==Phrack Inc.== Volume 0x0b, Issue 0x3a, Phile #0x05 of 0x0e |=----=[ Armouring the ELF: Binary encryption on the UNIX platform ]=----=| |=-----------------------------------------------------------------------=| |=-------=[ grugq , scut ]=------=| --[ Contents - Introduction - Why encrypt? - What is binary encryption? - The threat - ELF format - ELF headers - ELF sections - ELF segments - ELF support and history - ELF loading - ELF loading - Linux - ELF Linux - auxiliary vectors - ELF mapping - Binary encryption theory - Runtime decryption techniques - ELF parasite approach - Packing/Userspace ELF loader - The future - References --[ Introduction The UNIX world has lagged far behind the Microsoft world (including both MS-DOS and MS Windows) in the twin realms of binary protection and reverse engineering. The variety and types of binary protection are a major area of difference. MS Windows PE binaries can be encrypted, packed, wrapped, and thoroughly obfuscated, and then decrypted, unpacked, unwrapped, and reconstructed. Conversely, the best that can be done to a UNIX ELF binary is stripping the debugging symbol table. There are no deconstructors, no wrappers, no encrypters, and only a single packer (UPX [12], aimed at decreasing disk space, not increasing protection) for the ELF. Clearly the UNIX ELF binary is naked compared to the powerful protections afforded the Windows PE binary format. The quantity and quality of reverse engineering tools are other key areas of significant gulf. The runtime environment of the PE binary, and indeed the very operating system it executes on, is at the mercy of the brilliant debugger SoftICE. Meanwhile the running ELF can only be examined one word at a time via the crippled system call ptrace(), imperfectly interfaced via adb and its brain dead cousin: gdb. The procfs, on those systems on which it is present, typically only provides the ability to examine a process rather than control it. Indeed, the UNIX world is an unrealised nightmare for the UNIX reverse engineer. Unrealised because up until now no one has bothered to protect an ELF binary. --[ Why encrypt? The prime motivator for protecting files on MS platforms has been to enforce copy protection in a failed attempt to ensure payment for shareware applications. As of now, there is no such motivation on the UNIX side, but there are other reasons to protect binaries. From the viewpoint of an attacker the reasons to protect binaries can be listed as: - hindering forensic analysis in case of detection - hindering copying of confidential data (possibly by other attackers or commercially motivated forensic investigators*) - adding functionality to the protected binary From the point of view of a defender, there are also good reasons to protect binaries. These can be enumerated as - adding a level of authorization checks - hindering analysis of customised intrusion detection tools (tools that an attacker might figure out how to evade, were they to discover their purpose) - adding functionality to the protected binary The need to protect binaries from analysis in the UNIX world has clearly surfaced. * Certain big five companies sell their collections of recovered exploits for an annual fee. --[ What is binary encryption? The reasons to protect a binary are clear, now we have to come up with a good design for the protection itself. When we talk of protecting binaries it is important to know what sort of protection we expect to achieve; we must define our requirements. The requirements for this implementation are as follows: - Only authorised individuals may execute the binary. - The on disk binary must be immune for all methods of static analysis which might reveal anything substantial about the purposes/methods of the binary. - The process image of the binary, something that unfortunately cannot be hidden, must obscure the purposes/methods of the binary. - The mechanism for protecting the binary must be production quality, being both robust and reliable. The best mechanism to fulfill all of these requirements is with some form of encryption. We know enough of what we want that we can now define the term "binary encryption" as the process of protecting a binary from reverse engineering and analysis, while keeping it intact and executeable to the underlying operating system. Thus, when we talk of binary encryption we refer to a robust security mechanism for protecting binaries. --[ The threat Today most of the so called "forensic analysts" have very few tools and knowledge at hand to counter anything more sophisticated than rm, strip and some uncautious attacker. This has been demostrated in the public analysis of the x2 binary [14]. Two seminal forensic investigators have been completely stumped by a relatively simple binary protection. It is worth mentioning that two private reverse engineers reversed the x2 binary to C source code in approximately one day. The Unix forensic investigater has an extremely limited range of tools at her disposal for analysis of a compromised machine. These tools tend to be targeted at debugging a misbehaving system, rather than analysing a compromised system. While locate, find, lsof and netstat are fine when attempting to keep a production system from falling over, when it comes to investigating a breakin, they fall short on usefulness. Even TCT is severly limited in its capabilities (although that is the subject of another paper). If the broad analysis of an entire system is so impaired, binary analysis is even more so. The forensic analyst is equiped with tools designed to debug binaries straight from the back end of an accomidating compiler, not the hostile binaries packaged by a crafty attacker. The list of tools is short, but for completeness presented here: strings, objdump, readelf, ltrace, strace, and gdb. These tools are all based on two flawed interfaces: libbfd and ptrace(). There are superior tools currently in development, but they are primarily intended for, and used by, Unix reverse engineers and other individuals with "alternative" motivations. Barring these private reverse engineering applications, no Unix tools exist to tackle sophisticated hostile code. This is because the basic Unix debugging hooks are very limited. The ubiquitus ptrace() can be easily subverted and confused, and while /proc interface is more feature rich, it is not uniform across platforms. Additionally the /proc debugging interface typically provides only information about the runtime environment of a process, not control over its exectuion. Even the most sophisticated procfs need not be of any help to the analyst, if the binary is sufficiently protected. That said, there has been some slight improvement in the quality of analysis tools. The powerful Windows only disassembler - IDA - now provides complete support for the ELF binary format. Indeed, with the latest release IDA can finally handle ELF binaries without a section header table (thanks Ilfak). These improvements in the available tools are meaningless however, unless there is an accompanying increase in knowledge and skill for the forensic analysers. Given that there are almost no skilled reverse engineers in forensic analysis (based on the published material one could easily conclude that there are none), the hackers will have the upper hand at the start of this arms race. As the underground world struggles with with the issue of leaking exploits and full vs. non disclusure, more hackers will see binary encryption as a means of securing their intellectual property. Simultaneously the security community is going to be exposed to more encrypted binaries, and will have to learn to analyse a hostile binary. --[ ELF format The 'Executeable and Linking Format' is a standardized file format for executeable code. It is mostly used for executeable files (ET_EXEC) or for shared libraries (ET_DYN). Currently almost all modern Unix variants support the ELF format for its portability, standardized features and designed-from-scratch cleaness. The actual version of the ELF standard is 1.2. There are multiple documents covering the standard, see [1]. The ELF binary format was designed to meet the requirements of both linkers (typically used during compile time) and loaders (typically used only during run time). This nessicitated the incorporation of two distinct interfaces to describe the data contained within the binary file. These two interfaces have no dependancy on each other. This section will act as a brief introduction to both interfaces of the ELF. --[ ELF headers An ELF file must contain at a minimum an ELF header. The ELF header contains information regarding how the contents of the binary file should be interpreted, as well as the locations of the other structures describing the binary. The ELF header starts at offset 0 within the file, and has the following format: #define EI_NIDENT (16) typedef struct { unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */ Elf32_Half e_type; /* Object file type */ Elf32_Half e_machine; /* Architecture */ Elf32_Word e_version; /* Object file version */ Elf32_Addr e_entry; /* Entry point virtual address */ Elf32_Off e_phoff; /* Program header table file offset */ Elf32_Off e_shoff; /* Section header table file offset */ Elf32_Word e_flags; /* Processor-specific flags */ Elf32_Half e_ehsize; /* ELF header size in bytes */ Elf32_Half e_phentsize; /* Program header table entry size */ Elf32_Half e_phnum; /* Program header table entry count */ Elf32_Half e_shentsize; /* Section header table entry size */ Elf32_Half e_shnum; /* Section header table entry count */ Elf32_Half e_shstrndx; /* Section header string table index */ } Elf32_Ehdr; The fields are explained in detail below: * e_ident has certain known offsets that contain information about how to treat and interpret the binary. Be warned that Linux defines additional indices and values that are not contained in the SysV ABI, and are therefore non-portable. These are the official known offsets, and their potential values: #define EI_MAG0 0 /* File identification byte 0 index */ #define ELFMAG0 0x7f /* Magic number byte 0 */ #define EI_MAG1 1 /* File identification byte 1 index */ #define ELFMAG1 'E' /* Magic number byte 1 */ #define EI_MAG2 2 /* File identification byte 2 index */ #define ELFMAG2 'L' /* Magic number byte 2 */ #define EI_MAG3 3 /* File identification byte 3 index */ #define ELFMAG3 'F' /* Magic number byte 3 */ #define EI_CLASS 4 /* File class byte index */ #define ELFCLASSNONE 0 /* Invalid class */ #define ELFCLASS32 1 /* 32-bit objects */ #define ELFCLASS64 2 /* 64-bit objects */ #define EI_DATA 5 /* Data encoding byte index */ #define ELFDATANONE 0 /* Invalid data encoding */ #define ELFDATA2LSB 1 /* 2's complement, little endian */ #define ELFDATA2MSB 2 /* 2's complement, big endian */ #define EI_VERSION 6 /* File version byte index */ #define EV_CURRENT 1 /* Value must be EV_CURRENT */ * e_type describes how the binary is intended to be utilised. The following are legal values: #define ET_NONE 0 /* No file type */ #define ET_REL 1 /* Relocatable file */ #define ET_EXEC 2 /* Executable file */ #define ET_DYN 3 /* Shared object file */ #define ET_CORE 4 /* Core file */ * e_machine indicates for which architecture the object file is intended. The following is a short list of the most common values: #define EM_SPARC 2 /* SUN SPARC */ #define EM_386 3 /* Intel 80386 */ #define EM_SPARCV9 43 /* SPARC v9 64-bit */ #define EM_IA_64 50 /* Intel Merced */ * e_version indicates which version of ELF the object file conforms too. Currently it must be set to EV_CURRENT, identical to e_ident[EI_VERSION]. * e_entry contains the relative virtual address of the entry point to the binary. This is traditionally the function _start() which is located at the start of the .text section (see below). This field only has meaning for ET_EXEC objects. * e_phoff conatins the offset from the start of the file to the first Program Header (see below). This field is only meaningful in ET_EXEC and ET_DYN objects. * e_shoff contains the offset from the start of the file to the first Section Header (see below). This field is always useful to the reverse engineer, but only required on ET_REL files. * e_flags contains processor specific flags. This field is not used on i386 or SPARC systems, so it can be safely ignored. * e_ehsize contains the size of the ELF header. This is for error checking and should be set to sizeof(Elf32_Ehdr). * e_phentsize contains the size of a Program Header. This is for error checking and should be set to sizeof(Elf32_Phdr). * e_phnum contains the number of Program headers. The program header table is an array of Elf32_Phdr with e_phnum elements. * e_shentsize contains the size of a Section Header. This is for error checking and should be set to sizeof(Elf32_Shdr). * e_shnum contains the number of Section headers. The section header table is an array of Elf32_Shdr with e_shnum elements. * e_shstrndx contains the index within the section header table of the section containing the string table of section names (see below). The following two sections describe in detail the linking interface and the execution interface to the ELF, respectively. --[ ELF Sections The interface used when linking multiple object files together is the Section interface. The binary file is viewed as an collection of sections; each an array of bytes of which no byte may reside in more than one secion. The contents of a section may be interpreted in any way by the inspecting application, although there is helper information to enable an application to correctly interpret a section's contents. Each section is described by a section header, contained within a section header table typically located at the end of the object. The section header table is an array of section headers in arbitrary order, although usually in the same order as they appear in the file, with the only exeption being that the zeroeth entry is the NULL section: a section which is set to 0 and doesn't describe any part of the binary. Each section header has the following format: typedef struct { Elf32_Word sh_name; /* Section name (string tbl index) */ Elf32_Word sh_type; /* Section type */ Elf32_Word sh_flags; /* Section flags */ Elf32_Addr sh_addr; /* Section virtual addr at execution */ Elf32_Off sh_offset; /* Section file offset */ Elf32_Word sh_size; /* Section size in bytes */ Elf32_Word sh_link; /* Link to another section */ Elf32_Word sh_info; /* Additional section information */ Elf32_Word sh_addralign; /* Section alignment */ Elf32_Word sh_entsize; /* Entry size if section holds table */ } Elf32_Shdr; The fields of the section header have the following meanings: * sh_name contains an index into the section contents of the e_shstrndx string table. This index is the start of a null terminated string to be used as the name of the section. There are reserved names, the most important being: .text Executable object code .rodata Read only strings .data Initialised "static" data .bss Zero initialized "static" data, and the base of the heap * sh_type contains the section type, helping the inspecting application to determine how to interpret the sections contents. The following are legal values: #define SHT_NULL 0 /* Section header table entry unused */ #define SHT_PROGBITS 1 /* Program data */ #define SHT_SYMTAB 2 /* Symbol table */ #define SHT_STRTAB 3 /* String table */ #define SHT_RELA 4 /* Relocation entries with addends */ #define SHT_HASH 5 /* Symbol hash table */ #define SHT_DYNAMIC 6 /* Dynamic linking information */ #define SHT_NOTE 7 /* Notes */ #define SHT_NOBITS 8 /* Program space with no data (bss) */ #define SHT_REL 9 /* Relocation entries, no addends */ #define SHT_SHLIB 10 /* Reserved */ #define SHT_DYNSYM 11 /* Dynamic linker symbol table */ * sh_flags contains a bitmap defining how the contents of the section are to be treated at run time. Any bitwise OR'd value of the following is legal: #define SHF_WRITE (1 << 0) /* Writable */ #define SHF_ALLOC (1 << 1) /* Occupies memory during execution */ #define SHF_EXECINSTR (1 << 2) /* Executable */ * sh_addr contains the relative virtual address of the section during runtime. * sh_offset contains the offset from the start of the file to the first byte of the section. * sh_size contains the size in bytes of the section. * sh_link is used to link associated sections together. This is typically used to link a string table to a section whose contents require a string table for correct intepretation, e.g. symbol tables. * sh_info is a used to contain extra information to aid in link editing. This field has exactly two uses, indicating which section a relocation applies to for SHT_REL[A] sections, and holding the maximum number of elements plus one within a symbol table. * sh_addralign contains the alignment requirement of section contents, typically 0/1 (both meaning no alignment) or 4. * sh_entsize, if the section holds a table, contains the size of each element. Used for error checking. --[ ELF Segments The ELF segment interface is used to during the creation of a process image. Each segment, a contiguous stream of bytes, (not to be confused with a memory segment, i.e. one page) is described by a program header. The program headers are contained in a program header table described by the ELF header. This table can be located anywhere, but is typically located immediately after the ELF header *. The program header is now described in depth: typedef struct { Elf32_Word p_type; /* Segment type */ Elf32_Off p_offset; /* Segment file offset */ Elf32_Addr p_vaddr; /* Segment virtual address */ Elf32_Addr p_paddr; /* Segment physical address */ Elf32_Word p_filesz; /* Segment size in file */ Elf32_Word p_memsz; /* Segment size in memory */ Elf32_Word p_flags; /* Segment flags */ Elf32_Word p_align; /* Segment alignment */ } Elf32_Phdr; The fields have the following meanings: * p_type describes how to treat the contents of a segment. The following are legal values: #define PT_NULL 0 /* Program header table entry unused */ #define PT_LOAD 1 /* Loadable program segment */ #define PT_DYNAMIC 2 /* Dynamic linking information */ #define PT_INTERP 3 /* Program interpreter */ #define PT_NOTE 4 /* Auxiliary information */ #define PT_SHLIB 5 /* Reserved */ #define PT_PHDR 6 /* Entry for header table itself */ * p_offset contains the offset within the file of the first byte of the segment. * p_vaddr contains the realtive virtual address the segment expects to be loaded into memory at. * p_paddr contains the physical address of the segment expects to be loaded into memory at. This field has no meaning unless the hardware supports and requires this information. Typically this field is set to either 0 or the same value as p_vaddr. * p_filesz contains the size in bytes of the segment within the file. * p_memsz contains the size in bytes of the segment once loaded into memory. If the segment has a larger p_memsz than p_filesz, the remaining space is initialised to 0. This is the mechanism used to create the .bss during program loading. * p_flags contains the memory protection flags for the segment once loaded. Any bit wise OR'd combination of following are legal values: #define PF_X (1 << 0) /* Segment is executable */ #define PF_W (1 << 1) /* Segment is writable */ #define PF_R (1 << 2) /* Segment is readable */ * p_align contains the alignment for the segment in memory. If the segment is of type PT_LOAD, then the alignment will be the expected page size. * FreeBSD's dynamic linker requires the program header table to be located within the first page (4096 bytes) of the binary. --[ ELF format - support and history The ELF format has widely gained acceptance as a reliable and mature executeable format. It is flexible, being able to support different architectures, 32 and 64 bit alike, without compromising too much of its design. As of now, the following systems support the ELF format: DGUX | ELF, ?, ? FreeBSD | ELF, 32/64 bit, little/big endian IRIX | ELF, 64 bit, big endian Linux | ELF, 32/64 bit, little/big endian NetBSD | ELF, 32/64 bit, little/big endian Solaris | ELF, 32/64 bit, little/big endian UnixWare | ELF, 32 bit, little endian The 32/64 bit differences on a single system is due to different architectures the operating systems is able to run on. --[ ELF loading An ELF binary is loaded by mapping all PT_LOAD segments into memory at the correct locations (p_vaddr), the binary is checked for library dependancies and if they exist those libraries are loaded. Finally, any relocations that need to be done are performed, and control is transfered to the main executable's entry point. The accompanying code in load.c demonstrates one method of doing this (based on the GNU dynamic linker). --[ ELF loading - Linux Once the userspace receives control, we have this situation: - All PT_LOAD segments of the binary, or if its dynamicly linked: the dynamic linker, are mapped properly - Entry point: In case there is a PT_INTERP segment, the program counter is set to the entry point of the program interpreter. - Entry point: In case there is no PT_INTERP segment, the program counter is initialized to the ELF header's entry point. - The top of the stack is initialized with important data, see below. When the userspace receives control, the stack layout has a fixed format. The rough order is this: The detailed layout, assuming IA32 architecture, is this (Linux kernel series 2.2/2.4): position content size (bytes) + comment ------------------------------------------------------------------------ stack pointer -> [ argc = number of args ] 4 [ argv[0] (pointer) ] 4 (program name) [ argv[1] (pointer) ] 4 [ argv[..] (pointer) ] 4 * x [ argv[n - 1] (pointer) ] 4 [ argv[n] (pointer) ] 4 (= NULL) [ envp[0] (pointer) ] 4 [ envp[1] (pointer) ] 4 [ envp[..] (pointer) ] 4 [ envp[term] (pointer) ] 4 (= NULL) [ auxv[0] (Elf32_auxv_t) ] 8 [ auxv[1] (Elf32_auxv_t) ] 8 [ auxv[..] (Elf32_auxv_t) ] 8 [ auxv[term] (Elf32_auxv_t) ] 8 (= AT_NULL vector) [ padding ] 0 - 16 [ argument ASCIIZ strings ] >= 0 [ environment ASCIIZ str. ] >= 0 (0xbffffffc) [ end marker ] 4 (= NULL) (0xc0000000) < top of stack > 0 (virtual) ------------------------------------------------------------------------ When the runtime linker (rtld) has done its duty of mapping and resolving all the required libraries and symbols, it does some initialization work and hands over the control to the real program entry point afterwards. As this happens, the conditions are: - All required libraries mapped from 0x40000000 on - All CPU registers set to zero, except the stack pointer ($sp) and the program counter ($eip/$ip or $pc). The ABI may specify further initial values, the i386 ABI requires that %edx is set to the address of the DT_FINI function. --[ ELF loading - auxiliary vectors (Elf32_auxv_t). The stack initialization is somewhat familar for a C programmer, since he knows the argc, argv and environment pointers from the parameters of his 'main' function. It gets called by the C compiler support code with exactly this parameters: main (argc, &argv[0], &envp[0]); However, what is more of a mystery, and usually not discussed at all, is the array of 'Elf32_auxv_t' vectors. The structure is defined in the elf.h include file: typedef struct { int a_type; /* Entry type */ union { long int a_val; /* Integer value */ void *a_ptr; /* Pointer value */ void (*a_fcn) (void); /* Function pointer value */ } a_un; } Elf32_auxv_t; It is a generic type-to-value relationship structure used to transfer very important data from kernelspace to userspace. The array is initialized on any successful execution, but normally it is used only by the program interpreter. Lets take a look on the 'a_type' values, which define what kind of data the structure contains. The types are found in the 'elf.h' file, and although each architecture implementing the ELF standard is free to define them, there are a lot of similarities among them. The following list is from a Linux 2.4 kernel. /* Legal values for a_type (entry type). */ #define AT_NULL 0 /* End of vector */ #define AT_IGNORE 1 /* Entry should be ignored */ #define AT_EXECFD 2 /* File descriptor of program */ #define AT_PHDR 3 /* Program headers for program */ #define AT_PHENT 4 /* Size of program header entry */ #define AT_PHNUM 5 /* Number of program headers */ #define AT_PAGESZ 6 /* System page size */ #define AT_BASE 7 /* Base address of interpreter */ #define AT_FLAGS 8 /* Flags */ #define AT_ENTRY 9 /* Entry point of program */ #define AT_NOTELF 10 /* Program is not ELF */ #define AT_UID 11 /* Real uid */ #define AT_EUID 12 /* Effective uid */ #define AT_GID 13 /* Real gid */ #define AT_EGID 14 /* Effective gid */ #define AT_CLKTCK 17 /* Frequency of times() */ Some types are mandatory for the runtime dynamic linker, while some are merely candy and remain unused. Also, the kernel does not have to use every type, infact, the order and occurance of the elements are subject to change across different kernel versions. This turns out to be important when writing our own userspace ELF loader, since the runtime dynamic linker may expect a certain format, or even worse, the headers we receive by the kernel ourselves are in different order on different systems (Linux 2.2 to 2.4 changed behaviour, for example). Anyway, if we stick to a few simple rules when parsing and setting up the headers, few things can go wrong: - Always skip sizeof(Elf32_auxv_t) bytes at a time - Skip any unknown AT_* type - Ignore AT_IGNORE types - Stop processing only at AT_NULL vector On Linux, the runtime linker requires the following Elf32_auxv_t structures: AT_PHDR, a pointer to the program headers of the executeable AT_PHENT, set to 'e_phentsize' element of the ELF header (constant) AT_PHNUM, number of program headers, 'e_phnum' from ELF header AT_PAGESZ, set to constant 'PAGE_SIZE' (4096 on x86) AT_ENTRY, real entry point of the executeable (from ELF header) On other architectures there are similar requirements for very important auxiliary vectors, with which the runtime linker would not be able to work. Some further details about the way Linux starts up an executeable can be found at [11]. --[ Binary encryption theory There is nothing new about encrypting binaries, indeed since the 1980's there have been various mechanisms developed for protecting binaries on personal computers. The most active developers of binary protections have been virus writers and shareware developers. While these techniques have evolved with advances in processing power and operating system architecture, most of the basic concepts remain the same. Essentially a plaintext decryption engine will execute first and it will decrypt the next encrypted section of code, this might be the main .text, or it might be another decryption engine. Barring a flawed and easily cracked encryption technique (e.g. XOR with a fixed value), the first plaintext decryptor is the usually the weak point of any encrypted binary. Due to this weakness, a number of various methods have been developed for making the initial decryption engine as difficult to reverse engineer as possible. The following is just a brief list of methods that have been used to protect the initial decryption engine: * Self Modifying Code: Code which alters itself during run time, so that analysis of the binary file on disk is different from analysis of the memory image. * Polymorphic Engines: Creates a unique decryption engine each time it is used so that it is more difficult to compare two files. Also, it is slightly more difficult to reverse engineer. * Anti-Disassembling/Debugging tricks: Tricks which attempt to confuse the tools being used by the reverse engineer. This makes it difficult for the analyst to discover what the object code is doing. The following is a short list of encryption methods that have been used to protect the main object code of the executable: * XOR: The favourite of any aspiring hacker, xor is frequently used to obfuscate code with a simple encryption. These are usually very easily broken, but extend slightly the time it takes to reverse engineer. * Stream Ciphers: Ideal for binary encryption, these are usually strong, small and can decrypt an arbitray number of bytes. A binary properly encrypted with a stream cipher is impregnable to analysis. * Block Ciphers: These are more awkward to use for binary encryption because of the block alignment requirements. * Virtual CPUs: A painstaking and powerful method of securing a binary. The object code actually runs on a virual CPU that needs to be independantly analysed first. Very painful for a reverse engineer (and also the developer). There are even mechanisms to keep the plaintext as safe as possible in memory. Here is a partial list of some of these mechanisms: * Running Line Code: This is when only the code immediately needed is decrypted, and then encrypted again after use. CPU intensive, but extremely difficult to analyse. * Proprietary Binary Formats: If the object code is stored in an unknown format, it is quite difficult for the reverse engineer to determine what is data and what is text. --[ Runtime encryption techniques --[ The virus approach Adding code to an ELF executeable is far from being new. There have been known ELF viruses since about 1997, and Silvio was the first to publish about it [2], [3]. One nasty property about the ELF format is its "easy loading" design goal. The program headers and the associated segments map directly into the memory, speeding up the preparation of the executeable when executing it. The way its implemented in the ELF format makes it difficult to change the file layout after linking. To add code or to modify the basic structure becomes nearly impossible, since a lot of hardcoded values cannot be adjusted without knowing the pre-linking information, such as relocation information, symbols, section headers and the like. But most of such information is either gone in the binary or incomplete. Even with such information, modifying the structure of the ELF executeable is difficult (without using a sophisticated library such as libbfd). For an in-depth discussion about reducing the pain when modifying shared libraries with most of the symbol information intact, klog has written an article about it [4]. Because of this difficulties, most attempts in the past have focused on exploiting 'gaps' within the ELF binary, that get mapped into memory when loading it, but remain unused. Such areas are needed to align the memory on pages. As mentioned earlier, ELF has been designed for fast loading, and this alignment in the file guarantees a one-to-one mapping of the file into the memory. Also, as we will see below, this alignment allows easy implementation of page-wise granularity for read, write and execution permission. So the 'usual' ELF virus searches through the host executeable for such gaps, and in case a sufficient large area has been found it writes a copy of itself into it. Afterwards it redirects the execution flow of the program to its own area, often by just modifying the program entry point in the ELF header. There have been numerous examples for such viruses, most notable the 'VIT' [5] and 'Brundle-Fly' [6] virii. While this approach works moderatly well in practice, it cannot infect every ET_EXEC ELF executeable. The page size (PAGE_SIZE) on a UNIX system is often 4096, and since the padding can take up at max a whole page, the chances of finding a possible gap is dependant on the virus size and the host executeable. An average virus of the above type takes about 2000 bytes and hence can infect only about 50 percent of all executeables. While for virii this adds some non-deterministic fun and does not really matter, for reliable binary encryption this approach has serious drawbacks. However, there have been mad people using this approach for basic binary encryption purposes. The program which does this is called dacryfile. There is a demonstration copy of dacryfile* available from [7]. Dacryfile uses a data injected parasite to perform the run time decryption of the host file. While dacryfile is undocumented, a limited amount of information is provided here for the curious. Dacryfile is a collection of tools which implement the following concept. The host file is encrypted from the start of the .text section, to the end of the .text segment. The file now has its object code and its read only data protected by encryption, while all its data and dynamic objects are open to inspection. The host file is injected with a parasite that will perform the runtime decryption. This parasite can be of arbitrary size because it is appended to the end of the .data segment. The default link map of a gcc produced Linux ELF has the .dynamic section as the last prior to the .bss section. The .dynamic section is an array of Elf32_Dyn structures, terminated by a NULL struct tag. Therefore, regardless of how big the .dynamic section, processing of its contents will halt when the terminating Elf32_Dyn struct is encountered. A parasite can be injected at the end of the section without damaging the host file in any way. The dacryfile program "inject" appends the .text section from a parasite object file onto the .dynamic section of a host binary. The parasite itself is fairly simple, utilising the subversive dynamic linking Linux library to access libc functions, and rc4 to decrypt the host. The dacryfile collection is unsupported and undocumented, it and all other first generation binary encryptors, are a dead end. However, a dacryfile protected binary will be extremely immune from the recent pitiful attempts at reverse engineering by the forensic experts. Provided the encryption passphrase remains secret, and is strong enough to withstand a brute force attack, a dacryfile protect binary will keep is its object code or read-only data secure from examination. The dynamic string table will still be available, but that will provide limited information about the functionality of the binary. Also included with the article is a stripped down but functional loader of the burneye runtime encryption program. It is commented and should work just fine. * dacryphilia is a fetish in which one gains sexual arousal through the tears of one's partner. --[ Packing/Userspace ELF loader The most flexible approach to wrap an executeable has been invented by the developers of the UPX packer [12], by John Reiser to be exact :). They load the binary in userspace, much like the kernel does it. When done properly there is no visible change in behaviour to the wrapped program, while it has no constrains on either the wrapper or the wrapped executeable, as the techniques mentioned before have. So this is the way we want to encrypt binaries, by loading them from userspace. Normally the kernel is responsible for loading the ELF executeable into memory, setting page permissions and allocating storage. Then it passes control to the code in the executeable. On todays system this is not fully true anymore. The kernel still does a lot of initial work, but then interacts with a userspace runtime linker (rtld) to resolve libraries dependancies, symbols and linking preparations. Only after the rtld has done the whole backstage work, control is passed to the real programs entry point. The program finds itself in a healthy environment with all library symbols resolved, well prepared memory layout and a carefully watching runtime linker in the background. In normal system use this is a very hidden operation and since it works so smooth nobody really cares. But as we are going to write a userspace ELF loader, we have to mess with the details. To get a rough impression, just write a simple "hello world" program in C, compile it, and instead of just running it, do a strace on it. Ever wondered what happens as so many syscalls are issued by your one-line executeable? This is the runtime linker in action, trying to resolve your 'printf' symbol after it mapped the entire C library into memory and prepared the page permissions. A lot of interesting details about the history of linkers and program loading can be found in [8]. --[ The future Forensic work on binary executeables will become very difficult, and most of the people who do forensics nowadays will drop out of the field. Most likely some people from the reverse engineering 'scene' will convert more to network security and become forensics. There are promising approaches to incorporating decompilation and data/code flow analysis techniques into binary encryption to implement further protections against tampering, analyzing and deprotecting such binaries. The strength of the next protections will rely on the missing debug interfaces on most UNIX's, that are able to deal with hostile code. The generation of protections that come afterwards will rely solely on their sophisticated obfuscation approaches to deny attempts of static and dead-listing type of analysis. There are approaches to replace the overtaxed ptrace interface [9] with more powerful debug interfaces that can deal with hostile code. Also work on kernel space debuggers has been done, such as the Pice debugger [10]. Aside from poor debugging tools and bad debugging hooks, the only thing that can be used to armour the run time binary is heavy obfuscation that will make it harder for a reverse engineer to see what is actually going on. You have to remember that a reverse engineer can see each atomic operation that is performed, as well as what is going on in memory (i.e. change variables, new mmaps, read()s, etc. etc. If this is to be defeated, they need to be swamped with information. They need to be so bady off that they cry about each time they have to restart their debuggers! --[ References [1] Tool Interface Standard, Executeable and Linking Format, Version 1.2 http://segfault.net/~scut/cpu/generic/TIS-ELF_v1.2.pdf http://www.caldera.com/developers/gabi/latest/contents.html http://www.caldera.com/developers/devspecs/gabi41.pdf additional per-architecture information is available from http://www.caldera.com/developers/devspecs/ [2] Silvio Cesare, Unix viruses http://www.big.net.au/~silvio/unix-viruses.txt [3] Silvio Cesare, Unix ELF parasites and virus http://www.big.net.au/~silvio/elf-pv.txt [4] klog, Phrack #56 article 9, Backdooring binary objects http://www.phrack.org/show.php?p=56&a=9 [5] Silvio Cesare, The 'VIT' virus http://www.big.net.au/~silvio/vit.html [6] Konrad Rieck, Konrad Kretschmer 'Brundle-Fly', a good-natured Linux ELF virus http://www.roqe.org/brundle-fly/ [7] The grugq, dacryfile binary encryptor http://hcunix.7350.org/grugq/src/dacryfile.tgz [8] John R. Levine, Linkers & Loaders ISBN 1-55860-496-0 [9] Linux ptrace man page (see if you can catch the three errors) http://www.die.net/doc/linux/man/man2/ptrace.2.html [10] PrivateICE Linux system level symbolic source debugger http://pice.sourceforge.net/ [11] Konstantin Boldyshev, Startup state of Linux/i386 ELF binary http://linuxassembly.org/startup.html [12] UPX, the Ultimate Packer for eXecutables http://upx.sourceforge.net/ [13] GNU binutils ftp://ftp.gnu.org [14] Forensic analysis of a burneye protected binary http://www.incidents.org/papers/ssh_exploit.pdf http://staff.washington.edu/dittrich/misc/ssh-analysis.txt [15] The grugq, Subversive Dynamic Linking http://hcunix.7350.org/grugq/doc/subversivedl.pdf begin 644 binary-encryption.tar.gz M'XL(`#^^+#P``^S\97`>3;,V"%K,S,S,8#%8S,QD,3,S6,S,;+$LM%@6,S,S M,S/K7MG/^[QPSG=F-F:^V(V-G9:C[^KLK*S$*ZM^M`W,;?0=W.F,;0P=W.V< MS&UM&#[];[\8&5D9V=D_?_S^N?[K[U]C=E8F%B86]@_>3XQ,+,PLGS\1?O[? MK\I_OYP=G?0="`D_.=C:.OT?\?V?O?__TQF[D3)_#'RAH9VMG$T-[4Q-B*TLK4QA?Y=$;H?NE-^""$T,:(E%+$R M86'6%3$S^A!D_''_FR+_AV+WA_+7,M0.QDZ_I_Y9[3^D0A$2VOP6;&AMY$C( M2\A("PT%]4&SUK>S,K8Q=3+[T.@/VP=-W\C(X>/Q8_7?3^9_ M+",@KRNO**$JH"SRKY=V#K9.'^\HY17EE'45102$O?Z,U!0EE$5^V_M;02@H M:L(/[73-K?5-C3]H_S+CXX7=;QT?OPG'ZL][' M@[&-T9^AT8>/_Q[K6UG9&GX\?(B!LC4QT77ZS?@Q^'CV_ENBH]9O!]+Q&>O: MF=DX6^O0$E(36G%#0T-9&UL[&CM1DO_-1TO(Z,;(2$OH:.YA;&M"^9]Z47W, M^@\Y5+]%F-@Z$%*:_W'NAS$?O[\CPTUH3LCSG\P?)!J:WRPT-%1_+'1T-79D)S0YQ^+ZEM]I`HA'2$3U;_/^7#F[Y!2 M_OL*/W/^@_$OJ/P+V7Q3Y3Z'_9/X[HO\# M]^^8>?R[OA_!_B?KQ_@CH/^SB=X?MX^BUG>VCK?Z._Q_U_U;AG_'X MH\0_4N\O)7]'A-[`T9'0T=CP]S[DH]+-;)VMC`@-C`D]C!ULC8WH">U,3$R< MB/Z$Y$^Z6-'0<46L+_P/4_>/H;I/Y`_M^8 M_4]L%?D+6W_CSW_'VX^^\=L3_X#>_]HNC&V<=/^@YX>]O^?_UO_?.]%_6&'W M'PQ_-:9_3S&:?X/`OZ/T?P4O_Q';?X-*0E[>OS'R`WC("8G^O?RI_JVR/ZSX MRZ*/E?Z6_T'YJ$2Z?T>7WXQV#A^.-*$D%OGS^B]17(1D5LZTA+I_X>AOCW]0 M?A/,;K**RFZ"6G*_2Q7U#^0"XVQ@_P^AU0.J;?D?MK`T4L]+LN;2B< M_DS_;8.=\\>^Z`.(B/\X[?<2'SXRHOS;-79_JN0?+O[]\"&3B/<_"?^2_GOJ M'QPV=OR0JO\AUN@ON?_+G+?[RP&_U_R`<4-K.\J_4\G; M""F)Q9VMG6U,;9T="?]L8O](,O_`G]^0]]>I[E_A^!NZ_@VT_@E3OP7_F_M_ ML_X6\]O8WS']CQ#\EN7J8.YD_(\4HB7\7TK\".Z_4/!?DLW_)(VKK8/E7]+^ M#@,CU3^+RUK_`ZS_U)6^@ZGA/W?1'P\N_\130L)_E5O`'%V_%#U`Q<12>>O:I&3E=;X7U3(G\+XRW&$OU'U=R[_9;.CS3]4^5OO M?Q;&WP0J0CH.6D)B,D?Z#\T^>MC?NC']T>W?T.>W^_\YB?N_0-7_N^>__W[^ M-]+_&/Z62?^!D/2F'O_WSYC_Q^=_%B8F)M;_CLQ[Q$3&D!,',0.)SR8] MO;1Q]'UQ?HAL_[0RU-[KJ8*@LB3.PKOV\8*@-\USLNZ?W:FBN_"/IY5979(WF30W^WM7L?6.M M=#;[R]Y`S<_G9_8%0&TQSQ6$H8PGFTM`]>GS/>4"#DPNS@H3^9=YA7G6&@ZDOUN>6;[*W+2MYBDDF^!+:0-3U4\O^$E!V1^'3I9<5,NYL# M<P?C) M[6539.2!36"Z%2QHQS1*X%XZXO2&&VY_Q8T\[,7K3S1K71MCP'.=TL*"@WVT]LZLE$2^MH62`;09$*6T"=>E3ZCN67186 M.GS(;@"T=12^3\^Z/1$+@+5CCS??2$L!@`,;509_(G@%X$5Q@^96EY=C<2EL M'I#UQOL1*OSTW@^N0$M/H0`XLZ9U7(PZ>\@@422+$E1(>P&#M$2H7+ZT3R"@ MFS")O5'5)9D_N+IKS+TQ2_&FB0^?SJ.LMV1"(Q!8V)RFLIKZ M@F"E%WY:6:`BHENPHVT1K:F-P)2#;<*39$MC>"=3'>.WH,1S"ZI'??,44I%$ M#P1E&!"Q%4U$[(;7\W^$E!%,;DG9@PI+1^G)WJ:6X+`8B23L2A0F%JW.F8=- M>^%L]3LM[#9JWK>BSIP,36R(>K;[N1Y"57G9;BWM+WQ9SBB8>0[N:E,\VJ"O M?H@2Z/*%-.%>^!-0J1TE[.V<\!<+BILO[&V&[$]P7-+V2*J\-\HI&OL M'?Q027+E1<]%TX%&[V7/74O#OT>,++N;<=0WD#7M?4+X>]& MUEM<(-[?'SPPRG3;`Y^?H-YU%`S?>D3$+ER`3C),,2K(&P19LY[=JTI=I29Y M;.OHY=(/;*4N]VL@#L[PZ])-Q_#][Y;)NF7%D[4$7U#';V5W\/CF-UBUQM;1 ME'BM[\?#5JFFRWI$VF8LV>BU[N"UM5WHEW7Z1=LXS%UP*CQNI/FI0)B_!0H` M9/@O!!YTVN8D'XZCHG'G-NJ:J/)Y.[KW\=JF2.X36L##0=/,DW(]O[.G.^7[ M3L;=>!S\$'ZSK9MH>?;5(49416Y(>-9XH[LOO/1#E5^/&HGV$7W5[VA)L?W5 M9G)14]RSXO)2(%6"Z*UV\3IO=;A&8E;?0IL[4OE5D+B-*T&,EA*OO$A6QR6# MMGC?7>["B9[!8^S>/0ZQS;)#3("PUMG*NYO9.LE#J\CTK M>@\/FX^BRIP*-%CM;X(:T75OH=O7R;,A-/0T4_A;74TZ=4LT M0$J$#MEIO5^^HSUDZ(T5?=U(WQG5RP#S9@Z$*^_3(5^_;RD*R,(*JR9('??3 M$X95C%]9AZ.F!=)?MC-16BXG3F'E?^+`2/-K^6KU4^G$M1>TL=V'(")&SU-+ MM8QSZ2&J.5D(MQF7$+)FG##4UJ^65387R@YQZV2\.)(A50X+,P?B'%30D!') MHGCL+F`I]N3*-700W)_"1C,@J*^I)`49E7LH]Y'&U-I>K`R4^_XS1QYY.98$ M'NO929PHU\]>1.;IPTE?U*E>9]'F2LRIVW5;+O5>LCJ%BQ/9PXD85JJU5:=U M"BB"N$J'IFO8U2_RDWY,6[='H2M\.[).8G'@E2;H(FZD+>X&@>#HZH^.B4<< MSEI"5PC?Y;_83HL*H/UZ0/%YLD(NC6JQIX,X8BN)"&*; M30D2A;&^!`CB:$0[/%@CT7[)IZ-S2/I)C3^D*-][?M4]N:D0QT!2Z4#9'O@4 MC[JPYJ_4U(0SX#?V$AJ;#?G&7M<_4+'`4U#M3H1O6JU`2JI51=?PC@D_@-8M MHE)`O!C-BL8N:ASW(YCMER;EPNR@T(/EL8PP9;L,[`:Y/P$)$'-4@6F:K!3\ M4O_,F\%]>ZV8&:P99,PAE'"YWYYSD<\Z*-,J+,=/Q:?@X5>BJHE]@T MKI!S6#Q/A_-:'05*=[87:L.R86:1'%;W@U-V3DUUO^@:&$@Z@JMIPQOA0G)! M;*6A4\D2->>::I6]3W3G-KEZ!#NS!X;<5OG@^TB+E]0>^T%CZZO"N6-CQ!51 MG-D/0+`30A,OE-2+FUE`6V-@A\H9AG4!\U3.>1LMOR9A^/1KL[YK):I+@^C< MR_H>\-^_8$1E+1.A[Q6\M( M=ETJO<"(V/-S/ED]%2-^?R'B\56M//79TGO*XN`+(H5QPQ=G)$-D'@A$P<:( MJ$A]004ZCP;%?NQ^',WJ[]@W3C$]*[9F"_-O@9).3V)+[0 M;(>KWPXR14(L@B:2THWQ,S.2Q**!W?0W6*YH9<8X#$64;MINT-+I/*R+V`_Z MR7)]A&UP&+A&N5MLFF<3Q_1##8-ER:\BQ>)*BY&[8QV<]1V;N4A>$R<3TK)D MK=5/:4CA(Y!#Q+F<(3?/E%K]'D#:H[@PVW^PE2E>IS6:=*>'3B\`WMIZ=?21W*7:.=0M3[ M9,*Z?J!0ZU3'1;2JFVJ0R,^O"E;+A+'[-5>;@BI8MS6#:<3")=D5$ MS+R_$.-(,U>@["EA69QH2U(CT1M_=@@3)_'GG_PA^T(0S?S9"K1@=C28%TQ@ M92/I4\_86`L&Q?$@HZ:IH9(BY1[P5TE#9:EC8M*5T\9/'JZ??+S-/ANQP$?& MB2-CS79#)Y9=6ARNM0;'L.9<$;U_]BH8^EPM9!]51K<]6D;B61D=SA.:R]S' MGNN/6Y,+2OW)_Z&W\M%@)_SR^]))SGQ&Q4AT]F@6\X(_L$(P/W/^Y2PXWZIP M0)0#J]GRG%D2^;6%%5#DBU`X^V86QD8_8R];! M[;;1;\!3[^K-]%TC9RE3U4KRZM+YD=2(6=2DCE,.C8:"VI2I#E,.;=6$GL*' M=F/8^!XA[.ZXA1P0QV=*YH)3D,Q*/?M[EV1:FJ.\>8*X&@F)L=F!M_C!K7&Q MDE(/6$UU:096*IK1OX"T(M?VU^#O0L%EE0E%A/5J<*90PGX4]4NNXI"MY;3S28XP='$O&L09V-Q& MU.;`N7R5@37")3W<$2T.4`.EURI,'2NTWZO[):SF=LQB`'#H9:6\*`GUJ M0D\X(8AJ^#I=D6").Y#T:$6;O5'-4D-3'A6JO3R0-+Y)'6]>$DB()[Q=8P%A M**GY[-W??PVV-V3$LX'WU*]<4=V5=VF@NXO_1)4:2GJ4H2K^JM(J&>5ZE]W* M>Y;#RMU69A9/XA9&!?+>/G-Z%(&J5-W7.SW[*FB7A@*][SY%\E)T`PAZC6'9 MJYP+L,%5^?2%VS:1)^>S. M5[+3HUH+JS6F"ZVN$FG;D`]26[%_3WO9:#XHER=(]T.Y6JDNCSEJQ3S7G*,9 MUW]841DK6O-<;4:+,F(9?E*7:"'H&/Y;9,VI8&)RP9X/%2OVX!QD%TYQQ?.* M#=(%ZH7(\+.R>CXZ4G`%5#2EC%*O0>^Q.Y"C?PR*!$FNRJ:]!K3D72`RH[/C@&ZSQ.:CWN0`Q-%M]UDS.:L7-KTKV^I[.\/$^2&])&`I@#^ MZ7Y\3,!+O68B0&UIA3?W%;`6,'SN\47[TT?S=KA2U]J9C$W9&HV4$=%KK)+0D48K%!N]R^)=%$"V1Q! M]#V"3FT6PY]MUO'GD(@V.KQ0`/EO*W"-8Z(5"4:AFK\.,F4SN@A7/?DQ/B[L M^&^@!HI!W?%'<(J`7U&$#8_8$04=4%%7GJ]M75(.H6A!XCM<,D':S(ATBA!8 M>KXL((D?EG&[#Q.T1X@#1TR6?M,*:I[$,'.\J?Z82QLMU!&F58><.?.TV5Z^;\S547Y4) M$L?[HB@A(5D@_'T&JF_XL-2-H"WX!-;ZEE)UJC6`-$\05D7P&4TY466I.>_] M5IV9F*JLCFU(E[R*[IO^?CSFAD,@@OORCZ)N/-!DN`L)4B%%JV_^Y@S)^F1PW M08H-/N!3KGF;B!<++8$("7>X74)H+07P`2>$&5ITAZ5&JM],*H@T!HMZZR>Y MY_VH_D%Y$`R<1TV7B4LLTHL6\!:6._?\K+_0_:[;3^K#&`5Q#X#@;JGO>^CX M`7'R!LC7_KAY`#K6`54/@#]#`,`90."K(1U$"F4/)_=(A`LM435]K^`M\%-*4/(C4WG;)E\&!@_G/ MNU)Z%/JARF5J-5-IL';"UION7V3ROF5TZH[P9$,]16@(5Z5YE`AC4^J?'JBQ2++>*BT1?M)-MZBDQGB>=[TLDN)XW&E6H&5,O-;."2+@@N)'\%3\,A#(F%34]C^]]X2"10(9B]\Q% M_7?[$CUD!V+'>:OWIU^I*S@AK/47T.;K"7EMMZJ?VCQ)O_F#FNUE`!>A_-C4 MX[C+4WA//-IS>!2ZB+23D1VQ'CRP'8+AXVN_L!9.HJ^J6;T2B+ZB3$2.G&)P M*60G9>A`_ZG^-=P=.5$+0MV:)C"#=]%HT+K-OC^ZSV4I,22`CD&M\)8J213 M1PLR`;2,\?[.VJUSN6@/$/+8&ZCQO!D]9?G&:"U*])U!UXJF:$I>)[(K`DFU M)T[6]I.7F)>6U[>)NX<<_(/A8T!Q`8`W%=`HQ.G[DL_7-87")#VD16R-!, M$B:S2/]N:J$5A.Y7;W=;34K@X7+=9\;\Y!&?)":?Y-)O)\[?JHQ>B^/9?!FC M0OI]"QLH!@!`AG2O(6W&_<>9J\OVD./Q2A7 M+&^FDVYZKPL_/*\>""Q?,@%:W(M:,0"QYFC`:*&YDQ4S(_`SMA\9;"<9+U]& M[:Y:L/W.\`7ETNT;FEC1$>D!";$#WJY@%=:K=T(SU[?XH,PY@8,H0.J2CX,7 MR@O5[A>]KDRY-VG7<$MN7RY.I\\@_;4*NR*#IPDK/ZVCR?*[PS:\:QZE4!=% M'V]++75A@V+>_2$A.0EHXSIVUL&OT?(.U\B*KXQJZ# M8A)CB:R.FVZ]81+:\X6+3<@)ZLTK$[I4DKMW4IDS&S;!P@.*_R!8V$N\> MZ&XS").@^<*[J&\;..3;6#ME`1.QJ@;B=5><^,(G1I+R?^,FNX,UR4?"*YEJ M9'DMY?F4F!.1MTFKF-=#[8Y]VM2X_"GG-&[GV=^9EHF8C9LP1G:5,*:_%P?G MZMN"$@?ML&R0$^Q@3J*H^51<-I%.$V-5F'J3F<"YG M2X[OP1Q%)VYW6KU%GR-ZCW0<, MKH1\/KQ1LBK>KFS88E6+4V(:LQ`3BW!1BA9YKO5[6]_1=/\9OSPV=*;]#WD;U5"D[& MN9ZZ!]2[GHU9XTB\OZ/Q]ZE?!2260DCP(M-W$&_#(%QU2,3UAT.`=6UB`'O\G.SC[/]HG,7T+$6!$B[L#( M;[:<*X"*<]F?%49A$;\1W,*@R39U$!A"[%E(/*CC,+TBW.;6U#'Q7W0RESG< MYR2=;+4DKN6,R)^5N4;9@4/:VIV677W!)F'X$#YFKXD M]\=)IK.HI&YT.HLP`[:273'B.4]'LO)H58MDW04,#C+H`.1-9CK3-6Q4!X.` M.;Z=D71-J:,]^I3XD:SYW1KE;7:M;>],B@*`:W:6#V![[\5Z1_5E@[<*L,!I M]*2+<)5S_`;8(A#VD`@15=WXDB")]FHW*!5E4OJ@CQ]P:+2]2YQ&5V*^_*YQ;2+@!3QE'PCD,@I3Y%#A@77[&AH8!GX# MY@WV^7/(UP6SN(:D1PK(0>4S64JV$G+DO=*&7CWI0+*M9^Q+[2_"9PL;/"0_ M+$!_83NA0EH_@[^)-5G$?J%GSB6E7Q8.Y$QQ.Y0T3$<"W8 M.<==X:G@!.U3I=$W0XN?5;GE"I;]3RF_I.K0I83]\G:OR*4[]PR!9H M']QG5P.9;PM?KT,E.QOA3WEW.S4,.]@ID=R MV10(S^?XLBP1T;LE8.:-8\TU+R&SN\5Q/$28[IG'FEM+)Y_N>V;+971-4LTM MGEP8];K:+IM1BE*/G7CT.6@BHS=AR@>9/_*I>RCIFV;Q M>,E?^]/HV5?>MK1R@LN@88UAY9:1N[<2*&8ZR2CX*\N]X[HYE M>CH;%._1DM$H1,_!SV\+E(!V.:BX]0$ M.+#A7["V2O;9AY9TMPWTD(H\9<`\^D[*'?=:OU=;?OG^YM:;C5,'64@<'O-8 ML,9,KSK!6ZEA3==;`72F()FW<339;L4O\S*CX;7U.ENSW>3,;XDO\RE$_)"0 MZ!I*A[2`[SL&^2D)T0,4A#CF8V"/FDM+*;>BDT0WC#TM8J8H[L67SY5,!3BW M=5C4:!YH$TD05&921;F9^,+LU*YYYKSK)U8;J/N0V>R-.1&=TC9V1.B)0H&R MMLDF3.CR'>B0(8GP63.0"Z!J2>9BK2*2_6O&8*Z4#XZ72!E^K_=@2%SJ(YEO MQ=G%4LVD9*.:PAB"*X;@RGQ0XT//@%;V:::D7&)NFT74BC;4AD)^9KZS ML^3&QYS\V,^?"1-=&%!IEHKVTM5`&S6^ZF%O->-F^`SF+E9X)#;=2/-4ZR$D),_BM657JU MPX'O'J:'D>"S&M#T,]>6U[>J!`=Z5JK-C#63`B=B&1V@LJJ+LZ+% MUN,G[P:UD#VZU+E>!/BYII7(G:B_6AFIC=";L+--=+SM7XRKW&E&4L;V_$!] M(G4YO(S``)#5H`JFAJ-@M7_A4.N,4-2HQ"O!@:O#K)W>5W>&6@L5C1;2KW;E METL]3A^OD;WE$?(%SV^V:N_:#)<,M$G! M(_OBTG7W"8A:,8AR6!A\1LQ[0-T5I@&M:`JCO_]'@,F8'B[-?(P`^+`UV@7$ MM68-5RVP#72#TJ;R])F5EIZQA%$Z7[S&^%01OHHD2NM.1@YEIWV=V<>_D M/K@=SA%G9MW2Q`WK2Y^]PIIB$/%DBTQ$6F*OMQ(\C"QXB?ZZ;R0$J=J^0H!> M\`@Y2`Q-P?J4.A95<.,'7F[@^/9I3G.!@:?%#0^26Y^BW5KOQMZ6DZS/MQ[Y M^!=]7HA\^XU-NK`SG??,<%.M/$(.;_MW4XC3D2PA(^(LL*9:>TLBODRZN!)' M8TP`P"SJ\@;5LR4^DC7WVOJ\;#B=5ECU/<7-[!.CPTE7=C8K;%"&DWS"GAFV M+9/ZT>?OMI>M/UKZDF&W.S/,LU;+FD4.D&91>"R=Y+`1UTD/L-&O?LY+*EVF M9]F&K;Y,K;_/S%CD99*G!\^94S'2Y62P6Q8%?0_'44XMY4A9B%`S MF1Z9X4T2A\U<`VDH1QCAG.'QK8!VCEMCS:."H/8>^6):CGQ>P`PW5@H'8%3B MR/!_+PJT3IE,"J0QWJ.^E=I2_X*5ZJ3"Y28[<$%&X)LRB0:V)W"2C0IV[W\2 M6%5]R@D3<>KO#(ZD12Q@L$Z,HT4PU#Q>>\Z.LC>!)-1EU06<6QND3`II@UX,59+)$?!.G'@S#546QXSJ$!@N:'OR M[5"YB3>'#O3%_OVB9*4)U5RT*3N4=MCJJ!!8!L_^V?$<%M:)/FQY(&K*/5J2 M(X4"(!`FK)',\'-*PWE3^6W_I\N.I6M'ALIKFMKV89RC1/E#6ALW*OWC1J6T-Z0%E@!BDR*Y@-FRP@ MD"AVH"<]ESZD>%F(L-`1Q1O&G\A-16$TY-,19C@T=.>0$3)"@IGLK#EKGD@S MZ1=*)V0C?C\@7)I2/^S9,9"L^[B8T27" M#@+P7N-V4`JX:TW-\>%>-F5D(U,2GW16V1"*`\\S;=M_6/+5*D;=S&)P'&M9 MVV:M\/%^L8T>(CO'3L2/YUP(`]YH#3+>-F!K9&`FKNR!;XR$_E[BTS#IW>7][?G7^3$M5B^H MVZKEO0W2KT9&2[7B[;EJ09]LZC=8,J?JTKJ>%/*@5"QN=>=T;>M;,4CA^2;7 M0W@WQ)4Y,1#PZ)T1NG5/X35/&#!_[VYIVGLA,`\LS@P$)>6B=3/ABG=UIJ+; MVM!D_ZY#M\6?H`7/8$R6.BZ$S58`W6%G!X.5;BC3XG,K)C>\B;14XSXI!C1 M:Q'76286EI"-\VSN!3'(K;94[YF>\R820"JUGZT3\5(^W2)N%6'0-V;BRI9X M7@%Y:G&8CIACN'L@I1Q16(+D/:B"67$\5H,PD5FPC$XM#YY&=NI%]I@26=FD MVJ*?I;HS*^R$'=79:4:9U(@?#+%&@34>SAJ"TNF)NM:P]!<9Y46`DOGYQUKH M%79AQS?9#8Z7-EQC-V`6YL,3KR1()/K3_!1>$LY#8M9!@C,I+Y0GYL@EH68C ME`TO4$=VD7>HC%B+;01-$`HTSSN8Z$"I?&)H9L%"IF;D`G'EQPS-'*&V$3W5 MX8PRJ4IAOEVC-HH"'DP'BT6#B$53(Z+QRSPKSM?`[17AFA7U. M!/<^AIC,AICDJQ#T-(3!-T$*B/=0"38W(D;4"5HZ,O-;%LUC(9F1I; MC:%(FT%RUL!-PW%,)PH-G)$^74SBET,:D+^?IP&#`FQ'TPER?LYPV+QI*O0- MI_*R!JL;W/975#0W+<%*6L\.83>]4?U"%U@N=^*WG9A?^&RLJZLU&)%Z4$&= M\%$TC;4HY?[*!2GDY^1[RW?B]IB%79IVLR_U-*0PPDN^3WVK.(!H$0NW;R`< MWP<'^4A/:<1<5^*O@!O"RC.=".FR'AJ@(+;FJM#G05VGV,E;&+4_L8-RL?37 MLDY`9?0QVGYBQ1ZMXC_<6[=XBT+;3_-UG)0C$WA=LCW=`IQ/ZB8GP:];2E8:=P?/GYF7 M>.L.>?J8@5X/ZTO]:6TMN%^/H@H%VI_*U=L*83I%-!W%W[//X-G(S695$+?# M@WCH%0#*03LT/R+!/\UYR`9\C;,N,,9O:DU&?U!C=%%@DT+FC;W+"`YJ5^>` M7'=/HJTPV\OP3P]1*UQ7/_;-;./JUTX[=IU](RELFY9OD'(I+`KPH*VU%'@Y MLG;;XM'Q)UY6%P4 MK'F$AQ4V#R5(BGD96F;+2D:+&T&-SSAPU,[+WDM@(9(4D=ZSODY)J.5!`\^D MT@AFF(L*%@96&J51VV59+I=KR-B#V^>94VE$?"AI_F4JB4T?Z4[K585,<`2- M\W8O2UM450_`[.A@LVD`')[BX3EGO@THJ)WQ6P!T7:]G[PGJW\2L`0HKOG^& M`VLKOH-'/04ZOUC8%J=QD"WD[-)JT7)[@5>C=_$.\9=B%UJ)HY77XR:SA+30 M&A4[W]*3#BO<%D55$G7KYH\2B/E*`)&A\@=\B`AL!QEUU>:#'B0#*(D,O-\: MU-<"8M,O?21.>8V_HV.TPY)>IRXNA3%'ZB%O78E=W'?2*D),5DOF0LE\QQ8F MSDUT5@&[*$VJ`Q2&_&_2@%2X M/`M(].BCBHV8<(D..2\/25,.&#$VC8"#]_6Y8L^,V[7#FUZK;.&,HC#_BN,0 MW@+?E[:&)0O;;(7P2RT9UK'*7F^DD3J[#7!Z-,A`^]X^F%VLFHM"86ILQK!)GBF3W2[BJ#G?KWM3. M),3AH5EJK6EP`[P7];E2<3/S!Z!1F#TX3RC$:_%Q#)225S@OGCEXX3YKB[]V M4HN$502'!.GB]GTC4U/U`)&@.==2L3E*4I=7QV MPD[GL\0,$,QP7S2ANN`L\%6UDDL=A;=7W&Y$]PJQCA*F*Z6`_F)P(DRX+)QG ML3Z4*I`/*GOQUZ>>-)7RS^)31.R-O8C%<^6IGZ>3]>_6NU9EZ]-/;C4+NXN: M^U*`Z5K8NYF;F$H2<_>-R+5D+$VA8>0J+IZRF$ZVU M*SKDBFO6W96Y"C&P*G79E5>:BS2;H03:<.5"X\#R@_6:3\-#SZ@&W+S'':8P MM*6C/-02<:+W(IA.;-ZB`PS8=9(&R=0^`\ZV[ZI[L=.D`97N^K@R`E45.N9O:V5N&2F&=CBT?WBWYFPB#3!N>T!`UO;E< M!98+1RL&J:`3,.XK3&&H%40V#QR>ZBXCCC%M;7W^&6*3`QA.B[.7Q&..A"VP)[9`%4O;.\C[PI5C2&/46`\TWWI]>6J(2HK*S@S9`J=MG1_ONCZ"6^MHT"6[H'0S4Y51=+4F)9&88^ M.`M6+PZJL`O$WAA%M1EDAO`U*CGK4\H*6OZ7TJG+IQS,BYB:G_8=3W-JF4J" M>`D&9`,P)?8:NT(0GUJ>TX68YM.-7=3XP]>((.0,32)@(B M0.ZUPP7AP1)0Y7JMO+#1K^H>,ZX+.'-YRPE8_[H)UE M6O)4N-3GL9IF)9]8(C7^X"F4-0^S5B2YV@1&>6^:Y##H0^FCR$J^.ZDY)M@. M._&J79B&#U62Q-6C,X/O8I%61IVYHJ4V>)NW7&HR+:NW2'Y#S[)>66BH:(;7 M_`%*>-$R_NV'J!7**/0:WHDKT#1*K4[]+7M+B]7-9.,XQ*(ST&OU?MY&@3N2 MUJ7N-.(MN3Q6YOTXCB0XCNEC:TN+`&^T:=IJS4]+KK'W[8D@SX6\<3:W9JY"394IL(T/)/KI8-=-0B*4X+ MO(XXPQ:2#^VA[$?U@2=P7?0N+WZ.4XDM05![5EYSUO2!OMUYR4=E+ MI::US;#XX<<2)1EAG6,&#M2ZIO/>&?5@#+/2XO).FQKP-J>`OQ($LK+2+O1I MCGGN;9I-IEWNPK$N5_?R).3BJ-6JGMKF$AZ$9ONF,YP#OCSTX!O:%6LU<30P MS39Q-3']#]7>7B6N1\5#74N"5O3):/]V.=N?GQ':,(T$-@X$-L3FVE->J%>N M&EWO6G++%";GB`\MD)SN)"95'(74C&6=7:9&ZG5>E:TM.1=B+`3`K4B_MBYV MX7+W:MS,L:EA;P3H>8DPMOL:=7V:B\H?+9,E.TZ9=9.R^VL-9C7??Z%X"`>\J1AV8A5,"+(IRG!^R2'W0)GVV#]JB M/!EJ94)?='2CHKRSMK]:#:K6A9RJ!X8/2NCBS!*:E')Y^$R6.8&+UCM@,4/> M)%+K\_FI?BQV]]7B^F'^HL^]5]<++;=U0I+-V].JY>'G'M?%L_*>K_16N^X2 M`7_C$>`6OL4#X+BXM')!]&[:V`!H21B`Z/KD6JOA;*ZC+3KSON2`'_(3(L\% M,W0KLA$-.HG),C8L_OD4HCR&;N1XD![L12W,R,CH%\YUE@7>:B%#J=C`"1_Y M$F/[L3:@M.4<15NE!3J"B1LVD&+"S26R0/2(H:8&A^*8:(5Z!F>KW[#X@+;Y M$-3,`DW0=3EE0N9A<[*-N4_#7=+ZM<0=$T[5`V5?5*RR((W0&:MH^+5KN9KE=5=,R^?N6V-$R#9M(%3S@9[+>C1>KF_48OB:!ZDEN@`!R09%: MA2195*XM#[_,VUWJTCX$&B5O@TQ[_=X&6^07/@+1K0:_#F>$B^=V^.4QKNHV M39C1D94MCA+RG*SKT$J(:SV^/8:`I$XUK*_);,Y/0/I%.K*:HK3UII'8ZN<1=S(J`H?$G:-..NT(VO/Q6_2_+[(I*3]T9:G(:B'UX MN>E=O2)T_!Z%=@#PQB[LVEO>)=86'0_G'CC=-P`%]]MP=!,'CUQ4W MUS>Y$<#%`[S%ZP>XZ@D5TTKL'#!#H4T:YA*$83H7['BT]ZU>)H6)K,Q7H>&L M$G_F\,%0I=WLU083M7A9X'1X[:A$`NFT]/1Z`C3ZE M$\#8YM]YFN_?_]EX.Q@8^QN3.?H MY&#^^_NS__N?@?T??__UF8V5D>7?OO_Z_?__L+,SLOT_WW_]?^+Z_?U77S'5 MG^^_+%U7V&J>)-^A9ZV1A^*,)%Q.Y\-G?D3'NRW\]+;BM&:_F_HN+FX@\TV3 MSZJLI;GC;1SV$W(!O@N[]7FS:<^,)C)^0%>KZ2>35%'_"7=>66)?MIWU^7Q^ M@#F;:[KG1$Z/:6W]0ZNYS_&!@J-M\=RZC>W%^2FO14.#5L4\R?TK0Z?QEL1. M;QBF)VJ+>8W-JO<;0"Y'/PU@O_N^Q'PI_]YXG^XI@[NPO+ZV\M8-F+BBW?/- M+.CA5X!\1P2XQ@&X6R9;F\LW\8`_-T MZ3PV?+0]A3M3B)I<9WF!QC;N7@X39M"6`U":)-. MK=)+\W!A:=\R^-:-@?DX^/O-B=E0&N"O^>&.XZ;4/IO#1A&7(RCQBWMUM9>* M?U%9X7N[LL4X[4R_U.O/%QWTVJ*X_,8<06"`_D2,]5EPI:'#1(CB7@<<%_^& MM*$C&%W[PB^J>1/I=K/<@]*_&1L$A#@:9%?.A7O+OQG)]5,8DQ,GD`R0.-NG MY49$?@:H'L)D2%COJ=3)89M.O#B!>NOG-ELM)7D:57XC\^T>4HOZ"C/H%>,, M/X")X?'H)L.GZ3%6!QIRN#GK0/;(H7968(9Q7W'4HFALO=SO/VESWV7`PC23 MM#Y]:4!SC.G3ZNWIH@7UM_%68E+77C-@J)DZ-0:"68'F4?6%:,D%:LKBLJO5 M%:['-P&=&4EY(/^6UC)1M/MB)GU?43ZW?4YJA%,:^O;3#Z\)A2)O'>C6I\D` M`H>\$@7.:[MP)FT=D?BVAC&\%QS*.):)8AU82H#>*N/+><8E3J6UMQ(G3_GV M_)CS2;%U(7C?U&"76[\.@1&\,2Y_&%$D9EY&MGYL'@_F MU@])I9JX^WSG>UV#&]/%5/Y-@&M.8[H9H$O?ZPJ0L],<`_`51;6+`=@VK*Q@ M`;16!@%M66<,[X!:GF4,@EV70=5V&2QB=3+K:\K12.@P@7GKJ.MY4T$P#]@F#&Q MT&X7,+MS*I+IYK.8VDK+!O9>O9@,39#^L2U5B`HL5;$Z&UZ1RCX%#I37C\!_@E\D&8D_^E1F]?KKI\+9)]3\ MO866@;'[-=&HIQH(3_-5P-\U"/33.6]I/L]B+BD(N2/>&,C-0V2Y M^G13M^7$/`=$C/3TK/>!L8)<=JQBKA<#EOU\A[%/[@AF`&!OONNK3WD?;@22 M2:!=-PW9LL)_VH&")'Z\G'?=\%:S!?%SJAU@GSBZ+W:0ON]!,X-]12!8I(M/@^G$L7)SX2X< M3A#2C=NV7^!GJVD;:Z5RD1E#.B;>1?!P5OJ&*TKDPM+FH.$5T4IQ_^E1/64K MOUQ"SHMB!8+9-%TVVSE&$D;N*0!A.,E42_=UFJ/XR.TP_:+HM2&%RL-JQ;YW8!>B56TJC?.^_9;.0%CA$_!26V9MFQ6%M?]RD(/Z(;YTUG`4L M7;"U"-%J#)-QS>'2C]N8;@`53*VD'M"-%^]DF`*)@GXC;"/-XA6X(DA;#NV3 M$-!AFDL.JLFFO,27+S!'O154B5K@Y4^@4"C989B'!TF3,"9>&QMDWMLOP`%* MUV'?B0T+LLAN%R[.OW7^61H&2T5PFW7[4X_$)H)>!`"*S4$;$CK4I.8"'5RV MF_5R,?:17:8/$^W7:`5Q^"+SM85T!)\=PKO%^I",(:@`_Q33SBWT>*?]Y]BZ M#4[QD,R@]5^3GSC#C/"1'`V/!YB@#4)9[802IWH+I`.\V"M!"WB$B8T*>E+[ M@>1+H$AOM+!$=57L*IZE^"YY)U,0VO*[6LXS]I.8D1ZS>-T-M"+IL%1H#5YJ`>OBY?R)A#<'.BU)>)P@>_`_P`B.+\95J'9F)\L(O<%NH'3N(2LC6W[XSN9&> MS_5LV79*@F_)[@K?X$I\)LB'/U.>K!O3XP4&ZN>&K+_Z^M.Z&3WMABHG^)-/ MVL\Q`7I,K3/&H40+\.HQF4QD2Y+(7CQ2=!_*U:'CO598,9+["U^6?)&"&>=T M"#:=B\%5"5EX]BN2(*HYD=6T87:!@*WP9;H:Q+]_JA&: MS(WZA'D$2OQ""I,5 M_U1VC-"&*S^0&4)=$-^@Q"S8'X_+DL6/!/,PQ0(XUF)8NW#3\%,.4>IGTUZB M+]>OB\[$,9Y1%AJY$:S-8K$J9;M$^R^T-+*@1*=&2I=:0V)41^YZV4&-K!K0 MHOKTI4)14&0LQ$"'/C:^])W&A-R,Y?D)HM9U3"73<\E[#5HKQR%#"C889X)4U5?<50@U9MRT[8)U'J,;?E$,*\F@PB>36BS_].AB4]E8:& MQZ9N91W>R8H`(J9]T'[S79$7CJ@]2^HLFHHA*YA]U4XRT3H^UN$'4J)@)M(3 M?.@L7BLJ$4V&")`NNOPA8@HNJD#L_>#([I)6F2*,A?RJ*)/I9Y"2)'S3^AXF M7#AWE)XTW*AY>7*3'7F_=5*S<#*-(TEI60UKRRE\BF5/'(F+83L.N-JD=";`_>E@INK^^;=E!,-%C_>12.K[#;/+J%Z)VG=UV7K M0>#`!%N5VD:!:FV*9*4:**%HMHE82SIE6NE:*R@SJ7J:5JX>(AH7NUW=_?#$ M#*HX'`RJJ$%PI_"U:3HJ9E\C=0TC*73*%R;&M#+T44(+NJH4.RKN9K)T!-;L M9ZBF3TS[)4^-<3F4OJ#R2;#]5H=ZZ>0R7S"?#$K/$ZG35TA M86M_`G/$X&331AI$Q`6X$M0PIS._K*D_7SG_97=.!$HI7$F3Q9+VG3@[XJL[ M+KF3.M&7J7KO*:8N$)#MS$!J&&V[(RG&[Q+B"#*UA:EF@O?`D!$BS*5RU?@X M.%\]"/SQKEAC6CN-OOW<"LX8CEQ[.](*V]3,TJ4M@,8LW*7W_KY`&QW$,OI% MK6ELVI^D#2:O:+[(>#>"H\*;_PJZ"%QS-M6[MA9S4#J+<_$&IX!T'0@NGS+K M6T2NGJ@(531#R3GRN`'Z>@D+DVOX``:N7.=,:>09\/EJ+HB`6(30(?Z1-:;. MRO1$/%H`OX++_G=!"VABNZ0YL6,-4+VHUNAHY-V?L7VUF$3<\`;73,:-F*H8 MP&;0?7.PVC/2NF*Q4`5??,W%F->)D@FIK&FO$),KRA!JFM[JWA/52^#5V>BO M2@QU-U`]O)U6+5FQ.\+AM$B:O_]2]I%3H_EVHKX$]FO;6QPK*BK/3I.V!"@5 M./=ADX41W8(]O=!PW*5VJ7R*J=B]7T,X/V8`4]/82SM&2!LI&AF1N%KI&\_Y M;?A!'AAD&;PXT7(H):5CL#UF`:HFY,ZDL@Z>_+7Y5P1*R$:^!&!5Q*$,M7`B M5-LO"<>?LJP$U+]E"H\$4M&*8%UF<.3+U3'&$=L()4#P=V-AH%F5_ISI>BK+ M&7?&!VECF#V#T90UI=(+M8,GBL&;R#8W5X!+S7XDWNM'"Z^B[LO'5WZCV+7^ MLK@+%/P!&\)IT,)4$)-8M=P7`10;Y) M5*':70H=%AXW^=[I$)R8D#C31\^$((:+W8`'JR_A`']^&BL5A__H;3J?76R]G8N@=4RV%QQ5XI>UNW5Z.Z&+7_RZN&_YIBK*G1H*.YWR MAV6X.5[\5FWOOMM]97/T]?'M=?0Q2Q$8M`1J=-$>"VV/+2I/.2;A^9IG M%I6NQ1>>![:>:VJJ+"(@?GQ0GJ@_17K MW;&8)/,J)D#%1L&AQQ3*E>'J**9%VYJ!C7D<&N2?+#@A;+L`;[!=:$E_Y*!",R1MZ6-D8!3A;81)+`%'CI"0A!\B*$%183^ M5&VGHA$XQ!WOK/4/QVQ+J,XZI5&,&GH MAY<81CZ[ST$3U&[YBK4VI>Q:&!!67OND*EAQ'$&?$P$BIMW(E=YX,34A+`P) MEW2:`>^X0`M+3X^UN-^!`Q1%-L:Y*W!-941*"ZI@Z#._4GG>=V;1!6$Z;U[H M&(]@GN:]8XMO7C18EFY0JK$@IOA%$FS$'B\W!F-$Z&2+U!Q^/V MD%;R<;A(5N"AW-7>PJ5=/C`4;K^V!ZJ3,#J&&/AAWW;GL4+R@*"VI,J_ZN_R M*(A)*!TT(KY9`SG"5E^IQOYB_QYKP>Z"?1:^]LDK#&QO+SQ2-5V-LGAH MY,@:8@YR&+=1`PM@CYY514UQB*<&=QEWP;?PT^.CY$RR"#V.DWZ!_`C]UQI' M@VH!+LM=*]@GDNV;CN$C?;S]TC2Y5^#@[Q M-(.>X7#V!T=WFVR%'N<=%$\(UI1,UT;]`D8O:YH+VQ_T95NF3^4A)L[:D(<( MORB,64Y=VT7@X0=T@7[^#7*&L,I:KEJO,A;1NA8)7!:7H1W3-/:"`TZXZ_(N MK/:G"MIV=ZJ%;@OU;Z6/P--KLF5+%K87/"D77$1R=QG"_,X3BS('JKA+L7$_I.=+VY! M:&/!P[2`2KUSGW>N`J2T!Y;&=:7]1 ML'Q-`YQ3=+1I!"\(U"=P_V!$_SD":%QEIIMID7IFC%`8)!4DX#KE]+D?J@3, MWDL9>#_B015$P@&K`IU';M"KMT/D6 M&MVPDJ?]`GUT$ M[OV\XTGA[9Z[QGC>LL%_MGN=Q22S+WU2[+1Q2_^N8*C1O-L.=3O17M*&:/O# MG?23%OZK^'Z2TBJ9$SWC=3D_!]?1P_A$,AUPI>KZ M33Q,XE*+M"EL8%V:.-@9.2QZGFAA&3]0&;A80$YT=`R$;O98!<3KAI.Q-,Q;WKDIZM#CPJF_)C4\C#:" M2J?$Y6'G)O5G8.!A@5B2R*R4 M2KW`77#WK\JS51'UO9JQC_0`!R(46BGOD[,9;\DL?D96[_HM66)A[E\B^D!( M`**P1YGH&K-&>.2+,+#%5WJJ7[&F-GM5A)*+]0@I]Z]HG7);YR MP=YEC=QEW,5EAB)C)JH@CC>J0.&SHE5CQLLI@L^GH2T[T9JV(>.9LKE*DBNT M3Q*(A`)^'FAXR9M,7"C9[$[B(?/=%J6S\6*W&66O*-V6"F(/M(J_V*-<&E*% M_*WZQU>IX:]FI!.:=G8:7O;/Y%9;& M8DU%<4'&48=C5IDEJ`0V$?= M5Q-`.%DHN2>ZI$@&T2]&SWI?\`X2!=4+.)_8IR,SA[`119=AO\5())F#UXU6 M;"JLL\YIC`!#C(V.PD`ME2[9BUJ<*^R39#?:;M@D8.=(0^0=7)62TXS4!#3V M0`WV)UNK*`Y,7"CPJB\%ZVCC*07#HE=X[O"0;HHL*MS_8PBPS.L`M MIS1JL&\!RPNRGU$8-:(MQ;/^)L:0LH?)=G`MS,VXVJ!,"%[\N@$C#G8_,VB)D,E%C<[L`5&5\36_*W(-,(+S9]::(G M'J&Z)+.\$+)&=!US_D;D6I@K*H;>%+&6B2O3J+DD$IBD`>PRGC@RLX31`O0RST4%_2N1_DX70L]KAKG M>MRE]*%V;"*9U M;49I!6/K>M/=]4V+#:WN;\F7J=%/6'TD=QN)/1C,34#S:G6I?M>+!1M*U\OL MGJ07SVZ]-TII&@V[D?7*;DAI5TV)Z_?@$JDZ:A[Z.K5NE]3;ICL1",%(V.?3-0RVKVE0@38J5(9TE[EEDMG4YK&ZG#[]*E&OSC@]@[U MTGG>+[90_[!A'<4C-_,TX96^CYTR9&=IDC$O(/"O[C.>\IBP:(R.YM#F+^IS1*]Y0^)+QD/ M,34KC+4_Y8B5^)2JV[#AZ\P^7P][VA?Z/[<&TXBRN5RXTS6?1E(=N5+[(/AZ M7&2J9TC,#B^1I-EF;]?/PG$&:LGAZF^Q?G1I9K:S'LD04!S-`-+XL[!8\E%B21#: M?IE*;X4<^XI%72@"EG"0B@95/P!N0G%)%9:2GSL?KX5,G([A#BJT74TN!>[GF)Q1*Q=!* M=#3,JL(_W=\0>0'TAJ7=-Q/8%W`+(E3"AII^CJ48$+8/"F`;N@0[GZ*/ M)Z\K>6>0W>=\T=1N[(:HR$A'Z=&3^EWXPA/,D+UG&UN>SU;Y.[A$;&1AWRP? M+@\OJZJBUS,O5WX&GW1.?FL-Y:>=3T]Z'95"H^AGT@E]UHE3R7`(YQ)`(/'D MR2DH]/V^AB4M5OWV:4+06GNA&PL](X/CI%MVU73;$LDQ::("#EKE[C*E7\BV M`=LF-*ZTT/IQ`@=J!.+8MSPIUW7VB+6[N$;%99.OP91#..ST>VVI/)U)F(>. M.^V='./>LSIPX\?PDS)^J](=R;Y*Y!L)R'EBB4Q1\&DQ MR4,\77V1U4="OG[Z.M7"-@J;K[B1DWDXUFD%?`\>ER0CHT,2L19ZQVWZ[(&+ M^[7Q=E:($X^#C0,K.`4%"ZRV($T#BLU"UGCF(&IX/96R>06-I?BL@)ZS7-BC MDJ/:"'R8/D4[R7W5<[V]#_G)NH%^I)U.^F%?7/73SR_BKE2S;=C4M,2BTFX\ M&5&)Z.C>JVL2!Z&7#,I('O,U92>-=*>L3IVLS<*0"$>]'5^=; M0Q%OAH-2UR67+4YSD^!@T500MY9@4OU^9WE&3YI=9H4]$4+\-\@3G&YI-^_M MW11L#4`[8L$0L^M`J%U$!\QIV2FMI63&X6:GCQ!V!^1Z*1CS)4,(M;5@KT,G M/-/[3_J9WQ_K30PWE7;6E7*^4/;OIA*5A8YEK'/0BDG'N+5)1+"0J/6W2)2- MYAO2>(YM,#C8[/&HZ/7+^HLLHL>## M]JT=Y.CO>]":5!K`\QQ#]/@1,/8\1K++97JO*:TD.3RE_7KOH?!(FU"L4(UX MTL?,H)T^G^I7%338)SY23VJNX"O]R:HQDO*DY0P^O MFINV-:DZ'%'ZJLHVP*V)W`(Y]PD\DW'@5/!AYI.[J!I,;G285:YB+\DN:0Z M<"+5U2K_@ESZAK\R34Z0AY1?]I-U&N]Q6AK5GOA:..>:<734<:5WD/_42"Q" M!-*=@1$/ZX0O&:+M6SZZ!A$I/!2)L]"U99?;OB#1JP9H7W.]A6S%:CT/`X2< M9.M&CF;%0"G,`KS0V#K0,:&E[@X:J@V/&&GKS^?Q((V@@?>#J)[6MA@RKK== M-I7$MC8H,FLKVW M4Y"[9Y&3)D67<3U?[Q^T4:XF:L_-U<@(_9F:MC"66Y#]DJZ901CLE;*;YFJ_ MOH6#1J92J"W.O[(D+5WW2E/4-3N.K1+YM5L/YYAV/BN3[D"_?,FQVI"[Y*># MYDY%'[K+EJ7B'Z'"(R@@*7HO0)_6A:EKH:-%1=VSEQRYGD@+6N*NHHO0552F MQ7J#`3&$=+QQM>UO*I2O3)GZG->LS60$_:S*MN=7#*M%N;2Q-)H-.%D(]N8V;O9TD,#&+>[/SK\W%XU1MF:##2\!NS2,G^2 M9>J0"W=<=>)QSSHN2&Z3#?W%.[%-8#88F*5.E<`%P80-RD^4:0%RH+Q*P;@\&)F3KW>C*W&H@/RJLY))F7.A-`$Z=>WEU(T;0F M;7Z*QK6O(U](L[**R++^@$GL'AD2S"HO5X::)K`X;)-57+NPT32]+2DT'Q^"A4=?35V6*WYV;,M7O*N.BVU?[Z2)Z+L3?5W*2QM+7J1I MP=>MO:F'%@8I<_F+Z?>5F;>=GO@K?OGUGWS?%T&(P]VGPFOMBTK\;^P<_4L$ MW*S*_-GH`Z_NT:&%>=J9\;?O9ESY./R-.3Q)Q8>Y#Y?Y?&5T>V%SUJL"[2NNEAS)8Z^%HT>/0-HX43K%R#@CT1T.OI"S_"&H8AF\7 MRE(C>B$)+E)8IX+;CB&C#L$I['\^)C=AFQ/&2UA*&A4U3&`.CP%:Y?96JG#4 M9NA-'21X-.>M@;],7*FCI4,&3-S>-D^-GWSNB$ MW@4-P\9KSPURE)6ID:RXS/MIK0WC(.JE/\L`NVQ2]O1B>_E;;/6@!U,(BP/[ M\/###9_'>HBR"S*88.G=4_VEW"O6XTJU#4IVM3*D,D_?ZR9\!B%3:RF[A-KJ M**'%C:5P10--ZEXMKB=Y)R>VLOA&%RK]F%[-//&(@.[Q26\@:\C+>HQG./O@ MH4][XU&$F]8C!WB$!0GU^H<6GT=/)Q.$TB%XD!Y:&9>Y;W"E+L4\9%Q$8Y@$!@AA/*IWA#?]>V?"4IM M0'MLT#+!IBZ)8/?^"JQ#]J`N,#/$7WEI*0#OSWWA9-I*TYA$KJF!V;DH:]\D\):[8MA M^_!8!P?'JK?$[?VM4E6I+%3!!K@^-Z.U@%V;UW8L:G'O2N)<=J[N%LPBD*9FU;W]S@ MBTJ%S!?51Y)=&;G#7G1L3CZVDP_X+S]6WEWA#*Y748`"B3:$CKQ:J MLWAV:A:R(.$WJAW%()U=_[:=6F3'GV?<*OX+?ZK.?Y2"\(#E:4"84O:075P, M`!FN8C(T]F"E%F^B**:XFT9TR5;$N=&M'C)%)6MRHF&_>)ZNX:KP*\7.>T!! MDO-I4Y%#3'.<#<=4S(6K'!21Q*@8[_R2#.G&?101NV4W@)MXJEIIV[K&3+J` M!BM*>3O@42]3:O*TZD=`3UN*;38)/:TP+R_4V7LL/!YXU.9\_D&NY8XPC&XW MX1`PXU%Y5TL+?/B@`8NER,1HEB\+G&/V.P4\+G]'C*AAQ<_F=KX9@"W)':#E MUWH@8"(J*>H.('^2LW%WE^/K^';Q?,4.S^/K2;#0"UA7WWK<*"NCN34U=#[C MYR!]W,]Z!WSF(V^X.Q\JF^\ZGA<]&=OJ&CJZF1US$(B&"X7CL];1VA2C:B,E MIYO]1?5U_\'Z5'0CN((82CT$JX48R*:S*[W^U=;0WQ)2W;CORJ*T0)DE0SI^ M!X*TRBC!?C!R=\Z*66SER[,F&]Z%3UQKMLP^1H/XQF4Z5-X0Y38\6QLVY%3X M;8455_8J\9,]FSO7+-98<(SUXE-H909^>]:-#:OHKY!+4FP[>X2MKA!]6(X, M2Q\6$(D'QG/7\1V8V+RC[Z/]>.(/B.1+2!1C@U<*_7-@T[R9$X(R+6@(!T`% M"`6>E'+6P2&.@CA-=77I)X*F;F84Z=(T^,OY0ZEU#$9N9A!O>CQ?//#/LOL] M^WH\4:7=I\L?#2M>OEH_,LI4QI[J>Q6DC>3^(YJD,:63W=2!7M_`@Y=2,\LL2O63N"+,6OS#<+[%^` MWF>5U[F1QXO:P8]?>*4*/VK8)\&6'7>C+[?>)0\;OXS=$U_([5Y6K12EO+&@ MXR\6,K=JB\-AD(Z_Z^9L\\=%,)_.\NO_%>*(ZDKN9[Y&L#$N/\U;!Y$O56"S M&\HT;>\1K6G^U0[`^]>!RJ;8+7U;P4G"D9Z.@WUWU,,TN#?[ M:/[#C[N/9&2_@C0P4M3:#C!?G(F'\J>7J$Y'_)>;;\&Y(43>ITC?31W$D2Z7 MEBE[P5>L'FO]%O4XM@R_XOH_LQ`=#9@.#C+$0BHY1+;R#(C?>&5W)10O70Y. MLA]E@#T2\D[0!"DHSN_@YG7VIMSP$5,CWO<6,1R*K/$M7^VUQ@14P!V#<[9; M20D>84][M_LMK9X045"`D$Y58Y`,"/%@.\>F"V4$!1B[KJ[)4#R M@N*W5XN1S$4AV?H?S8T.>:5'M@]2?$_1?*,?O(CP%GBPQ=R4,G(79L3X.GA= M^@77%=6HL6S M_]9&\17IIDY'&@K\&-_Z[5Y/MBIB>KO7XOG],\=C$:ZOOS99*YLW4IRJB;\8 MAAZPC*X\K`<4]36P=:6-0Z+8TU#(4TO/.4>K/$/N65:H?PKX935+;HHT6-AK M_[04JP_^G*9WA1JK]U2\V73?$54-CT,]HH&4+8V,[O!I6._<;>'HM^RS]E2H MKP"D(_QF]<;=R%?P$6")&0Q63TA;&X\K\<[>O9\/QF/?@A=26"$NM:DXQ_RQ MNR6\S974IM/XV,\R0W368?SM/Y&?P>0H;HY2;5;1S0#[?C?V2TM#D92A21-L M]^L/JLR+=<]A*%@FUS19L8#SEZ(^@+$"V\O3+ST:J5*TX=G/\PI\C6/U+V(8 M@P_0S[SM07Q=23&#.(V#P'KBM<`]#M,EG"MRQZ?K>HH[5;BXF+'S,DZ+9%B( M-L#7T"W"NQ?_@>>;"*5*.7>\=Q!1;VJ37=475=IVFI]7Q+`>33%N,W6[IS4T M)^@Q@V%'QKXWUQY;=E-_NWJ[ISW4#S[5IRH!YG44#8/(6TQD&R&CNYX$+.IB M^PQ\(0Z?E=Y>S3U=+"NC.SV7ISVF`5C,Y0O1X&9M554?235G!@G+NKC M"/.,TCZ>-YJ9R'Y:4_ME>!CF/5\`&,G2,F*MC'B]CY*4J)_CX%PWC$A&$(48 MDY3SGB]]&1T?T(#.-[ST-<'H@/DE#FZ@/B;N$1-^P'#9^-:>:*/X^,N>H;"& M\&8A]IN&QM(^AY.:E$C7DJV5+;*V2&U,:B8JB#;RO&61$&0VH8 M_:V`?GSIME%!G[K5^R59WO)N6UV,-[474F]24%(E)>F-[\NJ!=[&%XI9%M9Y M<790'4CM+RD$49L0.;O$8.K5SB9E0:F)MV5SQ/X-FL>&JPCDL&O`YZ4`2.X\ M,,+:"O1L&V8Q:,?)8F M^@=.QM.`1L82^CHJ8X7^3.Z7,?$*5.(^7;5+9V-T'T7A-&)=I+EC08J$NNN5 MG[IM\)[OO\*KRM@)`Q-5BVXOI!*H&=P*T7^E9E-`F`B[6*GF>"M&+#R__$4Y`RKF+5V3#BX7CC)?L6<'SP_`(0-_#T M$26XN0"H89]4PRUI6UJ5QP(W0[\`QNJY7P!5-TQQJA,]/@`A5GW;QH18I^`; M*\S]C]U613"*U]*K"W%34=S7BF]^Y;L8GB'%#'@1P#N9.-AYCH1>L\]/B^3L M+(6^?.C>TYR0?!9G>!<7V0Y+TB3%`[;P#Z1S,NO>;QZ`2\[Z3?(.,U[?F^>^ M&\52(+2])Z?9F$72C`I4:?'CU%T3-3N?J6=]`&I2>LFM$,=51,3W4MTC8>J* MW.DA&9KOQ2F%TQ9%%)E\<@E+;?)!]=(,8&AU%3^PWEU8)9(IMMP0^R38%L^/ M\+OL!%%_:>M*B07%RTWOHC$\F6:U'Q=V3!Y9FG>N!20$$$@N(PZ2GU^\N9&& MC06CV+'?N%7,'M61CH]F.7V!-%J!1WBXE^5HLN5KJ*+2.:XC M]EI!+92X\852P,5GB@? M*1\O'_Y8]$MA.DST=8YN[J@59/F"Q3N@IB!+J'0_5TM0'#7FL26`%W`OU6=. M%=5,=R]Q]%2_(]-R1/I-7)'?-$`;&3T354W7V]'#H>G%HN/.`7`9,D/`\M!. M?O(T5;86(*3471;'X.-VZ[5A/5TE/S_SI2?@J%,I1J_WPO6KNUO,_BM1E%2# MWT("'2?\BW[LJ(T$!&%6&C\DUT'@].CK;?2>#E-WFR]U?'6%-&P)OPHOIRLSRKONM@(/(Q=:PZA(5F" M_?/"0N;R2$'-#FIGBO6:A\R6F115D4F+PQ0K0ZU4E-7T>L:.(DN&<(:$>5__ MK(GO",?!SVCJ*"&-IHY?FXZ8-ZLRZT%V5M.:A.-4W/EQ\5%?EL2[5S58>6AP M*+I.;\4[AJ5NW=58DR%L@;IUKU^V[095YRP\-3(7C]G=#=--KB8;G.W';?Q& MU_&F>5IJHE#,+5A_]E_UT,,`E29'4Q9Z`13[&K\V0IMW_-!I(3K:QHVSQ+.- M>\9B9D6UC^YI*A5;?J$H8T,N4_!4QQQ`>>KWDA$+Z!=RIO_A_;0SQNR3LEOO M,'0H7)$\%7XX8``5KB"!2J+8%?4UL+'WFH51$ND+B7&(9UGN9.$*S`2/F#ME(I[]^A@V[/G^,P;QFF_@5_)EVJ+=4CVAJ,YQ6 MB$G4AKP-&C+8DH=[+M#LS%QN)C)'W#N_#GB3/5,S4#Y9TG_!>K"W,1T0[V0P M2/>]NNW-=EI"^BG*37XN6PU_:ZGN[9O\W@;E3U`O.?E4`;K-1#(,$A<<"ZR$ M91&-L%L9==1V[WQ49D)3\X($Z*->C4:]+2NXQD.J_)BB'MM$0J5F?;M2@>IU M:-W4TV,R%FCR@]7-QG!:O3$#2X%VL'$#YHO-UZAM&KO]JS:X2DB@'$D2]MG] M=M;LH-!?J M"@UZ39O&"MR7R'RX*NE%TJ`XR-.AD,?8V6B0UI@+CO\Y],T,_2FM"0!>$?$K MU5Y)B!QN0,[8_7'0% MJ%DW`A#@E-&>^N9V>F0?-U"]_R:QRK,P=>5ET%X&`(%]KJ]N<=G3#FNPO#U M_-T.N*/++HH*/@%I%JB=4;?.)]EWO:80"%^Z,(ICCJU$U-;")\\*Y;,*LLK*QR/ M*?R!LLQMY]>.]/1ZS,()[!:OM8GQ.7_6B(IXPSXK^=P1VD+V"1&;%=BO6I1; M8^&F6462_.IB.`K*PMHV2[]T+QE"@\@"`^X\#AP?&GJ!\SL[Y._ M\E=53EFHKZEK00`V%EMO`+`SF[T%6O\PJ*)QU:Y'_('/S0(OF#U[S2'/\.F#( MY'&EM6ZA?.6:!;"YVAAX?$F=(6!_NJ`&H+'_*#[XS@4_<2F[V%3@PQ*Y.&SA M$)38EDL01\D>Z?_<&BV3?WQ`R!D3;)K@=L@F;/5$Z@?[Q)PM.O2:S-942'?G MS?&.>-]#XXS\0([A-GW/T_O9504/EMLQ8]&C_"N8!++3>+'=4)Q\D!&R3!'* M?9,7MLMXB#T_7TLZPD`R%Q&3,Z+P&\XMY2'+VF?@#`M?:<&'$RX$4MC!_?L& M**F=!`E&Y0V('1>.=H&C#KWV5MA+$Z93UP.UV#A=^P%^!*:)4(P=1FF)=W^0 M^.\*1/[94[;QL5$H+4B/1I[#JHH\OGG"9$7,DL()O4TZ:#VTDOQ"H%*I-/)2 M@1#D>-)$*&=^B4X@>$P*Y`4:Y.@E*0H4N.1NAU?7>K:`2R/?[XJFU?`>VPL\ MQS6VI_:+4$A)//*+`S*.WJ4Z0=\6"9NZ'3N;X!XL0>5'J9'K4:5GGXR8E[]^ M;6]J*M&5MFP;*M&*&3`=^>7QYL5\*%7ERW-H4^;D6N*C/.:A-`5M2\_.EH*# M([QREC1W-C<`S:-TIAL]2U"ZG6+$.L*V7.4R?M,@OD(?*?V^8E%Z[E8)Y[FP46W(?OBHHW6&U;3&]L:+=)E%9FBN&6@.*(- M^GKIJP43IHI*U7;R-W/"ZU*YX0IU=0GX55X^#@VF#BW$`"TQAJ^9ISD-[?P< MO#^C4N-QP.TH'FM6%)]S'P;6$N:'MDYV/C9N&&F].=/*:XGGKT87)7>O!9_S M@Z27WITPRT=MT>C?$[O1]1Q^#*,JUJ>[T*VH+.=^CML43A50G)@%#Y'MKL/$ MD6GHL2L9[Q=HB>)<.3FB]$_@PNB0A%E273SQ79P3@)"0QNN"]V$-;DEK#\01 MI@7:)CBMS./+JT?Y+F:TI'K^P%!Z)OR,\$MG/9;QB<]Q(1!K/^Y>LBV*H`K$ M@"8+H7>27G`93$ZB9@,O2J6V%#NF<:&A02W]^.Y&R42/LKUL^2I79K'ZQKL( M]7`I2LS0("[BL='`BAO+R%EP-*ZT[]6B?(>I.M-#=S>$"@RPZC_KQALDH5`#YX#GPBS3^73#`;QSX M60-ODTY1=/S[?B&E5U:=6^!^0&/PV"\QBYJ+)]57!Z,?FJQ#%4$]"^]0G]YU MCP>^*?G0`S1]"F)*'T>KT9PWVBCZK+<:&1>"\*0EV3<13/SX(LL-0B3(AU^G MO2IJE%Q>Q$ASLQ+#3%(X0--B7$"CLLK@P_IAN%16F9PE?E,%H&TS==L;Z/L<$FK"\VO!#?-5QHG MG?_\Q//IJ^:/Q*=5FZ8ZTK3G$IO!`2?Z:W37Z7C?9=YUWOA9[=?S;#DV.QA1NGQV2W3:Y!XHF@KF&=<6`5-^7+C4@2C M)D6&QAEK>R24:SV]IH3=\4Q":U`B;?K:U=_ITS>5WDK;,4])XLOKW9,9`)A@ MS_=&B-I?A=>&W,FR'(HD`L=VR)^$Y\V1I@1WM=C1L=R^\ON,*%/`T&!4/"I] MQ2]Y5!';03=V&B_DBZ$A.!E7_WI&]3/P)_OQE1OBZ%=@94F$JCX/BBS\Q/XM MBE/0Z$C?&Z\:(NMTB^*"#5KQQH2:@[*"C2D)J_;`H/7PY%$6G9ZA3=NPV]L3ZT;&"$)B1I@]E>,@2,6_X39E.X(G"R;53'34 M1]!H7V>Y4K$.W4_K@[.6YP)!B<(92)S+3&UF%`J%H=7]PPM$MG!W^Y?@APW&';]7YIZ=)HP"\$PX=602^+$#L8'PV9*SK@TIB.F_'#&SAH2=^N!?:0M>E1>?; MH_");`'E88G>1VS.!1[9475?Q;TS6K7,6UT3@_@J_6N?A21?MCE-H;OC`73&Q_RHS8/ZC MK>',MS[5&I:86>#$FY"'A!`57B4F%2-TYQ_@D:?E4XQJS5YST58JT-RU8+&7 ML,3G>S_A]AV*BK+(QO/D6.ZT)98D;00_NVTGAF,E+E3&8;:2K[D_<$;21Z@5 M)4?$K<`IZ?YQH4HR3NV/>4&J/>J_Y<7>FY%C/<9?T":F:56KFBCWH>2,[#U@=K-MPRQMR,P&(D=NS75^PR;*(SIR;K$#]CO&O4G6#$;(( M$D*ZOW1ZMWN*#Y\;B/$2GB]Y`1E\A^,[\Z*>SD'GR[8[=?RF"D,J)66VU8&/ M+7]GGPUD)$MB`X+'N/SD+M7U7LE"R\O=W'M]"A:Q1=]8Z15WN_XI-Y)2G4 M%/6/05]0EI[9"VGAXQ"[BJKIPG`Z&^ZZ4?[B0>VDQ(.KL'Z,8J0!4'@&,BV( M8_$Q"&^-9"4B"\E`3>CY0064''MM?5_-DM!=M&.O43L)>)T>>(^^+YO-OE\G M8KOQ=#*6!@KM]IX_8\1>7X.#2G;#R1$&0!H^*6SEL:*^A3L!?6VG[)ALU4+% MT(^=PW_WGU$4Q&98-%\LD_RZ*O2SEJ.ED6]A.5-W!,`_<)7_KCT`P*&AH0+H M:B&]^QX`KLJ\H!]]/=+D:&A.P*X'WE*J'F+PV&/9NK2^!K6(6?0HXO(J:`3K%WE?[3PO;;L#.:Y4`JE[3CBUCAF*$K61JLI9K M/CVHB0=V">D$\;_3`#PGUAXPY0 M;(=!N[I]"AVM>\%>T%X@FKX8!38#2=G4 M-%J@!EO7BBK"'8UGK@98\A<\XP;P8LRD:B3-SB<`_]KV?]740\'#ETR4.-0= MZ*@R-*-IYQ&?'2REC%?:\H3EU43[9@8;($ZJF2_)YEL>_N8*BB*^F`J__9WJ M4U>F$9@;H)QH-U9B0-'_&TE`DK@\[GT;%IQ>9+@=AY=!BAUMRGCS,:A0PV*1 M(.(S1=VWQBKEMC&ZL`AY-E&(^LTCENSLK+*^F?P#L14K3P>1;N#Z-82K9>)3 M57U@(>)Q#J@YV4(>0][9Y:E)A>F(8G[E@NRXGV:%08;QN>A-IPV_C$.5=/8J<[51"KKH,H-Z$&.@G&"4H4H[I"V8R`<8;CN,4%WR\&'= M^^IFLEB0';I608[+H3\K+N9H,G)>!N6A/VS@9S9\/<5O]7)LU;6'A^S$?N*( M!>V,;AX/ZBESO4A#+4=/EL2K(+H6_APZS;H7#Z>*<2/56P[P3_"/SXI0QR,# M>?777P;STD@86;RC,[-I[4P)?&/$1%CZXLJ%WR=A%JKU$CE1#N[6E%;'T?II M;1:E'AA/9Z)D5+C:Q$28;JP"(VA^F]J::/UK[IS[1>DROP>1*?'\I90/ER@% M?D)N?PG2*N/*B-E!7A,D?N,N!:>6_1(:`H4AZ)AVSN$RL)7?\()L;>QG$GA/ MM8H#1V2ZUG#UMB*0B<;*-Y_5*6-Y:XFLU\?7ICN+A[.A+D`/#QV6,_&:>:+Y MS_0EO6G.V1B0ZIJ7-ZJK1*B?,1=V;0N+Q[K7>U)#@AIWP-I7.AT]9'OBP"VY M9`(J3W[B#X7XZRNT)B>:H3Y8/E<2A^,]H]C\[K6-C;X.V_B):S84#'9"%DA@ M8IU%/5:Y&%^#1:0RXN^&Z3>A!E&3JV-,%RJ\VVJ#6C\`?8'+GC3L2578CO)X M5;T#W0ZW55NVR)IHD=/V+8(><7Q2Z4VAJ-=2AQA//[W,K.`^DO7ZIFFA]H&` M#&_(G*#?LA6X01[1E##,"A#[[AC-MO:LOE$F58,"] MI.<*!/6YAP`0O0*)U@&`(;IRFUFF]&F"O?^X?Q@%K4ZK#`_(#L;DY#SS7=?I M0?)LS8A*QFPZ7\8*/H!R&QL^?'LC>3\DQ+GO'"MYP_B0L78==KANI]8\3T.; M<4N-%M1=1>2N>IPXM340J;NN9P@L^\6L`-DGR>]!D%9K$H$[M18J$$Q.*@^B M2KG[,2V!-G(%QN1>"BG.TS3:[(N.RY,Y'_:O'/6CL/06>-"KU$B;Q>"QQW*Q M=A,Z/SO_`U'M<'='!;+XM'HWU.>5.)O!;5*N$"IU%:Z<"N1FA$C#&P^GYJP7 MCM#`EE<[Q)@JFTB/TH'S7%K%[2,_4&AU(!$0@\^3!1SR5R)FWMGWN;FG`TU[IGI8MLY#3 MJ1^3!T4L0LY\M,\=;[9D/2G')W.F`Q:5'*RB5/PLR*,(K>1EYA\!$B9@%RQE M;88:&0P*%VLJMX;HD]3,./*ZOW^&5!D9RTB3W$E^.BKH:S5/V>1_F6?ZK\($+-":/!@CJFXB%JH%%ORQB:6;>:5@WTP6>`_-EB%/9YJ" MEL>/ZZP+U"-!W)IN)-DUK#0DXAL5#7@S$^-!P6:FO66O:GDJT$`MK69S2YG& MST2R#+\RH\NMV0^80;W-/L1?(EIO3F_]7>77Y%'3![ M`$<0:1"0D)#NEFX1%)18Z124;I!.5T)@Q05EP8"E.W?I[A;I6&I!64*6E@4D M?_=Y[NO[#]QS]O-JYC^8.?,]9ZXV)GAE2KOU)1>J75+^2%);SKO'RW2VT,7' MOJ=R:ZO:"E:B(UPW=O&44>WS^\'ZL%J804IVE&5T;.H2D.6."G`KZGU7P-$> M4OV]]8H-:;VS2J@_LK#Q,86OWP6KL&!/[0\3DZI5+%+Z7*MK(?"(1Y92XN%$ MM+_V,$FJ9 M+81Y-R..^%HA7^>M7S+VP^:ZCS+H%<+S?-27?'RV,WP%^PQB$SFDJA81THEFRN1QH9:1 MY/RKO3-^L5_[[XY$YZ=,"7I(6'D^34E'[ZP9A%KFA;VF8K>\_$XX96/G`/;B M&]=QXB0T<%:)7=]8T)ZOES5<0VJQ5N,'PTE.'$ M=L_8XV*H)73G0W#"?QJ'8]S)=W@D-&Y-D=>*76V.[$!L??0OJ]8RGT5*%(&J M*I:_*`;6SOE![Y??T[R[OOWFNAW1N*^&BB`_`-M]9G['\._]1=/<#4FH']!: MO:AUA3J938.V7JXBCB!AOU=GUSB86E^'AYF5#O0^#P6QB:006"GG`]F!2QM; M;E/^-C<=FIR!W`, M";-*R:@-HV15;;/CA#(4G_SF%0)R;8K*EOB\K0N]G[TI*W&JTQ(]3TX, M#V>X$'II;B+6\'7I?.H/%-W7U/ZF1ZZZ)JKLY#8?/$6#3AJ2C&TPA?$^OA,` MILOV".=V]C->3GQT@.LA8Q%9BE`\GAZI#":O'DDU?$N%HWHRA8/GKC:0["OL M3O\R/%;)8=!GR;MAIP?.RPXH`-6#O1!JOU7'!PC`"H#U][]8!`@C;6J!Z2#$&5"?-@NE:@`6+:S;EX#.@6+/ M1@H&M_#4VRZ<[DJ0"U^G9TJJE+']DYR;Q';FI=Y0\P M7G=8EO\#`=^2L:2[.\$_NN3/O]?>[/W\MZSVGZ'0QMKKUS4*^\/=P>F]`L$N M@))/#]X!/"+^N=X3L3!@/2F+?V-)Q;RU$CW:L,RF/Z`A\+/8[O8D;[:2_F$# MK\,6Y'!!6D\!(74BBB0M?.CR^^Y<-M*7*N6%_:88JW'R\6$*[2G-I""!>#>AL(VC]!N.J[+0G6 MXH1+9?)-#>Q,8]#MD;+IIV_NZ&YKL?CG?U9/7A=$+$JEV8PE0OFG>K7<NQ"7$4L7AK70R79<-AJ\P_T'3#JXW!"QT>OQXB5($1W&#)7)+,*\ M&:*>2K"%Y`4\D#JUD'Q`TG9?_['%\SN8!+EOCM'*5AV/ULO7*$7M/\7_9+Q: M#EX=[<"$=CKL?UQ_ETGSZ\XBI1++AQ')^>`<(H\Y36(KU5L1H3))RB,@U]AL M,9K#M>P[4I1WGA#D,L+W.ZPM5T/&Y8L2[HY_?MZ3XR\>'$\JZ"WI@O,U*$$$ M:B_.21-13%%)&JPN"G[V7Y#TRX6*(/V:L\E(H_9LUA)'NV(QZ&+<,#[1(%=(;)5O:*=: M8,OQ./5^3+ID"%^-&VQHBI`T2BI29UY]YBNCWF'\-R3-3N=\RF\G@G++`:T\ M(96BS!]4%5WRON[?3;8WWMJ_*SGQ;QIMW[J+=0WO23OSJV4)/&=C,:<]I2:! M;!Y%NFFUT9$,4@C*K#+S559>#Q5<#86AZ((*&-_WU_T[*(]L(.A>"#)E+2W@ M-Q0B:'%O*'HD0\1[5)O::FU$.-,PY?4K:"J=>U1(W-Q!IFAI0.TIS&BL?2/$ MFKJ;E@\DUB/05,1,N(0=;G\,NXRZ=@;A0DN'*E'9L;:,_J5O,_GNRJEOQ76U MK801=(S=EM,C(RM%P^2YU7>S'QP`OD:FJBN:CB^:H,^["X:2(%7AHZ+#QO\R M.T+`B(,P""KI6\>?AC%P%Y',%EN*&H%\<^1R=1RO]J%]:B&Y7):X#@1#5RQO M;&D"HJ8&AS2#_5H`I<1*O6X!U&A7W<4);((U@Y72@*M/G@7."AUC>U4I\97R MI)IWE'-=^W#VIGS+Q[9]9?,6,NZ>:>%WSFK[!Z#I1Q=&"]Y,0L2>=-QQ:";2 M?]ZH#V9M22QZA0&MP^;C'8YSEV9A>YL![;ZO#]!Z0BB;L=]1)1#NMDAI1WGX M[I0X-ROQUZSJ1,VM7P\=\E+,W,=+9[),2Z6+C5S,"O?AS]&6:2FN086\Z;/3 M_]LLYBO&,H\2^A@4.IH5SO!7(+.T_HI6A"U\?YG\U]D$.U8ZDVDJ!#<6@IL* M?3<6^OP\3!ZFM)(N:^_4XJA/;E8Q5'S6*@H7)RVWUV3@^;@I/*DT*FK"�= MF!ZT99.\\]#?3"BMY'6:K8=]1?/+Y-G"\Z$W"-',`G11GMPMR9#&DQ4K.>;/ MJN[3E68UTR\V6XB6:!<*S4QOT.62',V2[->GS:\ MS.!/@,2YUB)(C';I/?UE;S[HZ3H%>\8^%D?$IR*-RQ.LI'T:RU2E/W'KI$>\ M?H:VF,WWHCL5YMZ38O'L=;QTLO%NR7P#J\O?KMKM/',"CWCYUK:(HIV7,CH/ M(-MS/S-]YN:"]_3H0[_$=`Q+:7_BG;Z%X\J2Y?BD6\^9SBIR&'XB;K=LV*X*4NJ)_@> MFK+D8>/!];M).B!MZ[*X-5Q]C&'%9:C'Z'BQD:%64?OA7D`/;ZE_0*$KM8ESUF-;SV"/)T,$;+EV*$P\U[(H$ M!?@?YIJ$ADDD^4M9_84?5C(EN]7K0"7T8A>T"M$>YGBK\N_8SK9#227L.GM0 MH-CG[<7YGAVPVFKW-A2PJP08#U)]UD[5YLXS%H:=&!Q,VX> M0)^#SX6S=Z[*.%?FZIE\*<)Z++[28@W/IZQH=7MR9*,3Q1)B*\EL97^Q'N0- M2:BR<'/H9G0VF0VU%)7FI>F_]+RA>#X=!_]M"_A.*U%I8:P>33!N?]5*W`]8 M;Z+71:NI]%AOTSW(_/YXD8R3%6I'4E#E;\V\E(;;4/JUX^JG\72;./,9W&B) M)["50[(MLFU#9G99V*P!PWV^I_1HY6W>^?=P]M'W6<^_[V1@_TY4,/@ M\O].-S:6+RW1%DNQURAGS-C-3GG$CPWC:ZRJZZ!Q$U'"`$Q$EGR0W6+MC_9! M-;59N4JCL>>"6]X/[D(XY!/[$6PB2/"672Y['-HM7M^M1`P3]<$LY.=FX6&@ M');$W'[K%HKB*D?54!*7HQ0QT7/X<6Q08RN&?`!6$J.#<&(M,EOY(RT:P5[2 M7G)?6XR=5=!FL-Z@X(L:R%R][:VE[<=XI%B-E$7_XW7[#Y_F">J9/HJP:7P9 M@=XMMV6KTG.>O/5MA.=N3*U8U9Y>0'U+G_133.^A@X)!!MO*GF[TKD.#JA^'TG@@[-\KH_?/4P=?JE))^TUPK MGTBPE[`MD[48J-`8YW`%F>F$::;:U8N9V5MLY:^T%(65WN`2D=9Q>^;P,"'D M/.GFFB0H7(9SP??N5(GT[Y([5*"'>SS[WLVBSA`TDIYZ\?8];LS*'G'G-0P# M`.>;KPXDV!(:3@L?$-@,`AD[(G/`S@_^)0!1N;H-V&T89V%TD)3*0U&G1#<9 M[+4,D:[L'*XH(2:D_W1<]K6(U>_6WO+$7V5E"5S!:LA9][3084G*UB727M62 MLK>-Y.*D'DZ+:H=?#B^%,F*Z]QB$)&=P0>%5D*X@Q90@V* M;%"'1?AC4[LY-:I7"J[+OO;@>^--?=1G=AV"RB<[6,3MK"->WBQRG4NJ/M.! M"6\OF!0K$IMN4E"55*RY\H1MJ.0VG($X6KVSO41XESC=A[_/]_+0IRH%N5K^ M_FN=PU/?9:+-D$?K6N+2;LPC622]--CQH_,7[/&&T2+('&ENC?0..+38!1P? M@`:8^Q/2%9(>"4:'Z8'7-.[_;&1Z:1^3U%)':Z)(+^Z`< M,<[;+]TC/_IC=>Y0AT[,-E#"=/J`Q+.\U3HPDZN;`H/`0IK>MXAF%+@Q#&AL M'CCBF)LSE]]?`2*AXS^/`'L$4*4.6**7#P?`D5X;!L"EDD#VF=C\X+HKW# MX>[2ZP:5=]Z%Y95KO3;*ZE&9]UYL2X,'+M6YL>/F$P4N^0WH`M7ZU:)[?>=^ MNN:?=[D`=0NN[^-E6OV*W5I MWMO;"^'SB-4GM?/28#9]-K`^5GTUTOPI#H0DI(U8@'QG9+7L!&[ZC\.:BU(7 M:UVD9ZQKRQX@)L#EN%66ZT8#P,OD/O4)85:[P=K*.N$6A<2:4#4OF=\!72`WJ>G[SRV@@:?3 M0=D?XEZR.YB+M2FJA)0;5*4\4WBA_MEF+%[T`T&XV#C\3LC<66^JX[Y7?7B( M7\YIE]CWBIW147=_?;%ML(:-5MMN_;\`R,N5TOX28O-7R!PS?BO>/[KYOA/3 M^^I\CAIS'M5KN5SO!2)T^,8PO+MSK]M-IKDD"F=G-&OFIT71;:_-Q'K>ZGE: MTEDH_VVU3I]FWS6"4SJ?I':`%Y56P):?7:M=I&1*0J9:F`U!XFO95 M[-3S1[Y4OJ*B'89^9(B2,7N,"D&Y/JQW,;Y/QY/WT*E>^F``&L_C&=QO[4U! MW\P>H#91P(!`)FJTDDP[9EUD))>SRAQO9^NK'DE]BLP":8W2BI*=MWVB":UL MG_V><(#!WY0HEX'?-82'R M3>K0J@T'+7112$HY+220=Q!8D[1`YB!-MT5%DFC*$V3$(JWO/"P<&$T.H&!0 MN#IIZ;YD&WWX1UWZ,'VBMJ5`38J0E>I!%-2Y-^D=F69XU;W`DA647F!"FTR>W;Z3,CSD,W\;L<$]##V3O*'7VUVV]7 M]51V0YRINY'*I;5[K<(L8"Y(_5\B%T74M8J3H)2M!5>J*V>6]A*[9DIX$3M8 MMNBVR]\*GX>A_YDJ:M4\\NYMM[R1UF=;?+QJ-HO,6&*BC MP?H^"9I<1)L.<`BJV!+OZB:;HV3(]0:BAW_NPQ)K2^3'^*I&^/\,S[[+O_6C M%MLK9*?P#FV'?3+J$"'K.GBM53M6016^V`7%[KP7$JII5S<;C)^GB%YUW';3Y9`G9LY=BC#6F^]DL$E MZX4X97:!P(Z!L?;:%VY@YA+>L+LZ>9G*\4C3A]09.]P7HQGVW6/MS;G-Y45@ MV[1#+BK]6_1B4\G<'AX F>'AX>'AX>'AX>'AX>'AX>'AX>'AX>'AX>'C_S_T/[21E80#(```` ` end |=[ EOF ]=---------------------------------------------------------------=|