)qBvQoj-@t#4)#_hC?&;pV7 z@^&Z&(ivazkT7h8VIPW}Ot3Oi;zIARKLH=wpaY8raCxLctvZ|Z z(;eII!0PXH5&(dP{#Qfa5#I-BPZ<6`qXYbG?$CW~HT&BEdRhYgy*ReasNv&xb4T*- zS6mvU`ig~sEdta4t+&&sm7>3vuGCOvUJB#9H`m`_KYTI$H1s{iusr&0fO7M#jQ?B$ zjs9r<-#b8`>0z+U!_iEoGT|qT$a!gO8cSnehzv`XBtFr8rZ2Gtl1}_QfpeB0r9aDJ zAVa+6Vh~F{axs{_c6l*`yOZTKHEFpNCiD*ZO$S(tfSu|9|Gi~Sza5}!4X31;#?{)> z0ouv7eoC5IM**u*=8oev2N=j0G_!tc?jWZE;jHGhW1ZXSQ0&HYfMMON8Rbr;Gb~AD zZP6>)G^J@m-~c4x=a?23yW)ue>|DG{&o~t)AND(bRXhb&m!Lx5d#ijUd?)S<{Sp`M zSIZH8Gk36E<+YX)Jc7xK8|XZGp(2eR`%2kJnP}YIg@bcKEGVr;!E8OQw)EbuvE7F@ zxBr%!jAYs<2RXk!0SEH}8?#PfRwA~(lfKMl`-PWpd}!->Ym|36 zM6$am=*{H5 zKqcDiOVsE-U26qtET_lUME=w}NfviuOU+2|*yPcPdp#dL?q*;w1zd&H7L6gEDUg;Y zn;7C7!a4`W(mqzf$rOSbZ%7C0y#co>2}NPd`GuH>(DjXW|8t@5U7WD+&|HS;T7(X+hT!MO4_N7M zCr|X}3)J-tJaGNZ0L7GOe&l1GxJHF5vLrv`I<=j?-(MiM*CRLNdAOYc7)^LHpiUFMQI?i|<|7usy-%5RdpVzVRne$0{n6W0#Yvm z^FQW}UpL+04#QQo-s~XzjmUZ$Nk3NWkg23f>tc9OC=brk1md-BlOg5y5 zyFb!erpnwTjXi#I6hDk3^O|?5$`^5!G&N|IV#n4Ob6y2*y*7hYoC+ zipttvHdBoQkF|Ub@>wg^_E)>OPL6lRZBS|SKLQZ{(5M0GaU(@FYABP|;=6A6(&A

    !Pcc8AI(3~1^@GS&@=GIfBnw) zci<0F7g(c5TNW|5-<4L*TXgegYt)D*0_!&~krk}B+(?2{#I6ufE!AOhvDmib39fED zgUYgRKL1ryMx`F6WDU0|oq;x1i60_is|yy^pVr4dO?kfGf22Qgfam+pw>^|bkB&PC zJH7qT5>^@a$X#FNl#vpoo~~0^*IJiRqI9qF)}tINACr>~i=N_bRWM~{#i*H zE#?E&F!gcqktZpWL<`h^ttrFjQfPzAQhd|F`>84X#yhUpcB*A9BOd5~fEaxmd0Irg z_ei#)>jAVmrt*QCN{wJXAfLTn7PaO^crof-yBmqS$r~nA(a$eq>HNt9k=-Zw6`Y*H zpFuEmTl?1&Xnl3nPY#^DQ-FVZEQ#-GmHMEXGAhUN+X()du{2mt!N)UxNa!vn)xDpE zAx+f}y`q8r3=`v~_~VrL&$Wd9!#c1tq{x5Ch4_B~DH5sNf4OtQPGk~9Y5$(5 zgCW8Cba}DP22J>sRQdD<@^1Bks?b``@x3T{9MVf-n%Rlv9Yu(LVnLe;l35Rh4xijj z#T~fA{e-GEuAiTa6Vl;BctOD_Eq6?k^_c-Nt+$8Gpi~xh$`pCS>LUe!JF8S&m4fY&P~I2$xdqr@5R&54%OM!;t}#FmieKa9p!H8N0pkJ z6O9#=jMq$3Z^xE{j$W-Dt+!%x9dCS>*1WXVdsSzT?Hfh@ zWW+ms&7K{+Zl->e0btAh^*)^w?EoJ{D;*hG7A^-#*-UBVB}SH6iDTJj_^;kCXHb$e zD9OL;{nGH1nl`fWTcy@UZ!E0YYK|UC#yFk;~pg&9gJhZ}< z)7k3QrMr~Y%W_NF+ks0qpR11Vx{iI{-^8Kqp{I1{y#uhidMw}?)MzIdm6rgT6qz5v zN85PNftTEqZiKI{*?Y`$+?1t`YBYm^YbGceZNYw5h}{V}EzA9FXGSJBjVBy*5P~Xq zo}Se1NqW5>sQdHx3o7};HSpkdRs!n%l8qVO=wNP^d!?ng%d>2{N)|g<27}VDNiBEX zGlMg{aP68_`|BIW8)~1!kGJ|y8v(yB3gru%uLKJo?M}B1h&uLqaeX~i*S{Vt7nJ{c z1pI^di-hJi>P1Lc&mi4wY>GyU7%FCOo_B`B&QeaCv}&LwrHvX4fFJ@2_hNG>0N@zXByt=sPm zW^x8I`M(QhqQ8Ur;v%V1jh*DJ*+m}xAzkrt-gLa(3A2P>&V2v4+i%eLna?$Fd9xo% zrCu!K7^wGAzh0L4G8(U95Zx8E;xB)LDVCe`iFCavrKSx9Lj@!?Ib488rlhkPip zGo@rC^nP^@aAqh-s!)OzO6F}YUsY+XEVMko=8rgIU zEEJ{|)_7P6L7l)x<1qL>=Y!WU4|Z49pZ;!f=rx=&M`GDil~(5lk0a%sAFQxjKB#k) zWEb;kap(f08VKN9H{fR~+{2ME**BD>lU7fxAr^TU8>ViWa)WeRd0Zwz&BNebDkh@M-t?V9FS=49* z9nENq|D9at+jsa+A38b@4&Ht%4$Wk0^uXtE@uFY7(#$ZndLvyH2-sIMT&BwC$-|=j6gr$v44RXm&$*?W5-H; zyJJ@_`2<}=8G#xePPfLRj6mOE#!g==C4V#m{d~thGXe>GT+WG@BUZO?O zhx}B>j~@y${V#t+=EhrnEJWrPeJm>ZpKJ&z_du8?_deCmI6{g+bGw0xD)S(yV*TkI zJE?T}d3)p68_$SN@7U#8Z>`)=ckJK&h($(0Gvccos=c;4o6p5=w5D~Et!tGzUUXvr zxuk$93gy|Mt?b1(_3RwBvuC0_J8F*y4z8fXx&^}ewo!ie*_%x=O}h_9m5!S1UmS|! z|ItVMz5Um*U`he?-`QcDnq=59gxO)veGmD`NlETRH2S}TY4Ux&KVzDlF-`teo#BjW za>g|IfobyH-gf4|ICEh9tCQuA9T>wYi(rAc$gmccEeNW+sPB~&ALgwCPAr_?KXrbK zxh*vfMX{eAF_cnz1}aerH|{R>ZIlDUdV65|bV1-;I(1;M6{6f0P?Xz3{3(m=C_CrC z&Wi;N;7SO#(i780?cdw&e+LRsYBI|=ht_z~cY4GSqZsu$x9qTRLLKg`D#%~kx`?*+ zWTY)}1@YN5!K>Q#t+2T#8AWOU=izehse<{fyXZa#t?zVWT^|EU!{yXzxPXv-c4ANoFG65G!4`d!*_l#N!i@JC4F7@;zn)%Z- z>D_;mhb{;_tp{mEJ=KKpyXn$;${iAybNl1el3Ngajd5)2r_Q6MZ&5yUu zAHU`QoM3QfZ`fV_?>4^wFW4JMRuHGEpSxz)EAMZ#vr~J+EhJD2$xY4V%?@1M^0Edt zeEa#{m)Of1udZ&l6(0AatPH^UkYTyoMM|S+i~ZFe#DC>mo@J|jaEc33@qoZzIQ)bQ zD)~YWiDfh)YTi2hq&^ldYFw`#C|J9;D1K#-Y>wh>acfKDow6Ul@!-dyeZe&BW50`H|3jZ~( zkaPA!t>T?WYvT*;ZjXviIDhsh{o7ajOwfhyR;;PQy95jbO|}=>njEryuJ?fck~!gb zR(p{@T#?Dkr@6Z?|bs z3Oc;xpz-}2dfu92spn<@3LyAbOa^!Yc=f(0599tqAoJSPXfPYuqa|Dod||a?8OP6W zOsGjGL3G|>2Pz57q*rBpywYRdhp8L?dZ2vOZNjxRb#udE3GG{3WzDSMY%MR?Sngo{ zUm7Ssq&0TUZgxM;#0rrFlUl0@JML%xX<9?Zl{s?mKrO&*fewgvXOW^!_6w8|fe^(w zKd0xlW54chs?$m;&HBJESf!d?Cmz|ss$ChPb4*Y6xV?kNN;=e{8JFUPP~4R&p34v1 zm(&AwWrPJVgY2p=X{r^-3hkqO9BDi3~qxcuiuh%>vwf3XPhf6%V5?R9m1l`oI*`1my- zaa3@BM2`6{)Uo5Erd*2AY@O99=Tv$YZ|{-lkf_nDqmvZ6IqsVhBcmyr*_ApOSxN1B zxg&z~k%jQItkdSMpY001$v|DA*-ffCoS8*oyD27k-|{nRKSQ^yD*QihRrvowsNu}2@L#MFoLLpltO~y=IsGBqaMr}||85h*nN{KUW7z-Ds_=ca zKeH;FSrz_WtNoc(Vf_DLtHO8h6D|OtYyXqA=RG0v$w-l&s=U9iJ^uyCj8xB-3cqaB zTV43A_PhhftmtL&_txH?qMOfxe@Z(F#JsBZ`=Pb>m$c(kIQqHftffwZwr{oP^_5Fq z-)hers!oy2Kc^j0t-X!^^R%Of{p6Wd;moS=w+6TW*Q^QzPQUaaNdKAl>E}L#RSj^b zTqln|A+tIA61h#Z3~$*8(|wc*DSYNGI0GvDt2t_v3F^#U@PF7{@Iyw)@Y`x|<}PSH z*j|27d~2xXjEM3lM3n#g+yy894Mhn1f33DLiW&g0!6xD)8*Kyv1n3vhb%{c;MgxrDB^vsAprr6I~bGn)7YBo zIDw39_zP{90Ij+j>|9gw*5wX-P?Bs_+zJ|rbB+^+yj)3KNH{H?DmI=59He9n!nDj$ z5zvcNQK6;6fWB3M!U0UEF=$EcEegm|iIXT9FGR=y=n8u~Ob{k8jxch)*yJ_tmBJt= zdo$#Epm;kNBdHeyU{AXngE6L_T$jtFT!O=CU}c{&zVlAdyj|HkoS4aZOowaeAliY# zEN#^~=o$nxh`v{`9Sz!X>l+|(dHnh@$D#5B=1~yli>klS>#Rd5#U4~=s6K7^f&w$IydHY`^yCD32)3ew{c8D1?Ei?i@2Q5ITIzpssRK z8P3N7K(VC1K@ZIP} z+zu!m>%End7TXQ2Dn&tGiwV z%|j>EF|!{btg3QzK7K_g6h>lJcKbcx{7E=Gn~nQ>JH?+^x%X-+r#p1Oyjwk|{kmE_ z1Rj3Ts;VY$Uln77y5})gz;?CmRP{mm89VmF^G?;3cULl`sz*N9IKU2arQtHiKk`A0 z+Y*^uPx{N@7*}aQm{P5nKO|02wU&RiU-x$+Z14V1#u-w8vs=Q2*{d*4%P=nNEd~&U z+KEDt=)khmUxP0_(S+0Y$nr~Rn4^*F!s*Y`%FC)SqJtI^$2ClP3g_ubsraawuFC(4 zUS}E@W#qu9*4-teN01j)%b>tw{{y{FzTcE$JJEGjpFJvx$dK2bjxI2tKZi9coG}v^ zLcHV8(;J90;!DAuWD;yUAhgqnNu|L7|B_-sO}?M`^P(b&AOKe6Q>x!~dB5n!W$hA~ zFpa$6*bY@P#W)E+1?^%Dk{gUD{(M|Xc)3QQPX{jpTo+J_`vKhfgM$5yKcA;pfl{!+ zE>{_a&s)Ak=y+HROxfRik$E%cD;@+`9gi|hs0}v1I}nIXLjjx7knOc1yvlj(J9 zsOj-R{_0X4cI0%S`|j@Rrl(J@o!mb;eut%Y&Xd3b|%ZSGSP!_;IsSSfz0e~|AI>ws_lG{?9Qa58YdY=j+CQvG?Bf6&*L4}#y;RGGM3q}kNcbFZxYt!r^v-j+VJLY1y*3YmeEVqIQ<)^xA@ z*;LU=W$$4Ts;}>`6Z58%_T|;mhIfpsB+4W@v>6+WJQwW^XoBCIR|F~;@&VnLLCsWg ze<>p6ml}$i*LbHtwSk*hIVxWgP2Yc3B90eVg~fcY)T-v{Dtp;*zQ9^Fk~ejun;~Jw zI!%*7-I^G%6@OlN!H%12tli$5hEw?^%m1&xr!_V4;Hzbl7#Z&&Nr$ zKEQCGrYUU_vPbt0zQK^;QM3KHhz$f4w)36UnpE{O+MTkF!Ec?gar&e+ZQb>yX2zmR zxo%v45A{sFZRjHCn7*LAQVA3_Hk|~Z2m?LK@iTRmL4lG5;)KR}XLQ#Ld1OASP z>%fe?ZG}yh^sTV_8seR zYdL&KsJ15H34|VWwhf~OoP1`+m&jp~QI1cnZc*89AIP-AU<2^9 z74LVh-JOWA%`n^094bYjuD+L*2vfu*()I2xp0%h5uVyOJphz)#t-(1^WZ04iJ9+@H(;+N?)drYid7a|;2q zB;|CyK^%!{Lt+9KVMVxe2i)TUIU10e}Ilegc&kYvYrW zOA?{W3ScN1Wt9SaB;JDnx3N*yjlg!!00208w8>|~Zy}z|6ez__oYWl3BqFPjmoT}V z%OYKPS+j98j$$;A%kQp|PLf7kXEp1t^<8B>{TK0|{&RhRj400nw%=N8zN~VQQcUky zI!!gLf?tt*O0s6O{!7O^1S5M6m|F;-%K|36p%AniIy5BU>-%^dsBrpCLKCp)JlZ(` zHsXS@&4=d~N(-&jk)mCMCjqTQ(X^w*6t#l(dPvg?`jO8sS67CFmE2~e)C1UGRmJC( zXp$*T4!R0dN(FZ6S7n7*FPk7fXt8TPnwspt8ehcrnceK7+i2CvE=gs^jn%skiw$0E z#8Pa0T!-zb1E2e7C1pVg?Nlcec%tb|ki346`&VC_oZI zk1yF?<0-9c&h6KrH*);4981dEh1GT9a8bLe4D*5c#lFceix;XApIBQ68cZHr?LNLv zD?wKUV2B20L#6h`z1;eyFY4;H2R*6q=Mga(x6pouKF1BPvriveO;l30Y}|#-#F7{| zcU*o@8Des5N?wrIIm!_jVy{F&y5iiKzquLcZAd}4?tBFY3w{w74M8onhi!?(pw|C@ zB{L%)yT>j!_>O+TCzhyLnOuq`b4v_3MoWGu-A?GB7uh5sbAt2P2XAG5dZZ8yRwh9v zk@~6c&IIjvEB3o`FY=EQz`fcgVgi1foRC)t&zDHXwN?2Ow#mY^vAmAbPl`^52Jc?^ z7v12%N7^VPt6zV_pD(6dr2N=QJ!LBW?ra-*iIYDcdjcd+c3bDDT?<_mM!*K?BJ)|3&}4$mg=5<{c80TpZu=pv}O(afCDl?!Agtk zc(lZG|Gts3RiNf^At_hQb3Ka9U{$Is;cp8V9a4)GprBN<6Sx%PM_N^FeH-^V{I}Gh zMv>I+@36#%D>X-55krY^tjIRBbGE}I2K*i1_%ybLggMF&qweojPwc{O<1GS=h7~jZY5PWrU9B)`79tHf+dhZD+ir!W@b%w1U|JVMp<>e z6!3 zAC3mx+`b~{@gdE}b)@iH!8!ii|Ix>|P(vZO`pBojiGCWaF0NtGAbM zeE|Q#hBKwE^ShEq^l@xJpaLCTm*PsR*KQsBJ+l{Pr8_S8 zd>=MIoaowdf#N(0M?c|3B1eIO(hH7LT%2&tZ1XtS^Ckqlm!P@t?0GKAx*zWOFid#1 z)lslp`tt7ktR(mn2vG=<`CgeI5rm=hb0fY6P|!|L2t;~FBqH$k5w+WHy#YR2``*_A z-CETB^t;`g6Z{P1{4^#gZ-M=dSp07b`Izfc-U;;AouCYtMGtvFsYvFgrW-{~!q8!DauMa8k zKIP9h=u$k<4Xv6WX$cH1X9?{W3avH??VJd0U#1+^4IL#5MN#ORox@sBDfFQ;x*;eE zeFgaZYYoaju5cutUIflTjBnfUN)4FanlS?#9QuO79 zX!gly&Vy)f@)%y>7=FDN0hbt|lcbod4KX55VSRmkHsgyTeT;!4{Xg^BUC8sZEmby7-WP^=y|2-`TWi9EHvCkERVc;=GYtrx=$1wBnl9Xv=KCQlnBPi_@Xd*zZg zr;|3(kTx@UXKFHSo;-cyWG8J=Fa6yl?2SwM$A)x|nDo_y^bHs8HS&xdy^MRj8M{dt zhvZcI4H;h#GAc$gfUB7pRumxpOmK3hs$C}TR3>I`CILm(SDY*&{jAUOS)|EXt3g>5 zQ&}{JS+o?{^jEVP^s||!VmTtSIc&4pd($pAW^+*Fyg10_)z2B0&k;z@x!RZ`GL<8C zm;`>r}yRM}a2=QX3QL zqmO(ch4fEGS|gCbCsWALXUK4h!sx4ovHFGau7!z399)fsskk{whlMpS3bQ{JX6hH| z^A)986%{34LG~6F9~MuGTNEbuF$>E^cfrZk{S`IV^6aC}|Iljl5d&RKKKi zs<=D3q^Yr_Ke>4Du%wQnbX321OuzK8Yv}|<@l<1J`Bdp#QPKQIk|l~VS^cti$%V_w zWeJUCtNMj&hh;GooQKh3v!S?DHgFDJqU|OF+{kXe;IDN5z;1Q0(b) zoRwk-1i(KkKW9)$>Q+gXQc2NNNmX3F3kI+cqja}ZaMe;VH!DMeBRcO=Fg0c33|E!% z#O_c~UT&(wKhdh1y9!|1K?*7X0RC7iD1x!|F%s=Du#v(=nK_E67U+Xv!>e94R=w4w z*mRD?o=58g6xaNt9uD)%C*BI-$=89wLnrSaDXO`jY=s9V84Q`zEjo~PgLe!IV!)jeO&$*eW!wN{<&s^7iueO=kyM(D(HmHCQ7bnx4{Hx6&_ zuR5XeK)Fpy9t>T@G|oTjOU@m=F&Wed4wX5;3vouyPXMr-J5|LIHuaIS0RaC=lwg{n z>Vj%5mYcKQs>a#IFh(LQ)Q+@K2NWiJvaGA6f<8Xw3Q{%2HMPlxblQl-k(G7L9POPY z==Yw$P{JV1^^+s2m&HD#>O6;1QAa_^X+XXWZ5_m5|CYx-?vs6-kRrmbvC&mmU}a~r zf^+EO36lLG9+nt}ay+2-4KaQtE?Nyaa0Muf2VpCJ$*%z_NlC1M2Gsy`ny4X$HWJAt z#5_Y#-g+D4v1{z48A$I!c1Op5r-UI21(w9h{War>fm)G@6x=a%%{*Y=sDJ3BwsEoN zUJh#60KBM1z`d`l&SHZwp}8E7*g@ud)N7^S=s;JaWTzOOtOHmE+od7TB|*GZI(8)u^ChNj7m4udJ2%gtBHO^(nZxHTnTWB zVK@W$17&sGcR-(Ee70%a+*Di*Y+~AZ%0H-%hzgpg=*Z|hpwj|yh+#OX#g~+(FnmLF zIGCklp1-^qShcNt>#uF&zlhqgy)!!hMuf!W7oOiE<_CAD z9i)gR@6H{o3AgvLwRTRMLH@NN69XTpcd%|^6UgGxFmn^4ckOuh*d|s*J0{XaMw~nM zid6EVR7l^D4X92xlNpVMu5CNG9yFYFN*QnUVsFF;bQMJ%jJM6y3XjWE#5t_iGauA8 zGp*enZ8MM^;rZ`Kp;7&OBh6p9o&qpBRou)tzt7WT{U<%B`es=^@}v9 zYKJzqTWe%OHUEpVBjlO$2DbCBrd?tO1&|O+%bS_FM$hgbr?@7?6=Wlb5wP%$d@u9U z!6W2XZ35s9pm!f9i`hq}VI-~;Ku<)tuA2)6O;fdI&)YAm+tbTn_?81FWPLD4?#za01Dq&iwvIry&Pl!$?jt=2TAvR7&rw>?Xb zF$K)1aPdvd^oXO19CX-M=8)ecO{OSD z?ESUJ=#zQS@voE0>L`?k3cE-s}Hbf^|OzQ`AteB)}hVP z&Wef8ESkJ?M{KEm8iz@oI@x?-+fHnFp90?u+m@^WcsL{d^sbzA7oT>7~fH{@UVB#b?#YAQkX3g}oVo6O7 z=3@cKW*%Jz1aUueXlOD}ph}7&idefyIT4j`zYNVZUm;VYgQn<4`%tg;^?0symd=qu zqvLAl%Uh~#P&NcF*w0p%+W2!b0T18|`kf|8^OaT3nW_dHX3%Z(O3sbOFu({?gQ&U- zvj@ahvQNu>o!1p&>O}q`eUYk%J*2WTIJv(fv5N16Plcb=n+g#a9Z6PXZPM$A>a{sT&&SI$Nae6jciSRzlw zVoOLB=CSzh-D#2kRi@9 zdr*Hg*UaaLMCVxL02N<3n$L`I4MGmQI`l`5TR;pGAX@a@gChxbAtHQtqW%f2BXclC z1S=3>aMgbbRtl&BfL|57{jL_xEkZyZWCq@{PR&m^Ys)|CuZE0(6q}G(7>47FLyh%( zziJ+l;G#5uv;%B0J_(@e&?0eA56`K!7)2R!eL>qzMHKvG4R)dNg5oG!&&p+%*wd%gp zk-wS*OPV)e>-Od=k9_0H6KF)K@U=LMIn?tt&|HW4(VJRZF7MlVwLKgvHLX%?hdCqN zemA8o_6hlX`Em>OS8J?M*~gOBN4pAZ3(c(z8H%XDY{`4(8iYlARghN$9i+PNrgDT{ zpus@CyEOGeprD_iSxh|&$9ujU1EfX_FHY80K3yPb|dO&YB; zjsgpK_3mXHcu++?Sq&wYeu9D(UKDDsPlDA|Bd<7p314-o5ZoF)yo|_AvuXGmk1xp5 zKb|NjJ~JdiVJxm*Zrl9p)7^?ziFDAEKLMw;rc34^>8%hIiQSMGfqAz`OMkRIDoFZX zMzT$8iQTTV*A)3>bGP%??MDy0fXw$j+@jTY6WRh?DdJ*UDaZODTASZ8KS*qMHitL_ zIqqknkn0jmoybt<3JejF#J8O}Z#_qT3&rMdmZImGjxe6i_mn7oo)Qm(s~5(&XrN;6 z3Lnd}7m?>0Z1ytH|CZ14nZ(>^qD!pYRwyz5*3@jCjP>JF^t(O_iW4H~W2Ks~26dYG z+VrY$mxK^C#Gi?OFt471tHBB8T=rl&LG{0V1)>=_psVHr|Vo|F|=%3kV2 z_jr^wKbfufm7-}+abm^eNwx=iEgbAnD{zs7my>-aQqjQ~yP8>4y0SU;YtGfB4xOUK zO{$wkM#0n4a*gYvMb)2cHlrdU)-YYF-wo7-aP9`>%}1twTF7x3@Jm_P$qP1+=Yf8b znTz(GAtea8<-D<@x+B@8agBxME09@$nWrgY8t01Hg)LG6D)uIaZTnBP5RCnnR2x`1 zsHj7aW-h86_fNdIGCOhvgC{q-kSCaDV+v+jck|$bR1OGtSs0D-RE5J zoXZX`(bm_7J(6OYhk3hC)>=kR1X|Ii5(G2^+ao#Je4dXEIxiq@&XeZu%mY3i(*&|7 z=^F?kz>S6a8fYLI%u+LmMqR9I7Y4|r1XR#$CKNWUr2t*a>FTh#c@`~cRJH!3$blim zifJ!&Ec|2L+Pkj$Qf)SSkh3ADpDdN0I5IV&d7>)6TK(^P0ymR#&1z6Fp|hz*^CsS~ z48MX9b~czB2mu*U1@qemAgrfjhlTY~wP58Rh*LPj>$onds%xvgG1Wp*-<0t{(gW9f zwud64L!g)aznjMdUv%bIfZ`P`LN^30PKOqXtyAVf8ra~=z&#m%5a6R%X2?;q*=4=) z%ed!}t0ow>O+{Dmh8zSlCoYtY{@o4LmzUTqJ!JGh{^kt(XuQjo=OKQ{_xQfhJV|Sg$B4JT;GScumeSz&HF^JU4mz2bY>w5E49M*z8e(11QZ0twxVEy<%D zC9NJfqQA1gr=<>Y&x%7HP&@unyLR7VY3DLwXn$Fc7frMswnkn(QFskyT?aRWIEH;*L z0>FCpY;Eerrxg0}GpRGcsAJ{er~1{x^lZP8KQ1fvs-p3yU7i#;`UmGFv|QE}exs_^ z#jpGTEc<}rJH#V-qwLShc18-pGNOciV#^{v)@A>DTdvx^cSz4VG_~a)f(mS}tJ_1a z7ej}W_mbOH=!4QULGkPvUzRr)^~592nNCXI-1+oU+|~*`WKAxshZ;DI49Px{Tox|f z?IXP3Lksl3D0r;AN_>B#QZ8~m{N7j3U-h5ndTf;kU!*;wy)6(4Wvn;z~BGyDcO9uigtMK+>%E=J4OZ!6CZ3eOR` zs!f|Og0lX+?LuWOyp9qxLBqS9{n9`B1>Nnl0FB^CQ2KY4jtQ2wD?$1U8u7umU0GQK z4@}f+6(voh&oU(=W-UY@n_ULqy2uViu*isM6x!>Ex{snbaql`=B)Y!zLJ8{Ie~}h# zAw*pjl8{(ZkY*DwZFaw2?q==drF_w8gWG)p6(y@LtPvBZIj_M-6z_f8^SBlyM!fQj zXEeL4S)6rK!g9HXwY~#%C&3GmL?#pCqK(3p>cP~IB(s#1^Ol&6>QOC_5D1nUuIm-N zD-tS_O3UhVg$M)feJbaDs_kEtl(2|4rPN;ZYf4G;;`Y~klY%Mr>jwAh9e&gn!qRY) z*6-^#n(L=8kj6)Ec!fA%iYN1ZPnw-r0!%hwsWtHWJkflv&%|=TCV9Y?te!7e#;$L` zVQxTtWx(lt;LQqyHR7NP?V#%z?OUlqH!ax;>_K<8!FTAz9*A_HTBuiYgn8hg@0_fD zy=*-dp5n?N9B;_rK(>yNgO6+|SZSyYx9x{%wGnBOVKZ>5ITWeX|A^Qe6P869u#5GY zD4|~-s+trz$lOxO$X9n2P{2fj&WEaG6B_J7Z+bigl|sN}$4RjM=AUtGlLl7g1iKzH}Gy2bem%D+C%J1Fpt$AO>Df72ynp4&Ouy zs=*%sAiwKHC(}qU9|oHu@O&1Qa*Oqy4^JtJGC?W);U@Bt--q>cSEL|n>0qS-+>Ivs zuBE0&ZaE@>=vfpAHi0L0(lEdUz!63H;NR5JVmwPf<3#ybq?W-@)k}jeGxA`wH9_G> z&%2P;`C&+=$Up%03l55`(y=7IU@ne0_VqwOT4hjc0;A_;y?(evX(}xlj#?`SiK7)A z-iQdtXE=^wEl>3~%q-pIiC2QUC8c1SA~SG=hpWRS`GPL6)3}afmPpj1Sf}VD)SAHX zs9UtMNOkA@Skv8*Z*uT^xs(vTmLO-0fc212vlbaNF09v4He&HesG)5{fW%N>`0%tl z2#E2W4rtdvHz=*Qpsv-gd`^zrSW%?SnR3a=`}hJ6l4_%rZ3_+PqVG=^bj1!2T+|@) zW1rB+jePM;+>PcgA0vn=c6+#0JP?M^u3%Fx8#RO;3@;bJNIRjP6~Y)$z!-XX35 z$}*@#Y=Q2&e4t9soR3mg43Sk@l~wM~X5QDr{!xkLTcH+HQrSl0tFEo(*Kaf~tAj+Z zD=bzK&t3`|@z3*L?L=);L7gWK|2@x4rD3@KSx!@^!1s>v=6drgfM3ZCv~s zm#@`S4B^2ojeMF_L(zR+6mJ_!0<-fR$p_xJ4_4`67{QPTH==muC0=orr0f%S)`*dY zM4h?`d8X(Z6fU^qVW1sny0}w&?CbI!5j-k$<5vQ+FZ1dZM?bRN@uYZ;roY|GYFHc^q0mThP)Yqe3qSsK#@{4$fUDqT=!$Uk0Jf$S|Q}jV9UayP=|eMB0KAcP_KyX(l}wx!Q8yjgrI9MlME(;Dn98OU8k zH2Y~mLnF)HHOpMN$U>-gRFOe)W3_VC|E=|xx%}}6mb;N`c>PJWEVAB9QQ{~`vrS#+FzSpY_wUDw% zO(k#t=;Uy1f*NuvBl=_D2IKR^@K1b_IlI^vI1yKFIm&hkI5xMQ=| z=NFDMMX~?YULNBc3zrp zB7q+HR@{R#^L0rKue;iI*v2EBjs;Vyir8xlfFgxQ#GrXek`mc;#y$^SoH)aaKm)&@ zG`qz%!(!L)r$lHQkB5vpnk65750@qnA)ctTlck71j#wkTcj~C)gjVoiA%D&+`C!2wW->;r8M!B6TPNh*%B7na{nQ!9r{z) zX-gq@i&nr&f8H`xq1({IO7OYy=@2y!y%qn%miPpOMt_#yLtHpk>a=;_+1N*c@-1r~ zYi_p^k8G>PMJt`qA`xQ-N10x`5{rbEuD4?h8YPsj1KV#ecV0wV{kZ)iR$~3owrwRc zU=(QW3)OU(%?MAWl`21k!edBH;N&o4$u|VW4uUP9B2D?0KR;w%n;h0^M>pNDB zHuG%ORw8@DNxPB1$PLM!c^KIW7uTf9RHTRQrNtV2&$so>CJFAa&35F@DWS~uuyIMX zU4z)6QPdUa3}ts{XV6QXkI&jAKGU<*!z95ucX*QXLk4^ za_Fmcs4*^WXn8Q~G+)?xSexoF?lCw*pVk=5KdIv|h3PmkAU!s3Kd0hofFOn0_>#9% zo7J)u7p;iJFzN!k@bQ|;aba70nqof~U}Q31rUxShRtcw0A#LfQqVdIyN z!xYSCk)7V)IgLKB63FO|ZBYpZ$3yu@eaqm`yw#-jK=NHP7y%@2DDL~(FZ9D-)5aYv z$|<+0lst`)*J|ozra{}jQPi2gZ&YOYhy##Bl^RWtkw0es@Ej+nu408bMvu)Tf#6%- z1^}ElToUV+F0JCV2I9gX$~!0?Wz|bhEc3QPOcp5m!3-k&xI7~%EZzn8yDa`YXJpw* zf(0jZSFXA|aH?aJxRRLrY(h=#OL4Ae~KP4*tQbh$}hMvwz}4Oj%vnKZJd2kwj8o6 z`E5z?hO>VES@gN`_XCLahiN^7ALI`8I-+|&ZF~hU^i(buA8ePAZFC7e?Dx)}pJ3?< z7^th-{bq6hv+NE&yr3wuadWybW4F`O-Cn71Z=-l+^n33z%K7_QXAq`qLYaqsnw^3* zJ>pzPk;+mx@}JVROOx>wWvjyhnLkH5@0hIqSeE=T_P8`{J@13vr-WB6mZd1*3vm8@%*tb3h0 z+4Sn%DlP50I`G=-!*v#KobdOL>4Vp~x>z~ZEWv-S^L5)y(VYuqZ*T|(3RQ1Ptlt(A zdViGl&P%%~e>xrDVvKKuQ9J^7L+Ia_(OvkZgvDQx6 z5>O33mjRGZ7!9gh~ zE@?5r7Vvo0aIKec|J_9B>>~0Po8&sL|5qpKwZ}*taos`DhaJ^@f&xhE`@}oRpy4Bv z-35R8{abwvv$^jN$B(qAhr5FFcIj7cC%TWbarZxQt(=^C=y^^rK0X3{TBq#W#U4Mn z93F2_PysLs4y(;ERZlP)A(zAMF?C-!4ueLe%?ZswGzkjDx}IA1U=S6=1Cb-~$50}v zZmq-KDcx8)m-S4g?HT<vE)ShZ8=ei}72%>&{G-{h#M+?OF@;=OZblYh8gTxX&G~ zIDS0#MG`*cReENDgNY29pB%1FH-^%A-~Kwh=C;YqluUZ=c=N(;tWdMg>FDO=VNHd_ z>?g-to?j_-Z_j=m-M%|o?Fz$Xck-=0{yCDy{U(>EgsKMU>Ae{>arLxk>4*{%*rbEfg`JTlZQwFa0_%kkRJ$O6Clb!xpZ+sD{}>U*)nrw4H{ks z$+j02%cmAhsazBaqB551s?&WIjUZ$nhxGbogUSy>0;5|F9hVC6^-UC7jtz4P6-V{J z74c5phB@(3Bf@JRw#HR7w_mMW{wyDxPgLYTwF1?KYONP*KA+p~C!*f89L)GV>A19b`~805dyuHe^;Xte1h`;<_}8ekL&Wo4l-ZTkP<#h{v43GQ z|9znM&s}m5Dw$k$UUv|(e1gPKb$)Lc?3qHgTuniL6cM-G%1}+=U>ucXF+Zd9QQyj6A^1~gul*csyEW^ktf(Znrke=Rjx#GmAu%#jHGiT*c7zX zSr;7BiYnc;yfB+6(X7z1{f#P4QDK3rLetjh7*~o!(=tx_97a>`1ASDoY<3xwg46Q9 zzzKg#h4?`+?76!4`Q8MB0cE(b&&AF{jr}9aWXG-NZ*ZGtT(fY;_3vF!spuEu2cOH$ z)u;u}@S!+LqOb2(;Gy@&S#S#Md{Y+$wq2?qY<{_^AgBthSrDEC>U0SBb?JsA8F)QE z1m9eaIs#24ojQ^vmQg+Yxs0B97|U8PRRG_9v8gZrWqJx-x?bRP7!zpsXM!C4($6=; zU(aR4MYJrz7z#SJTPdNSlkYLiOL+)@$en2rOi;+J7elY4Y&+BazPcAvW@6Jyns?V( zGDE<3cstkk((7xEU|v}g2G5o4ZhrWHdoMW?cIIF1_ho$~Lb<=(@5>?mghrPCQ}?@- z3-wX`oI;y=!>mNbQKN!c)KSBlE6cBD5idiw=I@CWzgk~pD6+Ng)Uy2k%l-cQNy}LA zukLrn6lo|LBkZ^vHKbAdflck(Y35|HoxlGAGyaGy=S|Go5eX^{`X8! zgie2nTRvU=i01wEAB+h9QRVjUlGp#@jOIT9)eZNZ&*yaC++QqOe}3}Mzx#dvXFZJl z;c7GOKl0Ji>fvIuQPL-RNG#6prEp2LoF7SC^zLg-D)xeOI>Xc$p^BDHw& z79;)ecRQRN^xAw_Q9&M?Kp?ghHZw6HmTdT?y1AG+ zPcVr%8G`~Q$0MhYLSGJYe!3{uX%`Y+ygyk+$)g;XYSOwo$Z0oN0voJ`vX4u5!)>Ef z9U*Z~jGjiE!6?orAi*tw2Oz-uG3ZN1A}@oBWTz>W*cE0om(NT1I${*xW{TIUIh3Tx zQ>#(;On#_M{>T8?(nB`L$~Qp7JrnE#XL~0=I#od)YEbsloAeyJB4RFWxP~T<3=@qu zi*Xe?q)s5w@JB+ikuZy#fjo{HBTftvM20{rG6icp^qJd5M6X-IluBq33{!nTshMQq zi;G)HvvWEtpBc>Ayg1XK5*-^)4I{x+CnVz;laf2<7jd5W3=^gx1=C&4BpRs(SWSU} zu=QBzBL^24=&}%ZOV9~di-yHq$g?4tkFD_(HBw(ws#Fpg1#lElH>X6n$Sw=ST2a-G zlcOqT!n;sNlFBqT4rJJWs8AW}mV9Cx;^L|XEc3*v*cijXxlmj#DO{!{cQRKCP6_PG z0zz8#u6J086Q$vV`HbRDG_x#dh**}yddckKCH9G|8hk~S-08ZnNmjLHKIda%{-$8} zjYm_%qrQG=>D@LofltZVzb_<*NWt+nv&++k_Hqd1ai@s^bqV4v30JHsQ-HnKs01vn z;}J4NOIV3L$$e|bi|*POvtmX%>rNM|R|MIjVn!pO7O@fG=1KueU4)=@ac#0TY6JJj zb`<_PgJkMR&Rf(^XfT{CGr}IEL4I2ZJYP2GdS~%sY7%sxoKthU9j|iO`C*KVBR4)OLj^BuqjgMyb_8`Gi2f=hs*8jsx$#BG z%ke#5C#PmGh=b!tmjRtR6DbmtC1O1BK^WuPuT*BHSopAH+yQDv?uf4HsPUv6ikr6= znqn+6u*tA40$K|?bh|fsfOtO6H+(iCa}zEp;1oBpgeZWkSn!wY?Peq{F-<*07XlQS zBhuOQ7n*P>eDd(5C9-jQt1vDa&KLw1@_Ip67Sp2>OtoQad?JdKdmN&<<=^zkvqJXU z{Chx!6yB0eHIoK-HT?tr7`V$Z+xsmC7jT$i?kXJPSmx*;D5a zoh)oS4P^wnFb*q?2NcYF1<==#?IpN*0+$2YUEg-QdnwIzCZQ=sN8#b-f7S1b-WYks z@x5^fz@V21vVF0Mvca&k=${N7Fx-53Z8AcNtlLd_)hi|EUYFLRDo2`=Eh3X|L@ps= z3~mUJdH&)DvBE3WZN&4;M~edOH#hTHF7K;N{0u7{TnW-Ty>osS_t6}APyg{xEKaNY zEvzrfo+WZQC;jj{S}aV-QV3@P62h`Q8ZG@}B4QW-_x}PV>dN^hYN0 z|MtiCUA`Jj4nA`B-Y3-TUe{)<3I1`x2R+$;=Z_|ajXxIAYXc8>p=7`wgEDx?3&#_O zBpjED&#drIASbFnrVSxXFK~CqpS2nL<(2=*jy0i;1sPw^9=^}vf_L0I0{&)i`erX- zK74spf3gEThxA6TL+j95&M%-V4VPY#S7 z1Kt4P1vn1z5u?SUnQug5sJj7qVgV&y4~_l`(l%fhCmeO>Y9ef>XNspk@xD@^5c-m=u?Vo+-(J(;!Bf>yL6)h!P=W85F{h|x7N|uQ zY1rk7+bL+5`r><9NAuxH+J%`Kggy0CoawWWN<-u$pE>uZIYjz7wH71be3Viz@%1cu zxy<5S9_Gtj(0=;S%HU&YD@!m*Sb%qF>tkZ+1OM~bo8owZkB-dG6VO7^BIz=i%Mhro zGLVAh^Ggiea);?OAL`4}6<|&TIb1gQ1yhN1*dR2^_{L%*8gYv#XLDVn5-1Ej&-Ac{tkX2T43Bn{jcY0}?qGDU4h z;%hn>^o&XklTB}K8f@%bXnGGVk8e{C4i8L;XyIwbEgJQ?9L)c~@;;xXxG<|J=Uc@a zJB>2Zk_sPO(~9EIn^xBS<^aLA?;nH9ecGD8wRVrR`R%vW+JD5@YBE-ApCav;5$u>V z?3nlISj_5JZtGb2*0FZmvHnQPZ7W;88fv)_^{iq*9AekG6U8)~nU})VaAZj6p;OhW z&x9rL#k(ehqx(~r56sO}ZOs!lXa_q`_%KucMUz^`;RGQp0vo94dZk^jEsm-ti;ct5 zUC~|3oR9_K!#09DljPUZbf=PxF?2wD8CICRc-yhNoye){SsWPI9Nh86BZ%{n!6(_= z?F?2?QjnG2kFF&g+C}*4DH2M=)-ru;0$P(0O~A<}ov&i4J`fx&F$ z{YL1_#^^bwPnFgiZ7yarKXy;0cWy7SD`^Sqd^bfLC@?#@Ag68l|lcz!KNPM zO`f4m8Cb9{c9;+>;_${eUP6jC`96g`xpG@NwT0_`%s4(e^d8BTNyO3 z`A+QJF|Jp>Ibvnnc9;MQPNH&7Ua?MG8BLy(O@64ETz)-?k}wHog8`0HNJo>IE>l3) z)Lr%@7Wp*VDlz)e6i9grCuZtiXqs$wn&N(%ihPDfc!u`X487kBW6lh7#|-Q0%=7yh z4)R$p;n^3RuV#7tX8Cev1v+MhR%c6pg2aTou(9VPFaRm#Iguj*IW}y?)ficfIr&ur zWejZ1`#Cl8ulAf@vDCln#C$cr|7uD;Z!SD<`D)(EZ{8+n-mYWbVRhc=e%_gU!Bu#{ z?bU*Z--2h(f_KM)@9Kj8{Q{hPF;I9h_|;;l-(q;qVr0i+^y*^l{bKr05b-+bM>NhN zWC_2!7byXhoijpzQjyMvO(+D*Ia;D~S;}X_&Wu66ZT-x?v0U~F8wC1yJOCB|0{(zM z{}bR=9MHvNHu^6k9Yw3*#QzO&3vof4{P0g?6ds|%e*kX(BBM;Z>D1Y+j{J?h$9FB; z#S&Ypwwe7q(lJcCI|s>KHvS741-~5ghdyu*5E+80!?Wr8eU=#Nt_dIgsBa` zqx3t-C(Q9VEG9JZ+l*Nxk2>qnEAV4ZyvmLG(H(9fNi)y*Ge%^ho)VJ)n@Jr@27m`8 zQ1R?-CaJ{+BiQ4v!nRWMtROT&I7`Ptm;yFT+v%36OY!IebI0+S2-Bw9SC|>o@;QpB!~G(}(nJek&5-P2d5S$~ z?rJtp006%AmLcEp;Gbr4VUyN(H$lMKY>@T3E)E#S(gzuD_^ia^%Vj@3 zBDYx|AtG0xU3~~H!LW(K3s2ad89)zBHn=3aB0`-8CN2-3QpS0pkrA>bf`+-G66a1^E5mzcD)lodVQX;Z&Bf7{D52p6Cu z86`d|iAIu(pN=OCRCA!t4yQ-qk`Br~WuTNAe(a=8rEU5VikWbaL=(kyA-%LlLH$Tds8dHMYE8c+LXt zw$eUKIl{RvQoemyn4jx0ko{NEvt!!tA_(3%f!js7jGQ*o4p-74&*xk^vgITvOQ#Th zXT_7G%)#TkYF^8ARFCJ{w-Wo)aTLb}&)CWoHSE|@%j>hKq-~W zvkn)@B}~^$rE|w{Qn&L$L8N`jU~g7hE_^mww{PaE?=~*bKC68B0ld zD+*rS?XhcZZ}{ZVG`jlB`%l|C#%Iq##kJGSKkd89pS>4Gjr&D*y-FND`|c>3uxh8V zxtM;pJ!m7a9CQD|Lmcq*PSn#E=<`{dm1b|9L3@x0?m}U*S8-a`$-b-hwAc!#;yg77 zQS0hP7tc2YRl?9?gK8ZMkR+ zE?N8uOLfvqr`JL18|(3&&*OQYn% z7Vz{$98MqpM+-B5?&Jv}yqBXb@@}8r=KfwOU!-X2?QFGC{4u)YxYRPWRBLi}nav_V zNm99r0MO^!C%g*n8;=wZlGcdWy{Y+JUTtP6MVM$Nh*meN_?q&$M^H!o3*wq7sfz%} z@>Jk{UzQW(yLP-GJKf@j(o{E&b%Bc_AWM>LcTtw!=X@*eW|{P zvEfM2A*T7fNNd0eh0Yc3>cgJ&6Z2H8#IM7#;&!zA=(2T?&52ppXYDlfPum|1Vh>4y z?}XPpofZaf;OtWCcbHr~)(5{r3@tZk51B~vbAE>(_^f-Z^58OMIY$KvZcv2{*$HF5 zd5_S)DfYPP*)IQZ5;Yi~^-T5MuwamDX8B4p>tJ)MNo+#;H=ph7vTMaRpO#}sSGENF z`G)kLJM^Qjy6FYCbf=uUy^C_m68_+=QSNl%K`C^=7KXOa=I>gGVszj^D_GI{>+rMc z>qEORyl+er=cQf3zxbEdL=K*Nv|G6TLRM*Ay^pPI!+lT<74@ygH}M=`8T}sT(Z0eR zn}pbIa4IB!r+7DxJVvT;mivA-P?EBeI;m3^L!@J0ck%`msqms*0l+t#WQ(2ge?~OI z^G%%cJpTJyCHksxN#?_?mn_9<8qLGe=T+g3$99bob`cIQ)wlJEkLz>4h1WlSj~|l! zezU^h`gqCv^Y~cw@yE6-{^{)JhqJm5S_kjH+zhfm0$yJpN?Ju9HdG()Z=VQhPhr3= z*CMh95+7X01&(VbNf`=ncX@}l3)jf^x@QO|8-Q_J;pBP1(&=I6$v}xUtPTaY28KZ3 z8OXTEcN6B%wPAshFRiZz_P+>xVJ3;69>}N1kx3B1zl-lyf-bZeB!SA#KZxDJ8*C8Z zD!q#>9v-~5?Y{obLxoRHmhg=xDvhFNh*x5WfhU8}VuHYoK9H=a>8OO7gMG5iA~DfO{9#%4qz5mhlNz*8Dg7LH3E z4?=|lOWaYY$B`r0QFVGz=+05iL}XOQucv~5PghYdu%k25qX$sQ9=W5y8_}azq~p6$ zQ$#Us*wLM((esR?i_K2`%`wkUM052b)^|yMlvkyVnsu zlZ%Tyv0o04%RUiRaErT3CnOe=zAOZgnPAAaPD^KDpgnv9h#0bMyfc6v>Bl3NL9y3Sx~Cw}JR6dh1cT`WY~lp6@I-Hy#OHeiPlNym&ZHM*1U!#kNlpO( zE&wcr$0Ml$xEvs)yd;kR0Ll@C79WH56tluG5lxfd)FjJgB!krf1^K7XU~1?SO6$Y) zB9Z|P(Dqcy8*xeT>y%2qDBO5Ve%n-q8UPxfYA2uK*aA2Y6ZB1C_HiUb#Q;Q8Nwlfd zHyLR%H9*`H<`D-35e~r1qzrA-U**S%@PmA(Fi+OOxMBcZM7*VbdSV%FvKJs!hWRTV znzfV;t^qy}XBvoS0M!5n75Whjlbr)p-<(;sm#G8FskE6%p1-U;{>(k zrDJhqBXno#1!No70PpkCzf3*R2(lfSa*P9jmMP3Aj_j{ps86f_{2=~hT#jr7sobp= z{K_T3H6mG*KUJ+P^++DyH6vNREEAD4S={S`zIZ0km2t+D4wU0BNs1AB<*9aS+Y|u- z#K~WW@?6zg~w-vk#!ii;UeVxI5g8j-;M$sJ7fw5Z+!d;II81{J{X z4noEKZ#-(S%;o>HwWD(^QTpRQKWg|@ni zvVvdRQ%`LDwJFdO?y>H}Wq?K4(DlQcYIpHVTQFdkdhx0^IlgO= zIA57?(QM(|^;-}dEP1(V*b#fx`F&BemZ#`rf8&}Lp|-fzd)2Q^GC|*T_!^>mi;ibI zUVfU|2+(!9-b(*_PyLp5gbP?)ZHcj$sz%r<{7~8jM$60fHqdXH9~*eqpu|7$8H=_h z7}D++-$V8@S5W-ZnNv+qzv7(YY44=$$uEQkU+(kE{*^oTu?jvxg{9Am!dk1)Kf*HD zrX-y{J0_nWZVsD%KinQa{hHpLFT8oY|7YA|9)Kd(1txLkMpyg}A{^>MR(S1;nXN*` z2o?`PjeABFweA4V7e_6t49dz_(k-&W9x{{irc#naqATcH-DC}+-w1KgL6yv&QsdyQ zq?R&ZY&=F+4iiH!fIWuENfDh?haYfJ<2*&CRpc%aH^bC;OK-)~lg&6ZvI`_c^pYGl zw;~M4^ohLAqdB?IqOG*T!A|M@5yhNzlRi&%i%=PUlCW5hWGsp^)DOa^oFYTFKYhVW za$=D+@qR+IG#D*IQaq=^?!KFEXqe>J)M^vkT4?Ft6b>uTmn7vDVK7P(XQ?M9zAO>i zvehUXnIc=a9kO`MLXN<16fTiaS2O`;bPh*J&EjCK+}Fq3+r#^q}cf(0p}5 z1z4W@+s_|O>|J+8> zD#2y=r#8~5Z`r@u8g*W$*8U^9`j&OSHu8@tf409m+VnK#$?icEN>>|r0m^7B#^^lH ze-1`wiG?Wr?Phu_AfMe*xAR1{6s4t!kKdgw)vWjn>T5Xj>F+7e9KZZTwp@!jEK0Pd&}8Q#hVqlN=K{v(92Ku-zPfS{ya_j{|NQ{KbrEprUXw=U+OSY zzbB|AZ7N@4I8A7HK?G}KDRv}fd3r(Ai+NP+Xo?Y{!Wf~;-Jfw{$V{96pEs|192_;R z|EtHjWw+#i5M4=niGlrHv;S%%wUd&8y~aKc(-59ZD-WT&i6J{S{J&>Z`p0oqvz6f(+dktrV1>qN|EI z*X0rlj!QeMIyQ}!(vDYYtFDSK-CW%SAEVzXQvhB14)3|=-mQs}t0e!>!WY5$8OJ}t zz9}JZjK4)@)|tM2?&_2{nHn_EvJ;->^f%O3paSAh*|o11Sbz?E?sY0A!CHZ}9<~3; zojoKns;~VmR?ERNNP(j2E7u0yy%Z;Vtg4fdW&e%4=kJIvFF$RF_hJc4?~&zFx$4O1 zh%w`{`&pV{*n|9L8i}aqVbuTils|@}D&>Lyn)3gE`lf|7K>mXIzQ7y?IKH6!Z~2%} zzakgn62eN{LD6l=fCT*v%T)UOjLK+3HBl!OTdfF89g&aDjw6zo47}(kmY;pxZ<5S_ zVRI<6m>b4kr4=x7y3m>xmWvi;G&M6ZyC#@v-2L!vN9Ey)Jc<5I0#_q& z2ED*!h^FE!)LGvhh+i*=)e8hsfV9AT;9f4*m7hPuL$S#uLSqAkAiFrjLox!V3GvZI zv<&jY3I?Z%>0?FztGz4#hq4d5w?USWrKl`rmz{`^t+Hf^r!tgKq@E}HT1X>BG9dtdytf0_TiNQZ50cn_6VdpiWzNMOR;-TMAz6u$)fbxhaPeqtFi1K>^81UPr zbJS^V{5!pSkbZ16{o(R2j!CfCcgc#RlwNKoJei_>&`b37I}bL68H{*$p6!)yb9KgJYmV}Ww7Fd#$8}fyiFg+nOe$o&IG9|@ z^Y7pb%)WualFS1z|UzlFcI!rt={Eqsz&~7)+ z9I3lF{2`Qk7-5GbW=5xq$*Xv5#cpb@2WLvi%p^xY3L(7rir?3ZeR_$1QH;Eb%gY#i zoaXdpW?}@C(5U8T{x!b=ui9(MRT1yCbyLb}`Se|uS9vs}DB-2~jG4F_qR1$!^J)d_ zM7$3zk9ZH`FsMTK=nyFryAT!erHcmlg@T;C)S~9&ayED;AHyBQIz^-q}#P zv55DZnlT(q>;49w4A-<>UIg7EDd$z#QT_<|E+}@aY>!fSxnAaIa1!_%oL8?n**qGO zzVsX1R|a4z z#m$7gLtZ?)5eBy}RnM7uP$^ATM9@``VstP&IAO7{op0?+#dlar2vj{bzr=fr!Ts2? zwjV~lv}!X#)nqfDL*X!#5ji6b$1fiUZb84UNYg98oMtC=n%IOsZazDk=G?v^D_1`1 z^}`aT;q<7`VVjOP^rs1BLsu^6k7+1>+9tN~&9df(t*K6`X&sdTSy5%fvN}1Yae#U} zcu9$K6C0t$mUD_kq*pKB&Ob0wB5NGc*l|@tF*CiV7R>7GJpJ_o8COT(m42yIch9G=559-N1N69RsJ z9?qoKB)`P1a(0h~f8k&5FXhN#n{0{tqI052W*KFKLKo#G!|=stuQ?1eBcUTtNR|X{VhYi0Bl2QX7j*yZxPs-x*BsK zIagC3ML{hO5`75Rf@GZJ9)2VGzp8}!53qeqc=nSe%o^ullxmQiyOUW}sm|Q>JdEuU zcy`oNeo{%v_^v=FajnE1L?*6S!1@V=j%!}_va=&HL0le5OS~pK=`7q@eFwJAGCw`% zUT7h0gVUy>ZM&}HotV$d)fTjRAPq{M-g@?+ELV=+uD$1f-BBq}wd}bIx4LZH0s|&Kq+7ZN^xfY@b_k25 zQ~rFJTi>C$UpG0a$(SQ~KzM-f&6h^vRQS0p)4pDsx?w*LE8QH*)`4k!DR1J;CjB%zSQ=6akAtEn1#DjNr}7C=suV{$GjAx0x~wLC0P*pkB!23Ciff6V z$k)>4#IJe<@k52%EmgEPEOvW^NmVW!C4ytm{88e(3^<1l(Ae|Kh+mnxL1p%o9kMc< z_mOs+{TQ|?5e~|LqmF$|$z!nRPm_Ee}oXY_U#g9>Z`fj(Ey$d3Xj#)kV6cZd{Aj-)CJXdWGq=Ogl zoDIoi=e`${=OpmNkWswl^`N-HRtxxEQ?8@;Qfy`4E*&L)VHb}avvBae2qbyF(?|?M zz$n~U#*Z^>DWL*%5@UuBpB7>LbQO)fGJcp{scsldU^5hXAtF7YVcS4s$jIOkO_%%m zV`VKif8vS8*{4jePK-Kfufkgf ze~b>RWI%}cz2J9aO!b=*Zww!|)!B!ej{E^SG~>LaF;UAa+L7Sc)1xEA{)X?YP2Ni- z?)F#)Z41hgXtg5#lk+m*FCBXf*th7928P6N>4^HMYkj>Q6gn1jR54s#H;@Z-pxLKL zK<^I#1R-VWE9|EMYCUC2V5Kru9kg7Tdaz2FI{Xj$!uWFKa(8j_952&g8l+~Ga;p92 zQ~Y{>g52nNUM5l=3-Yo$v9oCToGjgad_kg@C!*fq0kZGwm3IGG&uBHV}u74hS&+M38VU8%2}N5W)b2-_6;)M_O! zn^&f|*)fn$!SXnh&6!aoncFq=MX5RK*@qQ^j~!n)?=8{PdsFk?V(Dr+)w}#=G@tgZlk+J3kMmHdsv$rT0Cb z9?qV~ZONpx>5{!lu^U-|o8E&+5-uI^#(jLFx)Pwido}&j0JTh+D&AvMMTjI1KS<7q z#O-&I-heWtv&hS$=|f8kd1UZDI>_j)PksnccTbVmmljLLiSb%mbTix1tM04B^Ef(m zvntTjE}5YaM{1epNIxb1>|aOxsa+%feE1$mvRx8?s29bbtVNClUoQTf(rTR-e>gQD zj&v?UQux~*|MzPC{)j&b*l1{vAB<+;@Ba;Z{J9Z|N@T}dOo^NRfy_{udqrApAL*<- z*gGYZCHv^Ztg>*$vIg{+Qdv_pQ{!SZ!yHFqvH+tQ>|>Fzwvc+8d|Fk(+&$c0F z3q%mtWG8oZUO4QgH~f;y*gj$U_7Ghf`rJTov;F7Jn+;F(MS2T=o|}UD`FI0_c;Zz< zEn(MwoCnug7GR(1 zOT@C-0eaT0|3&(cT}S$8T_b%AeeYR2(l2Vd+b9;KkLkr{?Ytm;G@?B7=g5tI+!hwu zopaCn!*$U=&$@U|-+hOA=sc(QY2Vy=&LhMoerzOoo&zSX@ciCqO~RuS@Uqq%OkBb6 z=MCLS@97Z&lHI`B0ZY?-OIt9;*F;h~9ZFmYlo3uFUrJnAeAZolzM`h!ZW)jpvnLx@ zm@5Q4EZWK$OLd9)yxVcoPLIK4U3z=?XzARuo=aTO_jy4DY%iGU+(|bGB)_5JPeQpE@2;<22H{^sM8bt^ zuHaUxr1flQ`vccW0+#*uZKH=^OWq%cIx%n4#vE!t)&Sre4>KUJhjW>z(v zJ$A(WNRC+=2Lmb0*2CJDn%p7p703f{uNi%OSNSs#55V*i5t|l2FIIP=8Z9Ngg?v!P zmVH0xm8BCtw!RlPqCf{GBQOk$l96s)OC}#l%vP_s42b75WjrkK4*u;xoe9K@7`Fb*Dx-sQ0C_SkrP8c{RWo6jI zttE8XM!_&Qa+k;%RE7;_Y0r3{QgEmK33gH{pgE?yF!M|T+P{9_2429`AeBL7zlu-C zs<-^M4=C>rbtR0vhpiAQehUw9!Fg&#dn(ES`SiDZPG{|n(o!*z+4e(+TJOK`fH{X+ zg>bpk&&JJ^*`B^cx{{99@p?C_b)f40VLaz*O?39>p=LeF;m znS&ZG6u9#uMi2yp+HOAuTLX7r3Ccd)fwiuYkf$E6B|WAn=|^UGz%=9J!d373W5XiU z+_9TwmFOT#*gV + + + + + + + + + + + + + + + + + + + + + + + Recommended Software - CTF Handbook + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    +
    + +
    + + + + + + +
    + + +
    + +
    + + + + + + +
    +
    + + + +
    +
    +
    + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + +

    Recommended Software

    +

    Generally in cyber security competitions, it is up to you and your team +to determine what software to use. In some cases you may even end up +creating new tools to give you an edge! That being said, here are some +applications that we recommend for most competitors for most +competitions.

    +

    Disassemblers/Decompilers

    +
      +
    • +

      Ghidra

      +

      Ghidra is a disassembler and decompiler that is open source and free +to use. Released by the NSA, Ghidra is a capable tool and is the +recommended disassembler for most use cases. An alternative is IDA +Pro (a cyber security industry standard), however IDA Pro is not +free and licenses are very expensive.

      +
    • +
    • +

      Binary Ninja

      +

      Binary Ninja is a commercial disassembler (with a free demo +application) that provides an aesthetic and easy to use interface +for binary reverse engineering. It also has a Web-UI which can be +used freely. Binary Ninja's API and intermediate language make it +superior than other disassemblers for certain use cases.

      +
    • +
    +

    Debuggers

    +
      +
    • +

      Pwndbg for GDB

      +

      Pwndbg is a plugin for the GNU Debugger (gdb) which makes it easier +to dynamically reverse an application by stepping through its +execution. In order to use pwndbg you will first need to have gdb +installed via a Linux virtual machine or similar.

      +
    • +
    • +

      WinDbg

      +

      WinDbg is a debugger for Windows applications.

      +
    • +
    +

    Web Tools

    +
      +
    • +

      Burp Suite

      +

      Burp Suite is an HTTP proxy and set of tools which allow you to +view, edit and replay your HTTP requests. While Burp Suite is a +commercial tool, it offers a free version which is very capable and +usually all that's needed.

      +
    • +
    • +

      sqlmap

      +

      sqlmap is a penetration testing tool that automates hte process of +detecting and exploiting SQL injection flaws. It's open source and +freely available.

      +
    • +
    • +

      Google Chrome

      +

      Google Chrome is a web browser with a suite of developer tools and +extensions. These tools and extensions can be useful when +investigating a web application.

      +
    • +
    • +

      Wireshark

      +

      Wireshark is a PCAP analysis tool which allows you to analyze and +record network traffic.

      +
    • +
    +

    Virtualization

    +
      +
    • +

      VMware

      +

      VMware is a company that creates virtualization software that allows +you to run other operating systems within your existing operating +system. While their products are not generally free, their software +is best in class for virtualization.

      +

      VMWare Fusion, VMWare Workstation, and VMWare Player are three of +their virtualization products that can be used on your computer to +run other OS'es. VMWare +Player is free to use for +Windows and Linux.

      +
    • +
    • +

      VirtualBox

      +

      VirtualBox is open source virtualization software which allows you +to virtualize other operating systems. It's very similar to VMWare +products but free for all OS'es. It is generally slower than VMWare +but works well enough for most people.

      +
    • +
    +

    Programming

    +
      +
    • +

      Python

      +

      Python is an easy-to-learn, widely used programming language which +supports complex applications as well as small scripts. It has a +large community which provides thousands of useful packages. Python +is widely used in the cyber security industry and is generally the +recommended language to use in CTF competition.

      +
    • +
    • +

      pwntools

      +

      Pwntools is a Python package which makes interacting with processes +and networks easy. It is a recommended library for interacting with +binary exploitation and networking based CTF challenges.

      +
      +

      Note

      +

      You can run +pwntools right in +your browser by using repl.it. Create a new +Python repl and install the pwntools package. After that you'll +be able to use pwntools directly from your browser without having to +install anything.

      +
      +
    • +
    +

    Miscellaneous

    +
      +
    • +

      CyberChef

      +

      CyberChef is a simple web app for analysing and decoding data +without having to deal with complex tools or programming languages.

      +
    • +
    + + + + + + + + + + + + + + + + + + + + + + +
    +
    + + + +
    + +
    + +
    + + +
    + +
    +
    +
    +
    + + + + + + + + + + \ No newline at end of file diff --git a/forensics/overview/index.html b/forensics/overview/index.html index 4d6380af..547abced 100644 --- a/forensics/overview/index.html +++ b/forensics/overview/index.html @@ -3017,6 +3017,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/forensics/what-are-file-formats/index.html b/forensics/what-are-file-formats/index.html index 41a2d58a..7974a4e5 100644 --- a/forensics/what-are-file-formats/index.html +++ b/forensics/what-are-file-formats/index.html @@ -3091,6 +3091,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + @@ -3211,7 +3318,7 @@

    Example

    - February 20, 2024 + January 26, 2024 diff --git a/forensics/what-is-a-hex-editor/index.html b/forensics/what-is-a-hex-editor/index.html index 163bfcb3..1ae9c004 100644 --- a/forensics/what-is-a-hex-editor/index.html +++ b/forensics/what-is-a-hex-editor/index.html @@ -3058,6 +3058,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/forensics/what-is-disk-imaging/index.html b/forensics/what-is-disk-imaging/index.html index 2e9f7277..f70a53eb 100644 --- a/forensics/what-is-disk-imaging/index.html +++ b/forensics/what-is-disk-imaging/index.html @@ -3058,6 +3058,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/forensics/what-is-memory-forensics/index.html b/forensics/what-is-memory-forensics/index.html index 8d85cf82..c65e8c08 100644 --- a/forensics/what-is-memory-forensics/index.html +++ b/forensics/what-is-memory-forensics/index.html @@ -3100,6 +3100,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/forensics/what-is-metadata/index.html b/forensics/what-is-metadata/index.html index 12c23383..58dc8c2e 100644 --- a/forensics/what-is-metadata/index.html +++ b/forensics/what-is-metadata/index.html @@ -3127,6 +3127,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/forensics/what-is-stegonagraphy/index.html b/forensics/what-is-stegonagraphy/index.html index daf98be8..d86e6b96 100644 --- a/forensics/what-is-stegonagraphy/index.html +++ b/forensics/what-is-stegonagraphy/index.html @@ -3100,6 +3100,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/forensics/what-is-wireshark/index.html b/forensics/what-is-wireshark/index.html index f3634df4..c6cb840b 100644 --- a/forensics/what-is-wireshark/index.html +++ b/forensics/what-is-wireshark/index.html @@ -3091,6 +3091,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/index.html b/index.html index baac5173..e431465a 100644 --- a/index.html +++ b/index.html @@ -3052,6 +3052,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/reverse-engineering/overview/index.html b/reverse-engineering/overview/index.html index bf7a53fd..e3e52f1b 100644 --- a/reverse-engineering/overview/index.html +++ b/reverse-engineering/overview/index.html @@ -3017,6 +3017,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/reverse-engineering/what-are-decompilers/index.html b/reverse-engineering/what-are-decompilers/index.html index 08b5f9de..ce29a65a 100644 --- a/reverse-engineering/what-are-decompilers/index.html +++ b/reverse-engineering/what-are-decompilers/index.html @@ -3091,6 +3091,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/reverse-engineering/what-are-disassemblers/index.html b/reverse-engineering/what-are-disassemblers/index.html index 8964e752..fb8c3d72 100644 --- a/reverse-engineering/what-are-disassemblers/index.html +++ b/reverse-engineering/what-are-disassemblers/index.html @@ -3091,6 +3091,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/reverse-engineering/what-is-assembly-machine-code/index.html b/reverse-engineering/what-is-assembly-machine-code/index.html index bc32f3b0..d24c9dcb 100644 --- a/reverse-engineering/what-is-assembly-machine-code/index.html +++ b/reverse-engineering/what-is-assembly-machine-code/index.html @@ -3136,6 +3136,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/reverse-engineering/what-is-bytecode/index.html b/reverse-engineering/what-is-bytecode/index.html index 34098803..8678f184 100644 --- a/reverse-engineering/what-is-bytecode/index.html +++ b/reverse-engineering/what-is-bytecode/index.html @@ -3001,6 +3001,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/reverse-engineering/what-is-c/index.html b/reverse-engineering/what-is-c/index.html index 9f125b6c..f758b5ff 100644 --- a/reverse-engineering/what-is-c/index.html +++ b/reverse-engineering/what-is-c/index.html @@ -3127,6 +3127,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/reverse-engineering/what-is-gdb/index.html b/reverse-engineering/what-is-gdb/index.html index ff9c6546..c8e6e819 100644 --- a/reverse-engineering/what-is-gdb/index.html +++ b/reverse-engineering/what-is-gdb/index.html @@ -3256,6 +3256,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/search/search_index.json b/search/search_index.json index 3f1cb3a1..78028511 100644 --- a/search/search_index.json +++ b/search/search_index.json @@ -1 +1 @@ -{"config": {"lang": ["en"], "separator": "[\\s\\-]+", "pipeline": ["stopWordFilter"]}, "docs": [{"location": "", "title": "Capture The Flag 101", "text": ""}, {"location": "#overview", "title": "Overview", "text": "

    Capture the Flags, or CTFs, are computer security competitions.

    Teams of competitors (or just individuals) are pitted against each other in various challenges across multiple security disciplines, competing to earn the most points.

    CTFs are often the beginning of one's cyber security career due to their team building nature and competitive aspect. In addition, there isn't a lot of commitment required beyond a weekend.

    Info

    For information about ongoing CTFs, check out CTFTime.

    In this handbook you'll learn the basics\u2122 behind the methodologies and techniques needed to succeed in Capture the Flag competitions.

    "}, {"location": "binary-exploitation/address-space-layout-randomization/", "title": "Address Space Layout Randomization (ASLR)", "text": "

    Address Space Layout Randomization (or ASLR) is the randomization of the place in memory where the program, shared libraries, the stack, and the heap are. This makes can make it harder for an attacker to exploit a service, as knowledge about where the stack, heap, or libc can't be re-used between program launches. This is a partially effective way of preventing an attacker from jumping to, for example, libc without a leak.

    Typically, only the stack, heap, and shared libraries are ASLR enabled. It is still somewhat rare for the main program to have ASLR enabled, though it is being seen more frequently and is slowly becoming the default.

    "}, {"location": "binary-exploitation/buffer-overflow/", "title": "Buffer Overflow", "text": "

    A Buffer Overflow is a vulnerability in which data can be written which exceeds the allocated space, allowing an attacker to overwrite other data.

    "}, {"location": "binary-exploitation/buffer-overflow/#stack-buffer-overflow", "title": "Stack buffer overflow", "text": "

    The simplest and most common buffer overflow is one where the buffer is on the stack. Let's look at an example.

    #include <stdio.h>\n\nint main() {\n    int secret = 0xdeadbeef;\n    char name[100] = {0};\n    read(0, name, 0x100);\n    if (secret == 0x1337) {\n        puts(\"Wow! Here's a secret.\");\n    } else {\n        puts(\"I guess you're not cool enough to see my secret\");\n    }\n}\n

    There's a tiny mistake in this program which will allow us to see the secret. name is decimal 100 bytes, however we're reading in hex 100 bytes (=256 decimal bytes)! Let's see how we can use this to our advantage.

    If the compiler chose to layout the stack like this:

            0xffff006c: 0xf7f7f7f7  // Saved EIP\n        0xffff0068: 0xffff0100  // Saved EBP\n        0xffff0064: 0xdeadbeef  // secret\n...\n        0xffff0004: 0x0\nESP ->  0xffff0000: 0x0         // name\n

    let's look at what happens when we read in 0x100 bytes of 'A's.

    The first decimal 100 bytes are saved properly:

            0xffff006c: 0xf7f7f7f7  // Saved EIP\n        0xffff0068: 0xffff0100  // Saved EBP\n        0xffff0064: 0xdeadbeef  // secret\n...\n        0xffff0004: 0x41414141\nESP ->  0xffff0000: 0x41414141  // name\n

    However when the 101st byte is read in, we see an issue:

            0xffff006c: 0xf7f7f7f7  // Saved EIP\n        0xffff0068: 0xffff0100  // Saved EBP\n        0xffff0064: 0xdeadbe41  // secret\n...\n        0xffff0004: 0x41414141\nESP ->  0xffff0000: 0x41414141  // name\n

    The least significant byte of secret has been overwritten! If we follow the next 3 bytes to be read in, we'll see the entirety of secret is \"clobbered\" with our 'A's

            0xffff006c: 0xf7f7f7f7  // Saved EIP\n        0xffff0068: 0xffff0100  // Saved EBP\n        0xffff0064: 0x41414141  // secret\n...\n        0xffff0004: 0x41414141\nESP ->  0xffff0000: 0x41414141  // name\n

    The remaining 152 bytes would continue clobbering values up the stack.

    "}, {"location": "binary-exploitation/buffer-overflow/#passing-an-impossible-check", "title": "Passing an impossible check", "text": "

    How can we use this to pass the seemingly impossible check in the original program? Well, if we carefully line up our input so that the bytes that overwrite secret happen to be the bytes that represent 0x1337 in little-endian, we'll see the secret message.

    A small Python one-liner will work nicely: python -c \"print 'A'*100 + '\\x31\\x13\\x00\\x00'\"

    This will fill the name buffer with 100 'A's, then overwrite secret with the 32-bit little-endian encoding of 0x1337.

    "}, {"location": "binary-exploitation/buffer-overflow/#going-one-step-further", "title": "Going one step further", "text": "

    As discussed on the stack page, the instruction that the current function should jump to when it is done is also saved on the stack (denoted as \"Saved EIP\" in the above stack diagrams). If we can overwrite this, we can control where the program jumps after main finishes running, giving us the ability to control what the program does entirely.

    Usually, the end objective in binary exploitation is to get a shell (often called \"popping a shell\") on the remote computer. The shell provides us with an easy way to run anything we want on the target computer.

    Say there happens to be a nice function that does this defined somewhere else in the program that we normally can't get to:

    void give_shell() {\n    system(\"/bin/sh\");\n}\n

    Well with our buffer overflow knowledge, now we can! All we have to do is overwrite the saved EIP on the stack to the address where give_shell is. Then, when main returns, it will pop that address off of the stack and jump to it, running give_shell, and giving us our shell.

    Assuming give_shell is at 0x08048fd0, we could use something like this: python -c \"print 'A'*108 + '\\xd0\\x8f\\x04\\x08'\"

    We send 108 'A's to overwrite the 100 bytes that is allocated for name, the 4 bytes for secret, and the 4 bytes for the saved EBP. Then we simply send the little-endian form of give_shell's address, and we would get a shell!

    This idea is extended on in Return Oriented Programming

    "}, {"location": "binary-exploitation/heap-exploitation/", "title": "Heap Exploits", "text": ""}, {"location": "binary-exploitation/heap-exploitation/#overflow", "title": "Overflow", "text": "

    Much like a stack buffer overflow, a heap overflow is a vulnerability where more data than can fit in the allocated buffer is read in. This could lead to heap metadata corruption, or corruption of other heap objects, which could in turn provide new attack surface.

    "}, {"location": "binary-exploitation/heap-exploitation/#use-after-free-uaf", "title": "Use After Free (UAF)", "text": "

    Once free is called on an allocation, the allocator is free to re-allocate that chunk of memory in future calls to malloc if it so chooses. However if the program author isn't careful and uses the freed object later on, the contents may be corrupt (or even attacker controlled). This is called a use after free or UAF.

    "}, {"location": "binary-exploitation/heap-exploitation/#example", "title": "Example", "text": "
    #include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <string.h>\n\ntypedef struct string {\n    unsigned length;\n    char *data;\n} string;\n\nint main() {\n    struct string* s = malloc(sizeof(string));\n    puts(\"Length:\");\n    scanf(\"%u\", &s->length);\n    s->data = malloc(s->length + 1);\n    memset(s->data, 0, s->length + 1);\n    puts(\"Data:\");\n    read(0, s->data, s->length);\n\n    free(s->data);\n    free(s);\n\n    char *s2 = malloc(16);\n    memset(s2, 0, 16);\n    puts(\"More data:\");\n    read(0, s2, 15);\n\n    // Now using s again, a UAF\n\n    puts(s->data);\n\n    return 0;\n}\n

    In this example, we have a string structure with a length and a pointer to the actual string data. We properly allocate, fill, and then free an instance of this structure. Then we make another allocation, fill it, and then improperly reference the freed string. Due to how glibc's allocator works, s2 will actually get the same memory as the original s allocation, which in turn gives us the ability to control the s->data pointer. This could be used to leak program data.

    "}, {"location": "binary-exploitation/heap-exploitation/#advanced-heap-exploitation", "title": "Advanced Heap Exploitation", "text": "

    Not only can the heap be exploited by the data in allocations, but exploits can also use the underlying mechanisms in malloc, free, etc. to exploit a program. This is beyond the scope of CTF 101, but here are a few recommended resources:

    • sploitFUN's glibc overview
    • Shellphish's how2heap
    "}, {"location": "binary-exploitation/no-execute/", "title": "No eXecute (NX Bit)", "text": "

    The No eXecute or the NX bit (also known as Data Execution Prevention or DEP) marks certain areas of the program as not executable, meaning that stored input or data cannot be executed as code. This is significant because it prevents attackers from being able to jump to custom shellcode that they've stored on the stack or in a global variable.

    "}, {"location": "binary-exploitation/overview/", "title": "Overview", "text": ""}, {"location": "binary-exploitation/overview/#binary-exploitation", "title": "Binary Exploitation", "text": "

    Binaries, or executables, are machine code for a computer to execute. For the most part, the binaries that you will face in CTFs are Linux ELF files or the occasional windows executable. Binary Exploitation is a broad topic within Cyber Security which really comes down to finding a vulnerability in the program and exploiting it to gain control of a shell or modifying the program's functions.

    Common topics addressed by Binary Exploitation or 'pwn' challenges include:

    • Registers
    • The Stack
    • Calling Conventions
    • Global Offset Table (GOT)
    • Buffers
      • Buffer Overflow
    • Return Oriented Programming (ROP)
    • Binary Security
      • No eXecute (NX)
      • Address Space Layout Randomization (ASLR)
      • Stack Canaries
      • Relocation Read-Only (RELRO)
    • The Heap
      • Heap Exploitation
    • Format String Vulnerability
    "}, {"location": "binary-exploitation/relocation-read-only/", "title": "Relocation Read-Only (RELRO)", "text": "

    Relocation Read-Only (or RELRO) is a security measure which makes some binary sections read-only.

    There are two RELRO \"modes\": partial and full.

    "}, {"location": "binary-exploitation/relocation-read-only/#partial-relro", "title": "Partial RELRO", "text": "

    Partial RELRO is the default setting in GCC, and nearly all binaries you will see have at least partial RELRO.

    From an attackers point-of-view, partial RELRO makes almost no difference, other than it forces the GOT to come before the BSS in memory, eliminating the risk of a buffer overflows on a global variable overwriting GOT entries.

    "}, {"location": "binary-exploitation/relocation-read-only/#full-relro", "title": "Full RELRO", "text": "

    Full RELRO makes the entire GOT read-only which removes the ability to perform a \"GOT overwrite\" attack, where the GOT address of a function is overwritten with the location of another function or a ROP gadget an attacker wants to run.

    Full RELRO is not a default compiler setting as it can greatly increase program startup time since all symbols must be resolved before the program is started. In large programs with thousands of symbols that need to be linked, this could cause a noticable delay in startup time.

    "}, {"location": "binary-exploitation/return-oriented-programming/", "title": "Return Oriented Programming", "text": "

    Return Oriented Programming (or ROP) is the idea of chaining together small snippets of assembly with stack control to cause the program to do more complex things.

    As we saw in buffer overflows, having stack control can be very powerful since it allows us to overwrite saved instruction pointers, giving us control over what the program does next. Most programs don't have a convenient give_shell function however, so we need to find a way to manually invoke system or another exec function to get us our shell.

    "}, {"location": "binary-exploitation/return-oriented-programming/#32-bit", "title": "32 bit", "text": "

    Imagine we have a program similar to the following:

    #include <stdio.h>\n#include <stdlib.h>\n\nchar name[32];\n\nint main() {\n    printf(\"What's your name? \");\n    read(0, name, 32);\n\n    printf(\"Hi %s\\n\", name);\n\n    printf(\"The time is currently \");\n    system(\"/bin/date\");\n\n    char echo[100];\n    printf(\"What do you want me to echo back? \");\n    read(0, echo, 1000);\n    puts(echo);\n\n    return 0;\n}\n

    We obviously have a stack buffer overflow on the echo variable which can give us EIP control when main returns. But we don't have a give_shell function! So what can we do?

    We can call system with an argument we control! Since arguments are passed in on the stack in 32-bit Linux programs (see calling conventions), if we have stack control, we have argument control.

    When main returns, we want our stack to look like something had normally called system. Recall what is on the stack after a function has been called:

            ...                                 // More arguments\n        0xffff0008: 0x00000002              // Argument 2\n        0xffff0004: 0x00000001              // Argument 1\nESP ->  0xffff0000: 0x080484d0              // Return address\n

    So main's stack frame needs to look like this:

            0xffff0008: 0xdeadbeef              // system argument 1\n        0xffff0004: 0xdeadbeef              // return address for system\nESP ->  0xffff0000: 0x08048450              // return address for main (system's PLT entry)\n

    Then when main returns, it will jump into system's PLT entry and the stack will appear just like system had been called normally for the first time.

    Note: we don't care about the return address system will return to because we will have already gotten our shell by then!

    "}, {"location": "binary-exploitation/return-oriented-programming/#arguments", "title": "Arguments", "text": "

    This is a good start, but we need to pass an argument to system for anything to happen. As mentioned in the page on ASLR, the stack and dynamic libraries \"move around\" each time a program is run, which means we can't easily use data on the stack or a string in libc for our argument. In this case however, we have a very convenient name global which will be at a known location in the binary (in the BSS segment).

    "}, {"location": "binary-exploitation/return-oriented-programming/#putting-it-together", "title": "Putting it together", "text": "

    Our exploit will need to do the following:

    1. Enter \"sh\" or another command to run as name
    2. Fill the stack with
      1. Garbage up to the saved EIP
      2. The address of system's PLT entry
      3. A fake return address for system to jump to when it's done
      4. The address of the name global to act as the first argument to system
    "}, {"location": "binary-exploitation/return-oriented-programming/#64-bit", "title": "64 bit", "text": "

    In 64-bit binaries we have to work a bit harder to pass arguments to functions. The basic idea of overwriting the saved RIP is the same, but as discussed in calling conventions, arguments are passed in registers in 64-bit programs. In the case of running system, this means we will need to find a way to control the RDI register.

    To do this, we'll use small snippets of assembly in the binary, called \"gadgets.\" These gadgets usually pop one or more registers off of the stack, and then call ret, which allows us to chain them together by making a large fake call stack.

    For example, if we needed control of both RDI and RSI, we might find two gadgets in our program that look like this (using a tool like rp++ or ROPgadget):

    0x400c01: pop rdi; ret\n0x400c03: pop rsi; pop r15; ret\n

    We can setup a fake call stack with these gadets to sequentially execute them, poping values we control into registers, and then end with a jump to system.

    "}, {"location": "binary-exploitation/return-oriented-programming/#example", "title": "Example", "text": "
            0xffff0028: 0x400d00            // where we want the rsi gadget's ret to jump to now that rdi and rsi are controlled\n        0xffff0020: 0x1337beef          // value we want in r15 (probably garbage)\n        0xffff0018: 0x1337beef          // value we want in rsi\n        0xffff0010: 0x400c03            // address that the rdi gadget's ret will return to - the pop rsi gadget\n        0xffff0008: 0xdeadbeef          // value to be popped into rdi\nRSP ->  0xffff0000: 0x400c01            // address of rdi gadget\n

    Stepping through this one instruction at a time, main returns, jumping to our pop rdi gadget:

    RIP = 0x400c01 (pop rdi)\nRDI = UNKNOWN\nRSI = UNKNOWN\n\n        0xffff0028: 0x400d00            // where we want the rsi gadget's ret to jump to now that rdi and rsi are controlled\n        0xffff0020: 0x1337beef          // value we want in r15 (probably garbage)\n        0xffff0018: 0x1337beef          // value we want in rsi\n        0xffff0010: 0x400c03            // address that the rdi gadget's ret will return to - the pop rsi gadget\nRSP ->  0xffff0008: 0xdeadbeef          // value to be popped into rdi\n

    pop rdi is then executed, popping the top of the stack into RDI:

    RIP = 0x400c02 (ret)\nRDI = 0xdeadbeef\nRSI = UNKNOWN\n\n        0xffff0028: 0x400d00            // where we want the rsi gadget's ret to jump to now that rdi and rsi are controlled\n        0xffff0020: 0x1337beef          // value we want in r15 (probably garbage)\n        0xffff0018: 0x1337beef          // value we want in rsi\nRSP ->  0xffff0010: 0x400c03            // address that the rdi gadget's ret will return to - the pop rsi gadget\n

    The RDI gadget then rets into our RSI gadget:

    RIP = 0x400c03 (pop rsi)\nRDI = 0xdeadbeef\nRSI = UNKNOWN\n\n        0xffff0028: 0x400d00            // where we want the rsi gadget's ret to jump to now that rdi and rsi are controlled\n        0xffff0020: 0x1337beef          // value we want in r15 (probably garbage)\nRSP ->  0xffff0018: 0x1337beef          // value we want in rsi\n

    RSI and R15 are popped:

    RIP = 0x400c05 (ret)\nRDI = 0xdeadbeef\nRSI = 0x1337beef\n\nRSP ->  0xffff0028: 0x400d00            // where we want the rsi gadget's ret to jump to now that rdi and rsi are controlled\n

    And finally, the RSI gadget rets, jumping to whatever function we want, but now with RDI and RSI set to values we control.

    "}, {"location": "binary-exploitation/stack-canaries/", "title": "Stack Canaries", "text": "

    Stack Canaries are a secret value placed on the stack which changes every time the program is started. Prior to a function return, the stack canary is checked and if it appears to be modified, the program exits immeadiately.

    "}, {"location": "binary-exploitation/stack-canaries/#bypassing-stack-canaries", "title": "Bypassing Stack Canaries", "text": "

    Stack Canaries seem like a clear cut way to mitigate any stack smashing as it is fairly impossible to just guess a random 64-bit value. However, leaking the address and bruteforcing the canary are two methods which would allow us to get through the canary check.

    "}, {"location": "binary-exploitation/stack-canaries/#stack-canary-leaking", "title": "Stack Canary Leaking", "text": "

    If we can read the data in the stack canary, we can send it back to the program later because the canary stays the same throughout execution. However Linux makes this slightly tricky by making the first byte of the stack canary a NULL, meaning that string functions will stop when they hit it. A method around this would be to partially overwrite and then put the NULL back or find a way to leak bytes at an arbitrary stack offset.

    A few situations where you might be able to leak a canary:

    • User-controlled format string
    • User-controlled length of an output
      • \u201cHey, can you send me 1000000 bytes? thx!\u201d
    "}, {"location": "binary-exploitation/stack-canaries/#bruteforcing-a-stack-canary", "title": "Bruteforcing a Stack Canary", "text": "

    The canary is determined when the program starts up for the first time which means that if the program forks, it keeps the same stack cookie in the child process. This means that if the input that can overwrite the canary is sent to the child, we can use whether it crashes as an oracle and brute-force 1 byte at a time!

    This method can be used on fork-and-accept servers where connections are spun off to child processes, but only under certain conditions such as when the input accepted by the program does not append a NULL byte (read or recv).

    Buffer (N Bytes) ?? ?? ?? ?? ?? ?? ?? ?? RBP RIP

    Fill the buffer N Bytes + 0x00 results in no crash

    Buffer (N Bytes) 00 ?? ?? ?? ?? ?? ?? ?? RBP RIP

    Fill the buffer N Bytes + 0x00 + 0x00 results in a crash

    N Bytes + 0x00 + 0x01 results in a crash

    N Bytes + 0x00 + 0x02 results in a crash

    ...

    N Bytes + 0x00 + 0x51 results in no crash

    Buffer (N Bytes) 00 51 ?? ?? ?? ?? ?? ?? RBP RIP

    Repeat this bruteforcing process for 6 more bytes...

    Buffer (N Bytes) 00 51 FE 0A 31 D2 7B 3C RBP RIP

    Now that we have the stack cookie, we can overwrite the RIP register and take control of the program!

    "}, {"location": "binary-exploitation/what-are-buffers/", "title": "Buffers", "text": "

    A buffer is any allocated space in memory where data (often user input) can be stored. For example, in the following C program name would be considered a stack buffer:

    #include <stdio.h>\n\nint main() {\n    char name[64] = {0};\n    read(0, name, 63);\n    printf(\"Hello %s\", name);\n    return 0;\n}\n

    Buffers could also be global variables:

    #include <stdio.h>\n\nchar name[64] = {0};\n\nint main() {\n    read(0, name, 63);\n    printf(\"Hello %s\", name);\n    return 0;\n}\n

    Or dynamically allocated on the heap:

    #include <stdio.h>\n#include <stdlib.h>\n\nint main() {\n    char *name = malloc(64);\n    memset(name, 0, 64);\n    read(0, name, 63);\n    printf(\"Hello %s\", name);\n    return 0;\n}\n
    "}, {"location": "binary-exploitation/what-are-buffers/#exploits", "title": "Exploits", "text": "

    Given that buffers commonly hold user input, mistakes when writing to them could result in attacker controlled data being written outside of the buffer's space. See the page on buffer overflows for more.

    "}, {"location": "binary-exploitation/what-are-calling-conventions/", "title": "Calling Conventions", "text": "

    To be able to call functions, there needs to be an agreed-upon way to pass arguments. If a program is entirely self-contained in a binary, the compiler would be free to decide the calling convention. However in reality, shared libraries are used so that common code (e.g. libc) can be stored once and dynamically linked in to programs that need it, reducing program size.

    In Linux binaries, there are really only two commonly used calling conventions: cdecl for 32-bit binaries, and SysV for 64-bit

    "}, {"location": "binary-exploitation/what-are-calling-conventions/#cdecl", "title": "cdecl", "text": "

    In 32-bit binaries on Linux, function arguments are passed in on the stack in reverse order. A function like this:

    int add(int a, int b, int c) {\n    return a + b + c;\n}\n

    would be invoked by pushing c, then b, then a.

    "}, {"location": "binary-exploitation/what-are-calling-conventions/#sysv", "title": "SysV", "text": "

    For 64-bit binaries, function arguments are first passed in certain registers:

    1. RDI
    2. RSI
    3. RDX
    4. RCX
    5. R8
    6. R9

    then any leftover arguments are pushed onto the stack in reverse order, as in cdecl.

    "}, {"location": "binary-exploitation/what-are-calling-conventions/#other-conventions", "title": "Other Conventions", "text": "

    Any method of passing arguments could be used as long as the compiler is aware of what the convention is. As a result, there have been many calling conventions in the past that aren't used frequently anymore. See Wikipedia for a comprehensive list.

    "}, {"location": "binary-exploitation/what-are-registers/", "title": "Registers", "text": "

    A register is a location within the processor that is able to store data, much like RAM. Unlike RAM however, accesses to registers are effectively instantaneous, whereas reads from main memory can take hundreds of CPU cycles to return.

    Registers can hold any value: addresses (pointers), results from mathematical operations, characters, etc. Some registers are reserved however, meaning they have a special purpose and are not \"general purpose registers\" (GPRs). On x86, the only 2 reserved registers are rip and rsp which hold the address of the next instruction to execute and the address of the stack respectively.

    On x86, the same register can have different sized accesses for backwards compatability. For example, the rax register is the full 64-bit register, eax is the low 32 bits of rax, ax is the low 16 bits, al is the low 8 bits, and ah is the high 8 bits of ax (bits 8-16 of rax).

    "}, {"location": "binary-exploitation/what-is-a-format-string-vulnerability/", "title": "Format String Vulnerability", "text": "

    A format string vulnerability is a bug where user input is passed as the format argument to printf, scanf, or another function in that family.

    The format argument has many different specifies which could allow an attacker to leak data if they control the format argument to printf. Since printf and similar are variadic functions, they will continue popping data off of the stack according to the format.

    For example, if we can make the format argument \"%x.%x.%x.%x\", printf will pop off four stack values and print them in hexadecimal, potentially leaking sensitive information.

    printf can also index to an arbitrary \"argument\" with the following syntax: \"%n$x\" (where n is the decimal index of the argument you want).

    While these bugs are powerful, they're very rare nowadays, as all modern compilers warn when printf is called with a non-constant string.

    "}, {"location": "binary-exploitation/what-is-a-format-string-vulnerability/#example", "title": "Example", "text": "
    #include <stdio.h>\n#include <unistd.h>\n\nint main() {\n    int secret_num = 0x8badf00d;\n\n    char name[64] = {0};\n    read(0, name, 64);\n    printf(\"Hello \");\n    printf(name);\n    printf(\"! You'll never get my secret!\\n\");\n    return 0;\n}\n

    Due to how GCC decided to lay out the stack, secret_num is actually at a lower address on the stack than name, so we only have to go to the 7th \"argument\" in printf to leak the secret:

    $ ./fmt_string\n%7$llx\nHello 8badf00d3ea43eef\n! You'll never get my secret!\n
    "}, {"location": "binary-exploitation/what-is-binary-security/", "title": "Binary Security", "text": "

    Binary Security is using tools and methods in order to secure programs from being manipulated and exploited. This tools are not infallible, but when used together and implemented properly, they can raise the difficulty of exploitation greatly.

    Some methods covered include:

    • No eXecute (NX)
    • Address Space Layout Randomization (ASLR)
    • Relocation Read-Only (RELRO)
    • Stack Canaries/Cookies
    "}, {"location": "binary-exploitation/what-is-the-got/", "title": "GOT", "text": "

    The Global Offset Table (or GOT) is a section inside of programs that holds addresses of functions that are dynamically linked. As mentioned in the page on calling conventions, most programs don't include every function they use to reduce binary size. Instead, common functions (like those in libc) are \"linked\" into the program so they can be saved once on disk and reused by every program.

    Unless a program is marked full RELRO, the resolution of function to address in dynamic library is done lazily. All dynamic libraries are loaded into memory along with the main program at launch, however functions are not mapped to their actual code until they're first called. For example, in the following C snippet puts won't be resolved to an address in libc until after it has been called once:

    int main() {\n    puts(\"Hi there!\");\n    puts(\"Ok bye now.\");\n    return 0;\n}\n

    To avoid searching through shared libraries each time a function is called, the result of the lookup is saved into the GOT so future function calls \"short circuit\" straight to their implementation bypassing the dynamic resolver.

    This has two important implications:

    1. The GOT contains pointers to libraries which move around due to ASLR
    2. The GOT is writable

    These two facts will become very useful to use in Return Oriented Programming

    "}, {"location": "binary-exploitation/what-is-the-got/#plt", "title": "PLT", "text": "

    Before a functions address has been resolved, the GOT points to an entry in the Procedure Linkage Table (PLT). This is a small \"stub\" function which is responsible for calling the dynamic linker with (effectively) the name of the function that should be resolved.

    "}, {"location": "binary-exploitation/what-is-the-heap/", "title": "The Heap", "text": "

    The heap is a place in memory which a program can use to dynamically create objects. Creating objects on the heap has some advantages compared to using the stack:

    • Heap allocations can be dynamically sized
    • Heap allocations \"persist\" when a function returns

    There are also some disadvantages however:

    • Heap allocations can be slower
    • Heap allocations must be manually cleaned up
    "}, {"location": "binary-exploitation/what-is-the-heap/#using-the-heap", "title": "Using the heap", "text": "

    In C, there are a number of functions used to interact with the heap, but we're going to focus on the two core ones:

    • malloc: allocate n bytes on the heap
    • free: free the given allocation

    Let's see how these could be used in a program:

    #include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n    unsigned alloc_size = 0;\n    char *stuff;\n\n    printf(\"Number of bytes? \");\n    scanf(\"%u\", &alloc_size);\n\n    stuff = malloc(alloc_size + 1);\n    memset(0, stuff, alloc_size + 1);\n\n    read(0, stuff, alloc_size);\n\n    printf(\"You wrote: %s\", stuff);\n\n    free(stuff);\n\n    return 0;\n}\n

    This program reads in a size from the user, creates an allocation of that size on the heap, reads in that many bytes, then prints it back out to the user.

    "}, {"location": "binary-exploitation/what-is-the-stack/", "title": "The Stack", "text": "

    In computer architecture, the stack is a hardware manifestation of the stack data structure (a Last In, First Out queue).

    In x86, the stack is simply an area in RAM that was chosen to be the stack - there is no special hardware to store stack contents. The esp/rsp register holds the address in memory where the bottom of the stack resides. When something is pushed to the stack, esp decrements by 4 (or 8 on 64-bit x86), and the value that was pushed is stored at that location in memory. Likewise, when a pop instruction is executed, the value at esp is retrieved (i.e. esp is dereferenced), and esp is then incremented by 4 (or 8).

    N.B. The stack \"grows\" down to lower memory addresses!

    Conventionally, ebp/rbp contains the address of the top of the current stack frame, and so sometimes local variables are referenced as an offset relative to ebp rather than an offset to esp. A stack frame is essentially just the space used on the stack by a given function.

    "}, {"location": "binary-exploitation/what-is-the-stack/#uses", "title": "Uses", "text": "

    The stack is primarily used for a few things:

    • Storing function arguments
    • Storing local variables
    • Storing processor state between function calls
    "}, {"location": "binary-exploitation/what-is-the-stack/#example", "title": "Example", "text": "

    Let's see what the stack looks like right after say_hi has been called in this 32-bit x86 C program:

    #include <stdio.h>\n\nvoid say_hi(const char * name) {\n    printf(\"Hello %s!\\n\", name);\n}\n\nint main(int argc, char ** argv) {\n    char * name;\n    if (argc != 2) {\n        return 1;\n    }\n    name = argv[1];\n    say_hi(name);\n    return 0;\n}\n

    And the relevant assembly:

    0804840b <say_hi>:\n 804840b:   55                      push   ebp\n 804840c:   89 e5                   mov    ebp,esp\n 804840e:   83 ec 08                sub    esp,0x8\n 8048411:   83 ec 08                sub    esp,0x8\n 8048414:   ff 75 08                push   DWORD PTR [ebp+0x8]\n 8048417:   68 f0 84 04 08          push   0x80484f0\n 804841c:   e8 bf fe ff ff          call   80482e0 <printf@plt>\n 8048421:   83 c4 10                add    esp,0x10\n 8048424:   90                      nop\n 8048425:   c9                      leave\n 8048426:   c3                      ret\n\n08048427 <main>:\n 8048427:   8d 4c 24 04             lea    ecx,[esp+0x4]\n 804842b:   83 e4 f0                and    esp,0xfffffff0\n 804842e:   ff 71 fc                push   DWORD PTR [ecx-0x4]\n 8048431:   55                      push   ebp\n 8048432:   89 e5                   mov    ebp,esp\n 8048434:   51                      push   ecx\n 8048435:   83 ec 14                sub    esp,0x14\n 8048438:   89 c8                   mov    eax,ecx\n 804843a:   83 38 02                cmp    DWORD PTR [eax],0x2\n 804843d:   74 07                   je     8048446 <main+0x1f>\n 804843f:   b8 01 00 00 00          mov    eax,0x1\n 8048444:   eb 1c                   jmp    8048462 <main+0x3b>\n 8048446:   8b 40 04                mov    eax,DWORD PTR [eax+0x4]\n 8048449:   8b 40 04                mov    eax,DWORD PTR [eax+0x4]\n 804844c:   89 45 f4                mov    DWORD PTR [ebp-0xc],eax\n 804844f:   83 ec 0c                sub    esp,0xc\n 8048452:   ff 75 f4                push   DWORD PTR [ebp-0xc]\n 8048455:   e8 b1 ff ff ff          call   804840b <say_hi>\n 804845a:   83 c4 10                add    esp,0x10\n 804845d:   b8 00 00 00 00          mov    eax,0x0\n 8048462:   8b 4d fc                mov    ecx,DWORD PTR [ebp-0x4]\n 8048465:   c9                      leave\n 8048466:   8d 61 fc                lea    esp,[ecx-0x4]\n 8048469:   c3                      ret\n

    Skipping over the bulk of main, you'll see that at 0x8048452 main's name local is pushed to the stack because it's the first argument to say_hi. Then, a call instruction is executed. call instructions first push the current instruction pointer to the stack, then jump to their destination. So when the processor begins executing say_hi at 0x0804840b, the stack looks like this:

    EIP = 0x0804840b (push ebp)\nESP = 0xffff0000\nEBP = 0xffff002c\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\nESP ->  0xffff0000: 0x0804845a              // Return address for say_hi\n

    The first thing say_hi does is save the current ebp so that when it returns, ebp is back where main expects it to be. The stack now looks like this:

    EIP = 0x0804840c (mov ebp, esp)\nESP = 0xfffefffc\nEBP = 0xffff002c\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\n        0xffff0000: 0x0804845a              // Return address for say_hi\nESP ->  0xfffefffc: 0xffff002c              // Saved EBP\n

    Again, note how esp gets smaller when values are pushed to the stack.

    Next, the current esp is saved into ebp, marking the top of the new stack frame.

    EIP = 0x0804840e (sub esp, 0x8)\nESP = 0xfffefffc\nEBP = 0xfffefffc\n\n            0xffff0004: 0xffffa0a0              // say_hi argument 1\n            0xffff0000: 0x0804845a              // Return address for say_hi\nESP, EBP -> 0xfffefffc: 0xffff002c              // Saved EBP\n

    Then, the stack is \"grown\" to accommodate local variables inside say_hi.

    EIP = 0x08048414 (push [ebp + 0x8])\nESP = 0xfffeffec\nEBP = 0xfffefffc\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\n        0xffff0000: 0x0804845a              // Return address for say_hi\nEBP ->  0xfffefffc: 0xffff002c              // Saved EBP\n        0xfffefff8: UNDEFINED\n        0xfffefff4: UNDEFINED\n        0xfffefff0: UNDEFINED\nESP ->  0xfffefffc: UNDEFINED\n

    NOTE: stack space is not implictly cleared!

    Now, the 2 arguments to printf are pushed in reverse order.

    EIP = 0x0804841c (call printf@plt)\nESP = 0xfffeffe4\nEBP = 0xfffefffc\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\n        0xffff0000: 0x0804845a              // Return address for say_hi\nEBP ->  0xfffefffc: 0xffff002c              // Saved EBP\n        0xfffefff8: UNDEFINED\n        0xfffefff4: UNDEFINED\n        0xfffefff0: UNDEFINED\n        0xfffeffec: UNDEFINED\n        0xfffeffe8: 0xffffa0a0              // printf argument 2\nESP ->  0xfffeffe4: 0x080484f0              // printf argument 1\n

    Finally, printf is called, which pushes the address of the next instruction to execute.

    EIP = 0x080482e0\nESP = 0xfffeffe4\nEBP = 0xfffefffc\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\n        0xffff0000: 0x0804845a              // Return address for say_hi\nEBP ->  0xfffefffc: 0xffff002c              // Saved EBP\n        0xfffefff8: UNDEFINED\n        0xfffefff4: UNDEFINED\n        0xfffefff0: UNDEFINED\n        0xfffeffec: UNDEFINED\n        0xfffeffe8: 0xffffa0a0              // printf argument 2\n        0xfffeffe4: 0x080484f0              // printf argument 1\nESP ->  0xfffeffe0: 0x08048421              // Return address for printf\n

    Once printf has returned, the leave instruction moves ebp into esp, and pops the saved EBP.

    EIP = 0x08048426 (ret)\nESP = 0xfffefffc\nEBP = 0xffff002c\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\nESP ->  0xffff0000: 0x0804845a              // Return address for say_hi\n

    And finally, ret pops the saved instruction pointer into eip which causes the program to return to main with the same esp, ebp, and stack contents as when say_hi was initially called.

    EIP = 0x0804845a (add esp, 0x10)\nESP = 0xffff0000\nEBP = 0xffff002c\n\nESP ->  0xffff0004: 0xffffa0a0              // say_hi argument 1\n
    "}, {"location": "cryptography/overview/", "title": "Overview", "text": ""}, {"location": "cryptography/overview/#cryptography", "title": "Cryptography", "text": "

    Cryptography is the reason we can use banking apps, transmit sensitive information over the web, and in general protect our privacy. However, a large part of CTFs is breaking widely used encryption schemes which are improperly implemented. The math may seem daunting, but more often than not, a simple understanding of the underlying principles will allow you to find flaws and crack the code.

    The word \u201ccryptography\u201d technically means the art of writing codes. When it comes to digital forensics, it\u2019s a method you can use to understand how data is constructed for your analysis.

    "}, {"location": "cryptography/overview/#what-is-cryptography-used-for", "title": "What is cryptography used for?", "text": "

    Uses in every day software

    • Securing web traffic (passwords, communication, etc.)
    • Securing copyrighted software code

    Malicious uses

    • Hiding malicious communication
    • Hiding malicious code
    "}, {"location": "cryptography/overview/#topics", "title": "Topics", "text": "
    • XOR
    • Cesear Cipher
    • Substitution Cipher
    • Vigenere Cipher
    • Hashing Functions
    • Block Ciphers
    • Stream Ciphers
    • RSA
    "}, {"location": "cryptography/what-are-block-ciphers/", "title": "Block Ciphers", "text": "

    A Block Cipher is an algorithm which is used in conjunction with a cryptosystem in order to package a message into evenly distributed 'blocks' which are encrypted one at a time.

    "}, {"location": "cryptography/what-are-block-ciphers/#definitions", "title": "Definitions", "text": "
    • Mode of Operation: How a block cipher is applied to an amount of data which exceeds a block's size
    • Initialization Vector (IV): A sequence of bytes which is used to randomize encryption even if the same plaintext is encrypted
    • Starting Variable (SV): Similar to the IV, except it is used during the first block to provide a random seed during encryption
    • Padding: Padding is used to ensure that the block sizes all line up and ensure the last block fits the block cipher
    • Plaintext: Unencrypted text; Data without obfuscation
    • Key: A secret used to encrypt plaintext
    • Ciphertext: Plaintext encrypted with a key
    "}, {"location": "cryptography/what-are-block-ciphers/#common-block-ciphers", "title": "Common Block Ciphers", "text": "Mode Formulas Ciphertext ECB Y~i~ = F(PlainText~i~, Key) Y~i~ CBC Y~i~ = PlainText~i~ XOR Ciphertext~i-1~ F(Y, key); Ciphertext~0~ = IV PCBC Y~i~ = PlainText~i~ XOR (Ciphertext~i-1~ XOR PlainText~i-1~) F(Y, key); Ciphertext~0~ = IV CFB Y~i~ = Ciphertext~i-1~ Plaintext XOR F(Y, key); Ciphertext~0~ = IV OFB Y~i~ = F(Key, I~i-1~);Y~0~=IV Plaintext XOR Y~i~ CTR Y~i~ = F(Key, IV + g(i));IV = token(); Plaintext XOR Y~i~

    Note

    In this case ~i~ represents an index over the # of blocks in the plaintext. F() and g() represent the function used to convert plaintext into ciphertext.

    "}, {"location": "cryptography/what-are-block-ciphers/#electronic-codebook-ecb", "title": "Electronic Codebook (ECB)", "text": "

    ECB is the most basic block cipher, it simply chunks up plaintext into blocks and independently encrypts those blocks and chains them all into a ciphertext.

    "}, {"location": "cryptography/what-are-block-ciphers/#flaws", "title": "Flaws", "text": "

    Because ECB independently encrypts the blocks, patterns in data can still be seen clearly, as shown in the CBC Penguin image below.

    Original Image ECB Image Other Block Cipher Modes"}, {"location": "cryptography/what-are-block-ciphers/#cipher-block-chaining-cbc", "title": "Cipher Block Chaining (CBC)", "text": "

    CBC is an improvement upon ECB where an Initialization Vector is used in order to add randomness. The encrypted previous block is used as the IV for each sequential block meaning that the encryption process cannot be parallelized. CBC has been declining in popularity due to a variety of

    Note

    Even though the encryption process cannot be parallelized, the decryption process can be parallelized. If the wrong IV is used for decryption it will only affect the first block as the decryption of all other blocks depends on the ciphertext not the plaintext.

    "}, {"location": "cryptography/what-are-block-ciphers/#propogating-cipher-block-chaining-pcbc", "title": "Propogating Cipher Block Chaining (PCBC)", "text": "

    PCBC is a less used cipher which modifies CBC so that decryption is also not parallelizable. It also cannot be decrypted from any point as changes made during the decryption and encryption process \"propogate\" throughout the blocks, meaning that both the plaintext and ciphertext are used when encrypting or decrypting as seen in the images below.

    "}, {"location": "cryptography/what-are-block-ciphers/#counter-ctr", "title": "Counter (CTR)", "text": "

    Note

    Counter is also known as CM, integer counter mode (ICM), and segmented integer counter (SIC)

    CTR mode makes the block cipher similar to a stream cipher and it functions by adding a counter with each block in combination with a nonce and key to XOR the plaintext to produce the ciphertext. Similarly, the decryption process is the exact same except instead of XORing the plaintext, the ciphertext is XORed. This means that the process is parallelizable for both encryption and decryption and you can begin from anywhere as the counter for any block can be deduced easily.

    "}, {"location": "cryptography/what-are-block-ciphers/#security-considerations", "title": "Security Considerations", "text": "

    If the nonce chosen is non-random, it is important to concatonate the nonce with the counter (high 64 bits to the nonce, low 64 bits to the counter) as adding or XORing the nonce with the counter would break security as an attacker can cause a collisions with the nonce and counter. An attacker with access to providing a plaintext, nonce and counter can then decrypt a block by using the ciphertext as seen in the decryption image.

    "}, {"location": "cryptography/what-are-block-ciphers/#padding-oracle-attack", "title": "Padding Oracle Attack", "text": "

    A Padding Oracle Attack sounds complex, but essentially means abusing a block cipher by changing the length of input and being able to determine the plaintext.

    "}, {"location": "cryptography/what-are-block-ciphers/#requirements", "title": "Requirements", "text": "
    • An oracle, or program, which encrypts data using CBC
    • Continual use of the same key
    "}, {"location": "cryptography/what-are-block-ciphers/#execution", "title": "Execution", "text": "
    1. If we have two blocks of ciphertext, C~1~ and C~2~, we can get the plaintext P~2~
    2. Since we know that CBC decryptionis dependent on the prior ciphertext, if we change the last byte of C~1~ we can see if C~2~ has correct padding
    3. If it is correctly padded we know that the last byte of the plaintext
    4. If not, we can increase our byte by one and repeat until we have a successful padding
    5. We then repeat this for all successive bytes following C~1~ and if the block is 16 bytes we can expect a maximum of 4080 attempts which is trivial
    "}, {"location": "cryptography/what-are-hashing-functions/", "title": "Hashing Functions", "text": "

    Hashing functions are one way functions which theoretically provide a unique output for every input. MD5, SHA-1, and other hashes which were considered secure are now found to have collisions or two different pieces of data which produce the same supposed unique output.

    "}, {"location": "cryptography/what-are-hashing-functions/#string-hashing", "title": "String Hashing", "text": "

    A string hash is a number or string generated using an algorithm that runs on text or data.

    The idea is that each hash should be unique to the text or data (although sometimes it isn\u2019t). For example, the hash for \u201cdog\u201d should be different from other hashes.

    You can use command line tools tools or online resources such as this one. Example: $ echo -n password | md5 5f4dcc3b5aa765d61d8327deb882cf99 Here, \u201cpassword\u201d is hashed with different hashing algorithms:

    • SHA-1: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    • SHA-2: 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
    • MD5: 5F4DCC3B5AA765D61D8327DEB882CF99
    • CRC32: BBEDA74F

    Generally, when verifying a hash visually, you can simply look at the first and last four characters of the string.

    "}, {"location": "cryptography/what-are-hashing-functions/#file-hashing", "title": "File Hashing", "text": "

    A file hash is a number or string generated using an algorithm that is run on text or data. The premise is that it should be unique to the text or data. If the file or text changes in any way, the hash will change.

    What is it used for? - File and data identification - Password/certificate storage comparison

    How can we determine the hash of a file? You can use the md5sum command (or similar).

    $ md5sum samplefile.txt\n3b85ec9ab2984b91070128be6aae25eb samplefile.txt\n
    "}, {"location": "cryptography/what-are-hashing-functions/#hash-collisions", "title": "Hash Collisions", "text": "

    A collision is when two pieces of data or text have the same cryptographic hash. This is very rare.

    What\u2019s significant about collisions is that they can be used to crack password hashes. Passwords are usually stored as hashes on a computer, since it\u2019s hard to get the passwords from hashes.

    If you bruteforce by trying every possible piece of text or data, eventually you\u2019ll find something with the same hash. Enter it, and the computer accepts it as if you entered the actual password.

    Two different files on the same hard drive with the same cryptographic hash can be very interesting.

    \u201cIt\u2019s now well-known that the cryptographic hash function MD5 has been broken,\u201d said Peter Selinger of Dalhousie University. \u201cIn March 2005, Xiaoyun Wang and Hongbo Yu of Shandong University in China published an article in which they described an algorithm that can find two different sequences of 128 bytes with the same MD5 hash.\u201d

    For example, he cited this famous pair:

    and

    Each of these blocks has MD5 hash 79054025255fb1a26e4bc422aef54eb4.

    Selinger said that \u201cthe algorithm of Wang and Yu can be used to create files of arbitrary length that have identical MD5 hashes, and that differ only in 128 bytes somewhere in the middle of the file. Several people have used this technique to create pairs of interesting files with identical MD5 hashes.\u201d

    Ben Laurie has a nice website that visualizes this MD5 collision. For a non-technical, though slightly outdated, introduction to hash functions, see Steve Friedl\u2019s Illustrated Guide. And here\u2019s a good article from DFI News that explores the same topic.

    "}, {"location": "cryptography/what-are-stream-ciphers/", "title": "Stream Ciphers", "text": "

    A Stream Cipher is used for symmetric key cryptography, or when the same key is used to encrypt and decrypt data. Stream Ciphers encrypt pseudorandom sequences with bits of plaintext in order to generate ciphertext, usually with XOR. A good way to think about Stream Ciphers is to think of them as generating one-time pads from a given state.

    "}, {"location": "cryptography/what-are-stream-ciphers/#definitions", "title": "Definitions", "text": "
    • A keystream is a sequence of pseudorandom digits which extend to the length of the plaintext in order to uniquely encrypt each character based on the corresponding digit in the keystream
    "}, {"location": "cryptography/what-are-stream-ciphers/#one-time-pads", "title": "One Time Pads", "text": "

    A one time pad is an encryption mechanism whereby the entire plaintext is XOR'd with a random sequence of numbers in order to generate a random ciphertext. The advantage of the one time pad is that it offers an immense amount of security BUT in order for it to be useful, the randomly generated key must be distributed on a separate secure channel, meaning that one time pads have little use in modern day cryptographic applications on the internet. Stream ciphers extend upon this idea by using a key, usually 128 bit in length, in order to seed a pseudorandom keystream which is used to encrypt the text.

    "}, {"location": "cryptography/what-are-stream-ciphers/#types-of-stream-ciphers", "title": "Types of Stream Ciphers", "text": ""}, {"location": "cryptography/what-are-stream-ciphers/#synchronous-stream-ciphers", "title": "Synchronous Stream Ciphers", "text": "

    A Synchronous Stream Cipher generates a keystream based on internal states not related to the plaintext or ciphertext. This means that the stream is generated pseudorandomly outside of the context of what is being encrypted. A binary additive stream cipher is the term used for a stream cipher which XOR's the bits with the bits of the plaintext. Encryption and decryption require that the synchronus state cipher be in the same state, otherwise the message cannot be decrypted.

    "}, {"location": "cryptography/what-are-stream-ciphers/#self-synchronizing-stream-ciphers", "title": "Self-synchronizing Stream Ciphers", "text": "

    A Self-synchronizing Stream Cipher, also known as an asynchronous stream cipher or ciphertext autokey (CTAK), is a stream cipher which uses the previous N digits in order to compute the keystream used for the next N characters.

    Note

    Seems a lot like block ciphers doesn't it? That's because block cipher feedback mode (CFB) is an example of a self-synchronizing stream ciphers.

    "}, {"location": "cryptography/what-are-stream-ciphers/#stream-cipher-vulnerabilities", "title": "Stream Cipher Vulnerabilities", "text": ""}, {"location": "cryptography/what-are-stream-ciphers/#key-reuse", "title": "Key Reuse", "text": "

    The key tenet of using stream ciphers securely is to NEVER repeat key use because of the communative property of XOR. If C~1~ and C~2~ have been XOR'd with a key K, retrieving that key K is trivial because C~1~ XOR C~2~ = P~1~ XOR P~2~ and having an english language based XOR means that cryptoanalysis tools such as a character frequency analysis will work well due to the low entropy of the english language.

    "}, {"location": "cryptography/what-are-stream-ciphers/#bit-flipping-attack", "title": "Bit-flipping Attack", "text": "

    Another key tenet of using stream ciphers securely is considering that just because a message has been decrypted, it does not mean the message has not been tampered with. Because decryption is based on state, if an attacker knows the layout of the plaintext, a Man in the Middle (MITM) attack can flip a bit during transit altering the underlying ciphertext. If a ciphertext decrypts to 'Transfer $1000', then a middleman can flip a single bit in order for the ciphertext to decrypt to 'Transfer $9000' because changing a single character in the ciphertext does not affect the state in a synchronus stream cipher.

    "}, {"location": "cryptography/what-is-a-substitution-cipher/", "title": "Substitution Cipher", "text": "

    A Substitution Cipher is system of encryption where different symobls substitute a normal alphabet.

    "}, {"location": "cryptography/what-is-a-vigenere-cipher/", "title": "Vigenere Cipher", "text": "

    A Vigenere Cipher is an extended Caesar Cipher where a message is encrypted using various Caesar shifted alphabets.

    The following table can be used to encode a message:

    "}, {"location": "cryptography/what-is-a-vigenere-cipher/#encryption", "title": "Encryption", "text": "

    For example, encrypting the text SUPERSECRET with CODE would follow this process:

    1. CODE gets padded to the length of SUPERSECRET so the key becomes CODECODECOD
    2. For each letter in SUPERSECRET we use the table to get the Alphabet to use, in this instance row C and column S
    3. The ciphertext's first letter then becomes U
    4. We eventually get UISITGHGTSW
    "}, {"location": "cryptography/what-is-a-vigenere-cipher/#decryption", "title": "Decryption", "text": "
    1. Go to the row of the key, in this case C
    2. Find the letter of the cipher text in this row, in this case U
    3. The column is the first letter of the decrypted ciphertext, so we get S
    4. After repeating this process we get back to SUPERSECRET
    "}, {"location": "cryptography/what-is-caesar-cipher-rot-13/", "title": "Caesar Cipher/ROT 13", "text": "

    The Caesar Cipher or Caesar Shift is a cipher which uses the alphabet in order to encode texts.

    CAESAR encoded with a shift of 8 is KIMAIZ so ABCDEFGHIJKLMNOPQRSTUVWXYZ becomes IJKLMNOPQRSTUVWXYZABCDEFGH

    ROT13 is the same thing but a fixed shift of 13, this is a trivial cipher to bruteforce because there are only 25 shifts.

    "}, {"location": "cryptography/what-is-rsa/", "title": "RSA", "text": "

    RSA, which is an abbreviation of the author's names (Rivest\u2013Shamir\u2013Adleman), is a cryptosystem which allows for asymmetric encryption. Asymmetric cryptosystems are alos commonly referred to as Public Key Cryptography where a public key is used to encrypt data and only a secret, private key can be used to decrypt the data.

    "}, {"location": "cryptography/what-is-rsa/#definitions", "title": "Definitions", "text": "
    • The Public Key is made up of (n, e)
    • The Private Key is made up of (n, d)
    • The message is represented as m and is converted into a number
    • The encrypted message or ciphertext is represented by c
    • p and q are prime numbers which make up n
    • e is the public exponent
    • n is the modulus and its length in bits is the bit length (i.e. 1024 bit RSA)
    • d is the private exponent
    • The totient \u03bb(n) is used to compute d and is equal to the lcm(p-1, q-1), another definition for \u03bb(n) is that \u03bb(pq) = lcm(\u03bb(p), \u03bb(q))
    "}, {"location": "cryptography/what-is-rsa/#what-makes-rsa-viable", "title": "What makes RSA viable?", "text": "

    If public n, public e, private d are all very large numbers and a message m holds true for 0 < m < n, then we can say:

    (m^e^)^d^ \u2261 m (mod n)

    Note

    The triple equals sign in this case refers to modular congruence which in this case means that there exists an integer k such that (m^e^)^d^ = kn + m

    RSA is viable because it is incredibly hard to find d even with m, n, and e because factoring large numbers is an arduous process.

    "}, {"location": "cryptography/what-is-rsa/#implementation", "title": "Implementation", "text": "

    RSA follows 4 steps to be implemented: 1. Key Generation 2. Encryption 3. Decryption

    "}, {"location": "cryptography/what-is-rsa/#key-generation", "title": "Key Generation", "text": "

    We are going to follow along Wikipedia's small numbers example in order to make this idea a bit easier to understand.

    Note

    In This example we are using Carmichael's totient function where \u03bb(n) = lcm(\u03bb(p), \u03bb(q)), but Euler's totient function is perfectly valid to use with RSA. Euler's totient is \u03c6(n) = (p \u2212 1)(q \u2212 1)

    1. Choose two prime numbers such as:
      • p = 61 and q = 53
    2. Find n:
      • n = pq = 3233
    3. Calculate \u03bb(n) = lcm(p-1, q-1)

      • \u03bb(3233) = lcm(60, 52) = 780
    4. Choose a public exponent such that 1 < e < \u03bb(n) and is coprime (not a factor of) \u03bb(n). The standard is most cases is 65537, but we will be using:

      • e = 17
    5. Calculate d as the modular multiplicative inverse or in english find d such that: d x e mod \u03bb(n) = 1
      • d x 17 mod 780 = 1
      • d = 413

    Now we have a public key of (3233, 17) and a private key of (3233, 413)

    "}, {"location": "cryptography/what-is-rsa/#encryption", "title": "Encryption", "text": "

    With the public key, m can be encrypted trivially

    The ciphertext is equal to m^e^ mod n or:

    c = m^17^ mod 3233

    "}, {"location": "cryptography/what-is-rsa/#decryption", "title": "Decryption", "text": "

    With the private key, m can be decrypted trivially as well

    The plaintext is equal to c^d^ mod n or:

    m = c^413^ mod 3233

    "}, {"location": "cryptography/what-is-rsa/#exploitation", "title": "Exploitation", "text": "

    From the RsaCtfTool README

    Attacks:

    • Weak public key factorization
    • Wiener's attack
    • Hastad's attack (Small public exponent attack)
    • Small q (q < 100,000)
    • Common factor between ciphertext and modulus attack
    • Fermat's factorisation for close p and q
    • Gimmicky Primes method
    • Past CTF Primes method
    • Self-Initializing Quadratic Sieve (SIQS) using Yafu
    • Common factor attacks across multiple keys
    • Small fractions method when p/q is close to a small fraction
    • Boneh Durfee Method when the private exponent d is too small compared to the modulus (i.e d < n^0.292^)
    • Elliptic Curve Method
    • Pollards p-1 for relatively smooth numbers
    • Mersenne primes factorization
    "}, {"location": "cryptography/what-is-xor/", "title": "XOR", "text": ""}, {"location": "cryptography/what-is-xor/#data-representation", "title": "Data Representation", "text": "

    Data can be represented in different bases, an 'A' needs to be a numerical representation of Base 2 or binary so computers can understand them

    "}, {"location": "cryptography/what-is-xor/#xor-basics", "title": "XOR Basics", "text": "

    An XOR or eXclusive OR is a bitwise operation indicated by ^ and shown by the following truth table:

    A B A ^ B 0 0 0 0 1 1 1 0 1 1 1 0

    So what XOR'ing bytes in the action 0xA0 ^ 0x2C translates to is:

    1 0 1 0 0 0 0 0 0 0 1 0 1 1 0 0 1 0 0 0 1 1 0 0

    0b10001100 is equivelent to 0x8C, a cool property of XOR is that it is reversable meaning 0x8C ^ 0x2C = 0xA0 and 0x8C ^ 0xA0 = 0x2C

    "}, {"location": "cryptography/what-is-xor/#what-does-this-have-to-do-with-ctf", "title": "What does this have to do with CTF?", "text": "

    XOR is a cheap way to encrypt data with a password. Any data can be encrypted using XOR as shown in this Python example:

    >>> data = 'CAPTURETHEFLAG'\n>>> key = 'A'\n>>> encrypted = ''.join([chr(ord(x) ^ ord(key)) for x in data])\n>>> encrypted\n'\\x02\\x00\\x11\\x15\\x14\\x13\\x04\\x15\\t\\x04\\x07\\r\\x00\\x06'\n>>> decrypted = ''.join([chr(ord(x) ^ ord(key)) for x in encrypted])\n>>> decrypted\n'CAPTURETHEFLAG'\n

    This can be extended using a multibyte key by iterating in parallel with the data.

    "}, {"location": "cryptography/what-is-xor/#exploiting-xor-encryption", "title": "Exploiting XOR Encryption", "text": ""}, {"location": "cryptography/what-is-xor/#single-byte-xor-encryption", "title": "Single Byte XOR Encryption", "text": "

    Single Byte XOR Encryption is trivial to bruteforce as there are only 255 key combinations to try.

    "}, {"location": "cryptography/what-is-xor/#multibyte-xor-encryption", "title": "Multibyte XOR Encryption", "text": "

    Multibyte XOR gets exponentially harder the longer the key, but if the encrypted text is long enough, character frequency analysis is a viable method to find the key. Character Frequency Analysis means that we split the cipher text into groups based on the number of characters in the key. These groups then are bruteforced using the idea that some letters appear more frequently in the english alphabet than others.

    "}, {"location": "forensics/overview/", "title": "Forensics", "text": "

    Forensics is the art of recovering the digital trail left on a computer. There are plenty of methods to find data which is seemingly deleted, not stored, or worse, covertly recorded.

    An important part of forensics is having the right tools, as well as being familiar with the following topics:

    • File Formats
    • EXIF data
    • Wireshark & PCAPs
      • What is Wireshark
    • Stegonagraphy
    • Disk Imaging
    "}, {"location": "forensics/what-are-file-formats/", "title": "File Formats", "text": "

    File Extensions are not the sole way to identify the type of a file, files have certain leading bytes called file signatures which allow programs to parse the data in a consistent manner. Files can also contain additional \"hidden\" data called metadata which can be useful in finding out information about the context of a file's data.

    "}, {"location": "forensics/what-are-file-formats/#file-signatures", "title": "File Signatures", "text": "

    File signatures (also known as File Magic Numbers) are bytes within a file used to identify the format of the file. Generally they\u2019re 2-4 bytes long, found at the beginning of a file.

    "}, {"location": "forensics/what-are-file-formats/#what-is-it-used-for", "title": "What is it used for?", "text": "

    Files can sometimes come without an extension, or with incorrect ones. We use file signature analysis to identify the format (file type) of the file. Programs need to know the file type in order to open it properly.

    "}, {"location": "forensics/what-are-file-formats/#how-do-you-find-the-file-signature", "title": "How do you find the file signature?", "text": "

    You need to be able to look at the binary data that constitutes the file you\u2019re examining. To do this, you\u2019ll use a hexadecimal editor. Once you find the file signature, you can check it against file signature repositories such as Gary Kessler\u2019s.

    "}, {"location": "forensics/what-are-file-formats/#example", "title": "Example", "text": "

    The file above, when opened in a Hex Editor, begins with the bytes FFD8FFE0 00104A46 494600 or in ASCII \u02c7\u00ff\u02c7\u2021 JFIF where \\x00 and \\x10 lack symbols.

    Searching in Gary Kessler\u2019s database shows that this file signature belongs to a JPEG/JFIF graphics file, exactly what we suspect.

    "}, {"location": "forensics/what-is-a-hex-editor/", "title": "Hex Editor", "text": "

    A hexadecimal (hex) editor (also called a binary file editor or byte editor) is a computer program you can use to manipulate the fundamental binary data that constitutes a computer file. The name \u201chex\u201d comes from \u201chexadecimal,\u201d a standard numerical format for representing binary data. A typical computer file occupies multiple areas on the platter(s) of a disk drive, whose contents are combined to form the file. Hex editors that are designed to parse and edit sector data from the physical segments of floppy or hard disks are sometimes called sector editors or disk editors. A hex editor is used to see or edit the raw, exact contents of a file. Hex editors may used to correct data corrupted by a system or application. A list of editors can be found on the forensics Wiki. You can download one and install it on your system.

    "}, {"location": "forensics/what-is-a-hex-editor/#example", "title": "Example", "text": "

    Open fileA.jpg in a hex editor. (Most Hex editors have either a \u201cFile > Open\u201d option or a simple drag and drop.)

    When you open fileA.jpg in your hex editor, you should see something similar to this:

    Your hex editor should also have a \u201cgo to\u201d or \u201cfind\u201d feature so you can jump to a specific byte.

    "}, {"location": "forensics/what-is-disk-imaging/", "title": "Disk Imaging", "text": "

    A forensic image is an electronic copy of a drive (e.g. a hard drive, USB, etc.). It\u2019s a bit-by-\u00adbit or bitstream file that\u2019s an exact, unaltered copy of the media being duplicated.

    Wikipedia said that the most straight\u00adforward disk imaging method is to read a disk from start to finish and write the data to a forensics image format. \u201cThis can be a time-consuming process, especially for disks with a large capacity,\u201d Wikipedia said.

    To prevent write access to the disk, you can use a write blocker. It\u2019s also common to calculate a cryptographic hash of the entire disk when imaging it. \u201cCommonly-used cryptographic hashes are MD5, SHA1 and/or SHA256,\u201d said Wikipedia. \u201cBy recalculating the integrity hash at a later time, one can determine if the data in the disk image has been changed. This by itself provides no protection against intentional tampering, but it can indicate that the data was altered, e.g. due to corruption.\u201d

    Why image a disk? Forensic imaging: - Prevents tampering with the original data\u00ad evidence - Allows you to play around with the copy, without worrying about messing up the original

    "}, {"location": "forensics/what-is-disk-imaging/#forensic-image-extraction-exmple", "title": "Forensic Image Extraction Exmple", "text": "

    This example uses the tool AccessData FTK Imager.

    Step 1: Go to File > Create Disk Image

    Step 2: Select Physical Drive, because the USB or hard drive you\u2019re imaging is a physical device or drive.

    Step 3: Select the drive you\u2019re imaging. The 1000 GB is my computer hard drive; the 128 MB is the USB that I want to image.

    Step 4: Add a new image destination

    Step 5: Select whichever image type you want. Choose Raw (dd) if you\u2019re a beginner, since it\u2019s the most common type

    Step 6: Fill in all the evidence information

    Step 7: Choose where you want to store it

    Step 8: The image destination has been added. Now you can start the image extraction

    Step 9: Wait for the image to be extracted

    Step 10: This is the completed extraction

    Step 11: Add the image you just created so that you can view it

    Step 12: This time, choose image file, since that\u2019s what you just created

    Step 13: Enter the path of the image you just created

    Step 14: View the image.

    1. Evidence tree Structure of the drive image
    2. File list List of all the files in the drive image folder
    3. Properties Properties of the file/folder being examined
    4. Hex viewer View of the drive/folders/files in hexadecimal

    Step 15: To view files in the USB, go to Partition 1 > [USB name] > [root] in the Evidence Tree and look in the File List

    Step 16: Selecting fileA, fileB, fileC, or fileD gives us some properties of the files & a preview of each photo

    Step 17: Extract files of interest for further analysis by selecting, right-clicking and choosing Export Files

    "}, {"location": "forensics/what-is-memory-forensics/", "title": "Memory Forensics", "text": "

    There are plenty of traces of someone's activity on a computer, but perhaps some of the most valuble information can be found within memory dumps, that is images taken of RAM. These dumps of data are often very large, but can be analyzed using a tool called Volatility

    "}, {"location": "forensics/what-is-memory-forensics/#volatility-basics", "title": "Volatility Basics", "text": "

    Memory forensics isn't all that complicated, the hardest part would be using your toolset correctly. A good workflow is as follows:

    1. Run strings for clues
    2. Identify the image profile (which OS, version, etc.)
    3. Dump processes and look for suspicious processes
    4. Dump data related interesting processes
    5. View data in a format relating to the process (Word: docx, Notepad: txt, Photoshop: psd, etc.)
    "}, {"location": "forensics/what-is-memory-forensics/#profile-identification", "title": "Profile Identification", "text": "

    In order to properly use Volatility you must supply a profile with --profile=PROFILE, therefore before any sleuthing, you need to determine the profile using imageinfo:

    $ python vol.py -f ~/image.raw imageinfo\nVolatility Foundation Volatility Framework 2.4\nDetermining profile based on KDBG search...\n\n          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64\n                     AS Layer1 : AMD64PagedMemory (Kernel AS)\n                     AS Layer2 : FileAddressSpace (/Users/Michael/Desktop/win7_trial_64bit.raw)\n                      PAE type : PAE\n                           DTB : 0x187000L\n                          KDBG : 0xf80002803070\n          Number of Processors : 1\n     Image Type (Service Pack) : 0\n                KPCR for CPU 0 : 0xfffff80002804d00L\n             KUSER_SHARED_DATA : 0xfffff78000000000L\n           Image date and time : 2012-02-22 11:29:02 UTC+0000\n     Image local date and time : 2012-02-22 03:29:02 -0800\n
    "}, {"location": "forensics/what-is-memory-forensics/#dump-processes", "title": "Dump Processes", "text": "

    In order to view processes, the pslist or pstree or psscan command can be used.

    $ python vol.py -f ~/image.raw pslist --profile=Win7SP0x64 pstree\nVolatility Foundation Volatility Framework 2.5\nOffset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit\n------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------\n0xffffa0ee12532180 System                    4      0    108        0 ------      0 2018-04-22 20:02:33 UTC+0000\n0xffffa0ee1389d040 smss.exe                232      4      3        0 ------      0 2018-04-22 20:02:33 UTC+0000\n...\n0xffffa0ee128c6780 VBoxTray.exe           3324   1123     10        0      1      0 2018-04-22 20:02:55 UTC+0000\n0xffffa0ee14108780 OneDrive.exe           1422   1123     10        0      1      1 2018-04-22 20:02:55 UTC+0000\n0xffffa0ee14ade080 svchost.exe             228    121      1        0      1      0 2018-04-22 20:14:43 UTC+0000\n0xffffa0ee1122b080 notepad.exe            2019   1123      1        0      1      0 2018-04-22 20:14:49 UTC+0000\n
    "}, {"location": "forensics/what-is-memory-forensics/#process-memory-dump", "title": "Process Memory Dump", "text": "

    Dumping the memory of a process can prove to be fruitful, say we want to dump the data from notepad.exe:

    $ python vol.py -f ~/image.raw --profile=Win7SP0x64 memdump -p 2019 -D dump/\nVolatility Foundation Volatility Framework 2.4\n************************************************************************\nWriting System [     2019] to 2019.dmp\n\n$ ls -alh dump/2019.dmp\n-rw-r--r--  1 user  staff   111M Apr 22 20:47 dump/2019.dmp\n
    "}, {"location": "forensics/what-is-memory-forensics/#other-useful-commands", "title": "Other Useful Commands", "text": "

    There are plenty of commands that Volatility offers but some highlights include:

    • $ python vol.py -f IMAGE --profile=PROFILE connections: view network connections
    • $ python vol.py -f IMAGE --profile=PROFILE cmdscan: view commands that were run in cmd prompt
    "}, {"location": "forensics/what-is-metadata/", "title": "Metadata", "text": "

    Metadata is data about data. Different types of files have different metadata. The metadata on a photo could include dates, camera information, GPS location, comments, etc. For music, it could include the title, author, track number and album.

    "}, {"location": "forensics/what-is-metadata/#what-kind-of-file-metadata-is-useful", "title": "What kind of file metadata is useful?", "text": "

    Potentially, any file metadata you can find could be useful.

    "}, {"location": "forensics/what-is-metadata/#how-do-i-find-it", "title": "How do I find it?", "text": "

    Note

    EXIF Data is metadata attached to photos which can include location, time, and device information.

    One of our favorite tools is exiftool, which displays metadata for an input file, including: - File size - Dimensions (width and height) - File type - Programs used to create (e.g. Photoshop) - OS used to create (e.g. Apple)

    Run command line: exiftool(-k).exe [filename] and you should see something like this:

    "}, {"location": "forensics/what-is-metadata/#example", "title": "Example", "text": "

    Let's take a look at File A's metadata with exiftool:

    File type

    Image description

    Make and camera info

    GPS Latitude/Longitude

    "}, {"location": "forensics/what-is-metadata/#timestamps", "title": "Timestamps", "text": "

    Timestamps are data that indicate the time of certain events (MAC): - Modification \u2013 when a file was modified - Access \u2013 when a file or entries were read or accessed - Creation \u2013 when files or entries were created

    "}, {"location": "forensics/what-is-metadata/#types-of-timestamps", "title": "Types of timestamps", "text": "
    • Modified
    • Accessed
    • Created
    • Date Changed (MFT)
    • Filename Date Created (MFT)
    • Filename Date Modified (MFT)
    • Filename Date Accessed (MFT)
    • INDX Entry Date Created
    • INDX Entry Date Modified
    • INDX Entry Date Accessed
    • INDX Entry Date Changed
    "}, {"location": "forensics/what-is-metadata/#why-do-we-care", "title": "Why do we care?", "text": "

    Certain events such as creating, moving, copying, opening, editing, etc. might affect the MAC times. If the MAC timestamps can be attained, a timeline of events could be created.

    "}, {"location": "forensics/what-is-metadata/#timeline-patterns", "title": "Timeline Patterns", "text": "

    There are plenty more patterns than the ones introduced below, but these are the basics you should start with to get a good understanding of how it works, and to complete this challenge.

    "}, {"location": "forensics/what-is-metadata/#examples", "title": "Examples", "text": "

    We know that the BMP files fileA and fileD are the same, but that the JPEG files fileB and fileC are different somehow. So how can we find out what went on with these files?

    By using time stamp information from the file system, we can learn that the BMP fileD was the original file, with fileA being a copy of the original. Afterward, fileB was created by modifying fileB, and fileC was created by modifying fileA in a different way.

    Follow along as we demonstrate.

    We\u2019ll start by analyzing images in AccessData FTK Imager, where there\u2019s a Properties window that shows you some information about the file or folder you\u2019ve selected.

    Here are the extracted MAC times for fileA, fileB, fileC and fileD: Note, AccessData FTK Imager assumes that the file times on the drive are in UTC (Universal Coordinated Time). I subtracted four hours, since the USB was set up in Eastern Standard Time. This isn\u2019t necessary, but it helps me understand the times a bit better.

    Highlight timestamps that are the same, if timestamps are off by a few seconds, they should be counted as the same. This lets you see a clear difference between different timestamps. Then, highlight oldest to newest to help put them in order.

    Identify timestamp patterns.

    "}, {"location": "forensics/what-is-stegonagraphy/", "title": "Steganography", "text": "

    Steganography is the practice of hiding data in plain sight. Steganography is often embedded in images or audio.

    You could send a picture of a cat to a friend and hide text inside. Looking at the image, there\u2019s nothing to make anyone think there\u2019s a message hidden inside it.

    You could also hide a second image inside the first.

    "}, {"location": "forensics/what-is-stegonagraphy/#steganography-detection", "title": "Steganography Detection", "text": "

    So we can hide text and an image, how do we find out if there is hidden data?

    FileA and FileD appear the same, but they\u2019re different. Also, FileD was modified after it was copied, so it\u2019s possible there might be steganography in it.

    FileB and FileC don\u2019t appear to have been modified after being created. That doesn\u2019t rule out the possibility that there\u2019s steganography in them, but you\u2019re more likely to find it in fileD. This brings up two questions:

    1. Can we determine that there is steganography in fileD?
    2. If there is, what was hidden in it?
    "}, {"location": "forensics/what-is-stegonagraphy/#lsb-steganography", "title": "LSB Steganography", "text": "

    File are made of bytes. Each byte is composed of eight bits.

    Changing the least-significant bit (LSB) doesn\u2019t change the value very much.

    So we can modify the LSB without changing the file noticeably. By doing so, we can hide a message inside.

    "}, {"location": "forensics/what-is-stegonagraphy/#lsb-steganography-in-images", "title": "LSB Steganography in Images", "text": "

    LSB Steganography or Least Significant Bit Steganography is a method of Steganography where data is recorded in the lowest bit of a byte.

    Say an image has a pixel with an RGB value of (255, 255, 255), the bits of those RGB values will look like

    1 1 1 1 1 1 1 1

    By modifying the lowest, or least significant, bit, we can use the 1 bit space across every RGB value for every pixel to construct a message.

    1 1 1 1 1 1 1 0

    The reason steganography is hard to detect by sight is because a 1 bit difference in color is insignificant as seen below.

    "}, {"location": "forensics/what-is-stegonagraphy/#example", "title": "Example", "text": "

    Let\u2019s say we have an image, and part of it contains the following binary:

    And let\u2019s say we want to hide the character y inside.

    First, we need to convert the hidden message to binary.

    Now we take each bit from the hidden message and replace the LSB of the corresponding byte with it.

    And again:

    And again:

    And again:

    And again:

    And again:

    And again:

    And once more:

    Decoding LSB steganography is exactly the same as encoding, but in reverse. For each byte, grab the LSB and add it to your decoded message. Once you\u2019ve gone through each byte, convert all the LSBs you grabbed into text or a file. (You can use your file signature knowledge here!)

    "}, {"location": "forensics/what-is-stegonagraphy/#what-other-types-of-steganography-are-there", "title": "What other types of steganography are there?", "text": "

    Steganography is hard for the defense side, because there\u2019s practically an infinite number of ways it could be carried out. Here are a few examples: - LSB steganography: different bits, different bit combinations - Encode in every certain number of bytes - Use a password - Hide in different places - Use encryption on top of steganography

    "}, {"location": "forensics/what-is-wireshark/", "title": "Wireshark", "text": "

    Note from our infrastructure team

    \"Wireshark saved me hours on my last tax return! - David\"

    \"[Wireshark] is great for ruining your weekend and fixing pesky networking problems!\" - Max\"

    \"Wireshark is the powerhouse of the cell. - Joe\"

    \"Does this cable do anything? - Ayyaz\"

    Wireshark is a network protocol analyzer which is often used in CTF challenges to look at recorded network traffic. Wireshark uses a filetype called PCAP to record traffic. PCAPs are often distributed in CTF challenges to provide recorded traffic history.

    "}, {"location": "forensics/what-is-wireshark/#interface", "title": "Interface", "text": "

    Upon opening Wireshark, you are greeted with the option to open a PCAP or begin capturing network traffic on your device.

    The network traffic displayed initially shows the packets in order of which they were captured. You can filter packets by protocol, source IP address, destination IP address, length, etc.

    In order to apply filters, simply enter the constraining factor, for example 'http', in the display filter bar.

    Filters can be chained together using '&&' notation. In order to filter by IP, ensure a double equals '==' is used.

    The most pertinent part of a packet is its data payload and protocol information.

    "}, {"location": "forensics/what-is-wireshark/#decrypting-ssl-traffic", "title": "Decrypting SSL Traffic", "text": "

    By default, Wireshark cannot decrypt SSL traffic on your device unless you grant it specific certificates.

    "}, {"location": "forensics/what-is-wireshark/#high-level-ssl-handshake-overview", "title": "High Level SSL Handshake Overview", "text": "

    In order for a network session to be encrypted properly, the client and server must share a common secret for which they can use to encrypt and decrypt data without someone in the middle being able to guess. The SSL Handshake loosely follows this format:

    1. The client sends a list of available cipher suites it can use along with a random set of bytes referred to as client_random
    2. The server sends back the cipher suite that will be used, such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA, along with a random set of bytes referred to as server_random
    3. The client generates a pre-master secret, encrypts it, then sends it to the server.
    4. The server and client then generate a common master secret using the selected cipher suite
    5. The client and server begin communicating using this common secret
    "}, {"location": "forensics/what-is-wireshark/#decryption-requirements", "title": "Decryption Requirements", "text": "

    There are several ways to be able to decrypt traffic.

    • If you have the client and server random values and the pre-master secret, the master secret can be generated and used to decrypt the traffic
    • If you have the master secret, traffic can be decrypted easily
    • If the cipher-suite uses RSA, you can factor n in the key in order to break the encryption on the encrypted pre-master secret and generate the master secret with the client and server randoms

    "}, {"location": "reverse-engineering/overview/", "title": "Overview", "text": ""}, {"location": "reverse-engineering/overview/#reverse-engineering", "title": "Reverse Engineering", "text": "

    Reverse Engineering in a CTF is typically the process of taking a compiled (machine code, bytecode) program and converting it back into a more human readable format.

    Very often the goal of a reverse engineering challenge is to understand the functionality of a given program such that you can identify deeper issues.

    • Assembly / Machine Code
    • The C Programming Language
    • Disassemblers
    • Decompilers
    "}, {"location": "reverse-engineering/what-are-decompilers/", "title": "Decompilers", "text": "

    Decompilers do the impossible and reverse compiled code back into psuedocode/code.

    IDA offers HexRays, which translates machine code into a higher language pseudocode.

    "}, {"location": "reverse-engineering/what-are-decompilers/#example-workflow", "title": "Example Workflow", "text": "

    Let's say we are disassembling a program which has the source code:

    #include <stdio.h>\n\nvoid printSpacer(int num){\n    for(int i = 0; i < num; ++i){\n        printf(\"-\");\n    }\n    printf(\"\\n\");\n}\n\nint main()\n{\n    char* string = \"Hello, World!\";\n    for(int i = 0; i < 13; ++i){\n        printf(\"%c\", string[i]);\n        for(int j = i+1; j < 13; j++){\n            printf(\"%c\", string[j]);\n        }\n        printf(\"\\n\");\n        printSpacer(13 - i);\n    }\n    return 0;\n}\n

    And creates an output of:

    Hello, World!\n-------------\nello, World!\n------------\nllo, World!\n-----------\nlo, World!\n----------\no, World!\n---------\n, World!\n--------\n World!\n-------\nWorld!\n------\norld!\n-----\nrld!\n----\nld!\n---\nd!\n--\n!\n-\n

    If we are given a binary compiled from that source and we want to figure out how the source looks, we can use a decompiler to get c pseudocode which we can then use to reconstruct the function. The sample decompilation can look like:

    printSpacer:\nint __fastcall printSpacer(int a1)\n{\n  int i; // [rsp+8h] [rbp-8h]\n\n  for ( i = 0; i < a1; ++i )\n    printf(\"-\");\n  return printf(\"\\n\");\n}\n\nmain:\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  int v4; // [rsp+18h] [rbp-18h]\n  signed int i; // [rsp+1Ch] [rbp-14h]\n\n  for ( i = 0; i < 13; ++i )\n  {\n    v4 = i + 1;\n    printf(\"%c\", (unsigned int)aHelloWorld[i], envp);\n    while ( v4 < 13 )\n      printf(\"%c\", (unsigned int)aHelloWorld[v4++]);\n    printf(\"\\n\");\n    printSpacer(13 - i);\n  }\n  return 0;\n}\n

    A good method of getting a good representation of the source is to convert the decompilation into Python since Python is basically psuedocode that runs. Starting with main often allows you to gain a good overview of what the program is doing and will help you translate the other functions.

    "}, {"location": "reverse-engineering/what-are-decompilers/#main", "title": "Main", "text": "

    We know we will start with a main function and some variables, if you trace the execution of the variables, you can oftentimes determine the variable type. Because i is being used as an index, we know its an int, and because v4 used as one later on, it too is an index. We can also see that we have a variable aHelloWorld being printed with \"%c\", we can determine it represents the 'Hello, World!' string. Lets define all these variables in our Python main function:

    def main():\n    string = \"Hello, World!\"\n    i = 0\n    v4 = 0\n    for i in range(0, 13):\n        v4 = i + 1\n        print(string[i], end='')\n        while v4 < 13:\n            print(string[v4], end='')\n            v4 += 1\n        print()\n        printSpacer(13-i)\n
    "}, {"location": "reverse-engineering/what-are-decompilers/#printspacer-function", "title": "printSpacer Function", "text": "

    Now we can see that printSpacer is clearly being fed an int value. Translating it into python shouldn't be too hard.

    def printSpacer(number):\n    i = 0\n    for i in range(0, number):\n        print(\"-\", end='')\n    print()\n
    "}, {"location": "reverse-engineering/what-are-decompilers/#results", "title": "Results", "text": "

    Running main() gives us:

    Hello, World!\n-------------\nello, World!\n------------\nllo, World!\n-----------\nlo, World!\n----------\no, World!\n---------\n, World!\n--------\n World!\n-------\nWorld!\n------\norld!\n-----\nrld!\n----\nld!\n---\nd!\n--\n!\n-\n
    "}, {"location": "reverse-engineering/what-are-disassemblers/", "title": "Disassemblers", "text": "

    A disassembler is a tool which breaks down a compiled program into machine code.

    "}, {"location": "reverse-engineering/what-are-disassemblers/#list-of-disassemblers", "title": "List of Disassemblers", "text": "
    • IDA
    • Binary Ninja
    • GNU Debugger (GDB)
    • radare2
    • Hopper
    "}, {"location": "reverse-engineering/what-are-disassemblers/#ida", "title": "IDA", "text": "

    The Interactive Disassembler (IDA) is the industry standard for binary disassembly. IDA is capable of disassembling \"virtually any popular file format\". This makes it very useful to security researchers and CTF players who often need to analyze obscure files without knowing what they are or where they came from. IDA also features the industry leading Hex Rays decompiler which can convert assembly code back into a pseudo code like format.

    IDA also has a plugin interface which has been used to create some successful plugins that can make reverse engineering easier:

    • https://github.com/google/binnavi
    • https://github.com/yegord/snowman
    • https://github.com/gaasedelen/lighthouse
    • https://github.com/joxeankoret/diaphora
    • https://github.com/REhints/HexRaysCodeXplorer
    • https://github.com/osirislab/Fentanyl
    "}, {"location": "reverse-engineering/what-are-disassemblers/#binary-ninja", "title": "Binary Ninja", "text": "

    Binary Ninja is an up and coming disassembler that attempts to bring a new, more programmatic approach to reverse engineering. Binary Ninja brings an improved plugin API and modern features to reverse engineering. While it's less popular or as old as IDA, Binary Ninja (often called binja) is quickly gaining ground and has a small community of dedicated users and followers.

    Binja also has some community contributed plugins which are collected here: https://github.com/Vector35/community-plugins

    "}, {"location": "reverse-engineering/what-are-disassemblers/#gdb", "title": "gdb", "text": "

    The GNU Debugger is a free and open source debugger which also disassembles programs. It's capable as a disassembler, but most notably it is used by CTF players for its debugging and dynamic analysis capabailities.

    gdb is often used in tandom with enhancement scripts like peda, pwndbg, and GEF

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/", "title": "Assembly/Machine Code", "text": "

    Machine Code or Assembly is code which has been formatted for direct execution by a CPU. Machine Code is the reason why readable programming languages like C, when compiled, cannot be reversed into source code (well Decompilers can sort of, but more on that later).

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#from-source-to-compilation", "title": "From Source to Compilation", "text": "

    Godbolt shows the differences in machine code generated by various compilers.

    For example, if we have a simple C++ function:

    #include <unistd.h>\n#include <stdio.h>\n#include <stdlib.h>\n\nint main() {\n    char c;\n    int fd = syscall(2, \"/etc/passwd\", 0);\n    while (syscall(0, fd, &c, 1)) {\n        putchar(c);\n    }\n}\n

    We can see the compilation results in some verbose instructions for the CPU:

    .LC0:\n  .string \"/etc/passwd\"\nmain:\n  push rbp\n  mov rbp, rsp\n  sub rsp, 16\n  mov edx, 0\n  mov esi, OFFSET FLAT:.LC0\n  mov edi, 2\n  mov eax, 0\n  call syscall\n  mov DWORD PTR [rbp-4], eax\n.L3:\n  lea rdx, [rbp-5]\n  mov eax, DWORD PTR [rbp-4]\n  mov ecx, 1\n  mov esi, eax\n  mov edi, 0\n  mov eax, 0\n  call syscall\n  test rax, rax\n  setne al\n  test al, al\n  je .L2\n  movzx eax, BYTE PTR [rbp-5]\n  movsx eax, al\n  mov edi, eax\n  call putchar\n  jmp .L3\n.L2:\n  mov eax, 0\n  leave\n  ret\n

    This is a one way process for compiled languages as there is no way to generate source from machine code. While the machine code may seem unintelligible, the extremely basic functions can be interpreted with some practice.

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#x86-64", "title": "x86-64", "text": "

    x86-64 or amd64 or i64 is a 64-bit Complex Instruction Set Computing (CISC) architecture. This basically means that the registers used for this architecture extend an extra 32-bits on Intel's x86 architecture. CISC means that a single instruction can do a bunch of different things at once, such as memory accesses, register reads, etc. It is also a variable-length instruction set, which means different instructions can be different sizes ranging from 1 to 16 bytes long. And finally x86-64 allows for multi-sized register access, which means that you can access certain parts of a register which are different sizes.

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#x86-64-registers", "title": "x86-64 Registers", "text": "

    x86-64 registers behave similarly to other architectures. A key component of x86-64 registers is multi-sized access which means the register RAX can have its lower 32 bits accessed with EAX. The next lower 16 bits can be accessed with AX and the lowest 8 bits can be accessed with AL which allows for the compiler to make optimizations which boost program execution.

    x86-64 has plenty of registers to use, including rax, rbx, rcx, rdx, rdi, rsi, rsp, rip, r8-r15, and more! But some registers serve special purposes.

    The special registers include: - RIP: the instruction pointer - RSP: the stack pointer - RBP: the base pointer

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#instructions", "title": "Instructions", "text": "

    An instruction represents a single operation for the CPU to perform.

    There are different types of instructions including:

    • Data movement: mov rax, [rsp - 0x40]
    • Arithmetic: add rbx, rcx
    • Control-flow: jne 0x8000400

    Because x86-64 is a CISC architecture, instructions can be quite complex for machine code, such as repne scasb which repeats up to ECX times over memory at EDI looking for a NULL byte (0x00), decrementing ECX each byte (essentially strlen() in a single instruction!).

    It is important to remember that an instruction really is just memory; this idea will become useful with Return Oriented Programming or ROP.

    Note

    Instructions, numbers, strings, everything are always represented in hex!

    add rax, rbx\nmov rax, 0xdeadbeef\nmov rax, [0xdeadbeef] == 67 48 8b 05 ef be ad de\n\"Hello\" == 48 65 6c 6c 6f\n== 48 01 d8\n== 48 c7 c0 ef be ad de\n
    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#execution", "title": "Execution", "text": "

    What should the CPU execute? This is determined by the RIP register where IP means instruction pointer. Execution follows the pattern: fetch the instruction at the address in RIP, decode it, run it.

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#examples", "title": "Examples", "text": "
    1. mov rax, 0xdeadbeef

    Here the operation mov is moving the \"immediate\" 0xdeadbeef into the register RAX

    1. mov rax, [0xdeadbeef + rbx * 4]

    Here the operation mov is moving the data at the address of [0xdeadbeef + RBX*4] into the register RAX. When brackets are used, you can think of the program as getting the content from that effective address.

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#example-execution", "title": "Example Execution", "text": "
    -> 0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x0804000\n   0x080400a: add, rax, rbx                  RAX = 0x0\n   0x080400d: inc rbx                        RBX = 0x0\n   0x0804010: sub rax, rbx                   RCX = 0x0\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n-> 0x0804005: mov ebx, 0x1234                RIP = 0x0804005\n   0x080400a: add, rax, rbx                  RAX = 0xdeadbeef\n   0x080400d: inc rbx                        RBX = 0x0\n   0x0804010: sub rax, rbx                   RCX = 0x0\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x080400a\n-> 0x080400a: add, rax, rbx                  RAX = 0xdeadbeef\n   0x080400d: inc rbx                        RBX = 0x1234\n   0x0804010: sub rax, rbx                   RCX = 0x0\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x080400d\n   0x080400a: add, rax, rbx                  RAX = 0xdeadd123\n-> 0x080400d: inc rbx                        RBX = 0x1234\n   0x0804010: sub rax, rbx                   RCX = 0x0\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x0804010\n   0x080400a: add, rax, rbx                  RAX = 0xdeadd123\n   0x080400d: inc rbx                        RBX = 0x1235\n-> 0x0804010: sub rax, rbx                   RCX = 0x0\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x0804013\n   0x080400a: add, rax, rbx                  RAX = 0xdeadbeee\n   0x080400d: inc rbx                        RBX = 0x1235\n   0x0804010: sub rax, rbx                   RCX = 0x0\n-> 0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x0804005\n   0x080400a: add, rax, rbx                  RAX = 0xdeadbeee\n   0x080400d: inc rbx                        RBX = 0x1235\n   0x0804010: sub rax, rbx                   RCX = 0xdeadbeee\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#control-flow", "title": "Control Flow", "text": "

    How can we express conditionals in x86-64? We use conditional jumps such as:

    • jnz <address>
    • je <address>
    • jge <address>
    • jle <address>
    • etc.

    They jump if their condition is true, and just go to the next instruction otherwise. These conditionals are checking EFLAGS, which are special registers which store flags on certain instructions such as add rax, rbx which sets the o (overflow) flag if the sum is greater than a 64-bit register can hold, and wraps around. You can jump based on that with a jo instruction. The most important thing to remember is the cmp instruction:

    cmp rax, rbx\njle error\n
    This assembly jumps if RAX <= RBX

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#addresses", "title": "Addresses", "text": "

    Memory acts similarly to a big array where the indices of this \"array\" are memory addresses. Remember from earlier:

    mov rax, [0xdeadbeef]

    The square brackets mean \"get the data at this address\". This is analogous to the C/C++ syntax: rax = *0xdeadbeef;

    "}, {"location": "reverse-engineering/what-is-bytecode/", "title": "What is bytecode", "text": ""}, {"location": "reverse-engineering/what-is-c/", "title": "The C Programming Language", "text": ""}, {"location": "reverse-engineering/what-is-c/#history", "title": "History", "text": "

    The C programming language was written by Dennis Ritchie in the 1970s while he was working at Bell Labs. It was first used to reimplement the Unix operating system which was purely written in assembly language. At first, the Unix developers were considering using a language called \"B\" but because B wasn't optimized for the target computer, the C language was created.

    Note

    C is the letter and the programming language after B!

    C was designed to be close to assembly and is still widely used in lower level programming where speed and control are needed (operating systems, embedded systems). C was also very influential to other programming languages used today. Notable languages include C++, Objective-C, Golang, Java, JavaScript, PHP, Python, and Rust.

    "}, {"location": "reverse-engineering/what-is-c/#hello-world", "title": "Hello World", "text": "

    C is an ancestor of many other programming languages and if you are familiar with programming, it's likely that C will be at least somewhat familiar.

    #include <stdio.h>\nint main()\n{\n   printf(\"Hello, World!\");\n   return 0;\n}\n
    "}, {"location": "reverse-engineering/what-is-c/#today", "title": "Today", "text": "

    Today C is widely used either as a low level programming language or is the base language that other programming languages are implemented in.

    While it can be difficult to see, the C language compiles down directly into machine code. The compiler is programmed to process the provided C code and emit assembly that's targetted to whatever operating system and architecture the compiler is set to use.

    Some common compilers include:

    • gcc
    • clang

    A good way to explore this relationship is to use this online GCC Explorer from Matt Godbolt.

    In regards to CTF, many reverse engineering and exploitation CTF challenges are written in C because the language compiles down directly to assembly and there are little to no safeguards in the language. This means developers must manually handle both. Of course, this can lead to mistakes which can sometimes lead to security issues.

    Note

    Other higher level langauges like Python manage memory and garbage collection for you. Google Golang was inspired by C, but adds in functionality like garbage collection and memory safety.

    There are some examples of famously vulnerable functions in C which are still available and can still result in vulnerabilities:

    • gets - Can result in buffer overflows
    • strcpy - Can result in buffer overflows
    • strcat - Can result in buffer overflows
    • strcmp - Can result in timing attacks
    "}, {"location": "reverse-engineering/what-is-c/#types", "title": "Types", "text": "

    C has four basic types:

    • char - characters
    • int - integers (e.g. 125)
    • float - 32 bit floating point number (e.g. 2.4)
    • double - 64 bit floating point number (like a float but more precise in terms of decimal points)
    "}, {"location": "reverse-engineering/what-is-c/#pointers", "title": "Pointers", "text": "

    C uses an idea known as pointers. A pointer is a variable which contains the address of another variable.

    To understand this idea we should first understand that memory is laid out in terms of addresses and data gets stored at these addresses.

    Take the following example of defining an integer in C:

    int x = 4;\n

    To the programmer this is the variable x receiving the value of 4. The computer stores this value in some location in memory. For example we can say that address 0x1000 now holds the value 4. The computer knows to directly access the memory and retrieve the value 4 whenever the programmer tries to use the x variable. If we were to say x + 4, the computer would give you 8 instead of 0x1004.

    But in C we can retrieve the memory address being used to hold the 4 value (i.e. 0x1000) by using the & character and using * to create an \"integer pointer\" type.

    int* y = &x;\n

    The y variable will store the address pointed to by the xvariable (0x1000).

    Note

    The * character allows us to declare pointer variables but also allows us to access the value stored at a pointer. For example, entering *y allows us to access the 4 value instead of 0x1000.

    Whenever we use the y variable we are using the memory address, but if we use the x variable we use the value stored at the memory address.

    "}, {"location": "reverse-engineering/what-is-c/#arrays", "title": "Arrays", "text": "

    Arrays are a grouping of objects of the same type. They are typically created with the following syntax:

    type arrayName [ arraySize ];\n

    To initialize values in the array we can do:

    int integers[ 10 ] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};\n

    Arrays allow programmers to group data into logical containers.

    To access the individual elements of an array we access the contents by their \"index\". Most programming langauges today start counting from 0. So to take our previous example:

    int integers[ 10 ] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};\n/*     indexes        0  1  2  3  4  5  6  7  8   9\n

    To access the value 6 we would use index 5:

    integers[5];\n
    "}, {"location": "reverse-engineering/what-is-c/#how-do-arrays-work", "title": "How do arrays work?", "text": "

    Arrays are a clever combination of multiplication, pointers, and programming.

    Because the computer knows the data type used for every element in the array, the computer needs to simply multiply the size of the data type by the index you are looking for and then add this value to the address of the beginning of the array.

    For example if we know that the base address of an array is 1000 and we know that each integer takes 8 bytes, we know that if we have 8 integers right next to each other, we can get the integer at the 4th index with the following math:

    1000 + (4 * 8) =  1032\n
    array [ 1   , 2   , 3   , 4   , 5   , 6   , 7   , 8   ]\nindex   0     1     2     3     4     5     6     7\naddrs  1000  1008  1016  1024  1032  1040  1048  1056\n
    "}, {"location": "reverse-engineering/what-is-c/#memory-management", "title": "Memory Management", "text": ""}, {"location": "reverse-engineering/what-is-gdb/", "title": "The GNU Debugger (GDB)", "text": "

    The GNU Debugger or GDB is a powerful debugger which allows for step-by-step execution of a program. It can be used to trace program execution and is an important part of any reverse engineering toolkit.

    "}, {"location": "reverse-engineering/what-is-gdb/#vanilla-gdb", "title": "Vanilla GDB", "text": "

    GDB without any modifications is unintuitive and obscures a lot of useful information. The plug-in pwndb solves a lot of these problems and makes for a much more pleasant experience. But if you are constrained and have to use vanilla gdb, here are several things to make your life easier.

    "}, {"location": "reverse-engineering/what-is-gdb/#starting-gdb", "title": "Starting GDB", "text": "

    To execute GBD and attach it to a program simply run gdb [program]

    "}, {"location": "reverse-engineering/what-is-gdb/#disassembly", "title": "Disassembly", "text": "

    (gdb) disassemble [address/symbol] will display the disassembly for that function/frame

    GDB will autocomplete functions, so saying (gdb) disas main suffices if you'd like to see the disassembly of main

    "}, {"location": "reverse-engineering/what-is-gdb/#view-disassembly-during-execution", "title": "View Disassembly During Execution", "text": "

    Another handy thing to see while stepping through a program is the disassembly of nearby instructions:

    (gdb) display/[# of instructions]i $pc [\u00b1 offset]

    • display shows data with each step
    • /[#]i shows how much data in the format i for instruction
    • $pc means the pc, program counter, register
    • [\u00b1 offset] allows you to specify how you would like the data offset from the current instruction
    "}, {"location": "reverse-engineering/what-is-gdb/#example-usage", "title": "Example Usage", "text": "

    (gdb) display/10i $pc - 0x5

    This command will show 10 instructions on screen with an offset from the next instruction of 5, giving us this display:

       0x8048535 <main+6>:  lock pushl -0x4(%ecx)\n   0x8048539 <main+10>: push   %ebp\n=> 0x804853a <main+11>: mov    %esp,%ebp\n   0x804853c <main+13>: push   %ecx\n   0x804853d <main+14>: sub    $0x14,%esp\n   0x8048540 <main+17>: sub    $0xc,%esp\n   0x8048543 <main+20>: push   $0x400\n   0x8048548 <main+25>: call   0x80483a0 <malloc@plt>\n   0x804854d <main+30>: add    $0x10,%esp\n   0x8048550 <main+33>: sub    $0xc,%esp\n
    "}, {"location": "reverse-engineering/what-is-gdb/#deleting-views", "title": "Deleting Views", "text": "

    If for whatever reason, a view no long suits your needs simply call (gdb) info display which will give you a list of active displays:

    Auto-display expressions now in effect:\nNum Enb Expression\n1:   y  /10bi $pc-0x5\n

    Then simply execute (gdb) delete display 1 and your execution will resume without the display.

    "}, {"location": "reverse-engineering/what-is-gdb/#registers", "title": "Registers", "text": "

    In order to view the state of registers with vanilla gdb, you need to run the command info registers which will display the state of all the registers:

    eax            0xf77a6ddc   -142971428\necx            0xffe06b10   -2069744\nedx            0xffe06b34   -2069708\nebx            0x0  0\nesp            0xffe06af8   0xffe06af8\nebp            0x0  0x0\nesi            0xf77a5000   -142979072\nedi            0xf77a5000   -142979072\neip            0x804853a    0x804853a <main+11>\neflags         0x286    [ PF SF IF ]\ncs             0x23 35\nss             0x2b 43\nds             0x2b 43\nes             0x2b 43\nfs             0x0  0\ngs             0x63 99\n

    If you simply would like to see the contents of a single register, the notation x/x $[register] where:

    • x/x means display the address in hex notation
    • $[register] is the register code such as eax, rax, etc.
    "}, {"location": "reverse-engineering/what-is-gdb/#pwndbg", "title": "Pwndbg", "text": "

    These commands work with vanilla gdb as well.

    "}, {"location": "reverse-engineering/what-is-gdb/#setting-breakpoints", "title": "Setting Breakpoints", "text": "

    Setting breakpoints in GDB uses the format b*[Address/Symbol]

    "}, {"location": "reverse-engineering/what-is-gdb/#example-usage_1", "title": "Example Usage", "text": "
    • (gdb) b*main: Break at the start
    • (gdb) b*0x804854d: Break at 0x804854d
    • (gdb) b*0x804854d-0x100: Break at 0x804844d
    "}, {"location": "reverse-engineering/what-is-gdb/#deleting-breakpoints", "title": "Deleting Breakpoints", "text": "

    As before, in order to delete a view, you can list the available breakpoints using (gdb) info breakpoints (don't forget about GDB's autocomplete, you don't always need to type out every command!) which will display all breakpoints:

    Num     Type           Disp Enb Address    What\n1       breakpoint     keep y   0x0804852f <main>\n3       breakpoint     keep y   0x0804864d <__libc_csu_init+61>\n

    Then simply execute (gdb) delete 1

    Note

    GDB creates breakpoints chronologically and does NOT reuse numbers.

    "}, {"location": "reverse-engineering/what-is-gdb/#stepping", "title": "Stepping", "text": "

    What good is a debugger if you can't control where you are going? In order to begin execution of a program, use the command r [arguments] similar to how if you ran it with dot-slash notation you would execute it ./program [arguments]. In this case the program will run normally and if no breakpoints are set, you will execute normally. If you have breakpoints set, you will stop at that instruction.

    • (gdb) continue [# of breakpoints]: Resumes the execution of the program until it finishes or until another breakpoint is hit (shorthand c)
    • (gdb) step[# of instructions]: Steps into an instruction the specified number of times, default is 1 (shorthand s)
    • (gdb) next instruction [# of instructions]: Steps over an instruction meaning it will not delve into called functions (shorthand ni)
    • (gdb) finish: Finishes a function and breaks after it gets returned (shorthand fin)
    "}, {"location": "reverse-engineering/what-is-gdb/#examining", "title": "Examining", "text": "

    Examining data in GDB is also very useful for seeing how the program is affecting data. The notation may seem complex at first, but it is flexible and provides powerful functionality.

    (gdb) x/[#][size][format] [Address/Symbol/Register][\u00b1 offset]

    • x/ means examine
    • [#] means how much
    • [size] means what size the data should be such as a word w (2 bytes), double word d (4 bytes), or giant word g (8 bytes)
    • [format] means how the data should be interpreted such as an instruction i, a string s, hex bytes x
    • [Address/Symbol][\u00b1 offset] means where to start interpreting the data
    "}, {"location": "reverse-engineering/what-is-gdb/#example-usage_2", "title": "Example Usage", "text": "
    • (gdb) x/x $rax: Displays the content of the register RAX as hex bytes
    • (gdb) x/i 0xdeadbeef: Displays the instruction at address 0xdeadbeef
    • (gdb) x/10s 0x893e10: Displays 10 strings at the address
    • (gdb) x/10gx 0x7fe10: Displays 10 giant words as hex at the address
    "}, {"location": "reverse-engineering/what-is-gdb/#forking", "title": "Forking", "text": "

    If the program happens to be an accept-and-fork server, gdb will have issues following the child or parent processes. In order to specify how you want gdb to function you can use the command set follow-fork-mode [on/off]

    "}, {"location": "reverse-engineering/what-is-gdb/#setting-data", "title": "Setting Data", "text": "

    If you would like to set data at any point, it is possible using the command set [Address/Register]=[Hex Data]

    "}, {"location": "reverse-engineering/what-is-gdb/#example-usage_3", "title": "Example Usage", "text": "
    • set $rax=0x0: Sets the register rax to 0
    • set 0x1e4a70=0x123: Sets the data at 0x1e4a70 to 0x123
    "}, {"location": "reverse-engineering/what-is-gdb/#process-mapping", "title": "Process Mapping", "text": "

    A handy way to find the process's mapped address spaces is to use info proc map:

    Mapped address spaces:\n\n    Start Addr   End Addr       Size     Offset objfile\n     0x8048000  0x8049000     0x1000        0x0 /directory/program\n     0x8049000  0x804a000     0x1000        0x0 /directory/program\n     0x804a000  0x804b000     0x1000     0x1000 /directory/program\n    0xf75cb000 0xf75cc000     0x1000        0x0\n    0xf75cc000 0xf7779000   0x1ad000        0x0 /lib32/libc-2.23.so\n    0xf7779000 0xf777b000     0x2000   0x1ac000 /lib32/libc-2.23.so\n    0xf777b000 0xf777c000     0x1000   0x1ae000 /lib32/libc-2.23.so\n    0xf777c000 0xf7780000     0x4000        0x0\n    0xf778b000 0xf778d000     0x2000        0x0 [vvar]\n    0xf778d000 0xf778f000     0x2000        0x0 [vdso]\n    0xf778f000 0xf77b1000    0x22000        0x0 /lib32/ld-2.23.so\n    0xf77b1000 0xf77b2000     0x1000        0x0\n    0xf77b2000 0xf77b3000     0x1000    0x22000 /lib32/ld-2.23.so\n    0xf77b3000 0xf77b4000     0x1000    0x23000 /lib32/ld-2.23.so\n    0xffc59000 0xffc7a000    0x21000        0x0 [stack]\n

    This will show you where the stack, heap (if there is one), and libc are located.

    "}, {"location": "reverse-engineering/what-is-gdb/#attaching-processes", "title": "Attaching Processes", "text": "

    Another useful feature of GDB is to attach to processes which are already running. Simply launch gdb using gdb, then find the process id of the program you would like to attach to an execute attach [pid].

    "}, {"location": "web-exploitation/overview/", "title": "Overview", "text": ""}, {"location": "web-exploitation/overview/#web-exploitation", "title": "Web Exploitation", "text": "

    Websites all around the world are programmed using various programming languages. While there are specific vulnerabilities in each programming langage that the developer should be aware of, there are issues fundamental to the internet that can show up regardless of the chosen language or framework.

    These vulnerabilities often show up in CTFs as web security challenges where the user needs to exploit a bug to gain some kind of higher level privelege.

    Common vulnerabilities to see in CTF challenges:

    • SQL Injection
    • Command Injection
    • Directory Traversal
    • Cross Site Request Forgery
    • Cross Site Scripting
    • Server Side Request Forgery
    "}, {"location": "web-exploitation/command-injection/what-is-command-injection/", "title": "Command Injection", "text": "

    Command Injection is a vulnerability that allows an attacker to submit system commands to a computer running a website. This happens when the application fails to encode user input that goes into a system shell. It is very common to see this vulnerability when a developer uses the system() command or its equivalent in the programming language of the application.

    import os\n\ndomain = user_input() # ctf101.org\n\nos.system('ping ' + domain)\n

    The above code when used normally will ping the ctf101.org domain.

    But consider what would happen if the user_input() function returned different data?

    import os\n\ndomain = user_input() # ; ls\n\nos.system('ping ' + domain)\n

    Because of the additional semicolon, the os.system() function is instructed to run two commands.

    It looks to the program as:

    ping ; ls\n

    Note

    The semicolon terminates a command in bash and allows you to put another command after it.

    Because the ping command is being terminated and the ls command is being added on, the ls command will be run in addition to the empty ping command!

    This is the core concept behind command injection. The ls command could of course be switched with another command (e.g. wget, curl, bash, etc.)

    Command injection is a very common means of privelege escalation within web applications and applications that interface with system commands. Many kinds of home routers take user input and directly append it to a system command. For this reason, many of those home router models are vulnerable to command injection.

    "}, {"location": "web-exploitation/command-injection/what-is-command-injection/#example-payloads", "title": "Example Payloads", "text": "
    • ;ls
    • $(ls)
    • `ls`
    "}, {"location": "web-exploitation/command-injection/what-is-command-injection/#related-challenges", "title": "Related Challenges", "text": ""}, {"location": "web-exploitation/cross-site-request-forgery/what-is-cross-site-request-forgery/", "title": "Cross Site Request Forgery (CSRF)", "text": "

    A Cross Site Request Forgery or CSRF Attack, pronounced see surf, is an attack on an authenticated user which uses a state session in order to perform state changing attacks like a purchase, a transfer of funds, or a change of email address.

    The entire premise of CSRF is based on session hijacking, usually by injecting malicious elements within a webpage through an <img> tag or an <iframe> where references to external resources are unverified.

    "}, {"location": "web-exploitation/cross-site-request-forgery/what-is-cross-site-request-forgery/#using-csrf", "title": "Using CSRF", "text": "

    GET requests are often used by websites to get user input. Say a user signs in to an banking site which assigns their browser a cookie which keeps them logged in. If they transfer some money, the URL that is sent to the server might have the pattern:

    http://securibank.com/transfer.do?acct=[RECEPIENT]&amount=[DOLLARS]

    Knowing this format, an attacker can send an email with a hyperlink to be clicked on or they can include an image tag of 0 by 0 pixels which will automatically be requested by the browser such as:

    <img src=\"http://securibank.com/transfer.do?acct=[RECEPIENT]&amount=[DOLLARS]\" width=\"0\" height=\"0\" border=\"0\">

    "}, {"location": "web-exploitation/cross-site-scripting/what-is-cross-site-scripting/", "title": "Cross Site Scripting (XSS)", "text": "

    Cross Site Scripting or XSS is a vulnerability where on user of an application can send JavaScript that is executed by the browser of another user of the same application.

    This is a vulnerability because JavaScript has a high degree of control over a user's web browser.

    For example JavaScript has the ability to:

    • Modify the page (called the DOM)
    • Send more HTTP requests
    • Access cookies

    By combining all of these abilities, XSS can maliciously use JavaScript to extract user's cookies and send them to an attacker controlled server. XSS can also modify the DOM to phish users for their passwords. This only scratches the surface of what XSS can be used to do.

    XSS is typically broken down into three categories:

    • Reflected XSS
    • Stored XSS
    • DOM XSS
    "}, {"location": "web-exploitation/cross-site-scripting/what-is-cross-site-scripting/#reflected-xss", "title": "Reflected XSS", "text": "

    Reflected XSS is when an XSS exploit is provided through a URL paramater.

    For example:

    https://ctf101.org?data=<script>alert(1)</script>\n

    You can see the XSS exploit provided in the data GET parameter. If the application is vulnerable to reflected XSS, the application will take this data parameter value and inject it into the DOM.

    For example:

    <html>\n    <body>\n        <script>alert(1)</script>\n    </body>\n</html>\n

    Depending on where the exploit gets injected, it may need to be constructed differently.

    Also, the exploit payload can change to fit whatever the attacker needs it to do. Whether that is to extract cookies and submit it to an external server, or to simply modify the page to deface it.

    One of the deficiencies of reflected XSS however is that it requires the victim to access the vulnerable page from an attacker controlled resource. Notice that if the data paramter, wasn't provided the exploit wouldn't work.

    In many situations, reflected XSS is detected by the browser because it is very simple for a browser to detect malicous XSS payloads in URLs.

    "}, {"location": "web-exploitation/cross-site-scripting/what-is-cross-site-scripting/#stored-xss", "title": "Stored XSS", "text": "

    Stored XSS is different from reflected XSS in one key way. In reflected XSS, the exploit is provided through a GET parameter. But in stored XSS, the exploit is provided from the website itself.

    Imagine a website that allows users to post comments. If a user can submit an XSS payload as a comment, and then have others view that malicious comment, it would be an example of stored XSS.

    The reason being that the web site itself is serving up the XSS payload to other users. This makes it very difficult to detect from the browser's perspective and no browser is capable of generically preventing stored XSS from exploiting a user.

    "}, {"location": "web-exploitation/cross-site-scripting/what-is-cross-site-scripting/#dom-xss", "title": "DOM XSS", "text": "

    DOM XSS is XSS that is due to the browser itself injecting an XSS payload into the DOM. While the server itself may properly prevent XSS, it's possible that the client side scripts may accidentally take a payload and insert it into the DOM and cause the payload to trigger.

    The server itself is not to blame, but the client side JavaScript files are causing the issue.

    "}, {"location": "web-exploitation/directory-traversal/what-is-directory-traversal/", "title": "Directory Traversal", "text": "

    Directory Traversal is a vulnerability where an application takes in user input and uses it in a directory path.

    Any kind of path controlled by user input that isn't properly sanitized or properly sandboxed could be vulnerable to directory traversal.

    For example, consider an application that allows the user to choose what page to load from a GET parameter.

    <?php\n    $page = $_GET['page']; // index.php\n    include(\"/var/www/html/\" . $page);\n?>\n

    Under normal operation the page would be index.php. But what if a malicious user gave in something different?

    <?php\n    $page = $_GET['page']; // ../../../../../../../../etc/passwd\n    include(\"/var/www/html/\" . $page);\n?>\n

    Here the user is submitting ../../../../../../../../etc/passwd.

    This will result in the PHP interpreter leaving the directory that it is coded to look in ('/var/www/html') and instead be forced up to the root folder.

    include(\"/var/www/html/../../../../../../../../etc/passwd\");\n

    Ultimately this will become /etc/passwd because the computer will not go a directory above its top directory.

    Thus the application will load the /etc/passwd file and emit it to the user like so:

    root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nsystemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false\nsystemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false\nsystemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false\nsystemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false\n_apt:x:104:65534::/nonexistent:/bin/false\n

    This same concept can be applied to applications where some input is taken from a user and then used to access a file or path or similar. This vulnerability very often can be used to leak sensitive data or extract application source code to find other vulnerabilities.

    "}, {"location": "web-exploitation/php/what-is-php/", "title": "PHP", "text": "

    PHP is one of the most used languages for back-end web development and therefore it has become a target by hackers. PHP is a language which makes it painful to be secure for most instances, making it every hacker's dream target.

    "}, {"location": "web-exploitation/php/what-is-php/#overview", "title": "Overview", "text": "

    PHP is a C-like language which uses tags enclosed by <?php ... ?> (sometimes just <? ... ?>). It is inlined into HTML. A word of advice is to keep the php docs open because function names are strange due to the fact that the length of function name is used to be the key in PHP's internal dictionary, so function names were shortened/lengthened to make the lookup faster. Other things include:

    • Variables start with $: $name
    • Variable variables: $$name
    • Request-specific dictionaries: $_GET, $_POST, $_SERVER
    "}, {"location": "web-exploitation/php/what-is-php/#example", "title": "Example", "text": "
    <?php\n    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['email']) && isset($_POST['password'])) {\n        $db = new mysqli('127.0.0.1', 'cs3284', 'cs3284', 'logmein');\n        $email = $_POST['email'];\n        $password = sha1($_POST['password']);\n        $res = $db->query(\"SELECT * FROM users WHERE email = '$email' AND password = '$password'\");\n        if ($row = $res->fetch_assoc()) {\n            $_SESSION['id'] = $row['id'];\n            header('Location: index.php');\n            die();\n        }\n   }\n?>\n<html>...\n

    This example PHP simply checks the POST data for an email and password. If the password is equal to the hashed password in the database, the use is logged in and redirected to the index page.

    The line email = '$email' uses automatic string interpolation in order to convert $email into a string to compare with the database.

    "}, {"location": "web-exploitation/php/what-is-php/#type-juggling", "title": "Type Juggling", "text": "

    PHP will do just about anything to match with a loose comparison (\\=\\=) which means things can be 'equal' (\\=\\=) or really equal (\\=\\=\\=). The implicit integer parsing to strings is the root cause of a lot of issues in PHP.

    "}, {"location": "web-exploitation/php/what-is-php/#type-comparison-table", "title": "Type Comparison Table", "text": ""}, {"location": "web-exploitation/php/what-is-php/#comparisons-of-x-with-php-functions", "title": "Comparisons of $x with PHP Functions", "text": "Expression gettype() empty() is_null() isset() boolean: if($x) $x = \"\"; string TRUE FALSE TRUE FALSE $x = null; NULL TRUE TRUE FALSE FALSE var $x; NULL TRUE TRUE FALSE FALSE $x is undefined NULL TRUE TRUE FALSE FALSE $x = array(); array TRUE FALSE TRUE FALSE $x = array('a', 'b'); array FALSE FALSE TRUE TRUE $x = false; boolean TRUE FALSE TRUE FALSE $x = true; boolean FALSE FALSE TRUE TRUE $x = 1; integer FALSE FALSE TRUE TRUE $x = 42; integer FALSE FALSE TRUE TRUE $x = 0; integer TRUE FALSE TRUE FALSE $x = -1; integer FALSE FALSE TRUE TRUE $x = \"1\"; string FALSE FALSE TRUE TRUE $x = \"0\"; string TRUE FALSE TRUE FALSE $x = \"-1\"; string FALSE FALSE TRUE TRUE $x = \"php\"; string FALSE FALSE TRUE TRUE $x = \"true\"; string FALSE FALSE TRUE TRUE $x = \"false\"; string FALSE FALSE TRUE TRUE"}, {"location": "web-exploitation/php/what-is-php/#comparisons", "title": "\"==\" Comparisons", "text": "TRUE FALSE 1 0 -1 \"1\" \"0\" \"-1\" NULL array() \"php\" \"\" TRUE ==TRUE== FALSE ==TRUE== FALSE ==TRUE== ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE ==TRUE== ==TRUE== FALSE ==TRUE== 1 ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE 0 FALSE ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE ==TRUE== FALSE ==TRUE== ==TRUE== -1 ==TRUE== FALSE FALSE FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE \"1\" ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE \"0\" FALSE ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE \"-1\" ==TRUE== FALSE FALSE FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE NULL FALSE ==TRUE== FALSE ==TRUE== FALSE FALSE FALSE FALSE ==TRUE== ==TRUE== FALSE ==TRUE== array() FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== ==TRUE== FALSE FALSE \"php\" ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE \"\" FALSE ==TRUE== FALSE ==TRUE== FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE ==TRUE=="}, {"location": "web-exploitation/php/what-is-php/#comparisons_1", "title": "\"===\" Comparisons", "text": "TRUE FALSE 1 0 -1 \"1\" \"0\" \"-1\" NULL array() \"php\" \"\" TRUE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE 1 FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE 0 FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE -1 FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE FALSE \"1\" FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE \"0\" FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE \"-1\" FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE NULL FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE array() FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE \"php\" FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE \"\" FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE=="}, {"location": "web-exploitation/php/what-is-php/#file-inclusion", "title": "File Inclusion", "text": "

    PHP has multiple ways to include other source files such as require, require_once and include. These can take a dynamic string such as require $_GET['page'] . \".php\"; which is usually seen in templating.

    "}, {"location": "web-exploitation/php/what-is-php/#php-stream-filters", "title": "PHP Stream Filters", "text": "

    PHP has its own URL scheme: php://... and its main purpose is to filter output automatically. It can automatically remove certain HTML tags and can base64 encode as well.

    "}, {"location": "web-exploitation/php/what-is-php/#example_1", "title": "Example", "text": "
    $fp = fopen('php://output', 'w');\nstream_filter_append(\n       $fp,\n       'string.strip_tags',\n       STREAM_FILTER_WRITE,\n       array('b','i','u'));\nfwrite($fp, \"<b>bolded text</b> enlarged to a <h1>level 1 heading</h1>\\n\");\n/* <b>bolded text</b> enlarged to a level 1 heading */\n
    "}, {"location": "web-exploitation/php/what-is-php/#exploitation", "title": "Exploitation", "text": "

    These filters can also be used on input such as:

    • php://filter/convert.base64-encode/resource={file}
    • include, file_get_contents(), etc. support URLs including PHP stream filter URLs (php://)
    • include normally evaluates any PHP code (in tags) it finds, but if it\u2019s base64 encoded it can be used to leak source
    "}, {"location": "web-exploitation/server-side-request-forgery/what-is-server-side-request-forgery/", "title": "Server Side Request Forgery (SSRF)", "text": "

    Server Side Request Forgery or SSRF is where an attacker is able to cause a web application to send a request that the attacker defines.

    For example, say there is a website that lets you take a screenshot of any site on the internet.

    Under normal usage a user might ask it to take a screenshot of a page like Google, or The New York Times. But what if a user does something more nefarious? What if they asked the site to take a picture of http://localhost ? Or perhaps tries to access something more useful like http://localhost/server-status ?

    Note

    127.0.0.1 (also known as localhost or loopback) represents the computer itself. Accessing localhost means you are accessing the computer's own internal network. Developers often use localhost as a way to access the services they have running on their own computers.

    Depending on what the response from the site is the attacker may be able to gain additional information about what's running on the computer itself.

    In addition, the requests originating from the server would come from the server's IP not the attackers IP. Because of that, it is possible that the attacker might be able to access internal resources that he wouldn't normally be able to access.

    Another usage for SSRF is to create a simple port scanner to scan the internal network looking for internal services.

    "}, {"location": "web-exploitation/sql-injection/what-is-sql-injection/", "title": "SQL Injection", "text": "

    SQL Injection is a vulnerability where an application takes input from a user and doesn't vaildate that the user's input doesn't contain additional SQL.

    <?php\n    $username = $_GET['username']; // kchung\n    $result = mysql_query(\"SELECT * FROM users WHERE username='$username'\");\n?>\n

    If we look at the $username variable, under normal operation we might expect the username parameter to be a real username (e.g. kchung).

    But a malicious user might submit different kind of data. For example, consider if the input was '?

    The application would crash because the resulting SQL query is incorrect.

    SELECT * FROM users WHERE username='''\n

    Note

    Notice the extra single quote at the end.

    With the knowledge that a single quote will cause an error in the application we can expand a little more on SQL Injection.

    What if our input was ' OR 1=1?

    SELECT * FROM users WHERE username='' OR 1=1\n

    1 is indeed equal to 1. This equates to true in SQL. If we reinterpret this the SQL statement is really saying

    SELECT * FROM users WHERE username='' OR true\n

    This will return every row in the table because each row that exists must be true.

    We can also inject comments and termination characters like -- or /* or ;. This allows you to terminate SQL queries after your injected statements. For example '-- is a common SQL injection payload.

    SELECT * FROM users WHERE username=''-- '\n

    This payload sets the username parameter to an empty string to break out of the query and then adds a comment (--) that effectively hides the second single quote.

    Using this technique of adding SQL statements to an existing query we can force databases to return data that it was not meant to return.

    "}]} \ No newline at end of file +{"config": {"lang": ["en"], "separator": "[\\s\\-]+", "pipeline": ["stopWordFilter"]}, "docs": [{"location": "", "title": "Capture The Flag 101", "text": ""}, {"location": "#overview", "title": "Overview", "text": "

    Capture the Flags, or CTFs, are computer security competitions.

    Teams of competitors (or just individuals) are pitted against each other in various challenges across multiple security disciplines, competing to earn the most points.

    CTFs are often the beginning of one's cyber security career due to their team building nature and competitive aspect. In addition, there isn't a lot of commitment required beyond a weekend.

    Info

    For information about ongoing CTFs, check out CTFTime.

    In this handbook you'll learn the basics\u2122 behind the methodologies and techniques needed to succeed in Capture the Flag competitions.

    "}, {"location": "binary-exploitation/address-space-layout-randomization/", "title": "Address Space Layout Randomization (ASLR)", "text": "

    Address Space Layout Randomization (or ASLR) is the randomization of the place in memory where the program, shared libraries, the stack, and the heap are. This makes can make it harder for an attacker to exploit a service, as knowledge about where the stack, heap, or libc can't be re-used between program launches. This is a partially effective way of preventing an attacker from jumping to, for example, libc without a leak.

    Typically, only the stack, heap, and shared libraries are ASLR enabled. It is still somewhat rare for the main program to have ASLR enabled, though it is being seen more frequently and is slowly becoming the default.

    "}, {"location": "binary-exploitation/buffer-overflow/", "title": "Buffer Overflow", "text": "

    A Buffer Overflow is a vulnerability in which data can be written which exceeds the allocated space, allowing an attacker to overwrite other data.

    "}, {"location": "binary-exploitation/buffer-overflow/#stack-buffer-overflow", "title": "Stack buffer overflow", "text": "

    The simplest and most common buffer overflow is one where the buffer is on the stack. Let's look at an example.

    #include <stdio.h>\n\nint main() {\n    int secret = 0xdeadbeef;\n    char name[100] = {0};\n    read(0, name, 0x100);\n    if (secret == 0x1337) {\n        puts(\"Wow! Here's a secret.\");\n    } else {\n        puts(\"I guess you're not cool enough to see my secret\");\n    }\n}\n

    There's a tiny mistake in this program which will allow us to see the secret. name is decimal 100 bytes, however we're reading in hex 100 bytes (=256 decimal bytes)! Let's see how we can use this to our advantage.

    If the compiler chose to layout the stack like this:

            0xffff006c: 0xf7f7f7f7  // Saved EIP\n        0xffff0068: 0xffff0100  // Saved EBP\n        0xffff0064: 0xdeadbeef  // secret\n...\n        0xffff0004: 0x0\nESP ->  0xffff0000: 0x0         // name\n

    let's look at what happens when we read in 0x100 bytes of 'A's.

    The first decimal 100 bytes are saved properly:

            0xffff006c: 0xf7f7f7f7  // Saved EIP\n        0xffff0068: 0xffff0100  // Saved EBP\n        0xffff0064: 0xdeadbeef  // secret\n...\n        0xffff0004: 0x41414141\nESP ->  0xffff0000: 0x41414141  // name\n

    However when the 101st byte is read in, we see an issue:

            0xffff006c: 0xf7f7f7f7  // Saved EIP\n        0xffff0068: 0xffff0100  // Saved EBP\n        0xffff0064: 0xdeadbe41  // secret\n...\n        0xffff0004: 0x41414141\nESP ->  0xffff0000: 0x41414141  // name\n

    The least significant byte of secret has been overwritten! If we follow the next 3 bytes to be read in, we'll see the entirety of secret is \"clobbered\" with our 'A's

            0xffff006c: 0xf7f7f7f7  // Saved EIP\n        0xffff0068: 0xffff0100  // Saved EBP\n        0xffff0064: 0x41414141  // secret\n...\n        0xffff0004: 0x41414141\nESP ->  0xffff0000: 0x41414141  // name\n

    The remaining 152 bytes would continue clobbering values up the stack.

    "}, {"location": "binary-exploitation/buffer-overflow/#passing-an-impossible-check", "title": "Passing an impossible check", "text": "

    How can we use this to pass the seemingly impossible check in the original program? Well, if we carefully line up our input so that the bytes that overwrite secret happen to be the bytes that represent 0x1337 in little-endian, we'll see the secret message.

    A small Python one-liner will work nicely: python -c \"print 'A'*100 + '\\x31\\x13\\x00\\x00'\"

    This will fill the name buffer with 100 'A's, then overwrite secret with the 32-bit little-endian encoding of 0x1337.

    "}, {"location": "binary-exploitation/buffer-overflow/#going-one-step-further", "title": "Going one step further", "text": "

    As discussed on the stack page, the instruction that the current function should jump to when it is done is also saved on the stack (denoted as \"Saved EIP\" in the above stack diagrams). If we can overwrite this, we can control where the program jumps after main finishes running, giving us the ability to control what the program does entirely.

    Usually, the end objective in binary exploitation is to get a shell (often called \"popping a shell\") on the remote computer. The shell provides us with an easy way to run anything we want on the target computer.

    Say there happens to be a nice function that does this defined somewhere else in the program that we normally can't get to:

    void give_shell() {\n    system(\"/bin/sh\");\n}\n

    Well with our buffer overflow knowledge, now we can! All we have to do is overwrite the saved EIP on the stack to the address where give_shell is. Then, when main returns, it will pop that address off of the stack and jump to it, running give_shell, and giving us our shell.

    Assuming give_shell is at 0x08048fd0, we could use something like this: python -c \"print 'A'*108 + '\\xd0\\x8f\\x04\\x08'\"

    We send 108 'A's to overwrite the 100 bytes that is allocated for name, the 4 bytes for secret, and the 4 bytes for the saved EBP. Then we simply send the little-endian form of give_shell's address, and we would get a shell!

    This idea is extended on in Return Oriented Programming

    "}, {"location": "binary-exploitation/heap-exploitation/", "title": "Heap Exploits", "text": ""}, {"location": "binary-exploitation/heap-exploitation/#overflow", "title": "Overflow", "text": "

    Much like a stack buffer overflow, a heap overflow is a vulnerability where more data than can fit in the allocated buffer is read in. This could lead to heap metadata corruption, or corruption of other heap objects, which could in turn provide new attack surface.

    "}, {"location": "binary-exploitation/heap-exploitation/#use-after-free-uaf", "title": "Use After Free (UAF)", "text": "

    Once free is called on an allocation, the allocator is free to re-allocate that chunk of memory in future calls to malloc if it so chooses. However if the program author isn't careful and uses the freed object later on, the contents may be corrupt (or even attacker controlled). This is called a use after free or UAF.

    "}, {"location": "binary-exploitation/heap-exploitation/#example", "title": "Example", "text": "
    #include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <string.h>\n\ntypedef struct string {\n    unsigned length;\n    char *data;\n} string;\n\nint main() {\n    struct string* s = malloc(sizeof(string));\n    puts(\"Length:\");\n    scanf(\"%u\", &s->length);\n    s->data = malloc(s->length + 1);\n    memset(s->data, 0, s->length + 1);\n    puts(\"Data:\");\n    read(0, s->data, s->length);\n\n    free(s->data);\n    free(s);\n\n    char *s2 = malloc(16);\n    memset(s2, 0, 16);\n    puts(\"More data:\");\n    read(0, s2, 15);\n\n    // Now using s again, a UAF\n\n    puts(s->data);\n\n    return 0;\n}\n

    In this example, we have a string structure with a length and a pointer to the actual string data. We properly allocate, fill, and then free an instance of this structure. Then we make another allocation, fill it, and then improperly reference the freed string. Due to how glibc's allocator works, s2 will actually get the same memory as the original s allocation, which in turn gives us the ability to control the s->data pointer. This could be used to leak program data.

    "}, {"location": "binary-exploitation/heap-exploitation/#advanced-heap-exploitation", "title": "Advanced Heap Exploitation", "text": "

    Not only can the heap be exploited by the data in allocations, but exploits can also use the underlying mechanisms in malloc, free, etc. to exploit a program. This is beyond the scope of CTF 101, but here are a few recommended resources:

    • sploitFUN's glibc overview
    • Shellphish's how2heap
    "}, {"location": "binary-exploitation/no-execute/", "title": "No eXecute (NX Bit)", "text": "

    The No eXecute or the NX bit (also known as Data Execution Prevention or DEP) marks certain areas of the program as not executable, meaning that stored input or data cannot be executed as code. This is significant because it prevents attackers from being able to jump to custom shellcode that they've stored on the stack or in a global variable.

    "}, {"location": "binary-exploitation/overview/", "title": "Overview", "text": ""}, {"location": "binary-exploitation/overview/#binary-exploitation", "title": "Binary Exploitation", "text": "

    Binaries, or executables, are machine code for a computer to execute. For the most part, the binaries that you will face in CTFs are Linux ELF files or the occasional windows executable. Binary Exploitation is a broad topic within Cyber Security which really comes down to finding a vulnerability in the program and exploiting it to gain control of a shell or modifying the program's functions.

    Common topics addressed by Binary Exploitation or 'pwn' challenges include:

    • Registers
    • The Stack
    • Calling Conventions
    • Global Offset Table (GOT)
    • Buffers
      • Buffer Overflow
    • Return Oriented Programming (ROP)
    • Binary Security
      • No eXecute (NX)
      • Address Space Layout Randomization (ASLR)
      • Stack Canaries
      • Relocation Read-Only (RELRO)
    • The Heap
      • Heap Exploitation
    • Format String Vulnerability
    "}, {"location": "binary-exploitation/relocation-read-only/", "title": "Relocation Read-Only (RELRO)", "text": "

    Relocation Read-Only (or RELRO) is a security measure which makes some binary sections read-only.

    There are two RELRO \"modes\": partial and full.

    "}, {"location": "binary-exploitation/relocation-read-only/#partial-relro", "title": "Partial RELRO", "text": "

    Partial RELRO is the default setting in GCC, and nearly all binaries you will see have at least partial RELRO.

    From an attackers point-of-view, partial RELRO makes almost no difference, other than it forces the GOT to come before the BSS in memory, eliminating the risk of a buffer overflows on a global variable overwriting GOT entries.

    "}, {"location": "binary-exploitation/relocation-read-only/#full-relro", "title": "Full RELRO", "text": "

    Full RELRO makes the entire GOT read-only which removes the ability to perform a \"GOT overwrite\" attack, where the GOT address of a function is overwritten with the location of another function or a ROP gadget an attacker wants to run.

    Full RELRO is not a default compiler setting as it can greatly increase program startup time since all symbols must be resolved before the program is started. In large programs with thousands of symbols that need to be linked, this could cause a noticable delay in startup time.

    "}, {"location": "binary-exploitation/return-oriented-programming/", "title": "Return Oriented Programming", "text": "

    Return Oriented Programming (or ROP) is the idea of chaining together small snippets of assembly with stack control to cause the program to do more complex things.

    As we saw in buffer overflows, having stack control can be very powerful since it allows us to overwrite saved instruction pointers, giving us control over what the program does next. Most programs don't have a convenient give_shell function however, so we need to find a way to manually invoke system or another exec function to get us our shell.

    "}, {"location": "binary-exploitation/return-oriented-programming/#32-bit", "title": "32 bit", "text": "

    Imagine we have a program similar to the following:

    #include <stdio.h>\n#include <stdlib.h>\n\nchar name[32];\n\nint main() {\n    printf(\"What's your name? \");\n    read(0, name, 32);\n\n    printf(\"Hi %s\\n\", name);\n\n    printf(\"The time is currently \");\n    system(\"/bin/date\");\n\n    char echo[100];\n    printf(\"What do you want me to echo back? \");\n    read(0, echo, 1000);\n    puts(echo);\n\n    return 0;\n}\n

    We obviously have a stack buffer overflow on the echo variable which can give us EIP control when main returns. But we don't have a give_shell function! So what can we do?

    We can call system with an argument we control! Since arguments are passed in on the stack in 32-bit Linux programs (see calling conventions), if we have stack control, we have argument control.

    When main returns, we want our stack to look like something had normally called system. Recall what is on the stack after a function has been called:

            ...                                 // More arguments\n        0xffff0008: 0x00000002              // Argument 2\n        0xffff0004: 0x00000001              // Argument 1\nESP ->  0xffff0000: 0x080484d0              // Return address\n

    So main's stack frame needs to look like this:

            0xffff0008: 0xdeadbeef              // system argument 1\n        0xffff0004: 0xdeadbeef              // return address for system\nESP ->  0xffff0000: 0x08048450              // return address for main (system's PLT entry)\n

    Then when main returns, it will jump into system's PLT entry and the stack will appear just like system had been called normally for the first time.

    Note: we don't care about the return address system will return to because we will have already gotten our shell by then!

    "}, {"location": "binary-exploitation/return-oriented-programming/#arguments", "title": "Arguments", "text": "

    This is a good start, but we need to pass an argument to system for anything to happen. As mentioned in the page on ASLR, the stack and dynamic libraries \"move around\" each time a program is run, which means we can't easily use data on the stack or a string in libc for our argument. In this case however, we have a very convenient name global which will be at a known location in the binary (in the BSS segment).

    "}, {"location": "binary-exploitation/return-oriented-programming/#putting-it-together", "title": "Putting it together", "text": "

    Our exploit will need to do the following:

    1. Enter \"sh\" or another command to run as name
    2. Fill the stack with
      1. Garbage up to the saved EIP
      2. The address of system's PLT entry
      3. A fake return address for system to jump to when it's done
      4. The address of the name global to act as the first argument to system
    "}, {"location": "binary-exploitation/return-oriented-programming/#64-bit", "title": "64 bit", "text": "

    In 64-bit binaries we have to work a bit harder to pass arguments to functions. The basic idea of overwriting the saved RIP is the same, but as discussed in calling conventions, arguments are passed in registers in 64-bit programs. In the case of running system, this means we will need to find a way to control the RDI register.

    To do this, we'll use small snippets of assembly in the binary, called \"gadgets.\" These gadgets usually pop one or more registers off of the stack, and then call ret, which allows us to chain them together by making a large fake call stack.

    For example, if we needed control of both RDI and RSI, we might find two gadgets in our program that look like this (using a tool like rp++ or ROPgadget):

    0x400c01: pop rdi; ret\n0x400c03: pop rsi; pop r15; ret\n

    We can setup a fake call stack with these gadets to sequentially execute them, poping values we control into registers, and then end with a jump to system.

    "}, {"location": "binary-exploitation/return-oriented-programming/#example", "title": "Example", "text": "
            0xffff0028: 0x400d00            // where we want the rsi gadget's ret to jump to now that rdi and rsi are controlled\n        0xffff0020: 0x1337beef          // value we want in r15 (probably garbage)\n        0xffff0018: 0x1337beef          // value we want in rsi\n        0xffff0010: 0x400c03            // address that the rdi gadget's ret will return to - the pop rsi gadget\n        0xffff0008: 0xdeadbeef          // value to be popped into rdi\nRSP ->  0xffff0000: 0x400c01            // address of rdi gadget\n

    Stepping through this one instruction at a time, main returns, jumping to our pop rdi gadget:

    RIP = 0x400c01 (pop rdi)\nRDI = UNKNOWN\nRSI = UNKNOWN\n\n        0xffff0028: 0x400d00            // where we want the rsi gadget's ret to jump to now that rdi and rsi are controlled\n        0xffff0020: 0x1337beef          // value we want in r15 (probably garbage)\n        0xffff0018: 0x1337beef          // value we want in rsi\n        0xffff0010: 0x400c03            // address that the rdi gadget's ret will return to - the pop rsi gadget\nRSP ->  0xffff0008: 0xdeadbeef          // value to be popped into rdi\n

    pop rdi is then executed, popping the top of the stack into RDI:

    RIP = 0x400c02 (ret)\nRDI = 0xdeadbeef\nRSI = UNKNOWN\n\n        0xffff0028: 0x400d00            // where we want the rsi gadget's ret to jump to now that rdi and rsi are controlled\n        0xffff0020: 0x1337beef          // value we want in r15 (probably garbage)\n        0xffff0018: 0x1337beef          // value we want in rsi\nRSP ->  0xffff0010: 0x400c03            // address that the rdi gadget's ret will return to - the pop rsi gadget\n

    The RDI gadget then rets into our RSI gadget:

    RIP = 0x400c03 (pop rsi)\nRDI = 0xdeadbeef\nRSI = UNKNOWN\n\n        0xffff0028: 0x400d00            // where we want the rsi gadget's ret to jump to now that rdi and rsi are controlled\n        0xffff0020: 0x1337beef          // value we want in r15 (probably garbage)\nRSP ->  0xffff0018: 0x1337beef          // value we want in rsi\n

    RSI and R15 are popped:

    RIP = 0x400c05 (ret)\nRDI = 0xdeadbeef\nRSI = 0x1337beef\n\nRSP ->  0xffff0028: 0x400d00            // where we want the rsi gadget's ret to jump to now that rdi and rsi are controlled\n

    And finally, the RSI gadget rets, jumping to whatever function we want, but now with RDI and RSI set to values we control.

    "}, {"location": "binary-exploitation/stack-canaries/", "title": "Stack Canaries", "text": "

    Stack Canaries are a secret value placed on the stack which changes every time the program is started. Prior to a function return, the stack canary is checked and if it appears to be modified, the program exits immeadiately.

    "}, {"location": "binary-exploitation/stack-canaries/#bypassing-stack-canaries", "title": "Bypassing Stack Canaries", "text": "

    Stack Canaries seem like a clear cut way to mitigate any stack smashing as it is fairly impossible to just guess a random 64-bit value. However, leaking the address and bruteforcing the canary are two methods which would allow us to get through the canary check.

    "}, {"location": "binary-exploitation/stack-canaries/#stack-canary-leaking", "title": "Stack Canary Leaking", "text": "

    If we can read the data in the stack canary, we can send it back to the program later because the canary stays the same throughout execution. However Linux makes this slightly tricky by making the first byte of the stack canary a NULL, meaning that string functions will stop when they hit it. A method around this would be to partially overwrite and then put the NULL back or find a way to leak bytes at an arbitrary stack offset.

    A few situations where you might be able to leak a canary:

    • User-controlled format string
    • User-controlled length of an output
      • \u201cHey, can you send me 1000000 bytes? thx!\u201d
    "}, {"location": "binary-exploitation/stack-canaries/#bruteforcing-a-stack-canary", "title": "Bruteforcing a Stack Canary", "text": "

    The canary is determined when the program starts up for the first time which means that if the program forks, it keeps the same stack cookie in the child process. This means that if the input that can overwrite the canary is sent to the child, we can use whether it crashes as an oracle and brute-force 1 byte at a time!

    This method can be used on fork-and-accept servers where connections are spun off to child processes, but only under certain conditions such as when the input accepted by the program does not append a NULL byte (read or recv).

    Buffer (N Bytes) ?? ?? ?? ?? ?? ?? ?? ?? RBP RIP

    Fill the buffer N Bytes + 0x00 results in no crash

    Buffer (N Bytes) 00 ?? ?? ?? ?? ?? ?? ?? RBP RIP

    Fill the buffer N Bytes + 0x00 + 0x00 results in a crash

    N Bytes + 0x00 + 0x01 results in a crash

    N Bytes + 0x00 + 0x02 results in a crash

    ...

    N Bytes + 0x00 + 0x51 results in no crash

    Buffer (N Bytes) 00 51 ?? ?? ?? ?? ?? ?? RBP RIP

    Repeat this bruteforcing process for 6 more bytes...

    Buffer (N Bytes) 00 51 FE 0A 31 D2 7B 3C RBP RIP

    Now that we have the stack cookie, we can overwrite the RIP register and take control of the program!

    "}, {"location": "binary-exploitation/what-are-buffers/", "title": "Buffers", "text": "

    A buffer is any allocated space in memory where data (often user input) can be stored. For example, in the following C program name would be considered a stack buffer:

    #include <stdio.h>\n\nint main() {\n    char name[64] = {0};\n    read(0, name, 63);\n    printf(\"Hello %s\", name);\n    return 0;\n}\n

    Buffers could also be global variables:

    #include <stdio.h>\n\nchar name[64] = {0};\n\nint main() {\n    read(0, name, 63);\n    printf(\"Hello %s\", name);\n    return 0;\n}\n

    Or dynamically allocated on the heap:

    #include <stdio.h>\n#include <stdlib.h>\n\nint main() {\n    char *name = malloc(64);\n    memset(name, 0, 64);\n    read(0, name, 63);\n    printf(\"Hello %s\", name);\n    return 0;\n}\n
    "}, {"location": "binary-exploitation/what-are-buffers/#exploits", "title": "Exploits", "text": "

    Given that buffers commonly hold user input, mistakes when writing to them could result in attacker controlled data being written outside of the buffer's space. See the page on buffer overflows for more.

    "}, {"location": "binary-exploitation/what-are-calling-conventions/", "title": "Calling Conventions", "text": "

    To be able to call functions, there needs to be an agreed-upon way to pass arguments. If a program is entirely self-contained in a binary, the compiler would be free to decide the calling convention. However in reality, shared libraries are used so that common code (e.g. libc) can be stored once and dynamically linked in to programs that need it, reducing program size.

    In Linux binaries, there are really only two commonly used calling conventions: cdecl for 32-bit binaries, and SysV for 64-bit

    "}, {"location": "binary-exploitation/what-are-calling-conventions/#cdecl", "title": "cdecl", "text": "

    In 32-bit binaries on Linux, function arguments are passed in on the stack in reverse order. A function like this:

    int add(int a, int b, int c) {\n    return a + b + c;\n}\n

    would be invoked by pushing c, then b, then a.

    "}, {"location": "binary-exploitation/what-are-calling-conventions/#sysv", "title": "SysV", "text": "

    For 64-bit binaries, function arguments are first passed in certain registers:

    1. RDI
    2. RSI
    3. RDX
    4. RCX
    5. R8
    6. R9

    then any leftover arguments are pushed onto the stack in reverse order, as in cdecl.

    "}, {"location": "binary-exploitation/what-are-calling-conventions/#other-conventions", "title": "Other Conventions", "text": "

    Any method of passing arguments could be used as long as the compiler is aware of what the convention is. As a result, there have been many calling conventions in the past that aren't used frequently anymore. See Wikipedia for a comprehensive list.

    "}, {"location": "binary-exploitation/what-are-registers/", "title": "Registers", "text": "

    A register is a location within the processor that is able to store data, much like RAM. Unlike RAM however, accesses to registers are effectively instantaneous, whereas reads from main memory can take hundreds of CPU cycles to return.

    Registers can hold any value: addresses (pointers), results from mathematical operations, characters, etc. Some registers are reserved however, meaning they have a special purpose and are not \"general purpose registers\" (GPRs). On x86, the only 2 reserved registers are rip and rsp which hold the address of the next instruction to execute and the address of the stack respectively.

    On x86, the same register can have different sized accesses for backwards compatability. For example, the rax register is the full 64-bit register, eax is the low 32 bits of rax, ax is the low 16 bits, al is the low 8 bits, and ah is the high 8 bits of ax (bits 8-16 of rax).

    "}, {"location": "binary-exploitation/what-is-a-format-string-vulnerability/", "title": "Format String Vulnerability", "text": "

    A format string vulnerability is a bug where user input is passed as the format argument to printf, scanf, or another function in that family.

    The format argument has many different specifies which could allow an attacker to leak data if they control the format argument to printf. Since printf and similar are variadic functions, they will continue popping data off of the stack according to the format.

    For example, if we can make the format argument \"%x.%x.%x.%x\", printf will pop off four stack values and print them in hexadecimal, potentially leaking sensitive information.

    printf can also index to an arbitrary \"argument\" with the following syntax: \"%n$x\" (where n is the decimal index of the argument you want).

    While these bugs are powerful, they're very rare nowadays, as all modern compilers warn when printf is called with a non-constant string.

    "}, {"location": "binary-exploitation/what-is-a-format-string-vulnerability/#example", "title": "Example", "text": "
    #include <stdio.h>\n#include <unistd.h>\n\nint main() {\n    int secret_num = 0x8badf00d;\n\n    char name[64] = {0};\n    read(0, name, 64);\n    printf(\"Hello \");\n    printf(name);\n    printf(\"! You'll never get my secret!\\n\");\n    return 0;\n}\n

    Due to how GCC decided to lay out the stack, secret_num is actually at a lower address on the stack than name, so we only have to go to the 7th \"argument\" in printf to leak the secret:

    $ ./fmt_string\n%7$llx\nHello 8badf00d3ea43eef\n! You'll never get my secret!\n
    "}, {"location": "binary-exploitation/what-is-binary-security/", "title": "Binary Security", "text": "

    Binary Security is using tools and methods in order to secure programs from being manipulated and exploited. This tools are not infallible, but when used together and implemented properly, they can raise the difficulty of exploitation greatly.

    Some methods covered include:

    • No eXecute (NX)
    • Address Space Layout Randomization (ASLR)
    • Relocation Read-Only (RELRO)
    • Stack Canaries/Cookies
    "}, {"location": "binary-exploitation/what-is-the-got/", "title": "GOT", "text": "

    The Global Offset Table (or GOT) is a section inside of programs that holds addresses of functions that are dynamically linked. As mentioned in the page on calling conventions, most programs don't include every function they use to reduce binary size. Instead, common functions (like those in libc) are \"linked\" into the program so they can be saved once on disk and reused by every program.

    Unless a program is marked full RELRO, the resolution of function to address in dynamic library is done lazily. All dynamic libraries are loaded into memory along with the main program at launch, however functions are not mapped to their actual code until they're first called. For example, in the following C snippet puts won't be resolved to an address in libc until after it has been called once:

    int main() {\n    puts(\"Hi there!\");\n    puts(\"Ok bye now.\");\n    return 0;\n}\n

    To avoid searching through shared libraries each time a function is called, the result of the lookup is saved into the GOT so future function calls \"short circuit\" straight to their implementation bypassing the dynamic resolver.

    This has two important implications:

    1. The GOT contains pointers to libraries which move around due to ASLR
    2. The GOT is writable

    These two facts will become very useful to use in Return Oriented Programming

    "}, {"location": "binary-exploitation/what-is-the-got/#plt", "title": "PLT", "text": "

    Before a functions address has been resolved, the GOT points to an entry in the Procedure Linkage Table (PLT). This is a small \"stub\" function which is responsible for calling the dynamic linker with (effectively) the name of the function that should be resolved.

    "}, {"location": "binary-exploitation/what-is-the-heap/", "title": "The Heap", "text": "

    The heap is a place in memory which a program can use to dynamically create objects. Creating objects on the heap has some advantages compared to using the stack:

    • Heap allocations can be dynamically sized
    • Heap allocations \"persist\" when a function returns

    There are also some disadvantages however:

    • Heap allocations can be slower
    • Heap allocations must be manually cleaned up
    "}, {"location": "binary-exploitation/what-is-the-heap/#using-the-heap", "title": "Using the heap", "text": "

    In C, there are a number of functions used to interact with the heap, but we're going to focus on the two core ones:

    • malloc: allocate n bytes on the heap
    • free: free the given allocation

    Let's see how these could be used in a program:

    #include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n    unsigned alloc_size = 0;\n    char *stuff;\n\n    printf(\"Number of bytes? \");\n    scanf(\"%u\", &alloc_size);\n\n    stuff = malloc(alloc_size + 1);\n    memset(0, stuff, alloc_size + 1);\n\n    read(0, stuff, alloc_size);\n\n    printf(\"You wrote: %s\", stuff);\n\n    free(stuff);\n\n    return 0;\n}\n

    This program reads in a size from the user, creates an allocation of that size on the heap, reads in that many bytes, then prints it back out to the user.

    "}, {"location": "binary-exploitation/what-is-the-stack/", "title": "The Stack", "text": "

    In computer architecture, the stack is a hardware manifestation of the stack data structure (a Last In, First Out queue).

    In x86, the stack is simply an area in RAM that was chosen to be the stack - there is no special hardware to store stack contents. The esp/rsp register holds the address in memory where the bottom of the stack resides. When something is pushed to the stack, esp decrements by 4 (or 8 on 64-bit x86), and the value that was pushed is stored at that location in memory. Likewise, when a pop instruction is executed, the value at esp is retrieved (i.e. esp is dereferenced), and esp is then incremented by 4 (or 8).

    N.B. The stack \"grows\" down to lower memory addresses!

    Conventionally, ebp/rbp contains the address of the top of the current stack frame, and so sometimes local variables are referenced as an offset relative to ebp rather than an offset to esp. A stack frame is essentially just the space used on the stack by a given function.

    "}, {"location": "binary-exploitation/what-is-the-stack/#uses", "title": "Uses", "text": "

    The stack is primarily used for a few things:

    • Storing function arguments
    • Storing local variables
    • Storing processor state between function calls
    "}, {"location": "binary-exploitation/what-is-the-stack/#example", "title": "Example", "text": "

    Let's see what the stack looks like right after say_hi has been called in this 32-bit x86 C program:

    #include <stdio.h>\n\nvoid say_hi(const char * name) {\n    printf(\"Hello %s!\\n\", name);\n}\n\nint main(int argc, char ** argv) {\n    char * name;\n    if (argc != 2) {\n        return 1;\n    }\n    name = argv[1];\n    say_hi(name);\n    return 0;\n}\n

    And the relevant assembly:

    0804840b <say_hi>:\n 804840b:   55                      push   ebp\n 804840c:   89 e5                   mov    ebp,esp\n 804840e:   83 ec 08                sub    esp,0x8\n 8048411:   83 ec 08                sub    esp,0x8\n 8048414:   ff 75 08                push   DWORD PTR [ebp+0x8]\n 8048417:   68 f0 84 04 08          push   0x80484f0\n 804841c:   e8 bf fe ff ff          call   80482e0 <printf@plt>\n 8048421:   83 c4 10                add    esp,0x10\n 8048424:   90                      nop\n 8048425:   c9                      leave\n 8048426:   c3                      ret\n\n08048427 <main>:\n 8048427:   8d 4c 24 04             lea    ecx,[esp+0x4]\n 804842b:   83 e4 f0                and    esp,0xfffffff0\n 804842e:   ff 71 fc                push   DWORD PTR [ecx-0x4]\n 8048431:   55                      push   ebp\n 8048432:   89 e5                   mov    ebp,esp\n 8048434:   51                      push   ecx\n 8048435:   83 ec 14                sub    esp,0x14\n 8048438:   89 c8                   mov    eax,ecx\n 804843a:   83 38 02                cmp    DWORD PTR [eax],0x2\n 804843d:   74 07                   je     8048446 <main+0x1f>\n 804843f:   b8 01 00 00 00          mov    eax,0x1\n 8048444:   eb 1c                   jmp    8048462 <main+0x3b>\n 8048446:   8b 40 04                mov    eax,DWORD PTR [eax+0x4]\n 8048449:   8b 40 04                mov    eax,DWORD PTR [eax+0x4]\n 804844c:   89 45 f4                mov    DWORD PTR [ebp-0xc],eax\n 804844f:   83 ec 0c                sub    esp,0xc\n 8048452:   ff 75 f4                push   DWORD PTR [ebp-0xc]\n 8048455:   e8 b1 ff ff ff          call   804840b <say_hi>\n 804845a:   83 c4 10                add    esp,0x10\n 804845d:   b8 00 00 00 00          mov    eax,0x0\n 8048462:   8b 4d fc                mov    ecx,DWORD PTR [ebp-0x4]\n 8048465:   c9                      leave\n 8048466:   8d 61 fc                lea    esp,[ecx-0x4]\n 8048469:   c3                      ret\n

    Skipping over the bulk of main, you'll see that at 0x8048452 main's name local is pushed to the stack because it's the first argument to say_hi. Then, a call instruction is executed. call instructions first push the current instruction pointer to the stack, then jump to their destination. So when the processor begins executing say_hi at 0x0804840b, the stack looks like this:

    EIP = 0x0804840b (push ebp)\nESP = 0xffff0000\nEBP = 0xffff002c\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\nESP ->  0xffff0000: 0x0804845a              // Return address for say_hi\n

    The first thing say_hi does is save the current ebp so that when it returns, ebp is back where main expects it to be. The stack now looks like this:

    EIP = 0x0804840c (mov ebp, esp)\nESP = 0xfffefffc\nEBP = 0xffff002c\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\n        0xffff0000: 0x0804845a              // Return address for say_hi\nESP ->  0xfffefffc: 0xffff002c              // Saved EBP\n

    Again, note how esp gets smaller when values are pushed to the stack.

    Next, the current esp is saved into ebp, marking the top of the new stack frame.

    EIP = 0x0804840e (sub esp, 0x8)\nESP = 0xfffefffc\nEBP = 0xfffefffc\n\n            0xffff0004: 0xffffa0a0              // say_hi argument 1\n            0xffff0000: 0x0804845a              // Return address for say_hi\nESP, EBP -> 0xfffefffc: 0xffff002c              // Saved EBP\n

    Then, the stack is \"grown\" to accommodate local variables inside say_hi.

    EIP = 0x08048414 (push [ebp + 0x8])\nESP = 0xfffeffec\nEBP = 0xfffefffc\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\n        0xffff0000: 0x0804845a              // Return address for say_hi\nEBP ->  0xfffefffc: 0xffff002c              // Saved EBP\n        0xfffefff8: UNDEFINED\n        0xfffefff4: UNDEFINED\n        0xfffefff0: UNDEFINED\nESP ->  0xfffefffc: UNDEFINED\n

    NOTE: stack space is not implictly cleared!

    Now, the 2 arguments to printf are pushed in reverse order.

    EIP = 0x0804841c (call printf@plt)\nESP = 0xfffeffe4\nEBP = 0xfffefffc\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\n        0xffff0000: 0x0804845a              // Return address for say_hi\nEBP ->  0xfffefffc: 0xffff002c              // Saved EBP\n        0xfffefff8: UNDEFINED\n        0xfffefff4: UNDEFINED\n        0xfffefff0: UNDEFINED\n        0xfffeffec: UNDEFINED\n        0xfffeffe8: 0xffffa0a0              // printf argument 2\nESP ->  0xfffeffe4: 0x080484f0              // printf argument 1\n

    Finally, printf is called, which pushes the address of the next instruction to execute.

    EIP = 0x080482e0\nESP = 0xfffeffe4\nEBP = 0xfffefffc\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\n        0xffff0000: 0x0804845a              // Return address for say_hi\nEBP ->  0xfffefffc: 0xffff002c              // Saved EBP\n        0xfffefff8: UNDEFINED\n        0xfffefff4: UNDEFINED\n        0xfffefff0: UNDEFINED\n        0xfffeffec: UNDEFINED\n        0xfffeffe8: 0xffffa0a0              // printf argument 2\n        0xfffeffe4: 0x080484f0              // printf argument 1\nESP ->  0xfffeffe0: 0x08048421              // Return address for printf\n

    Once printf has returned, the leave instruction moves ebp into esp, and pops the saved EBP.

    EIP = 0x08048426 (ret)\nESP = 0xfffefffc\nEBP = 0xffff002c\n\n        0xffff0004: 0xffffa0a0              // say_hi argument 1\nESP ->  0xffff0000: 0x0804845a              // Return address for say_hi\n

    And finally, ret pops the saved instruction pointer into eip which causes the program to return to main with the same esp, ebp, and stack contents as when say_hi was initially called.

    EIP = 0x0804845a (add esp, 0x10)\nESP = 0xffff0000\nEBP = 0xffff002c\n\nESP ->  0xffff0004: 0xffffa0a0              // say_hi argument 1\n
    "}, {"location": "cryptography/overview/", "title": "Overview", "text": ""}, {"location": "cryptography/overview/#cryptography", "title": "Cryptography", "text": "

    Cryptography is the reason we can use banking apps, transmit sensitive information over the web, and in general protect our privacy. However, a large part of CTFs is breaking widely used encryption schemes which are improperly implemented. The math may seem daunting, but more often than not, a simple understanding of the underlying principles will allow you to find flaws and crack the code.

    The word \u201ccryptography\u201d technically means the art of writing codes. When it comes to digital forensics, it\u2019s a method you can use to understand how data is constructed for your analysis.

    "}, {"location": "cryptography/overview/#what-is-cryptography-used-for", "title": "What is cryptography used for?", "text": "

    Uses in every day software

    • Securing web traffic (passwords, communication, etc.)
    • Securing copyrighted software code

    Malicious uses

    • Hiding malicious communication
    • Hiding malicious code
    "}, {"location": "cryptography/overview/#topics", "title": "Topics", "text": "
    • XOR
    • Cesear Cipher
    • Substitution Cipher
    • Vigenere Cipher
    • Hashing Functions
    • Block Ciphers
    • Stream Ciphers
    • RSA
    "}, {"location": "cryptography/what-are-block-ciphers/", "title": "Block Ciphers", "text": "

    A Block Cipher is an algorithm which is used in conjunction with a cryptosystem in order to package a message into evenly distributed 'blocks' which are encrypted one at a time.

    "}, {"location": "cryptography/what-are-block-ciphers/#definitions", "title": "Definitions", "text": "
    • Mode of Operation: How a block cipher is applied to an amount of data which exceeds a block's size
    • Initialization Vector (IV): A sequence of bytes which is used to randomize encryption even if the same plaintext is encrypted
    • Starting Variable (SV): Similar to the IV, except it is used during the first block to provide a random seed during encryption
    • Padding: Padding is used to ensure that the block sizes all line up and ensure the last block fits the block cipher
    • Plaintext: Unencrypted text; Data without obfuscation
    • Key: A secret used to encrypt plaintext
    • Ciphertext: Plaintext encrypted with a key
    "}, {"location": "cryptography/what-are-block-ciphers/#common-block-ciphers", "title": "Common Block Ciphers", "text": "Mode Formulas Ciphertext ECB Y~i~ = F(PlainText~i~, Key) Y~i~ CBC Y~i~ = PlainText~i~ XOR Ciphertext~i-1~ F(Y, key); Ciphertext~0~ = IV PCBC Y~i~ = PlainText~i~ XOR (Ciphertext~i-1~ XOR PlainText~i-1~) F(Y, key); Ciphertext~0~ = IV CFB Y~i~ = Ciphertext~i-1~ Plaintext XOR F(Y, key); Ciphertext~0~ = IV OFB Y~i~ = F(Key, I~i-1~);Y~0~=IV Plaintext XOR Y~i~ CTR Y~i~ = F(Key, IV + g(i));IV = token(); Plaintext XOR Y~i~

    Note

    In this case ~i~ represents an index over the # of blocks in the plaintext. F() and g() represent the function used to convert plaintext into ciphertext.

    "}, {"location": "cryptography/what-are-block-ciphers/#electronic-codebook-ecb", "title": "Electronic Codebook (ECB)", "text": "

    ECB is the most basic block cipher, it simply chunks up plaintext into blocks and independently encrypts those blocks and chains them all into a ciphertext.

    "}, {"location": "cryptography/what-are-block-ciphers/#flaws", "title": "Flaws", "text": "

    Because ECB independently encrypts the blocks, patterns in data can still be seen clearly, as shown in the CBC Penguin image below.

    Original Image ECB Image Other Block Cipher Modes"}, {"location": "cryptography/what-are-block-ciphers/#cipher-block-chaining-cbc", "title": "Cipher Block Chaining (CBC)", "text": "

    CBC is an improvement upon ECB where an Initialization Vector is used in order to add randomness. The encrypted previous block is used as the IV for each sequential block meaning that the encryption process cannot be parallelized. CBC has been declining in popularity due to a variety of

    Note

    Even though the encryption process cannot be parallelized, the decryption process can be parallelized. If the wrong IV is used for decryption it will only affect the first block as the decryption of all other blocks depends on the ciphertext not the plaintext.

    "}, {"location": "cryptography/what-are-block-ciphers/#propogating-cipher-block-chaining-pcbc", "title": "Propogating Cipher Block Chaining (PCBC)", "text": "

    PCBC is a less used cipher which modifies CBC so that decryption is also not parallelizable. It also cannot be decrypted from any point as changes made during the decryption and encryption process \"propogate\" throughout the blocks, meaning that both the plaintext and ciphertext are used when encrypting or decrypting as seen in the images below.

    "}, {"location": "cryptography/what-are-block-ciphers/#counter-ctr", "title": "Counter (CTR)", "text": "

    Note

    Counter is also known as CM, integer counter mode (ICM), and segmented integer counter (SIC)

    CTR mode makes the block cipher similar to a stream cipher and it functions by adding a counter with each block in combination with a nonce and key to XOR the plaintext to produce the ciphertext. Similarly, the decryption process is the exact same except instead of XORing the plaintext, the ciphertext is XORed. This means that the process is parallelizable for both encryption and decryption and you can begin from anywhere as the counter for any block can be deduced easily.

    "}, {"location": "cryptography/what-are-block-ciphers/#security-considerations", "title": "Security Considerations", "text": "

    If the nonce chosen is non-random, it is important to concatonate the nonce with the counter (high 64 bits to the nonce, low 64 bits to the counter) as adding or XORing the nonce with the counter would break security as an attacker can cause a collisions with the nonce and counter. An attacker with access to providing a plaintext, nonce and counter can then decrypt a block by using the ciphertext as seen in the decryption image.

    "}, {"location": "cryptography/what-are-block-ciphers/#padding-oracle-attack", "title": "Padding Oracle Attack", "text": "

    A Padding Oracle Attack sounds complex, but essentially means abusing a block cipher by changing the length of input and being able to determine the plaintext.

    "}, {"location": "cryptography/what-are-block-ciphers/#requirements", "title": "Requirements", "text": "
    • An oracle, or program, which encrypts data using CBC
    • Continual use of the same key
    "}, {"location": "cryptography/what-are-block-ciphers/#execution", "title": "Execution", "text": "
    1. If we have two blocks of ciphertext, C~1~ and C~2~, we can get the plaintext P~2~
    2. Since we know that CBC decryptionis dependent on the prior ciphertext, if we change the last byte of C~1~ we can see if C~2~ has correct padding
    3. If it is correctly padded we know that the last byte of the plaintext
    4. If not, we can increase our byte by one and repeat until we have a successful padding
    5. We then repeat this for all successive bytes following C~1~ and if the block is 16 bytes we can expect a maximum of 4080 attempts which is trivial
    "}, {"location": "cryptography/what-are-hashing-functions/", "title": "Hashing Functions", "text": "

    Hashing functions are one way functions which theoretically provide a unique output for every input. MD5, SHA-1, and other hashes which were considered secure are now found to have collisions or two different pieces of data which produce the same supposed unique output.

    "}, {"location": "cryptography/what-are-hashing-functions/#string-hashing", "title": "String Hashing", "text": "

    A string hash is a number or string generated using an algorithm that runs on text or data.

    The idea is that each hash should be unique to the text or data (although sometimes it isn\u2019t). For example, the hash for \u201cdog\u201d should be different from other hashes.

    You can use command line tools tools or online resources such as this one. Example: $ echo -n password | md5 5f4dcc3b5aa765d61d8327deb882cf99 Here, \u201cpassword\u201d is hashed with different hashing algorithms:

    • SHA-1: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    • SHA-2: 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
    • MD5: 5F4DCC3B5AA765D61D8327DEB882CF99
    • CRC32: BBEDA74F

    Generally, when verifying a hash visually, you can simply look at the first and last four characters of the string.

    "}, {"location": "cryptography/what-are-hashing-functions/#file-hashing", "title": "File Hashing", "text": "

    A file hash is a number or string generated using an algorithm that is run on text or data. The premise is that it should be unique to the text or data. If the file or text changes in any way, the hash will change.

    What is it used for? - File and data identification - Password/certificate storage comparison

    How can we determine the hash of a file? You can use the md5sum command (or similar).

    $ md5sum samplefile.txt\n3b85ec9ab2984b91070128be6aae25eb samplefile.txt\n
    "}, {"location": "cryptography/what-are-hashing-functions/#hash-collisions", "title": "Hash Collisions", "text": "

    A collision is when two pieces of data or text have the same cryptographic hash. This is very rare.

    What\u2019s significant about collisions is that they can be used to crack password hashes. Passwords are usually stored as hashes on a computer, since it\u2019s hard to get the passwords from hashes.

    If you bruteforce by trying every possible piece of text or data, eventually you\u2019ll find something with the same hash. Enter it, and the computer accepts it as if you entered the actual password.

    Two different files on the same hard drive with the same cryptographic hash can be very interesting.

    \u201cIt\u2019s now well-known that the cryptographic hash function MD5 has been broken,\u201d said Peter Selinger of Dalhousie University. \u201cIn March 2005, Xiaoyun Wang and Hongbo Yu of Shandong University in China published an article in which they described an algorithm that can find two different sequences of 128 bytes with the same MD5 hash.\u201d

    For example, he cited this famous pair:

    and

    Each of these blocks has MD5 hash 79054025255fb1a26e4bc422aef54eb4.

    Selinger said that \u201cthe algorithm of Wang and Yu can be used to create files of arbitrary length that have identical MD5 hashes, and that differ only in 128 bytes somewhere in the middle of the file. Several people have used this technique to create pairs of interesting files with identical MD5 hashes.\u201d

    Ben Laurie has a nice website that visualizes this MD5 collision. For a non-technical, though slightly outdated, introduction to hash functions, see Steve Friedl\u2019s Illustrated Guide. And here\u2019s a good article from DFI News that explores the same topic.

    "}, {"location": "cryptography/what-are-stream-ciphers/", "title": "Stream Ciphers", "text": "

    A Stream Cipher is used for symmetric key cryptography, or when the same key is used to encrypt and decrypt data. Stream Ciphers encrypt pseudorandom sequences with bits of plaintext in order to generate ciphertext, usually with XOR. A good way to think about Stream Ciphers is to think of them as generating one-time pads from a given state.

    "}, {"location": "cryptography/what-are-stream-ciphers/#definitions", "title": "Definitions", "text": "
    • A keystream is a sequence of pseudorandom digits which extend to the length of the plaintext in order to uniquely encrypt each character based on the corresponding digit in the keystream
    "}, {"location": "cryptography/what-are-stream-ciphers/#one-time-pads", "title": "One Time Pads", "text": "

    A one time pad is an encryption mechanism whereby the entire plaintext is XOR'd with a random sequence of numbers in order to generate a random ciphertext. The advantage of the one time pad is that it offers an immense amount of security BUT in order for it to be useful, the randomly generated key must be distributed on a separate secure channel, meaning that one time pads have little use in modern day cryptographic applications on the internet. Stream ciphers extend upon this idea by using a key, usually 128 bit in length, in order to seed a pseudorandom keystream which is used to encrypt the text.

    "}, {"location": "cryptography/what-are-stream-ciphers/#types-of-stream-ciphers", "title": "Types of Stream Ciphers", "text": ""}, {"location": "cryptography/what-are-stream-ciphers/#synchronous-stream-ciphers", "title": "Synchronous Stream Ciphers", "text": "

    A Synchronous Stream Cipher generates a keystream based on internal states not related to the plaintext or ciphertext. This means that the stream is generated pseudorandomly outside of the context of what is being encrypted. A binary additive stream cipher is the term used for a stream cipher which XOR's the bits with the bits of the plaintext. Encryption and decryption require that the synchronus state cipher be in the same state, otherwise the message cannot be decrypted.

    "}, {"location": "cryptography/what-are-stream-ciphers/#self-synchronizing-stream-ciphers", "title": "Self-synchronizing Stream Ciphers", "text": "

    A Self-synchronizing Stream Cipher, also known as an asynchronous stream cipher or ciphertext autokey (CTAK), is a stream cipher which uses the previous N digits in order to compute the keystream used for the next N characters.

    Note

    Seems a lot like block ciphers doesn't it? That's because block cipher feedback mode (CFB) is an example of a self-synchronizing stream ciphers.

    "}, {"location": "cryptography/what-are-stream-ciphers/#stream-cipher-vulnerabilities", "title": "Stream Cipher Vulnerabilities", "text": ""}, {"location": "cryptography/what-are-stream-ciphers/#key-reuse", "title": "Key Reuse", "text": "

    The key tenet of using stream ciphers securely is to NEVER repeat key use because of the communative property of XOR. If C~1~ and C~2~ have been XOR'd with a key K, retrieving that key K is trivial because C~1~ XOR C~2~ = P~1~ XOR P~2~ and having an english language based XOR means that cryptoanalysis tools such as a character frequency analysis will work well due to the low entropy of the english language.

    "}, {"location": "cryptography/what-are-stream-ciphers/#bit-flipping-attack", "title": "Bit-flipping Attack", "text": "

    Another key tenet of using stream ciphers securely is considering that just because a message has been decrypted, it does not mean the message has not been tampered with. Because decryption is based on state, if an attacker knows the layout of the plaintext, a Man in the Middle (MITM) attack can flip a bit during transit altering the underlying ciphertext. If a ciphertext decrypts to 'Transfer $1000', then a middleman can flip a single bit in order for the ciphertext to decrypt to 'Transfer $9000' because changing a single character in the ciphertext does not affect the state in a synchronus stream cipher.

    "}, {"location": "cryptography/what-is-a-substitution-cipher/", "title": "Substitution Cipher", "text": "

    A Substitution Cipher is system of encryption where different symobls substitute a normal alphabet.

    "}, {"location": "cryptography/what-is-a-vigenere-cipher/", "title": "Vigenere Cipher", "text": "

    A Vigenere Cipher is an extended Caesar Cipher where a message is encrypted using various Caesar shifted alphabets.

    The following table can be used to encode a message:

    "}, {"location": "cryptography/what-is-a-vigenere-cipher/#encryption", "title": "Encryption", "text": "

    For example, encrypting the text SUPERSECRET with CODE would follow this process:

    1. CODE gets padded to the length of SUPERSECRET so the key becomes CODECODECOD
    2. For each letter in SUPERSECRET we use the table to get the Alphabet to use, in this instance row C and column S
    3. The ciphertext's first letter then becomes U
    4. We eventually get UISITGHGTSW
    "}, {"location": "cryptography/what-is-a-vigenere-cipher/#decryption", "title": "Decryption", "text": "
    1. Go to the row of the key, in this case C
    2. Find the letter of the cipher text in this row, in this case U
    3. The column is the first letter of the decrypted ciphertext, so we get S
    4. After repeating this process we get back to SUPERSECRET
    "}, {"location": "cryptography/what-is-caesar-cipher-rot-13/", "title": "Caesar Cipher/ROT 13", "text": "

    The Caesar Cipher or Caesar Shift is a cipher which uses the alphabet in order to encode texts.

    CAESAR encoded with a shift of 8 is KIMAIZ so ABCDEFGHIJKLMNOPQRSTUVWXYZ becomes IJKLMNOPQRSTUVWXYZABCDEFGH

    ROT13 is the same thing but a fixed shift of 13, this is a trivial cipher to bruteforce because there are only 25 shifts.

    "}, {"location": "cryptography/what-is-rsa/", "title": "RSA", "text": "

    RSA, which is an abbreviation of the author's names (Rivest\u2013Shamir\u2013Adleman), is a cryptosystem which allows for asymmetric encryption. Asymmetric cryptosystems are alos commonly referred to as Public Key Cryptography where a public key is used to encrypt data and only a secret, private key can be used to decrypt the data.

    "}, {"location": "cryptography/what-is-rsa/#definitions", "title": "Definitions", "text": "
    • The Public Key is made up of (n, e)
    • The Private Key is made up of (n, d)
    • The message is represented as m and is converted into a number
    • The encrypted message or ciphertext is represented by c
    • p and q are prime numbers which make up n
    • e is the public exponent
    • n is the modulus and its length in bits is the bit length (i.e. 1024 bit RSA)
    • d is the private exponent
    • The totient \u03bb(n) is used to compute d and is equal to the lcm(p-1, q-1), another definition for \u03bb(n) is that \u03bb(pq) = lcm(\u03bb(p), \u03bb(q))
    "}, {"location": "cryptography/what-is-rsa/#what-makes-rsa-viable", "title": "What makes RSA viable?", "text": "

    If public n, public e, private d are all very large numbers and a message m holds true for 0 < m < n, then we can say:

    (m^e^)^d^ \u2261 m (mod n)

    Note

    The triple equals sign in this case refers to modular congruence which in this case means that there exists an integer k such that (m^e^)^d^ = kn + m

    RSA is viable because it is incredibly hard to find d even with m, n, and e because factoring large numbers is an arduous process.

    "}, {"location": "cryptography/what-is-rsa/#implementation", "title": "Implementation", "text": "

    RSA follows 4 steps to be implemented: 1. Key Generation 2. Encryption 3. Decryption

    "}, {"location": "cryptography/what-is-rsa/#key-generation", "title": "Key Generation", "text": "

    We are going to follow along Wikipedia's small numbers example in order to make this idea a bit easier to understand.

    Note

    In This example we are using Carmichael's totient function where \u03bb(n) = lcm(\u03bb(p), \u03bb(q)), but Euler's totient function is perfectly valid to use with RSA. Euler's totient is \u03c6(n) = (p \u2212 1)(q \u2212 1)

    1. Choose two prime numbers such as:
      • p = 61 and q = 53
    2. Find n:
      • n = pq = 3233
    3. Calculate \u03bb(n) = lcm(p-1, q-1)

      • \u03bb(3233) = lcm(60, 52) = 780
    4. Choose a public exponent such that 1 < e < \u03bb(n) and is coprime (not a factor of) \u03bb(n). The standard is most cases is 65537, but we will be using:

      • e = 17
    5. Calculate d as the modular multiplicative inverse or in english find d such that: d x e mod \u03bb(n) = 1
      • d x 17 mod 780 = 1
      • d = 413

    Now we have a public key of (3233, 17) and a private key of (3233, 413)

    "}, {"location": "cryptography/what-is-rsa/#encryption", "title": "Encryption", "text": "

    With the public key, m can be encrypted trivially

    The ciphertext is equal to m^e^ mod n or:

    c = m^17^ mod 3233

    "}, {"location": "cryptography/what-is-rsa/#decryption", "title": "Decryption", "text": "

    With the private key, m can be decrypted trivially as well

    The plaintext is equal to c^d^ mod n or:

    m = c^413^ mod 3233

    "}, {"location": "cryptography/what-is-rsa/#exploitation", "title": "Exploitation", "text": "

    From the RsaCtfTool README

    Attacks:

    • Weak public key factorization
    • Wiener's attack
    • Hastad's attack (Small public exponent attack)
    • Small q (q < 100,000)
    • Common factor between ciphertext and modulus attack
    • Fermat's factorisation for close p and q
    • Gimmicky Primes method
    • Past CTF Primes method
    • Self-Initializing Quadratic Sieve (SIQS) using Yafu
    • Common factor attacks across multiple keys
    • Small fractions method when p/q is close to a small fraction
    • Boneh Durfee Method when the private exponent d is too small compared to the modulus (i.e d < n^0.292^)
    • Elliptic Curve Method
    • Pollards p-1 for relatively smooth numbers
    • Mersenne primes factorization
    "}, {"location": "cryptography/what-is-xor/", "title": "XOR", "text": ""}, {"location": "cryptography/what-is-xor/#data-representation", "title": "Data Representation", "text": "

    Data can be represented in different bases, an 'A' needs to be a numerical representation of Base 2 or binary so computers can understand them

    "}, {"location": "cryptography/what-is-xor/#xor-basics", "title": "XOR Basics", "text": "

    An XOR or eXclusive OR is a bitwise operation indicated by ^ and shown by the following truth table:

    A B A ^ B 0 0 0 0 1 1 1 0 1 1 1 0

    So what XOR'ing bytes in the action 0xA0 ^ 0x2C translates to is:

    1 0 1 0 0 0 0 0 0 0 1 0 1 1 0 0 1 0 0 0 1 1 0 0

    0b10001100 is equivelent to 0x8C, a cool property of XOR is that it is reversable meaning 0x8C ^ 0x2C = 0xA0 and 0x8C ^ 0xA0 = 0x2C

    "}, {"location": "cryptography/what-is-xor/#what-does-this-have-to-do-with-ctf", "title": "What does this have to do with CTF?", "text": "

    XOR is a cheap way to encrypt data with a password. Any data can be encrypted using XOR as shown in this Python example:

    >>> data = 'CAPTURETHEFLAG'\n>>> key = 'A'\n>>> encrypted = ''.join([chr(ord(x) ^ ord(key)) for x in data])\n>>> encrypted\n'\\x02\\x00\\x11\\x15\\x14\\x13\\x04\\x15\\t\\x04\\x07\\r\\x00\\x06'\n>>> decrypted = ''.join([chr(ord(x) ^ ord(key)) for x in encrypted])\n>>> decrypted\n'CAPTURETHEFLAG'\n

    This can be extended using a multibyte key by iterating in parallel with the data.

    "}, {"location": "cryptography/what-is-xor/#exploiting-xor-encryption", "title": "Exploiting XOR Encryption", "text": ""}, {"location": "cryptography/what-is-xor/#single-byte-xor-encryption", "title": "Single Byte XOR Encryption", "text": "

    Single Byte XOR Encryption is trivial to bruteforce as there are only 255 key combinations to try.

    "}, {"location": "cryptography/what-is-xor/#multibyte-xor-encryption", "title": "Multibyte XOR Encryption", "text": "

    Multibyte XOR gets exponentially harder the longer the key, but if the encrypted text is long enough, character frequency analysis is a viable method to find the key. Character Frequency Analysis means that we split the cipher text into groups based on the number of characters in the key. These groups then are bruteforced using the idea that some letters appear more frequently in the english alphabet than others.

    "}, {"location": "faq/connecting-to-services/", "title": "How to connect to services", "text": "

    Note

    While service challenges are often connected to with netcat or PuTTY, solving them will sometimes require using a scripting language like Python. CTF players often use Python alongside pwntools.

    You can run pwntools right in your browser by using repl.it.

    "}, {"location": "faq/connecting-to-services/#using-netcat", "title": "Using netcat", "text": "

    netcat is a networking utility found on macOS and linux operating systems and allows for easy connections to CTF challenges. Service challenges will commonly give you an address and a port to connect to. The syntax for connecting to a service challenge with netcat is nc <ip> <port>.

    "}, {"location": "faq/connecting-to-services/#using-conemu", "title": "Using ConEmu", "text": "

    Windows users can connect to service challenges using ConEmu, which can be downloaded here. Connecting to service challenges with ConEmu is done by running nc <ip> <port>.

    "}, {"location": "faq/i-need-a-server/", "title": "I need a server", "text": "

    Occasionally, certain kinds of exploits will require a server to connect back to. Some examples are connect back shellcode, cross site request forgery (CSRF), or blind cross site scripting (XSS).

    "}, {"location": "faq/i-need-a-server/#i-just-a-web-server", "title": "I just a web server", "text": "

    If you just need a web server to host simple static websites or check access logs, we recommend using PythonAnywhere to host a simple web application. You can program a simple web application in popular Python web frameworks (e.g. Flask) and host it there for free.

    "}, {"location": "faq/i-need-a-server/#i-need-a-real-server", "title": "I need a real server", "text": "

    If you need a real server (perhaps to run complex calculations or for shellcode to connect back to), we recommend DigitalOcean. DigitalOcean has a cheap $4-6/month plan for a small server that can be freely configured to do whatever you need.

    "}, {"location": "faq/recommended-software/", "title": "Recommended Software", "text": "

    Generally in cyber security competitions, it is up to you and your team to determine what software to use. In some cases you may even end up creating new tools to give you an edge! That being said, here are some applications that we recommend for most competitors for most competitions.

    "}, {"location": "faq/recommended-software/#disassemblersdecompilers", "title": "Disassemblers/Decompilers", "text": "
    • Ghidra

      Ghidra is a disassembler and decompiler that is open source and free to use. Released by the NSA, Ghidra is a capable tool and is the recommended disassembler for most use cases. An alternative is IDA Pro (a cyber security industry standard), however IDA Pro is not free and licenses are very expensive.

    • Binary Ninja

      Binary Ninja is a commercial disassembler (with a free demo application) that provides an aesthetic and easy to use interface for binary reverse engineering. It also has a Web-UI which can be used freely. Binary Ninja's API and intermediate language make it superior than other disassemblers for certain use cases.

    "}, {"location": "faq/recommended-software/#debuggers", "title": "Debuggers", "text": "
    • Pwndbg for GDB

      Pwndbg is a plugin for the GNU Debugger (gdb) which makes it easier to dynamically reverse an application by stepping through its execution. In order to use pwndbg you will first need to have gdb installed via a Linux virtual machine or similar.

    • WinDbg

      WinDbg is a debugger for Windows applications.

    "}, {"location": "faq/recommended-software/#web-tools", "title": "Web Tools", "text": "
    • Burp Suite

      Burp Suite is an HTTP proxy and set of tools which allow you to view, edit and replay your HTTP requests. While Burp Suite is a commercial tool, it offers a free version which is very capable and usually all that's needed.

    • sqlmap

      sqlmap is a penetration testing tool that automates hte process of detecting and exploiting SQL injection flaws. It's open source and freely available.

    • Google Chrome

      Google Chrome is a web browser with a suite of developer tools and extensions. These tools and extensions can be useful when investigating a web application.

    • Wireshark

      Wireshark is a PCAP analysis tool which allows you to analyze and record network traffic.

    "}, {"location": "faq/recommended-software/#virtualization", "title": "Virtualization", "text": "
    • VMware

      VMware is a company that creates virtualization software that allows you to run other operating systems within your existing operating system. While their products are not generally free, their software is best in class for virtualization.

      VMWare Fusion, VMWare Workstation, and VMWare Player are three of their virtualization products that can be used on your computer to run other OS'es. VMWare Player is free to use for Windows and Linux.

    • VirtualBox

      VirtualBox is open source virtualization software which allows you to virtualize other operating systems. It's very similar to VMWare products but free for all OS'es. It is generally slower than VMWare but works well enough for most people.

    "}, {"location": "faq/recommended-software/#programming", "title": "Programming", "text": "
    • Python

      Python is an easy-to-learn, widely used programming language which supports complex applications as well as small scripts. It has a large community which provides thousands of useful packages. Python is widely used in the cyber security industry and is generally the recommended language to use in CTF competition.

    • pwntools

      Pwntools is a Python package which makes interacting with processes and networks easy. It is a recommended library for interacting with binary exploitation and networking based CTF challenges.

      Note

      You can run pwntools right in your browser by using repl.it. Create a new Python repl and install the pwntools package. After that you'll be able to use pwntools directly from your browser without having to install anything.

    "}, {"location": "faq/recommended-software/#miscellaneous", "title": "Miscellaneous", "text": "
    • CyberChef

      CyberChef is a simple web app for analysing and decoding data without having to deal with complex tools or programming languages.

    "}, {"location": "forensics/overview/", "title": "Forensics", "text": "

    Forensics is the art of recovering the digital trail left on a computer. There are plenty of methods to find data which is seemingly deleted, not stored, or worse, covertly recorded.

    An important part of forensics is having the right tools, as well as being familiar with the following topics:

    • File Formats
    • EXIF data
    • Wireshark & PCAPs
      • What is Wireshark
    • Stegonagraphy
    • Disk Imaging
    "}, {"location": "forensics/what-are-file-formats/", "title": "File Formats", "text": "

    File Extensions are not the sole way to identify the type of a file, files have certain leading bytes called file signatures which allow programs to parse the data in a consistent manner. Files can also contain additional \"hidden\" data called metadata which can be useful in finding out information about the context of a file's data.

    "}, {"location": "forensics/what-are-file-formats/#file-signatures", "title": "File Signatures", "text": "

    File signatures (also known as File Magic Numbers) are bytes within a file used to identify the format of the file. Generally they\u2019re 2-4 bytes long, found at the beginning of a file.

    "}, {"location": "forensics/what-are-file-formats/#what-is-it-used-for", "title": "What is it used for?", "text": "

    Files can sometimes come without an extension, or with incorrect ones. We use file signature analysis to identify the format (file type) of the file. Programs need to know the file type in order to open it properly.

    "}, {"location": "forensics/what-are-file-formats/#how-do-you-find-the-file-signature", "title": "How do you find the file signature?", "text": "

    You need to be able to look at the binary data that constitutes the file you\u2019re examining. To do this, you\u2019ll use a hexadecimal editor. Once you find the file signature, you can check it against file signature repositories such as Gary Kessler\u2019s.

    "}, {"location": "forensics/what-are-file-formats/#example", "title": "Example", "text": "

    The file above, when opened in a Hex Editor, begins with the bytes FFD8FFE0 00104A46 494600 or in ASCII \u02c7\u00ff\u02c7\u2021 JFIF where \\x00 and \\x10 lack symbols.

    Searching in Gary Kessler\u2019s database shows that this file signature belongs to a JPEG/JFIF graphics file, exactly what we suspect.

    "}, {"location": "forensics/what-is-a-hex-editor/", "title": "Hex Editor", "text": "

    A hexadecimal (hex) editor (also called a binary file editor or byte editor) is a computer program you can use to manipulate the fundamental binary data that constitutes a computer file. The name \u201chex\u201d comes from \u201chexadecimal,\u201d a standard numerical format for representing binary data. A typical computer file occupies multiple areas on the platter(s) of a disk drive, whose contents are combined to form the file. Hex editors that are designed to parse and edit sector data from the physical segments of floppy or hard disks are sometimes called sector editors or disk editors. A hex editor is used to see or edit the raw, exact contents of a file. Hex editors may used to correct data corrupted by a system or application. A list of editors can be found on the forensics Wiki. You can download one and install it on your system.

    "}, {"location": "forensics/what-is-a-hex-editor/#example", "title": "Example", "text": "

    Open fileA.jpg in a hex editor. (Most Hex editors have either a \u201cFile > Open\u201d option or a simple drag and drop.)

    When you open fileA.jpg in your hex editor, you should see something similar to this:

    Your hex editor should also have a \u201cgo to\u201d or \u201cfind\u201d feature so you can jump to a specific byte.

    "}, {"location": "forensics/what-is-disk-imaging/", "title": "Disk Imaging", "text": "

    A forensic image is an electronic copy of a drive (e.g. a hard drive, USB, etc.). It\u2019s a bit-by-\u00adbit or bitstream file that\u2019s an exact, unaltered copy of the media being duplicated.

    Wikipedia said that the most straight\u00adforward disk imaging method is to read a disk from start to finish and write the data to a forensics image format. \u201cThis can be a time-consuming process, especially for disks with a large capacity,\u201d Wikipedia said.

    To prevent write access to the disk, you can use a write blocker. It\u2019s also common to calculate a cryptographic hash of the entire disk when imaging it. \u201cCommonly-used cryptographic hashes are MD5, SHA1 and/or SHA256,\u201d said Wikipedia. \u201cBy recalculating the integrity hash at a later time, one can determine if the data in the disk image has been changed. This by itself provides no protection against intentional tampering, but it can indicate that the data was altered, e.g. due to corruption.\u201d

    Why image a disk? Forensic imaging: - Prevents tampering with the original data\u00ad evidence - Allows you to play around with the copy, without worrying about messing up the original

    "}, {"location": "forensics/what-is-disk-imaging/#forensic-image-extraction-exmple", "title": "Forensic Image Extraction Exmple", "text": "

    This example uses the tool AccessData FTK Imager.

    Step 1: Go to File > Create Disk Image

    Step 2: Select Physical Drive, because the USB or hard drive you\u2019re imaging is a physical device or drive.

    Step 3: Select the drive you\u2019re imaging. The 1000 GB is my computer hard drive; the 128 MB is the USB that I want to image.

    Step 4: Add a new image destination

    Step 5: Select whichever image type you want. Choose Raw (dd) if you\u2019re a beginner, since it\u2019s the most common type

    Step 6: Fill in all the evidence information

    Step 7: Choose where you want to store it

    Step 8: The image destination has been added. Now you can start the image extraction

    Step 9: Wait for the image to be extracted

    Step 10: This is the completed extraction

    Step 11: Add the image you just created so that you can view it

    Step 12: This time, choose image file, since that\u2019s what you just created

    Step 13: Enter the path of the image you just created

    Step 14: View the image.

    1. Evidence tree Structure of the drive image
    2. File list List of all the files in the drive image folder
    3. Properties Properties of the file/folder being examined
    4. Hex viewer View of the drive/folders/files in hexadecimal

    Step 15: To view files in the USB, go to Partition 1 > [USB name] > [root] in the Evidence Tree and look in the File List

    Step 16: Selecting fileA, fileB, fileC, or fileD gives us some properties of the files & a preview of each photo

    Step 17: Extract files of interest for further analysis by selecting, right-clicking and choosing Export Files

    "}, {"location": "forensics/what-is-memory-forensics/", "title": "Memory Forensics", "text": "

    There are plenty of traces of someone's activity on a computer, but perhaps some of the most valuble information can be found within memory dumps, that is images taken of RAM. These dumps of data are often very large, but can be analyzed using a tool called Volatility

    "}, {"location": "forensics/what-is-memory-forensics/#volatility-basics", "title": "Volatility Basics", "text": "

    Memory forensics isn't all that complicated, the hardest part would be using your toolset correctly. A good workflow is as follows:

    1. Run strings for clues
    2. Identify the image profile (which OS, version, etc.)
    3. Dump processes and look for suspicious processes
    4. Dump data related interesting processes
    5. View data in a format relating to the process (Word: docx, Notepad: txt, Photoshop: psd, etc.)
    "}, {"location": "forensics/what-is-memory-forensics/#profile-identification", "title": "Profile Identification", "text": "

    In order to properly use Volatility you must supply a profile with --profile=PROFILE, therefore before any sleuthing, you need to determine the profile using imageinfo:

    $ python vol.py -f ~/image.raw imageinfo\nVolatility Foundation Volatility Framework 2.4\nDetermining profile based on KDBG search...\n\n          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64\n                     AS Layer1 : AMD64PagedMemory (Kernel AS)\n                     AS Layer2 : FileAddressSpace (/Users/Michael/Desktop/win7_trial_64bit.raw)\n                      PAE type : PAE\n                           DTB : 0x187000L\n                          KDBG : 0xf80002803070\n          Number of Processors : 1\n     Image Type (Service Pack) : 0\n                KPCR for CPU 0 : 0xfffff80002804d00L\n             KUSER_SHARED_DATA : 0xfffff78000000000L\n           Image date and time : 2012-02-22 11:29:02 UTC+0000\n     Image local date and time : 2012-02-22 03:29:02 -0800\n
    "}, {"location": "forensics/what-is-memory-forensics/#dump-processes", "title": "Dump Processes", "text": "

    In order to view processes, the pslist or pstree or psscan command can be used.

    $ python vol.py -f ~/image.raw pslist --profile=Win7SP0x64 pstree\nVolatility Foundation Volatility Framework 2.5\nOffset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit\n------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------\n0xffffa0ee12532180 System                    4      0    108        0 ------      0 2018-04-22 20:02:33 UTC+0000\n0xffffa0ee1389d040 smss.exe                232      4      3        0 ------      0 2018-04-22 20:02:33 UTC+0000\n...\n0xffffa0ee128c6780 VBoxTray.exe           3324   1123     10        0      1      0 2018-04-22 20:02:55 UTC+0000\n0xffffa0ee14108780 OneDrive.exe           1422   1123     10        0      1      1 2018-04-22 20:02:55 UTC+0000\n0xffffa0ee14ade080 svchost.exe             228    121      1        0      1      0 2018-04-22 20:14:43 UTC+0000\n0xffffa0ee1122b080 notepad.exe            2019   1123      1        0      1      0 2018-04-22 20:14:49 UTC+0000\n
    "}, {"location": "forensics/what-is-memory-forensics/#process-memory-dump", "title": "Process Memory Dump", "text": "

    Dumping the memory of a process can prove to be fruitful, say we want to dump the data from notepad.exe:

    $ python vol.py -f ~/image.raw --profile=Win7SP0x64 memdump -p 2019 -D dump/\nVolatility Foundation Volatility Framework 2.4\n************************************************************************\nWriting System [     2019] to 2019.dmp\n\n$ ls -alh dump/2019.dmp\n-rw-r--r--  1 user  staff   111M Apr 22 20:47 dump/2019.dmp\n
    "}, {"location": "forensics/what-is-memory-forensics/#other-useful-commands", "title": "Other Useful Commands", "text": "

    There are plenty of commands that Volatility offers but some highlights include:

    • $ python vol.py -f IMAGE --profile=PROFILE connections: view network connections
    • $ python vol.py -f IMAGE --profile=PROFILE cmdscan: view commands that were run in cmd prompt
    "}, {"location": "forensics/what-is-metadata/", "title": "Metadata", "text": "

    Metadata is data about data. Different types of files have different metadata. The metadata on a photo could include dates, camera information, GPS location, comments, etc. For music, it could include the title, author, track number and album.

    "}, {"location": "forensics/what-is-metadata/#what-kind-of-file-metadata-is-useful", "title": "What kind of file metadata is useful?", "text": "

    Potentially, any file metadata you can find could be useful.

    "}, {"location": "forensics/what-is-metadata/#how-do-i-find-it", "title": "How do I find it?", "text": "

    Note

    EXIF Data is metadata attached to photos which can include location, time, and device information.

    One of our favorite tools is exiftool, which displays metadata for an input file, including: - File size - Dimensions (width and height) - File type - Programs used to create (e.g. Photoshop) - OS used to create (e.g. Apple)

    Run command line: exiftool(-k).exe [filename] and you should see something like this:

    "}, {"location": "forensics/what-is-metadata/#example", "title": "Example", "text": "

    Let's take a look at File A's metadata with exiftool:

    File type

    Image description

    Make and camera info

    GPS Latitude/Longitude

    "}, {"location": "forensics/what-is-metadata/#timestamps", "title": "Timestamps", "text": "

    Timestamps are data that indicate the time of certain events (MAC): - Modification \u2013 when a file was modified - Access \u2013 when a file or entries were read or accessed - Creation \u2013 when files or entries were created

    "}, {"location": "forensics/what-is-metadata/#types-of-timestamps", "title": "Types of timestamps", "text": "
    • Modified
    • Accessed
    • Created
    • Date Changed (MFT)
    • Filename Date Created (MFT)
    • Filename Date Modified (MFT)
    • Filename Date Accessed (MFT)
    • INDX Entry Date Created
    • INDX Entry Date Modified
    • INDX Entry Date Accessed
    • INDX Entry Date Changed
    "}, {"location": "forensics/what-is-metadata/#why-do-we-care", "title": "Why do we care?", "text": "

    Certain events such as creating, moving, copying, opening, editing, etc. might affect the MAC times. If the MAC timestamps can be attained, a timeline of events could be created.

    "}, {"location": "forensics/what-is-metadata/#timeline-patterns", "title": "Timeline Patterns", "text": "

    There are plenty more patterns than the ones introduced below, but these are the basics you should start with to get a good understanding of how it works, and to complete this challenge.

    "}, {"location": "forensics/what-is-metadata/#examples", "title": "Examples", "text": "

    We know that the BMP files fileA and fileD are the same, but that the JPEG files fileB and fileC are different somehow. So how can we find out what went on with these files?

    By using time stamp information from the file system, we can learn that the BMP fileD was the original file, with fileA being a copy of the original. Afterward, fileB was created by modifying fileB, and fileC was created by modifying fileA in a different way.

    Follow along as we demonstrate.

    We\u2019ll start by analyzing images in AccessData FTK Imager, where there\u2019s a Properties window that shows you some information about the file or folder you\u2019ve selected.

    Here are the extracted MAC times for fileA, fileB, fileC and fileD: Note, AccessData FTK Imager assumes that the file times on the drive are in UTC (Universal Coordinated Time). I subtracted four hours, since the USB was set up in Eastern Standard Time. This isn\u2019t necessary, but it helps me understand the times a bit better.

    Highlight timestamps that are the same, if timestamps are off by a few seconds, they should be counted as the same. This lets you see a clear difference between different timestamps. Then, highlight oldest to newest to help put them in order.

    Identify timestamp patterns.

    "}, {"location": "forensics/what-is-stegonagraphy/", "title": "Steganography", "text": "

    Steganography is the practice of hiding data in plain sight. Steganography is often embedded in images or audio.

    You could send a picture of a cat to a friend and hide text inside. Looking at the image, there\u2019s nothing to make anyone think there\u2019s a message hidden inside it.

    You could also hide a second image inside the first.

    "}, {"location": "forensics/what-is-stegonagraphy/#steganography-detection", "title": "Steganography Detection", "text": "

    So we can hide text and an image, how do we find out if there is hidden data?

    FileA and FileD appear the same, but they\u2019re different. Also, FileD was modified after it was copied, so it\u2019s possible there might be steganography in it.

    FileB and FileC don\u2019t appear to have been modified after being created. That doesn\u2019t rule out the possibility that there\u2019s steganography in them, but you\u2019re more likely to find it in fileD. This brings up two questions:

    1. Can we determine that there is steganography in fileD?
    2. If there is, what was hidden in it?
    "}, {"location": "forensics/what-is-stegonagraphy/#lsb-steganography", "title": "LSB Steganography", "text": "

    File are made of bytes. Each byte is composed of eight bits.

    Changing the least-significant bit (LSB) doesn\u2019t change the value very much.

    So we can modify the LSB without changing the file noticeably. By doing so, we can hide a message inside.

    "}, {"location": "forensics/what-is-stegonagraphy/#lsb-steganography-in-images", "title": "LSB Steganography in Images", "text": "

    LSB Steganography or Least Significant Bit Steganography is a method of Steganography where data is recorded in the lowest bit of a byte.

    Say an image has a pixel with an RGB value of (255, 255, 255), the bits of those RGB values will look like

    1 1 1 1 1 1 1 1

    By modifying the lowest, or least significant, bit, we can use the 1 bit space across every RGB value for every pixel to construct a message.

    1 1 1 1 1 1 1 0

    The reason steganography is hard to detect by sight is because a 1 bit difference in color is insignificant as seen below.

    "}, {"location": "forensics/what-is-stegonagraphy/#example", "title": "Example", "text": "

    Let\u2019s say we have an image, and part of it contains the following binary:

    And let\u2019s say we want to hide the character y inside.

    First, we need to convert the hidden message to binary.

    Now we take each bit from the hidden message and replace the LSB of the corresponding byte with it.

    And again:

    And again:

    And again:

    And again:

    And again:

    And again:

    And once more:

    Decoding LSB steganography is exactly the same as encoding, but in reverse. For each byte, grab the LSB and add it to your decoded message. Once you\u2019ve gone through each byte, convert all the LSBs you grabbed into text or a file. (You can use your file signature knowledge here!)

    "}, {"location": "forensics/what-is-stegonagraphy/#what-other-types-of-steganography-are-there", "title": "What other types of steganography are there?", "text": "

    Steganography is hard for the defense side, because there\u2019s practically an infinite number of ways it could be carried out. Here are a few examples: - LSB steganography: different bits, different bit combinations - Encode in every certain number of bytes - Use a password - Hide in different places - Use encryption on top of steganography

    "}, {"location": "forensics/what-is-wireshark/", "title": "Wireshark", "text": "

    Note from our infrastructure team

    \"Wireshark saved me hours on my last tax return! - David\"

    \"[Wireshark] is great for ruining your weekend and fixing pesky networking problems!\" - Max\"

    \"Wireshark is the powerhouse of the cell. - Joe\"

    \"Does this cable do anything? - Ayyaz\"

    Wireshark is a network protocol analyzer which is often used in CTF challenges to look at recorded network traffic. Wireshark uses a filetype called PCAP to record traffic. PCAPs are often distributed in CTF challenges to provide recorded traffic history.

    "}, {"location": "forensics/what-is-wireshark/#interface", "title": "Interface", "text": "

    Upon opening Wireshark, you are greeted with the option to open a PCAP or begin capturing network traffic on your device.

    The network traffic displayed initially shows the packets in order of which they were captured. You can filter packets by protocol, source IP address, destination IP address, length, etc.

    In order to apply filters, simply enter the constraining factor, for example 'http', in the display filter bar.

    Filters can be chained together using '&&' notation. In order to filter by IP, ensure a double equals '==' is used.

    The most pertinent part of a packet is its data payload and protocol information.

    "}, {"location": "forensics/what-is-wireshark/#decrypting-ssl-traffic", "title": "Decrypting SSL Traffic", "text": "

    By default, Wireshark cannot decrypt SSL traffic on your device unless you grant it specific certificates.

    "}, {"location": "forensics/what-is-wireshark/#high-level-ssl-handshake-overview", "title": "High Level SSL Handshake Overview", "text": "

    In order for a network session to be encrypted properly, the client and server must share a common secret for which they can use to encrypt and decrypt data without someone in the middle being able to guess. The SSL Handshake loosely follows this format:

    1. The client sends a list of available cipher suites it can use along with a random set of bytes referred to as client_random
    2. The server sends back the cipher suite that will be used, such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA, along with a random set of bytes referred to as server_random
    3. The client generates a pre-master secret, encrypts it, then sends it to the server.
    4. The server and client then generate a common master secret using the selected cipher suite
    5. The client and server begin communicating using this common secret
    "}, {"location": "forensics/what-is-wireshark/#decryption-requirements", "title": "Decryption Requirements", "text": "

    There are several ways to be able to decrypt traffic.

    • If you have the client and server random values and the pre-master secret, the master secret can be generated and used to decrypt the traffic
    • If you have the master secret, traffic can be decrypted easily
    • If the cipher-suite uses RSA, you can factor n in the key in order to break the encryption on the encrypted pre-master secret and generate the master secret with the client and server randoms

    "}, {"location": "reverse-engineering/overview/", "title": "Overview", "text": ""}, {"location": "reverse-engineering/overview/#reverse-engineering", "title": "Reverse Engineering", "text": "

    Reverse Engineering in a CTF is typically the process of taking a compiled (machine code, bytecode) program and converting it back into a more human readable format.

    Very often the goal of a reverse engineering challenge is to understand the functionality of a given program such that you can identify deeper issues.

    • Assembly / Machine Code
    • The C Programming Language
    • Disassemblers
    • Decompilers
    "}, {"location": "reverse-engineering/what-are-decompilers/", "title": "Decompilers", "text": "

    Decompilers do the impossible and reverse compiled code back into psuedocode/code.

    IDA offers HexRays, which translates machine code into a higher language pseudocode.

    "}, {"location": "reverse-engineering/what-are-decompilers/#example-workflow", "title": "Example Workflow", "text": "

    Let's say we are disassembling a program which has the source code:

    #include <stdio.h>\n\nvoid printSpacer(int num){\n    for(int i = 0; i < num; ++i){\n        printf(\"-\");\n    }\n    printf(\"\\n\");\n}\n\nint main()\n{\n    char* string = \"Hello, World!\";\n    for(int i = 0; i < 13; ++i){\n        printf(\"%c\", string[i]);\n        for(int j = i+1; j < 13; j++){\n            printf(\"%c\", string[j]);\n        }\n        printf(\"\\n\");\n        printSpacer(13 - i);\n    }\n    return 0;\n}\n

    And creates an output of:

    Hello, World!\n-------------\nello, World!\n------------\nllo, World!\n-----------\nlo, World!\n----------\no, World!\n---------\n, World!\n--------\n World!\n-------\nWorld!\n------\norld!\n-----\nrld!\n----\nld!\n---\nd!\n--\n!\n-\n

    If we are given a binary compiled from that source and we want to figure out how the source looks, we can use a decompiler to get c pseudocode which we can then use to reconstruct the function. The sample decompilation can look like:

    printSpacer:\nint __fastcall printSpacer(int a1)\n{\n  int i; // [rsp+8h] [rbp-8h]\n\n  for ( i = 0; i < a1; ++i )\n    printf(\"-\");\n  return printf(\"\\n\");\n}\n\nmain:\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  int v4; // [rsp+18h] [rbp-18h]\n  signed int i; // [rsp+1Ch] [rbp-14h]\n\n  for ( i = 0; i < 13; ++i )\n  {\n    v4 = i + 1;\n    printf(\"%c\", (unsigned int)aHelloWorld[i], envp);\n    while ( v4 < 13 )\n      printf(\"%c\", (unsigned int)aHelloWorld[v4++]);\n    printf(\"\\n\");\n    printSpacer(13 - i);\n  }\n  return 0;\n}\n

    A good method of getting a good representation of the source is to convert the decompilation into Python since Python is basically psuedocode that runs. Starting with main often allows you to gain a good overview of what the program is doing and will help you translate the other functions.

    "}, {"location": "reverse-engineering/what-are-decompilers/#main", "title": "Main", "text": "

    We know we will start with a main function and some variables, if you trace the execution of the variables, you can oftentimes determine the variable type. Because i is being used as an index, we know its an int, and because v4 used as one later on, it too is an index. We can also see that we have a variable aHelloWorld being printed with \"%c\", we can determine it represents the 'Hello, World!' string. Lets define all these variables in our Python main function:

    def main():\n    string = \"Hello, World!\"\n    i = 0\n    v4 = 0\n    for i in range(0, 13):\n        v4 = i + 1\n        print(string[i], end='')\n        while v4 < 13:\n            print(string[v4], end='')\n            v4 += 1\n        print()\n        printSpacer(13-i)\n
    "}, {"location": "reverse-engineering/what-are-decompilers/#printspacer-function", "title": "printSpacer Function", "text": "

    Now we can see that printSpacer is clearly being fed an int value. Translating it into python shouldn't be too hard.

    def printSpacer(number):\n    i = 0\n    for i in range(0, number):\n        print(\"-\", end='')\n    print()\n
    "}, {"location": "reverse-engineering/what-are-decompilers/#results", "title": "Results", "text": "

    Running main() gives us:

    Hello, World!\n-------------\nello, World!\n------------\nllo, World!\n-----------\nlo, World!\n----------\no, World!\n---------\n, World!\n--------\n World!\n-------\nWorld!\n------\norld!\n-----\nrld!\n----\nld!\n---\nd!\n--\n!\n-\n
    "}, {"location": "reverse-engineering/what-are-disassemblers/", "title": "Disassemblers", "text": "

    A disassembler is a tool which breaks down a compiled program into machine code.

    "}, {"location": "reverse-engineering/what-are-disassemblers/#list-of-disassemblers", "title": "List of Disassemblers", "text": "
    • IDA
    • Binary Ninja
    • GNU Debugger (GDB)
    • radare2
    • Hopper
    "}, {"location": "reverse-engineering/what-are-disassemblers/#ida", "title": "IDA", "text": "

    The Interactive Disassembler (IDA) is the industry standard for binary disassembly. IDA is capable of disassembling \"virtually any popular file format\". This makes it very useful to security researchers and CTF players who often need to analyze obscure files without knowing what they are or where they came from. IDA also features the industry leading Hex Rays decompiler which can convert assembly code back into a pseudo code like format.

    IDA also has a plugin interface which has been used to create some successful plugins that can make reverse engineering easier:

    • https://github.com/google/binnavi
    • https://github.com/yegord/snowman
    • https://github.com/gaasedelen/lighthouse
    • https://github.com/joxeankoret/diaphora
    • https://github.com/REhints/HexRaysCodeXplorer
    • https://github.com/osirislab/Fentanyl
    "}, {"location": "reverse-engineering/what-are-disassemblers/#binary-ninja", "title": "Binary Ninja", "text": "

    Binary Ninja is an up and coming disassembler that attempts to bring a new, more programmatic approach to reverse engineering. Binary Ninja brings an improved plugin API and modern features to reverse engineering. While it's less popular or as old as IDA, Binary Ninja (often called binja) is quickly gaining ground and has a small community of dedicated users and followers.

    Binja also has some community contributed plugins which are collected here: https://github.com/Vector35/community-plugins

    "}, {"location": "reverse-engineering/what-are-disassemblers/#gdb", "title": "gdb", "text": "

    The GNU Debugger is a free and open source debugger which also disassembles programs. It's capable as a disassembler, but most notably it is used by CTF players for its debugging and dynamic analysis capabailities.

    gdb is often used in tandom with enhancement scripts like peda, pwndbg, and GEF

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/", "title": "Assembly/Machine Code", "text": "

    Machine Code or Assembly is code which has been formatted for direct execution by a CPU. Machine Code is the reason why readable programming languages like C, when compiled, cannot be reversed into source code (well Decompilers can sort of, but more on that later).

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#from-source-to-compilation", "title": "From Source to Compilation", "text": "

    Godbolt shows the differences in machine code generated by various compilers.

    For example, if we have a simple C++ function:

    #include <unistd.h>\n#include <stdio.h>\n#include <stdlib.h>\n\nint main() {\n    char c;\n    int fd = syscall(2, \"/etc/passwd\", 0);\n    while (syscall(0, fd, &c, 1)) {\n        putchar(c);\n    }\n}\n

    We can see the compilation results in some verbose instructions for the CPU:

    .LC0:\n  .string \"/etc/passwd\"\nmain:\n  push rbp\n  mov rbp, rsp\n  sub rsp, 16\n  mov edx, 0\n  mov esi, OFFSET FLAT:.LC0\n  mov edi, 2\n  mov eax, 0\n  call syscall\n  mov DWORD PTR [rbp-4], eax\n.L3:\n  lea rdx, [rbp-5]\n  mov eax, DWORD PTR [rbp-4]\n  mov ecx, 1\n  mov esi, eax\n  mov edi, 0\n  mov eax, 0\n  call syscall\n  test rax, rax\n  setne al\n  test al, al\n  je .L2\n  movzx eax, BYTE PTR [rbp-5]\n  movsx eax, al\n  mov edi, eax\n  call putchar\n  jmp .L3\n.L2:\n  mov eax, 0\n  leave\n  ret\n

    This is a one way process for compiled languages as there is no way to generate source from machine code. While the machine code may seem unintelligible, the extremely basic functions can be interpreted with some practice.

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#x86-64", "title": "x86-64", "text": "

    x86-64 or amd64 or i64 is a 64-bit Complex Instruction Set Computing (CISC) architecture. This basically means that the registers used for this architecture extend an extra 32-bits on Intel's x86 architecture. CISC means that a single instruction can do a bunch of different things at once, such as memory accesses, register reads, etc. It is also a variable-length instruction set, which means different instructions can be different sizes ranging from 1 to 16 bytes long. And finally x86-64 allows for multi-sized register access, which means that you can access certain parts of a register which are different sizes.

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#x86-64-registers", "title": "x86-64 Registers", "text": "

    x86-64 registers behave similarly to other architectures. A key component of x86-64 registers is multi-sized access which means the register RAX can have its lower 32 bits accessed with EAX. The next lower 16 bits can be accessed with AX and the lowest 8 bits can be accessed with AL which allows for the compiler to make optimizations which boost program execution.

    x86-64 has plenty of registers to use, including rax, rbx, rcx, rdx, rdi, rsi, rsp, rip, r8-r15, and more! But some registers serve special purposes.

    The special registers include: - RIP: the instruction pointer - RSP: the stack pointer - RBP: the base pointer

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#instructions", "title": "Instructions", "text": "

    An instruction represents a single operation for the CPU to perform.

    There are different types of instructions including:

    • Data movement: mov rax, [rsp - 0x40]
    • Arithmetic: add rbx, rcx
    • Control-flow: jne 0x8000400

    Because x86-64 is a CISC architecture, instructions can be quite complex for machine code, such as repne scasb which repeats up to ECX times over memory at EDI looking for a NULL byte (0x00), decrementing ECX each byte (essentially strlen() in a single instruction!).

    It is important to remember that an instruction really is just memory; this idea will become useful with Return Oriented Programming or ROP.

    Note

    Instructions, numbers, strings, everything are always represented in hex!

    add rax, rbx\nmov rax, 0xdeadbeef\nmov rax, [0xdeadbeef] == 67 48 8b 05 ef be ad de\n\"Hello\" == 48 65 6c 6c 6f\n== 48 01 d8\n== 48 c7 c0 ef be ad de\n
    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#execution", "title": "Execution", "text": "

    What should the CPU execute? This is determined by the RIP register where IP means instruction pointer. Execution follows the pattern: fetch the instruction at the address in RIP, decode it, run it.

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#examples", "title": "Examples", "text": "
    1. mov rax, 0xdeadbeef

    Here the operation mov is moving the \"immediate\" 0xdeadbeef into the register RAX

    1. mov rax, [0xdeadbeef + rbx * 4]

    Here the operation mov is moving the data at the address of [0xdeadbeef + RBX*4] into the register RAX. When brackets are used, you can think of the program as getting the content from that effective address.

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#example-execution", "title": "Example Execution", "text": "
    -> 0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x0804000\n   0x080400a: add, rax, rbx                  RAX = 0x0\n   0x080400d: inc rbx                        RBX = 0x0\n   0x0804010: sub rax, rbx                   RCX = 0x0\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n-> 0x0804005: mov ebx, 0x1234                RIP = 0x0804005\n   0x080400a: add, rax, rbx                  RAX = 0xdeadbeef\n   0x080400d: inc rbx                        RBX = 0x0\n   0x0804010: sub rax, rbx                   RCX = 0x0\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x080400a\n-> 0x080400a: add, rax, rbx                  RAX = 0xdeadbeef\n   0x080400d: inc rbx                        RBX = 0x1234\n   0x0804010: sub rax, rbx                   RCX = 0x0\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x080400d\n   0x080400a: add, rax, rbx                  RAX = 0xdeadd123\n-> 0x080400d: inc rbx                        RBX = 0x1234\n   0x0804010: sub rax, rbx                   RCX = 0x0\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x0804010\n   0x080400a: add, rax, rbx                  RAX = 0xdeadd123\n   0x080400d: inc rbx                        RBX = 0x1235\n-> 0x0804010: sub rax, rbx                   RCX = 0x0\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x0804013\n   0x080400a: add, rax, rbx                  RAX = 0xdeadbeee\n   0x080400d: inc rbx                        RBX = 0x1235\n   0x0804010: sub rax, rbx                   RCX = 0x0\n-> 0x0804013: mov rcx, rax                   RDX = 0x0\n
       0x0804000: mov eax, 0xdeadbeef            Register Values:\n   0x0804005: mov ebx, 0x1234                RIP = 0x0804005\n   0x080400a: add, rax, rbx                  RAX = 0xdeadbeee\n   0x080400d: inc rbx                        RBX = 0x1235\n   0x0804010: sub rax, rbx                   RCX = 0xdeadbeee\n   0x0804013: mov rcx, rax                   RDX = 0x0\n
    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#control-flow", "title": "Control Flow", "text": "

    How can we express conditionals in x86-64? We use conditional jumps such as:

    • jnz <address>
    • je <address>
    • jge <address>
    • jle <address>
    • etc.

    They jump if their condition is true, and just go to the next instruction otherwise. These conditionals are checking EFLAGS, which are special registers which store flags on certain instructions such as add rax, rbx which sets the o (overflow) flag if the sum is greater than a 64-bit register can hold, and wraps around. You can jump based on that with a jo instruction. The most important thing to remember is the cmp instruction:

    cmp rax, rbx\njle error\n
    This assembly jumps if RAX <= RBX

    "}, {"location": "reverse-engineering/what-is-assembly-machine-code/#addresses", "title": "Addresses", "text": "

    Memory acts similarly to a big array where the indices of this \"array\" are memory addresses. Remember from earlier:

    mov rax, [0xdeadbeef]

    The square brackets mean \"get the data at this address\". This is analogous to the C/C++ syntax: rax = *0xdeadbeef;

    "}, {"location": "reverse-engineering/what-is-bytecode/", "title": "What is bytecode", "text": ""}, {"location": "reverse-engineering/what-is-c/", "title": "The C Programming Language", "text": ""}, {"location": "reverse-engineering/what-is-c/#history", "title": "History", "text": "

    The C programming language was written by Dennis Ritchie in the 1970s while he was working at Bell Labs. It was first used to reimplement the Unix operating system which was purely written in assembly language. At first, the Unix developers were considering using a language called \"B\" but because B wasn't optimized for the target computer, the C language was created.

    Note

    C is the letter and the programming language after B!

    C was designed to be close to assembly and is still widely used in lower level programming where speed and control are needed (operating systems, embedded systems). C was also very influential to other programming languages used today. Notable languages include C++, Objective-C, Golang, Java, JavaScript, PHP, Python, and Rust.

    "}, {"location": "reverse-engineering/what-is-c/#hello-world", "title": "Hello World", "text": "

    C is an ancestor of many other programming languages and if you are familiar with programming, it's likely that C will be at least somewhat familiar.

    #include <stdio.h>\nint main()\n{\n   printf(\"Hello, World!\");\n   return 0;\n}\n
    "}, {"location": "reverse-engineering/what-is-c/#today", "title": "Today", "text": "

    Today C is widely used either as a low level programming language or is the base language that other programming languages are implemented in.

    While it can be difficult to see, the C language compiles down directly into machine code. The compiler is programmed to process the provided C code and emit assembly that's targetted to whatever operating system and architecture the compiler is set to use.

    Some common compilers include:

    • gcc
    • clang

    A good way to explore this relationship is to use this online GCC Explorer from Matt Godbolt.

    In regards to CTF, many reverse engineering and exploitation CTF challenges are written in C because the language compiles down directly to assembly and there are little to no safeguards in the language. This means developers must manually handle both. Of course, this can lead to mistakes which can sometimes lead to security issues.

    Note

    Other higher level langauges like Python manage memory and garbage collection for you. Google Golang was inspired by C, but adds in functionality like garbage collection and memory safety.

    There are some examples of famously vulnerable functions in C which are still available and can still result in vulnerabilities:

    • gets - Can result in buffer overflows
    • strcpy - Can result in buffer overflows
    • strcat - Can result in buffer overflows
    • strcmp - Can result in timing attacks
    "}, {"location": "reverse-engineering/what-is-c/#types", "title": "Types", "text": "

    C has four basic types:

    • char - characters
    • int - integers (e.g. 125)
    • float - 32 bit floating point number (e.g. 2.4)
    • double - 64 bit floating point number (like a float but more precise in terms of decimal points)
    "}, {"location": "reverse-engineering/what-is-c/#pointers", "title": "Pointers", "text": "

    C uses an idea known as pointers. A pointer is a variable which contains the address of another variable.

    To understand this idea we should first understand that memory is laid out in terms of addresses and data gets stored at these addresses.

    Take the following example of defining an integer in C:

    int x = 4;\n

    To the programmer this is the variable x receiving the value of 4. The computer stores this value in some location in memory. For example we can say that address 0x1000 now holds the value 4. The computer knows to directly access the memory and retrieve the value 4 whenever the programmer tries to use the x variable. If we were to say x + 4, the computer would give you 8 instead of 0x1004.

    But in C we can retrieve the memory address being used to hold the 4 value (i.e. 0x1000) by using the & character and using * to create an \"integer pointer\" type.

    int* y = &x;\n

    The y variable will store the address pointed to by the xvariable (0x1000).

    Note

    The * character allows us to declare pointer variables but also allows us to access the value stored at a pointer. For example, entering *y allows us to access the 4 value instead of 0x1000.

    Whenever we use the y variable we are using the memory address, but if we use the x variable we use the value stored at the memory address.

    "}, {"location": "reverse-engineering/what-is-c/#arrays", "title": "Arrays", "text": "

    Arrays are a grouping of objects of the same type. They are typically created with the following syntax:

    type arrayName [ arraySize ];\n

    To initialize values in the array we can do:

    int integers[ 10 ] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};\n

    Arrays allow programmers to group data into logical containers.

    To access the individual elements of an array we access the contents by their \"index\". Most programming langauges today start counting from 0. So to take our previous example:

    int integers[ 10 ] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};\n/*     indexes        0  1  2  3  4  5  6  7  8   9\n

    To access the value 6 we would use index 5:

    integers[5];\n
    "}, {"location": "reverse-engineering/what-is-c/#how-do-arrays-work", "title": "How do arrays work?", "text": "

    Arrays are a clever combination of multiplication, pointers, and programming.

    Because the computer knows the data type used for every element in the array, the computer needs to simply multiply the size of the data type by the index you are looking for and then add this value to the address of the beginning of the array.

    For example if we know that the base address of an array is 1000 and we know that each integer takes 8 bytes, we know that if we have 8 integers right next to each other, we can get the integer at the 4th index with the following math:

    1000 + (4 * 8) =  1032\n
    array [ 1   , 2   , 3   , 4   , 5   , 6   , 7   , 8   ]\nindex   0     1     2     3     4     5     6     7\naddrs  1000  1008  1016  1024  1032  1040  1048  1056\n
    "}, {"location": "reverse-engineering/what-is-c/#memory-management", "title": "Memory Management", "text": ""}, {"location": "reverse-engineering/what-is-gdb/", "title": "The GNU Debugger (GDB)", "text": "

    The GNU Debugger or GDB is a powerful debugger which allows for step-by-step execution of a program. It can be used to trace program execution and is an important part of any reverse engineering toolkit.

    "}, {"location": "reverse-engineering/what-is-gdb/#vanilla-gdb", "title": "Vanilla GDB", "text": "

    GDB without any modifications is unintuitive and obscures a lot of useful information. The plug-in pwndb solves a lot of these problems and makes for a much more pleasant experience. But if you are constrained and have to use vanilla gdb, here are several things to make your life easier.

    "}, {"location": "reverse-engineering/what-is-gdb/#starting-gdb", "title": "Starting GDB", "text": "

    To execute GBD and attach it to a program simply run gdb [program]

    "}, {"location": "reverse-engineering/what-is-gdb/#disassembly", "title": "Disassembly", "text": "

    (gdb) disassemble [address/symbol] will display the disassembly for that function/frame

    GDB will autocomplete functions, so saying (gdb) disas main suffices if you'd like to see the disassembly of main

    "}, {"location": "reverse-engineering/what-is-gdb/#view-disassembly-during-execution", "title": "View Disassembly During Execution", "text": "

    Another handy thing to see while stepping through a program is the disassembly of nearby instructions:

    (gdb) display/[# of instructions]i $pc [\u00b1 offset]

    • display shows data with each step
    • /[#]i shows how much data in the format i for instruction
    • $pc means the pc, program counter, register
    • [\u00b1 offset] allows you to specify how you would like the data offset from the current instruction
    "}, {"location": "reverse-engineering/what-is-gdb/#example-usage", "title": "Example Usage", "text": "

    (gdb) display/10i $pc - 0x5

    This command will show 10 instructions on screen with an offset from the next instruction of 5, giving us this display:

       0x8048535 <main+6>:  lock pushl -0x4(%ecx)\n   0x8048539 <main+10>: push   %ebp\n=> 0x804853a <main+11>: mov    %esp,%ebp\n   0x804853c <main+13>: push   %ecx\n   0x804853d <main+14>: sub    $0x14,%esp\n   0x8048540 <main+17>: sub    $0xc,%esp\n   0x8048543 <main+20>: push   $0x400\n   0x8048548 <main+25>: call   0x80483a0 <malloc@plt>\n   0x804854d <main+30>: add    $0x10,%esp\n   0x8048550 <main+33>: sub    $0xc,%esp\n
    "}, {"location": "reverse-engineering/what-is-gdb/#deleting-views", "title": "Deleting Views", "text": "

    If for whatever reason, a view no long suits your needs simply call (gdb) info display which will give you a list of active displays:

    Auto-display expressions now in effect:\nNum Enb Expression\n1:   y  /10bi $pc-0x5\n

    Then simply execute (gdb) delete display 1 and your execution will resume without the display.

    "}, {"location": "reverse-engineering/what-is-gdb/#registers", "title": "Registers", "text": "

    In order to view the state of registers with vanilla gdb, you need to run the command info registers which will display the state of all the registers:

    eax            0xf77a6ddc   -142971428\necx            0xffe06b10   -2069744\nedx            0xffe06b34   -2069708\nebx            0x0  0\nesp            0xffe06af8   0xffe06af8\nebp            0x0  0x0\nesi            0xf77a5000   -142979072\nedi            0xf77a5000   -142979072\neip            0x804853a    0x804853a <main+11>\neflags         0x286    [ PF SF IF ]\ncs             0x23 35\nss             0x2b 43\nds             0x2b 43\nes             0x2b 43\nfs             0x0  0\ngs             0x63 99\n

    If you simply would like to see the contents of a single register, the notation x/x $[register] where:

    • x/x means display the address in hex notation
    • $[register] is the register code such as eax, rax, etc.
    "}, {"location": "reverse-engineering/what-is-gdb/#pwndbg", "title": "Pwndbg", "text": "

    These commands work with vanilla gdb as well.

    "}, {"location": "reverse-engineering/what-is-gdb/#setting-breakpoints", "title": "Setting Breakpoints", "text": "

    Setting breakpoints in GDB uses the format b*[Address/Symbol]

    "}, {"location": "reverse-engineering/what-is-gdb/#example-usage_1", "title": "Example Usage", "text": "
    • (gdb) b*main: Break at the start
    • (gdb) b*0x804854d: Break at 0x804854d
    • (gdb) b*0x804854d-0x100: Break at 0x804844d
    "}, {"location": "reverse-engineering/what-is-gdb/#deleting-breakpoints", "title": "Deleting Breakpoints", "text": "

    As before, in order to delete a view, you can list the available breakpoints using (gdb) info breakpoints (don't forget about GDB's autocomplete, you don't always need to type out every command!) which will display all breakpoints:

    Num     Type           Disp Enb Address    What\n1       breakpoint     keep y   0x0804852f <main>\n3       breakpoint     keep y   0x0804864d <__libc_csu_init+61>\n

    Then simply execute (gdb) delete 1

    Note

    GDB creates breakpoints chronologically and does NOT reuse numbers.

    "}, {"location": "reverse-engineering/what-is-gdb/#stepping", "title": "Stepping", "text": "

    What good is a debugger if you can't control where you are going? In order to begin execution of a program, use the command r [arguments] similar to how if you ran it with dot-slash notation you would execute it ./program [arguments]. In this case the program will run normally and if no breakpoints are set, you will execute normally. If you have breakpoints set, you will stop at that instruction.

    • (gdb) continue [# of breakpoints]: Resumes the execution of the program until it finishes or until another breakpoint is hit (shorthand c)
    • (gdb) step[# of instructions]: Steps into an instruction the specified number of times, default is 1 (shorthand s)
    • (gdb) next instruction [# of instructions]: Steps over an instruction meaning it will not delve into called functions (shorthand ni)
    • (gdb) finish: Finishes a function and breaks after it gets returned (shorthand fin)
    "}, {"location": "reverse-engineering/what-is-gdb/#examining", "title": "Examining", "text": "

    Examining data in GDB is also very useful for seeing how the program is affecting data. The notation may seem complex at first, but it is flexible and provides powerful functionality.

    (gdb) x/[#][size][format] [Address/Symbol/Register][\u00b1 offset]

    • x/ means examine
    • [#] means how much
    • [size] means what size the data should be such as a word w (2 bytes), double word d (4 bytes), or giant word g (8 bytes)
    • [format] means how the data should be interpreted such as an instruction i, a string s, hex bytes x
    • [Address/Symbol][\u00b1 offset] means where to start interpreting the data
    "}, {"location": "reverse-engineering/what-is-gdb/#example-usage_2", "title": "Example Usage", "text": "
    • (gdb) x/x $rax: Displays the content of the register RAX as hex bytes
    • (gdb) x/i 0xdeadbeef: Displays the instruction at address 0xdeadbeef
    • (gdb) x/10s 0x893e10: Displays 10 strings at the address
    • (gdb) x/10gx 0x7fe10: Displays 10 giant words as hex at the address
    "}, {"location": "reverse-engineering/what-is-gdb/#forking", "title": "Forking", "text": "

    If the program happens to be an accept-and-fork server, gdb will have issues following the child or parent processes. In order to specify how you want gdb to function you can use the command set follow-fork-mode [on/off]

    "}, {"location": "reverse-engineering/what-is-gdb/#setting-data", "title": "Setting Data", "text": "

    If you would like to set data at any point, it is possible using the command set [Address/Register]=[Hex Data]

    "}, {"location": "reverse-engineering/what-is-gdb/#example-usage_3", "title": "Example Usage", "text": "
    • set $rax=0x0: Sets the register rax to 0
    • set 0x1e4a70=0x123: Sets the data at 0x1e4a70 to 0x123
    "}, {"location": "reverse-engineering/what-is-gdb/#process-mapping", "title": "Process Mapping", "text": "

    A handy way to find the process's mapped address spaces is to use info proc map:

    Mapped address spaces:\n\n    Start Addr   End Addr       Size     Offset objfile\n     0x8048000  0x8049000     0x1000        0x0 /directory/program\n     0x8049000  0x804a000     0x1000        0x0 /directory/program\n     0x804a000  0x804b000     0x1000     0x1000 /directory/program\n    0xf75cb000 0xf75cc000     0x1000        0x0\n    0xf75cc000 0xf7779000   0x1ad000        0x0 /lib32/libc-2.23.so\n    0xf7779000 0xf777b000     0x2000   0x1ac000 /lib32/libc-2.23.so\n    0xf777b000 0xf777c000     0x1000   0x1ae000 /lib32/libc-2.23.so\n    0xf777c000 0xf7780000     0x4000        0x0\n    0xf778b000 0xf778d000     0x2000        0x0 [vvar]\n    0xf778d000 0xf778f000     0x2000        0x0 [vdso]\n    0xf778f000 0xf77b1000    0x22000        0x0 /lib32/ld-2.23.so\n    0xf77b1000 0xf77b2000     0x1000        0x0\n    0xf77b2000 0xf77b3000     0x1000    0x22000 /lib32/ld-2.23.so\n    0xf77b3000 0xf77b4000     0x1000    0x23000 /lib32/ld-2.23.so\n    0xffc59000 0xffc7a000    0x21000        0x0 [stack]\n

    This will show you where the stack, heap (if there is one), and libc are located.

    "}, {"location": "reverse-engineering/what-is-gdb/#attaching-processes", "title": "Attaching Processes", "text": "

    Another useful feature of GDB is to attach to processes which are already running. Simply launch gdb using gdb, then find the process id of the program you would like to attach to an execute attach [pid].

    "}, {"location": "web-exploitation/overview/", "title": "Overview", "text": ""}, {"location": "web-exploitation/overview/#web-exploitation", "title": "Web Exploitation", "text": "

    Websites all around the world are programmed using various programming languages. While there are specific vulnerabilities in each programming langage that the developer should be aware of, there are issues fundamental to the internet that can show up regardless of the chosen language or framework.

    These vulnerabilities often show up in CTFs as web security challenges where the user needs to exploit a bug to gain some kind of higher level privelege.

    Common vulnerabilities to see in CTF challenges:

    • SQL Injection
    • Command Injection
    • Directory Traversal
    • Cross Site Request Forgery
    • Cross Site Scripting
    • Server Side Request Forgery
    "}, {"location": "web-exploitation/command-injection/what-is-command-injection/", "title": "Command Injection", "text": "

    Command Injection is a vulnerability that allows an attacker to submit system commands to a computer running a website. This happens when the application fails to encode user input that goes into a system shell. It is very common to see this vulnerability when a developer uses the system() command or its equivalent in the programming language of the application.

    import os\n\ndomain = user_input() # ctf101.org\n\nos.system('ping ' + domain)\n

    The above code when used normally will ping the ctf101.org domain.

    But consider what would happen if the user_input() function returned different data?

    import os\n\ndomain = user_input() # ; ls\n\nos.system('ping ' + domain)\n

    Because of the additional semicolon, the os.system() function is instructed to run two commands.

    It looks to the program as:

    ping ; ls\n

    Note

    The semicolon terminates a command in bash and allows you to put another command after it.

    Because the ping command is being terminated and the ls command is being added on, the ls command will be run in addition to the empty ping command!

    This is the core concept behind command injection. The ls command could of course be switched with another command (e.g. wget, curl, bash, etc.)

    Command injection is a very common means of privelege escalation within web applications and applications that interface with system commands. Many kinds of home routers take user input and directly append it to a system command. For this reason, many of those home router models are vulnerable to command injection.

    "}, {"location": "web-exploitation/command-injection/what-is-command-injection/#example-payloads", "title": "Example Payloads", "text": "
    • ;ls
    • $(ls)
    • `ls`
    "}, {"location": "web-exploitation/command-injection/what-is-command-injection/#related-challenges", "title": "Related Challenges", "text": ""}, {"location": "web-exploitation/cross-site-request-forgery/what-is-cross-site-request-forgery/", "title": "Cross Site Request Forgery (CSRF)", "text": "

    A Cross Site Request Forgery or CSRF Attack, pronounced see surf, is an attack on an authenticated user which uses a state session in order to perform state changing attacks like a purchase, a transfer of funds, or a change of email address.

    The entire premise of CSRF is based on session hijacking, usually by injecting malicious elements within a webpage through an <img> tag or an <iframe> where references to external resources are unverified.

    "}, {"location": "web-exploitation/cross-site-request-forgery/what-is-cross-site-request-forgery/#using-csrf", "title": "Using CSRF", "text": "

    GET requests are often used by websites to get user input. Say a user signs in to an banking site which assigns their browser a cookie which keeps them logged in. If they transfer some money, the URL that is sent to the server might have the pattern:

    http://securibank.com/transfer.do?acct=[RECEPIENT]&amount=[DOLLARS]

    Knowing this format, an attacker can send an email with a hyperlink to be clicked on or they can include an image tag of 0 by 0 pixels which will automatically be requested by the browser such as:

    <img src=\"http://securibank.com/transfer.do?acct=[RECEPIENT]&amount=[DOLLARS]\" width=\"0\" height=\"0\" border=\"0\">

    "}, {"location": "web-exploitation/cross-site-scripting/what-is-cross-site-scripting/", "title": "Cross Site Scripting (XSS)", "text": "

    Cross Site Scripting or XSS is a vulnerability where on user of an application can send JavaScript that is executed by the browser of another user of the same application.

    This is a vulnerability because JavaScript has a high degree of control over a user's web browser.

    For example JavaScript has the ability to:

    • Modify the page (called the DOM)
    • Send more HTTP requests
    • Access cookies

    By combining all of these abilities, XSS can maliciously use JavaScript to extract user's cookies and send them to an attacker controlled server. XSS can also modify the DOM to phish users for their passwords. This only scratches the surface of what XSS can be used to do.

    XSS is typically broken down into three categories:

    • Reflected XSS
    • Stored XSS
    • DOM XSS
    "}, {"location": "web-exploitation/cross-site-scripting/what-is-cross-site-scripting/#reflected-xss", "title": "Reflected XSS", "text": "

    Reflected XSS is when an XSS exploit is provided through a URL paramater.

    For example:

    https://ctf101.org?data=<script>alert(1)</script>\n

    You can see the XSS exploit provided in the data GET parameter. If the application is vulnerable to reflected XSS, the application will take this data parameter value and inject it into the DOM.

    For example:

    <html>\n    <body>\n        <script>alert(1)</script>\n    </body>\n</html>\n

    Depending on where the exploit gets injected, it may need to be constructed differently.

    Also, the exploit payload can change to fit whatever the attacker needs it to do. Whether that is to extract cookies and submit it to an external server, or to simply modify the page to deface it.

    One of the deficiencies of reflected XSS however is that it requires the victim to access the vulnerable page from an attacker controlled resource. Notice that if the data paramter, wasn't provided the exploit wouldn't work.

    In many situations, reflected XSS is detected by the browser because it is very simple for a browser to detect malicous XSS payloads in URLs.

    "}, {"location": "web-exploitation/cross-site-scripting/what-is-cross-site-scripting/#stored-xss", "title": "Stored XSS", "text": "

    Stored XSS is different from reflected XSS in one key way. In reflected XSS, the exploit is provided through a GET parameter. But in stored XSS, the exploit is provided from the website itself.

    Imagine a website that allows users to post comments. If a user can submit an XSS payload as a comment, and then have others view that malicious comment, it would be an example of stored XSS.

    The reason being that the web site itself is serving up the XSS payload to other users. This makes it very difficult to detect from the browser's perspective and no browser is capable of generically preventing stored XSS from exploiting a user.

    "}, {"location": "web-exploitation/cross-site-scripting/what-is-cross-site-scripting/#dom-xss", "title": "DOM XSS", "text": "

    DOM XSS is XSS that is due to the browser itself injecting an XSS payload into the DOM. While the server itself may properly prevent XSS, it's possible that the client side scripts may accidentally take a payload and insert it into the DOM and cause the payload to trigger.

    The server itself is not to blame, but the client side JavaScript files are causing the issue.

    "}, {"location": "web-exploitation/directory-traversal/what-is-directory-traversal/", "title": "Directory Traversal", "text": "

    Directory Traversal is a vulnerability where an application takes in user input and uses it in a directory path.

    Any kind of path controlled by user input that isn't properly sanitized or properly sandboxed could be vulnerable to directory traversal.

    For example, consider an application that allows the user to choose what page to load from a GET parameter.

    <?php\n    $page = $_GET['page']; // index.php\n    include(\"/var/www/html/\" . $page);\n?>\n

    Under normal operation the page would be index.php. But what if a malicious user gave in something different?

    <?php\n    $page = $_GET['page']; // ../../../../../../../../etc/passwd\n    include(\"/var/www/html/\" . $page);\n?>\n

    Here the user is submitting ../../../../../../../../etc/passwd.

    This will result in the PHP interpreter leaving the directory that it is coded to look in ('/var/www/html') and instead be forced up to the root folder.

    include(\"/var/www/html/../../../../../../../../etc/passwd\");\n

    Ultimately this will become /etc/passwd because the computer will not go a directory above its top directory.

    Thus the application will load the /etc/passwd file and emit it to the user like so:

    root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nsystemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false\nsystemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false\nsystemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false\nsystemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false\n_apt:x:104:65534::/nonexistent:/bin/false\n

    This same concept can be applied to applications where some input is taken from a user and then used to access a file or path or similar. This vulnerability very often can be used to leak sensitive data or extract application source code to find other vulnerabilities.

    "}, {"location": "web-exploitation/php/what-is-php/", "title": "PHP", "text": "

    PHP is one of the most used languages for back-end web development and therefore it has become a target by hackers. PHP is a language which makes it painful to be secure for most instances, making it every hacker's dream target.

    "}, {"location": "web-exploitation/php/what-is-php/#overview", "title": "Overview", "text": "

    PHP is a C-like language which uses tags enclosed by <?php ... ?> (sometimes just <? ... ?>). It is inlined into HTML. A word of advice is to keep the php docs open because function names are strange due to the fact that the length of function name is used to be the key in PHP's internal dictionary, so function names were shortened/lengthened to make the lookup faster. Other things include:

    • Variables start with $: $name
    • Variable variables: $$name
    • Request-specific dictionaries: $_GET, $_POST, $_SERVER
    "}, {"location": "web-exploitation/php/what-is-php/#example", "title": "Example", "text": "
    <?php\n    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['email']) && isset($_POST['password'])) {\n        $db = new mysqli('127.0.0.1', 'cs3284', 'cs3284', 'logmein');\n        $email = $_POST['email'];\n        $password = sha1($_POST['password']);\n        $res = $db->query(\"SELECT * FROM users WHERE email = '$email' AND password = '$password'\");\n        if ($row = $res->fetch_assoc()) {\n            $_SESSION['id'] = $row['id'];\n            header('Location: index.php');\n            die();\n        }\n   }\n?>\n<html>...\n

    This example PHP simply checks the POST data for an email and password. If the password is equal to the hashed password in the database, the use is logged in and redirected to the index page.

    The line email = '$email' uses automatic string interpolation in order to convert $email into a string to compare with the database.

    "}, {"location": "web-exploitation/php/what-is-php/#type-juggling", "title": "Type Juggling", "text": "

    PHP will do just about anything to match with a loose comparison (\\=\\=) which means things can be 'equal' (\\=\\=) or really equal (\\=\\=\\=). The implicit integer parsing to strings is the root cause of a lot of issues in PHP.

    "}, {"location": "web-exploitation/php/what-is-php/#type-comparison-table", "title": "Type Comparison Table", "text": ""}, {"location": "web-exploitation/php/what-is-php/#comparisons-of-x-with-php-functions", "title": "Comparisons of $x with PHP Functions", "text": "Expression gettype() empty() is_null() isset() boolean: if($x) $x = \"\"; string TRUE FALSE TRUE FALSE $x = null; NULL TRUE TRUE FALSE FALSE var $x; NULL TRUE TRUE FALSE FALSE $x is undefined NULL TRUE TRUE FALSE FALSE $x = array(); array TRUE FALSE TRUE FALSE $x = array('a', 'b'); array FALSE FALSE TRUE TRUE $x = false; boolean TRUE FALSE TRUE FALSE $x = true; boolean FALSE FALSE TRUE TRUE $x = 1; integer FALSE FALSE TRUE TRUE $x = 42; integer FALSE FALSE TRUE TRUE $x = 0; integer TRUE FALSE TRUE FALSE $x = -1; integer FALSE FALSE TRUE TRUE $x = \"1\"; string FALSE FALSE TRUE TRUE $x = \"0\"; string TRUE FALSE TRUE FALSE $x = \"-1\"; string FALSE FALSE TRUE TRUE $x = \"php\"; string FALSE FALSE TRUE TRUE $x = \"true\"; string FALSE FALSE TRUE TRUE $x = \"false\"; string FALSE FALSE TRUE TRUE"}, {"location": "web-exploitation/php/what-is-php/#comparisons", "title": "\"==\" Comparisons", "text": "TRUE FALSE 1 0 -1 \"1\" \"0\" \"-1\" NULL array() \"php\" \"\" TRUE ==TRUE== FALSE ==TRUE== FALSE ==TRUE== ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE ==TRUE== ==TRUE== FALSE ==TRUE== 1 ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE 0 FALSE ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE ==TRUE== FALSE ==TRUE== ==TRUE== -1 ==TRUE== FALSE FALSE FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE \"1\" ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE \"0\" FALSE ==TRUE== FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE \"-1\" ==TRUE== FALSE FALSE FALSE ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE NULL FALSE ==TRUE== FALSE ==TRUE== FALSE FALSE FALSE FALSE ==TRUE== ==TRUE== FALSE ==TRUE== array() FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== ==TRUE== FALSE FALSE \"php\" ==TRUE== FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE \"\" FALSE ==TRUE== FALSE ==TRUE== FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE ==TRUE=="}, {"location": "web-exploitation/php/what-is-php/#comparisons_1", "title": "\"===\" Comparisons", "text": "TRUE FALSE 1 0 -1 \"1\" \"0\" \"-1\" NULL array() \"php\" \"\" TRUE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE 1 FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE 0 FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE -1 FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE FALSE \"1\" FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE FALSE \"0\" FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE FALSE \"-1\" FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE FALSE NULL FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE FALSE array() FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE FALSE \"php\" FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE== FALSE \"\" FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE FALSE ==TRUE=="}, {"location": "web-exploitation/php/what-is-php/#file-inclusion", "title": "File Inclusion", "text": "

    PHP has multiple ways to include other source files such as require, require_once and include. These can take a dynamic string such as require $_GET['page'] . \".php\"; which is usually seen in templating.

    "}, {"location": "web-exploitation/php/what-is-php/#php-stream-filters", "title": "PHP Stream Filters", "text": "

    PHP has its own URL scheme: php://... and its main purpose is to filter output automatically. It can automatically remove certain HTML tags and can base64 encode as well.

    "}, {"location": "web-exploitation/php/what-is-php/#example_1", "title": "Example", "text": "
    $fp = fopen('php://output', 'w');\nstream_filter_append(\n       $fp,\n       'string.strip_tags',\n       STREAM_FILTER_WRITE,\n       array('b','i','u'));\nfwrite($fp, \"<b>bolded text</b> enlarged to a <h1>level 1 heading</h1>\\n\");\n/* <b>bolded text</b> enlarged to a level 1 heading */\n
    "}, {"location": "web-exploitation/php/what-is-php/#exploitation", "title": "Exploitation", "text": "

    These filters can also be used on input such as:

    • php://filter/convert.base64-encode/resource={file}
    • include, file_get_contents(), etc. support URLs including PHP stream filter URLs (php://)
    • include normally evaluates any PHP code (in tags) it finds, but if it\u2019s base64 encoded it can be used to leak source
    "}, {"location": "web-exploitation/server-side-request-forgery/what-is-server-side-request-forgery/", "title": "Server Side Request Forgery (SSRF)", "text": "

    Server Side Request Forgery or SSRF is where an attacker is able to cause a web application to send a request that the attacker defines.

    For example, say there is a website that lets you take a screenshot of any site on the internet.

    Under normal usage a user might ask it to take a screenshot of a page like Google, or The New York Times. But what if a user does something more nefarious? What if they asked the site to take a picture of http://localhost ? Or perhaps tries to access something more useful like http://localhost/server-status ?

    Note

    127.0.0.1 (also known as localhost or loopback) represents the computer itself. Accessing localhost means you are accessing the computer's own internal network. Developers often use localhost as a way to access the services they have running on their own computers.

    Depending on what the response from the site is the attacker may be able to gain additional information about what's running on the computer itself.

    In addition, the requests originating from the server would come from the server's IP not the attackers IP. Because of that, it is possible that the attacker might be able to access internal resources that he wouldn't normally be able to access.

    Another usage for SSRF is to create a simple port scanner to scan the internal network looking for internal services.

    "}, {"location": "web-exploitation/sql-injection/what-is-sql-injection/", "title": "SQL Injection", "text": "

    SQL Injection is a vulnerability where an application takes input from a user and doesn't vaildate that the user's input doesn't contain additional SQL.

    <?php\n    $username = $_GET['username']; // kchung\n    $result = mysql_query(\"SELECT * FROM users WHERE username='$username'\");\n?>\n

    If we look at the $username variable, under normal operation we might expect the username parameter to be a real username (e.g. kchung).

    But a malicious user might submit different kind of data. For example, consider if the input was '?

    The application would crash because the resulting SQL query is incorrect.

    SELECT * FROM users WHERE username='''\n

    Note

    Notice the extra single quote at the end.

    With the knowledge that a single quote will cause an error in the application we can expand a little more on SQL Injection.

    What if our input was ' OR 1=1?

    SELECT * FROM users WHERE username='' OR 1=1\n

    1 is indeed equal to 1. This equates to true in SQL. If we reinterpret this the SQL statement is really saying

    SELECT * FROM users WHERE username='' OR true\n

    This will return every row in the table because each row that exists must be true.

    We can also inject comments and termination characters like -- or /* or ;. This allows you to terminate SQL queries after your injected statements. For example '-- is a common SQL injection payload.

    SELECT * FROM users WHERE username=''-- '\n

    This payload sets the username parameter to an empty string to break out of the query and then adds a comment (--) that effectively hides the second single quote.

    Using this technique of adding SQL statements to an existing query we can force databases to return data that it was not meant to return.

    "}]} \ No newline at end of file diff --git a/sitemap.xml.gz b/sitemap.xml.gz index d302cc79bb85b2d261c7210486febd9aa5fa2e00..dbfdbfcbe7fdbf5e5a832701d5ce6a5e327112ad 100644 GIT binary patch delta 12 Tcmb=gXOr*d;8>P1k*yK{7@h;& delta 12 Tcmb=gXOr*d;5d{%k*yK{872ex diff --git a/web-exploitation/command-injection/what-is-command-injection/index.html b/web-exploitation/command-injection/what-is-command-injection/index.html index 1394d0f8..66de7e27 100644 --- a/web-exploitation/command-injection/what-is-command-injection/index.html +++ b/web-exploitation/command-injection/what-is-command-injection/index.html @@ -3067,6 +3067,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/web-exploitation/cross-site-request-forgery/what-is-cross-site-request-forgery/index.html b/web-exploitation/cross-site-request-forgery/what-is-cross-site-request-forgery/index.html index c73e93cf..1b290ce7 100644 --- a/web-exploitation/cross-site-request-forgery/what-is-cross-site-request-forgery/index.html +++ b/web-exploitation/cross-site-request-forgery/what-is-cross-site-request-forgery/index.html @@ -3058,6 +3058,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/web-exploitation/cross-site-scripting/what-is-cross-site-scripting/index.html b/web-exploitation/cross-site-scripting/what-is-cross-site-scripting/index.html index 029188ff..6e3130f9 100644 --- a/web-exploitation/cross-site-scripting/what-is-cross-site-scripting/index.html +++ b/web-exploitation/cross-site-scripting/what-is-cross-site-scripting/index.html @@ -3019,6 +3019,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/web-exploitation/directory-traversal/what-is-directory-traversal/index.html b/web-exploitation/directory-traversal/what-is-directory-traversal/index.html index 6682900a..b2a26dd8 100644 --- a/web-exploitation/directory-traversal/what-is-directory-traversal/index.html +++ b/web-exploitation/directory-traversal/what-is-directory-traversal/index.html @@ -3019,6 +3019,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/web-exploitation/overview/index.html b/web-exploitation/overview/index.html index c5ff4483..8c825da0 100644 --- a/web-exploitation/overview/index.html +++ b/web-exploitation/overview/index.html @@ -3017,6 +3017,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/web-exploitation/php/what-is-php/index.html b/web-exploitation/php/what-is-php/index.html index fd6b89aa..35013f21 100644 --- a/web-exploitation/php/what-is-php/index.html +++ b/web-exploitation/php/what-is-php/index.html @@ -3166,6 +3166,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/web-exploitation/server-side-request-forgery/what-is-server-side-request-forgery/index.html b/web-exploitation/server-side-request-forgery/what-is-server-side-request-forgery/index.html index d99196d0..61acca44 100644 --- a/web-exploitation/server-side-request-forgery/what-is-server-side-request-forgery/index.html +++ b/web-exploitation/server-side-request-forgery/what-is-server-side-request-forgery/index.html @@ -3019,6 +3019,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + + diff --git a/web-exploitation/sql-injection/what-is-sql-injection/index.html b/web-exploitation/sql-injection/what-is-sql-injection/index.html index 8ca04fa1..fdb870ae 100644 --- a/web-exploitation/sql-injection/what-is-sql-injection/index.html +++ b/web-exploitation/sql-injection/what-is-sql-injection/index.html @@ -3019,6 +3019,113 @@ + + + + + + + + + + + +
  • + + + + + + + + + + + +
  • + + +